Posted to wss4j-dev@ws.apache.org by ma...@fsb.se on 2006/04/27 11:46:52 UTC

Trouble when securing the response

Hi

I have a working webservice (using axis) and I have successfully secured
the request to the server with the following deployment configurations:

Client
<requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllSender" >
    <parameter name="action" value="Signature Encrypt Timestamp"/>
    <parameter name="user" value="UserA"/>
    <parameter name="passwordCallbackClass"
value="security.PWCallback"/>
    <parameter name="signaturePropFile" value="cryptoclient.properties"
/>
    <parameter name="encryptionUser" value="UserB" />
   </handler>
</requestFlow>

Server
<requestFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
    <parameter name="passwordCallbackClass"
value="sekerhet.PWCallback"/>
    <parameter name="action" value="Signature Encrypt Timestamp"/>
    <parameter name="signaturePropFile" value="cryptoserver.properties"
/>
  </handler>
</requestFlow>

Cryptoclient.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.keystore.password=secretpassword
org.apache.ws.security.crypto.merlin.keystore.alias=UserA
org.apache.ws.security.crypto.merlin.file=UserAkeystore

Cryptoserver.properties
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=JKS
org.apache.ws.security.crypto.merlin.keystore.password=secretpassword
org.apache.ws.security.crypto.merlin.keystore.alias=UserB
org.apache.ws.security.crypto.merlin.file=UserBkeystore

This works like a charm. The request is being signed, encrypted and
timestamped. So the next logical step was to do the same for the
response from the server. I extended the deployment descriptions on the
server and the client to the following:

Client
<responseFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver" >
    <parameter name="action" value="Signature Encrypt Timestamp"/>
    <parameter name="passwordCallbackClass"
value="security.PWCallback"/>
    <parameter name="signaturePropFile" value="cryptoclient.properties"
/>
  </handler>
</responseFlow>

Server
<responseFlow>
  <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
    <parameter name="action" value="Signature Encrypt Timestamp"/>
    <parameter name="user" value="UserB"/>
    <parameter name="passwordCallbackClass"
value="sekerhet.PWCallback"/>
    <parameter name="signaturePropFile" value="cryptoserver.properties"
/>
    <parameter name="encryptionUser" value="UserA" />
  </handler>
</responseFlow>

When I view the HTTP POST and the corresponding response it looks right.
I have attached the output in this mail. Unfortunately, when the client
receives the response and starts to verify the signature and timestamp and
decrypt the message, a null pointer occurs. I have debugged to the
method decryptDataRef in WSSecurityEngine. So the password and the
location of the private key work fine. When
WSSecurityUtil.getElementByWsuId(wssConfig, doc, dataRefURI) is called a
null pointer occurs. Further debugging shows that the null pointer occurs
in the WSSecurityUtil class in the method findElementById(Node
startNode, String value, String namespace) where value is
EncDataId-17351095 and namespace is
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd. The start node is:

<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2006-04-27T09:38:38.454Z</wsu:Created><wsu:Expires>2006-04-27T09:43:38.454Z</wsu:Expires></wsu:Timestamp>
<xenc:EncryptedKey>
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference><ds:X509IssuerSerial>
<ds:X509IssuerName>CN=UserA</ds:X509IssuerName>

<ds:X509SerialNumber>1141738619</ds:X509SerialNumber>
</ds:X509IssuerSerial></wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>xfq+orbQx69rMT3jqirpSFJI3IyUfRwoKTAiW
ok8bSwd5ZQpf1qrpRVmGfd9j+PTmpP3iXfHzsh8
mFFAVaX8rztYqiMMxFsG1K2l8MkFGslGrGeu7VGal3oKaPfx5PZUBT1ItEOTY6XQ6PcOPcEj
NM6u
riWlELWgFq20Q+paQ4M=</xenc:CipherValue></xenc:CipherData>
<xenc:ReferenceList><xenc:DataReference URI="#EncDataId-17351095"
/></xenc:ReferenceList></xenc:EncryptedKey><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#id-17351095">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>tPv0iDcb6Bwn2YVsYIO1qW7myKw=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
XraagTh/ZA5iUJeCjkxvlEJVbeJOFPv2yAG+Htf8nUGPSuE0rZ6tH1ysyIpIMOvDb9zfiMmv
3eCm
E8UtfaL8xLOCNykZH4CUuxDvF4j5LwSAnT/8mm5pEXhJWn9jgT27o3eE+bDrerEbTNXj4wxf
UEhS
KNz/+o2k0qdJe4U2JxA=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-2850754">
<wsse:SecurityTokenReference wsu:Id="STRId-30456965"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ds:X509IssuerSerial>
<ds:X509IssuerName>CN=UserB</ds:X509IssuerName>

<ds:X509SerialNumber>1141738621</ds:X509SerialNumber>
</ds:X509IssuerSerial></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body
wsu:Id="id-17351095"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedData Id="EncDataId-17351095"
Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
/><xenc:CipherData><xenc:CipherValue>RQEuGbKefpDGgyk3hEsKSCI+OqtX7hvFJ+h
1mCTu6e3usrc9KvW5MlJAny9fxFNMWcRLYOXOJEir
s7kzX1hDC54HfrTZ1MkEOelZQ7eUkmjplWtSSphGeAVqvF2BWyvYsd+6oNqx3nEfap9mSnnR
rRwk
6I0bi546CU9wAEMCaz5U/hCua91mzASVZmg4XkQIvh7/AkB+stCAvuwyN03U0lwP8y5ZL13B
BHv6
eDxsn5o3Ltc7sMpOqjRjENaJp0FDd5wnbQOiAq+m1dHAzQHOuybOcQz/Lnj80Nve44t9MR+C
aV17
3kK08JcBp+wc42xUwQqzxB7oQ3TbNeSEjsjIq3gWtlSE9ULKGU1AWQB+WrRu6cy/V2czrOcu
7fMZ
Fxn/q/v5MTAIyIYTve7UZ7l/35WgJLIfmS63I7G43KsGgHptV5rHwIM2DFMDp7zBic3PbF7g
xi6e
d1sE5gMpH43kmWgoCiC0vi91rlUprIPbvOtRjFzpVeoUmIluFjToQYg0Ur26o1C7EXe1Y2oq
oiFT
6w4fBYbZRgVgSLTtEv1iM7c=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>

I am guessing it tries to find the element right under the body for
decrypting the body. But I can't understand why it doesn't find it. The
EncDataId is there and the element also. Does anyone have any guess on
what's causing this?

Thanks
Markus
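An added diagnostic (not from the mail above and not WSS4J code) that resolves every xenc:DataReference and ds:Reference URI in a trimmed, constructed copy of the response envelope and reports whether each id was found through a wsu:Id or through an unqualified Id attribute. With wsu_only=True it models a lookup that accepts only wsu:Id, the namespace the mail says is passed to findElementById; the names find_by_id and check_references are this example's own.

```python
import xml.etree.ElementTree as ET

WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed, trimmed copy of the response envelope from the mail: cipher
# text and signature bytes dropped, only the Id/URI structure is kept.
ENVELOPE = """<soapenv:Envelope
 xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <soapenv:Header>
  <xenc:EncryptedKey><xenc:ReferenceList>
   <xenc:DataReference URI="#EncDataId-17351095"/>
  </xenc:ReferenceList></xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo>
   <ds:Reference URI="#id-17351095"/>
  </ds:SignedInfo></ds:Signature>
 </soapenv:Header>
 <soapenv:Body wsu:Id="id-17351095">
  <xenc:EncryptedData Id="EncDataId-17351095"
   Type="http://www.w3.org/2001/04/xmlenc#Content"/>
 </soapenv:Body>
</soapenv:Envelope>"""


def find_by_id(root, value, wsu_only):
    """First element whose wsu:Id (or, unless wsu_only, plain Id) equals
    value; returns (element, 'wsu:Id' | 'Id') or (None, None)."""
    keys = [("{%s}Id" % WSU, "wsu:Id")]   # namespaced attribute key in ElementTree
    if not wsu_only:
        keys.append(("Id", "Id"))          # unqualified attribute, no namespace
    for el in root.iter():
        for attr, label in keys:
            if el.get(attr) == value:
                return el, label
    return None, None


def check_references(xml_text, wsu_only=False):
    """Map every DataReference/Reference URI in the header to the attribute
    it resolved through, or None when nothing in the envelope carries it."""
    root = ET.fromstring(xml_text)
    uris = [r.get("URI") for r in root.iter("{%s}DataReference" % XENC)]
    uris += [r.get("URI") for r in root.iter("{%s}Reference" % DS)]
    return {u: find_by_id(root, u.lstrip("#"), wsu_only)[1] for u in uris}
```

In this envelope the Body carries wsu:Id while EncryptedData carries a plain Id, so the strict lookup resolves the signature reference but leaves the DataReference unresolved.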