Ceptor PortalProtect has support for WS-Security meaning it can be used to sign/encrypt outgoing SOAP messages, and it can verify signatures / decrypt incoming SOAP messages.
...
This is a list of the methods that can be used for that:
Please refer to the javadoc for the most up-to-date list of methods and parameters.
...
<property name="wss.ws.default.signrequest" value="testvoces" description=""/>
<property name="wss.ws.default.encryptrequest" value="TDC TOTALLØSNINGER A/S - TDC Test" description=""/>
Note that when calling the client handler, a session ID normally needs to be present for the thread in dk.itp.security.sessionctrl.PPSecurityContext; otherwise the client handler will not perform any action at all. The server handler will use the session ID from PPSecurityContext or, if that is not available, attempt to extract it from the HTTP request; if none is found, it creates a new session itself and uses that for the call. However, if the property wss.ws.xxxx.allowanonymouscalls is set to true, an anonymous PP session ID is used instead and the call is performed anyway. This makes it impossible for the PP server to verify whether the user is allowed to use the private key to sign the request, so only enable it if you accept having no access control on that part.
Signing XML
When signing XML (not SOAP requests), one of the parameters to setWSDoSignXML/signXML is a string containing the signatureDestination. It specifies where in the resulting XML the signature should end up: a semicolon-separated list of tags from the parent element inwards to the element in which the signature should be placed. Each tag name can optionally be preceded by its namespace in curly braces, and the namespace can optionally be given a prefix by writing the prefix and a colon (prefix:) in front of the tag name.
e.g. it can be specified as: {http://some.namespace/url}parenttag;childtag;{http://some.other.namespace}other:signatureDestination
In the above example, the signature will be placed here:
<ns1:parenttag xmlns:ns1="http://some.namespace/url">
  <childtag>
    <other:signatureDestination xmlns:other="http://some.other.namespace">
      <xmldsig:signature xmlns:xmldsig="…">
        …
      </xmldsig:signature>
    </other:signatureDestination>
  </childtag>
</ns1:parenttag>
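The destination format described above, as an added Python example that is not Ceptor code: parse_destination splits the string into (namespace, prefix, localname) tokens using the same {namespace}tag notation, locate_destination walks a document along that path (this example assumes that missing path elements are created), and place_signature drops a placeholder ds:Signature there to show where the server-side signature would land. DEST and SAMPLE_XML are constructed inputs.

```python
import re
import xml.etree.ElementTree as ET

# Added example, not Ceptor code: interprets the signatureDestination string format above.
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
# One token: optional {namespace}, optional prefix:, then the local tag name.
TOKEN_RE = re.compile(r"^(?:\{(?P<ns>[^}]*)\})?(?:(?P<prefix>[^:{}]+):)?(?P<name>[^:{}]+)$")
# Constructed input: the page's own destination string and a matching document.
DEST = "{http://some.namespace/url}parenttag;childtag;{http://some.other.namespace}other:signatureDestination"
SAMPLE_XML = '<ns1:parenttag xmlns:ns1="http://some.namespace/url"><childtag>payload</childtag></ns1:parenttag>'

def parse_destination(dest):
    """Split 'a;{ns}b;{ns2}p:c' into (namespace, prefix, localname) tuples, rejecting bad tokens."""
    tokens = []
    for raw in dest.split(";"):
        m = TOKEN_RE.match(raw.strip())
        if not m:
            raise ValueError(f"malformed signatureDestination token: {raw!r}")
        ns, prefix, name = m.group("ns") or "", m.group("prefix"), m.group("name")
        if prefix and not ns:
            raise ValueError(f"prefix {prefix!r} given without a {{namespace}} in {raw!r}")
        tokens.append((ns, prefix, name))
    return tokens

def clark(ns, name):
    """ElementTree's {namespace}tag form, the same notation the destination string uses."""
    return f"{{{ns}}}{name}" if ns else name

def locate_destination(root, tokens):
    """Walk from the root along the tokens; assumption: missing path elements are created."""
    ns, _, name = tokens[0]
    if root.tag != clark(ns, name):
        raise ValueError(f"root is {root.tag!r}, destination expects {clark(ns, name)!r}")
    node = root
    for ns, prefix, name in tokens[1:]:
        if prefix:
            ET.register_namespace(prefix, ns)  # keep the requested prefix when serialising
        child = node.find(clark(ns, name))
        node = child if child is not None else ET.SubElement(node, clark(ns, name))
    return node

def place_signature(xml_text, dest, signature_value="(signature goes here)"):
    """Insert a placeholder ds:Signature at the destination; the real signing happens server-side."""
    ET.register_namespace("ds", DSIG_NS)
    root = ET.fromstring(xml_text)
    target = locate_destination(root, parse_destination(dest))
    ET.SubElement(target, clark(DSIG_NS, "Signature")).text = signature_value
    return ET.tostring(root, encoding="unicode")
```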
Xpath transformations
...
Decryption only requires the XML and the alias of a private key loaded by the PortalProtect server; with those it can decrypt the XML message.
// Method signatures only; see the javadoc for the full, up-to-date list.
public class WSSAgent {
    /**
     * Sign and encrypt a SOAP message
     * @param sessionID Session ID of the user doing the signing
     * @param xml XML – SOAP request or response to sign and encrypt
     * @param signer ID of signer – must be the alias of a key registered at the PP server
     * @param receipient ID of receiver, either the alias of a public key/certificate, or an email address or serial which can be looked up in TDC's LDAP server.
     * @return Signed and encrypted SOAP.
     * @throws PTException
     */
    public static String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient) throws PTException;

    /**
     * Sign and encrypt a SOAP message
     * @param sessionID Session ID of the user doing the signing
     * @param xml XML – SOAP request or response to sign and encrypt
     * @param signer ID of signer – must be the alias of a key registered at the PP server
     * @param receipient ID of receiver, either the alias of a public key/certificate, or an email address or serial which can be looked up in TDC's LDAP server.
     * @param partsDefinition Defines which parts to sign – e.g. "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
     * @return Signed and encrypted SOAP.
     * @throws PTException
     */
    public static String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient, String partsDefinition) throws PTException;

    /**
     * Sign a SOAP message
     * @param sessionID Session ID of the user doing the signing
     * @param xml SOAP request or response to sign
     * @param signer ID of signer – must be the alias of a key registered at the PP server
     * @return Signed SOAP.
     * @throws PTException
     */
    public static String signSOAP(String sessionID, String xml, String signer) throws PTException;

    /**
     * Sign a SOAP message
     * @param sessionID Session ID of the user doing the signing
     * @param xml SOAP request or response to sign
     * @param signer ID of signer – must be the alias of a key registered at the PP server
     * @param partsDefinition Defines which parts to sign – e.g. "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
     * @return Signed SOAP.
     * @throws PTException
     */
    public static String signSOAP(String sessionID, String xml, String signer, String partsDefinition) throws PTException;

    /**
     * Validates and decrypts a signed and/or encrypted SOAP message
     * @param sessionID Session ID of the user doing the validation
     * @param xml SOAP to decrypt / check the signature for.
     * @return Decrypted SOAP message
     * @throws PTException
     */
    public static String validateSignatureAndDecryptSOAP(String sessionID, String xml) throws PTException;

    /**
     * Logon with a signed XML message – the certificate which signed the message will be used for logging in.
     * @param sessionID Session to log in to
     * @param xml SOAP to decrypt / check the signature for.
     * @return Decrypted SOAP message
     * @throws PTException
     */
    public static String logonWithSOAP(String sessionID, String xml) throws PTException;

    /**
     * Signs a particular piece of XML (not SOAP) using XMLDSIG
     * @param sessionID Session ID to use for signing
     * @param xml XML to sign
     * @param signer ID of signer – must match the alias or name of a certificate configured on the PP server
     * @param referenceIDs List of references to sign
     * @param signatureDestination Place to put the signature in the XML – list of tokens separated by /
     * @return Signed XML
     * @throws PTException
     */
    public static String signXML(String sessionID, String xml, String signer, String[] referenceIDs, String signatureDestination) throws PTException;

    /**
     * Validates an XMLDSIG signed document.
     *
     * @param sessionID Session ID to use for validating
     * @param xml Signed XML
     * @return List of certificates which signed this XML
     * @throws PTException
     */
    public static X509Certificate[] validateXMLSignature(String sessionID, String xml) throws PTException;
}