Posted to issues@cxf.apache.org by "Pawel Lipka (JIRA)" <ji...@apache.org> on 2009/07/24 15:27:14 UTC

[jira] Created: (CXF-2356) WS-SecurityPolicy and faults

WS-SecurityPolicy and faults
----------------------------

                 Key: CXF-2356
                 URL: https://issues.apache.org/jira/browse/CXF-2356
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
    Affects Versions: 2.2.2
         Environment: cxf-2.2.2, wss4j-1.5.7, xmlsec-1.4.2
            Reporter: Pawel Lipka
         Attachments: wssecuritypolicy-tests.zip

I have a secure WS that is described by a WS-Policy document that's
pasted below.
Policy A is attached to the wsdl:binding while policy B is attached to
the wsdl:input, wsdl:output and wsdl:fault.

When my WS throws a soap fault there are a couple of problems:
1) the soap:Body element is not encrypted
2) the soap:Body element is not signed
3) the WS client fails to validate the WS-Security header with the
error that's also pasted below.

The problem seems to be in the way CXF handles the WS-Security header using
the PolicyBasedWSS4JInterceptor.
When the response arrives it passes through the in interceptor chain and
the encrypted parts are decrypted. The way wss4j handles decryption is
that it replaces the xmlenc:EncryptedData element in the SOAP document
with the decrypted content but it does not remove the corresponding
xmlenc:ReferenceData/xmlenc:DataReference element from the Security
header. After decryption is done some other interceptor detects that the
message is actually a fault and triggers the inFault interceptor chain.

The inFault interceptor chain again contains the
PolicyBasedWSS4JInterceptor and it should contain it since not all the
policy assertions have been asserted by the 'in' chain (e.g. the
UsingAddressing assertion).
The PolicyBasedWSS4JInterceptor runs wss4j again on a document that has
already been decrypted and fails with the error below because the
xmlenc:ReferenceData/xmlenc:DataReference elements point to nothing.

Has anyone ever hit a problem like that? Is there any workaround for
that (other than changing the WS-Policy document)?

thanks in advance,

7038 [main] WARN org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor  - 
org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header (WSSecurityEngine: DataReference - referenced data not found)
        at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:141)
        at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:113)
        at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:76)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:179)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
        at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
        at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
        at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:645)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2132)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2015)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1940)
        at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
        at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:180)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:471)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:301)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:253)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:121)
        at $Proxy38.sendMessage(Unknown Source)

<!-- Policy fragments as they sit inside the WSDL. The wsp, wsu and wsaw
     namespace declarations are carried by wsdl:definitions there; they are
     declared on each wsp:Policy here so the fragment is self-contained. -->
<wsp:Policy wsu:Id="A"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireDerivedKeys />
                  <sp:RequireThumbprintReference />
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:EncryptSignature />
          <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:EndorsingSupportingTokens>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:RequireThumbprintReference />
              <sp:WssX509V3Token10 />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:EndorsingSupportingTokens>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
          <sp:MustSupportRefThumbprint />
          <sp:MustSupportRefEncryptedKey />
          <sp:RequireSignatureConfirmation />
        </wsp:Policy>
      </sp:Wss11>
      <sp:Trust10>
        <wsp:Policy>
          <sp:MustSupportIssuedTokens />
          <sp:RequireClientEntropy />
          <sp:RequireServerEntropy />
        </wsp:Policy>
      </sp:Trust10>
      <wsaw:UsingAddressing />
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="B"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SignedParts>
        <sp:Body />
        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
        <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
        <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
        <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
        <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
        <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
        <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body />
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
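The in-chain / inFault-chain interaction described in the report, modelled as an added Python example (this is not CXF or WSS4J code). It walks the xenc:ReferenceList/xenc:DataReference entries of a wsse:Security header the way the report describes WSS4J doing it: each reference is resolved to an xenc:EncryptedData by Id, the EncryptedData is swapped for its plaintext, and the DataReference is left in the header. Running the same pass a second time on the now-decrypted document then fails with "referenced data not found", which is what the client's fault chain hits. The envelope, the Id, the base64-only "ciphertext" standing in for real AES, and the remove_processed_refs switch are all constructed for the example; the idempotent variant it shows is an assumption for illustration, not the change that went into CXF 2.2.3.

```python
"""Model of the double-processing failure from CXF-2356.

Added example (Python), not CXF or WSS4J code: each xenc:DataReference is
resolved to an xenc:EncryptedData by Id and replaced by plaintext; in the
buggy flow the DataReference stays, so a second pass over the document fails.
"""
import base64
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"


class WSSecurityException(Exception):
    """Stand-in for org.apache.ws.security.WSSecurityException."""


# Constructed sample fault response. The CipherValue is only base64 of the
# plaintext (a stand-in for real AES ciphertext) so the example runs offline.
PLAINTEXT_FAULT = (
    f'<soap:Fault xmlns:soap="{SOAP}">'
    "<faultcode>soap:Server</faultcode><faultstring>boom</faultstring>"
    "</soap:Fault>"
)
CIPHER_VALUE = base64.b64encode(PLAINTEXT_FAULT.encode()).decode()

SAMPLE_RESPONSE = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="{WSSE}" xmlns:xenc="{XENC}">
      <xenc:EncryptedKey>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#enc-body-1"/>
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData xmlns:xenc="{XENC}" Id="enc-body-1" Type="{XENC}Content">
      <xenc:CipherData><xenc:CipherValue>{CIPHER_VALUE}</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""


def _find_by_id(root, id_value):
    return next((el for el in root.iter() if el.get("Id") == id_value), None)


def process_security_header(envelope, remove_processed_refs):
    """One WSS4J-style ReferenceList pass; returns the number of parts decrypted.

    remove_processed_refs=False reproduces the behaviour the report describes.
    True drops each DataReference once its EncryptedData has been replaced, so
    a repeated pass is a no-op (an idempotent variant assumed here, not the
    change that went into CXF 2.2.3).
    """
    parents = {child: parent for parent in envelope.iter() for child in parent}
    decrypted = 0
    for reflist in list(envelope.iter(f"{{{XENC}}}ReferenceList")):
        for ref in list(reflist):
            uri = ref.get("URI", "")
            target = _find_by_id(envelope, uri[1:]) if uri.startswith("#") else None
            if target is None or target.tag != f"{{{XENC}}}EncryptedData":
                raise WSSecurityException(
                    f"DataReference - referenced data not found: {uri}")
            cipher = target.find(f"{{{XENC}}}CipherData/{{{XENC}}}CipherValue").text
            plaintext = ET.fromstring(base64.b64decode(cipher))
            parent = parents[target]
            idx = list(parent).index(target)
            parent.remove(target)
            parent.insert(idx, plaintext)  # EncryptedData replaced in place
            if remove_processed_refs:
                reflist.remove(ref)
            decrypted += 1
    return decrypted


def simulate_client(remove_processed_refs):
    """Mimic the client flow from the report: the 'in' chain decrypts, the
    Body now holds a soap:Fault, and the inFault chain runs the security
    processing a second time on the same document.

    Returns (parts decrypted in pass 1, fault detected, pass-2 result), the
    last being a count or the WSSecurityException message.
    """
    envelope = ET.fromstring(SAMPLE_RESPONSE)
    first = process_security_header(envelope, remove_processed_refs)
    body = envelope.find(f"{{{SOAP}}}Body")
    is_fault = body.find(f"{{{SOAP}}}Fault") is not None
    try:
        second = process_security_header(envelope, remove_processed_refs)
    except WSSecurityException as exc:
        second = str(exc)
    return first, is_fault, second


if __name__ == "__main__":
    print("buggy flow     :", simulate_client(remove_processed_refs=False))
    print("idempotent flow:", simulate_client(remove_processed_refs=True))
```

Run it directly and the first line shows pass 1 decrypting one part, the Body being recognised as a fault, and pass 2 raising the same "referenced data not found" message as the stack trace above; the second line shows the idempotent variant, where pass 2 simply finds nothing left to decrypt. Whatever the real fix looks like, the property to check in a client is the same one: security processing on the fault chain must either be skipped when the in chain already ran it, or be safe to run twice.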


[jira] Commented: (CXF-2356) WS-SecurityPolicy and faults

Posted by "Pawel Lipka (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/CXF-2356?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12735051#action_12735051 ] 

Pawel Lipka commented on CXF-2356:
----------------------------------

Unzip the attachment and run mvn test.



[jira] Resolved: (CXF-2356) WS-SecurityPolicy and faults

Posted by "Daniel Kulp (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Kulp resolved CXF-2356.
------------------------------

       Resolution: Fixed
    Fix Version/s: 2.2.3
         Assignee: Daniel Kulp

> Namespace="http://www.w3.org/2005/08/addressing" />
>                                         <sp:Header Name="MessageID"
> Namespace="http://www.w3.org/2005/08/addressing" />
>                                         <sp:Header Name="RelatesTo"
> Namespace="http://www.w3.org/2005/08/addressing" />
>                                         <sp:Header Name="Action"
> Namespace="http://www.w3.org/2005/08/addressing" />
>                                 </sp:SignedParts>
>                                 <sp:EncryptedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                         <sp:Body />
>                                 </sp:EncryptedParts>
>                         </wsp:All>
>                 </wsp:ExactlyOne>
>         </wsp:Policy>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
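The failure chain the report describes (WSS4J swaps each xenc:EncryptedData for its plaintext but leaves the xenc:DataReference in the Security header, so a second pass reports "referenced data not found") and the policy B requirement it violates (the fault's soap:Body must be signed and encrypted) can both be checked on a message directly. The following is an added example, not code from the reporter's attached test project nor from CXF or WSS4J. It uses the standard SOAP 1.1, WS-Security, XML Encryption and XML Signature namespaces; the two SOAP fault messages are constructed for illustration, the plaintext substituted by `decrypt_in_place` is a stand-in for real decryption, and `drop_resolved_references` is one assumed way to make a repeated pass over the header safe, not the project's fix.

```python
"""Consistency checks on a WS-Security header, modelled on the report's failure.

Added example; messages and function names are constructed for illustration."""
import xml.etree.ElementTree as ET

NS = {  # standard namespaces, not specific to this report
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
WSU_ID = "{%s}Id" % NS["wsu"]
ENCRYPTED_DATA = "{%s}EncryptedData" % NS["xenc"]
DATA_REFERENCE = "{%s}DataReference" % NS["xenc"]
DS_REFERENCE = "{%s}Reference" % NS["ds"]

# Envelope skeleton; the two %s slots take the Security header content and the Body content.
_ENVELOPE = (
    '<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"'
    ' xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s">'
    '<soap:Header><wsse:Security>%%s</wsse:Security></soap:Header>'
    '<soap:Body wsu:Id="body">%%s</soap:Body></soap:Envelope>'
) % NS

# Constructed: a fault protected as policy B demands (Body signed and encrypted).
PROTECTED_FAULT = _ENVELOPE % (
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo></ds:Signature>'
    '<xenc:ReferenceList><xenc:DataReference URI="#enc-body"/></xenc:ReferenceList>',
    '<xenc:EncryptedData Id="enc-body"><xenc:CipherData><xenc:CipherValue>AAAA'
    '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>',
)
# Constructed: the fault as the report observes it, a bare soap:Fault with no protection.
UNPROTECTED_FAULT = _ENVELOPE % (
    '',
    '<soap:Fault><faultcode>soap:Server</faultcode><faultstring>x</faultstring></soap:Fault>',
)


def _anchors(root):
    """Map every fragment id in the message (plain Id or wsu:Id) to its element."""
    table = {}
    for el in root.iter():
        for attr in ("Id", WSU_ID):
            if attr in el.attrib:
                table[el.attrib[attr]] = el
    return table


def dangling_data_references(xml_text):
    """URIs of DataReference elements that no longer resolve to an EncryptedData.
    This is the condition WSS4J reports as 'DataReference - referenced data not found'."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    anchors = _anchors(root)
    bad = []
    for ref in sec.iter(DATA_REFERENCE):
        uri = ref.get("URI", "")
        target = anchors.get(uri.lstrip("#"))
        if target is None or target.tag != ENCRYPTED_DATA:
            bad.append(uri)
    return bad


def decrypt_in_place(xml_text):
    """Mimic the behaviour the report describes: replace each EncryptedData with its
    plaintext (a constructed soap:Fault stands in) and leave the DataReference behind."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    for enc in list(root.iter(ENCRYPTED_DATA)):
        parent = parents[enc]
        fault = ET.Element("{%s}Fault" % NS["soap"])
        ET.SubElement(fault, "faultcode").text = "soap:Server"
        ET.SubElement(fault, "faultstring").text = "constructed fault"
        parent.insert(list(parent).index(enc), fault)
        parent.remove(enc)
    return ET.tostring(root, encoding="unicode")


def drop_resolved_references(xml_text):
    """Assumed remedy for a repeated pass over the header: remove DataReferences whose
    target is already decrypted, so only still-encrypted parts stay referenced."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    anchors = _anchors(root)
    for ref_list in list(sec.iter("{%s}ReferenceList" % NS["xenc"])):
        for ref in list(ref_list):
            target = anchors.get(ref.get("URI", "").lstrip("#"))
            if target is None or target.tag != ENCRYPTED_DATA:
                ref_list.remove(ref)
    return ET.tostring(root, encoding="unicode")


def fault_parts_status(xml_text):
    """Whether soap:Body is signed and encrypted, which is what policy B's SignedParts
    and EncryptedParts require of the fault message."""
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", NS)
    sec = root.find("soap:Header/wsse:Security", NS)
    signed = set()
    if sec is not None:
        signed = {r.get("URI", "").lstrip("#") for r in sec.iter(DS_REFERENCE)}
    body_id = body.get(WSU_ID)
    return {
        "body_signed": body_id is not None and body_id in signed,
        "body_encrypted": body.find("xenc:EncryptedData", NS) is not None,
    }


if __name__ == "__main__":
    print(fault_parts_status(PROTECTED_FAULT), fault_parts_status(UNPROTECTED_FAULT))
    once = decrypt_in_place(PROTECTED_FAULT)
    print(dangling_data_references(once))  # what the second WSS4J pass trips over
    print(dangling_data_references(drop_resolved_references(once)))
```

Run against the constructed protected fault, the first pass reports no dangling references; after `decrypt_in_place` the same header yields `['#enc-body']`, which is exactly the state the stack trace shows the inFault chain running WSS4J on. `fault_parts_status` on the unprotected fault returns both flags false, matching problems 1) and 2) of the report.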


[jira] Updated: (CXF-2356) WS-SecurityPolicy and faults

Posted by "Pawel Lipka (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/CXF-2356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pawel Lipka updated CXF-2356:
-----------------------------

    Attachment: wssecuritypolicy-tests.zip

A maven project with a test that shows the bug

