You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Glen Mazza <gl...@gmail.com> on 2013/09/01 22:48:56 UTC
Regression w/UT over Symmetric Key encryption between CXF 2.7.3 &
more recent?
Hi, the following sample:
https://github.com/gmazza/blog-samples/tree/master/cxf_ut_messagelayer,
hardcoded to use CXF 2.7.3, works fine with UsernameToken over
Message-Layer Encryption (here, an X.509 symmetric key as explained in
the first part of this short blog article:
http://www.jroller.com/gmazza/entry/usernametoken_messagelayer_encryption).
To confirm, all that needs to be done is to run "mvn clean install
tomcat7:run-war" from the cxf_ut_messagelayer base folder and "mvn
exec:exec" from the client subfolder. However, once I upgrade
cxf_ut_messagelayer/pom.xml to CXF 2.7.4 or more recent (tried 2.7.5 and
2.7.6 as well), I get the following error upon running the client:
Sep 01, 2013 4:16:53 PM org.apache.cxf.phase.PhaseInterceptorChain
doDefaultLogging
WARNING: Interceptor for
{http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt
has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The security token could not be
authenticated or authorized
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:788)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:336)
at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:105)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
.....
Caused by: org.apache.ws.security.WSSecurityException: The security
token could not be authenticated or authorized
at
org.apache.ws.security.validate.UsernameTokenValidator.verifyUnknownPassword(UsernameTokenValidator.java:228)
at
org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:110)
at
org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:172)
at
org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:67)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:279)
Checking the dependencies via mvn dependency:tree, we upgrade from
Woodstox 4.1.4 to 4.2.0 between CXF 2.7.3 and CXF 2.7.4. However, even
if I force the use of Woodstox 4.1.4 in CXF 2.7.4 I get the same error
message above. I don't know if this is a regression in CXF or if there
is some configuration change that will require me to update my WSDL
configuration.
Thanks,
Glen
Re: Regression w/UT over Symmetric Key encryption between CXF 2.7.3
& more recent?
Posted by Glen Mazza <gl...@gmail.com>.
Yes, that fixed it.
Thanks,
Glen
On 09/04/2013 05:43 AM, Colm O hEigeartaigh wrote:
> Hi Glen,
>
> The requirement now is for the policy to explicitly state that no password
> is required in the UsernameToken, which will be the case for key
> derivation, e.g.:
>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:UsernameToken
> sp:IncludeToken="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> ">
> <wsp:Policy>
> <sp:WssUsernameToken10/>
> <sp:NoPassword/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:ProtectionToken>
>
> There was a security bug in previous versions of CXF where it was allowing
> a UsernameToken with no passwords just to handle the key derivation case.
>
> Colm.
>
>
> On Sun, Sep 1, 2013 at 9:48 PM, Glen Mazza <gl...@gmail.com> wrote:
>
>> Hi, the following sample: https://github.com/gmazza/**
>> blog-samples/tree/master/cxf_**ut_messagelayer<https://github.com/gmazza/blog-samples/tree/master/cxf_ut_messagelayer>,
>> hardcoded to use CXF 2.7.3, works fine with UsernameToken over
>> Message-Layer Encryption (here, an X.509 symmetric key as explained in the
>> first part of this short blog article: http://www.jroller.com/gmazza/**
>> entry/usernametoken_**messagelayer_encryption<http://www.jroller.com/gmazza/entry/usernametoken_messagelayer_encryption>).
>> To confirm, all that needs to be done is to run "mvn clean install
>> tomcat7:run-war" from the cxf_ut_messagelayer base folder and "mvn
>> exec:exec" from the client subfolder. However, once I upgrade
>> cxf_ut_messagelayer/pom.xml to CXF 2.7.4 or more recent (tried 2.7.5 and
>> 2.7.6 as well), I get the following error upon running the client:
>>
>> Sep 01, 2013 4:16:53 PM org.apache.cxf.phase.**PhaseInterceptorChain
>> doDefaultLogging
>> WARNING: Interceptor for {http://www.example.org/**contract/DoubleIt}**
>> DoubleItService#{http://www.**example.org/contract/DoubleIt}**DoubleIt<http://www.example.org/contract/DoubleIt%7DDoubleItService#%7Bhttp://www.example.org/contract/DoubleIt%7DDoubleIt>has thrown exception, unwinding now
>> org.apache.cxf.binding.soap.**SoapFault: The security token could not be
>> authenticated or authorized
>> at org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**
>> createSoapFault(**WSS4JInInterceptor.java:788)
>> at org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**
>> handleMessage(**WSS4JInInterceptor.java:336)
>> at org.apache.cxf.ws.security.**wss4j.**PolicyBasedWSS4JInInterceptor.
>> **handleMessage(**PolicyBasedWSS4JInInterceptor.**java:120)
>> at org.apache.cxf.ws.security.**wss4j.**PolicyBasedWSS4JInInterceptor.
>> **handleMessage(**PolicyBasedWSS4JInInterceptor.**java:105)
>> at org.apache.cxf.phase.**PhaseInterceptorChain.**doIntercept(**
>> PhaseInterceptorChain.java:**271)
>> at org.apache.cxf.transport.**ChainInitiationObserver.**onMessage(**
>> ChainInitiationObserver.java:**121)
>> at org.apache.cxf.transport.http.**AbstractHTTPDestination.**invoke(**
>> AbstractHTTPDestination.java:**239)
>> .....
>> Caused by: org.apache.ws.security.**WSSecurityException: The security
>> token could not be authenticated or authorized
>> at org.apache.ws.security.**validate.**UsernameTokenValidator.**
>> verifyUnknownPassword(**UsernameTokenValidator.java:**228)
>> at org.apache.ws.security.**validate.**UsernameTokenValidator.**
>> validate(**UsernameTokenValidator.java:**110)
>> at org.apache.ws.security.**processor.**UsernameTokenProcessor.**
>> handleUsernameToken(**UsernameTokenProcessor.java:**172)
>> at org.apache.ws.security.**processor.**UsernameTokenProcessor.**
>> handleToken(**UsernameTokenProcessor.java:**67)
>> at org.apache.ws.security.**WSSecurityEngine.**processSecurityHeader(*
>> *WSSecurityEngine.java:396)
>> at org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**
>> handleMessage(**WSS4JInInterceptor.java:279)
>>
>> Checking the dependencies via mvn dependency:tree, we upgrade from
>> Woodstox 4.1.4 to 4.2.0 between CXF 2.7.3 and CXF 2.7.4. However, even if
>> I force the use of Woodstox 4.1.4 in CXF 2.7.4 I get the same error message
>> above. I don't know if this is a regression in CXF or if there is some
>> configuration change that will require me to update my WSDL configuration.
>>
>> Thanks,
>> Glen
>>
>>
>
Re: Regression w/UT over Symmetric Key encryption between CXF 2.7.3 &
more recent?
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Glen,
The requirement now is for the policy to explicitly state that no password
is required in the UsernameToken, which will be the case for key
derivation, e.g.:
<sp:ProtectionToken>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
">
<wsp:Policy>
<sp:WssUsernameToken10/>
<sp:NoPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:ProtectionToken>
There was a security bug in previous versions of CXF where it was allowing
a UsernameToken with no passwords just to handle the key derivation case.
Colm.
On Sun, Sep 1, 2013 at 9:48 PM, Glen Mazza <gl...@gmail.com> wrote:
> Hi, the following sample: https://github.com/gmazza/**
> blog-samples/tree/master/cxf_**ut_messagelayer<https://github.com/gmazza/blog-samples/tree/master/cxf_ut_messagelayer>,
> hardcoded to use CXF 2.7.3, works fine with UsernameToken over
> Message-Layer Encryption (here, an X.509 symmetric key as explained in the
> first part of this short blog article: http://www.jroller.com/gmazza/**
> entry/usernametoken_**messagelayer_encryption<http://www.jroller.com/gmazza/entry/usernametoken_messagelayer_encryption>).
> To confirm, all that needs to be done is to run "mvn clean install
> tomcat7:run-war" from the cxf_ut_messagelayer base folder and "mvn
> exec:exec" from the client subfolder. However, once I upgrade
> cxf_ut_messagelayer/pom.xml to CXF 2.7.4 or more recent (tried 2.7.5 and
> 2.7.6 as well), I get the following error upon running the client:
>
> Sep 01, 2013 4:16:53 PM org.apache.cxf.phase.**PhaseInterceptorChain
> doDefaultLogging
> WARNING: Interceptor for {http://www.example.org/**contract/DoubleIt}**
> DoubleItService#{http://www.**example.org/contract/DoubleIt}**DoubleIt<http://www.example.org/contract/DoubleIt%7DDoubleItService#%7Bhttp://www.example.org/contract/DoubleIt%7DDoubleIt>has thrown exception, unwinding now
> org.apache.cxf.binding.soap.**SoapFault: The security token could not be
> authenticated or authorized
> at org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**
> createSoapFault(**WSS4JInInterceptor.java:788)
> at org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**
> handleMessage(**WSS4JInInterceptor.java:336)
> at org.apache.cxf.ws.security.**wss4j.**PolicyBasedWSS4JInInterceptor.
> **handleMessage(**PolicyBasedWSS4JInInterceptor.**java:120)
> at org.apache.cxf.ws.security.**wss4j.**PolicyBasedWSS4JInInterceptor.
> **handleMessage(**PolicyBasedWSS4JInInterceptor.**java:105)
> at org.apache.cxf.phase.**PhaseInterceptorChain.**doIntercept(**
> PhaseInterceptorChain.java:**271)
> at org.apache.cxf.transport.**ChainInitiationObserver.**onMessage(**
> ChainInitiationObserver.java:**121)
> at org.apache.cxf.transport.http.**AbstractHTTPDestination.**invoke(**
> AbstractHTTPDestination.java:**239)
> .....
> Caused by: org.apache.ws.security.**WSSecurityException: The security
> token could not be authenticated or authorized
> at org.apache.ws.security.**validate.**UsernameTokenValidator.**
> verifyUnknownPassword(**UsernameTokenValidator.java:**228)
> at org.apache.ws.security.**validate.**UsernameTokenValidator.**
> validate(**UsernameTokenValidator.java:**110)
> at org.apache.ws.security.**processor.**UsernameTokenProcessor.**
> handleUsernameToken(**UsernameTokenProcessor.java:**172)
> at org.apache.ws.security.**processor.**UsernameTokenProcessor.**
> handleToken(**UsernameTokenProcessor.java:**67)
> at org.apache.ws.security.**WSSecurityEngine.**processSecurityHeader(*
> *WSSecurityEngine.java:396)
> at org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**
> handleMessage(**WSS4JInInterceptor.java:279)
>
> Checking the dependencies via mvn dependency:tree, we upgrade from
> Woodstox 4.1.4 to 4.2.0 between CXF 2.7.3 and CXF 2.7.4. However, even if
> I force the use of Woodstox 4.1.4 in CXF 2.7.4 I get the same error message
> above. I don't know if this is a regression in CXF or if there is some
> configuration change that will require me to update my WSDL configuration.
>
> Thanks,
> Glen
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com