CXF: Inbound policy verification failed: These policy alternatives can not be satisfied: - soap

Wildfly10
CXF 3.1.6
SOAP Webservices
WSDL configuration of security policy is:
<!-- WS-SecurityPolicy fragment from the question: a single alternative that asks every
     request to the recipient to carry a UsernameToken as a supporting token. -->
<wsp:Policy wsu:Id="UsernameTransportPolicy">
<wsp:ExactlyOne>
<wsp:All>
<!-- NOTE(review): despite the policy id, no sp:TransportBinding assertion is visible in
     this fragment, so nothing shown here requires HTTPS for a token that carries a
     clear-text password. Confirm that the full WSDL adds one. -->
<sp:SupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<!-- sp:TextPassword is the assertion named in the "can not be satisfied" error shown
     further down the page; the fix posted there removes it and keeps this inner
     wsp:Policy element empty. -->
<sp:TextPassword />
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Handler configuration is:
<!-- JBossWS endpoint configuration: defines the named config
     "Custom-JAXWS-WS-SecurityEndpoint" and sets two ws-security properties on it. -->
<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:javaee="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">
<endpoint-config>
<config-name>Custom-JAXWS-WS-SecurityEndpoint</config-name>
<!-- Asks the stack to validate the received token; presumably this is what makes the
     password set by the callback handler get compared with the one in the request
     (confirm against the CXF security-configuration docs). -->
<property>
<property-name>ws-security.validate.token</property-name>
<property-value>true</property-value>
</property>
<!-- Class that supplies the expected password for a presented user name.
     NOTE(review): the value below wraps onto a second line, so it ends in a line break;
     the log on this page shows the handler being invoked, so the container evidently
     tolerates it, but keeping the class name on one line avoids relying on that. -->
<property>
<property-name>ws-security.callback-handler</property-name>
<property-value>com.xxx.xxxx.security.ServerPasswordHandler
</property-value>
</property>
</endpoint-config>
</jaxws-config>
Handler code:
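/**
 * Password callback handler registered through the {@code ws-security.callback-handler}
 * endpoint property. For a presented user name it hands the expected password back to the
 * security layer by calling {@link WSPasswordCallback#setPassword(String)}; for any other
 * user name it sets nothing, so no password is available for that identifier.
 */
public class ServerPasswordHandler implements CallbackHandler
{
    private static final Logger logger = Logger.getInstance(ServerPasswordHandler.class);

    /**
     * Supplies the password for the single known service user.
     *
     * @param callbacks callbacks passed in by the security layer; only the first one is
     *                  inspected, and it must be a {@link WSPasswordCallback}
     * @throws IOException declared by {@link CallbackHandler}; not thrown by this code
     * @throws UnsupportedCallbackException if the first callback is not a
     *                                      {@link WSPasswordCallback}
     */
    @Override
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException
    {
        logger.debug("begin handle");

        // Nothing to answer: leave without touching any state instead of failing on [0].
        if (callbacks == null || callbacks.length == 0)
        {
            logger.debug("end handle");
            return;
        }

        // Reject unexpected callback types through the declared exception rather than
        // letting an unchecked ClassCastException escape.
        if (!(callbacks[0] instanceof WSPasswordCallback))
        {
            throw new UnsupportedCallbackException(callbacks[0],
                    "Expected a WSPasswordCallback");
        }
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

        // NOTE(review): sample credentials compiled into the class. A deployed service
        // should read them from a credential store or the container's security domain,
        // and the password must never be written to a log.
        String userId = "wsuser";
        String password = "wspassword";
        logger.debug("userId is["+userId+"]");

        // The identifier comes from the request; strip line breaks before logging it so
        // a crafted user name cannot forge extra log lines.
        String presented = String.valueOf(pc.getIdentifier()).replaceAll("[\\r\\n]", "_");

        if (userId.equals(pc.getIdentifier()))
        {
            pc.setPassword(password);
            logger.info("User ["+userId+"] is familiar.");
        }
        else
        {
            // Log the identifier that was actually presented; the original printed the
            // configured user id here, which made the message misleading.
            logger.error("Unknown user ["+presented+"]");
        }
        logger.debug("end handle");
    }
}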
Sending xml request as:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ser="http://service.dms.ctl.com/"
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security soap:mustUnderstand='true'
xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'
xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
<wsse:UsernameToken wsu:Id='UsernameToken-3DAJDJSKJDHFJASDKJFKJ234JL2K3H2K3J42'>
<wsse:Username>wsuser</wsse:Username>
<wsse:Password Type='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText'>wspassword</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
.....
</soapenv:Body>
I am getting following error:
15:22:54,541 DEBUG [c.c.i.s.MessageInterceptor] handleMessage
15:22:56,684 DEBUG [c.c.i.s.ServerPasswordHandler] begin handle
15:22:56,685 DEBUG [c.c.i.s.ServerPasswordHandler] userId is[wsuser]
15:22:56,685 INFO [c.c.i.s.ServerPasswordHandler] User [wsuser] is familiar.
15:22:56,685 DEBUG [c.c.i.s.ServerPasswordHandler] end handle
15:23:18,609 SEVERE [o.a.c.w.p.PolicyVerificationInInterceptor] Inbound policy verification failed: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TextPassword
15:23:18,609 WARNING [o.a.c.p.PhaseInterceptorChain] Interceptor for {http://service.xxx.xxx.com/}Adapter#{http://service.dms.ctl.com/}findAvailableCustomers has thrown exception, unwinding now: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TextPassword
at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:254)
at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108)
at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:299)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:218)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
Looking at the source code, I see that the exception is thrown at the following point:
// Excerpt quoted in the question (the closing braces are cut off on the page).
// It checks the effective inbound policy and records which alternatives were satisfied.
try {
//Exception here
// checkEffectivePolicy is the call that throws the PolicyException seen in the
// stack trace above ("These policy alternatives can not be satisfied").
List<List<Assertion>> usedAlternatives = aim.checkEffectivePolicy(effectivePolicy.getPolicy());
// Store the satisfied alternatives on the exchange only when there is something to store.
if (usedAlternatives != null && !usedAlternatives.isEmpty() && message.getExchange() != null) {
message.getExchange().put("ws-policy.validated.alternatives", usedAlternatives);
}
} catch (PolicyException ex) {
// This log line is the SEVERE "Inbound policy verification failed" entry in the log above.
LOG.log(Level.SEVERE, "Inbound policy verification failed: " + ex.getMessage());
//To check if there is ws addressing policy violation and throw WSA specific
//exception to pass jaxws2.2 tests
if (ex.getMessage().indexOf("Addressing") > -1) {
throw new Fault("A required header representing a Message Addressing Property "
+ "is not present", LOG)
.setFaultCode(new QName("http://www.w3.org/2005/08/addressing",
"MessageAddressingHeaderRequired"));
}
// Every other policy failure (such as the TextPassword one on this page) is rethrown unchanged.
throw ex;
EDIT: Fixed minor debug message

I was able to fix this with information from various websites. First, as mentioned in the OASIS specification, I removed the following element, because passwords are mandatory.
<wsp:Policy>
<sp:TextPassword />
</wsp:Policy>
But because of a bug described in a CXF issue, UsernameToken still needs a policy element, so the workaround was to keep an empty policy under UsernameToken:
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
That fixed it.

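"sp:TextPassword" is not a valid policy assertion. WS-SecurityPolicy 1.2 defines sp:NoPassword and sp:HashPassword for a UsernameToken, and a plain-text password is what the token is expected to carry when neither is asserted.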

Related

How to handle soap:mustUnderstand header in Spring WS

An external system is sending my service a SOAP message and I have a listener in place
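/**
 * Spring-WS endpoint that receives the external system's "Notification" message.
 * The annotation markers were mangled to '#' on the page and are restored here, and the
 * class is closed so the snippet is complete.
 */
@Endpoint
public class NotificationListener {
    private static final String NAMESPACE_URI = "http://test.com/test";

    /**
     * Handles a payload whose root element is {@code Notification} in
     * {@link #NAMESPACE_URI}.
     *
     * NOTE(review): nothing visible in this class claims the wsa:To / wsa:Action headers
     * that the request marks mustUnderstand="1", which would be consistent with the
     * MustUnderstand fault shown on the page. Confirm how WS-Addressing headers are
     * handled in the application context.
     *
     * @param request the unmarshalled request payload
     */
    @PayloadRoot(namespace = NAMESPACE_URI, localPart = "Notification")
    @ResponsePayload
    public void getSOAPMessage(@RequestPayload HistoryMessage request) {
        // calls to methods in other classes which handle the business logic
    }
}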
The request body contains the following headers:
<soap:Header>
<wsa:To soap:mustUnderstand="1"
xmlns:wsa="http://www.w3.org/2005/08/addressing">{destination endpoint}
</wsa:To>
<wsa:From
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:From>
<wsa:ReplyTo
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:ReplyTo>
<wsa:FaultTo
xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address>
</wsa:FaultTo>
<wsa:Action soap:mustUnderstand="1"
xmlns:wsa="http://www.w3.org/2005/08/addressing">
</wsa:Action>
<wsa:MessageID
xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:uuid:fa163e6e-ef55-1eec-b9ac-5e80af1d126a
</wsa:MessageID>
I get the following error on calling my endpoint:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header/>
<SOAP-ENV:Body>
<SOAP-ENV:Fault>
<faultcode>SOAP-ENV:MustUnderstand</faultcode>
<faultstring xml:lang="en">One or more mandatory SOAP header blocks not understood</faultstring>
</SOAP-ENV:Fault>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
I understand that the mustUnderstand attribute in the header is set to 1, which means true, and that such a header must be handled. But how do I handle it?
I'm using Spring WS to build the listener service.
TIA:)

SoapUI5.7 + Mule4.4: "java.lang.IllegalArgumentException: path parameter must start with /"

I'm testing Mule with SoapUI and I get the error "path parameter must start with /".
Error message on Mule
WARN 2022-01-23 00:01:02,491 [http.listener.03 SelectorRunner] org.glassfish.grizzly.filterchain.DefaultFilterChain: GRIZZLY0013: Exception during FilterChain execution
java.lang.IllegalArgumentException: path parameter must start with /
at org.mule.runtime.api.util.Preconditions.checkArgument(Preconditions.java:25) ~[mule-api-1.4.0-20211227.jar:?]
at org.mule.service.http.impl.service.util.DefaultRequestMatcherRegistry.lambda$new$1(DefaultRequestMatcherRegistry.java:69) ~[mule-service-http-1.6.3.jar:1.6.3]
at com.github.benmanes.caffeine.cache.LocalLoadingCache.lambda$newMappingFunction$2(LocalLoadingCache.java:140) ~[caffeine-2.8.0.jar:?]
at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2379) ~[caffeine-2.8.0.jar:?]
at java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1853) ~[?:1.8.0_282]
at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2377) ~[caffeine-2.8.0.jar:?]
at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2360) ~[caffeine-2.8.0.jar:?]
at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:108) ~[caffeine-2.8.0.jar:?]
at com.github.benmanes.caffeine.cache.LocalLoadingCache.get(LocalLoadingCache.java:54) ~[caffeine-2.8.0.jar:?]
at org.mule.service.http.impl.service.util.DefaultRequestMatcherRegistry.find(DefaultRequestMatcherRegistry.java:260) ~[mule-service-http-1.6.3.jar:1.6.3]
at org.mule.service.http.impl.service.server.HttpListenerRegistry.getRequestHandler(HttpListenerRegistry.java:109) ~[mule-service-http-1.6.3.jar:1.6.3]
at org.mule.service.http.impl.service.server.grizzly.GrizzlyRequestDispatcherFilter.handleRead(GrizzlyRequestDispatcherFilter.java:123) ~[mule-service-http-1.6.3.jar:1.6.3]
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119) ~[grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284) ~[grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201) ~[grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133) [grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112) [grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77) [grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:540) [grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112) [grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.mule.service.http.impl.service.server.grizzly.ExecutorPerServerAddressIOStrategy.run0(ExecutorPerServerAddressIOStrategy.java:99) [mule-service-http-1.6.3.jar:1.6.3]
at org.mule.service.http.impl.service.server.grizzly.ExecutorPerServerAddressIOStrategy.executeIoEvent(ExecutorPerServerAddressIOStrategy.java:74) [mule-service-http-1.6.3.jar:1.6.3]
at org.glassfish.grizzly.strategies.AbstractIOStrategy.executeIoEvent(AbstractIOStrategy.java:89) [grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.nio.SelectorRunner.iterateKeyEvents(SelectorRunner.java:415) [grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.nio.SelectorRunner.iterateKeys(SelectorRunner.java:384) [grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.nio.SelectorRunner.doSelect(SelectorRunner.java:348) [grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at org.glassfish.grizzly.nio.SelectorRunner.run(SelectorRunner.java:279) [grizzly-framework-2.3.36-MULE-024.jar:2.3.36-MULE-024]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:1.8.0_282]
at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:1.8.0_282]
at org.mule.service.scheduler.internal.AbstractRunnableFutureDecorator.doRun(AbstractRunnableFutureDecorator.java:113) [mule-service-scheduler-1.4.1/:?]
at org.mule.service.scheduler.internal.RunnableFutureDecorator.run(RunnableFutureDecorator.java:54) [mule-service-scheduler-1.4.1/:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_282]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_282]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_282]
Steps
Find WSDL here (https://www.dataaccess.com/webservicesserver/numberconversion.wso?WSDL)
[Mule4.4] Create Listener and SOAP Router.
HTTP Listener config: port = 1081
SOAP configuration: Wsdl location = (URL in Step 1.)
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<mule xmlns="http://www.mulesoft.org/schema/mule/core" xmlns:apikit-soap="http://www.mulesoft.org/schema/mule/apikit-soap" xmlns:ee="http://www.mulesoft.org/schema/mule/ee/core" xmlns:http="http://www.mulesoft.org/schema/mule/http" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.mulesoft.org/schema/mule/core http://www.mulesoft.org/schema/mule/core/current/mule.xsd http://www.mulesoft.org/schema/mule/http http://www.mulesoft.org/schema/mule/http/current/mule-http.xsd http://www.mulesoft.org/schema/mule/apikit-soap http://www.mulesoft.org/schema/mule/apikit-soap/current/mule-apikit-soap.xsd http://www.mulesoft.org/schema/mule/ee/core http://www.mulesoft.org/schema/mule/ee/core/current/mule-ee.xsd">
<!-- HTTP listener bound to every interface (0.0.0.0) on port 1081.
     NOTE(review): no protocol or TLS context is declared on the connection, so as written
     this appears to be a plain-HTTP listener (TODO confirm), while the SoapUI step on this
     page calls it with an https:// URL. A TLS handshake sent to a plain-HTTP listener
     would be consistent with both "failed to respond" and the request-parsing warning.
     For local testing, binding to localhost instead of 0.0.0.0 keeps the port off the
     network. -->
<http:listener-config name="api-httpListenerConfig">
<http:listener-connection host="0.0.0.0" port="1081"/>
</http:listener-config>
<apikit-soap:config httpStatusVarName="httpStatus" name="soapkit-config" port="NumberConversionSoap" service="NumberConversion" wsdlLocation="https://www.dataaccess.com/webservicesserver/numberconversion.wso?WSDL"/>
<flow name="api-main">
<http:listener config-ref="api-httpListenerConfig" path="/NumberConversion/NumberConversionSoap">
<http:response statusCode="#[attributes.additionalTransportData.statusCode default 200]">
<http:body>#[payload]</http:body>
<http:headers>#[attributes.protocolHeaders default {}]</http:headers>
</http:response>
<http:error-response statusCode="#[attributes.additionalTransportData.statusCode default 500]">
<http:body>#[payload]</http:body>
<http:headers>#[attributes.protocolHeaders default {}]</http:headers>
</http:error-response>
</http:listener>
<apikit-soap:router config-ref="soapkit-config">
<apikit-soap:attributes><![CDATA[#[%dw 2.0
output application/java
---
{
headers: attributes.headers,
method: attributes.method,
queryString: attributes.queryString
}]]]></apikit-soap:attributes>
</apikit-soap:router>
</flow>
<flow name="NumberToWords:\soapkit-config">
<ee:transform>
<ee:message>
<ee:set-payload>
<![CDATA[%dw 2.0
output application/java
ns soap http://schemas.xmlsoap.org/soap/envelope
---
{
body: {
soap#Fault: {
faultcode: "soap:Server",
faultstring: "Operation [NumberToWords:\soapkit-config] not implemented"
}
} write "application/xml"
}]]>
</ee:set-payload>
</ee:message>
</ee:transform>
</flow>
<flow name="NumberToDollars:\soapkit-config">
<ee:transform>
<ee:message>
<ee:set-payload>
<![CDATA[%dw 2.0
output application/java
ns soap http://schemas.xmlsoap.org/soap/envelope
---
{
body: {
soap#Fault: {
faultcode: "soap:Server",
faultstring: "Operation [NumberToDollars:\soapkit-config] not implemented"
}
} write "application/xml"
}]]>
</ee:set-payload>
</ee:message>
</ee:transform>
</flow>
</mule>
[SoapUI5.7] Create a new SOAP API with the URL in Step 1. Then create a new request (https://0.0.0.0:1081/NumberConversion/NumberConversionSoap) and run it. The message at the bottom says "failed to respond"
[Mule4.4] See the message.
Notes
I confirm Listener's Path starts with "/".
It is a warning, not an error, and it is most likely harmless. Make sure you are using the latest version of Studio and the cumulative patches for Mule 4.4. There is something strange in the log, though: it appears to be running an HTTP service for Mule 4.3 (mule-service-http-1.6.3), which is not the right version for Mule 4. Maybe the project is being executed in Mule 4.3? Check the log at application startup and the run configuration to be sure.

WS Policy with Apache CXF 3.0

Trying to implement WS-Policy within WSDL.
There is my configurations:
WS-Policy within WSDL:
<!-- WS-SecurityPolicy fragment from the question: an asymmetric (X.509) binding in which
     the initiator's certificate is sent to the recipient, the recipient's is never sent,
     a timestamp is required, and the SOAP Body must be signed. -->
<wsp:Policy wsu:Id="Signature">
<wsp:ExactlyOne>
<wsp:All>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken=
"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<!-- NOTE(review): TripleDesRsa15 is a legacy suite (Triple-DES, RSA 1.5 key wrap, SHA-1
     digests). Where both parties support it, prefer a SHA-256-based suite such as
     Basic256Sha256. -->
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDesRsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:LaxTsFirst />
</wsp:Policy>
</sp:Layout>
<!-- A Timestamp is required in the security header. Per the resolution on this page, it
     must be covered by the same signature as the Body; signing only the Body produced
     the "Received Timestamp does not match the requirements" failure. -->
<sp:IncludeTimestamp />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:SignedParts>
<sp:Body />
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
CXF configuration:
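// Publishes the service at "/ws" using the WSDL (and the policy inside it) from the
// classpath, with the ws-security settings CXF needs to verify signatures.
EndpointImpl endpoint = new EndpointImpl(bus, service);
endpoint.setWsdlLocation("classpath:/wsdl/ws.wsdl");

// Merlin crypto settings for the keystore. These are built as a plain Properties object:
// the original double-brace initialisation created anonymous subclasses of HashMap and
// Properties that also capture the enclosing instance.
Properties signatureProperties = new Properties();
signatureProperties.put("org.apache.ws.security.crypto.provider", "org.apache.ws.security.components.crypto.Merlin");
signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.type", "jks");
signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", keystorePassword);
signatureProperties.put("org.apache.ws.security.crypto.merlin.file", keystorePath);

HashMap<String, Object> endpointProperties = new HashMap<>();
endpointProperties.put("ws-security.signature.validator", customSignatureValidator);
endpointProperties.put("ws-security.signature.properties", signatureProperties);
endpointProperties.put("ws-security.signature.username", privateKeyName);
endpointProperties.put("ws-security.callback-handler", (CallbackHandler) callbacks -> {
    // NOTE(review): the private-key password is handed to whatever callback arrives first,
    // with no check of its type or of the identifier it asks about. Consider answering
    // only for the expected key alias; verify how the keystore compares aliases first.
    WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
    passwordCallback.setPassword(privateKeyPassword);
});
endpoint.setProperties(endpointProperties);
endpoint.publish("/ws");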
Problem:
After sending SOAP request with timestamp, signature key information etc. I'm getting SOAP fault message:
These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}OnlySignEntireHeadersAndBody
The error appears even if I do not send a timestamp. According to the CXF logs, the signature is correct.
After some debugging and experiments I figured out the problem: the SOAP request was incorrect with respect to the WS-Policy, because the Timestamp and the Body must be signed by the same signature. If only the Body is signed, you get the errors listed above (which are a bit inaccurate).

An error was discovered processing the <wsse:Security> header in SoapUI

I am trying to intercept an encrypted SOAP message on WildFly 10 with SoapUI. Deployment is successful.
The first pictures below show the outgoing WS-Security configuration, which includes signature and encryption.
* Signature
Keystore - client keystore
Alias - alias of client's private key
Password - password of client's private key
Key Identifier Type - X.509
Parts - arg0 (Name), Body (Encode)
* Encryption
Keystore - client keystore
Alias - alias of server's public key
Password - Empty (no password required for public key)
Key Identifier Type - X.509
Parts - arg0 (Name), Body (Content)
The final pic shows incoming WS-Security Configuration.
Decrypt Keystore - client keystore
Signature Keystore - client keystore
Password - password of client's private key
But the returned response is soap-fault like following
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:InvalidSecurity</faultcode>
<faultstring>An error was discovered processing the <wsse:Security> header</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
Is there some process which I missed?
Update
This is soap request
<soapenv:Envelope xmlns:soap="http://soap.aaa.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="374FDD240DA4088CF9146901568147641">
MIICxzCCAa+gAwIBAgIENlXkmDANBgkqUg35Lpg==
</wsse:BinarySecurityToken>
<xenc:EncryptedKey Id="EK-374FDD240DA4088CF9146901568147640" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference><wsse:Reference URI="#374FDD240DA4088CF9146901568147641" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>gBZkBwQh+A==
</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-374FDD240DA4088CF9146901568147642"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-374FDD240DA4088CF9146901568146635">MIICzTCCAskwggGxo
</wsse:BinarySecurityToken>
<ds:Signature Id="SIG-374FDD240DA4088CF9146901568146639" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soap soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-374FDD240DA4088CF9146901568146638">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces PrefixList="soap soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>EiWlHfC/AfhBC2bOo2R6CHDe06s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>WSnRVBSZlF2XXxvkH0Udi8gsRwvsKzJ9KnjXPZIbz/msx5VpjhgcTVOgPQW1myUVVwSD20XQ==
</ds:SignatureValue>
<ds:KeyInfo Id="KI-374FDD240DA4088CF9146901568146636">
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-374FDD240DA4088CF9146901568146637" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
<wsse:Reference URI="#X509-374FDD240DA4088CF9146901568146635" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soapenv:Header>
<soapenv:Body>
<soap:sayHello>
<!--Optional:-->
<arg0 wsu:Id="id-374FDD240DA4088CF9146901568146638" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedData Id="ED-374FDD240DA4088CF9146901568147642" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-374FDD240DA4088CF9146901568147640"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>A9cCXThSZz8lZzPSZftZUXB40KLM08w3Ck6+sc8dAbg=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></arg0>
</soap:sayHello>
</soapenv:Body>
</soapenv:Envelope>
UPDATE more
This is my original SOAP message
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://soap.aaa.com/">
<soapenv:Header/>
<soapenv:Body>
<soap:sayHello>
<!--Optional:-->
<arg0>Jina</arg0>
</soap:sayHello>
</soapenv:Body>
</soapenv:Envelope>
And Belows are my modified WSS configuration
Signature
Keystore : client keystore jks file
Alias : client key alias
Password : client private key password
Key Identifier Type : X.509
Parts : sayHello(Name), http://soap.aaa.com/ (Namespace), Element (Encode)
Encryption
Keystore : client keystore jks file
Alias : service key alias
Password : empty
Key Identifier Type : X.509
Parts : sayHello (Name), http://soap.aaa.com/ (Namespace), Content (Encode)
*Ingoing WS-Security Configuration
Decrypt Keystore : client keystore jks file
Signature Keystore : client keystore jks file
Password - password of client's private key
This configuration throws no soap exception in SoapUI side. In SoapUI log only this message is shown
Sun Jul 24 08:59:51 KST 2016:DEBUG:Attempt 1 to execute request
Sun Jul 24 08:59:51 KST 2016:DEBUG:Sending request: POST /SOAPSecurityWeb/HelloWorld HTTP/1.1
Sun Jul 24 08:59:52 KST 2016:DEBUG:Receiving response: HTTP/1.1 500 Internal Server Error
Sun Jul 24 08:59:52 KST 2016:DEBUG:Connection can be kept alive indefinitely
Sun Jul 24 08:59:52 KST 2016:INFO:Got response for [HelloWorldServiceSoapBinding.sayHello:Request 1] in 326ms (361 bytes)
The soap error response from SOAP service is like below
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<soap:Fault>
<faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:InvalidSecurity</faultcode>
<faultstring>An error was discovered processing the <wsse:Security> header</faultstring>
</soap:Fault>
</soap:Body>
</soap:Envelope>
And in WS service side this exception is displayed
09:37:54,340 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-2) Interceptor for {http://soap.aaa.com/}HelloWorldService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header
at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:216)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:79)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108)
at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(AlgorithmSuiteValidator.java:149)
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:550)
In addition, the following exceptions are thrown when SoapUI 5.2.1 starts. Do you think these exceptions are related to this issue?
Sun Jul 24 09:34:33 KST 2016:ERROR:An error occurred [com.eviware.soapui.plugins.auto.factories.AutoDiscoveryMethodFactory], see error log for details
Sun Jul 24 09:34:33 KST 2016:ERROR:An error occurred [com.eviware.soapui.plugins.auto.factories.AutoImportMethodFactory], see error log for details
Sun Jul 24 09:34:33 KST 2016:ERROR:An error occurred [com.eviware.soapui.plugins.auto.factories.AutoDiscoveryMethodFactory], see error log for details
Sun Jul 24 09:34:33 KST 2016:ERROR:An error occurred [com.eviware.soapui.plugins.auto.factories.AutoImportMethodFactory], see error log for details
UPDATE LAST
I deployed the same SOAP service on both Wildfly 8.2 and Wildfly 10, but different exceptions are thrown.
Wildfly 10 :
15:44:53,834 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-2) Interceptor for {http://soap.aaa.com/}HelloWorldService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:216)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:79)
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108)
at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: Cannot find key for alias: [myclientkey]
Original Exception was org.apache.wss4j.common.ext.WSSecurityException: Cannot find key for alias: [myclientkey]
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.getAsymmetricDecryptedBytes(EncryptedKeyProcessor.java:301)
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:194)
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:76)
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:280)
... 42 more
Caused by: org.apache.wss4j.common.ext.WSSecurityException: Cannot find key for alias: [myclientkey]
at org.apache.wss4j.common.crypto.Merlin.getPrivateKey(Merlin.java:632)
at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.getAsymmetricDecryptedBytes(EncryptedKeyProcessor.java:259)
... 46 more
SOAP fault :
<faultcode xmlns:ns1="http://ws.apache.org/wss4j">ns1:SecurityError</faultcode>
<faultstring>A security error was encountered when verifying the message</faultstring>
Wildfly 8.2 :
WARNING [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor] (default task-2) : org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:163) [wss4j-1.6.17.jar:1.6.17]
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:66) [wss4j-1.6.17.jar:1.6.17]
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402) [wss4j-1.6.17.jar:1.6.17]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:272) [cxf-rt-ws-security-2.7.13.jar:2.7.13]
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:121) [cxf-rt-ws-security-2.7.13.jar:2.7.13]
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:106) [cxf-rt-ws-security-2.7.13.jar:2.7.13]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) [cxf-api-2.7.13.jar:2.7.13]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.13.jar:2.7.13]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241) [cxf-rt-transports-http-2.7.13.jar:2.7.13]
at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:97)
at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:131)
at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.13.jar:2.7.13]
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.13.jar:2.7.13]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.3.1.Final.jar:2.3.1.Final]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:86) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final]
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.8.Final.jar:1.1.8.Final]
Caused by: org.apache.ws.security.WSSecurityException: Cannot find key for alias: [myclientkey]
at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:651) [wss4j-1.6.17.jar:1.6.17]
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:142) [wss4j-1.6.17.jar:1.6.17]
... 43 more
15:46:03,174 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-2) Interceptor for {http://soap.aaa.com/}HelloWorldService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:863) [cxf-rt-ws-security-2.7.13.jar:2.7.13]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:329) [cxf-rt-ws-security-2.7.13.jar:2.7.13]
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:121) [cxf-rt-ws-security-2.7.13.jar:2.7.13]
at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:106) [cxf-rt-ws-security-2.7.13.jar:2.7.13]
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) [cxf-api-2.7.13.jar:2.7.13]
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.13.jar:2.7.13]
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241) [cxf-rt-transports-http-2.7.13.jar:2.7.13]
at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:97)
at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:131)
at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:163) [wss4j-1.6.17.jar:1.6.17]
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:66) [wss4j-1.6.17.jar:1.6.17]
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402) [wss4j-1.6.17.jar:1.6.17]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:272) [cxf-rt-ws-security-2.7.13.jar:2.7.13]
... 40 more
Caused by: org.apache.ws.security.WSSecurityException: Cannot find key for alias: [myclientkey]
at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:651) [wss4j-1.6.17.jar:1.6.17]
at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:142) [wss4j-1.6.17.jar:1.6.17]
... 43 more
SOAP fault :
<faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode>
<faultstring>The signature or decryption was invalid</faultstring>
Do you have any idea? If you don't mind I can make another thread on this site with the wildfly version you want.

NullPointerException in my client of axis 2 web service with rampart security

I've created an Axis 2 web service with Rampart WS-Security in Eclipse (here is the tutorial I followed: TUTORIAL PAGE - 18-21).
I applied the policy in service.xml by adding this code and engaged the Rampart module:
<!-- WS-SecurityPolicy attached to the service: a single alternative that asks for a
     UsernameToken and carries the Rampart-specific configuration. -->
<wsp:Policy wsu:Id="UTOverTransport"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<wsp:ExactlyOne>
<wsp:All>
<!-- The UsernameToken is declared as a signed supporting token that is always sent to the recipient. -->
<!-- NOTE(review): no binding assertion (for example sp:TransportBinding) appears in this snippet,
     although the policy Id is "UTOverTransport"; confirm the full policy contains one, so that the
     username/password token is only accepted over a protected channel. -->
<sp:SignedSupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient" />
</wsp:Policy>
</sp:SignedSupportingTokens>
<!-- Rampart configuration: names the password callback class (axis2wstest.PWCBHandler, not shown on this page). -->
<ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
<ramp:passwordCallbackClass>axis2wstest.PWCBHandler</ramp:passwordCallbackClass>
</ramp:RampartConfig>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
Then I created the web service client; here is the code:
/**
 * Invokes the {@code testws} operation through the generated stub with the Rampart module
 * engaged on the client side.
 *
 * <p>The Axis2 configuration context is built from a local WEB-INF directory, and a user name
 * and password are set on the client options before the call is made.
 *
 * @param args command-line arguments (not used)
 * @throws RemoteException propagated from the Axis2 calls made here
 */
public static void main(String[] args) throws RemoteException {
    ConfigurationContext configContext =
            ConfigurationContextFactory.createConfigurationContextFromFileSystem(
                    "C:/Users/Tanya/workspace/testlnclient/WebContent/WEB-INF", null);
    TestlnStub stub = new TestlnStub(configContext);

    Testws request = new Testws();
    request.setX(5);

    ServiceClient serviceClient = stub._getServiceClient();
    serviceClient.engageModule("rampart");

    // Credentials set on the options; presumably Rampart uses them for the UsernameToken the
    // service policy asks for (verify against the client-side policy).
    // NOTE(review): these are hard-coded sample values. A real client should load them from
    // configuration or a secret store, and send them only over a protected transport.
    org.apache.axis2.client.Options options = serviceClient.getOptions();
    options.setPassword("pass");
    options.setUserName("test");

    TestwsResponse response = stub.testws(request);
    System.out.println("Response" + response.get_return());
}
}
but it gives me an exception:
exception in thread "main" org.apache.axis2.AxisFault: java.lang.NullPointerException
at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:531)
at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:375)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:421)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:229)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:165)
at axis2wstest.TestlnStub.testws(TestlnStub.java:191)
at axis2wstest.testlnclient.main(testlnclient.java:35)
The presence of Utils.getInboundFaultFromMessageContext in the stack trace indicates that the NullPointerException is actually coming from the service and not thrown by the client. Check the server logs to see where the NullPointerException occurs.