Posted to dev@cxf.apache.org by Paul Avijit <pa...@yahoo.com> on 2014/04/26 13:56:34 UTC

MTOM with WS-Security

Hi,

Please help on this topic.

When CXF is not at both ends of the wire, MTOM upload is not working with WS-Security. This happens when I am testing a CXF Web service with SoapUI. It works fine when CXF is at both ends of the wire.

Is this a CXF issue or a SoapUI issue? I can see SoapUI constructing a valid input SOAP message, but the service, after receiving the request, is not able to read the MTOM attachment. Following are the details of the Web Service.

I have a CXF Web Service with MTOM (separate operations for upload and download) and WS-Security (UsernameToken Timestamp Signature Encrypt).

Both the upload and download operations with MTOM work fine when tested using the CXF client.

When testing with SoapUI, the download operation works fine.

There are no errors even for the upload operation, but the Web Service is not able to read the attached file. SoapUI is sending a well-formed SOAP message with an MTOM attachment. When the SOAP message is sent by SoapUI to the CXF service, the service is able to:

1. Decrypt the message
2. Verify the signature
3. Verify the Timestamp
4. Verify the UsernameToken
5. Read all data elements in the SOAP body
6. But it is not able to read the file sent as the MTOM attachment
7. Respond with a SOAP message (with Timestamp Signature Encrypt)

SoapUI is able to decrypt the response and verify its signature and timestamp.

Following are my CXF service In/Out Interceptors:

<!-- Inbound (request) interceptor: verifies UsernameToken, Timestamp and Signature, and decrypts -->
<bean id="UT_TimestampSignEncrypt_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="UsernameToken Timestamp Signature Encrypt"/>
            <entry key="passwordType" value="PasswordDigest"/>
            <entry key="passwordCallbackRef" value-ref="myKeystorePasswordCallback"/>
            <entry key="signaturePropFile" value="serviceKeystore.properties"/>
            <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <entry key="decryptionPropFile" value="serviceKeystore.properties"/>
            <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        </map>
    </constructor-arg>
</bean>

<!-- Outbound (response) interceptor: adds Timestamp, signs Timestamp and Body, encrypts Signature and Body content -->
<bean id="TimestampSignEncrypt_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="Timestamp Signature Encrypt"/>
            <entry key="timeToLive" value="10" />
            <entry key="passwordCallbackRef" value-ref="myKeystorePasswordCallback"/>
            <entry key="user" value="myservicekey"/>
            <entry key="signaturePropFile" value="serviceKeystore.properties"/>
            <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://www.w3.org/2003/05/soap-envelope}Body"/>
            <entry key="signatureAlgorithm" value="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <entry key="encryptionPropFile" value="serviceKeystore.properties"/>
            <entry key="encryptionUser" value="useReqSigCert"/>
            <entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://www.w3.org/2003/05/soap-envelope}Body"/>
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
        </map>
    </constructor-arg>
    <property name="allowMTOM" value="true"/>
</bean>



The SOAP message sent by SoapUI is shown below:

INFO: Inbound Message
----------------------------
ID: 3
Address: https://localhost:7002/bes-hc-poc-caqhcore-web/services/Core
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: multipart/related; type="application/xop+xml"; start="<ro...@soapui.org>"; start-info="application/soap+xml"; action="BatchSubmitTransaction"; boundary="----=_Part_2_1401538319.1398513008102"
Headers: {accept-encoding=[gzip,deflate], connection=[Keep-Alive], Content-Length=[9142], content-type=[multipart/related; type="application/xop+xml"; start="<ro...@soapui.org>"; start-info="application/soap+xml"; action="BatchSubmitTransaction"; boundary="----=_Part_2_1401538319.1398513008102"], Host=[localhost:7002], MIME-Version=[1.0], User-Agent=[Apache-HttpClient/4.1.1 (java 1.5)]}
Payload: 
------=_Part_2_1401538319.1398513008102
Content-Type: application/xop+xml; charset=UTF-8; type="application/soap+xml; action=\"BatchSubmitTransaction\""
Content-Transfer-Encoding: 8bit
Content-ID: <ro...@soapui.org>

<soap:Envelope xmlns:cor="http://www.caqh.org/SOAP/WSDL/CORERule2.2.0.xsd" xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
   <soap:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedKey Id="EK-C60D03DB1FCA570C29139851300809612" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">[...]</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>Dd5JFnmx4ra0lJFtfD8tW2FrgWe9wjXahKzgX0B8b6yUW0DqDYO7f/da2nVG1HrlEgmoT0oWj8kucoudtJnTKzqBs43qgV36anDwfxvP8KZHtgNqDE7UYQAweeJntFJW6o/gPWgFEFznqEI/04gJWtKvHPkJ/HZCCSfLi4Xqy9I=</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList><xenc:DataReference URI="#ED-17"/><xenc:DataReference URI="#ED-18"/></xenc:ReferenceList></xenc:EncryptedKey><xenc:EncryptedData Id="ED-17" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference
 URI="#EK-C60D03DB1FCA570C29139851300809612"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>[...]
MTjBh83J2dQxQVsi8l+pFapFLlBr5dQv2OLgrY0S/8qGAbkE3iOidhdmRpz2tw+lmcxn6ijt+JxiD45WLPx1dNTDMB7V6wqBP3Ql10LaKvBJf+i5u7eIjxm5KNlf1zkGJqd/078aU527uZT0BkC7wpsN3TT7pc/YlsAu1rcfX1Lfs0uGeM/WNOX/kDv2DK7rvaFxcGDm7d8N/2QpaMmc9+q0gWsnac/wO4KGLuFYlK52GW0qXjshqz3EOHiibxgHRNf/Y2F1XMZrmmU6BLPMuBsYE7KqfBpGWgrKBjeNwRt5espj1sPnzBAmEdmj19b3IDRAHDyJRK6FnMcPT8wwo7PHaTWbm8a1qUqQOWFNw8UFBCTTuCfQKvryyNaZIMstWaB+SsJSaNVDr4oxcIjA0Ky6EvYWFMeIPCd2vrLrujITREiY9Nv8TkrBiOdn6Xf17zmNsxhtEf1Ry8N76xsmopTf/59QeaOgInH8C5A9Jh+8XoJuDYol88MNPi1qbSpQwYGsCibUX4ykZ8KI1wpGg9NxiW4RA4CtWgdGwYqBR05hPgHfWPIiYC65zctjjVAPrMj1wvAoSvj1Vxfy4P1DfayF2a1+uc9WVX6cT7sMCOPqKiN3kvgRB3TF06zd/yiHW/1sxbG4j+v1YVRmqfxf7xkXoKovqfMi8D8BtUQZ2GtxxsBPBJx1yuMEz86owN0kIUSSdCJFgaELTqBYce6FrMsrBbumk3c5B8N/GTgyG8WrOhTujCedpuAk/7B0dkm5QQa92X+1J2kYZsG+RLZqrF+LWD7MM/YgICPSsrI+BCwnAVsQPDH596CLdir6eeMGh+QE/2Ttop4gLpU4Vzd4A4CDbjaj/AHkxjKAWBQViubkWixccN5YRCH3Cfh/GDEwxKUXesq4JsA+tAISobVe8wqbi8sjyVZaGnb04RI3xn9OnE/rzQEdcFzefj0J9G+bG2ofO3a
[...]</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><wsu:Timestamp wsu:Id="TS-14"><wsu:Created>2014-04-26T11:50:08.080Z</wsu:Created><wsu:Expires>2014-04-26T11:50:18.080Z</wsu:Expires></wsu:Timestamp><wsse:UsernameToken wsu:Id="UsernameToken-13"><wsse:Username>POC-Username</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">I2Pw32RLANbTrH6sF3OZakPNnFA=</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">56mNOeA3JWwvapjrF1H8Bg==</wsse:Nonce><wsu:Created>2014-04-26T11:50:08.080Z</wsu:Created></wsse:UsernameToken></wsse:Security></soap:Header>
   <soap:Body wsu:Id="id-15" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedData Id="ED-18" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference
 URI="#EK-C60D03DB1FCA570C29139851300809612"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>[...]</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body>
</soap:Envelope>
------=_Part_2_1401538319.1398513008102
Content-Type: text/plain; charset=us-ascii; name=test.txt
Content-Transfer-Encoding: 7bit
Content-ID: <249996952948>
Content-Disposition: attachment; name="test.txt"; filename="test.txt"

This is Test file for testing MTOM File Upload...
------=_Part_2_1401538319.1398513008102--

--------------------------------------

Regards
Paul
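A check a practitioner would run on a request like the one traced above, added here as an example and not code from the post, from CXF or from SoapUI: parse the multipart/related message, confirm that the start= parameter on the outer Content-Type names the root SOAP part, and confirm that every xop:Include href in the SOAP body resolves to an attachment part's Content-ID (cid: URL with angle brackets and any percent-encoding removed). Since the posted request encrypts the Body content, the xop:Include elements only become visible after WSS4J has decrypted the envelope, so this check has to run on the decrypted envelope; on the raw trace it can only confirm the MIME-level facts (root part, attachment Content-ID). The request built by build_sample_request is constructed for this example; the Content-IDs root@example.invalid and file1@example.invalid, the namespace urn:example and the boundary string are assumptions.

```python
"""Consistency check for an MTOM (XOP) multipart/related request."""
import email
from email import policy
from urllib.parse import unquote
import xml.etree.ElementTree as ET

XOP_INCLUDE = "{http://www.w3.org/2004/08/xop/include}Include"


def _bare_cid(value: str) -> str:
    """Strip whitespace and the enclosing angle brackets from a Content-ID value."""
    value = value.strip()
    if value.startswith("<") and value.endswith(">"):
        value = value[1:-1]
    return value


def check_mtom(raw: bytes) -> dict:
    """Parse a multipart/related request and report whether the root part is the
    one named by start= and whether each xop:Include href resolves to a part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get_content_type() != "multipart/related":
        raise ValueError("not a multipart/related message")
    start = msg.get_param("start")
    parts = list(msg.iter_parts())
    # Map bare Content-ID -> MIME part for every part that carries one.
    cids = {}
    for part in parts:
        cid = part.get("Content-ID")
        if cid:
            cids[_bare_cid(cid)] = part
    # The root part is the one named by start=; XOP falls back to the first part.
    root = cids.get(_bare_cid(start)) if start else None
    if root is None:
        root = parts[0]
    root_cid = _bare_cid(root.get("Content-ID", ""))
    envelope = ET.fromstring(root.get_payload(decode=True))
    hrefs = [inc.get("href") for inc in envelope.iter(XOP_INCLUDE)]
    # RFC 2392: a cid: URL is the percent-encoded addr-spec without brackets.
    unresolved = [
        h for h in hrefs
        if not h.startswith("cid:") or unquote(h[4:]) not in cids
    ]
    return {
        "root_cid": root_cid,
        "root_matches_start": start is not None and _bare_cid(start) == root_cid,
        "attachment_cids": sorted(c for c in cids if c != root_cid),
        "xop_hrefs": hrefs,
        "unresolved": unresolved,
    }


def build_sample_request(href: str) -> bytes:
    """Constructed sample request (assumption, not the message from the post):
    a root application/xop+xml part whose Body holds one xop:Include with the
    given href, followed by one text/plain attachment with Content-ID
    <file1@example.invalid>."""
    boundary = "=_Part_example"
    envelope = (
        '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"'
        ' xmlns:xop="http://www.w3.org/2004/08/xop/include">'
        '<soap:Body><upload xmlns="urn:example"><file>'
        f'<xop:Include href="{href}"/>'
        '</file></upload></soap:Body></soap:Envelope>'
    )
    lines = [
        "MIME-Version: 1.0",
        'Content-Type: multipart/related; type="application/xop+xml";'
        ' start="<root@example.invalid>"; start-info="application/soap+xml";'
        f' boundary="{boundary}"',
        "",
        f"--{boundary}",
        'Content-Type: application/xop+xml; charset=UTF-8; type="application/soap+xml"',
        "Content-Transfer-Encoding: 8bit",
        "Content-ID: <root@example.invalid>",
        "",
        envelope,
        f"--{boundary}",
        "Content-Type: text/plain; charset=us-ascii; name=test.txt",
        "Content-Transfer-Encoding: 7bit",
        "Content-ID: <file1@example.invalid>",
        'Content-Disposition: attachment; name="test.txt"; filename="test.txt"',
        "",
        "This is a constructed test file.",
        f"--{boundary}--",
        "",
    ]
    return "\r\n".join(lines).encode("utf-8")


if __name__ == "__main__":
    # A resolving reference and a dangling one, to show both report shapes.
    print(check_mtom(build_sample_request("cid:file1@example.invalid")))
    print(check_mtom(build_sample_request("cid:missing@example.invalid")))
```

When the report shows an unresolved href, the attachment the server is looking for is not in the package under that Content-ID, which is one way a well-formed message can still leave the service unable to read the file; when every href resolves and the root matches start=, the MIME packaging is not the problem and attention moves to how the interceptors and the data binding handle the attachment.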