Hello everyone.
I'm trying to implement authentication by certificate in a web service. According to the Spring WS-Security manual, it can be implemented by adding a BinarySecurityToken to the SOAP message, like:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://nxp.com/oum/xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:BinarySecurityToken
          ValueType="wsse:X509v3"
          EncodingType="wsse:Base64Binary" Id="SecurityToken">
        MIIHlD...
      </wsse:BinarySecurityToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>...
  </soapenv:Body>
</soapenv:Envelope>
Also, to be sure that the BinarySecurityToken is included in the message, we have to add a security policy:
<xwss:SecurityConfiguration xmlns:xwss="http://java.sun.com/xml/ns/xwss/config">
  ...
  <xwss:RequireSignature requireTimestamp="false"/>
  ...
</xwss:SecurityConfiguration>
Then we have to configure the CallbackHandlers and everything should work, but what I get as a result is this exception:
Could not validate request: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy ] specified than present in the message; nested exception is com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: More Receiver requirements [ SignaturePolicy ] specified than present in the message
If I then try to add signature information (<ds:Signature></ds:Signature>), it begins to work more properly, but it tries to validate the signature info, and that's not what I need. At this time the only thing I want is to validate the sender's certificate and give him rights according to the certificate's owner info.
The question is: is it not possible to send only the BinarySecurityToken? If so, why does the Spring documentation show this method of authentication, if actually it can only work by signing the message?
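An added illustration, not part of the question and not Spring WS or XWSS code: the small receiver-side check below models what the RequireSignature policy demands of an incoming wsse:Security header, so that the "More Receiver requirements [ SignaturePolicy ] specified than present in the message" outcome can be reproduced on a message that carries only a BinarySecurityToken. All names in the block (evaluate_receiver_policy, build_envelope, FAKE_DER_CERT) are assumptions of this example; the certificate bytes and the ds:Signature element are constructed placeholders, and the check is structural only (it does not verify the signature cryptographically). The point it makes for the receiver: a bare certificate in a header is only a claim of identity, and without a signature made with the matching private key the receiver has no evidence that the sender actually holds that certificate.

```python
# Added example: minimal model of the receiver-side RequireSignature policy
# check. Not XWSS/Spring-WS code; all names here are this example's own.
import base64
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder for the certificate: a DER SEQUENCE header plus
# filler bytes. It is NOT a real X.509 certificate.
FAKE_DER_CERT = b"\x30\x82\x07\x94" + b"\x00" * 12
TOKEN_B64 = base64.b64encode(FAKE_DER_CERT).decode()


def build_envelope(signed):
    """Build a constructed SOAP envelope carrying a BinarySecurityToken,
    optionally with a (structural placeholder) ds:Signature that references
    the token by its wsu:Id, as a signed WS-Security message would."""
    signature = ""
    if signed:
        signature = """
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo/>
        <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#SecurityToken" ValueType="wsse:X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>"""
    return f"""<soapenv:Envelope xmlns:soapenv="{NS['soapenv']}">
  <soapenv:Header>
    <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}">
      <wsse:BinarySecurityToken ValueType="wsse:X509v3" EncodingType="wsse:Base64Binary" wsu:Id="SecurityToken">{TOKEN_B64}</wsse:BinarySecurityToken>{signature}
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body><ping/></soapenv:Body>
</soapenv:Envelope>"""


UNSIGNED_ENVELOPE = build_envelope(signed=False)  # mirrors the question
SIGNED_ENVELOPE = build_envelope(signed=True)


def evaluate_receiver_policy(envelope_xml, require_signature=True):
    """Return the list of unmet receiver requirements; [] means the header
    satisfies the modelled policy."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soapenv:Header/wsse:Security", NS)
    if security is None:
        return ["SecurityHeader"]
    unmet = []
    token_id = None
    token = security.find("wsse:BinarySecurityToken", NS)
    if token is None:
        unmet.append("BinarySecurityToken")
    else:
        token_id = token.get(f"{{{NS['wsu']}}}Id") or token.get("Id")
        raw = base64.b64decode("".join((token.text or "").split()))
        # An X.509 certificate is a DER SEQUENCE, so it must begin with 0x30.
        if raw[:1] != b"\x30":
            unmet.append("BinarySecurityToken:not-DER")
    if require_signature:
        signature = security.find("ds:Signature", NS)
        if signature is None:
            # This is the situation in the question: the policy demands a
            # signature that the message does not carry.
            unmet.append("SignaturePolicy")
        else:
            # The signature must point back at the token it was made with.
            ref = signature.find(
                "ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
            if ref is None or token_id is None or ref.get("URI") != "#" + token_id:
                unmet.append("SignaturePolicy:token-not-referenced")
    return unmet


if __name__ == "__main__":
    print("unsigned, RequireSignature:", evaluate_receiver_policy(UNSIGNED_ENVELOPE))
    print("unsigned, no signature policy:",
          evaluate_receiver_policy(UNSIGNED_ENVELOPE, require_signature=False))
    print("signed, RequireSignature:", evaluate_receiver_policy(SIGNED_ENVELOPE))
```

Run stand-alone, the unsigned envelope reports only the SignaturePolicy requirement as unmet, the same requirement named in the quoted exception, while the signed one passes the structural check. A real receiver must additionally verify the signature value against the public key in the token and validate the certificate chain before it grants any rights based on the certificate's subject.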