I am trying to call an external web service which is secured with WS-Security. It requires a timestamp and a signature over just the request's body, but not the timestamp. I created a proxy service and a business service in OSB. I applied the default policy, but the client doesn't sign the timestamp and the proxy service throws an error about "timestamp not signed". If I delete the timestamp from the policy the call works OK, but the client cannot interpret the response because no timestamp is in the response.
Is there any way to apply a security policy to a web service which requires a signature and a Timestamp, but signs just the body and not the timestamp? I used the default OWSM "oracle/wss10_message_protection_service_policy", unchecking the crypto part and including the timestamp, but it always signs the timestamp. I know the timestamp should be signed, but the context requires it not to be signed.
If it is not possible, is there a way of doing it by hand? That is, calling a Java function for signing and then adding it to the response.
Edited by: user13492520 on 09-nov-2012 8:37
It should be possible to use custom policies with OWSM. You'll need to create a new policy that defines only those elements that you want to sign and apply this policy on the service.
Did you have a look at this post - https://blogs.oracle.com/owsm/entry/custom_policies_custom_assertions_11g
Patrick
Thanks for your reply.
As you say, it is possible to use custom policies with OWSM, and that is what I did, but with no results at all. I created a new policy from "oracle/wss10_message_protection_service_policy" and unchecked the encryption part, for both request and response. Then I deleted all header elements from the sign part and checked the "sign all body" option. I left the timestamp checked, and there is no way to say whether I want to sign the timestamp or not. Then I checked the policy's XML and I see that the message part to be signed is only the body, but when I use the console for testing the service, the timestamp is always signed in the response.
So, my question is: does OSB always sign the timestamp, or is there a way to say that a signed timestamp is not necessary?
Thanks a lot.
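Added example, not part of the original thread and not OSB or OWSM code: a small Python check that lists which message parts a WS-Security signature actually references, which is a quick way to confirm from a captured response whether the Timestamp is covered. The envelope, the ids `TS-1` and `Body-1`, and the helper names are constructed for illustration; the script only reads the `ds:Reference` entries and does not verify the signature.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSU_ID = "{%s}Id" % WSU


def signed_parts(envelope_xml):
    """Map each ds:Reference URI in ds:SignedInfo to the element it points at."""
    root = ET.fromstring(envelope_xml)
    # Index every element carrying a wsu:Id (or plain Id) attribute.
    by_id = {}
    for el in root.iter():
        ident = el.get(WSU_ID) or el.get("Id")
        if ident:
            by_id[ident] = el.tag.split("}")[-1]
    covered = {}
    for signed_info in root.iter("{%s}SignedInfo" % DS):
        for ref in signed_info.findall("{%s}Reference" % DS):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                covered[uri] = by_id.get(uri[1:], "<unresolved>")
    return covered


def timestamp_is_signed(envelope_xml):
    """True when any signature reference resolves to a wsu:Timestamp."""
    return "Timestamp" in signed_parts(envelope_xml).values()


def sample(ref_ids):
    """Constructed SOAP 1.1 envelope whose signature references ref_ids."""
    refs = "".join('<ds:Reference URI="#%s"/>' % r for r in ref_ids)
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
            'xmlns:wsse="%s" xmlns:wsu="%s" xmlns:ds="%s">'
            '<soap:Header><wsse:Security>'
            '<wsu:Timestamp wsu:Id="TS-1">'
            '<wsu:Created>2012-11-09T08:37:00Z</wsu:Created></wsu:Timestamp>'
            '<ds:Signature><ds:SignedInfo>%s</ds:SignedInfo></ds:Signature>'
            '</wsse:Security></soap:Header>'
            '<soap:Body wsu:Id="Body-1"/></soap:Envelope>') % (WSSE, WSU, DS, refs)


if __name__ == "__main__":
    for ids in (["Body-1", "TS-1"], ["Body-1"]):
        xml = sample(ids)
        print(signed_parts(xml), "timestamp signed:", timestamp_is_signed(xml))
```

Running it against the response captured from the test console shows whether the extra reference to the Timestamp is present in the message even though the policy XML lists only the body.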