Posted to users@cxf.apache.org by martin <sk...@gmail.com> on 2012/03/01 21:46:46 UTC

Re: WS-Security policy not being enabled in CXF



Hello again. I have used the tutorial found here to implement security now
(Favouring interceptors instead of WS security policy):
http://www.jroller.com/gmazza/entry/cxf_x509_profile


This has activated encryption on the service as far as I can see, as the old
client now complains over missing security headers as such: 
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: An error
was discovered processing the <wsse:Security> header

So far so good.

But then I tried building the client from the tutorial and that didn't work
as well. (by the way very good tutorial, I really got a good idea of how
interceptors work)

I did not use the tutorial 1-1 but I used it to modify my own functioning
web service. This is the error I am getting:
Mar 1, 2012 9:28:25 PM
org.springframework.beans.factory.xml.XmlBeanDefinitionReader
loadBeanDefinitions
INFO: Loading XML bean definitions from class path resource
[orgserver/common/Resources/Client.xml]
Mar 1, 2012 9:28:26 PM
org.apache.cxf.service.factory.ReflectionServiceFactoryBean
buildServiceFromClass
INFO: Creating Service {http://localhost:8080/}SEILoginService from class
orgserver.services.interfaces.SEILogin
Mar 1, 2012 9:28:27 PM
org.apache.cxf.services.SEILoginService.LoginServicePort.LoginService
INFO: Outbound Message
---------------------------
ID: 1
Address: http://localhost:8080/LoginService/services/Login
Encoding: UTF-8
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=[""]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><xenc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="EK-4C079C7FA871DAB16E13306337076504"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=localhost</ds:X509IssuerName><ds:X509SerialNumber>1330071969</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>D+6WuPyhXg+UwVDaZhzGOoHp10+Ob7NRaQk9Wtjw9DRBswI7GYpzEfZx5NBE0JMy/Znz8lIgVdlF9+REC1vsarYtgWe1rCKfaZAXZQnzzzdbEw2uD6ilhng5JSS/YITrfZOcDXiHB/bKtOf9ETPJHTTuauzc0FZsYLT6tCEgEu0=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
URI="#ED-4"/><xenc:DataReference
URI="#ED-5"/></xenc:ReferenceList></xenc:EncryptedKey><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4"
Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference
URI="#EK-4C079C7FA871DAB16E13306337076504"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>[...]</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><wsu:Timestamp
wsu:Id="TS-1"><wsu:Created>2012-03-01T20:28:27.357Z</wsu:Created><wsu:Expires>2012-03-01T20:33:27.357Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-2"><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-5"
Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference
URI="#EK-4C079C7FA871DAB16E13306337076504"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>VzTHmncSp9ky9+P/nhJQyY3Zn0iGtswtdyrp1VDOvyAxNmeTlTBsRBR1fHOdo7CCmWF8PhNfRHdhfFq7x0+hg/yteIpIyGHCOw2P68n5+kN8nb6EwEZmITrFKJBs0HDzFWVRuExWrByv1xLTi/1LEAiiXdRkygFwhyRDJ1fcRFk=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
--------------------------------------
Mar 1, 2012 9:28:27 PM
org.apache.cxf.services.SEILoginService.LoginServicePort.LoginService
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {connection=[close], Content-Length=[332],
content-type=[text/xml;charset=UTF-8], Date=[Thu, 01 Mar 2012 20:28:27 GMT],
Server=[Apache-Coyote/1.1]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode
xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode><faultstring>The
signature or decryption was
invalid</faultstring></soap:Fault></soap:Body></soap:Envelope>
--------------------------------------
Mar 1, 2012 9:28:27 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
WARNING: Request does not contain Security header, but it's a fault.
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The
signature or decryption was invalid
        at
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
        at $Proxy34.Validate(Unknown Source)
        at orgserver.clienttest.EncClient.Validate(EncClient.java:32)
        at orgserver.clienttest.EncClient.main(EncClient.java:27)
Caused by: org.apache.cxf.binding.soap.SoapFault: The signature or
decryption was invalid
        at
org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
        at
org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
        at
org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at
org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
        at
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
        at
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:799)
        at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1627)
        at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1494)
        at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1402)
        at
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
        at
org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:195)
        at
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
        at
org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:649)
        at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
        at
org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
        at
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        ... 3 more
Java Result: 1
BUILD SUCCESSFUL (total time: 2 seconds)



I'm sorry for the long ugly post, but I don't want to omit anything. But the
issue here seems to be that the server sends a soapfault back complaining
over the signature or encryption method. This seems to indicate that the
client encryption/signing does not match the server.

Client XML
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
      xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans.xsd
          http://cxf.apache.org/jaxws
          http://cxf.apache.org/schemas/jaxws.xsd">

   <bean id="client" class="orgserver.services.interfaces.SEILogin" 
        factory-bean="clientFactory" factory-method="create"/>
        
   <bean id="clientFactory"
class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
     <property name="serviceClass"
value="orgserver.services.interfaces.SEILogin"/>
     <property name="address"
value="http://localhost:8080/LoginService/services/Login"/>
       <property name="inInterceptors">
         <list>
            <ref bean="TimestampSignEncrypt_Response"/>
         </list>
       </property>
       <property name="outInterceptors">
         <list>
            <ref bean="TimestampSignEncrypt_Request"/>
         </list>
       </property>
   </bean>

    
    <bean 
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
        id="TimestampSignEncrypt_Request">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature Encrypt"/>
                <entry key="user" value="myclientkey"/>
                <entry key="signaturePropFile"
value="orgserver/common/Resources/clientKeystore.properties"/>
                <entry key="encryptionPropFile"
value="orgserver/common/Resources/clientKeystore.properties"/>
                <entry key="encryptionUser" value="myservicekey"/>
                <entry key="passwordCallbackClass"
value="orgserver.clienttest.ClientPasswordCallback"/>
                <entry key="signatureParts"
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="encryptionParts"
value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            </map>
        </constructor-arg>
    </bean>
    
    
    <bean 
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
        id="TimestampSignEncrypt_Response">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature Encrypt"/>
                <entry key="signaturePropFile"
value="orgserver/common/Resources/clientKeystore.properties"/>
                <entry key="decryptionPropFile"
value="orgserver/common/Resources/clientKeystore.properties"/>
                <entry key="passwordCallbackClass"
value="orgserver.clienttest.ClientPasswordCallback"/>
            </map>
        </constructor-arg>
    </bean>

</beans>

Server XML
<beans xmlns="http://www.springframework.org/schema/beans"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:jaxws="http://cxf.apache.org/jaxws"
      xmlns:soap="http://cxf.apache.org/bindings/soap"
      xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
         http://cxf.apache.org/jaxws
         http://cxf.apache.org/schemas/jaxws.xsd">


    <jaxws:endpoint
        id="LoginService"
        implementor="orgserver.services.Login"
        address="/Login">

         <jaxws:outInterceptors>
             <ref bean="TimestampSignEncrypt_Response"/>
         </jaxws:outInterceptors>
         <jaxws:inInterceptors>
             <ref bean="TimestampSignEncrypt_Request"/>
         </jaxws:inInterceptors>

    </jaxws:endpoint>


    <bean 
        id="TimestampSignEncrypt_Request"
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
        >
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature Encrypt"/>
                <entry key="signaturePropFile"
value="server-crypto.properties"/>
                <entry key="decryptionPropFile"
value="server-crypto.properties"/>
                <entry key="passwordCallbackClass"
value="orgserver.common.services.ServerCallback"/>
            </map>
        </constructor-arg>
    </bean>
    
    
    <bean 
        id="TimestampSignEncrypt_Response"
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
        >
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature Encrypt"/>
                <entry key="user" value="myservicekey"/>
                <entry key="signaturePropFile"
value="server-crypto.properties"/>
                <entry key="encryptionPropFile"
value="server-crypto.properties"/>
                <entry key="encryptionUser" value="useReqSigCert"/>
                <entry key="passwordCallbackClass"
value="orgserver.common.services.ServerCallback"/>
                <entry key="signatureParts"
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="encryptionParts"
value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            </map>
        </constructor-arg>
    </bean>   
</beans>


Client callback
public ClientPasswordCallback() {
        passwords.put("myclientkey", "ckpass");
    }

Server Callback
public ServerCallback() {
        passwords.put("myservicekey", "skpass");
    }

Server-Crypto
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.file=serviceKeystore.jks
org.apache.ws.security.crypto.merlin.keystore.password=sspass
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey


Client-Crypto
org.apache.ws.security.crypto.merlin.keystore.file=clientKeystore.jks
org.apache.ws.security.crypto.merlin.keystore.password=cspass
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=myclientkey


I have made certain that all the files are where they are supposed to be
(And they do throw exceptions if I move them, I checked). I have used the
key tool as described in the tutorial, I shamelessly copied/pasted into my
terminal.

Can anyone see my problem? The only alarm bell I see is the tag
<entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
used in both client and server xmls. Does this describe a symmetric
algorithm? Because the keys used are RSA keys (which is an asymmetric key)
These are the keys in question:
keytool -genkey -alias myservicekey -keyalg RSA -sigalg SHA1withRSA -keypass
skpass -storepass sspass -keystore serviceKeystore.jks -dname "cn=localhost"
keytool -genkey -alias myclientkey -keyalg RSA -sigalg SHA1withRSA -keypass
ckpass -storepass cspass -keystore clientKeystore.jks -dname "cn=clientuser"
keytool -genkey -alias myclient2key -keyalg RSA -sigalg SHA1withRSA -keypass
ck2pass -storepass cs2pass -keystore client2Keystore.jks -dname
"cn=client2user"

Am I missing a symmetric key to be transported by the RSA or what am I doing
wrong?


HELP!
-Martin
And thank you in advance.

-Although it's WSDL-first, link #14 (WS-SecPol method) might help you
-determine the Policy statements needed:
-http://www.jroller.com/gmazza/entry/blog_article_index

-Since you're doing Java-first you'll need to wire in the WS-Policy
-statements as described elsewhere (@Policy annotation).

-Glen

On 02/27/2012 01:53 PM, martin wrote:

> Thank you for your reply.
> I have been trying to find an example of how to write the policy.xml file.
> Do you know of any example i can use?
> Do I have to include namespaces in the policy file?
> Do I have to include something in other files beside the policy
> exceptions?
> Thank you for your time
>
>
>> Your wsdl doesn't contain any security policy fragments or anything to
>> define the security requirements. There are two options:
>> 1) Use the WSS4JInInterceptor documented at:
>> http://cxf.apache.org/docs/ws-security.html
>
>> 2) Create a WS-Policy document that describes the policy you want to
> enforce
>> and attach that to the service via something like the @Policy annotation
>> or
>> similar.
>> Dan
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/WS-Security-policy-not-being-enabled-in-CXF-tp5512888p5519791.html
> Sent from the cxf-user mailing list archive at Nabble.com.


-- 
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza


--
View this message in context: http://cxf.547215.n5.nabble.com/WS-Security-policy-not-being-enabled-in-CXF-tp5512888p5529180.html
Sent from the cxf-user mailing list archive at Nabble.com.
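
On the question above about encryptionSymAlgorithm and RSA keys: in the logged request the RSA key only wraps a one-off session key (xenc:EncryptedKey, rsa-1_5), and that session key encrypts the two xenc:EncryptedData blocks with tripledes-cbc. The following Python sketch is an added example, not code from the thread or from CXF; it walks a constructed, shortened message of the same shape (Ids and CipherValues are placeholders) and reports which certificate the key was wrapped for and whether every reference resolves.

```python
"""Map the EncryptedKey -> EncryptedData layout of a WS-Security request."""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"soap": SOAP, "wsse": WSSE, "xenc": XENC, "ds": DS}

# XML Encryption algorithm URIs, grouped by the job they do.
KEY_TRANSPORT = {XENC + "rsa-1_5", XENC + "rsa-oaep-mgf1p"}  # asymmetric: wraps the session key
BLOCK_CIPHER = {XENC + n for n in
                ("tripledes-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc")}  # symmetric: encrypts data

# Constructed sample, same structure as the outbound message in the post.
_ED = ('<xenc:EncryptedData Id="{id}" Type="' + XENC + '{type}">'
       '<xenc:EncryptionMethod Algorithm="' + XENC + 'tripledes-cbc"/>'
       '<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#EK-1"/>'
       '</wsse:SecurityTokenReference></ds:KeyInfo>'
       '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
       '</xenc:EncryptedData>')
SAMPLE = (
    '<soap:Envelope xmlns:soap="%s" xmlns:wsse="%s" xmlns:xenc="%s" xmlns:ds="%s">'
    % (SOAP, WSSE, XENC, DS)
    + '<soap:Header><wsse:Security><xenc:EncryptedKey Id="EK-1">'
    + '<xenc:EncryptionMethod Algorithm="' + XENC + 'rsa-1_5"/>'
    + '<ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>'
    + '<ds:X509IssuerName>CN=localhost</ds:X509IssuerName>'
    + '<ds:X509SerialNumber>1330071969</ds:X509SerialNumber>'
    + '</ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>'
    + '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>'
    + '<xenc:ReferenceList><xenc:DataReference URI="#ED-4"/>'
    + '<xenc:DataReference URI="#ED-5"/></xenc:ReferenceList></xenc:EncryptedKey>'
    + _ED.format(id="ED-4", type="Element")      # the encrypted ds:Signature
    + '</wsse:Security></soap:Header><soap:Body>'
    + _ED.format(id="ED-5", type="Content")      # the encrypted body content
    + '</soap:Body></soap:Envelope>'
)


def _algorithm(elem):
    """Return the Algorithm URI of elem's xenc:EncryptionMethod child, or None."""
    method = elem.find("xenc:EncryptionMethod", NS)
    return method.get("Algorithm") if method is not None else None


def describe(envelope_xml):
    """Summarise who the session key is wrapped for and what it encrypts."""
    root = ET.fromstring(envelope_xml)
    report = {"key_id": None, "key_transport": None, "recipient": None,
              "data": [], "problems": []}
    ek = root.find("soap:Header/wsse:Security/xenc:EncryptedKey", NS)
    if ek is None:
        report["problems"].append("no xenc:EncryptedKey in the wsse:Security header")
        return report

    report["key_id"] = ek.get("Id")
    report["key_transport"] = _algorithm(ek)
    if report["key_transport"] not in KEY_TRANSPORT:
        report["problems"].append("EncryptedKey does not use a key-transport algorithm")

    # The receiver looks up its private key by this issuer name + serial number.
    issuer = ek.findtext(".//ds:X509IssuerName", namespaces=NS)
    serial = ek.findtext(".//ds:X509SerialNumber", namespaces=NS)
    if issuer and serial:
        report["recipient"] = (issuer, serial)

    # Index every EncryptedData by Id, remembering where in the envelope it sits.
    found = {}
    for where in ("Header", "Body"):
        part = root.find("soap:" + where, NS)
        if part is None:
            continue
        for ed in part.iter("{%s}EncryptedData" % XENC):
            found[ed.get("Id")] = (where, ed)

    # Each DataReference must resolve to an EncryptedData keyed by this EncryptedKey.
    for ref in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
        ed_id = ref.get("URI", "").lstrip("#")
        if ed_id not in found:
            report["problems"].append("DataReference #%s has no EncryptedData" % ed_id)
            continue
        where, ed = found[ed_id]
        key_ref = ed.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
        key_uri = key_ref.get("URI", "").lstrip("#") if key_ref is not None else None
        alg = _algorithm(ed)
        if key_uri != report["key_id"]:
            report["problems"].append("%s is not keyed by %s" % (ed_id, report["key_id"]))
        if alg not in BLOCK_CIPHER:
            report["problems"].append("%s does not use a symmetric block cipher" % ed_id)
        report["data"].append({"id": ed_id, "in": where, "algorithm": alg,
                               "type": ed.get("Type", "").rsplit("#", 1)[-1]})
    return report


if __name__ == "__main__":
    for key, value in describe(SAMPLE).items():
        print(key, "=", value)
```

The reported recipient can be compared with the certificate under the service alias in `keytool -list -v -keystore serviceKeystore.jks`; keytool prints the serial number in hex, while X509SerialNumber in the message is decimal.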

Re: WS-Security policy not being enabled in CXF

Posted by Glen Mazza <gm...@talend.com>.
OK, I just downloaded and ran the sample from the tutorial (from 
scratch, everything new) on my machine and it worked fine after creating 
the keys and placing them in the locations specified in the tutorial.  
(Incidentally I just posted a small update to the download, it now uses 
CXF 2.5.2 instead of 2.4.2.)

Next, checking if there might have been a problem with your key 
creation, I created two or three sets of {client, server} keys and had 
some keys have the wrong client or server key in their respective 
truststores.  I wasn't able to duplicate your error message, instead for 
any type of wrong key what I would get is:

Mar 02, 2012 2:33:03 PM 
org.apache.cxf.interceptor.AbstractLoggingInterceptor log
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {connection=[close], Content-Length=[269], 
content-type=[text/xml;charset=UTF-8], Date=[Fri, 02 Mar 2012 19:33:03 
GMT], Server=[Apache-Coyote/1.1]}
Payload: <soap:Envelope 
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>General 
security error (No certificates were found for decryption 
(KeyId))</faultstring></soap:Fault></soap:Body></soap:Envelope>
--------------------------------------
Mar 02, 2012 2:33:03 PM 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
WARNING: Request does not contain Security header, but it's a fault.
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General 
security error (No certificates were found for decryption (KeyId))

Finally, I downgraded to the non-unlimited encryption in the JDK 
(shouldn't be required to do so) but that wasn't it either, the SOAP 
calls worked regardless of whether or not I was doing unlimited encryption.

Note I'm using JDK 7 and Tomcat 7, but the tutorial was written under 
JDK 6 / Tomcat 6 so it should work for both.  Also note, when you update 
the keys and place them in the location specified in the tutorial you 
need to run an mvn clean install for the client and a mvn clean install 
tomcat:redeploy so they move to the proper classpath locations.

Bottom line, I'm not sure why my tutorial download isn't working on your 
machine.  If you'd like, if you ZIP up my blog tutorial project (do an 
mvn clean first) but keep your sample keys in the project (assuming 
you're creating them just as in my blog entry) at the exact locations 
you're using, you can email it to me (glen dot mazza at gmail dot com) 
and I can run it on my machine to see if I can duplicate your error 
using exactly your code.  (Make sure you have no sensitive passwords or 
other config information within it.)

Glen





On 03/02/2012 12:25 PM, martin wrote:
> First: I am sorry for being a blind idiot. Of course it was there. I looked
> too many times to admit without finding it. Blech.
>
> Anyway I installed the doubleit example. Added the keystores (copy paste
> from the tutorial). And I am getting this message.
> Payload:<soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode
> xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode><faultstring>The
> signature or decryption was
> invalid</faultstring></soap:Fault></soap:Body></soap:Envelope>
>
>
> So the problem is here too. Please can anyone help me figure out what is
> wrong? I have tried multiple key combinations, and even tried using the same
> key combination in both ends.
>
> Whole dump:
>
> INFO: Outbound Message
> ---------------------------
> ID: 1
> Address: http://localhost:8080/doubleit/services/doubleit
> Encoding: UTF-8
> Content-Type: text/xml
> Headers: {Accept=[*/*], SOAPAction=[""]}
> Payload:<soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> soap:mustUnderstand="1"><xenc:EncryptedKey
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="EK-E35BA3DBFF70783C7813307086058634"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=localhost</ds:X509IssuerName><ds:X509SerialNumber>1330708376</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>QesYkLXIUhEuX1FjJEYL1+yZomYNq+9OGQiL/3oLBlvJdJE4E3aqCgVUeH2wjj7nmGf5H9Q8gNtNbMtF9/+k4H8fxMwaqOlK5TI01jb/qU0VfcBz3E+tanEeIiRn2z6SNRED3BMWeL5tJuA7f+jS7RmiPCeHOpDQDgyYkI3CCcY=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
> URI="#ED-4"/><xenc:DataReference
> URI="#ED-5"/></xenc:ReferenceList></xenc:EncryptedKey><xenc:EncryptedData
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4"
> Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference
> URI="#EK-E35BA3DBFF70783C7813307086058634"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>[...]</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><wsu:Timestamp
> wsu:Id="TS-1"><wsu:Created>2012-03-02T17:16:45.390Z</wsu:Created><wsu:Expires>2012-03-02T17:21:45.390Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="id-2"><xenc:EncryptedData
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-5"
> Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference
> URI="#EK-E35BA3DBFF70783C7813307086058634"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>YDdHFiDqFw9/4aYgINYNYcqshIJ85+neI6+HLCd25XADb31XFB/VrEd0m9alKSCMI38HCXIurEh3hoXXn/U64fenBiT4sZCbqK2Xoegs3kN5vUdZZj/B4ikyzRbaHwJRrvqJtx1j0Iep8ls0R1K7I83eYy96AQVWqlfcISVUFw4=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
> --------------------------------------
> Mar 2, 2012 6:16:46 PM org.apache.cxf.interceptor.AbstractLoggingInterceptor
> log
> INFO: Inbound Message
> ----------------------------
> ID: 1
> Response-Code: 500
> Encoding: UTF-8
> Content-Type: text/xml;charset=UTF-8
> Headers: {connection=[close], Content-Length=[332],
> content-type=[text/xml;charset=UTF-8], Date=[Fri, 02 Mar 2012 17:16:46 GMT],
> Server=[Apache-Coyote/1.1]}
> Payload:<soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode
> xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode><faultstring>The
> signature or decryption was
> invalid</faultstring></soap:Fault></soap:Body></soap:Envelope>
> --------------------------------------
> Mar 2, 2012 6:16:46 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
> handleMessage
> WARNING: Request does not contain Security header, but it's a fault.
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The
> signature or decryption was invalid
>          at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
>          at $Proxy35.doubleIt(Unknown Source)
>          at client.WSClient.doubleIt(WSClient.java:28)
>          at client.WSClient.main(WSClient.java:23)
> Caused by: org.apache.cxf.binding.soap.SoapFault: The signature or
> decryption was invalid
>          at
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
>          at
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
>          at
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
>          at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>          at
> org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:105)
>          at
> org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>          at
> org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>          at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>          at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:771)
>          at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1600)
>          at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1485)
>          at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1393)
>          at
> org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>          at
> org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188)
>          at
> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>          at
> org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:640)
>          at
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>          at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>          at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
>          at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
>          at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
>          at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
>          at
> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
>          at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>          ... 3 more
>
>
> ---Original Message---
>
>
> 2nd paragraph, from the top:
> http://www.jroller.com/gmazza/entry/cxf_x509_profile
>
> Glen
>
> On 03/02/2012 04:19 AM, martin wrote:
>
>> Hello again Glen
>>
>> I have control over the web service provider. I am running on a Tomcat
>> server on a local machine.
>>
>> I tried to reload the keys again thinking I made an error last time (I
>> only
>> used one client and one server key this time, just to be sure), but I am
>> still getting the exact same error.
>>
>> Lastly, you are saying that you put the entire example somewhere on your
>> blog, but I can't seem to find it. I might just be blind, but I have
>> looked
>> over the blog entry a couple of times now but I just can't find it. Can
>> you
>> tell me where it is?
> --
> View this message in context: http://cxf.547215.n5.nabble.com/WS-Security-policy-not-being-enabled-in-CXF-tp5512888p5531617.html
> Sent from the cxf-user mailing list archive at Nabble.com.


-- 
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza



Re: WS-Security policy not being enabled in CXF

Posted by martin <sk...@gmail.com>.
First: I am sorry for being a blind idiot. Of course it was there. I looked
too many times to admit without finding it. Blech.

Anyway I installed the doubleit example. Added the keystores (copy paste
from the tutorial). And I am getting this message.
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode
xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode><faultstring>The
signature or decryption was
invalid</faultstring></soap:Fault></soap:Body></soap:Envelope>


So the problem is here too. Please can anyone help me figure out what is
wrong? I have tried multiple key combinations, and even tried using the same
key combination in both ends.

Whole dump:

INFO: Outbound Message
---------------------------
ID: 1
Address: http://localhost:8080/doubleit/services/doubleit
Encoding: UTF-8
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=[""]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><xenc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="EK-E35BA3DBFF70783C7813307086058634"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=localhost</ds:X509IssuerName><ds:X509SerialNumber>1330708376</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>QesYkLXIUhEuX1FjJEYL1+yZomYNq+9OGQiL/3oLBlvJdJE4E3aqCgVUeH2wjj7nmGf5H9Q8gNtNbMtF9/+k4H8fxMwaqOlK5TI01jb/qU0VfcBz3E+tanEeIiRn2z6SNRED3BMWeL5tJuA7f+jS7RmiPCeHOpDQDgyYkI3CCcY=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
URI="#ED-4"/><xenc:DataReference
URI="#ED-5"/></xenc:ReferenceList></xenc:EncryptedKey><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4"
Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference
URI="#EK-E35BA3DBFF70783C7813307086058634"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue></xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><wsu:Timestamp
wsu:Id="TS-1"><wsu:Created>2012-03-02T17:16:45.390Z</wsu:Created><wsu:Expires>2012-03-02T17:21:45.390Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-2"><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-5"
Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference
URI="#EK-E35BA3DBFF70783C7813307086058634"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>YDdHFiDqFw9/4aYgINYNYcqshIJ85+neI6+HLCd25XADb31XFB/VrEd0m9alKSCMI38HCXIurEh3hoXXn/U64fenBiT4sZCbqK2Xoegs3kN5vUdZZj/B4ikyzRbaHwJRrvqJtx1j0Iep8ls0R1K7I83eYy96AQVWqlfcISVUFw4=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
--------------------------------------
Mar 2, 2012 6:16:46 PM org.apache.cxf.interceptor.AbstractLoggingInterceptor
log
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {connection=[close], Content-Length=[332],
content-type=[text/xml;charset=UTF-8], Date=[Fri, 02 Mar 2012 17:16:46 GMT],
Server=[Apache-Coyote/1.1]}
Payload: <soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode
xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode><faultstring>The
signature or decryption was
invalid</faultstring></soap:Fault></soap:Body></soap:Envelope>
--------------------------------------
Mar 2, 2012 6:16:46 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
WARNING: Request does not contain Security header, but it's a fault.
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The
signature or decryption was invalid
        at
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
        at $Proxy35.doubleIt(Unknown Source)
        at client.WSClient.doubleIt(WSClient.java:28)
        at client.WSClient.main(WSClient.java:23)
Caused by: org.apache.cxf.binding.soap.SoapFault: The signature or
decryption was invalid
        at
org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
        at
org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
        at
org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at
org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:105)
        at
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
        at
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:771)
        at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1600)
        at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1485)
        at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1393)
        at
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
        at
org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188)
        at
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
        at
org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:640)
        at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
        at
org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
        at
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        ... 3 more


---Original Message---


2nd paragraph, from the top:
http://www.jroller.com/gmazza/entry/cxf_x509_profile

Glen

On 03/02/2012 04:19 AM, martin wrote:

> Hello again Glen
>
> I have control over the web service provider. I am running on a Tomcat
> server on a local machine.
>
> I tried to reload the keys again thinking I made an error last time (I only
> used one client and one server key this time, just to be sure), but I am
> still getting the exact same error.
>
> Lastly, you are saying that you put the entire example somewhere on your
> blog, but I can't seem to find it. I might just be blind, but I have looked
> over the blog entry a couple of times now but I just can't find it. Can you
> tell me where it is?


Re: WS-Security policy not being enabled in CXF

Posted by Glen Mazza <gm...@talend.com>.
2nd paragraph, from the top: 
http://www.jroller.com/gmazza/entry/cxf_x509_profile

Glen

On 03/02/2012 04:19 AM, martin wrote:
> Hello again Glen
>
> I have control over the web service provider. I am running on a Tomcat
> server on a local machine.
>
> I tried to reload the keys again thinking I made an error last time (I only
> used one client and one server key this time, just to be sure), but I am
> still getting the exact same error.
>
> Lastly, you are saying that you put the entire example somewhere on your
> blog, but I can't seem to find it. I might just be blind, but I have looked
> over the blog entry a couple of times now but I just can't find it. Can you
> tell me where it is?
>
>
>
>> Do you have control over the web service provider, or it's external and
>> you're only building a client?
>> I provided the source code in that blog entry, you might wish to
>> download and at least confirm *that* works, then it's an issue of trying
>> to extrapolate why my client's OK but yours is having problems (of
>> course, the fact that you're using a different web service provider that
>> might have some peculiar requirements is probably going to be the source
>> of the problem.)  Using Wireshark
>> (http://www.jroller.com/gmazza/entry/soap_calls_over_wireshark) can also
>> help with your debugging a bit, by making it clearer where the error
>> messages are coming from.
>> It appears the "The signature or decryption was invalid" message came
>> from the web service provider, that might mean the service has the wrong
>> client public key in its truststore (when it tried to validate the
>> client's signature, it's comparing it with the wrong public key) or, if
>> you're using asymmetric (2-key) binding, your client has the wrong
>> public key of the service (The client encrypted the message with the
>> wrong public key and hence the decryption failure when the service tried
>> to decrypt it with its private key.)
>> Finally, one of the keys you mentioned below:
>> keytool -genkey -alias myclient2key -keyalg RSA -sigalg SHA1withRSA -keypass
>> ck2pass -storepass cs2pass -keystore client2Keystore.jks -dname
>> Is unnecessary, it was placed in the tutorial for educational purposes only.
>
>> HTH,
>> Glen
> --
> View this message in context: http://cxf.547215.n5.nabble.com/WS-Security-policy-not-being-enabled-in-CXF-tp5512888p5530444.html
> Sent from the cxf-user mailing list archive at Nabble.com.


-- 
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza


Re: WS-Security policy not being enabled in CXF

Posted by martin <sk...@gmail.com>.
Hello again Glen

I have control over the web service provider. I am running on a Tomcat
server on a local machine.

I tried to reload the keys again thinking I made an error last time (I only
used one client and one server key this time, just to be sure), but I am
still getting the exact same error.

Lastly, you are saying that you put the entire example somewhere on your
blog, but I can't seem to find it. I might just be blind, but I have looked
over the blog entry a couple of times now but I just can't find it. Can you
tell me where it is?



>Do you have control over the web service provider, or it's external and
>you're only building a client?

>I provided the source code in that blog entry, you might wish to
>download and at least confirm *that* works, then it's an issue of trying
>to extrapolate why my client's OK but yours is having problems (of
>course, the fact that you're using a different web service provider that
>might have some peculiar requirements is probably going to be the source
>of the problem.)  Using Wireshark
>(http://www.jroller.com/gmazza/entry/soap_calls_over_wireshark) can also
>help with your debugging a bit, by making it clearer where the error
>messages are coming from.

>It appears the "The signature or decryption was invalid" message came
>from the web service provider, that might mean the service has the wrong
>client public key in its truststore (when it tried to validate the
>client's signature, it's comparing it with the wrong public key) or, if
>you're using asymmetric (2-key) binding, your client has the wrong
>public key of the service (The client encrypted the message with the
>wrong public key and hence the decryption failure when the service tried
>to decrypt it with its private key.)

>Finally, one of the keys you mentioned below:

>keytool -genkey -alias myclient2key -keyalg RSA -sigalg SHA1withRSA -keypass
>ck2pass -storepass cs2pass -keystore client2Keystore.jks -dname

>Is unnecessary, it was placed in the tutorial for educational purposes only.

>HTH,
>Glen 


Re: WS-Security policy not being enabled in CXF

Posted by Glen Mazza <gm...@talend.com>.
Do you have control over the web service provider, or it's external and 
you're only building a client?

I provided the source code in that blog entry, you might wish to 
download and at least confirm *that* works, then it's an issue of trying 
to extrapolate why my client's OK but yours is having problems (of 
course, the fact that you're using a different web service provider that 
might have some peculiar requirements is probably going to be the source 
of the problem.)  Using Wireshark 
(http://www.jroller.com/gmazza/entry/soap_calls_over_wireshark) can also 
help with your debugging a bit, by making it clearer where the error 
messages are coming from.

It appears the "The signature or decryption was invalid" message came 
from the web service provider, that might mean the service has the wrong 
client public key in its truststore (when it tried to validate the 
client's signature, it's comparing it with the wrong public key) or, if 
you're using asymmetric (2-key) binding, your client has the wrong 
public key of the service (The client encrypted the message with the 
wrong public key and hence the decryption failure when the service tried 
to decrypt it with its private key.)

Finally, one of the keys you mentioned below:

keytool -genkey -alias myclient2key -keyalg RSA -sigalg SHA1withRSA -keypass
ck2pass -storepass cs2pass -keystore client2Keystore.jks -dname

Is unnecessary, it was placed in the tutorial for educational purposes only.

HTH,
Glen

On 03/01/2012 03:46 PM, martin wrote:
>
>
> Hello again. I have used the tutorial found here to implement security now
> (Favouring interceptors instead of WS security policy):
> http://www.jroller.com/gmazza/entry/cxf_x509_profile
>
>
> This has activated encryption on the service as far as I can see, as the old
> client now complains over missing security headers as such:
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: An error
> was discovered processing the <wsse:Security> header
>
> So far so good.
>
> But then I tried building the client from the tutorial and that didn't work
> as well. (by the way very good tutorial, I really got a good idea of how
> interceptors work)
>
> I did not use the tutorial 1-1 but I used it to modify my own functioning
> web service. This is the error I am getting:
> Mar 1, 2012 9:28:25 PM
> org.springframework.beans.factory.xml.XmlBeanDefinitionReader
> loadBeanDefinitions
> INFO: Loading XML bean definitions from class path resource
> [orgserver/common/Resources/Client.xml]
> Mar 1, 2012 9:28:26 PM
> org.apache.cxf.service.factory.ReflectionServiceFactoryBean
> buildServiceFromClass
> INFO: Creating Service {http://localhost:8080/}SEILoginService from class
> orgserver.services.interfaces.SEILogin
> Mar 1, 2012 9:28:27 PM
> org.apache.cxf.services.SEILoginService.LoginServicePort.LoginService
> INFO: Outbound Message
> ---------------------------
> ID: 1
> Address: http://localhost:8080/LoginService/services/Login
> Encoding: UTF-8
> Content-Type: text/xml
> Headers: {Accept=[*/*], SOAPAction=[""]}
> Payload:<soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> soap:mustUnderstand="1"><xenc:EncryptedKey
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="EK-4C079C7FA871DAB16E13306337076504"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=localhost</ds:X509IssuerName><ds:X509SerialNumber>1330071969</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>D+6WuPyhXg+UwVDaZhzGOoHp10+Ob7NRaQk9Wtjw9DRBswI7GYpzEfZx5NBE0JMy/Znz8lIgVdlF9+REC1vsarYtgWe1rCKfaZAXZQnzzzdbEw2uD6ilhng5JSS/YITrfZOcDXiHB/bKtOf9ETPJHTTuauzc0FZsYLT6tCEgEu0=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
> URI="#ED-4"/><xenc:DataReference
> URI="#ED-5"/></xenc:ReferenceList></xenc:EncryptedKey><xenc:EncryptedData
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4"
> Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference
> URI="#EK-4C079C7FA871DAB16E13306337076504"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue></xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><wsu:Timestamp
> wsu:Id="TS-1"><wsu:Created>2012-03-01T20:28:27.357Z</wsu:Created><wsu:Expires>2012-03-01T20:33:27.357Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="id-2"><xenc:EncryptedData
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-5"
> Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference
> URI="#EK-4C079C7FA871DAB16E13306337076504"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>VzTHmncSp9ky9+P/nhJQyY3Zn0iGtswtdyrp1VDOvyAxNmeTlTBsRBR1fHOdo7CCmWF8PhNfRHdhfFq7x0+hg/yteIpIyGHCOw2P68n5+kN8nb6EwEZmITrFKJBs0HDzFWVRuExWrByv1xLTi/1LEAiiXdRkygFwhyRDJ1fcRFk=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
> --------------------------------------
> Mar 1, 2012 9:28:27 PM
> org.apache.cxf.services.SEILoginService.LoginServicePort.LoginService
> INFO: Inbound Message
> ----------------------------
> ID: 1
> Response-Code: 500
> Encoding: UTF-8
> Content-Type: text/xml;charset=UTF-8
> Headers: {connection=[close], Content-Length=[332],
> content-type=[text/xml;charset=UTF-8], Date=[Thu, 01 Mar 2012 20:28:27 GMT],
> Server=[Apache-Coyote/1.1]}
> Payload:<soap:Envelope
> xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode
> xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode><faultstring>The
> signature or decryption was
> invalid</faultstring></soap:Fault></soap:Body></soap:Envelope>
> --------------------------------------
> Mar 1, 2012 9:28:27 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
> handleMessage
> WARNING: Request does not contain Security header, but it's a fault.
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The
> signature or decryption was invalid
>          at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
>          at $Proxy34.Validate(Unknown Source)
>          at orgserver.clienttest.EncClient.Validate(EncClient.java:32)
>          at orgserver.clienttest.EncClient.main(EncClient.java:27)
> Caused by: org.apache.cxf.binding.soap.SoapFault: The signature or
> decryption was invalid
>          at
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
>          at
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
>          at
> org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
>          at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>          at
> org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
>          at
> org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>          at
> org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>          at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>          at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:799)
>          at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1627)
>          at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1494)
>          at
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1402)
>          at
> org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>          at
> org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:195)
>          at
> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>          at
> org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:649)
>          at
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>          at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>          at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533)
>          at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
>          at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
>          at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
>          at
> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
>          at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>          ... 3 more
> Java Result: 1
> BUILD SUCCESSFUL (total time: 2 seconds)
>
>
>
> I'm sorry for the long ugly post, but I don't want to omit anything. But the
> issue here seems to be that the server sends a soapfault back complaining
> over the signature or encryption method. This seems to indicate that the
> client encryption/signing does not match the server.
>
> Client XML
> <beans xmlns="http://www.springframework.org/schema/beans"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xmlns:jaxws="http://cxf.apache.org/jaxws"
>        xmlns:http="http://cxf.apache.org/transports/http/configuration"
>         xsi:schemaLocation="http://www.springframework.org/schema/beans
>            http://www.springframework.org/schema/beans/spring-beans.xsd
>            http://cxf.apache.org/jaxws
>            http://cxf.apache.org/schemas/jaxws.xsd">
>
>     <bean id="client" class="orgserver.services.interfaces.SEILogin"
>          factory-bean="clientFactory" factory-method="create"/>
>
>     <bean id="clientFactory"
> class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
>       <property name="serviceClass"
> value="orgserver.services.interfaces.SEILogin"/>
>       <property name="address"
> value="http://localhost:8080/LoginService/services/Login"/>
>         <property name="inInterceptors">
>           <list>
>              <ref bean="TimestampSignEncrypt_Response"/>
>           </list>
>         </property>
>         <property name="outInterceptors">
>           <list>
>              <ref bean="TimestampSignEncrypt_Request"/>
>           </list>
>         </property>
>     </bean>
>
>
>      <bean
>          class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
>          id="TimestampSignEncrypt_Request">
>          <constructor-arg>
>              <map>
>                  <entry key="action" value="Timestamp Signature Encrypt"/>
>                  <entry key="user" value="myclientkey"/>
>                  <entry key="signaturePropFile"
> value="orgserver/common/Resources/clientKeystore.properties"/>
>                  <entry key="encryptionPropFile"
> value="orgserver/common/Resources/clientKeystore.properties"/>
>                  <entry key="encryptionUser" value="myservicekey"/>
>                  <entry key="passwordCallbackClass"
> value="orgserver.clienttest.ClientPasswordCallback"/>
>                  <entry key="signatureParts"
> value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>                  <entry key="encryptionParts"
> value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>                  <entry key="encryptionSymAlgorithm"
> value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>              </map>
>          </constructor-arg>
>      </bean>
>
>
>      <bean
>          class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
>          id="TimestampSignEncrypt_Response">
>          <constructor-arg>
>              <map>
>                  <entry key="action" value="Timestamp Signature Encrypt"/>
>                  <entry key="signaturePropFile"
> value="orgserver/common/Resources/clientKeystore.properties"/>
>                  <entry key="decryptionPropFile"
> value="orgserver/common/Resources/clientKeystore.properties"/>
>                  <entry key="passwordCallbackClass"
> value="orgserver.clienttest.ClientPasswordCallback"/>
>              </map>
>          </constructor-arg>
>      </bean>
>
> </beans>
>
> Server XML
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:jaxws="http://cxf.apache.org/jaxws"
>        xmlns:soap="http://cxf.apache.org/bindings/soap"
>        xsi:schemaLocation="
>           http://www.springframework.org/schema/beans
>           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>           http://cxf.apache.org/jaxws
>           http://cxf.apache.org/schemas/jaxws.xsd">
>
>
>      <jaxws:endpoint
>          id="LoginService"
>          implementor="orgserver.services.Login"
>          address="/Login">
>
>           <jaxws:outInterceptors>
>               <ref bean="TimestampSignEncrypt_Response"/>
>           </jaxws:outInterceptors>
>           <jaxws:inInterceptors>
>               <ref bean="TimestampSignEncrypt_Request"/>
>           </jaxws:inInterceptors>
>
>      </jaxws:endpoint>
>
>
>      <bean
>          id="TimestampSignEncrypt_Request"
>          class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
>          >
>          <constructor-arg>
>              <map>
>                  <entry key="action" value="Timestamp Signature Encrypt"/>
>                  <entry key="signaturePropFile"
> value="server-crypto.properties"/>
>                  <entry key="decryptionPropFile"
> value="server-crypto.properties"/>
>                  <entry key="passwordCallbackClass"
> value="orgserver.common.services.ServerCallback"/>
>              </map>
>          </constructor-arg>
>      </bean>
>
>
>      <bean
>          id="TimestampSignEncrypt_Response"
>          class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
>          >
>          <constructor-arg>
>              <map>
>                  <entry key="action" value="Timestamp Signature Encrypt"/>
>                  <entry key="user" value="myservicekey"/>
>                  <entry key="signaturePropFile"
> value="server-crypto.properties"/>
>                  <entry key="encryptionPropFile"
> value="server-crypto.properties"/>
>                  <entry key="encryptionUser" value="useReqSigCert"/>
>                  <entry key="passwordCallbackClass"
> value="orgserver.common.services.ServerCallback"/>
>                  <entry key="signatureParts"
> value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>                  <entry key="encryptionParts"
> value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>                  <entry key="encryptionSymAlgorithm"
> value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>              </map>
>          </constructor-arg>
>      </bean>
> </beans>
>
>
> Client callback
> public ClientPasswordCallback() {
>          passwords.put("myclientkey", "ckpass");
>      }
>
> Server Callback
> public ServerCallback() {
>          passwords.put("myservicekey", "skpass");
>      }
>
> Server-Crypto
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.file=serviceKeystore.jks
> org.apache.ws.security.crypto.merlin.keystore.password=sspass
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey
>
>
> Client-Crypto
> org.apache.ws.security.crypto.merlin.keystore.file=clientKeystore.jks
> org.apache.ws.security.crypto.merlin.keystore.password=cspass
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.alias=myclientkey
>
>
> I have made certain that all the files are where they are supposed to be
> (And they do throw exceptions if I move them, I checked). I have used the
> key tool as described in the tutorial, I shamelessly copied/pasted into my
> terminal.
>
> Can anyone see my problem? The only alarm bell I see is the tag
> <entry key="encryptionSymAlgorithm"
> value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
> used in both client and server xmls. Does this describe a symmetric
> algorithm? Because the keys used are RSA keys (which is an asymmetric key)
> These are the keys in question:
> keytool -genkey -alias myservicekey -keyalg RSA -sigalg SHA1withRSA -keypass
> skpass -storepass sspass -keystore serviceKeystore.jks -dname "cn=localhost"
> keytool -genkey -alias myclientkey -keyalg RSA -sigalg SHA1withRSA -keypass
> ckpass -storepass cspass -keystore clientKeystore.jks -dname "cn=clientuser"
> keytool -genkey -alias myclient2key -keyalg RSA -sigalg SHA1withRSA -keypass
> ck2pass -storepass cs2pass -keystore client2Keystore.jks -dname
> "cn=client2user"
>
> Am I missing a symmetric key to be transported by the RSA or what am I doing
> wrong?
>
>
> HELP!
> -Martin
> And thank you in advance.
>
> -Although it's WSDL-first, link #14 (WS-SecPol method) might help you
> -determine the Policy statements needed:
> -http://www.jroller.com/gmazza/entry/blog_article_index
>
> -Since you're doing Java-first you'll need to wire in the WS-Policy
> -statements as described elsewhere (@Policy annotation).
>
> -Glen
>
> On 02/27/2012 01:53 PM, martin wrote:
>
>> Thank you for your reply.
>> I have been trying to find an example of how to write the policy.xml file.
>> Do you know of any example I can use?
>> Do I have to include namespaces in the policy file?
>> Do I have to include something in other files beside the policy
>> exceptions?
>> Thank you for your time
>>
>>
>>> Your wsdl doesn't contain any security policy fragments or anything to
>>> define the security requirements. There are two options:
>>> 1) Use the WSS4JInInterceptor documented at:
>>> http://cxf.apache.org/docs/ws-security.html
>>> 2) Create a WS-Policy document that describes the policy you want to enforce
>>> and attach that to the service via something like the @Policy annotation or
>>> similar.
>>> Dan
>> --
>> View this message in context:
>> http://cxf.547215.n5.nabble.com/WS-Security-policy-not-being-enabled-in-CXF-tp5512888p5519791.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>
>


-- 
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
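
Added example, not part of the thread: both the diagnosis above (the client encrypting to the wrong service public key) and the question about the tripledes-cbc setting can be checked against the logged request. This Python sketch parses a trimmed copy of that request (structure and identifiers taken from the log, CipherValue contents replaced by placeholders, Timestamp omitted) and reports which certificate the RSA-wrapped session key is addressed to and which blocks that key encrypts; the function and field names are this example's own.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Shared inner part of each EncryptedData block; the CipherValue is a placeholder.
_ED_BODY = (
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>'
    '<ds:KeyInfo><wsse:SecurityTokenReference>'
    '<wsse:Reference URI="#EK-4C079C7FA871DAB16E13306337076504"/>'
    '</wsse:SecurityTokenReference></ds:KeyInfo>'
    '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
)

# Constructed sample: trimmed from the outbound message logged in the thread.
SAMPLE = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
    xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
 <soap:Header><wsse:Security soap:mustUnderstand="1">
  <xenc:EncryptedKey Id="EK-4C079C7FA871DAB16E13306337076504">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
   <ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
    <ds:X509IssuerName>CN=localhost</ds:X509IssuerName>
    <ds:X509SerialNumber>1330071969</ds:X509SerialNumber>
   </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList>
    <xenc:DataReference URI="#ED-4"/><xenc:DataReference URI="#ED-5"/>
   </xenc:ReferenceList>
  </xenc:EncryptedKey>
  <xenc:EncryptedData Id="ED-4" Type="http://www.w3.org/2001/04/xmlenc#Element">{_ED_BODY}</xenc:EncryptedData>
 </wsse:Security></soap:Header>
 <soap:Body>
  <xenc:EncryptedData Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Content">{_ED_BODY}</xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>"""


def _fragment(uri):
    """Return the part of an algorithm/type URI after '#', or None."""
    return uri.rsplit("#", 1)[-1] if uri else None


def describe_encryption(envelope_xml):
    """Summarise every xenc:EncryptedKey in the wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        # e.g. the SOAP fault the service sent back carries no Security header
        raise ValueError("envelope has no wsse:Security header")

    ed_tag = "{%s}EncryptedData" % NS["xenc"]
    by_id = {e.get("Id"): e for e in root.iter(ed_tag)}
    in_header = {e.get("Id") for e in root.find("soap:Header", NS).iter(ed_tag)}

    reports = []
    for ek in security.findall("xenc:EncryptedKey", NS):
        method = ek.find("xenc:EncryptionMethod", NS)
        issuer = ek.findtext(".//ds:X509IssuerName", default=None, namespaces=NS)
        serial_text = ek.findtext(".//ds:X509SerialNumber", default=None, namespaces=NS)
        # Other key identifier styles carry no issuer/serial; report None then.
        serial = int(serial_text.strip()) if serial_text else None

        blocks = []
        for ref in ek.findall("xenc:ReferenceList/xenc:DataReference", NS):
            target = ref.get("URI", "").lstrip("#")
            ed = by_id.get(target)
            if ed is None:  # dangling reference: nothing carries this Id
                blocks.append({"id": target, "resolved": False})
                continue
            back = ed.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:Reference", NS)
            ed_method = ed.find("xenc:EncryptionMethod", NS)
            blocks.append({
                "id": target,
                "resolved": True,
                "location": "header" if target in in_header else "body",
                "type": _fragment(ed.get("Type")),
                # symmetric cipher applied to the data itself
                "algorithm": _fragment(ed_method.get("Algorithm")) if ed_method is not None else None,
                # does the block point back at this wrapped session key?
                "uses_this_key": back is not None and back.get("URI") == "#" + ek.get("Id"),
            })

        reports.append({
            "key_id": ek.get("Id"),
            # asymmetric algorithm that wraps the session key for the recipient
            "key_transport": _fragment(method.get("Algorithm")) if method is not None else None,
            "recipient_issuer": issuer.strip() if issuer else None,
            "recipient_serial_dec": serial,
            "recipient_serial_hex": format(serial, "x") if serial is not None else None,
            "blocks": blocks,
        })
    return reports


if __name__ == "__main__":
    for report in describe_encryption(SAMPLE):
        print(report)
```

`keytool -list -v` prints certificate serial numbers in hexadecimal, so compare `recipient_serial_hex`, not the decimal value in the message, against the entry the service decrypts with.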