8

I am implementing ebXML3.0 in java and looking for a java library/API I can use for Signing and Encryption of SOAP messages with attachment. Earlier I was using "Apache wss4j" but this seems to only support signing/encryption of SOAP Body (No attachment).

Basically looking for Java API which supports following

https://www.oasis-open.org/committees/download.php/16672/wss-v1.1-spec-os-SwAProfile.pdf

user1842997
  • 99
  • 4
  • The only thing I found was something in a [2005 Oracle whitepaper](http://www.oracle.com/technetwork/middleware/ias/ws-attachment-pcho-130995.pdf): "WS-Security, being a standard built on XML Infoset, cannot associate encrypted or signed attachments with SOAP envelope in case of SwA or DIME messages. For that reason, as of today, SOAP Requester should encrypt or sign sensitive payload manually before sending as attachments via SwA or DIME, and subsequently, SOAP Provider has to carry out decryption or signature validation at the Service implementation layer..." – Maarten Bodewes Jan 05 '13 at 03:23
  • It seems to me that I've offered my bounty to no avail, dear new user. If you ever find out the answer, please don't forget to post it here. – Maarten Bodewes Mar 13 '13 at 00:52
  • Could you put a shared key in the body of the SOAP message (which you encrypt using your currently library) and handle encryption yourself using that key. – Colton Mar 13 '13 at 17:55

2 Answers2

1

I guess you already found http://docs.oracle.com/cd/E17802_01/webservices/webservices/docs/1.6/tutorial/doc/XWS-SecuritySamples6.html and it hasn't been what you were looking for?

Edit: After your latest comment I guess, it does already work out for you Glassfish Metro is an implementation which is able to use WS-Security in combination with SOAP with Attachments. More information (including an example application can be found on https://blogs.oracle.com/enterprisetechtips/entry/securing_attachments_with_metro_1). I'm sure the example will lead you on.

BTW: It also looks like XWSS 2.x and higher are also supporting WS-Sec with SwA, see: http://xwss.java.net/

D.R.
  • 20,268
  • 21
  • 102
  • 205
  • It seems that that points to a development pack that has been replaced by project GlassFish. If you can point to same within project GlassFish and put a bit of content in the answer (just a link is not considered an adequate answer) then I would be happy to award you the points. – Maarten Bodewes Mar 13 '13 at 22:39
  • added some more pointers, not much time left, midnight *g* – D.R. Mar 13 '13 at 23:05
  • Can't test it, but it seems good enough to me, gotta sleep too. – Maarten Bodewes Mar 14 '13 at 00:48
0

Some thought has been given to supporting SwA in WSS4J - see https://issues.apache.org/jira/browse/WSS-430 although no timeline as yet.

Nathan
  • 1,418
  • 16
  • 32