How to implement digital signature validation in spring web service for different clients?


I have a requirement to validate the digital signature of the SOAP request using X.509 certificates for a Spring-based web service that accepts requests from multiple vendors.

What is the general strategy for implementing such security? Should I create one web service for each vendor so that I can validate the digital signature based on the public key of the caller? Ideally I would like to have just one web service, as the content of each vendor's request has the same schema.


The digital signature for SOAP messages is embedded into the SOAP header of the message. This is a simplified schema of a message. (See a full example here)

<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SOAP-ENV:Header>
    <wsse:Security>
      <!-- the signer's X.509 certificate, base64-encoded -->
      <wsse:BinarySecurityToken />
      <ds:Signature>
        <!-- digests of the signed parts (typically the Body) -->
        <ds:SignedInfo />
        <ds:SignatureValue />
        <!-- reference to the BinarySecurityToken above -->
        <ds:KeyInfo />
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

The signature lets you establish the identity of the signer by referencing the X.509 certificate used to sign.

You do not need a different web service for each vendor. To allow access, request from the vendor the public part of the certificate that is going to be used to sign messages. When a SOAP message is received, compare the signer certificate with the expected one.

To simplify the comparison, you can check serial number + issuer.
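The identification step the answer describes, as an added Java example that is not code from the original answer: once the WS-Security layer has already verified the XML signature and validated the certificate chain, the signer certificate's issuer and serial number are looked up in a per-vendor allow-list; an unknown certificate means the request is rejected. `VendorRegistry`, the vendor ids and the sample issuer/serial values are constructed for this example.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.x500.X500Principal;

// Added example (not from the original answer). Maps an already verified
// signer certificate to a vendor by issuer + serial number. This only
// identifies the caller: signature and chain validation must happen first.
public final class VendorRegistry {

    // Issuer DN is compared in its canonical form so that differences in
    // attribute-type case or spacing in the DN string do not break matching.
    private static String key(X500Principal issuer, BigInteger serial) {
        return issuer.getName(X500Principal.CANONICAL) + "|" + serial.toString(16);
    }

    private final Map<String, String> vendorsByIssuerAndSerial = new HashMap<>();

    // Register the certificate the vendor handed over out of band. Several
    // entries per vendor allow certificate rotation without downtime.
    public void register(String vendorId, X500Principal issuer, BigInteger serial) {
        vendorsByIssuerAndSerial.put(key(issuer, serial), vendorId);
    }

    public void register(String vendorId, X509Certificate cert) {
        register(vendorId, cert.getIssuerX500Principal(), cert.getSerialNumber());
    }

    // Vendor id for the signer certificate, or empty when it is unknown
    // (the endpoint should then reject the request).
    public Optional<String> identify(X509Certificate signer) {
        return identify(signer.getIssuerX500Principal(), signer.getSerialNumber());
    }

    public Optional<String> identify(X500Principal issuer, BigInteger serial) {
        return Optional.ofNullable(vendorsByIssuerAndSerial.get(key(issuer, serial)));
    }

    public static void main(String[] args) {
        VendorRegistry registry = new VendorRegistry();
        // Constructed sample values standing in for the vendors' real certificates.
        X500Principal ca = new X500Principal("CN=Example Vendor CA, O=Example, C=US");
        registry.register("vendor-a", ca, new BigInteger("1001"));
        registry.register("vendor-b", ca, new BigInteger("1002"));
        // Same issuer DN with different spacing and attribute-type case still matches.
        X500Principal sameCa = new X500Principal("cn=Example Vendor CA,o=Example,c=US");
        System.out.println(registry.identify(sameCa, new BigInteger("1001")));
        System.out.println(registry.identify(ca, new BigInteger("9999")));
    }
}
```

In a Spring WS setup the registry would be consulted by the endpoint (or an interceptor placed after the security interceptor), so that vendor identification never runs on an unverified message.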