You're right — implementing full WS-Security (Timestamp, UsernameToken with nonce, BinarySecurityToken, Signature + Encryption) for an enterprise SOAP 1.2 endpoint is tricky in Python because Zeep doesn’t fully handle WS-Security policies out of the box.
**Short answer:** You can absolutely do this in Python, but you'll need to combine Zeep (for SOAP/WSDL) with python-xmlsec (for signing and encryption). Zeep alone doesn’t implement the full WS-Security stack (EncryptedKey, BinarySecurityToken, etc.), so a hybrid approach is typically required.
**Recommended approach:**
1. **Use Zeep** to generate the SOAP body and handle WSDL parsing — it supports SOAP 1.2.
2. **Add WS-Security headers** (Timestamp with millisecond precision, UsernameToken with Nonce & Created) manually or via Zeep WSSE hooks.
3. **Use python-xmlsec (xmlsec)** to:
   - Sign the required elements (Body, Timestamp, UsernameToken) using your private key and certificate — this creates the XML Signature inside `wsse:Security`.
   - Encrypt the symmetric key with the server’s public key and encrypt required parts (Body and UsernameToken), producing `EncryptedData` with an `EncryptedKey` as specified in your policy.
4. **Match your policy.xml exactly** — check namespaces, transforms, canonicalization, and the placement of `KeyInfo` and `BinarySecurityToken`.
5. **Send the finalized envelope** over HTTPS.
**Libraries:**
- `zeep` (SOAP 1.2 and WSDL support)
- `lxml`
- `python-xmlsec` (requires xmlsec native library)
- `requests`
This process isn’t trivial — it requires careful comparison against a working SoapUI request. You can export the raw XML from SoapUI and diff it against your generated XML to ensure structure and signature placement match.
If you can share the relevant sections of your `policy.xml` and SoapUI raw request, I can outline a concrete Python example showing the correct `BinarySecurityToken`, `KeyInfo`, and canonicalization setup.
**TL;DR:**
Use Zeep for SOAP generation and python-xmlsec for WS-Security (signing + encryption). That’s the most reliable and Pythonic way to meet enterprise SOAP 1.2 security requirements.
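
Step 2 of the list above, as an added example (not code from the original answer or from Zeep): it builds the `wsse:Security` header with a millisecond-precision Timestamp and a UsernameToken carrying Nonce and Created, using only the standard library. The PasswordDigest form, the `TS-1`/`UT-1` ids, the 300-second lifetime and the function names are assumptions; your `policy.xml` decides the real values.

```python
import base64, hashlib, os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
B64_ENCODING = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsu", WSU)

def ms_utc(dt):
    """xsd:dateTime in UTC with exactly three fractional digits."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def password_digest(nonce, created, password):
    """Base64(SHA-1(nonce + created + password)), UsernameToken Profile 1.0."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()

def build_security_header(username, password, now=None, nonce=None, ttl_seconds=300):
    now = now or datetime.now(timezone.utc)
    nonce = nonce or os.urandom(16)  # must be fresh for every request
    created = ms_utc(now)
    sec = ET.Element(f"{{{WSSE}}}Security")
    # The wsu:Id values (assumed names) are what ds:Reference URIs point at when signing.
    ts = ET.SubElement(sec, f"{{{WSU}}}Timestamp", {f"{{{WSU}}}Id": "TS-1"})
    ET.SubElement(ts, f"{{{WSU}}}Created").text = created
    ET.SubElement(ts, f"{{{WSU}}}Expires").text = ms_utc(now + timedelta(seconds=ttl_seconds))
    ut = ET.SubElement(sec, f"{{{WSSE}}}UsernameToken", {f"{{{WSU}}}Id": "UT-1"})
    ET.SubElement(ut, f"{{{WSSE}}}Username").text = username
    pw = ET.SubElement(ut, f"{{{WSSE}}}Password", {"Type": DIGEST_TYPE})
    pw.text = password_digest(nonce, created, password)
    n = ET.SubElement(ut, f"{{{WSSE}}}Nonce", {"EncodingType": B64_ENCODING})
    n.text = base64.b64encode(nonce).decode()
    # Same Created string as fed into the digest, or the server's recomputation fails.
    ET.SubElement(ut, f"{{{WSU}}}Created").text = created
    return sec

if __name__ == "__main__":
    # Constructed credentials, for illustration only.
    print(ET.tostring(build_security_header("svc-user", "example-password"), encoding="unicode"))
```

For signing and encryption with python-xmlsec the same tree has to be built with `lxml.etree`, since xmlsec operates on lxml nodes.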