Posted to users@cxf.apache.org by Glen Mazza <gl...@gmail.com> on 2013/09/01 22:48:56 UTC

Regression w/UT over Symmetric Key encryption between CXF 2.7.3 & more recent?

Hi, the following sample: 
https://github.com/gmazza/blog-samples/tree/master/cxf_ut_messagelayer, 
hardcoded to use CXF 2.7.3, works fine with UsernameToken over 
Message-Layer Encryption (here, an X.509 symmetric key as explained in 
the first part of this short blog article: 
http://www.jroller.com/gmazza/entry/usernametoken_messagelayer_encryption). 
To confirm, all that needs to be done is to run "mvn clean install 
tomcat7:run-war" from the cxf_ut_messagelayer base folder and "mvn 
exec:exec" from the client subfolder.  However, once I upgrade 
cxf_ut_messagelayer/pom.xml to CXF 2.7.4 or more recent (tried 2.7.5 and 
2.7.6 as well), I get the following error upon running the client:

Sep 01, 2013 4:16:53 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The security token could not be authenticated or authorized
     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:788)
     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:336)
     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:105)
     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
.....
Caused by: org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized
     at org.apache.ws.security.validate.UsernameTokenValidator.verifyUnknownPassword(UsernameTokenValidator.java:228)
     at org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:110)
     at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:172)
     at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:67)
     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:279)

Checking the dependencies via mvn dependency:tree, we upgrade from 
Woodstox 4.1.4 to 4.2.0 between CXF 2.7.3 and CXF 2.7.4.  However, even 
if I force the use of Woodstox 4.1.4 in CXF 2.7.4 I get the same error 
message above.  I don't know if this is a regression in CXF or if there 
is some configuration change that will require me to update my WSDL 
configuration.

Thanks,
Glen


Re: Regression w/UT over Symmetric Key encryption between CXF 2.7.3 & more recent?

Posted by Glen Mazza <gl...@gmail.com>.
Yes, that fixed it.

Thanks,
Glen

On 09/04/2013 05:43 AM, Colm O hEigeartaigh wrote:
> Hi Glen,
>
> The requirement now is for the policy to explicitly state that no password
> is required in the UsernameToken, which will be the case for key
> derivation, e.g.:
>
> <sp:ProtectionToken>
>     <wsp:Policy>
>         <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>                 <sp:WssUsernameToken10/>
>                 <sp:NoPassword/>
>             </wsp:Policy>
>         </sp:UsernameToken>
>     </wsp:Policy>
> </sp:ProtectionToken>
>
> There was a security bug in previous versions of CXF where it was allowing
> a UsernameToken with no passwords just to handle the key derivation case.
>
> Colm.
>
>
> On Sun, Sep 1, 2013 at 9:48 PM, Glen Mazza <gl...@gmail.com> wrote:


Re: Regression w/UT over Symmetric Key encryption between CXF 2.7.3 & more recent?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Glen,

The requirement now is for the policy to explicitly state that no password
is required in the UsernameToken, which will be the case for key
derivation, e.g.:

<sp:ProtectionToken>
    <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
                <sp:WssUsernameToken10/>
                <sp:NoPassword/>
            </wsp:Policy>
        </sp:UsernameToken>
    </wsp:Policy>
</sp:ProtectionToken>

There was a security bug in previous versions of CXF where it was allowing
a UsernameToken with no passwords just to handle the key derivation case.

Colm.


On Sun, Sep 1, 2013 at 9:48 PM, Glen Mazza <gl...@gmail.com> wrote:


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
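Colm's point above is that a password-less UsernameToken is only legitimate when the policy explicitly asserts sp:NoPassword (the derived-key case), and that earlier CXF releases let such tokens through without that assertion. The script below is an added example, not code from the thread or from CXF: it audits a WS-SecurityPolicy document for UsernameToken ProtectionTokens that lack sp:NoPassword (the thing to check before moving to 2.7.4+), and models the old versus fixed acceptance decision for a wsse:UsernameToken. The sample policy and security header are constructed; the wsp namespace is assumed to be WS-Policy 1.5.

```python
import xml.etree.ElementTree as ET

# sp/wsse are the WS-SecurityPolicy 1.2 and WSS 1.0 URIs; wsp is assumed to be WS-Policy 1.5.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
NS = {"sp": SP, "wsp": WSP, "wsse": WSSE}


def policy_template(no_password: bool) -> str:
    """Constructed sample policy: a UsernameToken as the SymmetricBinding's ProtectionToken,
    with or without the sp:NoPassword assertion that CXF 2.7.4+ requires for key derivation."""
    np_ = "<sp:NoPassword/>" if no_password else ""
    return f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
      <wsp:Policy><sp:WssUsernameToken10/>{np_}</wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy></sp:ProtectionToken></wsp:Policy></sp:SymmetricBinding>
</wsp:Policy>"""


def security_header(with_password: bool) -> str:
    """Constructed wsse:Security header with one UsernameToken, with or without a password."""
    pw = "<wsse:Password>not-a-real-password</wsse:Password>" if with_password else ""
    return (f'<wsse:Security xmlns:wsse="{WSSE}"><wsse:UsernameToken>'
            f"<wsse:Username>alice</wsse:Username>{pw}</wsse:UsernameToken></wsse:Security>")


def protection_tokens_missing_nopassword(policy_xml: str) -> int:
    """Pre-upgrade audit: count sp:UsernameToken assertions under a ProtectionToken that
    lack sp:NoPassword; each one reproduces the fault from the thread on CXF 2.7.4+."""
    root = ET.fromstring(policy_xml)
    return sum(1 for pt in root.iter(f"{{{SP}}}ProtectionToken")
               for ut in pt.iter(f"{{{SP}}}UsernameToken")
               if ut.find("wsp:Policy/sp:NoPassword", NS) is None)


def username_token_acceptable(header_xml: str, policy_xml: str, legacy: bool = False) -> bool:
    """Mirror the validator's decision. Fixed rule: a token without wsse:Password passes only
    if the policy asserts sp:NoPassword (derived-key case); one with a password passes only
    if it does not (sp:NoPassword forbids a password). legacy=True models the pre-2.7.4 bug
    Colm describes: a password-less token was let through whatever the policy said."""
    ut = ET.fromstring(header_xml).find("wsse:UsernameToken", NS)
    if ut is None:
        return False
    has_password = ut.find("wsse:Password", NS) is not None
    if legacy and not has_password:
        return True
    policy = ET.fromstring(policy_xml)
    asserts_no_password = policy.find(".//sp:UsernameToken/wsp:Policy/sp:NoPassword", NS) is not None
    return has_password != asserts_no_password
```

Run protection_tokens_missing_nopassword over each policy extracted from your WSDLs; any non-zero count is a binding that will start failing with "The security token could not be authenticated or authorized" after the upgrade.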