Posted to users@cxf.apache.org by pmarkus <ph...@certex.at> on 2015/07/01 12:26:00 UTC

EJB Webservice does not handle policy

I created a webservice on JBoss AS 7.1.1 (which uses CXF 2.6.8) as a
Stateless Session Bean using code first approach.

@Stateless
@WebService(targetNamespace = "http://mycompany/mynamespace", serviceName = "myService",
        name = "myService", portName = "myServicePort")
@EndpointProperties({
        @EndpointProperty(key = "endpoint-processes-headers",
                value = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security"),
        @EndpointProperty(key = "ws-security.signature.properties", value = "signature.properties"),
        @EndpointProperty(key = "ws-security.encryption.properties", value = "encryption.properties"),
        @EndpointProperty(key = "ws-security.signature.username", value = "sig-user"),
        @EndpointProperty(key = "ws-security.encryption.username", value = "enc-user"),
        @EndpointProperty(key = "ws-security.callback-handler", value = "my.company.ClientCallback")
})
@Features(features = "org.apache.cxf.ws.policy.WSPolicyFeature")
@Policy(placement = Policy.Placement.BINDING, uri = "/META-INF/pw-reset-policy.xml")
@InInterceptors(interceptors = {"org.apache.cxf.ws.policy.PolicyOutInterceptor"})
@OutInterceptors(interceptors = {"org.apache.cxf.ws.policy.PolicyOutInterceptor"})
public class MyServiceBean implements MyService
{...}

The policy I attach looks like this:
<wsp:Policy xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="SecurityServiceSignThenEncryptPolicy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:AsymmetricBinding >
                <wsp:Policy>
                    <sp:InitiatorToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                <wsp:Policy>
                                    <sp:WssX509V1Token11/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:InitiatorToken>
                    <sp:RecipientToken>
                        <wsp:Policy>
                            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                    <sp:WssX509V1Token11/>
                                </wsp:Policy>
                            </sp:X509Token>
                        </wsp:Policy>
                    </sp:RecipientToken>
                    <sp:AlgorithmSuite>
                        <wsp:Policy>
                            <sp:TripleDesRsa15/>
                        </wsp:Policy>
                    </sp:AlgorithmSuite>
                    <sp:Layout>
                        <wsp:Policy>
                            <sp:Lax/>
                        </wsp:Policy>
                    </sp:Layout>
                    <sp:IncludeTimestamp/>
                    <sp:EncryptSignature/>
                    <sp:OnlySignEntireHeadersAndBody/>
                    <sp:SignBeforeEncrypting/>
                </wsp:Policy>
            </sp:AsymmetricBinding>
            <sp:SignedParts >
                <sp:Body/>
            </sp:SignedParts>
            <sp:EncryptedParts >
                <sp:Body/>
            </sp:EncryptedParts>
            <sp:Wss10>
                <wsp:Policy>
                    <sp:MustSupportRefIssuerSerial/>
                </wsp:Policy>
            </sp:Wss10>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

I use the interface MyService (and all the other data classes) on the client
as well to generate a service Stub on the fly using jax-ws Service.create
pointing to the WSDL this service creates.

The client (provided with all the keystores and properties) does correctly
encrypt the message, or at least I assume it does because the server
always produces an exception:
 
Interceptor for {http://www.tenfold-security.com/password}passwordReset has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: Message part {http://www.w3.org/2001/04/xmlenc#}EncryptedData was not recognized.  (Does it exist in service WSDL?)
        at org.apache.cxf.interceptor.DocLiteralInInterceptor.validatePart(DocLiteralInInterceptor.java:237) [cxf-api.jar:2.6.8]
        at org.apache.cxf.interceptor.DocLiteralInInterceptor.handleMessage(DocLiteralInInterceptor.java:191) [cxf-api.jar:2.6.8]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262) [cxf-api.jar:2.6.8]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api.jar:2.6.8]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:237) [cxf-rt-transports-http.jar:2.6.8]
        at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:95)
        at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:156)
        at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:225) [cxf-rt-transports-http.jar:2.6.8]
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:145) [cxf-rt-transports-http.jar:2.6.8]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
        at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
        at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi.jar:2.1.1.Final]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161)
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368)
        at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:897)
        at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:626)
        at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2039)
        at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_45]


I tried a lot of things to make this work, but nothing did so far.
I added @Features(features = "org.apache.cxf.ws.policy.WSPolicyFeature")
which apparently did nothing.

I tried to use the WSS4JInInterceptor and WSS4JOutInterceptor which only
complained that there is no Security action defined. 

I also tried to configure the interceptors via cxf.xml but then it
complained about not being able to read the file because it could not find
some schemas (http://cxf.apache.org/configuration/parameterized-types which
was referenced in http://cxf.apache.org/core).

I also didn't find any way to configure the WSS4J interceptors via
annotations. 

I tried to use JBoss-WS's @EndpointConfig annotation providing the
configuration via an endpoint-config.xml file. Same result.

I did subclass WSS4JInInterceptor and set the action property in the
constructor. But then it complained about not finding the signature
properties file.

So in the end nothing worked. Did I miss something? Am I doing something
wrong?

So far the client (also using CXF 2.6.8 on another JBoss server) seems to
correctly read the policy from the WSDL with no other configuration than
keystores, etc required. I didn't need to specify anything in particular for
policy handling. Yet the server just cannot handle it. 

Kind Regards,
Philip.



--
View this message in context: http://cxf.547215.n5.nabble.com/EJB-Webservice-does-not-handle-policy-tp5758729.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: EJB Webservice does not handle policy

Posted by Colm O hEigeartaigh <co...@apache.org>.
I would recommend trying with a more recent version of CXF to see if the
problem has been fixed.

Colm.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: EJB Webservice does not handle policy

Posted by pmarkus <ph...@certex.at>.
I made it work now.

I had to take the generated WSDL and turn the Webservice into a
Contract-First Webservice (using the wsdlLocation of the @WebService
annotation). Now everything works fine. 



--
View this message in context: http://cxf.547215.n5.nabble.com/EJB-Webservice-does-not-handle-policy-tp5758729p5758736.html
Sent from the cxf-user mailing list archive at Nabble.com.
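
A pre-deployment check for the contract-first fix described in the last message, added here as an example and not code from the thread or from CXF: before a generated WSDL is pinned with wsdlLocation, confirm that each binding still references a policy requiring a signed and encrypted body. The binding name, policy id and sample WSDL are constructed; the sp, wsp and wsu namespaces are those of the posted policy.

```python
import xml.etree.ElementTree as ET

# sp/wsp/wsu namespaces are the ones in the policy posted above; wsdl is WSDL 1.1.
NS = {"wsdl": "http://schemas.xmlsoap.org/wsdl/",
      "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
      "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/"
             "oasis-200401-wss-wssecurity-utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]

def audit_wsdl(wsdl_text):
    """Return findings: bindings without a sign+encrypt policy, and
    algorithm suites that rely on RSA PKCS#1 v1.5 key transport."""
    root = ET.fromstring(wsdl_text)
    by_id = {p.get(WSU_ID): p for p in root.iter("{%s}Policy" % NS["wsp"])
             if p.get(WSU_ID)}
    bindings = root.findall("wsdl:binding", NS)
    findings = [] if bindings else ["no wsdl:binding found"]
    for binding in bindings:
        name = binding.get("name")
        policy = binding.find("wsp:Policy", NS)        # inline attachment
        ref = binding.find("wsp:PolicyReference", NS)  # attachment by wsu:Id
        if policy is None and ref is not None:
            policy = by_id.get(ref.get("URI", "").lstrip("#"))
        if policy is None:
            findings.append(f"{name}: no resolvable policy on binding")
            continue
        if policy.find(".//sp:AsymmetricBinding", NS) is None:
            findings.append(f"{name}: no sp:AsymmetricBinding")
        for part in ("SignedParts", "EncryptedParts"):
            if policy.find(f".//sp:{part}/sp:Body", NS) is None:
                findings.append(f"{name}: body not covered by sp:{part}")
        suite = policy.find(".//sp:AlgorithmSuite/wsp:Policy/*", NS)
        local = suite.tag.rpartition("}")[2] if suite is not None else ""
        if local.endswith("Rsa15"):
            findings.append(f"{name}: {local} uses "
                            "RSA PKCS#1 v1.5 key transport")
    return findings

def sample_wsdl(attach_policy):
    """Constructed sample: a trimmed WSDL with one binding (names invented)."""
    xmlns = " ".join(f'xmlns:{k}="{v}"' for k, v in NS.items())
    ref = '<wsp:PolicyReference URI="#SignEncrypt"/>' if attach_policy else ""
    return f"""<wsdl:definitions {xmlns}>
  <wsp:Policy wsu:Id="SignEncrypt"><wsp:ExactlyOne><wsp:All>
    <sp:AsymmetricBinding><wsp:Policy><sp:AlgorithmSuite><wsp:Policy>
      <sp:TripleDesRsa15/>
    </wsp:Policy></sp:AlgorithmSuite></wsp:Policy></sp:AsymmetricBinding>
    <sp:SignedParts><sp:Body/></sp:SignedParts>
    <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
  </wsp:All></wsp:ExactlyOne></wsp:Policy>
  <wsdl:binding name="myServiceSoapBinding">{ref}</wsdl:binding>
</wsdl:definitions>"""

if __name__ == "__main__":
    for attached in (True, False):
        print(attached, audit_wsdl(sample_wsdl(attached)))
```

A binding with no resolvable policy is the case to block on: a WSDL pinned in that state advertises no signing or encryption requirement to clients that build their configuration from it.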