WS-Security Header Mismatch in Request


Where do we define where to put which security header? I have a WS-Security enabled web service that needs to be consumed (I'm using WSO2 ESB 4.9.0 for this purpose). What I can see is that when trying to call the client through the ESB there is a mismatch of headers and I'm getting an error. The expected request message and the ESB-generated request message are given below. I will be pleased if anyone can help.

Expected Request Message

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:mob="http://com.mobitel.payment/MobitelPaymentGW/">
   <soapenv:Header>
      <wsse:Security 
         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
         soapenv:mustUnderstand="1">
         <wsse:UsernameToken 
            wsu:Id="UsernameToken-B4BD97FC2A64C1B4DE15580859645869">
            <wsse:Username>MobitelPaymentGWUser</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">MobitelPay#123Test</wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">8mIivn6+R6uqXclmVDva1A==</wsse:Nonce>
            <wsu:Created>2019-05-17T09:39:24.586Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <mob:payBill>
         <transaction>
            <serviceId>TEST</serviceId>
            <mobileOrAccountNo>0710380350</mobileOrAccountNo>
            <signature>201905170000000007</signature>
            <amount>1</amount>
            <payMode>COU</payMode>
            <txnDate>2019-05-17 13:28:00</txnDate>
         </transaction>
      </mob:payBill>
   </soapenv:Body>
</soapenv:Envelope>

ESB Generated Request

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
   <soapenv:Header>
      <wsse:Security 
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" 
        soapenv:mustUnderstand="true">
         <wsse:UsernameToken 
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" 
            wsu:Id="UsernameToken-4">
            <wsse:Username>MobitelPaymentGWUser</wsse:Username>
            <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">MobitelPay#123Test
            </wsse:Password>
            <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">pf0L6vJFNPvYzn+Zaz8PJQ==
            </wsse:Nonce>
            <wsu:Created>2019-07-15T03:23:29.681Z</wsu:Created>
         </wsse:UsernameToken>
      </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <mob:payBill xmlns:mob="http://com.mobitel.payment/MobitelPaymentGW/">
         <transaction xmlns="http://ws.apache.org/ns/synapse">
            <serviceId>TEST</serviceId>
            <mobileOrAccountNo>0710380350</mobileOrAccountNo>
            <signature>201905170000000007</signature>
            <amount>1</amount>
            <payMode>COU</payMode>
            <txnDate>2019-05-17 13:28:00</txnDate>
         </transaction>
      </mob:payBill>
   </soapenv:Body>
</soapenv:Envelope>

Rampart version 1.6.1

Added an image indicating where the headers are differing: 1

Thanks in advance, Yasothar


There are 1 best solutions below

Jan On

I've had a quick look and do not see any significant differences. Yes, the namespace declarations are not at the same location, but both are 'XML equivalent', so the signature should not be the problem IF the receiving end adheres to the same standard. Edit: not all suggestions were valid as this is about basic auth and not signing.
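
A namespace-aware comparison of the two messages, as an added example that is not part of the original question or answer. The embedded XML is a trimmed, constructed copy of the two requests above with the credential shortened, `flatten` and `semantic_diff` are hypothetical helper names, and the comparison assumes both messages contain the same elements in the same order. Differences in where an `xmlns` declaration sits disappear; what is left is the SOAP envelope namespace, the `mustUnderstand` value, the namespace on `transaction` and its children, and trailing whitespace in leaf text.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
MOB = "http://com.mobitel.payment/MobitelPaymentGW/"

# Constructed, trimmed copies of the two messages above (credential shortened).
EXPECTED = f"""<e:Envelope xmlns:e="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:mob="{MOB}">
  <e:Header><w:Security xmlns:w="{WSSE}" e:mustUnderstand="1">
    <w:UsernameToken><w:Password>secret</w:Password></w:UsernameToken>
  </w:Security></e:Header>
  <e:Body><mob:payBill><transaction><amount>1</amount></transaction></mob:payBill></e:Body>
</e:Envelope>"""

GENERATED = f"""<e:Envelope xmlns:e="http://www.w3.org/2003/05/soap-envelope">
  <e:Header><w:Security xmlns:w="{WSSE}" e:mustUnderstand="true">
    <w:UsernameToken><w:Password>secret
    </w:Password></w:UsernameToken>
  </w:Security></e:Header>
  <e:Body><mob:payBill xmlns:mob="{MOB}">
    <transaction xmlns="http://ws.apache.org/ns/synapse"><amount>1</amount></transaction>
  </mob:payBill></e:Body>
</e:Envelope>"""

def flatten(xml_text):
    """[(qualified name, attributes, text)] in document order. ElementTree
    resolves prefixes to '{namespace}local', so xmlns placement is ignored."""
    root = ET.fromstring(xml_text)
    return [(el.tag, dict(el.attrib), el.text or "") for el in root.iter()]

def semantic_diff(expected, generated):
    """Differences that remain once prefixes are resolved to namespaces."""
    diffs = []
    for (et, ea, ex), (gt, ga, gx) in zip(flatten(expected), flatten(generated)):
        if et != gt:
            diffs.append(("name", et, gt))
        if ea != ga:
            diffs.append(("attribute", ea, ga))
        if ex.strip() != gx.strip():
            diffs.append(("text", ex, gx))
        elif ex != gx and ex.strip():  # same value, extra whitespace in a leaf
            diffs.append(("whitespace", ex, gx))
    return diffs

if __name__ == "__main__":
    for kind, want, got in semantic_diff(EXPECTED, GENERATED):
        print(f"{kind:10} expected={want!r} generated={got!r}")
```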