Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 2.0.2
    • Fix Version/s: 2.1 RC1
    • Component/s: None
    • Labels:
      None

      Description

      From support issue - Reference #11620

      wss4j 1.6.1 has made much improves to the WS-Security implememtation and key to us (sure others) is the work to ensure cross-implementation compliance with BSP 1.1 http://coheigea.blogspot.com/2011/03/wss4j-16-basic-security-profile-11.html.

      This upgrade opens up the possibility for Spring-WS to support SAML authentication (I'll open a separate issue for that).

        Activity

        Hide
        mdiskin Mark Diskin added a comment -

        In the meantime I've dropped the spring-ws-security dependancy, that way I'm able to bring in the latest wss4j 1.6 and handle the SAML2 SenderVoucher in my Security filter and still use the springws 2.0.x jars.

        Show
        mdiskin Mark Diskin added a comment - In the meantime I've dropped the spring-ws-security dependancy, that way I'm able to bring in the latest wss4j 1.6 and handle the SAML2 SenderVoucher in my Security filter and still use the springws 2.0.x jars.
        Hide
        arjen.poutsma Arjen Poutsma added a comment -

        I've upgraded SVN to use WSS4J 1.6, with the help of the patch provided jaminh (Thanks!). It compiles, and all tests run fine. That said, because the way WSS4J has changed internally, there are some breaking changes:

        • SpringDigestPasswordValidationCallbackHandler and SpringPlainTestPasswordValidationCallbackHandler have been merged into SpringSecurityPasswordValidationCallbackHandler, which works the same way as the SpringDigestPasswordValidationCallbackHandler (i.e. supply it with a UserDetailsService).
        • The Wss4jSecurityInterceptor no longer has the securementCallbackHandler property, as it's no longer used by WS4J.

        Furthermore, the Wss4jSecurityInterceptor has some additional properties: enableRevocation and bspCompliant. Check the javadocs to see what these do.

        I've just triggered a snapshot build, and it would be great if you guys could check it out if everything still works for you. This page shows you how to get snapshots.

        If everything looks good, I will release 2.1.0-RC1 this Friday (11th May) followed by the GA release the following week.

        Show
        arjen.poutsma Arjen Poutsma added a comment - I've upgraded SVN to use WSS4J 1.6, with the help of the patch provided jaminh (Thanks!). It compiles, and all tests run fine. That said, because the way WSS4J has changed internally, there are some breaking changes: SpringDigestPasswordValidationCallbackHandler and SpringPlainTestPasswordValidationCallbackHandler have been merged into SpringSecurityPasswordValidationCallbackHandler , which works the same way as the SpringDigestPasswordValidationCallbackHandler (i.e. supply it with a UserDetailsService ). The Wss4jSecurityInterceptor no longer has the securementCallbackHandler property, as it's no longer used by WS4J. Furthermore, the Wss4jSecurityInterceptor has some additional properties: enableRevocation and bspCompliant. Check the javadocs to see what these do. I've just triggered a snapshot build, and it would be great if you guys could check it out if everything still works for you. This page shows you how to get snapshots. If everything looks good, I will release 2.1.0-RC1 this Friday (11th May) followed by the GA release the following week.
        Hide
        arjen.poutsma Arjen Poutsma added a comment -

        I've just pushed out version 2.1.0.RC1. Please give it a go and tell me if you find anything.

        Show
        arjen.poutsma Arjen Poutsma added a comment - I've just pushed out version 2.1.0.RC1. Please give it a go and tell me if you find anything.
        Hide
        pkotlov Pavel Kotlov added a comment -

        Combination of spring-ws-2.1.0 and wss4j-1.6.6 still results in this error:

        Could not instantiate bean class [org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor]: Constructor threw exception; 
        nested exception is java.lang.NoSuchMethodError: org.apache.ws.security.WSSecurityEngine.getInstance()Lorg/apache/ws/security/WSSecurityEngine;

        Using wss4j-1.5.12 solves the problem for me. Well perhaps not for everyone...

        Show
        pkotlov Pavel Kotlov added a comment - Combination of spring-ws-2.1.0 and wss4j-1.6.6 still results in this error: Could not instantiate bean class [org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor]: Constructor threw exception; nested exception is java.lang.NoSuchMethodError: org.apache.ws.security.WSSecurityEngine.getInstance()Lorg/apache/ws/security/WSSecurityEngine; Using wss4j-1.5.12 solves the problem for me. Well perhaps not for everyone...
        Hide
        vansh2k6 Vanshaj added a comment -

        I am using Spring-ws 2.1.4 along with wss4j 1.6.4 and getting the same problem while using wss4j 1.5.x, its working fine.

        Looks like the issue still exists with wss4j 1.6.x.

        Show
        vansh2k6 Vanshaj added a comment - I am using Spring-ws 2.1.4 along with wss4j 1.6.4 and getting the same problem while using wss4j 1.5.x, its working fine. Looks like the issue still exists with wss4j 1.6.x.

          People

          • Assignee:
            arjen.poutsma Arjen Poutsma
            Reporter:
            mdiskin Mark Diskin
          • Votes:
            4 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Time Tracking

              Estimated:
              Original Estimate - Not Specified
              Not Specified
              Remaining:
              Remaining Estimate - Not Specified
              Not Specified
              Logged:
              Time Spent - 3d 2.1h
              3d 2.1h