Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2013/12/17 13:09:07 UTC

[jira] [Commented] (CXF-5464) An error was discovered processing the header

    [ https://issues.apache.org/jira/browse/CXF-5464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13850388#comment-13850388 ] 

Colm O hEigeartaigh commented on CXF-5464:
------------------------------------------


You are resending a UsernameToken with the same "nonce" value. The runtime detects a replay attack and throws an exception. You can either generate a new nonce per request, or else disable nonce caching on the receiving side.

Colm.

> An error was discovered processing the <wsse:Security> header
> -------------------------------------------------------------
>
>                 Key: CXF-5464
>                 URL: https://issues.apache.org/jira/browse/CXF-5464
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.7.9
>         Environment: 1.Apache CXF 2.7.8
> 2.Jboss EAP 6
> 3.SoapUI for testing client Side
> 4. Windows 7
>            Reporter: Mahesh Narke
>              Labels: apache, cxf, digest, password, token
>             Fix For: 2.7.9
>
>   Original Estimate: 10h
>  Remaining Estimate: 10h
>
> I tried to implement simple authentication, i.e. with the password simple text type, and it is working, but when I tried to implement the password digest type, it gives me this exception:
> An error was discovered processing the <wsse:Security> header (An error happened processing a Username Token "A replay attack has been detected")
> WSS4JInInterceptor bean class definition:
> <jaxws:inInterceptors>
>          <bean
>             class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>             <constructor-arg>
>               <!--  <map>
>                   <entry key="action" value="UsernameToken"/>
>                   <entry key="passwordType" value="PasswordText"/>
>                   <entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
>                </map> -->
>                 <map>
>                   <entry key="action" value="UsernameToken"/>
>                   <entry key="passwordType" value="PasswordDigest"/>
>                   <entry key="passwordCallbackRef" value-ref="myPasswordCallback"/>
>                </map> 
>             </constructor-arg>
>          </bean>
>       </jaxws:inInterceptors>
> Client XML request code:
> <soapenv:Header>
> <wsse:Security soapenv:mustUnderstand="true">
>            <wsse:UsernameToken>
>                  <wsu:Created>2013-12-17T13:47:15Z</wsu:Created>
>                      <wsse:Username>joe</wsse:Username>
>                    <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">rePSkfHXTM6NWODD1Cdsbw==</wsse:Nonce>
>                     <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">PE7F51/oyWFVMsiZURuUwjoZVPY=</wsse:Password>
>              </wsse:UsernameToken>
> </wsse:Security>
> </soapenv:Header>
> Exception:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>    <soap:Body>
>       <soap:Fault>
>          <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:InvalidSecurity</faultcode>
>          <faultstring>An error was discovered processing the &lt;wsse:Security> header (An error happened processing a Username Token "A replay attack has been detected")</faultstring>
>       </soap:Fault>
>    </soap:Body>
> </soap:Envelope>
> What am I missing?
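
An added example, not part of the original thread and not CXF or WSS4J code: a minimal model of the check described in the comment above, where the receiver verifies the PasswordDigest (Base64 of SHA-1 over nonce + Created + password) and remembers each nonce so a resent token is rejected. The names `make_token`, `Receiver`, `TTL`, the five-minute window and the password "secret" are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TTL = timedelta(minutes=5)  # assumed freshness window, not a value from the thread
FMT = "%Y-%m-%dT%H:%M:%SZ"

def digest(nonce: bytes, created: str, password: str) -> str:
    # WSS UsernameToken PasswordDigest: Base64(SHA-1(nonce + created + password))
    raw = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(raw).decode()

def make_token(username, password, now):
    # Client side: a new random nonce for every request
    nonce, created = os.urandom(16), now.strftime(FMT)
    return {"username": username, "created": created,
            "nonce": base64.b64encode(nonce).decode(),
            "digest": digest(nonce, created, password)}

class Receiver:
    # Hypothetical receiver: digest check plus a nonce cache
    def __init__(self, passwords):
        self.passwords = passwords  # username -> password (constructed sample data)
        self.seen = {}              # nonce -> time after which it can be forgotten

    def validate(self, tok, now):
        created = datetime.strptime(tok["created"], FMT).replace(tzinfo=timezone.utc)
        if abs(now - created) > TTL:
            return "stale"
        if tok["username"] not in self.passwords:
            return "bad-digest"
        expected = digest(base64.b64decode(tok["nonce"]), tok["created"],
                          self.passwords[tok["username"]])
        if not hmac.compare_digest(expected, tok["digest"]):
            return "bad-digest"
        # Forget nonces whose tokens the Created check already rejects as stale
        self.seen = {n: t for n, t in self.seen.items() if t >= now}
        if tok["nonce"] in self.seen:
            return "replay"
        self.seen[tok["nonce"]] = created + TTL
        return "ok"
```

Sending the same token dictionary twice models a test client that resends one hand-written `<wsse:UsernameToken>`; calling `make_token` again for each request models the "new nonce per request" fix.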


