You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by "martijn.list" <ma...@gmail.com> on 2017/01/14 09:20:27 UTC
Getting "Security processing failed (actions mismatch)" with
UsernameToken authentication and SoapUI
Hi,
I have CXF configured server side with spring and enabled UsernameToken
authentication:
<bean id="publicWebServicePasswordInterceptor"
class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="UsernameToken" />
<entry key="passwordType" value="PasswordText" />
<entry key="passwordCallbackRef">
<ref bean="publicWebServicePasswordHandler"/>
</entry>
</map>
</constructor-arg>
</bean>
<jaxws:inInterceptors>
<ref bean="publicWebServicePasswordInterceptor"/>
</jaxws:inInterceptors>
This works when the SOAP client is created with CXF. However when I use
SoapUI to test the web service I always get the following error in the
SOAP server:
"Security processing failed (actions mismatch)"
With some debugging I noticed that the "incomingSecurityEventList" is
empty when
From StaxActionInInterceptor:
public void handleMessage(SoapMessage soapMessage)
{
[SNIP]
...
List<SecurityEvent> incomingSecurityEventList =
(List)soapMessage.get(SecurityEvent.class.getName() + ".in");
...
This is why a few lines later a SoapFault exception is thrown because
the incomingSecurityEventList should not be empty.
If I use the CXF SOAP client (which works), the
incomingSecurityEventList contains the following object:
org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
It might be that the SOAP call from SoapUI is incorrect or that
something is missing but I have not figured out why this is not working.
I hope someone can tell me what's not correct with the SOAP call from
SoapUI:
SOAP call from SoapUI (from tcpdump):
POST /usersws HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 829
Host: 127.0.0.1:9009
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws="http://ws.djigzo.application.mitm/">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965395"><wsse:Username>admin</wsse:Username><wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
<soapenv:Body>
<ws:isUser>
<!--Optional:-->
<email>?</email>
</ws:isUser>
</soapenv:Body>
</soapenv:Envelope>
I have tested it with CXF 3.0.9 and with 3.0.12
Any idea why this is not working?
Kind regards,
Martijn Brinkers
Re: Getting "Security processing failed (actions mismatch)" with
UsernameToken authentication and SoapUI
Posted by Colm O hEigeartaigh <co...@apache.org>.
This is now fixed: https://issues.apache.org/jira/browse/CXF-7220
Colm.
On Thu, Jan 19, 2017 at 10:04 AM, martijn.list <ma...@gmail.com>
wrote:
> On 01/16/2017 03:32 PM, Colm O hEigeartaigh wrote:
> > It's a bug...either in CXF or WSS4J. It manifests when there is
> whitespace
> > between the SOAP Body tag and the first Element in the Body itself. For a
> > workaround, you can just use the DOM WSS4JInInterceptor instead.
>
> Enabling "strip whitespace" in SoapUI also works.
>
> Kind regards,
>
> Martijn Brinkers
>
>
> >> I have CXF configured server side with spring and enabled UsernameToken
> >> authentication:
> >>
> >> <bean id="publicWebServicePasswordInterceptor"
> >> class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
> >> <constructor-arg>
> >> <map>
> >> <entry key="action" value="UsernameToken" />
> >> <entry key="passwordType" value="PasswordText" />
> >> <entry key="passwordCallbackRef">
> >> <ref bean="publicWebServicePasswordHandler"/>
> >> </entry>
> >> </map>
> >> </constructor-arg>
> >> </bean>
> >>
> >> <jaxws:inInterceptors>
> >> <ref bean="publicWebServicePasswordInterceptor"/>
> >> </jaxws:inInterceptors>
> >>
> >> This works when the SOAP client is created with CXF. However when I use
> >> SoapUI to test the web service I always get the following error in the
> >> SOAP server:
> >>
> >> "Security processing failed (actions mismatch)"
> >>
> >> With some debugging I noticed that the "incomingSecurityEventList" is
> >> empty when
> >>
> >> From StaxActionInInterceptor:
> >>
> >> public void handleMessage(SoapMessage soapMessage)
> >> {
> >> [SNIP]
> >> ...
> >> List<SecurityEvent> incomingSecurityEventList =
> >> (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
> >> ...
> >>
> >> This is why a few lines later a SoapFault exception is thrown because
> >> the incomingSecurityEventList should not be empty.
> >>
> >> If I use the CXF SOAP client (which works), the
> >> incomingSecurityEventList contains the following object:
> >>
> >> org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
> >>
> >> It might be that the SOAP call from SoapUI is incorrect or that
> >> something is missing but I have not figured out why this is not working.
> >>
> >> I hope someone can tell me what's not correct with the SOAP call from
> >> SoapUI:
> >>
> >> SOAP call from SoapUI (from tcpdump):
> >>
> >> POST /usersws HTTP/1.1
> >>
> >> Content-Type: text/xml;charset=UTF-8
> >>
> >> SOAPAction: ""
> >>
> >> Content-Length: 829
> >>
> >> Host: 127.0.0.1:9009
> >>
> >> Connection: Keep-Alive
> >>
> >> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
> >>
> >>
> >>
> >> <soapenv:Envelope
> >> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> >> xmlns:ws="http://ws.djigzo.application.mitm/">
> >> <soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
> >> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-
> >> 200401-wss-wssecurity-secext-1.0.xsd"
> >> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
> >> 200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
> >> wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965
> >> 395"><wsse:Username>admin</wsse:Username><wsse:Password
> >> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
> >> wss-username-token-profile-1.0#PasswordText">password</
> >> wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
> >> <soapenv:Body>
> >> <ws:isUser>
> >> <!--Optional:-->
> >> <email>?</email>
> >> </ws:isUser>
> >> </soapenv:Body>
> >> </soapenv:Envelope>
> >>
> >> I have tested it with CXF 3.0.9 and with 3.0.12
> >>
> >> Any idea why this is not working?
> >>
> >> Kind regards,
> >>
> >> Martijn Brinkers
> >>
> >
> >
> >
>
>
> --
> CipherMail email encryption
>
> Email encryption with support for S/MIME, OpenPGP, PDF encryption and
> secure webmail pull.
>
> https://www.ciphermail.com
>
> Twitter: http://twitter.com/CipherMail
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Getting "Security processing failed (actions mismatch)" with
UsernameToken authentication and SoapUI
Posted by "martijn.list" <ma...@gmail.com>.
On 01/16/2017 03:32 PM, Colm O hEigeartaigh wrote:
> It's a bug...either in CXF or WSS4J. It manifests when there is whitespace
> between the SOAP Body tag and the first Element in the Body itself. For a
> workaround, you can just use the DOM WSS4JInInterceptor instead.
Enabling "strip whitespace" in SoapUI also works.
Kind regards,
Martijn Brinkers
>> I have CXF configured server side with spring and enabled UsernameToken
>> authentication:
>>
>> <bean id="publicWebServicePasswordInterceptor"
>> class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
>> <constructor-arg>
>> <map>
>> <entry key="action" value="UsernameToken" />
>> <entry key="passwordType" value="PasswordText" />
>> <entry key="passwordCallbackRef">
>> <ref bean="publicWebServicePasswordHandler"/>
>> </entry>
>> </map>
>> </constructor-arg>
>> </bean>
>>
>> <jaxws:inInterceptors>
>> <ref bean="publicWebServicePasswordInterceptor"/>
>> </jaxws:inInterceptors>
>>
>> This works when the SOAP client is created with CXF. However when I use
>> SoapUI to test the web service I always get the following error in the
>> SOAP server:
>>
>> "Security processing failed (actions mismatch)"
>>
>> With some debugging I noticed that the "incomingSecurityEventList" is
>> empty when
>>
>> From StaxActionInInterceptor:
>>
>> public void handleMessage(SoapMessage soapMessage)
>> {
>> [SNIP]
>> ...
>> List<SecurityEvent> incomingSecurityEventList =
>> (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
>> ...
>>
>> This is why a few lines later a SoapFault exception is thrown because
>> the incomingSecurityEventList should not be empty.
>>
>> If I use the CXF SOAP client (which works), the
>> incomingSecurityEventList contains the following object:
>>
>> org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
>>
>> It might be that the SOAP call from SoapUI is incorrect or that
>> something is missing but I have not figured out why this is not working.
>>
>> I hope someone can tell me what's not correct with the SOAP call from
>> SoapUI:
>>
>> SOAP call from SoapUI (from tcpdump):
>>
>> POST /usersws HTTP/1.1
>>
>> Content-Type: text/xml;charset=UTF-8
>>
>> SOAPAction: ""
>>
>> Content-Length: 829
>>
>> Host: 127.0.0.1:9009
>>
>> Connection: Keep-Alive
>>
>> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
>>
>>
>>
>> <soapenv:Envelope
>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>> xmlns:ws="http://ws.djigzo.application.mitm/">
>> <soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-
>> 200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
>> 200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
>> wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965
>> 395"><wsse:Username>admin</wsse:Username><wsse:Password
>> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
>> wss-username-token-profile-1.0#PasswordText">password</
>> wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
>> <soapenv:Body>
>> <ws:isUser>
>> <!--Optional:-->
>> <email>?</email>
>> </ws:isUser>
>> </soapenv:Body>
>> </soapenv:Envelope>
>>
>> I have tested it with CXF 3.0.9 and with 3.0.12
>>
>> Any idea why this is not working?
>>
>> Kind regards,
>>
>> Martijn Brinkers
>>
>
>
>
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
Re: Getting "Security processing failed (actions mismatch)" with
UsernameToken authentication and SoapUI
Posted by "martijn.list" <ma...@gmail.com>.
On 01/19/2017 10:32 AM, martijn.list wrote:
> On 01/17/2017 05:47 PM, Colm O hEigeartaigh wrote:
>> On Mon, Jan 16, 2017 at 10:05 PM, martijn.list <ma...@gmail.com>
>> wrote:
>>
>>>
>>>
>>> Is this reported somewhere?
>>>
>>
>> No, not yet. Not sure yet whether it's a bug in CXF or WSS4J.
>>
>>
>>>
>>>> For a workaround, you can just use the DOM WSS4JInInterceptor instead.
>>>
>>> Changing it to org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor did
>>> not solve the issue. I get the same error.
>>>
>>
>> It works for me. What stacktrace do you see on the server side?
Sorry my bad. You are right. Replacing WSS4JStaxInInterceptor with
WSS4JInInterceptor actually works (in SoapUI it's not always clear where
to configure authentication).
Kind regards,
Martijn Brinkers
> I get the same error and a more or less similar stack trace:
>
> 19 Jan 2017 10:29:23 | WARN Security processing failed (actions
> mismatch) (org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor)
> [defaultEventExecutorGroup-6-1]
> 19 Jan 2017 10:29:23 | WARN Interceptor for {http://ws.djigzo.com}Users
> has thrown exception, unwinding now
> (org.apache.cxf.phase.PhaseInterceptorChain)
> [defaultEventExecutorGroup-6-1]
> org.apache.cxf.binding.soap.SoapFault: A security error was encountered
> when verifying the message
> at
> org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:275)
> at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:333)
> at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
> at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:96)
> at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:252)
> at
> org.apache.cxf.transport.http.netty.server.NettyHttpDestination.doService(NettyHttpDestination.java:174)
> at
> org.apache.cxf.transport.http.netty.server.NettyHttpHandler.handle(NettyHttpHandler.java:64)
> at
> org.apache.cxf.transport.http.netty.server.NettyHttpContextHandler.handle(NettyHttpContextHandler.java:83)
> at
> org.apache.cxf.transport.http.netty.server.NettyHttpServletHandler.handleHttpServletRequest(NettyHttpServletHandler.java:135)
> at
> org.apache.cxf.transport.http.netty.server.NettyHttpServletHandler.channelRead(NettyHttpServletHandler.java:110)
> at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:292)
> at
> io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:32)
> at
> io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:283)
> at
> io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:36)
> at
> io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)
> at
> io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
> at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was
> discovered processing the <wsse:Security> header
> at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JInInterceptor.java:380)
> at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:317)
>
> Kind regards,
>
> Martijn Brinkers
>
>
>
>
>>>> On Sat, Jan 14, 2017 at 9:20 AM, martijn.list <ma...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have CXF configured server side with spring and enabled UsernameToken
>>>>> authentication:
>>>>>
>>>>> <bean id="publicWebServicePasswordInterceptor"
>>>>> class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
>>>>> <constructor-arg>
>>>>> <map>
>>>>> <entry key="action" value="UsernameToken" />
>>>>> <entry key="passwordType" value="PasswordText" />
>>>>> <entry key="passwordCallbackRef">
>>>>> <ref bean="publicWebServicePasswordHandler"/>
>>>>> </entry>
>>>>> </map>
>>>>> </constructor-arg>
>>>>> </bean>
>>>>>
>>>>> <jaxws:inInterceptors>
>>>>> <ref bean="publicWebServicePasswordInterceptor"/>
>>>>> </jaxws:inInterceptors>
>>>>>
>>>>> This works when the SOAP client is created with CXF. However when I use
>>>>> SoapUI to test the web service I always get the following error in the
>>>>> SOAP server:
>>>>>
>>>>> "Security processing failed (actions mismatch)"
>>>>>
>>>>> With some debugging I noticed that the "incomingSecurityEventList" is
>>>>> empty when
>>>>>
>>>>> From StaxActionInInterceptor:
>>>>>
>>>>> public void handleMessage(SoapMessage soapMessage)
>>>>> {
>>>>> [SNIP]
>>>>> ...
>>>>> List<SecurityEvent> incomingSecurityEventList =
>>>>> (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
>>>>> ...
>>>>>
>>>>> This is why a few lines later a SoapFault exception is thrown because
>>>>> the incomingSecurityEventList should not be empty.
>>>>>
>>>>> If I use the CXF SOAP client (which works), the
>>>>> incomingSecurityEventList contains the following object:
>>>>>
>>>>> org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
>>>>>
>>>>> It might be that the SOAP call from SoapUI is incorrect or that
>>>>> something is missing but I have not figured out why this is not working.
>>>>>
>>>>> I hope someone can tell me what's not correct with the SOAP call from
>>>>> SoapUI:
>>>>>
>>>>> SOAP call from SoapUI (from tcpdump):
>>>>>
>>>>> POST /usersws HTTP/1.1
>>>>>
>>>>> Content-Type: text/xml;charset=UTF-8
>>>>>
>>>>> SOAPAction: ""
>>>>>
>>>>> Content-Length: 829
>>>>>
>>>>> Host: 127.0.0.1:9009
>>>>>
>>>>> Connection: Keep-Alive
>>>>>
>>>>> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
>>>>>
>>>>>
>>>>>
>>>>> <soapenv:Envelope
>>>>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>>>>> xmlns:ws="http://ws.djigzo.application.mitm/">
>>>>> <soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
>>>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-
>>>>> 200401-wss-wssecurity-secext-1.0.xsd"
>>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
>>>>> 200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
>>>>> wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965
>>>>> 395"><wsse:Username>admin</wsse:Username><wsse:Password
>>>>> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
>>>>> wss-username-token-profile-1.0#PasswordText">password</
>>>>> wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
>>>>> <soapenv:Body>
>>>>> <ws:isUser>
>>>>> <!--Optional:-->
>>>>> <email>?</email>
>>>>> </ws:isUser>
>>>>> </soapenv:Body>
>>>>> </soapenv:Envelope>
>>>>>
>>>>> I have tested it with CXF 3.0.9 and with 3.0.12
>>>>>
>>>>> Any idea why this is not working?
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Martijn Brinkers
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> CipherMail email encryption
>>>
>>> Email encryption with support for S/MIME, OpenPGP, PDF encryption and
>>> secure webmail pull.
>>>
>>> https://www.ciphermail.com
>>>
>>> Twitter: http://twitter.com/CipherMail
>>>
>>
>>
>>
>
>
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
Re: Getting "Security processing failed (actions mismatch)" with
UsernameToken authentication and SoapUI
Posted by "martijn.list" <ma...@gmail.com>.
On 01/17/2017 05:47 PM, Colm O hEigeartaigh wrote:
> On Mon, Jan 16, 2017 at 10:05 PM, martijn.list <ma...@gmail.com>
> wrote:
>
>>
>>
>> Is this reported somewhere?
>>
>
> No, not yet. Not sure yet whether it's a bug in CXF or WSS4J.
>
>
>>
>>> For a workaround, you can just use the DOM WSS4JInInterceptor instead.
>>
>> Changing it to org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor did
>> not solve the issue. I get the same error.
>>
>
> It works for me. What stacktrace do you see on the server side?
I get the same error and a more or less similar stack trace:
19 Jan 2017 10:29:23 | WARN Security processing failed (actions
mismatch) (org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor)
[defaultEventExecutorGroup-6-1]
19 Jan 2017 10:29:23 | WARN Interceptor for {http://ws.djigzo.com}Users
has thrown exception, unwinding now
(org.apache.cxf.phase.PhaseInterceptorChain)
[defaultEventExecutorGroup-6-1]
org.apache.cxf.binding.soap.SoapFault: A security error was encountered
when verifying the message
at
org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:275)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:333)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:96)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:252)
at
org.apache.cxf.transport.http.netty.server.NettyHttpDestination.doService(NettyHttpDestination.java:174)
at
org.apache.cxf.transport.http.netty.server.NettyHttpHandler.handle(NettyHttpHandler.java:64)
at
org.apache.cxf.transport.http.netty.server.NettyHttpContextHandler.handle(NettyHttpContextHandler.java:83)
at
org.apache.cxf.transport.http.netty.server.NettyHttpServletHandler.handleHttpServletRequest(NettyHttpServletHandler.java:135)
at
org.apache.cxf.transport.http.netty.server.NettyHttpServletHandler.channelRead(NettyHttpServletHandler.java:110)
at
io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:292)
at
io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:32)
at
io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:283)
at
io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:36)
at
io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)
at
io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was
discovered processing the <wsse:Security> header
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JInInterceptor.java:380)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:317)
Kind regards,
Martijn Brinkers
>>> On Sat, Jan 14, 2017 at 9:20 AM, martijn.list <ma...@gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have CXF configured server side with spring and enabled UsernameToken
>>>> authentication:
>>>>
>>>> <bean id="publicWebServicePasswordInterceptor"
>>>> class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
>>>> <constructor-arg>
>>>> <map>
>>>> <entry key="action" value="UsernameToken" />
>>>> <entry key="passwordType" value="PasswordText" />
>>>> <entry key="passwordCallbackRef">
>>>> <ref bean="publicWebServicePasswordHandler"/>
>>>> </entry>
>>>> </map>
>>>> </constructor-arg>
>>>> </bean>
>>>>
>>>> <jaxws:inInterceptors>
>>>> <ref bean="publicWebServicePasswordInterceptor"/>
>>>> </jaxws:inInterceptors>
>>>>
>>>> This works when the SOAP client is created with CXF. However when I use
>>>> SoapUI to test the web service I always get the following error in the
>>>> SOAP server:
>>>>
>>>> "Security processing failed (actions mismatch)"
>>>>
>>>> With some debugging I noticed that the "incomingSecurityEventList" is
>>>> empty when
>>>>
>>>> From StaxActionInInterceptor:
>>>>
>>>> public void handleMessage(SoapMessage soapMessage)
>>>> {
>>>> [SNIP]
>>>> ...
>>>> List<SecurityEvent> incomingSecurityEventList =
>>>> (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
>>>> ...
>>>>
>>>> This is why a few lines later a SoapFault exception is thrown because
>>>> the incomingSecurityEventList should not be empty.
>>>>
>>>> If I use the CXF SOAP client (which works), the
>>>> incomingSecurityEventList contains the following object:
>>>>
>>>> org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
>>>>
>>>> It might be that the SOAP call from SoapUI is incorrect or that
>>>> something is missing but I have not figured out why this is not working.
>>>>
>>>> I hope someone can tell me what's not correct with the SOAP call from
>>>> SoapUI:
>>>>
>>>> SOAP call from SoapUI (from tcpdump):
>>>>
>>>> POST /usersws HTTP/1.1
>>>>
>>>> Content-Type: text/xml;charset=UTF-8
>>>>
>>>> SOAPAction: ""
>>>>
>>>> Content-Length: 829
>>>>
>>>> Host: 127.0.0.1:9009
>>>>
>>>> Connection: Keep-Alive
>>>>
>>>> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
>>>>
>>>>
>>>>
>>>> <soapenv:Envelope
>>>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>>>> xmlns:ws="http://ws.djigzo.application.mitm/">
>>>> <soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
>>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-
>>>> 200401-wss-wssecurity-secext-1.0.xsd"
>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
>>>> 200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
>>>> wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965
>>>> 395"><wsse:Username>admin</wsse:Username><wsse:Password
>>>> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
>>>> wss-username-token-profile-1.0#PasswordText">password</
>>>> wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
>>>> <soapenv:Body>
>>>> <ws:isUser>
>>>> <!--Optional:-->
>>>> <email>?</email>
>>>> </ws:isUser>
>>>> </soapenv:Body>
>>>> </soapenv:Envelope>
>>>>
>>>> I have tested it with CXF 3.0.9 and with 3.0.12
>>>>
>>>> Any idea why this is not working?
>>>>
>>>> Kind regards,
>>>>
>>>> Martijn Brinkers
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> CipherMail email encryption
>>
>> Email encryption with support for S/MIME, OpenPGP, PDF encryption and
>> secure webmail pull.
>>
>> https://www.ciphermail.com
>>
>> Twitter: http://twitter.com/CipherMail
>>
>
>
>
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
Re: Getting "Security processing failed (actions mismatch)" with
UsernameToken authentication and SoapUI
Posted by Colm O hEigeartaigh <co...@apache.org>.
On Mon, Jan 16, 2017 at 10:05 PM, martijn.list <ma...@gmail.com>
wrote:
>
>
> Is this reported somewhere?
>
No, not yet. Not sure yet whether it's a bug in CXF or WSS4J.
>
> > For a workaround, you can just use the DOM WSS4JInInterceptor instead.
>
> Changing it to org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor did
> not solve the issue. I get the same error.
>
It works for me. What stacktrace do you see on the server side?
Colm.
> Kind regards,
>
> Martijn Brinkers
>
>
> > On Sat, Jan 14, 2017 at 9:20 AM, martijn.list <ma...@gmail.com>
> > wrote:
> >
> >> Hi,
> >>
> >> I have CXF configured server side with spring and enabled UsernameToken
> >> authentication:
> >>
> >> <bean id="publicWebServicePasswordInterceptor"
> >> class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
> >> <constructor-arg>
> >> <map>
> >> <entry key="action" value="UsernameToken" />
> >> <entry key="passwordType" value="PasswordText" />
> >> <entry key="passwordCallbackRef">
> >> <ref bean="publicWebServicePasswordHandler"/>
> >> </entry>
> >> </map>
> >> </constructor-arg>
> >> </bean>
> >>
> >> <jaxws:inInterceptors>
> >> <ref bean="publicWebServicePasswordInterceptor"/>
> >> </jaxws:inInterceptors>
> >>
> >> This works when the SOAP client is created with CXF. However when I use
> >> SoapUI to test the web service I always get the following error in the
> >> SOAP server:
> >>
> >> "Security processing failed (actions mismatch)"
> >>
> >> With some debugging I noticed that the "incomingSecurityEventList" is
> >> empty when
> >>
> >> From StaxActionInInterceptor:
> >>
> >> public void handleMessage(SoapMessage soapMessage)
> >> {
> >> [SNIP]
> >> ...
> >> List<SecurityEvent> incomingSecurityEventList =
> >> (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
> >> ...
> >>
> >> This is why a few lines later a SoapFault exception is thrown because
> >> the incomingSecurityEventList should not be empty.
> >>
> >> If I use the CXF SOAP client (which works), the
> >> incomingSecurityEventList contains the following object:
> >>
> >> org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
> >>
> >> It might be that the SOAP call from SoapUI is incorrect or that
> >> something is missing but I have not figured out why this is not working.
> >>
> >> I hope someone can tell me what's not correct with the SOAP call from
> >> SoapUI:
> >>
> >> SOAP call from SoapUI (from tcpdump):
> >>
> >> POST /usersws HTTP/1.1
> >>
> >> Content-Type: text/xml;charset=UTF-8
> >>
> >> SOAPAction: ""
> >>
> >> Content-Length: 829
> >>
> >> Host: 127.0.0.1:9009
> >>
> >> Connection: Keep-Alive
> >>
> >> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
> >>
> >>
> >>
> >> <soapenv:Envelope
> >> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> >> xmlns:ws="http://ws.djigzo.application.mitm/">
> >> <soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
> >> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-
> >> 200401-wss-wssecurity-secext-1.0.xsd"
> >> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
> >> 200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
> >> wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965
> >> 395"><wsse:Username>admin</wsse:Username><wsse:Password
> >> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
> >> wss-username-token-profile-1.0#PasswordText">password</
> >> wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
> >> <soapenv:Body>
> >> <ws:isUser>
> >> <!--Optional:-->
> >> <email>?</email>
> >> </ws:isUser>
> >> </soapenv:Body>
> >> </soapenv:Envelope>
> >>
> >> I have tested it with CXF 3.0.9 and with 3.0.12
> >>
> >> Any idea why this is not working?
> >>
> >> Kind regards,
> >>
> >> Martijn Brinkers
> >>
> >
> >
> >
>
>
> --
> CipherMail email encryption
>
> Email encryption with support for S/MIME, OpenPGP, PDF encryption and
> secure webmail pull.
>
> https://www.ciphermail.com
>
> Twitter: http://twitter.com/CipherMail
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Getting "Security processing failed (actions mismatch)" with
UsernameToken authentication and SoapUI
Posted by "martijn.list" <ma...@gmail.com>.
On 01/16/2017 03:32 PM, Colm O hEigeartaigh wrote:
> It's a bug...either in CXF or WSS4J. It manifests when there is whitespace
> between the SOAP Body tag and the first Element in the Body itself.
Is this reported somewhere?
> For a workaround, you can just use the DOM WSS4JInInterceptor instead.
Changing it to org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor did
not solve the issue. I get the same error.
Kind regards,
Martijn Brinkers
> On Sat, Jan 14, 2017 at 9:20 AM, martijn.list <ma...@gmail.com>
> wrote:
>
>> Hi,
>>
>> I have CXF configured server side with spring and enabled UsernameToken
>> authentication:
>>
>> <bean id="publicWebServicePasswordInterceptor"
>> class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
>> <constructor-arg>
>> <map>
>> <entry key="action" value="UsernameToken" />
>> <entry key="passwordType" value="PasswordText" />
>> <entry key="passwordCallbackRef">
>> <ref bean="publicWebServicePasswordHandler"/>
>> </entry>
>> </map>
>> </constructor-arg>
>> </bean>
>>
>> <jaxws:inInterceptors>
>> <ref bean="publicWebServicePasswordInterceptor"/>
>> </jaxws:inInterceptors>
>>
>> This works when the SOAP client is created with CXF. However when I use
>> SoapUI to test the web service I always get the following error in the
>> SOAP server:
>>
>> "Security processing failed (actions mismatch)"
>>
>> With some debugging I noticed that the "incomingSecurityEventList" is
>> empty when
>>
>> From StaxActionInInterceptor:
>>
>> public void handleMessage(SoapMessage soapMessage)
>> {
>> [SNIP]
>> ...
>> List<SecurityEvent> incomingSecurityEventList =
>> (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
>> ...
>>
>> This is why a few lines later a SoapFault exception is thrown because
>> the incomingSecurityEventList should not be empty.
>>
>> If I use the CXF SOAP client (which works), the
>> incomingSecurityEventList contains the following object:
>>
>> org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
>>
>> It might be that the SOAP call from SoapUI is incorrect or that
>> something is missing but I have not figured out why this is not working.
>>
>> I hope someone can tell me what's not correct with the SOAP call from
>> SoapUI:
>>
>> SOAP call from SoapUI (from tcpdump):
>>
>> POST /usersws HTTP/1.1
>>
>> Content-Type: text/xml;charset=UTF-8
>>
>> SOAPAction: ""
>>
>> Content-Length: 829
>>
>> Host: 127.0.0.1:9009
>>
>> Connection: Keep-Alive
>>
>> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
>>
>>
>>
>> <soapenv:Envelope
>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>> xmlns:ws="http://ws.djigzo.application.mitm/">
>> <soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-
>> 200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
>> 200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
>> wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965
>> 395"><wsse:Username>admin</wsse:Username><wsse:Password
>> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
>> wss-username-token-profile-1.0#PasswordText">password</
>> wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
>> <soapenv:Body>
>> <ws:isUser>
>> <!--Optional:-->
>> <email>?</email>
>> </ws:isUser>
>> </soapenv:Body>
>> </soapenv:Envelope>
>>
>> I have tested it with CXF 3.0.9 and with 3.0.12
>>
>> Any idea why this is not working?
>>
>> Kind regards,
>>
>> Martijn Brinkers
>>
>
>
>
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
Re: Getting "Security processing failed (actions mismatch)" with
UsernameToken authentication and SoapUI
Posted by Colm O hEigeartaigh <co...@apache.org>.
It's a bug...either in CXF or WSS4J. It manifests when there is whitespace
between the SOAP Body tag and the first Element in the Body itself. For a
workaround, you can just use the DOM WSS4JInInterceptor instead.
Colm.
On Sat, Jan 14, 2017 at 9:20 AM, martijn.list <ma...@gmail.com>
wrote:
> Hi,
>
> I have CXF configured server side with spring and enabled UsernameToken
> authentication:
>
> <bean id="publicWebServicePasswordInterceptor"
> class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
> <constructor-arg>
> <map>
> <entry key="action" value="UsernameToken" />
> <entry key="passwordType" value="PasswordText" />
> <entry key="passwordCallbackRef">
> <ref bean="publicWebServicePasswordHandler"/>
> </entry>
> </map>
> </constructor-arg>
> </bean>
>
> <jaxws:inInterceptors>
> <ref bean="publicWebServicePasswordInterceptor"/>
> </jaxws:inInterceptors>
>
> This works when the SOAP client is created with CXF. However when I use
> SoapUI to test the web service I always get the following error in the
> SOAP server:
>
> "Security processing failed (actions mismatch)"
>
> With some debugging I noticed that the "incomingSecurityEventList" is
> empty when
>
> From StaxActionInInterceptor:
>
> public void handleMessage(SoapMessage soapMessage)
> {
> [SNIP]
> ...
> List<SecurityEvent> incomingSecurityEventList =
> (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
> ...
>
> This is why a few lines later a SoapFault exception is thrown because
> the incomingSecurityEventList should not be empty.
>
> If I use the CXF SOAP client (which works), the
> incomingSecurityEventList contains the following object:
>
> org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
>
> It might be that the SOAP call from SoapUI is incorrect or that
> something is missing but I have not figured out why this is not working.
>
> I hope someone can tell me what's not correct with the SOAP call from
> SoapUI:
>
> SOAP call from SoapUI (from tcpdump):
>
> POST /usersws HTTP/1.1
>
> Content-Type: text/xml;charset=UTF-8
>
> SOAPAction: ""
>
> Content-Length: 829
>
> Host: 127.0.0.1:9009
>
> Connection: Keep-Alive
>
> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
>
>
>
> <soapenv:Envelope
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:ws="http://ws.djigzo.application.mitm/">
> <soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-
> 200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
> 200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
> wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965
> 395"><wsse:Username>admin</wsse:Username><wsse:Password
> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
> wss-username-token-profile-1.0#PasswordText">password</
> wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
> <soapenv:Body>
> <ws:isUser>
> <!--Optional:-->
> <email>?</email>
> </ws:isUser>
> </soapenv:Body>
> </soapenv:Envelope>
>
> I have tested it with CXF 3.0.9 and with 3.0.12
>
> Any idea why this is not working?
>
> Kind regards,
>
> Martijn Brinkers
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com