Posted to users@cxf.apache.org by Andrew Hart <ah...@akimeka.com> on 2013/04/23 00:04:28 UTC

Understanding WSS4J actions

Ok, wrt my earlier message, I decided to just go ahead and write a
simple java web service client rather than try to figure out why SoapUi
wasn't working.  
Unfortunately, I'm back into "actions mismatch" hell.

I understand that the actions need to match up on the client request to
the server, i.e., from the client OutInterceptor to the server
InInterceptor, and that the inverse is true,
from the server response OutInterceptor to the client InInterceptor.

So, my client is configured like this in a cxf.xml file:  
 (note: the jaxws:client element didn't work for me and I had to replace
it with the cxf:bus before my interceptors would load.)
------------------------------------------------------------------------
-----------------

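<!--
  Client-side CXF configuration (cxf.xml): attaches WSS4J security interceptors
  and logging interceptors to the CXF bus.
    Outbound request : Timestamp + Signature over the SOAP Body and the Timestamp.
    Inbound response : expects Timestamp, Signature and Encrypt.
  Attribute values that the mail client had wrapped across lines (class names,
  signatureParts, the action list) are rejoined here; a line break inside an
  attribute value is read as a space and would corrupt class names and URIs.
  NOTE(review): interceptors registered on cxf:bus apply to everything created
  on this bus, not to a single port; confirm that scope is intended.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:cxf="http://cxf.apache.org/core"
       xsi:schemaLocation="http://cxf.apache.org/core
           http://cxf.apache.org/schemas/core.xsd
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
           http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd">

    <!--
      Disabled per-client wiring, kept for reference.
      NOTE(review): the refs below (TimestampSignEncrypt_Response and
      TimestampSignEncrypt_Request) name beans that are not defined in this
      file, and the name attribute starts with a space. For createdFromAPI the
      name is expected to be the port QName, {namespace}PortName; verify
      against the CXF version in use before re-enabling.
    -->
<!--
    <jaxws:client name=" MyWebServicePort" createdFromAPI="true">
        <jaxws:inInterceptors>
            <ref bean="TimestampSignEncrypt_Response"/>
            <ref bean="logInbound" />
        </jaxws:inInterceptors>
        <jaxws:outInterceptors>
            <ref bean="TimestampSignEncrypt_Request"/>
            <ref bean="logOutbound" />
        </jaxws:outInterceptors>
    </jaxws:client>
-->

    <cxf:bus>
        <cxf:outInterceptors>
            <ref bean="ClientRequest_Interceptor"/>
            <ref bean="logOutbound" />
        </cxf:outInterceptors>
        <cxf:inInterceptors>
            <ref bean="ServerResponse_Interceptor"/>
            <ref bean="logInbound" />
        </cxf:inInterceptors>
    </cxf:bus>

    <!--
      The logging interceptors write whole messages (HTTP headers, the
      wsse:Security header and the SOAP body) to the log.
      NOTE(review): keep them for troubleshooting only and treat the resulting
      logs as sensitive data.
    -->
    <bean id="logInbound"
          class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
    <bean id="logOutbound"
          class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>

    <!-- Secures the outgoing request: adds a Timestamp and signs Body + Timestamp. -->
    <bean
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
        id="ClientRequest_Interceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature"/>
                <entry key="user" value="client1alias"/>
                <entry key="signaturePropFile"
                       value="clientKeystore.properties"/>
                <entry key="signatureKeyIdentifier"
                       value="DirectReference"/>
                <entry key="passwordCallbackClass"
                       value="com.akimeka.ws.testclient.clientsample.ClientKeystorePasswordCallback"/>
                <!--
                  NOTE(review): rsa-sha1 is a SHA-1 based signature and is
                  deprecated; where both sides support it, prefer
                  http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
                -->
                <entry key="signatureAlgorithm"
                       value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <entry key="signatureParts"
                       value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>

            </map>
        </constructor-arg>
    </bean>

    <!--
      Processes the incoming response: requires Timestamp, Signature and
      Encrypt to have been applied by the server.
      NOTE(review): the action list only names the security operations that
      must be present. Nothing in this map states which elements the signature
      or encryption must cover; if the WSS4J version in use does not check
      coverage, verify separately that the Body and Timestamp are signed.
    -->
    <bean
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
        id="ServerResponse_Interceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature Encrypt"/>
                <entry key="signaturePropFile"
                       value="clientKeystore.properties"/>
                <entry key="decryptionPropFile"
                       value="clientKeystore.properties"/>
                <entry key="passwordCallbackClass"
                       value="com.akimeka.ws.testclient.clientsample.ClientKeystorePasswordCallback"/>
                <!--
                  NOTE(review): rsa-1_5 is PKCS#1 v1.5 key transport, which is
                  weak against padding-oracle attacks; the usual replacement is
                  http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p. The two
                  algorithm entries below read like outbound settings; confirm
                  whether this version enforces them on inbound messages.
                -->
                <entry key="encryptionKeyTransportAlgorithm"
                       value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <entry key="signatureAlgorithm"
                       value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            </map>
        </constructor-arg>
    </bean>
</beans>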


------------------------------------------------------------------------
----------
The server has a jbossws-cxf.xml file and is configured like this: 
------------------------------------------------------------------------
----------
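<!--
  Server-side JBossWS-CXF configuration (jbossws-cxf.xml) for the CipService
  endpoint.
    Inbound request   : Sign_Request expects Timestamp and Signature.
    Outbound response : Sign_Response applies Timestamp, Signature and Encrypt.
  Attribute values that the mail client had wrapped across lines are rejoined
  here; a line break inside an attribute value is read as a space and would
  corrupt class names and namespace URIs.
-->
<beans
  xmlns='http://www.springframework.org/schema/beans'
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:beans='http://www.springframework.org/schema/beans'
  xmlns:jaxws='http://cxf.apache.org/jaxws'
  xsi:schemaLocation='http://cxf.apache.org/core
    http://cxf.apache.org/schemas/core.xsd
    http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
    http://cxf.apache.org/jaxws
    http://cxf.apache.org/schemas/jaxws.xsd'>

  <!--
    Verifies the incoming request.
    NOTE(review): the action list only names the security operations that must
    be present in the wsse:Security header. Nothing in this map states which
    elements the client signature has to cover; if the WSS4J version in use
    does not check coverage, verify separately that the Body and Timestamp are
    among the signed references.
    decryptionPropFile is set although the action list has no Encrypt;
    presumably unused for requests, verify.
  -->
  <bean id="Sign_Request"
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Timestamp Signature"/>
        <entry key="signaturePropFile"  value="security.properties"/>
        <entry key="decryptionPropFile" value="security.properties"/>
        <entry key="passwordCallbackClass"
               value="com.akimeka.ws.common.KeystorePasswordCallback"/>
      </map>
    </constructor-arg>
  </bean>

  <!-- Secures the outgoing response: Timestamp, signature over Timestamp + Body, encrypted Body content. -->
  <bean id="Sign_Response"
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Timestamp Signature Encrypt"/>
        <entry key="user" value="server.akimeka.com"/>
        <entry key="signaturePropFile"  value="security.properties"/>
        <entry key="encryptionPropFile" value="security.properties"/>
        <!--
          useReqSigCert encrypts the response for the certificate that signed
          the request, so response confidentiality depends on how strictly that
          certificate was trust-checked on the way in.
          NOTE(review): make sure the keystore behind security.properties
          contains only signers that are meant to receive responses.
        -->
        <entry key="encryptionUser" value="useReqSigCert"/>
        <!-- <entry key="encryptionUser" value="client1.akimeka.com" />
-->
        <entry key="signatureKeyIdentifier" value="DirectReference"/>
        <!--  <entry key="encryptionKeyIdentifier"
value="DirectReference" /> -->
        <entry key="passwordCallbackClass"
               value="com.akimeka.ws.common.KeystorePasswordCallback"/>
        <entry key="signatureParts"
               value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
        <entry key="encryptionParts"
               value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
        <!--
          NOTE(review): all three algorithms below are legacy choices.
          rsa-1_5 is PKCS#1 v1.5 key transport (weak against padding-oracle
          attacks); the usual replacement is
          http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p.
          tripledes-cbc is a 64-bit block cipher; prefer an AES suite such as
          http://www.w3.org/2001/04/xmlenc#aes128-cbc.
          rsa-sha1 is a SHA-1 based signature; prefer
          http://www.w3.org/2001/04/xmldsig-more#rsa-sha256.
          Change them only together with the client, and only to values the
          deployed WSS4J version supports.
        -->
        <entry key="encryptionKeyTransportAlgorithm"
               value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
        <entry key="encryptionSymAlgorithm"
               value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
        <entry key="signatureAlgorithm"
               value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </map>
    </constructor-arg>
  </bean>

  <!--
    The endpoint is published over plain http and the request action list has
    no Encrypt, so request bodies are integrity-protected but travel in clear
    text.
    NOTE(review): consider TLS on the transport if request content is sensitive.
  -->
  <jaxws:endpoint
    id='CipService'
    address='http://@jboss.bind.address@:8080/ws-cip'
    implementor='com.akimeka.cip.ws.CipService'>
    <jaxws:invoker>
      <bean class='org.jboss.wsf.stack.cxf.InvokerJSE'/>
    </jaxws:invoker>

    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
        <ref bean="Sign_Request"/>
    </jaxws:inInterceptors>

    <jaxws:outInterceptors>
        <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/>
        <ref bean="Sign_Response"/>
    </jaxws:outInterceptors>

  </jaxws:endpoint>
</beans>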
------------------------------------------------------------------------
-------------------------------

And, so the server sees the incoming message here...

--------------------------------------
16:43:36,935 INFO  [org.apache.cxf.interceptor.LoggingInInterceptor]
Inbound Message
----------------------------
ID: 16
Address: /ws-cip/CipService
Encoding: UTF-8
Content-Type: text/xml; charset=UTF-8
Headers: {cache-control=[no-cache], content-type=[text/xml;
charset=UTF-8], connection=[keep-alive],
host=[msat-ah-01.akimeka.com:8080], Content-Length=[3496],
SOAPAction=[""], user-agent=[Apache CXF 2.3.1-patch-01],
Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], pragma=[no-cache]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wss
e:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd" soap:mustUnderstand="1"><wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-so
ap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-
token-profile-1.0#X509v3"
wsu:Id="CertId-8FE55E1C1DB8D8548C13666670167941">MIIBozCCAQygAwIBAgIEUXV
eiTANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDEwtjbGllbnQxdXNlcjAeFw0xMzA0MjIxNjA
wMDlaFw0xNTA0MjIxNjAwMDlaMBYxFDASBgNVBAMTC2NsaWVudDF1c2VyMIGfMA0GCSqGSIb
3DQEBAQUAA4GNADCBiQKBgQCd4AXM4VgvaScl6kdJVyaej50gr08XXSOntVki80znasD1tjE
+TwUBBIjMzWUtLN+vWO211cbggaNP8mLZ2Tti3mEY0sS4ixZHLZz41/mLHU4YcQEFFZ5p61W
p1L3C37gQ7pm37SfKerwlrM4HnxSY6y7MinJSfQ0iDYaMu+XizQIDAQABMA0GCSqGSIb3DQE
BBQUAA4GBACiZwyRmSfjcjZDrIRe1A4PPHp+fMNHVssnvtOSaVEKjDRPeS1uXM7RLFUIvjEO
sbiSGMWSswFj/M61dRwNQreUxK737EpX8yko0gzKG+mH9bZZnEzroX5BROxa1luUTDmK2dUg
oPmLIwZI8gB8rJL6W3F3I6zfHwqHGbW6Xqt+J</wsse:BinarySecurityToken><ds:Sign
ature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>Ki9mmuZ/IPEazLZiTmt1cqDq7pQ=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Timestamp-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>dc/iT6EKpqAL9crdJORImAfavcU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
FmXE1n5OKy4PVtLkTeuycQf6d6gMl4fgIrucJw6Ms8OnFLs4jbN6PMbkKIkv3DogfYPzSrr6
Incd
Gus2miH1Qb5dFOhRDUSTDBaMeROxCyfKtzpvhTezboS1lYTF1jgFlmih5Ly1pTEwK46XmBL4
KKeD
Jjo5xjN6eqUAYgrcGjs=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-8FE55E1C1DB8D8548C13666670168262">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd"
wsu:Id="STRId-8FE55E1C1DB8D8548C13666670168263"><wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
curity-secext-1.0.xsd" URI="#CertId-8FE55E1C1DB8D8548C13666670167941"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-
token-profile-1.0#X509v3" /></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature><wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd"
wsu:Id="Timestamp-1"><wsu:Created>2013-04-22T21:43:36.793Z</wsu:Created>
<wsu:Expires>2013-04-22T21:48:36.793Z</wsu:Expires></wsu:Timestamp></wss
e:Security></soap:Header><soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
urity-utility-1.0.xsd" wsu:Id="id-3"><ns2:testWebService
xmlns:ns2="http://akimeka.com"><arg0>Test
String</arg0></ns2:testWebService></soap:Body></soap:Envelope>
--------------------------------------

And then blows up with this stacktrace and sends back a fault: 

16:43:36,935 WARN  [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor]
Security processing failed (actions mismatch)
16:43:36,935 WARN  [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor]
: org.apache.ws.security.WSSecurityException: An error was discovered
processing the <wsse:Security> header
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JIn
Interceptor.java:294) [:2.3.1-patch-01]
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JI
nInterceptor.java:234) [:2.3.1-patch-01]
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JI
nInterceptor.java:81) [:2.3.1-patch-01]
	at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorC
hain.java:255) [:2.3.1-patch-01]
	at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiati
onObserver.java:113) [:2.3.1-patch-01]
	at
org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestin
ation.java:97) [:2.3.1-patch-01]
	at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(Ser
vletController.java:461) [:2.3.1-patch-01]
	at
org.jboss.wsf.stack.cxf.ServletControllerExt.invoke(ServletControllerExt
.java:172) [:3.4.1.GA]
	at
org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHand
lerImpl.java:57) [:3.4.1.GA]
	at
org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(Servl
etHelper.java:156) [:3.4.1.GA]
	at
org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:90)
[:3.4.1.GA]
	at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(Abstr
actHTTPServlet.java:179) [:2.3.1-patch-01]
	at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTP
Servlet.java:103) [:2.3.1-patch-01]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
[:1.0.0.Final]
	at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTT
PServlet.java:159) [:2.3.1-patch-01]
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
tionFilterChain.java:324) [:6.1.0.Final]
	at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
erChain.java:242) [:6.1.0.Final]
	at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
e.java:275) [:6.1.0.Final]
	at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
e.java:161) [:6.1.0.Final]
	at
org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAs
sociationValve.java:181) [:6.1.0.Final]
	at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticator
Base.java:501) [:6.1.0.Final]
	at
org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event
(CatalinaContext.java:285) [:1.1.0.Final]
	at
org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invok
e(CatalinaContext.java:261) [:1.1.0.Final]
	at
org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.j
ava:88) [:6.1.0.Final]
	at
org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(S
ecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
	at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:159) [:6.1.0.Final]
	at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:102) [:6.1.0.Final]
	at
org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConn
ectionValve.java:158) [:6.1.0.Final]
	at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:109) [:6.1.0.Final]
	at
org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.inv
oke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
	at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:3
62) [:6.1.0.Final]
	at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:87
7) [:6.1.0.Final]
	at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Http11Protocol.java:654) [:6.1.0.Final]
	at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951)
[:6.1.0.Final]
	at java.lang.Thread.run(Thread.java:662) [:1.6.0_35]

16:43:36,936 WARN  [org.apache.cxf.phase.PhaseInterceptorChain]
Interceptor for {http://akimeka.com}TMDS_CIP_Web_Service has thrown
exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: An
error was discovered processing the <wsse:Security> header
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4
JInInterceptor.java:654) [:2.3.1-patch-01]
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JI
nInterceptor.java:275) [:2.3.1-patch-01]
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JI
nInterceptor.java:81) [:2.3.1-patch-01]
	at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorC
hain.java:255) [:2.3.1-patch-01]
	at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiati
onObserver.java:113) [:2.3.1-patch-01]
	at
org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestin
ation.java:97) [:2.3.1-patch-01]
	at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(Ser
vletController.java:461) [:2.3.1-patch-01]
	at
org.jboss.wsf.stack.cxf.ServletControllerExt.invoke(ServletControllerExt
.java:172) [:3.4.1.GA]
	at
org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHand
lerImpl.java:57) [:3.4.1.GA]
	at
org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(Servl
etHelper.java:156) [:3.4.1.GA]
	at
org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:90)
[:3.4.1.GA]
	at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(Abstr
actHTTPServlet.java:179) [:2.3.1-patch-01]
	at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTP
Servlet.java:103) [:2.3.1-patch-01]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
[:1.0.0.Final]
	at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTT
PServlet.java:159) [:2.3.1-patch-01]
	at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
tionFilterChain.java:324) [:6.1.0.Final]
	at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
erChain.java:242) [:6.1.0.Final]
	at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
e.java:275) [:6.1.0.Final]
	at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
e.java:161) [:6.1.0.Final]
	at
org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAs
sociationValve.java:181) [:6.1.0.Final]
	at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticator
Base.java:501) [:6.1.0.Final]
	at
org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event
(CatalinaContext.java:285) [:1.1.0.Final]
	at
org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invok
e(CatalinaContext.java:261) [:1.1.0.Final]
	at
org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.j
ava:88) [:6.1.0.Final]
	at
org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(S
ecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
	at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
:159) [:6.1.0.Final]
	at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
:102) [:6.1.0.Final]
	at
org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConn
ectionValve.java:158) [:6.1.0.Final]
	at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
java:109) [:6.1.0.Final]
	at
org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.inv
oke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
	at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:3
62) [:6.1.0.Final]
	at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:87
7) [:6.1.0.Final]
	at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
Http11Protocol.java:654) [:6.1.0.Final]
	at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951)
[:6.1.0.Final]
	at java.lang.Thread.run(Thread.java:662) [:1.6.0_35]
Caused by: org.apache.ws.security.WSSecurityException: An error was
discovered processing the <wsse:Security> header
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JIn
Interceptor.java:294) [:2.3.1-patch-01]
	at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JI
nInterceptor.java:234) [:2.3.1-patch-01]
	... 33 more


------------------------------------------------------------------------
-------------------------------------------

So, the client actions for the request are "Timestamp Signature"  and
the server inInterceptor actions match that.

What am I failing to understand about this?  Is there a simple
explanation anywhere of what it means to specify a list of actions on a
web service incoming interceptor, and EXACTLY what is required on the
client end to match up, including details about specific parts that have
to be signed?











Re: Understanding WSS4J actions

Posted by Colm O hEigeartaigh <co...@apache.org>.
You are probably running into these issues:

https://issues.apache.org/jira/browse/WSS-231
https://issues.apache.org/jira/browse/WSS-424

Essentially, the ordering is the problem (I suspect).

Colm.


On Tue, Apr 23, 2013 at 3:13 PM, Andrew Hart <ah...@akimeka.com> wrote:

> Upgrading to a newer version is difficult in some DoD settings where
> there are lists of "approved" open source software and versions.
> Believe me, I'm not using out of date software by choice.
> I am constrained to use JBoss AS 6.x, which contains CXF 2.3.1, which I
> *think* contains WSS4J 1.5.8.   I'm lobbying to upgrade some of this
> but, if I am allowed to do so, it will be by upgrading JBossWS-CXF in
> that version of JBoss and I won't be surprised if that opens up a
> completely different can of worms.
>
> What I am really asking for here is a basic explanation of the actions.
> If the WSS4J action on an inbound interceptor is "signature", then
> what parts need to be signed?  If the actions are "timestamp signature",
> then does that mean the timestamp is expected to be signed?  If the
> action is encrypt, then what needs to be encrypted, the head, the body,
> the entire envelope?  That sort of thing.  Is there some documentation,
> or does everybody just debug step through the code and have to figure it
> out for themselves?  My configuration below looked ok to you??
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Tuesday, April 23, 2013 4:02 AM
> To: users@cxf.apache.org
> Subject: Re: Understanding WSS4J actions
>
> Newer versions of CXF do not require that the actions match in the exact
> order, but only that they match in some order. So your best bet is to
> upgrade to a newer version.
>
> Colm.
>
>
> On Mon, Apr 22, 2013 at 11:04 PM, Andrew Hart <ah...@akimeka.com> wrote:
>
> > Ok, wrt my earlier message, I decided to just go ahead and write a
> > simple java web service client rather than try to figure out why
> > SoapUi wasn't working.
> > Unfortunately, I'm back into "actions mismatch" hell.
> >
> > I understand that the actions need to match up on the client request
> > to the server, i.e., from the client OutInterceptor to the server
> > InInterceptor and that the inverse is true, From the server response
> > OutInterceptor to the client InInterceptor.
> >
> > So, my client is configured like this in a cxf.xml file:
> >  (note: the jaxws:client element didn't work for me and I had to
> > replace it with the cxf:bus before my interceptors would load.)
> > ----------------------------------------------------------------------
> > --
> > -----------------
> >
> > <beans xmlns="http://www.springframework.org/schema/beans"
> >    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >    xmlns:jaxws="http://cxf.apache.org/jaxws"
> >    xmlns:cxf="http://cxf.apache.org/core"
> >    xsi:schemaLocation="http://cxf.apache.org/core
> >         http://cxf.apache.org/schemas/core.xsd
> >         http://www.springframework.org/schema/beans
> >
> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
> >         http://cxf.apache.org/jaxws
> >         http://cxf.apache.org/schemas/jaxws.xsd">
> >
> > <!--
> >     <jaxws:client name=" MyWebServicePort" createdFromAPI="true">
> >         <jaxws:inInterceptors>
> >             <ref bean="TimestampSignEncrypt_Response"/>
> >             <ref bean="logInbound" />
> >         </jaxws:inInterceptors>
> >         <jaxws:outInterceptors>
> >             <ref bean="TimestampSignEncrypt_Request"/>
> >             <ref bean="logOutbound" />
> >         </jaxws:outInterceptors>
> >     </jaxws:client>
> > -->
> >
> >     <cxf:bus>
> >         <cxf:outInterceptors>
> >             <ref bean="ClientRequest_Interceptor"/>
> >             <ref bean="logOutbound" />
> >         </cxf:outInterceptors>
> >         <cxf:inInterceptors>
> >             <ref bean="ServerResponse_Interceptor"/>
> >             <ref bean="logInbound" />
> >         </cxf:inInterceptors>
> >     </cxf:bus>
> >
> >     <bean id="logInbound"
> > class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
> >     <bean id="logOutbound"
> > class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
> >     <bean
> >         class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
> >         id="ClientRequest_Interceptor">
> >         <constructor-arg>
> >               <map>
> >                 <entry key="action" value="Timestamp Signature"/>
> >                 <entry key="user" value="client1alias"/>
> >                 <entry key="signaturePropFile"
> > value="clientKeystore.properties"/>
> >                         <entry key="signatureKeyIdentifier"
> > value="DirectReference"/>
> >                 <entry key="passwordCallbackClass"
> > value="com.akimeka.ws.testclient.clientsample.ClientKeystorePasswordCa
> > ll
> > back"/>
> >                 <entry key="signatureAlgorithm"
> > value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >                 <entry key="signatureParts"
> > value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Eleme
> > nt
> > }{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-u
> > ti
> > lity-1.0.xsd}Timestamp"/>
> >
> >               </map>
> >         </constructor-arg>
> >     </bean>
> >     <bean
> >         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
> >         id="ServerResponse_Interceptor">
> >         <constructor-arg>
> >             <map>
> >                 <entry key="action" value="Timestamp Signature
> > Encrypt"/>
> >                 <entry key="signaturePropFile"
> > value="clientKeystore.properties"/>
> >                 <entry key="decryptionPropFile"
> > value="clientKeystore.properties"/>
> >                 <entry key="passwordCallbackClass"
> > value="com.akimeka.ws.testclient.clientsample.ClientKeystorePasswordCa
> > ll
> > back"/>
> >                 <entry key="encryptionKeyTransportAlgorithm"
> > value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> >                 <entry key="signatureAlgorithm"
> > value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >             </map>
> >         </constructor-arg>
> >     </bean>
> > </beans>
> >
> >
> > ----------------------------------------------------------------------
> > --
> > ----------
> > The server has a jbossws-cxf.xml file and is configured like this:
> > ----------------------------------------------------------------------
> > --
> > ----------
> > <beans
> >   xmlns='http://www.springframework.org/schema/beans'
> >   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
> >   xmlns:beans='http://www.springframework.org/schema/beans'
> >   xmlns:jaxws='http://cxf.apache.org/jaxws'
> >   xsi:schemaLocation='http://cxf.apache.org/core
> >     http://cxf.apache.org/schemas/core.xsd
> >     http://www.springframework.org/schema/beans
> >     http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
> >     http://cxf.apache.org/jaxws
> >     http://cxf.apache.org/schemas/jaxws.xsd'>
> >
> >
> >   <bean id="Sign_Request"
> > class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> >     <constructor-arg>
> >       <map>
> >         <entry key="action" value="Timestamp Signature"/>
> >         <entry key="signaturePropFile"  value="security.properties"/>
> >         <entry key="decryptionPropFile" value="security.properties"/>
> >         <entry key="passwordCallbackClass"
> > value="com.akimeka.ws.common.KeystorePasswordCallback"/>
> >       </map>
> >     </constructor-arg>
> >   </bean>
> >
> >
> >   <bean id="Sign_Response"
> > class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
> >     <constructor-arg>
> >       <map>
> >         <entry key="action" value="Timestamp Signature Encrypt"/>
> >         <entry key="user" value="server.akimeka.com"/>
> >         <entry key="signaturePropFile"  value="security.properties"/>
> >         <entry key="encryptionPropFile" value="security.properties"/>
> >         <entry key="encryptionUser" value="useReqSigCert"/>
> >         <!-- <entry key="encryptionUser" value="client1.akimeka.com"
> > />
> > -->
> >         <entry key="signatureKeyIdentifier" value="DirectReference"/>
> >         <!--  <entry key="encryptionKeyIdentifier"
> > value="DirectReference" /> -->
> >         <entry key="passwordCallbackClass"
> > value="com.akimeka.ws.common.KeystorePasswordCallback"/>
> >         <entry key="signatureParts"
> > value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-w
> > ss
> > -wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap
> > .o
> > rg/soap/envelope/}Body"/>
> >         <entry key="encryptionParts"
> > value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
> >         <entry key="encryptionKeyTransportAlgorithm"
> > value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> >         <entry key="encryptionSymAlgorithm"
> > value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
> >         <entry key="signatureAlgorithm"
> > value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >       </map>
> >     </constructor-arg>
> >   </bean>
> >
> >   <jaxws:endpoint
> >     id='CipService'
> >     address='http://@jboss.bind.address@:8080/ws-cip'
> >     implementor='com.akimeka.cip.ws.CipService'>
> >     <jaxws:invoker>
> >       <bean class='org.jboss.wsf.stack.cxf.InvokerJSE'/>
> >     </jaxws:invoker>
> >
> >     <jaxws:inInterceptors>
> >         <bean
> > class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
> >         <ref bean="Sign_Request"/>
> >     </jaxws:inInterceptors>
> >
> >     <jaxws:outInterceptors>
> >         <bean
> > class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/>
> >         <ref bean="Sign_Response"/>
> >     </jaxws:outInterceptors>
> >
> >   </jaxws:endpoint>
> > </beans>
> > ----------------------------------------------------------------------
> > --
> > -------------------------------
> >
> > And, so the server sees the incoming message here...
> >
> > --------------------------------------
> > 16:43:36,935 INFO  [org.apache.cxf.interceptor.LoggingInInterceptor]
> > Inbound Message
> > ----------------------------
> > ID: 16
> > Address: /ws-cip/CipService
> > Encoding: UTF-8
> > Content-Type: text/xml; charset=UTF-8
> > Headers: {cache-control=[no-cache], content-type=[text/xml;
> > charset=UTF-8], connection=[keep-alive],
> > host=[msat-ah-01.akimeka.com:8080], Content-Length=[3496],
> > SOAPAction=[""], user-agent=[Apache CXF 2.3.1-patch-01],
> > Content-Type=[text/xml; charset=UTF-8], Accept=[*/*],
> > pragma=[no-cache]}
> > Payload: <soap:Envelope
> > xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><w
> > ss
> > e:Security
> > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
> > se curity-secext-1.0.xsd"
> > soap:mustUnderstand="1"><wsse:BinarySecurityToken
> > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
> > se
> > curity-secext-1.0.xsd"
> > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
> > ec
> > urity-utility-1.0.xsd"
> > EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
> > so
> > ap-message-security-1.0#Base64Binary"
> > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x50
> > 9-
> > token-profile-1.0#X509v3"
> > wsu:Id="CertId-8FE55E1C1DB8D8548C13666670167941">MIIBozCCAQygAwIBAgIEU
> > XV
> > eiTANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDEwtjbGllbnQxdXNlcjAeFw0xMzA0MjIxN
> > jA
> > wMDlaFw0xNTA0MjIxNjAwMDlaMBYxFDASBgNVBAMTC2NsaWVudDF1c2VyMIGfMA0GCSqGS
> > Ib
> > 3DQEBAQUAA4GNADCBiQKBgQCd4AXM4VgvaScl6kdJVyaej50gr08XXSOntVki80znasD1t
> > jE
> > +TwUBBIjMzWUtLN+vWO211cbggaNP8mLZ2Tti3mEY0sS4ixZHLZz41/mLHU4YcQEFFZ5p6
> > +TwUBBIjMzWUtLN+1W
> > p1L3C37gQ7pm37SfKerwlrM4HnxSY6y7MinJSfQ0iDYaMu+XizQIDAQABMA0GCSqGSIb3D
> > p1L3C37gQ7pm37SfKerwlrM4HnxSY6y7MinJSfQ0iDYaMu+QE
> > BBQUAA4GBACiZwyRmSfjcjZDrIRe1A4PPHp+fMNHVssnvtOSaVEKjDRPeS1uXM7RLFUIvj
> > BBQUAA4GBACiZwyRmSfjcjZDrIRe1A4PPHp+EO
> > sbiSGMWSswFj/M61dRwNQreUxK737EpX8yko0gzKG+mH9bZZnEzroX5BROxa1luUTDmK2d
> > Ug
> > oPmLIwZI8gB8rJL6W3F3I6zfHwqHGbW6Xqt+J</wsse:BinarySecurityToken><ds:Si
> > oPmLIwZI8gB8rJL6W3F3I6zfHwqHGbW6Xqt+gn
> > ature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
> > <ds:SignedInfo> <ds:CanonicalizationMethod
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> > <ds:SignatureMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> > <ds:Reference URI="#id-3"> <ds:Transforms> <ds:Transform
> > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> > </ds:Transforms> <ds:DigestMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> > <ds:DigestValue>Ki9mmuZ/IPEazLZiTmt1cqDq7pQ=</ds:DigestValue>
> > </ds:Reference>
> > <ds:Reference URI="#Timestamp-1">
> > <ds:Transforms>
> > <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> > </ds:Transforms> <ds:DigestMethod
> > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> > <ds:DigestValue>dc/iT6EKpqAL9crdJORImAfavcU=</ds:DigestValue>
> > </ds:Reference>
> > </ds:SignedInfo>
> > <ds:SignatureValue>
> > FmXE1n5OKy4PVtLkTeuycQf6d6gMl4fgIrucJw6Ms8OnFLs4jbN6PMbkKIkv3DogfYPzSr
> > r6
> > Incd
> > Gus2miH1Qb5dFOhRDUSTDBaMeROxCyfKtzpvhTezboS1lYTF1jgFlmih5Ly1pTEwK46XmB
> > L4
> > KKeD
> > Jjo5xjN6eqUAYgrcGjs=
> > </ds:SignatureValue>
> > <ds:KeyInfo Id="KeyId-8FE55E1C1DB8D8548C13666670168262">
> > <wsse:SecurityTokenReference
> > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
> > se
> > curity-secext-1.0.xsd"
> > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
> > ec
> > urity-utility-1.0.xsd"
> > wsu:Id="STRId-8FE55E1C1DB8D8548C13666670168263"><wsse:Reference
> > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
> > se curity-secext-1.0.xsd"
> > URI="#CertId-8FE55E1C1DB8D8548C13666670167941"
> > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x50
> > 9- token-profile-1.0#X509v3" /></wsse:SecurityTokenReference>
> > </ds:KeyInfo> </ds:Signature><wsu:Timestamp
> > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
> > ec
> > urity-utility-1.0.xsd"
> > wsu:Id="Timestamp-1"><wsu:Created>2013-04-22T21:43:36.793Z</wsu:Create
> > d>
> > <wsu:Expires>2013-04-22T21:48:36.793Z</wsu:Expires></wsu:Timestamp></w
> > ss
> > e:Security></soap:Header><soap:Body
> > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
> > ec urity-utility-1.0.xsd" wsu:Id="id-3"><ns2:testWebService
> > xmlns:ns2="http://akimeka.com"><arg0>Test
> > String</arg0></ns2:testWebService></soap:Body></soap:Envelope>
> > --------------------------------------
> >
> > And then blows up with this stacktrace and sends back a fault:
> >
> > 16:43:36,935 WARN
> > [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor]
> > Security processing failed (actions mismatch)
> > 16:43:36,935 WARN
> > [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor]
> > : org.apache.ws.security.WSSecurityException: An error was discovered
> > processing the <wsse:Security> header
> >         at
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4J
> > In
> > Interceptor.java:294) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4
> > JI
> > nInterceptor.java:234) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4
> > JI
> > nInterceptor.java:81) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseIntercepto
> > rC
> > hain.java:255) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitia
> > ti
> > onObserver.java:113) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDest
> > in
> > ation.java:97) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.transport.servlet.ServletController.invokeDestination(S
> > er
> > vletController.java:461) [:2.3.1-patch-01]
> >         at
> > org.jboss.wsf.stack.cxf.ServletControllerExt.invoke(ServletControllerE
> > xt
> > .java:172) [:3.4.1.GA]
> >         at
> > org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHa
> > nd
> > lerImpl.java:57) [:3.4.1.GA]
> >         at
> > org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(Ser
> > vl
> > etHelper.java:156) [:3.4.1.GA]
> >         at
> > org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:90)
> > [:3.4.1.GA]
> >         at
> > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(Abs
> > tr
> > actHTTPServlet.java:179) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHT
> > TP
> > Servlet.java:103) [:2.3.1-patch-01]
> >         at
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
> > [:1.0.0.Final]
> >         at
> > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractH
> > TT
> > PServlet.java:159) [:2.3.1-patch-01]
> >         at
> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli
> > ca
> > tionFilterChain.java:324) [:6.1.0.Final]
> >         at
> > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi
> > lt
> > erChain.java:242) [:6.1.0.Final]
> >         at
> > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVa
> > lv
> > e.java:275) [:6.1.0.Final]
> >         at
> > org.apache.catalina.core.StandardContextValve.invoke(StandardContextVa
> > lv
> > e.java:161) [:6.1.0.Final]
> >         at
> > org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(Security
> > As
> > sociationValve.java:181) [:6.1.0.Final]
> >         at
> > org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticat
> > or
> > Base.java:501) [:6.1.0.Final]
> >         at
> > org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.eve
> > nt
> > (CatalinaContext.java:285) [:1.1.0.Final]
> >         at
> > org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.inv
> > ok
> > e(CatalinaContext.java:261) [:1.1.0.Final]
> >         at
> > org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve
> > .j
> > ava:88) [:6.1.0.Final]
> >         at
> > org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke
> > (S
> > ecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
> >         at
> > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.ja
> > va
> > :159) [:6.1.0.Final]
> >         at
> > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.ja
> > va
> > :102) [:6.1.0.Final]
> >         at
> > org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedCo
> > nn
> > ectionValve.java:158) [:6.1.0.Final]
> >         at
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
> > java:109) [:6.1.0.Final]
> >         at
> > org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.i
> > nv
> > oke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
> >         at
> > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java
> > :3
> > 62) [:6.1.0.Final]
> >         at
> > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:
> > 87
> > 7) [:6.1.0.Final]
> >         at
> > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proces
> > s(
> > Http11Protocol.java:654) [:6.1.0.Final]
> >         at
> > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951
> > )
> > [:6.1.0.Final]
> >         at java.lang.Thread.run(Thread.java:662) [:1.6.0_35]
> >
> > 16:43:36,936 WARN  [org.apache.cxf.phase.PhaseInterceptorChain]
> > Interceptor for {http://akimeka.com}TMDS_CIP_Web_Service has thrown
> > exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: An
> > error was discovered processing the <wsse:Security> header
> >         at
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WS
> > S4
> > JInInterceptor.java:654) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4
> > JI
> > nInterceptor.java:275) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4
> > JI
> > nInterceptor.java:81) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseIntercepto
> > rC
> > hain.java:255) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitia
> > ti
> > onObserver.java:113) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDest
> > in
> > ation.java:97) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.transport.servlet.ServletController.invokeDestination(S
> > er
> > vletController.java:461) [:2.3.1-patch-01]
> >         at
> > org.jboss.wsf.stack.cxf.ServletControllerExt.invoke(ServletControllerE
> > xt
> > .java:172) [:3.4.1.GA]
> >         at
> > org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHa
> > nd
> > lerImpl.java:57) [:3.4.1.GA]
> >         at
> > org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(Ser
> > vl
> > etHelper.java:156) [:3.4.1.GA]
> >         at
> > org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:90)
> > [:3.4.1.GA]
> >         at
> > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(Abs
> > tr
> > actHTTPServlet.java:179) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHT
> > TP
> > Servlet.java:103) [:2.3.1-patch-01]
> >         at
> > javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
> > [:1.0.0.Final]
> >         at
> > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractH
> > TT
> > PServlet.java:159) [:2.3.1-patch-01]
> >         at
> > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli
> > ca
> > tionFilterChain.java:324) [:6.1.0.Final]
> >         at
> > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi
> > lt
> > erChain.java:242) [:6.1.0.Final]
> >         at
> > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVa
> > lv
> > e.java:275) [:6.1.0.Final]
> >         at
> > org.apache.catalina.core.StandardContextValve.invoke(StandardContextVa
> > lv
> > e.java:161) [:6.1.0.Final]
> >         at
> > org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(Security
> > As
> > sociationValve.java:181) [:6.1.0.Final]
> >         at
> > org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticat
> > or
> > Base.java:501) [:6.1.0.Final]
> >         at
> > org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.eve
> > nt
> > (CatalinaContext.java:285) [:1.1.0.Final]
> >         at
> > org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.inv
> > ok
> > e(CatalinaContext.java:261) [:1.1.0.Final]
> >         at
> > org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve
> > .j
> > ava:88) [:6.1.0.Final]
> >         at
> > org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke
> > (S
> > ecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
> >         at
> > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.ja
> > va
> > :159) [:6.1.0.Final]
> >         at
> > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.ja
> > va
> > :102) [:6.1.0.Final]
> >         at
> > org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedCo
> > nn
> > ectionValve.java:158) [:6.1.0.Final]
> >         at
> >
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
> > java:109) [:6.1.0.Final]
> >         at
> > org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.i
> > nv
> > oke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
> >         at
> > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java
> > :3
> > 62) [:6.1.0.Final]
> >         at
> > org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:
> > 87
> > 7) [:6.1.0.Final]
> >         at
> > org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proces
> > s(
> > Http11Protocol.java:654) [:6.1.0.Final]
> >         at
> > org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951
> > )
> > [:6.1.0.Final]
> >         at java.lang.Thread.run(Thread.java:662) [:1.6.0_35] Caused
> > by: org.apache.ws.security.WSSecurityException: An error was
> > discovered processing the <wsse:Security> header
> >         at
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4J
> > In
> > Interceptor.java:294) [:2.3.1-patch-01]
> >         at
> > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4
> > JI
> > nInterceptor.java:234) [:2.3.1-patch-01]
> >         ... 33 more
> >
> >
> > ----------------------------------------------------------------------
> > --
> > -------------------------------------------
> >
> > So, the client actions for the request are "Timestamp Signature"  and
> > the server inInterceptor actions match that.
> >
> > What am I failing to understand about this?  Is there a simple
> > explanation anywhere of what it means to specify a list of actions on
> > a web service incoming interceptor, and of EXACTLY what is required on
> > the client end to match up, including details about specific parts that
> > have to be signed?
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > NOTICE: This transmission (including all attachments) is company
> > confidential, is intended only for the individual or entity named
> > above, and is likely to contain privileged, proprietary and
> > confidential information that is exempt from disclosure requests under
> applicable law.
> > If you are not the intended recipient, you are hereby notified that
> > any disclosure, copying, distribution, use of or reliance upon any of
> > the information contained in this transmission is strictly prohibited.
>
> > Any inadvertent or unauthorized disclosure shall not compromise or
> > waive the confidentiality of this transmission. If you have received
> > this transmission in error, please forward this message immediately to
>
> > postmaster@akimeka.com <ma...@akimeka.com>  and delete or
> > otherwise remove this email from your system.  Thank you
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Understanding WSS4J actions

Posted by Andrew Hart <ah...@akimeka.com>.
Upgrading to a newer version is difficult in some DoD settings where
there are lists of "approved" open source software and versions.
Believe me, I'm not using out of date software by choice.
I am constrained to use JBoss AS 6.x, which contains CXF 2.3.1, which I
*think* contains WSS4J 1.5.8.   I'm lobbying to upgrade some of this
but, if I am allowed to do so, it will be by upgrading JBossWS-CXF in
that version of JBoss and I won't be surprised if that opens up a
completely different can of worms.

What I am really asking for here is a basic explanation of the actions.
If the WSS4J action on an inbound interceptor is "signature", then
what parts need to be signed?  If the actions are "timestamp signature",
then does that mean the timestamp is expected to be signed?  If the
action is encrypt, then what needs to be encrypted: the header, the body,
or the entire envelope?  That sort of thing.  Is there some documentation,
or does everybody just debug step through the code and have to figure it
out for themselves?  My configuration below looked ok to you??

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Tuesday, April 23, 2013 4:02 AM
To: users@cxf.apache.org
Subject: Re: Understanding WSS4J actions

Newer versions of CXF do not require that the actions match in the exact
order, but only that they match in some order. So your best bet is to
upgrade to a newer version.

Colm.


On Mon, Apr 22, 2013 at 11:04 PM, Andrew Hart <ah...@akimeka.com> wrote:

> Ok, wrt my earlier message, I decided to just go ahead and write a 
> simple java web service client rather than try to figure out why 
> SoapUi wasn't working.
> Unfortunately, I'm back into "actions mismatch" hell.
>
> I understand that the actions need to match up on the client request 
> to the server, i.e., from the client OutInterceptor to the server 
> InInterceptor and that the inverse is true, From the server response 
> OutInterceptor to the client InInterceptor.
>
> So, my client is configured like this in a cxf.xml file:
>  (note: the jaxws:client element didn't work for me and I had to 
> replace it with the cxf:bus before my interceptors would load.)
> ----------------------------------------------------------------------
> --
> -----------------
>
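> <beans xmlns="http://www.springframework.org/schema/beans"
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>    xmlns:jaxws="http://cxf.apache.org/jaxws"
>    xmlns:cxf="http://cxf.apache.org/core"
>    xsi:schemaLocation="http://cxf.apache.org/core
>         http://cxf.apache.org/schemas/core.xsd
>         http://www.springframework.org/schema/beans
>         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>         http://cxf.apache.org/jaxws
>         http://cxf.apache.org/schemas/jaxws.xsd">
>
>     <!-- Client-side CXF configuration (cxf.xml). Outgoing requests get a
>          Timestamp and a Signature; incoming responses are expected to carry
>          Timestamp, Signature and Encrypt. Attribute values that the mail
>          client had hard-wrapped (class names, signatureParts) are rejoined
>          here so the listing reads as one well-formed document. -->
>
>     <!-- NOTE(review): the disabled block below uses name=" MyWebServicePort".
>          CXF normally matches createdFromAPI clients by a name of the form
>          {namespace}PortName.jaxws-client, which may be why it never applied;
>          confirm against the CXF configuration documentation. -->
> <!--
>     <jaxws:client name=" MyWebServicePort" createdFromAPI="true">
>         <jaxws:inInterceptors>
>             <ref bean="TimestampSignEncrypt_Response"/>
>             <ref bean="logInbound" />
>         </jaxws:inInterceptors>
>         <jaxws:outInterceptors>
>             <ref bean="TimestampSignEncrypt_Request"/>
>             <ref bean="logOutbound" />
>         </jaxws:outInterceptors>
>     </jaxws:client>
> -->
>
>     <!-- Interceptors registered on cxf:bus are attached at bus level rather
>          than to one named client, so they are not scoped to a single port. -->
>     <cxf:bus>
>         <cxf:outInterceptors>
>             <ref bean="ClientRequest_Interceptor"/>
>             <ref bean="logOutbound" />
>         </cxf:outInterceptors>
>         <cxf:inInterceptors>
>             <ref bean="ServerResponse_Interceptor"/>
>             <ref bean="logInbound" />
>         </cxf:inInterceptors>
>     </cxf:bus>
>
>     <!-- The logging interceptors write complete SOAP messages to the log,
>          security header and token included (see the logged payload in this
>          thread); restrict or disable them outside of debugging. -->
>     <bean id="logInbound"
>         class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
>     <bean id="logOutbound"
>         class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
>
>     <!-- Outbound request security: adds a Timestamp, then signs with the key
>          stored under alias client1alias. signatureParts lists both the SOAP
>          Body and the Timestamp, so the freshness window is covered by the
>          signature. The request is signed only, not encrypted.
>          NOTE(review): rsa-sha1 relies on SHA-1, which is deprecated for
>          signatures; prefer http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>          if the deployed WSS4J/xmlsec versions support it. -->
>     <bean
>         class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
>         id="ClientRequest_Interceptor">
>         <constructor-arg>
>             <map>
>                 <entry key="action" value="Timestamp Signature"/>
>                 <entry key="user" value="client1alias"/>
>                 <entry key="signaturePropFile"
>                     value="clientKeystore.properties"/>
>                 <entry key="signatureKeyIdentifier"
>                     value="DirectReference"/>
>                 <entry key="passwordCallbackClass"
>                     value="com.akimeka.ws.testclient.clientsample.ClientKeystorePasswordCallback"/>
>                 <entry key="signatureAlgorithm"
>                     value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                 <entry key="signatureParts"
>                     value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>
>
>             </map>
>         </constructor-arg>
>     </bean>
>
>     <!-- Inbound response security: the action list names what must be found
>          in the response's wsse:Security header. Per the reply in this thread,
>          this CXF version requires the processed actions to match the list in
>          exact order. No signatureParts is given here, so this bean as shown
>          does not state which elements the response signature must cover;
>          verify coverage separately if it matters to the application.
>          NOTE(review): rsa-1_5 key transport (PKCS#1 v1.5) is exposed to
>          padding-oracle attacks; prefer
>          http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p where both sides
>          support it. -->
>     <bean
>         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
>         id="ServerResponse_Interceptor">
>         <constructor-arg>
>             <map>
>                 <entry key="action" value="Timestamp Signature Encrypt"/>
>                 <entry key="signaturePropFile"
>                     value="clientKeystore.properties"/>
>                 <entry key="decryptionPropFile"
>                     value="clientKeystore.properties"/>
>                 <entry key="passwordCallbackClass"
>                     value="com.akimeka.ws.testclient.clientsample.ClientKeystorePasswordCallback"/>
>                 <entry key="encryptionKeyTransportAlgorithm"
>                     value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>                 <entry key="signatureAlgorithm"
>                     value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             </map>
>         </constructor-arg>
>     </bean>
> </beans>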
>
>
> ----------------------------------------------------------------------
> --
> ----------
> The server has a jbossws-cxf.xml file and is configured like this:
> ----------------------------------------------------------------------
> --
> ----------
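> <beans
>   xmlns='http://www.springframework.org/schema/beans'
>   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
>   xmlns:beans='http://www.springframework.org/schema/beans'
>   xmlns:jaxws='http://cxf.apache.org/jaxws'
>   xsi:schemaLocation='http://cxf.apache.org/core
>     http://cxf.apache.org/schemas/core.xsd
>     http://www.springframework.org/schema/beans
>     http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>     http://cxf.apache.org/jaxws
>     http://cxf.apache.org/schemas/jaxws.xsd'>
>
>   <!-- Server-side configuration (jbossws-cxf.xml). Requests must carry a
>        Timestamp and a Signature; responses are timestamped, signed and
>        encrypted. Attribute values that the mail client had hard-wrapped are
>        rejoined here so the listing reads as one well-formed document. -->
>
>   <!-- Inbound request security. The action list names what must be found in
>        the request's wsse:Security header; per the reply in this thread, this
>        CXF version requires the processed actions to match the list in exact
>        order. There is no Encrypt action, so request bodies arrive signed but
>        in clear text (as the logged payload in this thread shows).
>        NOTE(review): no signatureParts is given on this inbound bean, so as
>        shown it does not state which elements the signature must cover.
>        Checking that the Body and Timestamp are actually referenced by the
>        signature guards against signature-wrapping; later CXF releases ship a
>        coverage-checking interceptor for this. Confirm what is available in
>        the deployed version. -->
>   <bean id="Sign_Request"
>       class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>     <constructor-arg>
>       <map>
>         <entry key="action" value="Timestamp Signature"/>
>         <entry key="signaturePropFile"  value="security.properties"/>
>         <entry key="decryptionPropFile" value="security.properties"/>
>         <entry key="passwordCallbackClass"
>             value="com.akimeka.ws.common.KeystorePasswordCallback"/>
>       </map>
>     </constructor-arg>
>   </bean>
>
>
>   <!-- Outbound response security: Timestamp, then Signature over Timestamp
>        and Body, then encryption of the Body content.
>        encryptionUser=useReqSigCert encrypts the response to the certificate
>        that signed the request, so the trust check on that certificate
>        (the truststore behind security.properties, presumably) decides who
>        can obtain an encrypted response.
>        NOTE(review): the algorithms below are legacy choices. rsa-1_5 key
>        transport is exposed to padding-oracle attacks (prefer
>        http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p); tripledes-cbc has a
>        64-bit block (prefer http://www.w3.org/2001/04/xmlenc#aes256-cbc or
>        an AES-GCM suite where supported); rsa-sha1 relies on deprecated
>        SHA-1 (prefer http://www.w3.org/2001/04/xmldsig-more#rsa-sha256).
>        Check what the pinned WSS4J/xmlsec versions support before changing,
>        and change both sides together. -->
>   <bean id="Sign_Response"
>       class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>     <constructor-arg>
>       <map>
>         <entry key="action" value="Timestamp Signature Encrypt"/>
>         <entry key="user" value="server.akimeka.com"/>
>         <entry key="signaturePropFile"  value="security.properties"/>
>         <entry key="encryptionPropFile" value="security.properties"/>
>         <entry key="encryptionUser" value="useReqSigCert"/>
>         <!-- <entry key="encryptionUser" value="client1.akimeka.com" /> -->
>         <entry key="signatureKeyIdentifier" value="DirectReference"/>
>         <!--  <entry key="encryptionKeyIdentifier" value="DirectReference" /> -->
>         <entry key="passwordCallbackClass"
>             value="com.akimeka.ws.common.KeystorePasswordCallback"/>
>         <entry key="signatureParts"
>             value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>         <entry key="encryptionParts"
>             value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>         <entry key="encryptionKeyTransportAlgorithm"
>             value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>         <entry key="encryptionSymAlgorithm"
>             value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>         <entry key="signatureAlgorithm"
>             value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       </map>
>     </constructor-arg>
>   </bean>
>
>   <!-- Endpoint wiring. The address uses plain http://, so protection of the
>        exchange rests entirely on the message-level settings above. The SAAJ
>        interceptors are listed ahead of the WSS4J beans in each chain. -->
>   <jaxws:endpoint
>     id='CipService'
>     address='http://@jboss.bind.address@:8080/ws-cip'
>     implementor='com.akimeka.cip.ws.CipService'>
>     <jaxws:invoker>
>       <bean class='org.jboss.wsf.stack.cxf.InvokerJSE'/>
>     </jaxws:invoker>
>
>     <jaxws:inInterceptors>
>         <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
>         <ref bean="Sign_Request"/>
>     </jaxws:inInterceptors>
>
>     <jaxws:outInterceptors>
>         <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/>
>         <ref bean="Sign_Response"/>
>     </jaxws:outInterceptors>
>
>   </jaxws:endpoint>
> </beans>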
> ----------------------------------------------------------------------
> --
> -------------------------------
>
> And, so the server sees the incoming message here...
>
> --------------------------------------
> 16:43:36,935 INFO  [org.apache.cxf.interceptor.LoggingInInterceptor]
> Inbound Message
> ----------------------------
> ID: 16
> Address: /ws-cip/CipService
> Encoding: UTF-8
> Content-Type: text/xml; charset=UTF-8
> Headers: {cache-control=[no-cache], content-type=[text/xml; 
> charset=UTF-8], connection=[keep-alive], 
> host=[msat-ah-01.akimeka.com:8080], Content-Length=[3496], 
> SOAPAction=[""], user-agent=[Apache CXF 2.3.1-patch-01], 
> Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], 
> pragma=[no-cache]}
> Payload: <soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><w
> ss
> e:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
> se curity-secext-1.0.xsd" 
> soap:mustUnderstand="1"><wsse:BinarySecurityToken
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
> se
> curity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
> ec
> urity-utility-1.0.xsd"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
> so
> ap-message-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x50
> 9-
> token-profile-1.0#X509v3"
> wsu:Id="CertId-8FE55E1C1DB8D8548C13666670167941">MIIBozCCAQygAwIBAgIEU
> XV 
> eiTANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDEwtjbGllbnQxdXNlcjAeFw0xMzA0MjIxN
> jA 
> wMDlaFw0xNTA0MjIxNjAwMDlaMBYxFDASBgNVBAMTC2NsaWVudDF1c2VyMIGfMA0GCSqGS
> Ib 
> 3DQEBAQUAA4GNADCBiQKBgQCd4AXM4VgvaScl6kdJVyaej50gr08XXSOntVki80znasD1t
> jE
> +TwUBBIjMzWUtLN+vWO211cbggaNP8mLZ2Tti3mEY0sS4ixZHLZz41/mLHU4YcQEFFZ5p6
> +TwUBBIjMzWUtLN+1W
> p1L3C37gQ7pm37SfKerwlrM4HnxSY6y7MinJSfQ0iDYaMu+XizQIDAQABMA0GCSqGSIb3D
> p1L3C37gQ7pm37SfKerwlrM4HnxSY6y7MinJSfQ0iDYaMu+QE
> BBQUAA4GBACiZwyRmSfjcjZDrIRe1A4PPHp+fMNHVssnvtOSaVEKjDRPeS1uXM7RLFUIvj
> BBQUAA4GBACiZwyRmSfjcjZDrIRe1A4PPHp+EO
> sbiSGMWSswFj/M61dRwNQreUxK737EpX8yko0gzKG+mH9bZZnEzroX5BROxa1luUTDmK2d
> Ug
> oPmLIwZI8gB8rJL6W3F3I6zfHwqHGbW6Xqt+J</wsse:BinarySecurityToken><ds:Si
> oPmLIwZI8gB8rJL6W3F3I6zfHwqHGbW6Xqt+gn
> ature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2"> 
> <ds:SignedInfo> <ds:CanonicalizationMethod 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
> <ds:SignatureMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> 
> <ds:Reference URI="#id-3"> <ds:Transforms> <ds:Transform 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
> </ds:Transforms> <ds:DigestMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
> <ds:DigestValue>Ki9mmuZ/IPEazLZiTmt1cqDq7pQ=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#Timestamp-1">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> 
> </ds:Transforms> <ds:DigestMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> 
> <ds:DigestValue>dc/iT6EKpqAL9crdJORImAfavcU=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> FmXE1n5OKy4PVtLkTeuycQf6d6gMl4fgIrucJw6Ms8OnFLs4jbN6PMbkKIkv3DogfYPzSr
> r6
> Incd
> Gus2miH1Qb5dFOhRDUSTDBaMeROxCyfKtzpvhTezboS1lYTF1jgFlmih5Ly1pTEwK46XmB
> L4
> KKeD
> Jjo5xjN6eqUAYgrcGjs=
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-8FE55E1C1DB8D8548C13666670168262">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
> se
> curity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
> ec
> urity-utility-1.0.xsd"
> wsu:Id="STRId-8FE55E1C1DB8D8548C13666670168263"><wsse:Reference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-ws
> se curity-secext-1.0.xsd" 
> URI="#CertId-8FE55E1C1DB8D8548C13666670167941"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x50
> 9- token-profile-1.0#X509v3" /></wsse:SecurityTokenReference> 
> </ds:KeyInfo> </ds:Signature><wsu:Timestamp 
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
> ec
> urity-utility-1.0.xsd"
> wsu:Id="Timestamp-1"><wsu:Created>2013-04-22T21:43:36.793Z</wsu:Create
> d> 
> <wsu:Expires>2013-04-22T21:48:36.793Z</wsu:Expires></wsu:Timestamp></w
> ss
> e:Security></soap:Header><soap:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wss
> ec urity-utility-1.0.xsd" wsu:Id="id-3"><ns2:testWebService 
> xmlns:ns2="http://akimeka.com"><arg0>Test
> String</arg0></ns2:testWebService></soap:Body></soap:Envelope>
> --------------------------------------
>
> And then blows up with this stacktrace and sends back a fault:
>
> 16:43:36,935 WARN  
> [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor]
> Security processing failed (actions mismatch)
> 16:43:36,935 WARN  
> [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor]
> : org.apache.ws.security.WSSecurityException: An error was discovered 
> processing the <wsse:Security> header
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4J
> In
> Interceptor.java:294) [:2.3.1-patch-01]
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4
> JI
> nInterceptor.java:234) [:2.3.1-patch-01]
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4
> JI
> nInterceptor.java:81) [:2.3.1-patch-01]
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseIntercepto
> rC
> hain.java:255) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitia
> ti
> onObserver.java:113) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDest
> in
> ation.java:97) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(S
> er
> vletController.java:461) [:2.3.1-patch-01]
>         at
> org.jboss.wsf.stack.cxf.ServletControllerExt.invoke(ServletControllerE
> xt
> .java:172) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHa
> nd
> lerImpl.java:57) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(Ser
> vl
> etHelper.java:156) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:90)
> [:3.4.1.GA]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(Abs
> tr
> actHTTPServlet.java:179) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHT
> TP
> Servlet.java:103) [:2.3.1-patch-01]
>         at 
> javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
> [:1.0.0.Final]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractH
> TT
> PServlet.java:159) [:2.3.1-patch-01]
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli
> ca
> tionFilterChain.java:324) [:6.1.0.Final]
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi
> lt
> erChain.java:242) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVa
> lv
> e.java:275) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextVa
> lv
> e.java:161) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(Security
> As
> sociationValve.java:181) [:6.1.0.Final]
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticat
> or
> Base.java:501) [:6.1.0.Final]
>         at
> org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.eve
> nt
> (CatalinaContext.java:285) [:1.1.0.Final]
>         at
> org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.inv
> ok
> e(CatalinaContext.java:261) [:1.1.0.Final]
>         at
> org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve
> .j
> ava:88) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke
> (S
> ecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.ja
> va
> :159) [:6.1.0.Final]
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.ja
> va
> :102) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedCo
> nn
> ectionValve.java:158) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
> java:109) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.i
> nv
> oke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
>         at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java
> :3
> 62) [:6.1.0.Final]
>         at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:
> 87
> 7) [:6.1.0.Final]
>         at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proces
> s(
> Http11Protocol.java:654) [:6.1.0.Final]
>         at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951
> )
> [:6.1.0.Final]
>         at java.lang.Thread.run(Thread.java:662) [:1.6.0_35]
>
> 16:43:36,936 WARN  [org.apache.cxf.phase.PhaseInterceptorChain]
> Interceptor for {http://akimeka.com}TMDS_CIP_Web_Service has thrown 
> exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: An 
> error was discovered processing the <wsse:Security> header
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WS
> S4
> JInInterceptor.java:654) [:2.3.1-patch-01]
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4
> JI
> nInterceptor.java:275) [:2.3.1-patch-01]
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4
> JI
> nInterceptor.java:81) [:2.3.1-patch-01]
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseIntercepto
> rC
> hain.java:255) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitia
> ti
> onObserver.java:113) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDest
> in
> ation.java:97) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(S
> er
> vletController.java:461) [:2.3.1-patch-01]
>         at
> org.jboss.wsf.stack.cxf.ServletControllerExt.invoke(ServletControllerE
> xt
> .java:172) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHa
> nd
> lerImpl.java:57) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(Ser
> vl
> etHelper.java:156) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:90)
> [:3.4.1.GA]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(Abs
> tr
> actHTTPServlet.java:179) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHT
> TP
> Servlet.java:103) [:2.3.1-patch-01]
>         at 
> javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
> [:1.0.0.Final]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractH
> TT
> PServlet.java:159) [:2.3.1-patch-01]
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli
> ca
> tionFilterChain.java:324) [:6.1.0.Final]
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi
> lt
> erChain.java:242) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVa
> lv
> e.java:275) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextVa
> lv
> e.java:161) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(Security
> As
> sociationValve.java:181) [:6.1.0.Final]
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticat
> or
> Base.java:501) [:6.1.0.Final]
>         at
> org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.eve
> nt
> (CatalinaContext.java:285) [:1.1.0.Final]
>         at
> org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.inv
> ok
> e(CatalinaContext.java:261) [:1.1.0.Final]
>         at
> org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve
> .j
> ava:88) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke
> (S
> ecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.ja
> va
> :159) [:6.1.0.Final]
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.ja
> va
> :102) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedCo
> nn
> ectionValve.java:158) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
> java:109) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.i
> nv
> oke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
>         at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java
> :3
> 62) [:6.1.0.Final]
>         at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:
> 87
> 7) [:6.1.0.Final]
>         at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proces
> s(
> Http11Protocol.java:654) [:6.1.0.Final]
>         at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951
> )
> [:6.1.0.Final]
>         at java.lang.Thread.run(Thread.java:662) [:1.6.0_35] Caused 
> by: org.apache.ws.security.WSSecurityException: An error was 
> discovered processing the <wsse:Security> header
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4J
> In
> Interceptor.java:294) [:2.3.1-patch-01]
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4
> JI
> nInterceptor.java:234) [:2.3.1-patch-01]
>         ... 33 more
>
>
> ----------------------------------------------------------------------
> --
> -------------------------------------------
>
> So, the client actions for the request are "Timestamp Signature"  and 
> the server inInterceptor actions match that.
>
> What am I failing to understand about this?  Is there a simple
> explanation anywhere of what it means to specify a list of actions on
> a web service incoming interceptor, and EXACTLY what is required on the
> client end to match up, including details about specific parts that
> have to be signed?
>
>
>
>
>
>
>
>
>
> NOTICE: This transmission (including all attachments) is company 
> confidential, is intended only for the individual or entity named 
> above, and is likely to contain privileged, proprietary and 
> confidential information that is exempt from disclosure requests under
applicable law.
> If you are not the intended recipient, you are hereby notified that 
> any disclosure, copying, distribution, use of or reliance upon any of 
> the information contained in this transmission is strictly prohibited.

> Any inadvertent or unauthorized disclosure shall not compromise or 
> waive the confidentiality of this transmission. If you have received 
> this transmission in error, please forward this message immediately to

> postmaster@akimeka.com <ma...@akimeka.com>  and delete or 
> otherwise remove this email from your system.  Thank you
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Understanding WSS4J actions

Posted by Colm O hEigeartaigh <co...@apache.org>.
Newer versions of CXF do not require that the actions match in the exact
order, but only that they match in some order. So your best bet is to
upgrade to a newer version.

Colm.


On Mon, Apr 22, 2013 at 11:04 PM, Andrew Hart <ah...@akimeka.com> wrote:

> Ok, wrt my earlier message, I decided to just go ahead and write a
> simple java web service client rather than try to figure out why SoapUi
> wasn't working.
> Unfortunately, I'm back into "actions mismatch" hell.
>
> I understand that the actions need to match up on the client request to
> the server, i.e., from the client OutInterceptor to the server
> InInterceptor and that the inverse is true,
> From the server response OutInterceptor to the client InInterceptor.
>
> So, my client is configured like this in a cxf.xml file:
>  (note: the jaxws:client element didn't work for me and I had to replace
> it with the cxf:bus before my interceptors would load.)
> ------------------------------------------------------------------------
> -----------------
>
> <beans xmlns="http://www.springframework.org/schema/beans"
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>    xmlns:jaxws="http://cxf.apache.org/jaxws"
>    xmlns:cxf="http://cxf.apache.org/core"
>    xsi:schemaLocation="http://cxf.apache.org/core
>         http://cxf.apache.org/schemas/core.xsd
>         http://www.springframework.org/schema/beans
>         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>         http://cxf.apache.org/jaxws
>         http://cxf.apache.org/schemas/jaxws.xsd">
>
> <!--
>     <jaxws:client name=" MyWebServicePort" createdFromAPI="true">
>         <jaxws:inInterceptors>
>             <ref bean="TimestampSignEncrypt_Response"/>
>             <ref bean="logInbound" />
>         </jaxws:inInterceptors>
>         <jaxws:outInterceptors>
>             <ref bean="TimestampSignEncrypt_Request"/>
>             <ref bean="logOutbound" />
>         </jaxws:outInterceptors>
>     </jaxws:client>
> -->
>
>     <!-- Bus-level interceptor chains for the client. Outbound messages
>          pass through ClientRequest_Interceptor and logOutbound; inbound
>          messages pass through ServerResponse_Interceptor and logInbound.
>          NOTE(review): interceptors registered on the bus presumably
>          apply to every client created on that bus, not only the one
>          port named in the commented-out jaxws:client element; confirm
>          that this wider scope is intended. -->
>     <cxf:bus>
>         <cxf:outInterceptors>
>             <ref bean="ClientRequest_Interceptor"/>
>             <ref bean="logOutbound" />
>         </cxf:outInterceptors>
>         <cxf:inInterceptors>
>             <ref bean="ServerResponse_Interceptor"/>
>             <ref bean="logInbound" />
>         </cxf:inInterceptors>
>     </cxf:bus>
>
>     <!-- Message loggers for both directions. The LoggingInInterceptor
>          output quoted later in this message shows what such a logger
>          records: the HTTP headers and the complete SOAP payload,
>          including the BinarySecurityToken and the signature.
>          NOTE(review): treat the resulting log files as sensitive and
>          keep these beans out of the chains once debugging is done. -->
>     <bean id="logInbound"
> class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
>     <bean id="logOutbound"
> class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
>     <!-- Outbound (request) WS-Security for the client: adds a Timestamp
>          and a Signature made with the key stored under client1alias in
>          the keystore described by clientKeystore.properties. The request
>          is signed only; no Encrypt action is configured here. -->
>     <bean
>         class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
>         id="ClientRequest_Interceptor">
>         <constructor-arg>
>               <map>
>                 <entry key="action" value="Timestamp Signature"/>
>                 <entry key="user" value="client1alias"/>
>                 <entry key="signaturePropFile"
> value="clientKeystore.properties"/>
>                         <!-- DirectReference: the signing certificate
>                              travels inside the message as a
>                              BinarySecurityToken (visible in the logged
>                              request later in this message).
>                              NOTE(review): the receiver must validate
>                              that certificate against its own trust
>                              store; a signature that verifies against an
>                              enclosed certificate proves nothing by
>                              itself. -->
>                         <entry key="signatureKeyIdentifier"
> value="DirectReference"/>
>                 <entry key="passwordCallbackClass"
> value="com.akimeka.ws.testclient.clientsample.ClientKeystorePasswordCall
> back"/>
>                 <!-- NOTE(review): rsa-sha1 is a legacy signature
>                      algorithm (the logged request also uses SHA-1
>                      digests). Prefer a SHA-256 based algorithm such as
>                      http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
>                      if the WSS4J version on both ends supports it. -->
>                 <entry key="signatureAlgorithm"
> value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                 <!-- Signs the SOAP Body and the wsu:Timestamp element.
>                      Covering the Timestamp with the signature ties the
>                      validity window to the signed Body. -->
>                 <entry key="signatureParts"
> value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element
> }{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-uti
> lity-1.0.xsd}Timestamp"/>
>
>               </map>
>         </constructor-arg>
>     </bean>
>     <!-- Inbound (response) WS-Security for the client: the action list
>          names Timestamp, Signature and Encrypt, and the same
>          clientKeystore.properties file is used for signature
>          verification and for decryption.
>          NOTE(review): on an inbound interceptor the two algorithm
>          entries below presumably do not restrict which algorithms an
>          incoming message may use; confirm for the deployed WSS4J
>          version before relying on them as a policy. -->
>     <bean
>         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
>         id="ServerResponse_Interceptor">
>         <constructor-arg>
>             <map>
>                 <entry key="action" value="Timestamp Signature
> Encrypt"/>
>                 <entry key="signaturePropFile"
> value="clientKeystore.properties"/>
>                 <entry key="decryptionPropFile"
> value="clientKeystore.properties"/>
>                 <entry key="passwordCallbackClass"
> value="com.akimeka.ws.testclient.clientsample.ClientKeystorePasswordCall
> back"/>
>                 <!-- NOTE(review): rsa-1_5 is RSA PKCS#1 v1.5 key
>                      transport, which is exposed to padding-oracle
>                      attacks when decryption errors are observable;
>                      rsa-sha1 is a legacy signature algorithm. -->
>                 <entry key="encryptionKeyTransportAlgorithm"
> value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>                 <entry key="signatureAlgorithm"
> value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>             </map>
>         </constructor-arg>
>     </bean>
> </beans>
>
>
> ------------------------------------------------------------------------
> ----------
> The server has a jbossws-cxf.xml file and is configured like this:
> ------------------------------------------------------------------------
> ----------
> <beans
>   xmlns='http://www.springframework.org/schema/beans'
>   xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
>   xmlns:beans='http://www.springframework.org/schema/beans'
>   xmlns:jaxws='http://cxf.apache.org/jaxws'
>   xsi:schemaLocation='http://cxf.apache.org/core
>     http://cxf.apache.org/schemas/core.xsd
>     http://www.springframework.org/schema/beans
>     http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>     http://cxf.apache.org/jaxws
>     http://cxf.apache.org/schemas/jaxws.xsd'>
>
>
>   <!-- Inbound (request) WS-Security for the server. The action list
>        names what must have been applied to the request; the stack trace
>        later in this message shows WSS4JInInterceptor.checkActions
>        rejecting the request with "actions mismatch" under CXF
>        2.3.1-patch-01.
>        NOTE(review): the action list only states that a Timestamp and a
>        Signature are expected. Nothing in this map says which elements
>        the signature has to cover, so check separately that the Body and
>        the Timestamp were actually signed (newer CXF releases offer
>        CryptoCoverageChecker or WS-SecurityPolicy for this; verify what
>        the version in use provides). -->
>   <bean id="Sign_Request"
> class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>     <constructor-arg>
>       <map>
>         <entry key="action" value="Timestamp Signature"/>
>         <entry key="signaturePropFile"  value="security.properties"/>
>         <entry key="decryptionPropFile" value="security.properties"/>
>         <entry key="passwordCallbackClass"
> value="com.akimeka.ws.common.KeystorePasswordCallback"/>
>       </map>
>     </constructor-arg>
>   </bean>
>
>
>   <!-- Outbound (response) WS-Security for the server: the action list
>        names Timestamp, Signature and Encrypt. The response is signed as
>        server.akimeka.com; the Timestamp and Body elements are signed and
>        the Body content is encrypted. -->
>   <bean id="Sign_Response"
> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>     <constructor-arg>
>       <map>
>         <entry key="action" value="Timestamp Signature Encrypt"/>
>         <entry key="user" value="server.akimeka.com"/>
>         <entry key="signaturePropFile"  value="security.properties"/>
>         <entry key="encryptionPropFile" value="security.properties"/>
>         <!-- useReqSigCert: encrypt the response to the certificate that
>              signed the request. NOTE(review): the response is then only
>              as well protected as the validation of the request signer's
>              certificate on the inbound side; confirm that untrusted
>              certificates are rejected there. -->
>         <entry key="encryptionUser" value="useReqSigCert"/>
>         <!-- <entry key="encryptionUser" value="client1.akimeka.com" />
> -->
>         <entry key="signatureKeyIdentifier" value="DirectReference"/>
>         <!--  <entry key="encryptionKeyIdentifier"
> value="DirectReference" /> -->
>         <entry key="passwordCallbackClass"
> value="com.akimeka.ws.common.KeystorePasswordCallback"/>
>         <entry key="signatureParts"
> value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss
> -wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.o
> rg/soap/envelope/}Body"/>
>         <entry key="encryptionParts"
> value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>         <!-- NOTE(review): rsa-1_5 is RSA PKCS#1 v1.5 key transport,
>              which is exposed to padding-oracle attacks; prefer
>              http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p if both
>              ends support it. -->
>         <entry key="encryptionKeyTransportAlgorithm"
> value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>         <!-- NOTE(review): tripledes-cbc is a legacy cipher with a
>              64-bit block; prefer an AES algorithm such as
>              http://www.w3.org/2001/04/xmlenc#aes256-cbc if both ends
>              support it. -->
>         <entry key="encryptionSymAlgorithm"
> value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>         <!-- NOTE(review): rsa-sha1 is a legacy signature algorithm;
>              prefer a SHA-256 based one such as
>              http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 if both
>              ends support it. -->
>         <entry key="signatureAlgorithm"
> value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       </map>
>     </constructor-arg>
>   </bean>
>
>   <!-- Publishes com.akimeka.cip.ws.CipService and attaches the SAAJ
>        interceptors plus Sign_Request (inbound) and Sign_Response
>        (outbound).
>        NOTE(review): the address is plain http, so confidentiality
>        rests on message-level security alone. Sign_Request does not
>        list Encrypt, and the logged request later in this message shows
>        the Body in cleartext; confirm that unencrypted requests are
>        acceptable or add transport protection. -->
>   <jaxws:endpoint
>     id='CipService'
>     address='http://@jboss.bind.address@:8080/ws-cip'
>     implementor='com.akimeka.cip.ws.CipService'>
>     <jaxws:invoker>
>       <bean class='org.jboss.wsf.stack.cxf.InvokerJSE'/>
>     </jaxws:invoker>
>
>     <jaxws:inInterceptors>
>         <bean
> class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
>         <ref bean="Sign_Request"/>
>     </jaxws:inInterceptors>
>
>     <jaxws:outInterceptors>
>         <bean
> class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor"/>
>         <ref bean="Sign_Response"/>
>     </jaxws:outInterceptors>
>
>   </jaxws:endpoint>
> </beans>
> ------------------------------------------------------------------------
> -------------------------------
>
> And, so the server sees the incoming message here...
>
> --------------------------------------
> 16:43:36,935 INFO  [org.apache.cxf.interceptor.LoggingInInterceptor]
> Inbound Message
> ----------------------------
> ID: 16
> Address: /ws-cip/CipService
> Encoding: UTF-8
> Content-Type: text/xml; charset=UTF-8
> Headers: {cache-control=[no-cache], content-type=[text/xml;
> charset=UTF-8], connection=[keep-alive],
> host=[msat-ah-01.akimeka.com:8080], Content-Length=[3496],
> SOAPAction=[""], user-agent=[Apache CXF 2.3.1-patch-01],
> Content-Type=[text/xml; charset=UTF-8], Accept=[*/*], pragma=[no-cache]}
> Payload: <soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wss
> e:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
> curity-secext-1.0.xsd" soap:mustUnderstand="1"><wsse:BinarySecurityToken
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
> curity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
> urity-utility-1.0.xsd"
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-so
> ap-message-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-
> token-profile-1.0#X509v3"
> wsu:Id="CertId-8FE55E1C1DB8D8548C13666670167941">MIIBozCCAQygAwIBAgIEUXV
> eiTANBgkqhkiG9w0BAQUFADAWMRQwEgYDVQQDEwtjbGllbnQxdXNlcjAeFw0xMzA0MjIxNjA
> wMDlaFw0xNTA0MjIxNjAwMDlaMBYxFDASBgNVBAMTC2NsaWVudDF1c2VyMIGfMA0GCSqGSIb
> 3DQEBAQUAA4GNADCBiQKBgQCd4AXM4VgvaScl6kdJVyaej50gr08XXSOntVki80znasD1tjE
> +TwUBBIjMzWUtLN+vWO211cbggaNP8mLZ2Tti3mEY0sS4ixZHLZz41/mLHU4YcQEFFZ5p61W
> p1L3C37gQ7pm37SfKerwlrM4HnxSY6y7MinJSfQ0iDYaMu+XizQIDAQABMA0GCSqGSIb3DQE
> BBQUAA4GBACiZwyRmSfjcjZDrIRe1A4PPHp+fMNHVssnvtOSaVEKjDRPeS1uXM7RLFUIvjEO
> sbiSGMWSswFj/M61dRwNQreUxK737EpX8yko0gzKG+mH9bZZnEzroX5BROxa1luUTDmK2dUg
> oPmLIwZI8gB8rJL6W3F3I6zfHwqHGbW6Xqt+J</wsse:BinarySecurityToken><ds:Sign
> ature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-2">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> <ds:Reference URI="#id-3">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <ds:DigestValue>Ki9mmuZ/IPEazLZiTmt1cqDq7pQ=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#Timestamp-1">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> <ds:DigestValue>dc/iT6EKpqAL9crdJORImAfavcU=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>
> FmXE1n5OKy4PVtLkTeuycQf6d6gMl4fgIrucJw6Ms8OnFLs4jbN6PMbkKIkv3DogfYPzSrr6
> Incd
> Gus2miH1Qb5dFOhRDUSTDBaMeROxCyfKtzpvhTezboS1lYTF1jgFlmih5Ly1pTEwK46XmBL4
> KKeD
> Jjo5xjN6eqUAYgrcGjs=
> </ds:SignatureValue>
> <ds:KeyInfo Id="KeyId-8FE55E1C1DB8D8548C13666670168262">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
> curity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
> urity-utility-1.0.xsd"
> wsu:Id="STRId-8FE55E1C1DB8D8548C13666670168263"><wsse:Reference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wsse
> curity-secext-1.0.xsd" URI="#CertId-8FE55E1C1DB8D8548C13666670167941"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-
> token-profile-1.0#X509v3" /></wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature><wsu:Timestamp
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
> urity-utility-1.0.xsd"
> wsu:Id="Timestamp-1"><wsu:Created>2013-04-22T21:43:36.793Z</wsu:Created>
> <wsu:Expires>2013-04-22T21:48:36.793Z</wsu:Expires></wsu:Timestamp></wss
> e:Security></soap:Header><soap:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssec
> urity-utility-1.0.xsd" wsu:Id="id-3"><ns2:testWebService
> xmlns:ns2="http://akimeka.com"><arg0>Test
> String</arg0></ns2:testWebService></soap:Body></soap:Envelope>
> --------------------------------------
>
> And then blows up with this stacktrace and sends back a fault:
>
> 16:43:36,935 WARN  [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor]
> Security processing failed (actions mismatch)
> 16:43:36,935 WARN  [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor]
> : org.apache.ws.security.WSSecurityException: An error was discovered
> processing the <wsse:Security> header
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JIn
> Interceptor.java:294) [:2.3.1-patch-01]
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JI
> nInterceptor.java:234) [:2.3.1-patch-01]
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JI
> nInterceptor.java:81) [:2.3.1-patch-01]
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorC
> hain.java:255) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiati
> onObserver.java:113) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestin
> ation.java:97) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(Ser
> vletController.java:461) [:2.3.1-patch-01]
>         at
> org.jboss.wsf.stack.cxf.ServletControllerExt.invoke(ServletControllerExt
> .java:172) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHand
> lerImpl.java:57) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(Servl
> etHelper.java:156) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:90)
> [:3.4.1.GA]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(Abstr
> actHTTPServlet.java:179) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTP
> Servlet.java:103) [:2.3.1-patch-01]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
> [:1.0.0.Final]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTT
> PServlet.java:159) [:2.3.1-patch-01]
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
> tionFilterChain.java:324) [:6.1.0.Final]
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
> erChain.java:242) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
> e.java:275) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
> e.java:161) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAs
> sociationValve.java:181) [:6.1.0.Final]
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticator
> Base.java:501) [:6.1.0.Final]
>         at
> org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event
> (CatalinaContext.java:285) [:1.1.0.Final]
>         at
> org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invok
> e(CatalinaContext.java:261) [:1.1.0.Final]
>         at
> org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.j
> ava:88) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(S
> ecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
> :159) [:6.1.0.Final]
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
> :102) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConn
> ectionValve.java:158) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
> java:109) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.inv
> oke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
>         at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:3
> 62) [:6.1.0.Final]
>         at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:87
> 7) [:6.1.0.Final]
>         at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
> Http11Protocol.java:654) [:6.1.0.Final]
>         at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951)
> [:6.1.0.Final]
>         at java.lang.Thread.run(Thread.java:662) [:1.6.0_35]
>
> 16:43:36,936 WARN  [org.apache.cxf.phase.PhaseInterceptorChain]
> Interceptor for {http://akimeka.com}TMDS_CIP_Web_Service has thrown
> exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: An
> error was discovered processing the <wsse:Security> header
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4
> JInInterceptor.java:654) [:2.3.1-patch-01]
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JI
> nInterceptor.java:275) [:2.3.1-patch-01]
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JI
> nInterceptor.java:81) [:2.3.1-patch-01]
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorC
> hain.java:255) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiati
> onObserver.java:113) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.ServletDestination.invoke(ServletDestin
> ation.java:97) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(Ser
> vletController.java:461) [:2.3.1-patch-01]
>         at
> org.jboss.wsf.stack.cxf.ServletControllerExt.invoke(ServletControllerExt
> .java:172) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHand
> lerImpl.java:57) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(Servl
> etHelper.java:156) [:3.4.1.GA]
>         at
> org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:90)
> [:3.4.1.GA]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(Abstr
> actHTTPServlet.java:179) [:2.3.1-patch-01]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTP
> Servlet.java:103) [:2.3.1-patch-01]
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
> [:1.0.0.Final]
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTT
> PServlet.java:159) [:2.3.1-patch-01]
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applica
> tionFilterChain.java:324) [:6.1.0.Final]
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilt
> erChain.java:242) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValv
> e.java:275) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValv
> e.java:161) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAs
> sociationValve.java:181) [:6.1.0.Final]
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticator
> Base.java:501) [:6.1.0.Final]
>         at
> org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.event
> (CatalinaContext.java:285) [:1.1.0.Final]
>         at
> org.jboss.modcluster.catalina.CatalinaContext$RequestListenerValve.invok
> e(CatalinaContext.java:261) [:1.1.0.Final]
>         at
> org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.j
> ava:88) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(S
> ecurityContextEstablishmentValve.java:100) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java
> :159) [:6.1.0.Final]
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java
> :102) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConn
> ectionValve.java:158) [:6.1.0.Final]
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.
> java:109) [:6.1.0.Final]
>         at
> org.jboss.web.tomcat.service.request.ActiveRequestResponseCacheValve.inv
> oke(ActiveRequestResponseCacheValve.java:53) [:6.1.0.Final]
>         at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:3
> 62) [:6.1.0.Final]
>         at
> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:87
> 7) [:6.1.0.Final]
>         at
> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(
> Http11Protocol.java:654) [:6.1.0.Final]
>         at
> org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:951)
> [:6.1.0.Final]
>         at java.lang.Thread.run(Thread.java:662) [:1.6.0_35]
> Caused by: org.apache.ws.security.WSSecurityException: An error was
> discovered processing the <wsse:Security> header
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JIn
> Interceptor.java:294) [:2.3.1-patch-01]
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JI
> nInterceptor.java:234) [:2.3.1-patch-01]
>         ... 33 more
>
>
> ------------------------------------------------------------------------
> -------------------------------------------
>
> So, the client actions for the request are "Timestamp Signature"  and
> the server inInterceptor actions match that.
>
> What am I failing to understand about this?  Is there a simple
> explanation anywhere of what it means to specify a list of actions on a
> web service incoming interceptor, and EXACTLY what is required on the
> client end to match up, including details about specific parts that have
> to be signed?
>
>
>
>
>
>
>
>
>
> NOTICE: This transmission (including all attachments) is company
> confidential, is intended only for the individual or entity named above,
> and is likely to contain privileged, proprietary and confidential
> information that is exempt from disclosure requests under applicable law.
> If you are not the intended recipient, you are hereby notified that any
> disclosure, copying, distribution, use of or reliance upon any of the
> information contained in this transmission is strictly prohibited. Any
> inadvertent or unauthorized disclosure shall not compromise or waive the
> confidentiality of this transmission. If you have received this
> transmission in error, please forward this message immediately to
> postmaster@akimeka.com <ma...@akimeka.com>  and delete or
> otherwise remove this email from your system.  Thank you
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com