I have been struggling, for several days trying to get a simple SOAP request to pass WS-Security, after many emails I was finally able to get some logs out of the service provider...
Note that the webservice is SOAP 1.2
2021-04-11 23:49:24,052:INFO :ajp-nio-127.0.0.1-8009-exec-5:ptor.Soap12FaultOutInterceptor:class org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
2021-04-11 23:49:47,867:WARN :ajp-nio-127.0.0.1-8009-exec-28:urity.wss4j.WSS4JInInterceptor:Security processing failed (actions mismatch)
2021-04-11 23:49:47,867:WARN :ajp-nio-127.0.0.1-8009-exec-28:xf.phase.PhaseInterceptorChain:Interceptor for {http://[redacted]/rti/cdd/wsdl}CDDService has thrown exception, unwinding now
Sadly this hasn't helped much as in searching for this error it appears to be quite ambiguous, one of which mentioning a bug in the WSS4JInInterceptor where whitespace between the body open tag, and the first node can cause this, however even in removing that whitespace, I still receive the same error.
Here is the XML I'm sending (using Content-Type: application/soap+xml;charset=utf-8;action="mySoapAction" header), the service provider has confirmed they are receiving the XML body in full:
<?xml version="1.0"?>
<soapenv:Envelope xmlns:sch="http://[redacted]/rti/cdd/schema" xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="1">
<wsse:UsernameToken xmlns:wsu="http://docs.oasisopen.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-1618447264">
<wsse:Username>[redacted]</wsse:Username>
<wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-tokenprofile-1.0#PasswordText">[redacted]</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<sch:cddRequest clientID="1213" clientCandidateId="3">
<candidateName>
<firstName>Learner</firstName>
<lastName>Learner</lastName>
</candidateName>
<webAccountInfo>
<email>learner@nowhere.com</email>
</webAccountInfo>
<lastUpdate>2021/04/15 00:47:44 BST</lastUpdate>
<primaryAddress>
<addressType>Home</addressType>
<address1>[redacted]</address1>
<address2>[redacted]</address2>
<city>Gold Coast</city>
<postalCode>4218</postalCode>
<country>AU</country>
<phone>
<phoneNumber>[redacted]</phoneNumber>
<phoneCountryCode>[redacted]</phoneCountryCode>
</phone>
</primaryAddress>
<candidatePrefs>
<candidatePref prefType="ConfirmationPreference">
<prefOption>email</prefOption>
</candidatePref>
<candidatePref prefType="ReminderPreference">
<prefOption>email</prefOption>
</candidatePref>
<candidatePref prefType="LocalePreference">
<prefOption>en_GB</prefOption>
</candidatePref>
</candidatePrefs>
</sch:cddRequest>
</soapenv:Body>
</soapenv:Envelope>
Any help greatly appreciated.
You tagged the question WSS4J but by any chance have you written the security header by hand? Because all your namespaces are wrong:
wsse = http://docs.oasis-open.org/wss/2004/01/oasis200401-wss-wssecurity-secext-1.0.xsd
wsu = http://docs.oasisopen.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Type attribute = http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-tokenprofile-1.0#PasswordText
Pay attention to the dashes (-).
Correct namespaces are:
wsse = http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
wsu = http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Type attribute = http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText