Recently, I have been playing with Spring WS with WS-Security. I just want to write down how it works. Do not except anything special, just simple example of basic security operations.

The example

We want to implement both client and server side. The client will sign the message, encrypt some part of it and add a timestamp. To make it more complex and real-life like we will sign the message using private key with alias “client” and encrypt the message using public key called “server”. Server will validate that the request is valid and will just sign the response using his key called “server”. Please note that I have picked Wss4j implementation because the configuration seemed to be easier than Xws.

Client

It’s easy to do configure client interceptor like this.

    
        
            
        
    
    ...



    
    
    
    
    
    
    
    
    

    
    
    



    
    

As you can see, there is nothing special. We just define which actions to take and properties. The only confusing part is, that key alias is defined as “securementUsername”.

Whit this configuration we will get following SOAP message.

    
        
            
                
                
                    
                        
                            
                                CN=Test Server,OU=Test
                                1275904530
                            
                        
                    
                
                
                    fwFM7ShJ1xd7dTGrkh0410sTmW92OPB1q1fpzB21XFIe36siDDJWGgbw5B94yjmGK2YaPOWLb7cpVTYPzc9VUDs7Jc42CtrhT2H6eZ7CDiA60Ugz+qi2UyyfMDK6Vrdj9J68rij5P12AiBeTnd2wlhI29+71XbUpD5weHDHjMtQ=
                    
                
                
                    
                
            
            
                
                    
                    
                    
                        
                            
                        
                        
                        AU9utUgz5RylYCRDUAO0JWM48kM=
                    
                
                
                    NHjjgpb9/alUOq50CqPKLcdYrp7edYdKJDNvIhh+2OAhYdDvZmD1qGsVKd1H9oKPF17uaF2Sv3aY
                    0le6BrvzVx3n2+nYYlHwAWlzBk7wsBt4vLll6q6juLCP+siupTIb1PeZDf3WrAbHUQh5oqjD6cZB
                    Sc89pDspWRABQ8wPxYE=

                
                    
                        
                            
                                CN=Lukas Krecan,OU=Test
                                1275900789
                            
                        
                    
                
            
            
                2010-06-07T11:03:35.749Z
                2010-06-07T11:08:35.749Z
            
        
    
    
        
            
                
                    
                    
                        
                            
                        
                    
                    
                        81TEtUhHXo6iZeAmYrtYlm2ObAqOBpjfzf2VOVUg4Hs=
                        
                    
                
            
            2
        
    

Server config

To configure server, you have to define Spring WS server interceptor like this (full example).

No surprise here neither. The response will look like this.

    
        
            
                
                    
                    
                    
                        
                            
                        
                        
                        hEdDfxM6Nfs62Jxe8EOsELCDtUk=
                    
                    
                        
                            
                        
                        
                        TTSRri5KJqXeMJfjzXyVmUewPxc=
                    
                
                
                    V5by3bOoGQNajfs7i9xQ+cbAqIkI0NS9N9FQlLb/dAuQfguE7jKRP9iypOeRLHCPr7g3BNg+NCrX
                    6YcgDQ0TfXNhdL00AmoEfDmWSNvIVNE49kZEn3Ji/RW4VtdEiV79VD7Vuay0YAYGo9DSQvzq3FP6
                    YEhfzfMqvfbWMdEKcO8=

                
                    
                        
                            
                                CN=Test Server,OU=Test
                                1275904530
                            
                        
                    
                
            
            
        
    
    
        
            3
        
    

As we have seen it’s possible to configure WS-Security without much hassle. To learn more, visit the official Spring WS reference. You can download full example here.