Posted to users@cxf.apache.org by Yeikel Valdes Santana <Ye...@aexp.com.INVALID> on 2022/01/18 00:45:54 UTC

Apache CXF WS-Security: "Security processing failed (actions mismatch)

I am trying to generate a SOAP request using Apache CXF WS-Security similar to the following request (I generated it using SoapUI):

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
        <soapenv:Header>
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                <ds:Signature Id="SIG-xxx" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <ec:InclusiveNamespaces PrefixList="soapenv"
                                                    xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:CanonicalizationMethod>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <ds:Reference URI="#xxxx">
                            <ds:Transforms>
                                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList=""
                                                            xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                </ds:Transform>
                            </ds:Transforms>
                            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                            <ds:DigestValue>xxxx</ds:DigestValue>
                        </ds:Reference>
                    </ds:SignedInfo>
                    <ds:SignatureValue>xxxx
                    </ds:SignatureValue>
                    <ds:KeyInfo Id="xxxxx">
                        <wsse:SecurityTokenReference wsu:Id="xxxxx">
                            <wsse:KeyIdentifier
                                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">
                        xxxx
                            </wsse:KeyIdentifier>
                        </wsse:SecurityTokenReference>
                    </ds:KeyInfo>
                </ds:Signature>
            </wsse:Security>

        </soapenv:Header>
        <soapenv:Body wsu:Id="id-xxx"
                      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <v3:AccountRequest
                    xmlns:v3="http://services.mysiste.com/V3">
                <Request>
                    <SearchParametersBlock>
                        <MktCd>
                            <MktCdData>
                                <MktCd>US</MktCd>
                            </MktCdData>
                        </MktCd>
                    </SearchParametersBlock>
                </Request>
            </v3:AccountRequest>
        </soapenv:Body>
    </soapenv:Envelope>


I am using the following code to generate my Java request:


    Properties signatureProperties = new Properties();
    signatureProperties.put("org.apache.ws.security.crypto.provider",
            "org.apache.ws.security.components.crypto.Merlin");
    signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.type",
            "jks");
    signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.file",
            "server.jks");
    signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.password",
            "password");
    signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.alias",
            "myAlias");
    signatureProperties.put("org.apache.ws.security.crypto.merlin.keystore.private.password",
            "password");

    Map<String,Object> outProps = new HashMap<>();
    outProps.put(WSHandlerConstants.USER, "myAlias");
    outProps.put(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier");
    outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);

    outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, ServiceKeystorePasswordCallback.class.getName());
    outProps.put(WSHandlerConstants.SIG_ALGO, "http://www.w3.org/2000/09/xmldsig#sha1");
    outProps.put(WSHandlerConstants.SIG_C14N_ALGO, "http://www.w3.org/2001/10/xml-exc-c14n#");
    outProps.put(WSHandlerConstants.SIG_PROP_REF_ID, "signatureProperties");
    outProps.put("signatureProperties", signatureProperties);

    org.apache.cxf.endpoint.Client client = ClientProxy.getClient(this.service);
    org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();

    WSS4JInInterceptor wssIn = new WSS4JInInterceptor(outProps);
    cxfEndpoint.getOutInterceptors().add(wssIn);

But I am experiencing the following error: "Security processing failed (actions mismatch)"

I traced the exception and it boils down to the following snippet:


    if (!checkReceiverResultsAnyOrder(wsResult, actions)) {
        LOG.warning("Security processing failed (actions mismatch)");
        throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
    }

Where actions != wsResult (it is empty)

I am not sure how to populate wsResult in this case. Any help would be greatly appreciated.





Re: Apache CXF WS-Security: "Security processing failed (actions mismatch)

Posted by Yeikel Valdes Santana <Ye...@aexp.com.INVALID>.
++ users@cxf.apache.org

From: Yeikel Valdes Santana <Ye...@aexp.com>
Date: Friday, January 21, 2022 at 9:54 AM
To: "coheigea@apache.org" <co...@apache.org>
Subject: Re: [External] Re: Apache CXF WS-Security: "Security processing failed (actions mismatch)

Thank you.

I solved it myself. It turns out I was using the wrong class. I had to use WSS4JOutInterceptor instead of WSS4JInInterceptor.

From: Colm O hEigeartaigh <co...@apache.org>
Reply-To: "coheigea@apache.org" <co...@apache.org>
Date: Friday, January 21, 2022 at 8:38 AM
To: "users@cxf.apache.org" <us...@cxf.apache.org>
Subject: [External] Re: Apache CXF WS-Security: "Security processing failed (actions mismatch)

Hi,

Could you put together a test-case that reproduces the problem that we can run?

Colm.



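The fix reported in the reply above, written out as an added example (not code from the thread or from the CXF project): the signing properties go to a WSS4JOutInterceptor on the client's outbound chain. The class names `SigningClientConfig` and `KeystorePasswordCallback` and the environment variable `SIGNING_KEY_PASSWORD` are hypothetical; the alias and algorithm URIs are taken from the post, with `SIG_ALGO` and `SIG_DIGEST_ALGO` set to the SignatureMethod and DigestMethod of the SoapUI request, and the WSS4J 2.x package names are assumed.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

public final class SigningClientConfig {

    /** Hypothetical stand-in for the poster's ServiceKeystorePasswordCallback. */
    public static final class KeystorePasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) {
            for (Callback cb : callbacks) {
                if (cb instanceof WSPasswordCallback) {
                    WSPasswordCallback pc = (WSPasswordCallback) cb;
                    if ("myAlias".equals(pc.getIdentifier())) {
                        // Assumption: the key password comes from the environment,
                        // not from a literal in source control.
                        pc.setPassword(System.getenv("SIGNING_KEY_PASSWORD"));
                    }
                }
            }
        }
    }

    /** Builds the outbound signature configuration; 'crypto' is the Merlin Properties object. */
    public static Map<String, Object> signatureOutProps(Properties crypto) {
        Map<String, Object> outProps = new HashMap<>();
        outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
        outProps.put(WSHandlerConstants.USER, "myAlias");
        outProps.put(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier");
        outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
                KeystorePasswordCallback.class.getName());
        // Signature and digest algorithms are separate settings. The SHA-1 URIs
        // mirror the SoapUI request; use rsa-sha256/sha256 if the service accepts them.
        outProps.put(WSHandlerConstants.SIG_ALGO,
                "http://www.w3.org/2000/09/xmldsig#rsa-sha1");
        outProps.put(WSHandlerConstants.SIG_DIGEST_ALGO,
                "http://www.w3.org/2000/09/xmldsig#sha1");
        outProps.put(WSHandlerConstants.SIG_C14N_ALGO,
                "http://www.w3.org/2001/10/xml-exc-c14n#");
        outProps.put(WSHandlerConstants.SIG_PROP_REF_ID, "signatureProperties");
        outProps.put("signatureProperties", crypto);
        return outProps;
    }

    /** Attaches request signing to a CXF client proxy (the generated service port). */
    public static void enableRequestSigning(Object servicePort, Properties crypto) {
        Client client = ClientProxy.getClient(servicePort);
        // WSS4JOutInterceptor applies the configured actions to the outgoing
        // message. WSS4JInInterceptor instead checks a received message against
        // those actions, which is the check that failed with an empty wsResult.
        client.getOutInterceptors().add(new WSS4JOutInterceptor(signatureOutProps(crypto)));
    }
}
```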

Re: Apache CXF WS-Security: "Security processing failed (actions mismatch)

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

Could you put together a test-case that reproduces the problem that we can run?

Colm.
