Posted to users@cxf.apache.org by Łukasz Toboła <lu...@gmail.com> on 2014/10/31 16:21:10 UTC

possible wss4j bug?

We have a Kerberos token profile web service implemented - a modified
wcftestservice example in .NET.
The .NET client is working now - we had to fix the SPN on the service.

service wsdl
http://pastebin.com/eFHyCDFv

c:\windows\krb5.ini - so I don't have to set the location
http://pastebin.com/QsYnUy7t

c:\kerberos\login.conf
http://pastebin.com/guAuri0z

client code uses wsdl2java generated code (not included)
http://pastebin.com/KDrWdqZE

Resulting in actually getting the right ticket, but the code can't handle it
- not sure why
http://i.imgur.com/H2WGrdU.jpg

and stack trace
http://pastebin.com/rP5BcbpB

Am I missing something (parameter not set / doing something wrong) or is there
a bug?

Generally it fails inside the KerberosSecurity class:

    Key sessionKey = krbCtx.getSecretKey();
    if (sessionKey != null) {
        this.secretKey = new SecretKeySpec(sessionKey.getEncoded(),
                                           sessionKey.getAlgorithm());
    } else {
        // <<< this returns null most likely
        KerberosTicket serviceTicket = getKerberosTicket(clientSubject, tgt);
        // <<< here NullPointerException then
        this.secretKey = serviceTicket.getSessionKey();
    }

Regards
Lucas Tobola

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
3.0.2; we are restricted to 1.6 (1.6.0_37).
Can installing that additional Java cryptography which the wss4j trunk tests
require break things?
This is the only thing that comes to my mind - I didn't revert it so far.



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750550.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Strange, it appears that there is no TGT credential available. What version
of CXF are you using?

Colm.

On Fri, Oct 31, 2014 at 3:21 PM, Łukasz Toboła <lu...@gmail.com>
wrote:

> We have kerberos token profile web service implemented - modified
> wcftestservice example in .net.
> .net client is working now - we had to fix spn on service
>
> service wsdl
> http://pastebin.com/eFHyCDFv
>
> c:\windows\krb5.ini - so i don't have to set location
> http://pastebin.com/QsYnUy7t
>
> c:\kerberos\login.conf
> http://pastebin.com/guAuri0z
>
> client code uses wsdl2java generated code(not included)
> http://pastebin.com/KDrWdqZE
>
> Resulting in actually getting the right ticket but the code can't handle it
> - not sure why
> http://i.imgur.com/H2WGrdU.jpg
>
> and stactrace
> http://pastebin.com/rP5BcbpB
>
> Am i missing something(parameter not set/doing something wrong) or is there
> a bug?
>
> Generally it fails inside KerberosSecurity class
> Key sessionKey = krbCtx.getSecretKey();
> if (sessionKey != null)
> {
> this.secretKey = new SecretKeySpec(sessionKey.getEncoded(),
> sessionKey.getAlgorithm());
> }
> else
> {
>   KerberosTicket serviceTicket = getKerberosTicket(clientSubject, tgt); <<<
> this returns null most likely
> this.secretKey = serviceTicket.getSessionKey(); <<<here nullpointer then
> }
>
> Regards
> Lucas Tobola
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
The issue is solved - I had a bad wss4j jar (built one with my "debug"
changes).
I might have other questions, but those will be rather performance/Tomcat
setup related and not in this topic.

Thank you, Colm, for the support and bug fixes ;).

Regards
Lucas




Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok, looks like BouncyCastle is kicking in ok. I'm not seeing any WSS4J logs
yet in that output though...

Could you put a breakpoint in the "getKerberosTicket" method here? How many
credentials are in the "privateCredentials" set?

http://svn.apache.org/viewvc/webservices/wss4j/tags/wss4j-2.0.2/ws-security-dom/src/main/java/org/apache/wss4j/dom/message/token/KerberosSecurity.java?view=markup

Colm.

On Wed, Nov 26, 2014 at 9:15 AM, tobee <lu...@gmail.com> wrote:

> In order to do wss4j logging you need this:
>
> http://www.slf4j.org/manual.html
> "To switch logging frameworks, just replace slf4j bindings on your class
> path. For example, to switch from java.util.logging to log4j, just replace
> slf4j-jdk14-1.7.7.jar with slf4j-log4j12-1.7.7.jar."
>
> While cxf picks META-INF/cxf/org.apache.cxf.Logger it doesn't impact wss4j
> in any way.
> Replacing this jar did the trick.
> Can check if removing META-INF/cxf/org.apache.cxf.Logger will work for
> both.
>
> also added System.setProperty("log4j.configuration","log4j.properties"); -
> not required most likely unless you move the file to some specific folder.
>
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider STRTransform
> was added at position: 10
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider STRTransform
> was added at position: 10
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider STRTransform
> was added at position: 10
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
> AttachmentContentSignatureTransform was added at position: 11
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
> AttachmentContentSignatureTransform was added at position: 11
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
> AttachmentContentSignatureTransform was added at position: 11
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
> AttachmentCompleteSignatureTransform was added at position: 12
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
> AttachmentCompleteSignatureTransform was added at position: 12
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
> AttachmentCompleteSignatureTransform was added at position: 12
> 2014-11-26 10:01:39 DEBUG ResourceResolver:247 - Registered resolver:
> org.apache.wss4j.dom.resolvers.ResolverAttachment@1cdfd19
> 2014-11-26 10:01:39 DEBUG ResourceResolver:247 - Registered resolver:
> org.apache.wss4j.dom.resolvers.ResolverAttachment@1cdfd19
> 2014-11-26 10:01:39 DEBUG WSS4JResourceBundle:52 - Can't find bundle for
> base name org/apache/xml/security/resource/xmlsecurity, locale pl_PL
> 2014-11-26 10:01:39 DEBUG WSS4JResourceBundle:52 - Can't find bundle for
> base name org/apache/xml/security/resource/xmlsecurity, locale pl_PL
> 2014-11-26 10:01:39 DEBUG WSS4JResourceBundle:52 - Can't find bundle for
> base name org/apache/xml/security/resource/xmlsecurity, locale pl_PL
> 2014-11-26 10:01:39 DEBUG Init:111 - Registering default algorithms
> 2014-11-26 10:01:39 DEBUG Init:111 - Registering default algorithms
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider ApacheXMLDSig
> - 2.02 was added at position: 2
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider ApacheXMLDSig
> - 2.02 was added at position: 2
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider ApacheXMLDSig
> - 2.02 was added at position: 2
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider BC - 1.51 was
> added at position: 2
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider BC - 1.51 was
> added at position: 2
> 2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider BC - 1.51 was
> added at position: 2
>
> Full debug with WSProviderConfig entries:
> http://pastebin.com/8Z4ueYn7
>
>
>
>
>



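Colm's question above is about what the Subject's private credential set actually holds. The following is an added diagnostic, not code from the thread or from WSS4J; it assumes a login.conf entry named "Client" that obtains a TGT (the entry name is an assumption) and reports every KerberosTicket the JAAS login placed in the Subject, which is what the fallback branch of KerberosSecurity quoted at the top of the thread depends on.

```java
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added diagnostic (not WSS4J code): log in through JAAS and report what the
 * resulting Subject carries in its private credential set. The fallback branch
 * in KerberosSecurity needs a KerberosTicket there; when no usable ticket is
 * present, getKerberosTicket() returns null and the following getSessionKey()
 * call is the NullPointerException described in the thread.
 */
public class KerberosCredentialCheck {

    /** Summary of one Subject's private credentials. */
    public static final class Summary {
        public int total;             // everything in getPrivateCredentials()
        public int tickets;           // how many of those are KerberosTickets
        public boolean tgt;           // a krbtgt/... ticket is present
        public boolean serviceTicket; // a non-TGT ticket is present
        public StringBuilder report = new StringBuilder();
    }

    public static Summary inspect(Subject subject) {
        Summary s = new Summary();
        Set<Object> creds = subject.getPrivateCredentials();
        s.total = creds.size();
        for (Object c : creds) {
            if (!(c instanceof KerberosTicket)) {
                // e.g. a KerberosKey from a keytab login; not a ticket
                s.report.append("  other credential: ")
                        .append(c.getClass().getName()).append('\n');
                continue;
            }
            KerberosTicket t = (KerberosTicket) c;
            s.tickets++;
            String server = t.getServer().getName();
            boolean isTgt = server.startsWith("krbtgt/");
            if (isTgt) { s.tgt = true; } else { s.serviceTicket = true; }
            s.report.append(isTgt ? "  TGT            : " : "  service ticket : ")
                    .append(server)
                    .append("  client=").append(t.getClient().getName())
                    .append("  etype=").append(t.getSessionKeyType())
                    .append("  current=").append(t.isCurrent())
                    .append("  expires=").append(t.getEndTime())
                    .append('\n');
        }
        if (s.tickets == 0) {
            s.report.append("  no KerberosTicket at all: check the login.conf entry "
                    + "(useTicketCache / keytab) and that the TGT was really obtained\n");
        } else if (!s.serviceTicket) {
            s.report.append("  only a TGT: the fallback in KerberosSecurity looks for a "
                    + "service ticket, so no session key can be taken from here\n");
        }
        return s;
    }

    public static void main(String[] args) throws LoginException {
        // Entry name in login.conf is an assumption; point the JVM at the file with
        // -Djava.security.auth.login.config=c:\kerberos\login.conf
        String entry = args.length > 0 ? args[0] : "Client";
        LoginContext lc = new LoginContext(entry);
        lc.login();
        Summary s = inspect(lc.getSubject());
        System.out.println("private credentials: " + s.total
                + " (KerberosTickets: " + s.tickets + ")");
        System.out.print(s.report);
    }
}
```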

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
In order to do wss4j logging you need this:

http://www.slf4j.org/manual.html
"To switch logging frameworks, just replace slf4j bindings on your class
path. For example, to switch from java.util.logging to log4j, just replace
slf4j-jdk14-1.7.7.jar with slf4j-log4j12-1.7.7.jar."

While CXF picks up META-INF/cxf/org.apache.cxf.Logger, it doesn't affect wss4j
in any way.
Replacing this jar did the trick.
I can check whether removing META-INF/cxf/org.apache.cxf.Logger will work for both.

I also added System.setProperty("log4j.configuration","log4j.properties"); -
most likely not required unless you move the file to some specific folder.

2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider STRTransform
was added at position: 10
2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider STRTransform
was added at position: 10
2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider STRTransform
was added at position: 10
2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
AttachmentContentSignatureTransform was added at position: 11
2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
AttachmentContentSignatureTransform was added at position: 11
2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
AttachmentContentSignatureTransform was added at position: 11
2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
AttachmentCompleteSignatureTransform was added at position: 12
2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
AttachmentCompleteSignatureTransform was added at position: 12
2014-11-26 10:01:39 DEBUG WSProviderConfig:346 - The provider
AttachmentCompleteSignatureTransform was added at position: 12
2014-11-26 10:01:39 DEBUG ResourceResolver:247 - Registered resolver:
org.apache.wss4j.dom.resolvers.ResolverAttachment@1cdfd19
2014-11-26 10:01:39 DEBUG ResourceResolver:247 - Registered resolver:
org.apache.wss4j.dom.resolvers.ResolverAttachment@1cdfd19
2014-11-26 10:01:39 DEBUG WSS4JResourceBundle:52 - Can't find bundle for
base name org/apache/xml/security/resource/xmlsecurity, locale pl_PL
2014-11-26 10:01:39 DEBUG WSS4JResourceBundle:52 - Can't find bundle for
base name org/apache/xml/security/resource/xmlsecurity, locale pl_PL
2014-11-26 10:01:39 DEBUG WSS4JResourceBundle:52 - Can't find bundle for
base name org/apache/xml/security/resource/xmlsecurity, locale pl_PL
2014-11-26 10:01:39 DEBUG Init:111 - Registering default algorithms
2014-11-26 10:01:39 DEBUG Init:111 - Registering default algorithms
2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider ApacheXMLDSig
- 2.02 was added at position: 2
2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider ApacheXMLDSig
- 2.02 was added at position: 2
2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider ApacheXMLDSig
- 2.02 was added at position: 2
2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider BC - 1.51 was
added at position: 2
2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider BC - 1.51 was
added at position: 2
2014-11-26 10:01:39 DEBUG WSProviderConfig:271 - The provider BC - 1.51 was
added at position: 2

Full debug with WSProviderConfig entries:
http://pastebin.com/8Z4ueYn7





Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Make sure that you have the following dependencies...it looks like it is
not picking up the log information from WSS4J:

        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-jdk14</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>jcl-over-slf4j</artifactId>
            <scope>test</scope>
        </dependency>

What I am looking for is:

Nov 25, 2014 4:03:52 PM org.apache.wss4j.common.crypto.WSProviderConfig
addJceProvider
FINE: The provider ApacheXMLDSig - 2.02 was added at position: 2
Nov 25, 2014 4:03:53 PM org.apache.wss4j.common.crypto.WSProviderConfig
addJceProvider
FINE: The provider BC - 1.51 was added at position: 2

The latter tells me that the WSS4J has successfully installed BouncyCastle
in the correct position.

Colm.

On Mon, Nov 24, 2014 at 7:56 PM, tobee <lu...@gmail.com> wrote:

> CLASSPATH=.;C:\jdk1.6\lib\tools.jar
>
> No progress after doing those:
> 1 removed all the java.security entries for BC
> 2 removed all the jars except folder where i unpacked it(one in JRE was in
> use)
> 3 when I copied it to same folder i run it from(where testcxf is located) -
> still same issue
> 2014-11-24  20:08    <DIR>          .
> 2014-11-24  20:08    <DIR>          ..
> 2014-11-24  20:07         2 908 223 bcprov-ext-jdk15on-151.jar
> 2014-11-24  20:07         2 842 667 bcprov-jdk15on-151.jar
> 2014-11-24  20:07            24 331 testcxf.jar
> 2014-11-24  20:08    <DIR>          lib
> 4 setting classpath explicitly or calling from BC directory doesn't change
> anything
>
> full trace without kerberos debug:
> http://pastebin.com/TCwcAREJ
>
> I guess i don't have to add anything in cxf.xml where i had to put logging
> for bus in order to capture SOAP.
>
>
>
>




Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
CLASSPATH=.;C:\jdk1.6\lib\tools.jar

No progress after doing these:
1. removed all the java.security entries for BC
2. removed all the jars except the folder where I unpacked it (the one in the
   JRE was in use)
3. when I copied it to the same folder I run it from (where testcxf is located) -
   still the same issue
2014-11-24  20:08    <DIR>          .
2014-11-24  20:08    <DIR>          ..
2014-11-24  20:07         2 908 223 bcprov-ext-jdk15on-151.jar
2014-11-24  20:07         2 842 667 bcprov-jdk15on-151.jar
2014-11-24  20:07            24 331 testcxf.jar
2014-11-24  20:08    <DIR>          lib
4. setting the classpath explicitly or calling from the BC directory doesn't
   change anything

full trace without kerberos debug:
http://pastebin.com/TCwcAREJ

I guess I don't have to add anything in cxf.xml, where I had to put logging
for the bus in order to capture SOAP.



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5751410.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok good. I've fixed two bugs so far in pursuit of this issue :-)

I think that your setup of BouncyCastle is actually causing it not to be
used with JDK 6. All you need to do is add the bcprov jar to the classpath
of your project, and WSS4J should take care of installing it in the correct
place in the interceptor chain. Could you try again with this (i.e. don't
add BouncyCastle yourself in either code or configuration)? If this fails,
could you enable DEBUG logging + send the first part of it to the mailing
list. You should see an excerpt where it tells you about where the
BouncyCastle provider was installed.

Colm.

On Mon, Nov 24, 2014 at 4:23 PM, tobee <lu...@gmail.com> wrote:

> finally got the response in 1.7 - works well now
> in 1.6 still "java.lang.IllegalArgumentException: Missing argument" :(
> 1.6 without BC the same error
>
>
>
>



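To verify Colm's advice above (bcprov only on the classpath, WSS4J registering the provider itself), here is an added check that is not part of the thread or of WSS4J. It prints the JCE provider list before and after WSS4J's provider setup; the WSProviderConfig.init() call is assumed from the WSS4J 2.0.x API and is invoked reflectively so the class also runs when wss4j is absent.

```java
import java.lang.reflect.Method;
import java.security.Provider;
import java.security.Security;
import javax.crypto.Cipher;

/**
 * Added check (not part of the thread or of WSS4J): report the JCE provider
 * list before and after WSS4J's own provider setup, to confirm that bcprov is
 * only on the classpath (not registered by hand in java.security or in code)
 * and that WSS4J then installs "BC" itself, normally at position 2 as in the
 * DEBUG lines quoted in the thread.
 */
public class JceSetupCheck {

    private static final String BC_CLASS =
            "org.bouncycastle.jce.provider.BouncyCastleProvider";
    // Class and method names assumed from WSS4J 2.0.x; invoked reflectively so
    // this check still compiles and runs when wss4j is not on the classpath.
    private static final String WSS4J_CONFIG =
            "org.apache.wss4j.common.crypto.WSProviderConfig";

    /** Is the bcprov jar loadable? WSS4J can only install a provider it can load. */
    public static boolean bcOnClasspath() {
        try {
            Class.forName(BC_CLASS);
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        }
    }

    /** 1-based position of the "BC" provider, or -1 if it is not registered. */
    public static int bcPosition() {
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            if ("BC".equals(providers[i].getName())) {
                return i + 1;
            }
        }
        return -1;
    }

    /** True when the unlimited-strength JCE policy files are in effect. */
    public static boolean unlimitedPolicy() throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= 256;
    }

    /** Runs WSProviderConfig.init() if WSS4J is present; returns false otherwise. */
    public static boolean initWss4jProviders() {
        try {
            Method init = Class.forName(WSS4J_CONFIG).getMethod("init");
            init.invoke(null);
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    private static void dump(String label) {
        System.out.println(label);
        Provider[] providers = Security.getProviders();
        for (int i = 0; i < providers.length; i++) {
            System.out.printf("  %2d  %-14s %s%n",
                    i + 1, providers[i].getName(), providers[i].getVersion());
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("bcprov on classpath  : " + bcOnClasspath());
        System.out.println("unlimited JCE policy : " + unlimitedPolicy());
        dump("providers before WSS4J init (BC should not be here yet):");
        int before = bcPosition();
        if (before > 0) {
            System.out.println("  -> BC is already registered at position " + before
                    + "; remove the manual java.security / addProvider() registration");
        }
        if (initWss4jProviders()) {
            dump("providers after WSProviderConfig.init():");
            System.out.println("  -> BC position now: " + bcPosition());
        } else {
            System.out.println("wss4j not on classpath; skipped WSS4J provider init");
        }
    }
}
```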

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
Finally got the response in 1.7 - it works well now.
In 1.6 still "java.lang.IllegalArgumentException: Missing argument" :(
1.6 without BC: the same error.




Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok thanks. It's hard to tell what the problem is exactly here. However,
I've merged some code to CXF to make the "signature protection" policy
validation more robust, this might fix the problem. Can you try again with
the latest code?

Colm.

On Mon, Nov 24, 2014 at 2:43 PM, tobee <lu...@gmail.com> wrote:

> The request was sent in 1.7 - response:
> http://pastebin.com/uttdvtCL
>
>
>
>




Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
The request was sent in 1.7 - response:
http://pastebin.com/uttdvtCL




Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Is this for the CXF request or processing the response? What does the
message look like?

Colm.

On Mon, Nov 24, 2014 at 9:52 AM, tobee <lu...@gmail.com> wrote:

> result of run on 1.7 without BC and with JCE installed
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These
> policy alternatives can not be satisfied:
>         at
> org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:638)
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}SymmetricBinding:
> The
> signature is not protected
>         at
>
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}ProtectionToken
>         at
>
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}RequireDerivedKeys
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}EncryptSignature
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>         at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
>         at com.sun.proxy.$Proxy42.getData(Unknown Source)
>         at cxf.Cxf.main(Cxf.java:74)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> alternatives can not be satisfied:
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}SymmetricBinding:
> The
> signature is not protected
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}ProtectionToken
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}RequireDerivedKeys
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
>         at
>
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:837)
> {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}EncryptSignature
>         at
>
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
>         at
>
> org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
>         at
>
> org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
>         at
>
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
>         at
>
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
>         at
>
> org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.issueToken(SecureConversationOutInterceptor.java:197)
>         at
>
> org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>         at
>
> org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.handleMessage(SecureConversationOutInterceptor.java:78)
>         at
>
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>         at
>
> org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.handleMessage(SecureConversationOutInterceptor.java:48)
>         at
> org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
>         at
>
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
>         at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1638)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>         at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1527)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
>         at
>
> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1330)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
>         at
> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>         at
>
> org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
>         at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
>         at
> org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
>         at com.sun.proxy.$Proxy42.getData(Unknown Source)
>         at
> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>         at cxf.Cxf.main(Cxf.java:74)
>         at
> org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:638)
>         at
>
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>         at
>
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
>         at
>
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:837)
>         at
>
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
>         at
>
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
>         at
>
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
>         at
>
> org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.issueToken(SecureConversationOutInterceptor.java:197)
>         at
>
> org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.handleMessage(SecureConversationOutInterceptor.java:78)
>         at
>
> org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.handleMessage(SecureConversationOutInterceptor.java:48)
>         at
>
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
>         at
> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>         at
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
>
> Regards
> Lucas
>
>
>
>




Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
Result of a run on 1.7 without BC and with JCE installed:
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These
policy alternatives can not be satisfied: 
	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:638)
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}SymmetricBinding: The
signature is not protected
	at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}ProtectionToken
	at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}RequireDerivedKeys
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}EncryptSignature
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:160)
	at com.sun.proxy.$Proxy42.getData(Unknown Source)
	at cxf.Cxf.main(Cxf.java:74)
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
alternatives can not be satisfied: 
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}SymmetricBinding: The
signature is not protected
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}ProtectionToken
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}RequireDerivedKeys
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
	at
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:837)
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}EncryptSignature
	at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
	at
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
	at
org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:102)
	at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
	at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
	at
org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.issueToken(SecureConversationOutInterceptor.java:197)
	at
org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
	at
org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.handleMessage(SecureConversationOutInterceptor.java:78)
	at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
	at
org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.handleMessage(SecureConversationOutInterceptor.java:48)
	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:802)
	at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
	at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1638)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
	at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1527)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
	at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1330)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
	at
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)
	at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
	at com.sun.proxy.$Proxy42.getData(Unknown Source)
	at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
	at cxf.Cxf.main(Cxf.java:74)
	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:638)
	at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
	at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
	at
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:837)
	at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
	at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
	at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
	at
org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.issueToken(SecureConversationOutInterceptor.java:197)
	at
org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.handleMessage(SecureConversationOutInterceptor.java:78)
	at
org.apache.cxf.ws.security.policy.interceptors.SecureConversationOutInterceptor.handleMessage(SecureConversationOutInterceptor.java:48)
	at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:516)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:425)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:138)

Regards
Lucas




Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
I recommend working directly with the 3.0.3-fixes branch. The error appears
to be that no secret key is extracted from the kerberos token. If you still
get the error with the latest CXF 3.0.x-fixes code, then make sure that
BouncyCastle is installed.

If you are still getting the same error with BouncyCastle installed, then
would it be possible to try with JDK 1.7 to see if this works (I know you
can't use it, but it would narrow the problem area down)?

Colm.

On Tue, Nov 18, 2014 at 5:48 PM, tobee <lu...@gmail.com> wrote:

> I tried with 3.0.2 myself and applied your fix - used 4 files you changed
> http://pastebin.com/GqEHYsaS
>
> Did I pull wrong version?
>
> https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tag;h=3ec631c97e9eccf62490b176aab61044b3b9ab9f
>
>
>
>




Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
I tried with 3.0.2 myself and applied your fix - used the 4 files you changed
http://pastebin.com/GqEHYsaS

Did I pull the wrong version?
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tag;h=3ec631c97e9eccf62490b176aab61044b3b9ab9f




Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
invalid target release: 1.7
Can you apply it to an older release as well?
The one I used was 3.0.2 - 1.6 limitation.




Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok, that enabled me to figure out that CXF 3.0.x was not using the
WS-SecurityPolicy 1.1 namespace properly:

https://issues.apache.org/jira/browse/CXF-6105

I've now fixed this. Could you try again with the latest CXF 3.0.3-SNAPSHOT
code (you will have to build it yourself until the latest SNAPSHOT code
deploys).

Colm.

On Fri, Nov 14, 2014 at 4:29 PM, tobee <lu...@gmail.com> wrote:

> we managed to enable audit:
> " XmlException: Cannot read the token from the 'DerivedKeyToken' element
> with the 'http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512'
> namespace for BinarySecretSecurityToken, with a '' ValueType. If this
> element is expected to be valid, ensure that security is configured to
> consume tokens with the name, namespace and value type specified."
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
we managed to enable audit:
" XmlException: Cannot read the token from the 'DerivedKeyToken' element
with the 'http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512'
namespace for BinarySecretSecurityToken, with a '' ValueType. If this
element is expected to be valid, ensure that security is configured to
consume tokens with the name, namespace and value type specified."




--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5751155.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
Had it inside cxf.xml but the file was in wrong directory(package instead of
root) 
thanks a lot - I continue digging.
We try to trace it on .net end. I will let you know if we succeed.



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750781.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
If you add the CXF logging feature to the bus, and enable "INFO" logging
you should see the outbound and inbound messages being logged, e.g.:

<cxf:bus>
    <cxf:features>
        <cxf:logging/>
    </cxf:features>
</cxf:bus>

Colm.



On Wed, Nov 5, 2014 at 7:59 PM, tobee <lu...@gmail.com> wrote:

> maybe way i capture this soap will tell you more
> Only time I get something logged was when i attached interceptor to
> bus(http://stackoverflow.com/a/22786371):
> MyCxfSoapOutInterceptor outInt = new MyCxfSoapOutInterceptor();
> client.getBus().getOutInterceptors().add(outInt);
> Maybe I should attach different one somewhere else to capture proper soap
> call?
> Could not sniff it as i did with .net client since it is not being marked
> as
> SOAP in message analyzer.
> Using log4j with debug/all doesn't log it as well - but as I've read it's
> normal.
>
> After disabling SecurityConversation on .net end replyTo is swapped with To
> in outgoing XML compared to .net.
> I suspect .net being sensitive to node order - I have to check it still.
> Is there any way I could force nodes order just to test if that is the
> case?
> I also disabled chunking though it doesn't change anything.
> I try to solve it from java end - not sure if it is even possible to debug
> xml serializing on .net side to see what fails.
>
> I finally managed to sniff whole message that is being sent as soap
> http://pastebin.com/n67Fp4Xj



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
maybe way i capture this soap will tell you more
Only time I get something logged was when i attached interceptor to
bus(http://stackoverflow.com/a/22786371):
MyCxfSoapOutInterceptor outInt = new MyCxfSoapOutInterceptor();        
client.getBus().getOutInterceptors().add(outInt); 
Maybe I should attach different one somewhere else to capture proper soap
call?
Could not sniff it as i did with .net client since it is not being marked as
SOAP in message analyzer.
Using log4j with debug/all doesn't log it as well - but as I've read it's
normal.

After disabling SecurityConversation on .net end replyTo is swapped with To
in outgoing XML compared to .net.
I suspect .net being sensitive to node order - I have to check it still.
Is there any way I could force nodes order just to test if that is the case?
I also disabled chunking though it doesn't change anything.
I try to solve it from java end - not sure if it is even possible to debug
xml serializing on .net side to see what fails.

I finally managed to sniff whole message that is being sent as soap
http://pastebin.com/n67Fp4Xj



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750766.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Yes, CXF supports Kerberos with SecureConversation. The SOAP request you
attached for CXF looks like the Ws-SecurityConversation call, whereas the
.NET request looks like the service call (after the initial WS-SC call).

BTW I checked in a test for CXF for a similar security policy (newer
security namespace):

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=eb746f58

Colm.

On Wed, Nov 5, 2014 at 11:20 AM, tobee <lu...@gmail.com> wrote:

> SOAP sent from
> java:
> http://pastebin.com/fKY27tqW
> .net:
> http://pastebin.com/BEK2b3Tc
>
> First thing that you can notice is that .net client is sending
> SecurityContextToken after Timestamp
> while java places BinarySecurityToken there
> googled this:
>
> http://cxf.547215.n5.nabble.com/Apache-CXF-with-WS-Security-tp5747114p5747238.html
> We will try to disable it on .net side and see if it works.
>
> Does cxf support kerberos token with SecureConversation? if it does how can
> i force it to do so?
>
> Regards
> Lucas



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
SOAP sent from
java: 
http://pastebin.com/fKY27tqW
.net:
http://pastebin.com/BEK2b3Tc

First thing that you can notice is that .net client is sending
SecurityContextToken after Timestamp 
while java places BinarySecurityToken there 
googled this:
http://cxf.547215.n5.nabble.com/Apache-CXF-with-WS-Security-tp5747114p5747238.html
We will try to disable it on .net side and see if it works.

Does cxf support kerberos token with SecureConversation? if it does how can
i force it to do so?

Regards
Lucas



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750718.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Your best bet is to enable debug logging on the service to find out where
the error is being thrown.

Colm.

On Tue, Nov 4, 2014 at 9:12 AM, tobee <lu...@gmail.com> wrote:

> now i get
> <?xml version="1.0"?>
> <Body>
>   <Fault>
>     <Code>
>       <Value>s:Sender</Value>
>       <Subcode>
>         <Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</Value>
>       </Subcode>
>     </Code>
>     <Reason>
>       <Text xml:lang="pl-PL">An error occurred when verifying security for
> the message.</Text>
>     </Reason>
>   </Fault>
> </Body>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
now i get
<?xml version="1.0"?>
<Body>
  <Fault>
    <Code>
      <Value>s:Sender</Value>
      <Subcode>
        <Value
xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</Value>
      </Subcode>
    </Code>
    <Reason>
      <Text xml:lang="pl-PL">An error occurred when verifying security for
the message.</Text>
    </Reason>
  </Fault>
</Body>



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750652.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
Finally the issue is solved, though a second one arose
most likely my keytab/cache was broken
Now the question is what is wrong with wsdl or do i have to tweak it or
wcftestservice somehow in order to make it work? 
.net client works fine since we sorted out spn and service configuration

INFO: Can not initialize the default wsdl from wcftestservice.wsdl
2014-11-04 09:37:12
org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean
buildServiceFromWSDL
INFO: Creating Service {http://tempuri.org/}Service from WSDL:
http://dvm-acc01/WCFTestService/Service.svc?singlewsdl
Invoking getData...
2014-11-04 09:37:13 org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl
handleNoRegisteredBuilder
WARNING: No assertion builder for type
{http://schemas.microsoft.com/ws/06/2004/policy/http}NegotiateAuthentication
registered.
Config name: C:\Windows\krb5.ini
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Acquire TGT from Cache
>>>KinitOptions cache name is C:\Users\my_user\krb5cc_my_user
>>>DEBUG <CCacheInputStream>  client principal is my_user@somedomain
>>>DEBUG <CCacheInputStream> server principal is
krbtgt/somedomain@somedomain
>>>DEBUG <CCacheInputStream> key type: 23
>>>DEBUG <CCacheInputStream> auth time: Fri Oct 31 14:59:37 CET 2014
>>>DEBUG <CCacheInputStream> start time: Fri Oct 31 14:59:37 CET 2014
>>>DEBUG <CCacheInputStream> end time: Sat Nov 01 00:59:37 CET 2014
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
Host address is /10.x.x.x
Host address is /0:0:0:0:0:0:0:1
>>> KrbCreds found the default ticket granting ticket in credential cache.
>>> LSA contains TGT for my_user@somedomain not testuser@somedomain
Principal is testuser@somedomain
null credentials from Ticket Cache
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 54; type: 23
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 70; type: 18
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 54; type: 17
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 62; type: 16
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 46; type: 3
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 46; type: 1
Added key: 1version: 1
Added key: 3version: 1
Added key: 16version: 1
Added key: 17version: 1
Added key: 18version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17 16 3 1.
0: EncryptionKey: keyType=23 kvno=1 keyValue (hex dump)=
1: EncryptionKey: keyType=18 kvno=1 keyValue (hex dump)=
2: EncryptionKey: keyType=17 kvno=1 keyValue (hex dump)=
3: EncryptionKey: keyType=16 kvno=1 keyValue (hex dump)=
4: EncryptionKey: keyType=3 kvno=1 keyValue (hex dump)=
5: EncryptionKey: keyType=1 kvno=1 keyValue (hex dump)=

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17 16 3 1.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=somekdc UDP:88, timeout=30000, number of retries =3,
>>> #bytes=151
>>> KDCCommunication: kdc=somekdc UDP:88, timeout=30000,Attempt =1,
>>> #bytes=151
>>> KrbKdcReq send: #bytes read=213
>>> KrbKdcReq send: #bytes read=213
>>> KdcAccessibility: remove somekdc
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Tue Nov 04 09:37:13 CET 2014 1415090233000
	 suSec is 147001
	 error code is 25
	 error Message is Additional pre-authentication required
	 realm is somedomain
	 sname is krbtgt/somedomain
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18
	 PA-ETYPE-INFO2 salt = somedomaintestuser
	 PA-ETYPE-INFO2 s2kparams = null
	 PA-ETYPE-INFO2 etype = 23
	 PA-ETYPE-INFO2 salt = null
	 PA-ETYPE-INFO2 s2kparams = null
	 PA-ETYPE-INFO2 etype = 3
	 PA-ETYPE-INFO2 salt = somedomaintestuser
	 PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = somedomaintestuser
>>>KrbAsReq salt is somedomaintestuser
default etypes for default_tkt_enctypes: 23 18 17 16 3 1.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=somekdc UDP:88, timeout=30000, number of retries =3,
>>> #bytes=238
>>> KDCCommunication: kdc=somekdc UDP:88, timeout=30000,Attempt =1,
>>> #bytes=238
>>> KrbKdcReq send: #bytes read=1365
>>> KrbKdcReq send: #bytes read=1365
>>> KdcAccessibility: remove somekdc
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply testuser
principal is testuser@somedomain
EncryptionKey: keyType=23 keyBytes (hex dump)=0000:
EncryptionKey: keyType=18 keyBytes (hex dump)=0000:
EncryptionKey: keyType=17 keyBytes (hex dump)=0000:
EncryptionKey: keyType=16 keyBytes (hex dump)=0000:
EncryptionKey: keyType=3 keyBytes (hex dump)=0000:
EncryptionKey: keyType=1 keyBytes (hex dump)=0000:
Commit Succeeded 

equals = false
Found ticket for testuser@somedomain to go to krbtgt/somedomain@somedomain
expiring on Tue Nov 04 19:37:13 CET 2014
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23 18 17 16 3 1.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=somekdc UDP:88, timeout=30000, number of retries =3,
>>> #bytes=1325
>>> KDCCommunication: kdc=somekdc UDP:88, timeout=30000,Attempt =1,
>>> #bytes=1325
>>> KrbKdcReq send: #bytes read=1288
>>> KrbKdcReq send: #bytes read=1288
>>> KdcAccessibility: remove somekdc
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 798381327
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:

2014-11-04 09:37:14 org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessageInternal
WARNING: Request does not contain Security header, but it's a fault.
2014-11-04 09:37:14 org.apache.cxf.phase.PhaseInterceptorChain
doDefaultLogging
WARNING: Interceptor for
{http://tempuri.org/}Service#{http://tempuri.org/}GetData has thrown
exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: An error occurred when verifying
security for the message.



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750651.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
i deleted keytab and cache and recreated them with 

ktab -a testuser pwd -k FILE:c:\kerberos\testuser.keytab
Done!
Service key for testuser is saved in c:\kerberos\testuser.keytab

kinit -t c:\kerberos\testuser.keytab testuser pwd -c
FILE:c:/kerberos/krb5cache
will post new debug in a sec



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750650.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
krb5 debug:
Config name: C:\Windows\krb5.ini
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Acquire TGT from Cache
>>>KinitOptions cache name is C:\Users\my_user\krb5cc_my_user
>>>DEBUG <CCacheInputStream>  client principal is my_user@somedomain
>>>DEBUG <CCacheInputStream> server principal is
krbtgt/somedomain@somedomain
>>>DEBUG <CCacheInputStream> key type: 23
>>>DEBUG <CCacheInputStream> auth time: Fri Oct 31 14:59:37 CET 2014
>>>DEBUG <CCacheInputStream> start time: Fri Oct 31 14:59:37 CET 2014
>>>DEBUG <CCacheInputStream> end time: Sat Nov 01 00:59:37 CET 2014
>>>DEBUG <CCacheInputStream> renew_till time: Thu Jan 01 01:00:00 CET 1970
>>> CCacheInputStream: readFlags()  INITIAL; PRE_AUTH;
Host address is /10.x.x.x
Host address is /0:0:0:0:0:0:0:1
>>> KrbCreds found the default ticket granting ticket in credential cache.
>>> LSA contains TGT for my_user@somedomain not testuser@somedomain
Principal is testuser@somedomain
null credentials from Ticket Cache
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 54; type: 23
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 70; type: 18
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 54; type: 17
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 62; type: 16
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 46; type: 3
>>> KeyTabInputStream, readName(): somedomain
>>> KeyTabInputStream, readName(): testuser
>>> KeyTab: load() entry length: 46; type: 1
Added key: 1version: 1
Added key: 3version: 1
Added key: 16version: 1
Added key: 17version: 1
Added key: 18version: 1
Added key: 23version: 1
Ordering keys wrt default_tkt_enctypes list
default etypes for default_tkt_enctypes: 23 18 17 16 3 1.
0: EncryptionKey: keyType=23 kvno=1 keyValue (hex dump)=
0000: 9B 47 C6 62 E6 06 7F 82   AF 3D B2 A8 37 0C 14 AE  .G.b.....=..7...


1: EncryptionKey: keyType=18 kvno=1 keyValue (hex dump)=
0000: 05 83 E7 FD 3C 71 A5 56   07 07 A9 8D 96 88 04 63  ....<q.V.......c
0010: 50 34 D0 D7 A3 0C 08 A0   F8 EA DB B3 8A DC 3D 0E  P4............=.


2: EncryptionKey: keyType=17 kvno=1 keyValue (hex dump)=
0000: EB F3 B4 06 42 9A 6D 6C   9D FE 93 F8 E0 5B 47 65  ....B.ml.....[Ge


3: EncryptionKey: keyType=16 kvno=1 keyValue (hex dump)=
0000: B5 04 3B CE 0E EC 3D 68   68 0B A2 70 1C 37 13 67  ..;...=hh..p.7.g
0010: B9 1C 3E 04 08 80 73 EF   

4: EncryptionKey: keyType=3 kvno=1 keyValue (hex dump)=
0000: 6B 51 67 C7 02 51 FD CE   

5: EncryptionKey: keyType=1 kvno=1 keyValue (hex dump)=
0000: 6B 51 67 C7 02 51 FD CE   

principal's key obtained from the keytab
Acquire TGT using AS Exchange
default etypes for default_tkt_enctypes: 23 18 17 16 3 1.
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=somekdc UDP:88, timeout=30000, number of retries =3,
>>> #bytes=151
>>> KDCCommunication: kdc=somekdc UDP:88, timeout=30000,Attempt =1,
>>> #bytes=151
>>> KrbKdcReq send: #bytes read=213
>>> KrbKdcReq send: #bytes read=213
>>> KdcAccessibility: remove somekdc
>>> KDCRep: init() encoding tag is 126 req type is 11
>>>KRBError:
	 sTime is Tue Nov 04 09:14:25 CET 2014 1415088865000
	 suSec is 764190
	 error code is 25
	 error Message is Additional pre-authentication required
	 realm is somedomain
	 sname is krbtgt/somedomain
	 eData provided.
	 msgType is 30
>>>Pre-Authentication Data:
	 PA-DATA type = 19
	 PA-ETYPE-INFO2 etype = 18
	 PA-ETYPE-INFO2 salt = somedomaintestuser
	 PA-ETYPE-INFO2 s2kparams = null
	 PA-ETYPE-INFO2 etype = 23
	 PA-ETYPE-INFO2 salt = null
	 PA-ETYPE-INFO2 s2kparams = null
	 PA-ETYPE-INFO2 etype = 3
	 PA-ETYPE-INFO2 salt = somedomaintestuser
	 PA-ETYPE-INFO2 s2kparams = null
AcquireTGT: PREAUTH FAILED/REQUIRED, re-send AS-REQ
Updated salt from pre-auth = somedomaintestuser
>>>KrbAsReq salt is somedomaintestuser
default etypes for default_tkt_enctypes: 23 18 17 16 3 1.
Pre-Authenticaton: find key for etype = 18
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsReq calling createMessage
>>> KrbAsReq in createMessage
>>> KrbKdcReq send: kdc=somekdc UDP:88, timeout=30000, number of retries =3,
>>> #bytes=238
>>> KDCCommunication: kdc=somekdc UDP:88, timeout=30000,Attempt =1,
>>> #bytes=238
>>> KrbKdcReq send: #bytes read=1365
>>> KrbKdcReq send: #bytes read=1365
>>> KdcAccessibility: remove somekdc
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
>>> KrbAsRep cons in KrbAsReq.getReply testuser
principal is testuser@somedomain
Commit Succeeded 

equals = false
Found ticket for testuser@somedomain to go to krbtgt/somedomain@somedomain
expiring on Tue Nov 04 19:14:25 CET 2014
Entered Krb5Context.initSecContext with state=STATE_NEW
Service ticket not found in the subject
>>> Credentials acquireServiceCreds: same realm
default etypes for default_tgs_enctypes: 23 18 17 16 3 1.
>>> CksumType: sun.security.krb5.internal.crypto.RsaMd5CksumType
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbKdcReq send: kdc=somekdc UDP:88, timeout=30000, number of retries =3,
>>> #bytes=1325
>>> KDCCommunication: kdc=somekdc UDP:88, timeout=30000,Attempt =1,
>>> #bytes=1325
>>> KrbKdcReq send: #bytes read=1288
>>> KrbKdcReq send: #bytes read=1288
>>> KdcAccessibility: remove somekdc
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbApReq: APOptions are 00000000 00000000 00000000 00000000
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
Krb5Context setting mySeqNumber to: 6323637
Krb5Context setting peerSeqNumber to: 0
Created InitSecContextToken:
0000: 01 00 6E 82 04 C6 30 82   04 C2 A0 03 02 01 05 A1  ..n...0.........



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750648.html
Sent from the cxf-user mailing list archive at Nabble.com.
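
Two things worth taking from the debug output above, as an added example that is not code from the thread, CXF or WSS4J: with sun.security.krb5.debug switched on, the JDK prints the keytab's long-term keys, the AS-REP keys and the raw AP-REQ as hex dumps (the output above includes them), so a log like this should be scrubbed before it goes to a mailing list, and the "default etypes" and "key type" lines show which of those keys are DES, 3DES or RC4. The class below masks every hex-dump row and reports the weak enctype ids it sees. The sample lines in main are constructed in the shape of the output above, with made-up key bytes; the class names and the weak-enctype list are my choices.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Scrubs sun.security.krb5.debug output before it is shared and reports the
 * enctypes the client used. Added illustration, not part of CXF or WSS4J.
 * Hex-dump rows in this output are keytab long-term keys, AS-REP session keys
 * and the raw AP-REQ; principal names, enctype ids, KDC error codes and
 * timestamps are what a reader needs to help, so those are kept.
 */
public final class Krb5DebugScrubber {

    // Hex-dump rows such as "0000: 9B 47 C6 62 E6 06 7F 82   AF 3D ...  .G.b...."
    private static final Pattern HEX_ROW =
            Pattern.compile("^\\s*[0-9A-Fa-f]{4}:(\\s+[0-9A-Fa-f]{2})+.*$");
    // Header lines that may carry the first row inline after "(hex dump)=".
    private static final Pattern HEX_HEADER =
            Pattern.compile("^(.*\\(hex dump\\)=)(.*)$");
    // "default etypes for default_tkt_enctypes: 23 18 17 16 3 1."
    private static final Pattern ETYPE_LIST =
            Pattern.compile("default etypes for \\w+: ([0-9 ]+)\\.");
    // "key type: 23", "keyType=18", "PA-ETYPE-INFO2 etype = 18"
    private static final Pattern ETYPE_SINGLE =
            Pattern.compile("(?:key type: |keyType=|etype = )(\\d+)");

    // DES (1, 2, 3) and RC4-HMAC-EXP (24) per RFC 6649; 3DES (16) and RC4 (23) per RFC 8429.
    static final Set<Integer> WEAK_ETYPES =
            new HashSet<Integer>(Arrays.asList(1, 2, 3, 16, 23, 24));

    /** Returns the log with every hex-dump row and inline hex value masked. */
    static List<String> redact(List<String> lines) {
        List<String> out = new ArrayList<String>();
        for (String line : lines) {
            Matcher h = HEX_HEADER.matcher(line);
            if (h.matches()) {
                out.add(h.group(1) + "[redacted]");
            } else if (HEX_ROW.matcher(line).matches()) {
                out.add("    [hex dump redacted]");
            } else {
                out.add(line);
            }
        }
        return out;
    }

    /** Enctype ids seen anywhere in the log that are on the weak list, sorted. */
    static Set<Integer> weakEnctypes(List<String> lines) {
        Set<Integer> seen = new TreeSet<Integer>();
        for (String line : lines) {
            Matcher l = ETYPE_LIST.matcher(line);
            if (l.find()) {
                for (String id : l.group(1).trim().split("\\s+")) {
                    seen.add(Integer.parseInt(id));
                }
            }
            Matcher s = ETYPE_SINGLE.matcher(line);
            while (s.find()) {
                seen.add(Integer.parseInt(s.group(1)));
            }
        }
        seen.retainAll(WEAK_ETYPES);
        return seen;
    }

    public static void main(String[] args) {
        // Constructed sample in the shape of the thread's output; key bytes are fake.
        List<String> sample = Arrays.asList(
            ">>>DEBUG <CCacheInputStream> key type: 23",
            "default etypes for default_tkt_enctypes: 23 18 17 16 3 1.",
            "0: EncryptionKey: keyType=23 kvno=1 keyValue (hex dump)=",
            "0000: 00 11 22 33 44 55 66 77   88 99 AA BB CC DD EE FF  ................",
            "EncryptionKey: keyType=18 keyBytes (hex dump)=0000: 01 02 03 04",
            "Created InitSecContextToken:",
            "0000: 01 00 6E 82 04 C6 30 82   04 C2 A0 03 02 01 05 A1  ..n...0.........");
        for (String line : redact(sample)) {
            System.out.println(line);
        }
        // Prints [1, 3, 16, 23] for the sample above.
        System.out.println("weak enctypes present: " + weakEnctypes(sample));
    }
}
```

Run it over the saved debug file (one line per list entry) before pasting; a keytab that shows type 23 and type 3/1 entries, as the one above does, is a keytab whose RC4 and DES keys can be attacked offline from any capture of the AS exchange, so the enctype report is worth acting on as well as the redaction.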

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
http://pastebin.com/HLnu0QzW
I did a little "debug" myself of this part(setting property didn't work and i
had maven build working already)

commented out results from getKerberosTicket:
prev = priv in this case (hex dump is the same and all the rest that
toString from KerberosTicket shows)
count=1
equals = true
since they are equal it returns null

now the last change result:
clientPrincipals.iterator().next() = someuser@DOMAIN
serviceName = test@DVM-ACC01
cisUsernameServiceNameForm = false
requestCredDeleg = false
delegatedCredential = null
krbCtx.secretKey = null <- made those public
krbCtx.disposed = false
krbCtx.gssContext = sun.security.jgss.GSSContextImpl@6cc2a4
krbCtx.kerberosToken = [B@5ead9d

token is there but there is no secret key 

Regards
Lucas



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750625.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Could you set the System property "sun.security.krb5.debug" to "true" + attach
the output, when run with JDK 6?

Colm.

On Mon, Nov 3, 2014 at 3:09 PM, tobee <lu...@gmail.com> wrote:

> I only have version 8 on other machine (it is in another domain as well)
> it seems to contact WCFTest properly and there is no problem with TGS_REP
> at
> least
> http://pastebin.com/2Bw71Lv5
> Do I have to install jce on 8 as well?
> I did quick setup here only - jar+login.config+krb5.ini+cxf 3.0.2 libs.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
I only have version 8 on other machine (it is in another domain as well)
it seems to contact WCFTest properly and there is no problem with TGS_REP at
least
http://pastebin.com/2Bw71Lv5
Do I have to install jce on 8 as well?
I did quick setup here only - jar+login.config+krb5.ini+cxf 3.0.2 libs.



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750614.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
I will test it with 1.7 - though it will not change anything for me if it
works anyway(1.6 limitation).
This is a company internal KDC and I am more than sure it can't be exposed.
Only options i see are:
1 I can debug myself with a little help.
2 send you saved sniffed session to private email if this would be of any
help for you.





--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750613.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Could you see if it works with JDK 7? Beyond that I don't really have any
ideas. Is it possible to expose your KDC publically so that I can test
against it?

Colm.

On Mon, Nov 3, 2014 at 12:47 PM, tobee <lu...@gmail.com> wrote:

> I did
>
> 1 reinstall jdk (same version - 1.6.0_37-b06)
> 2 install jce in c:\jdk1.6\jre\lib\security(kept old ones this time)
> 3 add bcprov-jdk15on-151.jar + bcprov-ext-jdk15on-151.jar to project
> libraries(netbeans)
> 4 add in java.security entry
> security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
> 5 in client code as well java.security.Security.addProvider(new
> BouncyCastleProvider());
>
> Still getting null pointer.
> Am I missing something?



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
Did also for jre and dynamic loading is not needed(5) since BC is listed
this one helped
http://www.itcsolutions.eu/2011/08/22/how-to-use-bouncy-castle-cryptographic-api-in-netbeans-or-eclipse-for-java-jse-projects/



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750607.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
I did

1 reinstall jdk (same version - 1.6.0_37-b06)
2 install jce in c:\jdk1.6\jre\lib\security(kept old ones this time)
3 add bcprov-jdk15on-151.jar + bcprov-ext-jdk15on-151.jar to project
libraries(netbeans) 
4 add in java.security entry
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
5 in client code as well java.security.Security.addProvider(new
BouncyCastleProvider());

Still getting null pointer.
Am I missing something?



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750603.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by Colm O hEigeartaigh <co...@apache.org>.
I would start by checking the following two things:

a) Make sure that you have unlimited security policies installed in your JDK
b) Make sure that the BouncyCastle provider (1.51) is added as a dependency
to your project

There is special support in WSS4J for JDK 7+ to get secret keys from
Kerberos tickets. It should fall back to working with BouncyCastle for JDK
1.6 though.

In the meantime I'll fix the NPE.

Colm.

On Fri, Oct 31, 2014 at 10:00 PM, tobee <lu...@gmail.com> wrote:

> aes256-cts-hmac-sha1-96 is used as default when I remove whole section
> other than that rc4-hmac is supported only from the list i have in krb5.ini
> both result in nullpointer so it is not the case here
> this is how response looks like:
> http://imgur.com/Ep1ULPW
> If you need more data let me know
> Also I'm running tests on a different user than I work on if that changes
> anything
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
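
An added illustration, not code from the thread, CXF or WSS4J, of the two places Colm's post above refers to: the JDK 7+ path that asks the GSS context for the session key through ExtendedGSSContext, and the fallback of looking for a service ticket among the Subject's private credentials, which is the lookup tobee's later debugging found returning null because the only KerberosTicket in the Subject was the TGT. It assumes a JAAS entry named "KerberosClient" in the login.conf supplied via java.security.auth.login.config (the entry name is my choice) and uses the host-based service name test@DVM-ACC01 from the thread as the default; it prints the key's enctype, never its bytes. It compiles on JDK 7+; on JDK 6 the ExtendedGSSContext branch has to be removed because that class does not exist there.

```java
import java.security.Key;
import java.security.PrivilegedExceptionAction;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import com.sun.security.jgss.ExtendedGSSContext;
import com.sun.security.jgss.InquireType;

/** Probes both ways of obtaining the Kerberos session key for a WS-Security token. */
public class KerberosSessionKeyProbe {

    /** Kerberos V5 mechanism OID; a helper because the Oid constructor is checked. */
    static Oid krb5Mech() throws GSSException {
        return new Oid("1.2.840.113554.1.2.2");
    }

    /** A TGT is the ticket whose server principal is krbtgt/REALM@REALM. */
    static boolean isTgt(KerberosTicket t) {
        return t.getServer().getName().startsWith("krbtgt/");
    }

    /**
     * JDK 6 style fallback: after initSecContext() the JDK normally stores the
     * service ticket in the Subject's private credentials. Returns it, or null
     * when only the TGT is there, which is the case an unguarded
     * serviceTicket.getSessionKey() turns into a NullPointerException.
     */
    static KerberosTicket findServiceTicket(Subject subject, String hostBasedService) {
        // "test@DVM-ACC01" is issued as "test/DVM-ACC01@REALM"; compare case-insensitively.
        String prefix = (hostBasedService.split("@")[0] + "/").toLowerCase();
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            String server = t.getServer().getName().toLowerCase();
            if (!isTgt(t) && t.isCurrent() && server.startsWith(prefix)) {
                return t;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        final String service = args.length > 0 ? args[0] : "test@DVM-ACC01";
        LoginContext lc = new LoginContext("KerberosClient"); // assumed JAAS entry name
        lc.login();
        final Subject subject = lc.getSubject();

        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
            public Void run() throws GSSException {
                GSSManager mgr = GSSManager.getInstance();
                GSSName peer = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
                GSSContext ctx = mgr.createContext(peer, krb5Mech(), null,
                                                   GSSContext.DEFAULT_LIFETIME);
                ctx.requestMutualAuth(false);
                // The AP-REQ; this is the blob the BinarySecurityToken carries.
                byte[] apReq = ctx.initSecContext(new byte[0], 0, 0);
                System.out.println("AP-REQ bytes: " + apReq.length);

                // JDK 7+: the context hands out the session key directly.
                if (ctx instanceof ExtendedGSSContext) {
                    Object k = ((ExtendedGSSContext) ctx)
                            .inquireSecContext(InquireType.KRB5_GET_SESSION_KEY);
                    if (k instanceof Key) {
                        System.out.println("session key via ExtendedGSSContext, algorithm "
                                + ((Key) k).getAlgorithm());
                    }
                }
                // Fallback: the service ticket must be in the Subject.
                KerberosTicket st = findServiceTicket(subject, service);
                if (st != null) {
                    System.out.println("session key via Subject: etype "
                            + st.getSessionKeyType() + " for " + st.getServer().getName());
                } else {
                    System.out.println("no service ticket in Subject; tickets present:");
                    for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
                        System.out.println("  " + t.getServer().getName()
                                + (isTgt(t) ? " (TGT)" : ""));
                    }
                }
                ctx.dispose();
                return null;
            }
        });
        lc.logout();
    }
}
```

Run with -Djava.security.auth.login.config=c:\kerberos\login.conf (and -Djava.security.krb5.conf if krb5.ini is not in the default location). If the first path prints a key and the second reports only the TGT, the token itself is fine and the problem is confined to the JDK 6 fallback; if neither yields a key, look at the ticket cache and keytab first, as happened in this thread.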

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
aes256-cts-hmac-sha1-96 is used as default when I remove whole section
other than that rc4-hmac is supported only from the list i have in krb5.ini
both result in nullpointer so it is not the case here
this is how response looks like:
http://imgur.com/Ep1ULPW
If you need more data let me know
Also I'm running tests on a different user than I work on if that changes
anything




--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750557.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: possible wss4j bug?

Posted by tobee <lu...@gmail.com>.
I can try shrinking or removing cyphers from krb5.ini to test if it changes
anything.



--
View this message in context: http://cxf.547215.n5.nabble.com/possible-wss4j-bug-tp5750539p5750552.html
Sent from the cxf-user mailing list archive at Nabble.com.