WebService Security

Ceptor PortalProtect has support for WS-Security meaning it can be used to sign/encrypt outgoing SOAP messages, and it can verify signatures / decrypt incoming SOAP messages.

Additionally it can sign complete XML documents, or parts of documents using the XMLDSIG standard – and it can verify signed documents.

Overview

All signing/verification takes place on the PP server – which means that keys, keystores etc. are only known to the PP server and not to the applications that use it.

An application that needs to sign a document calls an API in the PortalProtect Agent with the XML and an alias of the key which should be used to sign the document. The Agent then transfers the document to the PP server which signs/encrypts it and the signed/encrypted document is then transferred back to the Agent.

Requirements

Two .jar files are required: PortalProtectWSSecurity.jar must be installed on the PortalProtect server, and PortalProtectWSSecurity_Support.jar must be installed in the agent.

The required .jar files are present in the Ceptor PortalProtect server distribution - these all come from Apache WSS4J and dependent projects. WSS4J is the WS-Security engine which PortalProtect uses under the covers for the actual encryption/signing/validation.

On the PP server, the authentication plugin dk.itp.portalprotect.wss.WSSAuthenticationPlugin must be configured in the session controller. Alternatively you can implement your own authentication plugin which uses dk.itp.portalprotect.wss.WSSAuthPluginSupport to do the WSS work.

Here is the source code for WSSAuthenticationPlugin which you can base your own plugin on if you wish to do something else at login.

package dk.itp.portalprotect.wss;
import java.util.Hashtable;
import java.util.Properties;

import dk.itp.portalprotect.wss.WSSAuthPluginSupport.Result;
import dk.itp.security.authentication.x509.AbstractX509CertificatePlugin;
import dk.itp.security.passticket.AuthTypes;
import dk.itp.security.passticket.PTException;
import dk.itp.security.passticket.User;
import dk.itp.security.passticket.server.AuthErrorCodes;

/**
 * SSL Cert plugin, which adds support for WSS
 * 
 * @author Kim Rasmussen
 * @version $Revision: 1.1 $
 * 
 * <pre>
 * PortalProtect - Security infrastructure
 * 
 * This source code is confidential.
 * </pre>
 */
public class WSSAuthenticationPlugin extends AbstractX509CertificatePlugin {
	// Does the actual WS-Security work (signature validation, decryption); this plugin only maps the result onto the User
	WSSAuthPluginSupport wssauth;
	public Object executeCommand(User user, String name, Object input)
			throws PTException {
		return wssauth.executeCommand(user, name, input);
	}
	public void setConfiguration(Properties props) {
		super.setConfiguration(props);
		
		// statistics and providers are fields inherited from AbstractX509CertificatePlugin
		wssauth = new WSSAuthPluginSupport(statistics, providers);
		wssauth.setConfiguration(props);
	}
	public String getStatusText(String action) {
		return super.getStatusText() + wssauth.getStatusText(this, action);
	}
	public String getName() {
		return "WebService Security";
	}
	public int getAuthenticationType() {
		return AuthTypes.AUTHTYPE_WSS;
	}
	public int getAuthenticationLevel() {
		return 3;
	}
	public void confirm(User user, String signtext, Object credentials) throws PTException {
		verifyCertificate(user, credentials.toString(), true, true, null, signtext);
	}
	public void login(User user, String userid, Object credentials) throws PTException {
		// credentials holds the signed (and possibly encrypted) SOAP message; the PP server
		// validates the signature and decrypts it, returning the signer's certificate subject
		Result result = wssauth.logonValidateSignatureAndDecrypt(credentials.toString());
		try {
			if (user.stateVariables == null)
				user.stateVariables = new Hashtable();
			
			user.stateVariables.put("soap", result.xmlOutput);
			
			if (result.subject != null) {
				user.username = result.subject.getProperty("CN");
	
				// CPR might be in userid, but this plugin wants it in customerID
				user.customerID = user.userid;
				user.userid = result.subject.getSerialNumber();
				user.password = null;
				user.isLoggedOn = true;
				
				if (result.subject.getO() != null)
					user.stateVariables.put("subject_o", result.subject.getO());
				if (result.subject.getOu() != null)
					user.stateVariables.put("subject_ou", result.subject.getOu());
				user.stateVariables.put("subject_dn", result.subject.getOrderedSubjectDN());

				if (result.cvr != null)
					user.stateVariables.put("cvr", result.cvr);
				if (result.pid != null)
					user.stateVariables.put("pid", result.pid);
				if (result.rid != null)
					user.stateVariables.put("rid", result.rid);
				if (result.uid != null)
					user.stateVariables.put("uid", result.uid);
			} else {
				throw new PTException("No certificate or SOAP not signed", AuthErrorCodes.ERROR_USERNOTFOUND,
					"No certificate");				
			}
		} catch (Throwable t) {
			// cat is the logger inherited from the superclass
			cat.warn("Problem authenticating", t);
			throw new PTException("unexpected error occurred while authenticating using X509 Certificate",
				(short) -1, t.getMessage());
		}
	}
}

Client API

To access the WS-Security API from the client, you can call the methods in dk.itp.portalprotect.wss.agent.WSSAgent to explicitly sign or encrypt a document.

This is a list of the methods that can be used for that…

Please refer to the javadoc for the most up-to-date list of methods and parameters.

public class WSSAgent {
/**
 * Sign and Encrypt a SOAP message
 * @param sessionID Session ID of user doing the signing
 * @param xml XML - SOAP request or response to sign and encrypt
 * @param signer ID of signer - must be alias of key registered at PP server
 * @param receipient ID of receiver, either alias of public key/certificate, or email address or serial which can be looked up in TDC's LDAP server.
 * @return Signed and encrypted SOAP.
 * @throws PTException
 */
public static String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient) throws PTException;

/**
 * Sign and Encrypt a SOAP message
 * @param sessionID Session ID of user doing the signing
 * @param xml XML - SOAP request or response to sign and encrypt
 * @param signer ID of signer - must be alias of key registered at PP server
 * @param receipient ID of receiver, either alias of public key/certificate, or email address or serial which can be looked up in TDC's LDAP server.
 * @param partsDefinition Defines which parts to sign - e.g. "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
 * @return Signed and encrypted SOAP.
 * @throws PTException
 */
public static String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient, String partsDefinition) throws PTException;

/**
 * Sign a SOAP message
 * @param sessionID Session ID of user doing the signing
 * @param xml SOAP request or response to sign
 * @param signer ID of signer - must be alias of key registered at PP server
 * @return Signed SOAP.
 * @throws PTException
 */
public static String signSOAP(String sessionID, String xml, String signer) throws PTException;

/**
 * Sign a SOAP message
 * @param sessionID Session ID of user doing the signing
 * @param xml SOAP request or response to sign
 * @param signer ID of signer - must be alias of key registered at PP server
 * @param partsDefinition Defines which parts to sign - e.g. "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
 * @return Signed SOAP.
 * @throws PTException
 */
public static String signSOAP(String sessionID, String xml, String signer, String partsDefinition) throws PTException;

/**
 * Validates and decrypts an eventually signed and/or encrypted SOAP message
 * @param sessionID Session ID of user doing the validation
 * @param xml SOAP to decrypt/check signature for.
 * @return Decrypted SOAP message
 * @throws PTException
 */
public static String validateSignatureAndDecryptSOAP(String sessionID, String xml) throws PTException;

/**
 * Logon with a signed XML message - the certificate which signed the message will be used for logging in.
 * @param sessionID Session to log in to
 * @param xml SOAP to decrypt/check signature for.
 * @return Decrypted SOAP message
 * @throws PTException
 */
public static String logonWithSOAP(String sessionID, String xml) throws PTException;

/**
 * Signs a particular piece of XML (not SOAP) using XMLDSIG
 * @param sessionID Session ID to use for signing
 * @param xml XML to sign
 * @param signer ID of signer - must match alias or name of certificate configured on PP server
 * @param referenceIDs List of references to sign
 * @param signatureDestination Place to put the signature in the XML - list of tokens separated by /
 * @return Signed XML
 * @throws PTException
 */
public static String signXML(String sessionID, String xml, String signer, String[] referenceIDs, String signatureDestination) throws PTException;

/**
 * Validates an XMLDSIG signed document.
 *
 * @param sessionID Session ID to use for validating
 * @param xml Signed XML
 * @return List of certificates which signed this XML
 * @throws PTException
 */
public static X509Certificate[] validateXMLSignature(String sessionID, String xml) throws PTException;
}


Axis / RPC Message Handlers

It is possible to let some message handlers do the work of calling the various APIs and intercepting the SOAP messages to encrypt/decrypt and check signature for. These webservice handlers are named:

dk.itp.portalprotect.wss.handlers.AxisClientSecurityHandler
dk.itp.portalprotect.wss.handlers.ClientSecurityHandler
dk.itp.portalprotect.wss.handlers.AxisSecurityHandler
dk.itp.portalprotect.wss.handlers.SecurityHandler

On a client making webservice calls, you should use AxisClientSecurityHandler if using an Axis 1.x client, or ClientSecurityHandler if you want an RPC webservice handler for another webservice engine.

On the server receiving webservice calls, you should use AxisSecurityHandler if using an Axis 1.x server, or SecurityHandler if you want an RPC webservice handler for another webservice engine.

You can either use configuration entries, or API calls to instruct the handlers on which messages should need signing and/or encryption. If you use API calls, they will overwrite the configuration. All API calls are in the WSSAgent class as listed above.


This is a list of the functions which can be called, and they all affect the next webservice request or reply passing through the handlers.

public static class WSSignInfo {
/**
 * Sign and Encrypt a SOAP message
 * @param sessionID Session ID of user doing the signing
 * @param xml XML - SOAP request or response to sign and encrypt
 * @param signer ID of signer - must be alias of key registered at PP server
 * @param receipient ID of receiver, either alias of public key/certificate, or email address or serial which can be looked up in TDC's LDAP server.
 * @return Signed and encrypted SOAP.
 * @throws PTException
 */
public static String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient) throws PTException;

/**
 * Sign and Encrypt a SOAP message
 * @param sessionID Session ID of user doing the signing
 * @param xml XML - SOAP request or response to sign and encrypt
 * @param signer ID of signer - must be alias of key registered at PP server
 * @param receipient ID of receiver, either alias of public key/certificate, or email address or serial which can be looked up in TDC's LDAP server.
 * @param partsDefinition Defines which parts to sign - e.g. "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
 * @return Signed and encrypted SOAP.
 * @throws PTException
 */
public static String signAndEncryptSOAP(String sessionID, String xml, String signer, String receipient, String partsDefinition) throws PTException;

/**
 * Sign a SOAP message
 * @param sessionID Session ID of user doing the signing
 * @param xml SOAP request or response to sign and encrypt
 * @param signer ID of signer - must be alias of key registered at PP server
 * @return Signed SOAP.
 * @throws PTException
 */
public static String signSOAP(String sessionID, String xml, String signer) throws PTException;
    
/**
 * Sign a SOAP message
 * @param sessionID Session ID of user doing the signing
 * @param xml SOAP request or response to sign and encrypt
 * @param signer ID of signer - must be alias of key registered at PP server
 * @param partsDefinition Defines which parts to sign - e.g. "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
 * @return Signed SOAP.
 * @throws PTException
 */
public static String signSOAP(String sessionID, String xml, String signer, String partsDefinition) throws PTException;
    
/**
 * Validates and decrypts an eventually signed and/or encrypted SOAP message
 * @param sessionID Session ID of user doing the validation
 * @param xml SOAP to decrypt/check signature for.
 * @return Decrypted SOAP message
 * @throws PTException
 */
public static String validateSignatureAndDecryptSOAP(String sessionID, String xml) throws PTException;
    
/**
 * Logon with a signed XML message - the certificate which signed the message will be used for logging in.
 * @param sessionID Session to log in to
 * @param xml SOAP to decrypt/check signature for.
 * @return Decrypted SOAP message
 * @throws PTException
 */
public static String logonWithSOAP(String sessionID, String xml) throws PTException;

/**
 * Signs a particular piece of XML (not SOAP) using XMLDSIG
 * @param sessionID Session ID to use for signing
 * @param xml XML to sign
 * @param signer ID of signer - must match alias or name of certificate configured on PP server
 * @param referenceIDs List of references to sign
 * @param signatureDestination Place to put the signature in the XML - list of tokens separated by /
 * @return Signed XML
 * @throws PTException
 */
public static String signXML(String sessionID, String xml, String signer, String[] referenceIDs, String signatureDestination) throws PTException;

/**
 * Signs a particular piece of XML (not SOAP) using XMLDSIG
 * @param sessionID Session ID to use for signing
 * @param xml XML to sign
 * @param signer ID of signer - must match alias or name of certificate configured on PP server
 * @param referenceIDs List of references to sign
 * @param signatureDestination Place to put the signature in the XML - list of tokens separated by /
 * @param prefixList InclusiveNamespaces PrefixList - refer to EXC-C14N standard for description - can be null.
 * @param xpathFilter Optional Xpath filter - if specified, the Xpath filter transform will be added too
 * @param xpathNamespaceMap Optional Xpath namespace map - ignored unless Xpath filter specified too.
 * @return Signed XML
 * @throws PTException
 */
public static String signXML(String sessionID, String xml, String signer, String[] referenceIDs, String signatureDestination, List prefixList, String xpathFilter, Map xpathNamespaceMap) throws PTException;

/**
 * Signs a particular piece of XML (not SOAP) using XMLDSIG, and using an enveloped signature
 * @param sessionID Session ID to use for signing
 * @param xml XML to sign
 * @param signer ID of signer - must match alias or name of certificate configured on PP server
 * @return Signed XML
 * @throws PTException
 */
public static String signXMLEnveloped(String sessionID, String xml, String signer) throws PTException;
	
/**
 * Validates an XMLDSIG signed document.
 * 
 * @param sessionID Session ID to use for validating
 * @param xml Signed XML
 * @return List of certificates which signed this XML document
 * @throws PTException
 */
public static X509Certificate[] validateXMLSignature(String sessionID, String xml) throws PTException;
    
/**
 * Reset the action on the next SOAP request/response
 */
public static void setWSSignEncryptReset();

/**
 * Do not sign or encrypt the next webservice request/response for this thread.
 */
public static void setWSDoNotSignOrEncrypt();


/**
 * Sign the next webservice request/response for this thread
 * @param signer ID of signer - must match alias/name configured in PP server
 */
public static void setWSDoSign(String signer); 

/**
 * Sign the next webservice request/response for this thread
 * @param signer ID of signer - must match alias/name configured in PP server
 * @param partsDefinition Defines which parts to sign - e.g. "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
 */
public static void setWSDoSign(String signer, String partsDefinition);

/**
 * Sign and encrypt the next webservice request/response for this thread.
 * @param signer ID of signer key
 * @param receipient
 */
public static void setWSDoSignAndEncrypt(String signer, String receipient);

/**
 * Sign and encrypt the next webservice request/response for this thread.
 * @param signer ID of signer key
 * @param receipient
 * @param partsDefinition Defines which parts to sign - e.g. "Body;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken"
 */
public static void setWSDoSignAndEncrypt(String signer, String receipient, String partsDefinition);
	
/**
 * Do not sign or encrypt the XML (XMLDSIG) in the next webservice request
 */
public static void setWSDoNotSignOrEncryptXML();

/**
 * Sign the XML (XMLDSIG) in the next webservice request
 */
public static void setWSDoSignXML(String signer, String[] referenceIDs, String signatureDestinationNode);

/**
 * Sign the XML (XMLDSIG) in the next webservice request
 */
public static void setWSDoSignXML(String signer, String[] referenceIDs, String signatureDestinationNode, List prefixList, String xpathFilter, Map xpathNamespaceMap);
	
/**
 * Gets the configuration for a webservice
 * @param name Name of the webservice, or "default" to get the default configuration for webservices if any
 * @return Entry containing configuration for this particular webservice
 */
public static WSSConfigurationEntry getServiceConfiguration(String name);
}


Alternatively, the configuration for the specific server the webservice handler is running in can contain wss.ws.* entries (see the configuration section in this document) which specify the behavior of the handlers when the APIs are not called.

This example configuration signs all requests by default using the testvoces certificate, and encrypts all requests by default using the specified certificate.

<property name="wss.ws.default.signrequest" value="testvoces" description=""/>
<property name="wss.ws.default.encryptrequest" value="TDC TOTALLØSNINGER A/S - TDC Test" description=""/>

Note that when calling the client handler, a session ID normally needs to be present for the thread in dk.itp.security.sessionctrl.PPSecurityContext; otherwise the client handler will not perform any action at all. The server handler will use the session ID from PPSecurityContext or, if that is not available, it will attempt to extract it from the HTTP request; if none is found, it will create a new session itself and use that for the call. However, if the property wss.ws.xxxx.allowanonymouscalls is set to true, an anonymous PP session ID will be used instead and the call will be performed anyway. This makes it impossible for the PP server to verify whether the user is allowed to use the private key to sign the request, so only enable it if you accept having no security on that part.


Signing XML

When signing XML (not SOAP requests), one of the parameters to setWSDoSignXML/signXML is a string containing the signatureDestination. It is used to specify where in the resulting XML the signature should end up: it consists of a semicolon separated list of tags from the parent inwards to where the signature should be placed. Each tag name can optionally be qualified with its namespace in {} brackets before the tag name, and a namespace prefix can optionally be assigned by putting the prefix, followed by a colon, in front of the tag name.

e.g. it can be specified as: {http://some.namespace/url}parenttag;childtag;{http://some.other.namespace}other:signatureDestination

In the above example, the signature will be placed here:

<ns1:parenttag xmlns:ns1="http://some.namespace/url">
   <childtag>
      <other:signatureDestination xmlns:other="http://some.other.namespace">
         <xmldsig:Signature xmlns:xmldsig="….">
            …
         </xmldsig:Signature>
      </other:signatureDestination>
   </childtag>
</ns1:parenttag>
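As an added illustration (not PortalProtect code), the following Python parses a signatureDestination string of the form described above, walks the document from the root inwards creating any missing elements, and appends a placeholder ds:Signature at the destination. The partsDefinition strings in the Client API listing use the same {namespace}tag token syntax, so the parser accepts those too; the sample document and destination are constructed from the page's example.

```python
import re
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"

# One token: optional {namespace}, optional prefix:, then the local tag name.
TOKEN_RE = re.compile(r"^(?:\{(?P<ns>[^}]*)\})?(?:(?P<prefix>[^:{}]+):)?(?P<local>[^:{}]+)$")


def parse_destination(destination):
    """Split a signatureDestination (or partsDefinition) string into
    (namespace, prefix, local_name) tuples, outermost element first."""
    tokens = []
    for raw in destination.split(";"):
        raw = raw.strip()
        if not raw:
            raise ValueError("empty token in destination string")
        match = TOKEN_RE.match(raw)
        if match is None:
            raise ValueError(f"malformed token: {raw!r}")
        tokens.append((match.group("ns"), match.group("prefix"), match.group("local")))
    return tokens


def clark(ns, local):
    """ElementTree's {namespace}local form for a tag; plain local name when unqualified."""
    return f"{{{ns}}}{local}" if ns else local


def place_signature(xml_text, destination):
    """Walk the destination path from the root inwards, creating missing
    elements, and append an empty placeholder ds:Signature at the end.
    Returns (root, path) where path lists the Clark-form tags walked."""
    root = ET.fromstring(xml_text)
    tokens = parse_destination(destination)
    ns, prefix, local = tokens[0]
    if root.tag != clark(ns, local):
        raise ValueError(f"root is {root.tag}, destination starts at {clark(ns, local)}")
    path = [root.tag]
    current = root
    for ns, prefix, local in tokens[1:]:
        if ns and prefix:
            # Keep the author-chosen prefix (e.g. "other") when serialising.
            ET.register_namespace(prefix, ns)
        tag = clark(ns, local)
        child = current.find(tag)
        if child is None:
            child = ET.SubElement(current, tag)
        current = child
        path.append(tag)
    ET.register_namespace("xmldsig", DSIG_NS)
    # Placeholder only: the real <Signature> content is produced by the signing server.
    ET.SubElement(current, clark(DSIG_NS, "Signature"))
    return root, path


# Constructed input matching the page's example (no product code involved).
SAMPLE_XML = (
    '<ns1:parenttag xmlns:ns1="http://some.namespace/url">'
    "<childtag><payload>order 42</payload></childtag>"
    "</ns1:parenttag>"
)
SAMPLE_DEST = (
    "{http://some.namespace/url}parenttag;childtag;"
    "{http://some.other.namespace}other:signatureDestination"
)

if __name__ == "__main__":
    root, path = place_signature(SAMPLE_XML, SAMPLE_DEST)
    print(" / ".join(path))
    print(ET.tostring(root, encoding="unicode"))
```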

Xpath Transformations

Some applications require Xpath transformations – this can be done with both the signXML and setWSDoSignXML methods.

Example:

WSSAgent.signXML(sessionid, xml, signer, referenceIDs, destination, prefixlist, "<xpath expression>", xpathNamespaceMap);


This will add a reference with an empty URI to the signed XML, much like this:

<Reference URI="">
  <Transforms>
    <Transform Algorithm="http://www.w3.org/TR/1999/REC-xpath-19991116">
      <XPath>not(ancestor-or-self::*)</XPath>
    </Transform>
  </Transforms>
  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  <DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</DigestValue>
</Reference>

XML Encryption

If you need confidentiality, you can encrypt or decrypt XML using the following methods in the WSSAgent (dk.itp.portalprotect.wss.agent.WSSAgent) class:


Please refer to the javadoc for the most up-to-date information.

/**
 * Decrypts and validates an XMLDSIG signed document, optionally disabling certificate validity checks.
 * 
 * @param agent The Agent instance to use
 * @param sessionID Session ID to use for validating
 * @param xml Signed XML
 * @param timestamp The time to check validity for. Set to null to check validity now.
 * @param checkValidity If false, CRL or expire checks will not be done
 * @param aliasOfPrivateEncryptKey Alias of the private key, loaded on the PP server, used to decrypt the document
 * @return Object array, first element is decrypted XML, the rest is a number of X509Certificate which signed this XML document
 * @throws PTException
 */
public static Object[] decryptAndValidateXMLSignature(IPTServer agent, String sessionID, String xml, Date timestamp, boolean checkValidity, String aliasOfPrivateEncryptKey) throws PTException;

/**
 * Signs and encrypts a particular piece of XML (not SOAP) using XMLDSIG, and using an enveloped signature
 * @param sessionID Session ID to use for signing
 * @param xml XML to sign
 * @param signer ID of signer - must match alias or name of certificate configured on PP server
 * @param canonicalizationMethod CanonicalizationMethod - default is: http://www.w3.org/TR/2001/REC-xml-c14n-20010315
 * @param signatureProperties List of strings containing XML that will be signed and added to the signature as signature properties
 * @param agent The Agent instance to use
 * @param digestMethod Digest Method to use, either "http://www.w3.org/2000/09/xmldsig#sha1" or "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
 * @param receiverCertificateAlias Alias of the certificate containing the public key to use for encrypting the XML
 * @param encryptContentOnly If true, just the content is encrypted and not the root element, if false the root element is encrypted too.
 * 
 * @return Signed and encrypted XML
 * @throws PTException
 */
public static String signAndEncryptXMLEnveloped(String sessionID, String xml, String signer, String canonicalizationMethod, String[] signatureProperties, String digestMethod, String receiverCertificateAlias, boolean encryptContentOnly) throws PTException;

/**
 * Encrypts a particular piece of XML
 * @param sessionID Session ID to use for encryption
 * @param xml XML to encrypt
 * @param receiverCertificate Certificate to use key from when encrypting
 * @param receiverPublicKeyAlias If receiverCertificate is null, use this alias to lookup the certificate
 * @param pathToElement Path to element to encrypt, e.g. "ds:Signature" or "" for root element
 * @param encryptContentOnly If true, just the content is encrypted and not the root element, if false the root element is encrypted too.
 * @return Encrypted XML
 * @throws PTException
 */
public static String encryptXML(IPTServer agent, String sessionID, String xml, X509Certificate receiverCertificate, String receiverPublicKeyAlias, String pathToElement, boolean encryptContentOnly) throws PTException;

/**
 * Decrypts a particular piece of XML
 * @param sessionID Session ID to use for decryption
 * @param xml XML to decrypt
 * @param privateKeyAlias Alias of private key which should be used to decrypt the XML
 * @return Decrypted XML
 * @throws PTException
 */
public static String decryptXML(IPTServer agent, String sessionID, String xml, String privateKeyAlias) throws PTException;

XML Encryption is done by generating a symmetric key which is used to encrypt the message; this key is encrypted with the receiver's public key and included in the message.


Below is an example of an encrypted XML message.

<?xml version="1.0" encoding="UTF-8"?>
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<xenc:CipherData><xenc:CipherValue>aaeJh+36XTAsf7+9Ysd1hX7X8IJCejnnzCR5oGsQiaU3CnmEGdmBlPCpcIh/5qORYkxFNsQZVE10
rCoTaQ386ByiAYClcvX19B8AiUr3LePapzEt0DKP96DSwk3KLzg5LlTdwg/1y+VjX3Ln+tAuFuM6
bsc7vdg6P/d606bHP7Y=
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>6aUfkD8NcwKDW4+eurV2a/oo+WzOaTtdIGK6TyjUkrMCTgTvR9VMTSNi7PAVa1YsJ1+yppB55aps
s1glGspu40oBZg2qZExMjVlMkMWzdtsZpHaZcHy6rgjdF9uVhR+fccMGcryVthDM6NCirshpUcgu
6sFporvT47R5aG/HWZHB4I2pUbkUQ9wouNTFumdKZToKjvVH1XhpQ0KdHKiMWg1x61TkV+D42qi/
... Lines removed ...
4w8mT/FO67PG6awESS4JSPRKfExXLmZzoZc4owzPAwQYg7brMF10meSEADJmC3p6WegbgYjRVRgy
XCETs3yFxe5YJZ/Lk5mYb1l7zCx96xO05gMl7uCx8GFW8jA7/fgREJru9bXQEfg1LGZwgm4H7uTc
bzk3WmOchkmJyZTSDJ0BcYppi4qmAvuxnsRGM7g4cw==
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>



Decryption just requires the XML and the alias of a private key loaded by the PortalProtect server, which can then decrypt the XML message.
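As an added example (not PortalProtect code), the following Python inspects a received xenc:EncryptedData message with the structure shown above before it is handed on for decryption: it extracts the key-transport and data-encryption algorithm identifiers, checks that both CipherValue elements hold valid base64, and flags legacy algorithms such as the tripledes-cbc and rsa-1_5 used in the sample. The sample message is constructed here with dummy bytes in place of real ciphertext.

```python
import base64
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Algorithm identifiers from XML Encryption 1.0 that a receiver should treat as
# legacy; the page's sample message uses the first two.
LEGACY_ALGORITHMS = {
    XENC + "tripledes-cbc": "3DES-CBC: 64-bit blocks and no integrity protection",
    XENC + "rsa-1_5": "RSA PKCS#1 v1.5 key transport: prefer RSA-OAEP",
    XENC + "aes128-cbc": "AES-CBC without integrity protection: prefer AES-GCM",
    XENC + "aes192-cbc": "AES-CBC without integrity protection: prefer AES-GCM",
    XENC + "aes256-cbc": "AES-CBC without integrity protection: prefer AES-GCM",
}


def _q(local):
    """Clark-form name in the xenc namespace."""
    return f"{{{XENC}}}{local}"


def _algorithm(elem):
    method = elem.find(_q("EncryptionMethod"))
    if method is None or "Algorithm" not in method.attrib:
        raise ValueError(f"{elem.tag} has no EncryptionMethod/@Algorithm")
    return method.attrib["Algorithm"]


def _cipher_value(elem):
    node = elem.find(_q("CipherData") + "/" + _q("CipherValue"))
    if node is None or not (node.text or "").strip():
        raise ValueError(f"{elem.tag} has no CipherValue")
    # The base64 text is line-wrapped, as in the page's sample: strip all whitespace first.
    return base64.b64decode("".join(node.text.split()), validate=True)


def inspect_encrypted_data(xml_text):
    """Summarise an xenc:EncryptedData element: both algorithms, the sizes of the
    wrapped key and of the ciphertext, and any legacy-algorithm warnings."""
    root = ET.fromstring(xml_text)
    if root.tag != _q("EncryptedData"):
        raise ValueError(f"expected xenc:EncryptedData, got {root.tag}")
    encrypted_key = root.find(f"{{{DS}}}KeyInfo/" + _q("EncryptedKey"))
    if encrypted_key is None:
        raise ValueError("no ds:KeyInfo/xenc:EncryptedKey: symmetric key not transported in the message")
    data_alg = _algorithm(root)
    key_alg = _algorithm(encrypted_key)
    return {
        "type": root.attrib.get("Type"),
        "data_algorithm": data_alg,
        "key_algorithm": key_alg,
        "wrapped_key_bytes": len(_cipher_value(encrypted_key)),
        "ciphertext_bytes": len(_cipher_value(root)),
        "warnings": [LEGACY_ALGORITHMS[a] for a in (data_alg, key_alg) if a in LEGACY_ALGORITHMS],
    }


def _wrapped_b64(data, width=76):
    text = base64.b64encode(data).decode("ascii")
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


# Constructed sample with the same layout as the page's message. The cipher values
# are dummy bytes, not real ciphertext: a 128-byte wrapped key (the size produced by
# a 1024-bit RSA key) and a 40-byte payload (five 3DES blocks).
SAMPLE_MESSAGE = f"""<xenc:EncryptedData xmlns:xenc="{XENC}" Type="{XENC}Element">
<xenc:EncryptionMethod Algorithm="{XENC}tripledes-cbc"/>
<ds:KeyInfo xmlns:ds="{DS}">
<xenc:EncryptedKey>
<xenc:EncryptionMethod Algorithm="{XENC}rsa-1_5"/>
<xenc:CipherData><xenc:CipherValue>{_wrapped_b64(bytes(128))}
</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedKey>
</ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>{_wrapped_b64(bytes(range(40)))}
</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

if __name__ == "__main__":
    for key, value in inspect_encrypted_data(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```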


© Ceptor ApS. All Rights Reserved.