Tags: soap, cxf, saml-2.0, wss4j

How to set the KeyIdentifier in the SecurityTokenReference to the Assertion ID with WSS4j


I'm a bit of a Noob with WSS4J so I'm hoping I'm missing something simple. I'm trying to create a Security header for an outbound SOAP message using WSS4J and CXF. As per the requirements, the Assertion and the Timestamp have to be signed. The Assertion is done in a SAMLCallback and the Timestamp with the properties for the WSS4JOutInterceptor. All of that is straightforward. The hitch is that instead of embedding the KeyInfo information for the Timestamp signature in the Signature, I need to reference the Assertion, which has the KeyInfo for its Signature within it. So the KeyInfo of the Timestamp's Signature should look like this:

            <ds:KeyInfo>
                <wsse:SecurityTokenReference TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
                    <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">3a4edd62-458e-4c3f-adc0-a9b505cb6284</wsse:KeyIdentifier>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>

Note how the KeyIdentifier points to an ID which is the ID of the Assertion. I've tried all the different WSHandlerConstants.SIG_KEY_ID options for the WSS4JOutInterceptor, but all of them populate the KeyInfo element with the information from the certificate. I'm hoping there is some straightforward solution within the WSS4J framework for this. Otherwise I'm looking at writing an interceptor to hack up the SOAP header.

Thanks In Advance.


Solution

  • Yes, it's possible, here's a test I pushed to CXF to show how it can be done:

    https://github.com/apache/cxf/commit/5504cad08be5f2eb8396410618da68cb732b80e0
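An added illustration of one configuration that produces the KeyInfo shape asked for above (not the code from the linked CXF commit, and not verified against it). It assumes WSS4J 2.x constants, a holder-of-key assertion whose subject certificate is the same key that signs the Timestamp, and a keystore properties file `client-crypto.properties` with alias `clientkey` and password `changeit` (all hypothetical); the assumption, not confirmed by the page, is that the holder-of-key path of the `SAMLTokenSigned` action emits the `SAMLID` KeyIdentifier, whereas the sender-vouches path references the issuer's X.509 certificate instead.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.CryptoFactory;
import org.apache.wss4j.common.crypto.CryptoType;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.common.saml.SAMLCallback;
import org.apache.wss4j.common.saml.bean.KeyInfoBean;
import org.apache.wss4j.common.saml.bean.SubjectBean;
import org.apache.wss4j.common.saml.bean.Version;
import org.apache.wss4j.common.saml.builder.SAML2Constants;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

/** Hypothetical handler: builds a signed, holder-of-key SAML 2.0 assertion bound to the client key. */
public class HokSamlCallbackHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof SAMLCallback)) continue;
            SAMLCallback saml = (SAMLCallback) cb;
            try {
                Crypto crypto = CryptoFactory.getInstance("client-crypto.properties"); // assumed file
                CryptoType type = new CryptoType(CryptoType.TYPE.ALIAS);
                type.setAlias("clientkey");                                            // assumed alias
                KeyInfoBean keyInfo = new KeyInfoBean();
                keyInfo.setCertificate(crypto.getX509Certificates(type)[0]);          // subject's key
                SubjectBean subject = new SubjectBean("alice", null, SAML2Constants.CONF_HOLDER_KEY);
                subject.setKeyInfo(keyInfo);
                saml.setSamlVersion(Version.SAML_20);
                saml.setIssuer("example-issuer");
                saml.setSubject(subject);
                saml.setSignAssertion(true);            // the Assertion carries its own ds:Signature
                saml.setIssuerCrypto(crypto);
                saml.setIssuerKeyName("clientkey");
                saml.setIssuerKeyPassword("changeit");
            } catch (Exception e) { throw new IOException(e); }
        }
    }

    /** Timestamp plus SAMLTokenSigned: the Timestamp signature's KeyInfo refers to the assertion ID. */
    public static WSS4JOutInterceptor build() {
        Map<String, Object> props = new HashMap<>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " " + WSHandlerConstants.SAML_TOKEN_SIGNED);
        props.put(WSHandlerConstants.SAML_CALLBACK_REF, new HokSamlCallbackHandler());
        props.put(WSHandlerConstants.SIGNATURE_USER, "clientkey");                   // private key of the HOK cert
        props.put(WSHandlerConstants.SIG_PROP_FILE, "client-crypto.properties");
        props.put(WSHandlerConstants.PW_CALLBACK_REF, (CallbackHandler) cbs -> {
            for (Callback cb : cbs) if (cb instanceof WSPasswordCallback) ((WSPasswordCallback) cb).setPassword("changeit");
        });
        props.put(WSHandlerConstants.SIGNATURE_PARTS,
            "{}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp");
        return new WSS4JOutInterceptor(props);
    }
}
```

On the receiving side the reference only proves something if the assertion's own signature is verified against a trusted issuer before the Timestamp signature is trusted through it; the SAMLID reference binds the two, it does not establish trust by itself.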