Posted to users@cxf.apache.org by Alexandros Karypidis <ak...@yahoo.gr> on 2009/12/11 16:58:10 UTC
WS-Security _DEMANDS_ "target part" be present, breaking WS-RM (Bug?)
Hi,
SHORT STORY:
I need to encrypt an element in my SOAP message. Therefore I configure
my sending endpoint as follows:
This generally works, but breaks if I enable WS-ReliableMessaging (with
a policy in the WSDL). In that case, when trying to send a message the
interceptor fails with:
org.apache.ws.security.WSSecurityException:
General security error (WSEncryptBody/WSSignEnvelope:
Element to encrypt/sign not found: {http://messaging/}deliver)
Now, apparently this is caused by WS-RM injecting a "CreateSequence"
message which does not contain my "target" element. I can see only three
ways out of this and I appreciate any help.
LONG STORY:
My thoughts on getting around this are below, but I need help from
someone more knowledgeable:
1) I don't know if it's possible to have the WS-Security interceptor be
added _before_ the WS-RM interceptor (I assume this would result in WSS
"not seeing" RM-injected messages). Although I add the "WSS" interceptor
with code, the RM interceptor is added automatically by a policy in the
WSDL. I add WSS with:
    Map<String, Object> outProps = new HashMap<String, Object>();
    WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
    // ...
    outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
        "{Content}{http://messaging/}deliver");
    org.apache.cxf.endpoint.Client client =
        org.apache.cxf.frontend.ClientProxy.getClient(portStub);
    org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();
    cxfEndpoint.getOutInterceptors().add(wssOut);
2) Is it possible to define the "target part" as "optional" so that WSS
does not abort when it fails to find the element?
3) Are neither (1) nor (2) possible, in which case I should open a bug
report (and start coding)?
Re: WS-Security _DEMANDS_ "target part" be present, breaking WS-RM (Bug?)
Posted by versus <vl...@gmail.com>.
Hi karypid,
I'm facing the same issue at the moment, did you manage to come up with a
patch?
Best regards,
versus
karypid wrote:
>
> Ok, thanks. I will look at it over the weekend and try to submit a
> test-case/patch.
>
> Daniel Kulp wrote:
>> Hmm.....
>>
>> The only thing I can think of is to subclass the WSS4JOutInterceptor to
>> override a method or two to turn off the ENCRYPTION_PARTS thing if the
>> body contains one of the RM messages.
>>
>> You can probably override the "getString(String key, Object mc)" call
>> to do something like:
>>
>>     if (key.equals(WSHandlerConstants.ENCRYPTION_PARTS)) {
>>         SoapMessage m = (SoapMessage)mc;
>>         SOAPMessage doc = m.getContent(SOAPMessage.class);
>>         SOAPBody body = doc.getSOAPBody();
>>         //check the content of body and return null if RM.....
>>     }
>>     return super.getString(key, mc);
>>
>>
>> Dan
Re: WS-Security _DEMANDS_ "target part" be present, breaking WS-RM (Bug?)
Posted by Alexandros Karypidis <ak...@yahoo.gr>.
Ok, thanks. I will look at it over the weekend and try to submit a
test-case/patch.
Daniel Kulp wrote:
> Hmm.....
>
> The only thing I can think of is to subclass the WSS4JOutInterceptor to
> override a method or two to turn off the ENCRYPTION_PARTS thing if the body
> contains one of the RM messages.
>
> You can probably override the "getString(String key, Object mc)" call to
> do something like:
>
>     if (key.equals(WSHandlerConstants.ENCRYPTION_PARTS)) {
>         SoapMessage m = (SoapMessage)mc;
>         SOAPMessage doc = m.getContent(SOAPMessage.class);
>         SOAPBody body = doc.getSOAPBody();
>         //check the content of body and return null if RM.....
>     }
>     return super.getString(key, mc);
>
>
> Dan
>
>
>
>
> On Fri December 11 2009 10:58:10 am Alexandros Karypidis wrote:
>
>> Hi,
>>
>> SHORT STORY:
>>
>> I need to encrypt an element in my SOAP message. Therefore I configure
>> my sending endpoint as follows:
>>
>> This generally works, but breaks if I enable WS-ReliableMessaging (with
>> a policy in the WSDL). In that case, when trying to send a message the
>> interceptor fails with:
>>
>> org.apache.ws.security.WSSecurityException:
>> General security error (WSEncryptBody/WSSignEnvelope:
>> Element to encrypt/sign not found: {http://messaging/}deliver)
>>
>> Now, apparently this is caused by WS-RM injecting a "CreateSequence"
>> message which does not contain my "target" element. I can see only three
>> ways out of this and I appreciate any help.
>>
>> LONG STORY:
>>
>> My thoughts on getting around this are below, but I need help from
>> someone more knowledgeable:
>>
>> 1) I don't know if it's possible to have the WS-Security interceptor be
>> added _before_ the WS-RM interceptor (I assume this would result in WSS
>> "not seeing" RM-injected messages). Although I add the "WSS" interceptor
>> with code, the RM interceptor is added automatically by a policy in the
>> WSDL. I add WSS with:
>>
>>     Map<String, Object> outProps = new HashMap<String, Object>();
>>     WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
>>     // ...
>>     outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
>>         "{Content}{http://messaging/}deliver");
>>     org.apache.cxf.endpoint.Client client =
>>         org.apache.cxf.frontend.ClientProxy.getClient(portStub);
>>     org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();
>>     cxfEndpoint.getOutInterceptors().add(wssOut);
>>
>> 2) Is it possible to define the "target part" as "optional" so that WSS
>> does not abort when it fails to find the element?
>>
>> 3) Are neither (1) nor (2) possible, in which case I should open a bug
>> report (and start coding)?
>>
>>
>
>
Re: WS-Security _DEMANDS_ "target part" be present, breaking WS-RM (Bug?)
Posted by Daniel Kulp <dk...@apache.org>.
Hmm.....
The only thing I can think of is to subclass the WSS4JOutInterceptor to
override a method or two to turn off the ENCRYPTION_PARTS thing if the body
contains one of the RM messages.
You can probably override the "getString(String key, Object mc)" call to
do something like:

    if (key.equals(WSHandlerConstants.ENCRYPTION_PARTS)) {
        SoapMessage m = (SoapMessage)mc;
        SOAPMessage doc = m.getContent(SOAPMessage.class);
        SOAPBody body = doc.getSOAPBody();
        //check the content of body and return null if RM.....
    }
    return super.getString(key, mc);
Dan
On Fri December 11 2009 10:58:10 am Alexandros Karypidis wrote:
> Hi,
>
> SHORT STORY:
>
> I need to encrypt an element in my SOAP message. Therefore I configure
> my sending endpoint as follows:
>
> This generally works, but breaks if I enable WS-ReliableMessaging (with
> a policy in the WSDL). In that case, when trying to send a message the
> interceptor fails with:
>
> org.apache.ws.security.WSSecurityException:
> General security error (WSEncryptBody/WSSignEnvelope:
> Element to encrypt/sign not found: {http://messaging/}deliver)
>
> Now, apparently this is caused by WS-RM injecting a "CreateSequence"
> message which does not contain my "target" element. I can see only three
> ways out of this and I appreciate any help.
>
> LONG STORY:
>
> My thoughts on getting around this are below, but I need help from
> someone more knowledgeable:
>
> 1) I don't know if it's possible to have the WS-Security interceptor be
> added _before_ the WS-RM interceptor (I assume this would result in WSS
> "not seeing" RM-injected messages). Although I add the "WSS" interceptor
> with code, the RM interceptor is added automatically by a policy in the
> WSDL. I add WSS with:
>
>     Map<String, Object> outProps = new HashMap<String, Object>();
>     WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);
>     // ...
>     outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
>         "{Content}{http://messaging/}deliver");
>     org.apache.cxf.endpoint.Client client =
>         org.apache.cxf.frontend.ClientProxy.getClient(portStub);
>     org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();
>     cxfEndpoint.getOutInterceptors().add(wssOut);
>
> 2) Is it possible to define the "target part" as "optional" so that WSS
> does not abort when it fails to find the element?
>
> 3) Are neither (1) nor (2) possible, in which case I should open a bug
> report (and start coding)?
>
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
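
The body check that the suggested getString override depends on, as an added example that is not part of the thread and not CXF or WSS4J code. It uses only the JDK; the class and method names are hypothetical, and it assumes a SOAP 1.1 envelope and the WS-RM 1.0/1.1 namespaces. The value it returns is what the override would hand back for ENCRYPTION_PARTS: null only for bodies in a WS-RM namespace, so an application message that lacks the target element still hits the WSS4J error instead of being sent without the configured encryption.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

public class RmAwareEncryptionParts { // hypothetical helper name
    static final String SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    // WS-RM 1.0 (2005/02) and 1.1 (2007/02); assumed to cover the RM version in use.
    static final String[] RM_NS = {
        "http://schemas.xmlsoap.org/ws/2005/02/rm",
        "http://docs.oasis-open.org/ws-rx/wsrm/200702" };
    static final String PARTS = "{Content}{http://messaging/}deliver"; // value from the thread

    /** Returns the ENCRYPTION_PARTS value to use, or null only for WS-RM protocol bodies. */
    static String partsFor(String envelopeXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // namespace URIs are what the decision is based on
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element env = f.newDocumentBuilder().parse(new ByteArrayInputStream(
            envelopeXml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        Node body = env.getElementsByTagNameNS(SOAP11_NS, "Body").item(0);
        for (Node n = body == null ? null : body.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE) continue; // skip whitespace and comments
            for (String ns : RM_NS) {
                if (ns.equals(n.getNamespaceURI())) return null; // RM control message
            }
            return PARTS; // first body element is application payload: keep the requirement
        }
        return PARTS; // no body element: not recognisably RM, leave the configured parts in place
    }

    public static void main(String[] args) throws Exception {
        String env = "<s:Envelope xmlns:s='" + SOAP11_NS + "'><s:Body>%s</s:Body></s:Envelope>";
        // Constructed sample bodies, not captured traffic.
        String rm = String.format(env, "<r:CreateSequence xmlns:r='" + RM_NS[0] + "'/>");
        String app = String.format(env, "<m:deliver xmlns:m='http://messaging/'>x</m:deliver>");
        String other = String.format(env, "<m:ping xmlns:m='http://messaging/'/>");
        System.out.println("CreateSequence -> " + partsFor(rm));
        System.out.println("deliver        -> " + partsFor(app));
        System.out.println("ping           -> " + partsFor(other));
    }
}
```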