Posted to users@cxf.apache.org by Hammad Khan <kh...@ca.ibm.com> on 2016/10/25 17:28:18 UTC
Hardcoded token expiry in SymmetricBindingHandler
Hi,
When making secure service calls that take longer than 5 minutes we are
getting the following exception when the operation finishes:
javax.xml.ws.soap.SOAPFaultException: Unsupported key identification:
rNxxOCJ5uh7BFH69DLeDkZu21LM=
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke
(JaxWsClientProxy.java:160)
at com.sun.proxy.$Proxy45.getJobDescription(Unknown Source)
at
com.merge.icc.demos.client.employee.basic.CallServiceListener.callService
(CallServiceListener.java:39)
at
com.merge.icc.demos.client.employee.basic.CallServiceListener.actionPerformed
(CallServiceListener.java:53)
at javax.swing.AbstractButton.fireActionPerformed
(AbstractButton.java:2018)
at javax.swing.AbstractButton$Handler.actionPerformed
(AbstractButton.java:2341)
at javax.swing.DefaultButtonModel.fireActionPerformed
(DefaultButtonModel.java:402)
at javax.swing.DefaultButtonModel.setPressed
(DefaultButtonModel.java:259)
at javax.swing.plaf.basic.BasicButtonListener.mouseReleased
(BasicButtonListener.java:252)
at java.awt.Component.processMouseEvent(Component.java:6516)
at javax.swing.JComponent.processMouseEvent(JComponent.java:3321)
at java.awt.Component.processEvent(Component.java:6281)
at java.awt.Container.processEvent(Container.java:2229)
at java.awt.Component.dispatchEventImpl(Component.java:4872)
at java.awt.Container.dispatchEventImpl(Container.java:2287)
at java.awt.Component.dispatchEvent(Component.java:4698)
at java.awt.LightweightDispatcher.retargetMouseEvent
(Container.java:4832)
at java.awt.LightweightDispatcher.processMouseEvent
(Container.java:4492)
at java.awt.LightweightDispatcher.dispatchEvent(Container.java:4422)
at java.awt.Container.dispatchEventImpl(Container.java:2273)
at java.awt.Window.dispatchEventImpl(Window.java:2719)
at java.awt.Component.dispatchEvent(Component.java:4698)
at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:747)
at java.awt.EventQueue.access$300(EventQueue.java:103)
at java.awt.EventQueue$3.run(EventQueue.java:706)
at java.awt.EventQueue$3.run(EventQueue.java:704)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege
(ProtectionDomain.java:76)
at java.security.ProtectionDomain$1.doIntersectionPrivilege
(ProtectionDomain.java:87)
at java.awt.EventQueue$4.run(EventQueue.java:720)
at java.awt.EventQueue$4.run(EventQueue.java:718)
at java.security.AccessController.doPrivileged(Native Method)
at java.security.ProtectionDomain$1.doIntersectionPrivilege
(ProtectionDomain.java:76)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:717)
at java.awt.EventDispatchThread.pumpOneEventForFilters
(EventDispatchThread.java:242)
at java.awt.EventDispatchThread.pumpEventsForFilter
(EventDispatchThread.java:161)
at java.awt.EventDispatchThread.pumpEventsForHierarchy
(EventDispatchThread.java:150)
at java.awt.EventDispatchThread.pumpEvents
(EventDispatchThread.java:146)
at java.awt.EventDispatchThread.pumpEvents
(EventDispatchThread.java:138)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:91)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: Unsupported key
identification: rNxxOCJ5uh7BFH69DLeDkZu21LM=
at
org.apache.wss4j.dom.str.DerivedKeyTokenSTRParser.parseSecurityTokenReference
(DerivedKeyTokenSTRParser.java:135)
at
org.apache.wss4j.dom.processor.DerivedKeyTokenProcessor.handleToken
(DerivedKeyTokenProcessor.java:63)
at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader
(WSSecurityEngine.java:428)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal
(WSS4JInInterceptor.java:278)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage
(WSS4JInInterceptor.java:190)
at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage
(PolicyBasedWSS4JInInterceptor.java:127)
at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage
(PolicyBasedWSS4JInInterceptor.java:112)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept
(PhaseInterceptorChain.java:307)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
at org.apache.cxf.transport.http.HTTPConduit
$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1644)
at org.apache.cxf.transport.http.HTTPConduit
$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
at org.apache.cxf.transport.http.HTTPConduit
$WrappedOutputStream.close(HTTPConduit.java:1330)
at org.apache.cxf.io.CacheAndWriteOutputStream.postClose
(CacheAndWriteOutputStream.java:56)
at org.apache.cxf.io.CachedOutputStream.close
(CachedOutputStream.java:215)
at org.apache.cxf.transport.AbstractConduit.close
(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close
(HTTPConduit.java:652)
at org.apache.cxf.interceptor.MessageSenderInterceptor
$MessageSenderEndingInterceptor.handleMessage
(MessageSenderInterceptor.java:62)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept
(PhaseInterceptorChain.java:307)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
at org.apache.cxf.frontend.ClientProxy.invokeSync
(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke
(JaxWsClientProxy.java:138)
... 39 more
We have tracked this issue down to the fact that the method
setupEncryptedKey in the
org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler
class has a hard coded expiry time of 5 minutes.
(same with methods: getEncryptedKey, setupUTDerivedKey, getUTDerivedKey)
We are using cxf 3.0.6, however, looking at the latest
SymmetricBindingHandler I see that the expiry time is still hard coded to 5
minutes.
Is it possible to make this expiry time configurable?
One option I see is to have a property in the jaxrs:client configuration
and read this property in the SymmetricBindingHandler constructor from
request context of the passed message.
Thanks
Re: Hardcoded token expiry in SymmetricBindingHandler
Posted by Colm O hEigeartaigh <co...@apache.org>.
I've merged a fix for this: https://issues.apache.org/jira/browse/CXF-7111
You can change the token lifetime via a new JAX-WS property:
"ws-security.security.token.lifetime"
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
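
Setting the property named in the reply on a JAX-WS client, as an added example that is not code from the thread or from the CXF project. It assumes the value is passed as a string of milliseconds (check the SecurityConstants documentation for your CXF version); the margin and upper bound are hypothetical local policy, and the HashMap stands in for ((BindingProvider) port).getRequestContext().

```java
import java.time.Duration;
import java.util.HashMap;
import java.util.Map;

public class TokenLifetimeConfig {
    // Property name quoted in the reply above.
    static final String TOKEN_LIFETIME = "ws-security.security.token.lifetime";
    // The 5-minute value the thread reports as hard-coded before the fix.
    static final Duration DEFAULT_LIFETIME = Duration.ofMinutes(5);
    // Hypothetical local policy: headroom for response processing, and a
    // ceiling so the cached symmetric key is not kept valid indefinitely.
    static final Duration MARGIN = Duration.ofMinutes(2);
    static final Duration MAX_LIFETIME = Duration.ofHours(1);

    /**
     * Writes a token lifetime into a JAX-WS request context so the token
     * outlives the slowest expected call. Returns the lifetime applied.
     */
    static Duration apply(Map<String, Object> requestContext, Duration slowestCall) {
        if (slowestCall.isZero() || slowestCall.isNegative()) {
            throw new IllegalArgumentException("slowestCall must be positive");
        }
        Duration wanted = slowestCall.plus(MARGIN);
        if (wanted.compareTo(MAX_LIFETIME) > 0) {
            // Clamping would silently bring back the expiry failure from the
            // thread, so refuse at configuration time instead.
            throw new IllegalArgumentException(
                "call duration needs a lifetime above the allowed maximum");
        }
        // Never go below the previous default.
        Duration lifetime = wanted.compareTo(DEFAULT_LIFETIME) < 0 ? DEFAULT_LIFETIME : wanted;
        // Assumption: CXF reads this property as a String holding milliseconds.
        requestContext.put(TOKEN_LIFETIME, Long.toString(lifetime.toMillis()));
        return lifetime;
    }

    public static void main(String[] args) {
        // Stand-in for ((javax.xml.ws.BindingProvider) port).getRequestContext().
        Map<String, Object> ctx = new HashMap<>();
        Duration applied = apply(ctx, Duration.ofMinutes(12));
        System.out.println(TOKEN_LIFETIME + " = " + ctx.get(TOKEN_LIFETIME)
            + " (" + applied.toMinutes() + " min)");
    }
}
```

Size the lifetime from the slowest operation the client actually calls rather than setting one large value everywhere, since a longer lifetime also lengthens the period in which the cached key is accepted.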