You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Ed Bras <zo...@debrasjes.com> on 2013/05/07 20:20:18 UTC
A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only endpoint
Hi All,
I don't know what I changed anymore :(... But I have ended up with this
exception which I don't seem to solve:
---
Caused by: javax.xml.ws.soap.SOAPFaultException: A SOAP 1.2 message is not
valid when sent to a SOAP 1.1 only endpoint.
---
I am using CXF 2.7.4 and have the classes generated from the wsdl. I am
using the MTOM and WSS4JOutInterceptor for signing outgoing messages.
The wsdl contains things like:
----
<wsdl:definitions ... xmlns:soap11="http ... >
<soap11:binding
<soap11:operation
soap11:address
----
So that all sound like soap 1.1, but somehow soap 1.2 is being used in the
client for the created message. I have added this in my jaxws client config,
but it had no effect.
----
<jaxws:binding>
<soap:soapBinding version="1.1"/>
</jaxws:binding>
----
Why does CXF try to use soap 1.2 at all?
Please some advice on how to solve this?
- Ed
Re: A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only endpoint
Posted by Freeman Fang <fr...@gmail.com>.
Hi,
The problem is that in CXF with MTOM enabled, when use ws-security signature, it won't sign the MTOM attachment. This may not be a problem when both client and server sides are CXF, but it could be a problem if the other side is .net(WCF), as per the spec, the MTOM attachment should also be the part of the signature.
You can take a look at [1] to get more details.
BTW, this issue could get resolved when we upgrade to WSS4J 2.0
[1]http://cxf.547215.n5.nabble.com/Signature-digest-mismatch-when-NET-supplies-MTOM-attachment-td3270961.html
-------------
Freeman(Yue) Fang
Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋
On 2013-5-9, at 下午4:16, Ed Bras wrote:
> Hi,
> Thanks for the quick reply.
> I just did some more tests concerning your Mtom remark below, but I noticed that it seem to run ok, that is: I don't seem to get the "SOAP 1.1 only endpoint" error anymore. I also looked on the nightly build server, and it seem to run ok for the last few days... But I can't even remember changing anything... strange... Currently I do get another exception, but I am pretty sure that has to do with the test environment of the server I am connecting to. The "Soap 1.1." error I got was on the client side already.
>
> Anyway, I am a bit confused about your mtom remark below, as to me it seems to work (besides having the exception currently, it works during nightly build last night and before) and changing it has no effect on my unit tests.. I see in the debug that it goes out as with the correct mime type " <mimeType>application/octet-stream</mimeType>".
> Why does this not work together?
>
>
> The class DynamicWsaSignaturePartsInterceptor does basically what is described here:
> http://davidvaleri.wordpress.com/2010/09/15/signing-ws-addressing-headers-in-apache-cxf/
> I use this as I am signing some headers that can be null, such that they must be excluded.
>
> Sorry, but don't understand what more you want to see of client code, I don't have think I have more that what I list below. The DeliveryService bean comes from the cxf-client.xml config and is injected by Spring and is an cxf axWasClientProxy instance.
>
> - Ed
>
>
>
>
>> -----Original Message-----
>> From: Freeman Fang [mailto:freeman.fang@gmail.com]
>> Sent: donderdag 9 mei 2013 9:35
>> To: users@cxf.apache.org
>> Subject: Re: A SOAP 1.2 message is not valid when sent to a SOAP 1.1
>> only endpoint
>>
>> Hi,
>>
>> What's the
>> DynamicWsaSignaturePartsInterceptor
>> like?
>>
>> Also, could you please append the client code where you send out
>> request?
>>
>> Btw, now MTOM + WS-Security does not work together in CXF, please
>> remove <entry key="mtom-enabled" value="true"/> from your
>> configuration to see if it helps
>> -------------
>> Freeman(Yue) Fang
>>
>> Red Hat, Inc.
>> FuseSource is now part of Red Hat
>> Web: http://fusesource.com | http://www.redhat.com/
>> Twitter: freemanfang
>> Blog: http://freemanfang.blogspot.com
>> http://blog.sina.com.cn/u/1473905042
>> weibo: @Freeman??
>>
>> On 2013-5-9, at ??3:15, Ed Bras wrote:
>>
>>> Hi,
>>> I hoped the info below would be enough. Here the cxf client config
>> and code of usage.
>>> Spring config: I have 3 cxf spring config files, listed below:
>>> A) cxf-general.xml that includes the B) cxf-client.xml and C)
>>> cxf-tls.xml
>>>
>>> I hope you can see the cause of this error (see subject mail). If
>> more config/code is needed, please let me know.
>>>
>>>
>>> Code usage:
>>> ------------------
>>> private final DeliveryService digiDelivery; // injected by
>> Spring, contained in client spring config below.
>>> private Response deliver(final Request request) {
>>> return this.digiDelivery.deliver(request);
>>> }
>>>
>>> // The class DeliveryService is generated:
>>>
>>> @WebService(targetNamespace = "http://Bla/1.2/", name =
>>> "DeliveryService") @XmlSeeAlso({ObjectFactory.class })
>>> @SOAPBinding(parameterStyle = SOAPBinding.ParameterStyle.BARE) public
>>> interface DeliveryService {
>>>
>>> @WebResult(name = "response", targetNamespace =
>> "http://Bla/1.2/", partName = "response")
>>> @Action(output =
>> "http://Bka/1.2/DeliveryService/deliveryResponse", fault = {
>> @FaultAction(className = DeliveryServiceFault.class, value =
>> "http://Bla/1.2/DeliveryService/delivery/Fault/") })
>>> @WebMethod(action = "http://Bla/1.2/DeliveryService/Request")
>>> public Response aanleveren(@WebParam(partName = "request", name =
>>> "request", targetNamespace = "http://Bla/services/1.2/") Request
>>> request) throws AanleverServiceFault; }
>>> ------------------
>>>
>>>
>>>
>>> A) CXF-general.xml:
>>> ------------------
>>> <import resource="cxf-tls.xml" />
>>> <import resource="cxf-client.xml" />
>>>
>>> <!-- General CXF config:
>>> 1) http://cxf.apache.org/docs/configuration.html
>>> -->
>>> <cxf:bus>
>>> <cxf:features>
>>> <cxf:logging/>
>>>
>>> <policy:policies/>
>>>
>>> <!-- WS-addressing required, see 2) -->
>>> <wsa:addressing/> <!-- see:
>> http://en.wikipedia.org/wiki/WS-Addressing -->
>>> </cxf:features>
>>> </cxf:bus>
>>> ------------------
>>>
>>>
>>>
>>> B) CXF-tls.xml:
>>> ----------------------
>>> <http:conduit
>> name="{http://bla/1.2/}AanleverService_V1_2Port.http-conduit">
>>> <http:tlsClientParameters>
>>>
>>> <!-- "keyPassword" is the password to access/retrieve
>> the private key in the key store it self -->
>>> <sec:keyManagers
>> keyPassword="${tls.keystore.private.key.pwd}" >
>>> <!-- The keystore that contains our private key to
>> encrypt send data (1 key only) -->
>>> <sec:keyStore
>> resource="${tls.keystore.private}"
>> password="${tls.keystore.private.pwd}" />
>>> </sec:keyManagers>
>>>
>>> <sec:trustManagers>
>>> <!-- This list of certificates that is used to decide
>> whether or not to trust certificates -->
>>> <sec:keyStore
>> resource="${tls.keystore.trusted}"
>> password="${tls.keystore.trusted.pwd}"/>
>>> </sec:trustManagers>
>>>
>>> <sec:cipherSuitesFilter>
>>> <sec:include>.*_EXPORT_.*</sec:include>
>>> <sec:include>.*_EXPORT1024_.*</sec:include>
>>> <sec:include>.*_WITH_DES_.*</sec:include>
>>> <sec:include>.*_WITH_AES_.*</sec:include>
>>> <sec:include>.*_WITH_NULL_.*</sec:include>
>>> <sec:exclude>.*_DH_anon_.*</sec:exclude>
>>> </sec:cipherSuitesFilter>
>>> </http:tlsClientParameters>
>>> </http:conduit>
>>> ----------------------
>>>
>>>
>>>
>>> C) CXF client spring config (don't own the server side):
>>> ----------------------
>>> <jaxws:client id="digiDelivery" serviceClass="DeliverService"
>> address="${ deliver.url}">
>>> <jaxws:inInterceptors>
>>> <ref bean="SigningInterceptorIn"/>
>>> <ref bean="wsaSignaturePartsInterceptor"/>
>>> </jaxws:inInterceptors>
>>>
>>> <jaxws:outInterceptors>
>>> <ref bean="SigningInterceptorOut"/>
>>> <ref bean="wsaSignaturePartsInterceptor"/>
>>> </jaxws:outInterceptors>
>>>
>>> <jaxws:properties>
>>> <entry key="mtom-enabled" value="true"/>
>>> <entry key="signatureParts"
>> value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-
>> wss-wssecurity-utility-1.0.xsd}Timestamp;
>>>
>> {Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>>> </jaxws:properties>
>>>
>>> <!--Tried this, but had no effect: jaxws:binding>
>>> <soap:soapBinding version="1.1"/>
>>> </jaxws:binding-->
>>> </jaxws:client>
>>>
>>> <!-- It will dynamically set the WSA signing parts if required,
>> depending if they contain any value.
>>> See the class for details -->
>>> <bean id="wsaSignaturePartsInterceptor"
>> class="DynamicWsaSignaturePartsInterceptor"/>
>>> <!-- Required to Sign an outgoing message. -->
>>> <bean id="SigningInterceptorOut"
>> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>>> <constructor-arg>
>>> <map>
>>> <entry key="action" value="Timestamp Signature"/>
>>> <entry key="timeToLive" value="300" />
>>> <entry key="user"
>>> value="${deliver.keystore.private.sign.key.alias}"/>
>>>
>>> <!-- Used to retrieve the passwords of an alias. -->
>>> <entry key="passwordCallbackRef"
>>> value-ref="pwCallback"/>
>>>
>>> <!-- Required to send the signature certificate a
>> long with the message -->
>>> <entry key="signatureKeyIdentifier"
>>> value="DirectReference" />
>>>
>>> <!-- A reference to the Crypto security
>> properties -->
>>> <entry key="signaturePropRefId"
>> value="cryptoProperties"/>
>>> <entry key="cryptoProperties" value-
>> ref="cryptoProperties"/>
>>> </map>
>>> </constructor-arg>
>>> </bean>
>>>
>>> <!-- Required to validate an incoming signed message. -->
>>> <bean id="SigningInterceptorIn"
>> class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>>> <constructor-arg>
>>> <map>
>>> <entry key="action" value="Timestamp Signature"/>
>>> <entry key="signaturePropRefId"
>> value="cryptoProperties"/>
>>> <entry key="cryptoProperties" value-
>> ref="cryptoProperties"/>
>>> </map>
>>> </constructor-arg>
>>> </bean>
>>>
>>> <!-- A callback that returns the keystore password of an alias. -
>> ->
>>> <bean id="pwCallback" class="ClientKeystorePasswordCallback">
>>> <property name="passwords">
>>> <util:map key-type="java.lang.String" value-
>> type="java.lang.String">
>>> <entry key="${deliver.keystore.private.sign.key.alias}"
>> value="${deliver.keystore.private.sign.key.pwd}"/>
>>> </util:map>
>>> </property>
>>> </bean>
>>>
>>> <!-- Ref:
>>> 1) http://ws.apache.org/wss4j/config.html
>>> 2) https://sites.google.com/site/ddmwsst/ws-security-impl
>> -->
>>> <util:properties id="cryptoProperties">
>>> <!-- The private keystore info to sign the message -->
>>> <prop
>> key="org.apache.ws.security.crypto.merlin.keystore.file">${deliver.keys
>> tore.private}</prop>
>>> <prop
>> key="org.apache.ws.security.crypto.merlin.keystore.password">${deliver.
>> keystore.private.pwd}</prop>
>>> <!-- The trusted keystore info for unsigning received messages --
>>>
>>> <prop
>> key="org.apache.ws.security.crypto.merlin.truststore.file">${deliver.ke
>> ystore.trusted}</prop>
>>> <prop
>> key="org.apache.ws.security.crypto.merlin.truststore.password">${delive
>> r.keystore.trusted.pwd}</prop>
>>> </util:properties>
>>>
>>> ----------------------
>>>
>>>
>>>> -----Original Message-----
>>>> From: Freeman Fang [mailto:freeman.fang@gmail.com]
>>>> Sent: woensdag 8 mei 2013 5:00
>>>> To: users@cxf.apache.org
>>>> Subject: Re: A SOAP 1.2 message is not valid when sent to a SOAP 1.1
>>>> only endpoint
>>>>
>>>> Hi,
>>>>
>>>> You need append your client side configuration and code so that we
>>>> can take a look
>>>> -------------
>>>> Freeman(Yue) Fang
>>>>
>>>> Red Hat, Inc.
>>>> FuseSource is now part of Red Hat
>>>> Web: http://fusesource.com | http://www.redhat.com/
>>>> Twitter: freemanfang
>>>> Blog: http://freemanfang.blogspot.com
>>>> http://blog.sina.com.cn/u/1473905042
>>>> weibo: @Freeman??
>>>>
>>>> On 2013-5-8, at ??2:20, Ed Bras wrote:
>>>>
>>>>> Hi All,
>>>>> I don't know what I changed anymore :(... But I have ended up with
>>>>> this exception which I don't seem to solve:
>>>>> ---
>>>>> Caused by: javax.xml.ws.soap.SOAPFaultException: A SOAP 1.2 message
>>>> is
>>>>> not valid when sent to a SOAP 1.1 only endpoint.
>>>>> ---
>>>>>
>>>>> I am using CXF 2.7.4 and have the classes generated from the wsdl.
>> I
>>>>> am using the MTOM and WSS4JOutInterceptor for signing outgoing
>>>> messages.
>>>>>
>>>>> The wsdl contains things like:
>>>>> ----
>>>>> <wsdl:definitions ... xmlns:soap11="http ... > <soap11:binding
>>>>> <soap11:operation soap11:address
>>>>> ----
>>>>>
>>>>> So that all sound like soap 1.1, but somehow soap 1.2 is being used
>>>> in
>>>>> the client for the created message. I have added this in my jaxws
>>>>> client config, but it had no effect.
>>>>> ----
>>>>> <jaxws:binding>
>>>>> <soap:soapBinding version="1.1"/> </jaxws:binding>
>>>>> ----
>>>>>
>>>>> Why does CXF try to use soap 1.2 at all?
>>>>>
>>>>> Please some advice on how to solve this?
>>>>> - Ed
>>>>>
>>>
>>>
>
>
RE: A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only endpoint
Posted by Ed Bras <zo...@debrasjes.com>.
Hi,
Thanks for the quick reply.
I just did some more tests concerning your Mtom remark below, but I noticed that it seem to run ok, that is: I don't seem to get the "SOAP 1.1 only endpoint" error anymore. I also looked on the nightly build server, and it seem to run ok for the last few days... But I can't even remember changing anything... strange... Currently I do get another exception, but I am pretty sure that has to do with the test environment of the server I am connecting to. The "Soap 1.1." error I got was on the client side already.
Anyway, I am a bit confused about your mtom remark below, as to me it seems to work (besides having the exception currently, it works during nightly build last night and before) and changing it has no effect on my unit tests.. I see in the debug that it goes out as with the correct mime type " <mimeType>application/octet-stream</mimeType>".
Why does this not work together?
The class DynamicWsaSignaturePartsInterceptor does basically what is described here:
http://davidvaleri.wordpress.com/2010/09/15/signing-ws-addressing-headers-in-apache-cxf/
I use this as I am signing some headers that can be null, such that they must be excluded.
Sorry, but don't understand what more you want to see of client code, I don't have think I have more that what I list below. The DeliveryService bean comes from the cxf-client.xml config and is injected by Spring and is an cxf axWasClientProxy instance.
- Ed
> -----Original Message-----
> From: Freeman Fang [mailto:freeman.fang@gmail.com]
> Sent: donderdag 9 mei 2013 9:35
> To: users@cxf.apache.org
> Subject: Re: A SOAP 1.2 message is not valid when sent to a SOAP 1.1
> only endpoint
>
> Hi,
>
> What's the
> DynamicWsaSignaturePartsInterceptor
> like?
>
> Also, could you please append the client code where you send out
> request?
>
> Btw, now MTOM + WS-Security does not work together in CXF, please
> remove <entry key="mtom-enabled" value="true"/> from your
> configuration to see if it helps
> -------------
> Freeman(Yue) Fang
>
> Red Hat, Inc.
> FuseSource is now part of Red Hat
> Web: http://fusesource.com | http://www.redhat.com/
> Twitter: freemanfang
> Blog: http://freemanfang.blogspot.com
> http://blog.sina.com.cn/u/1473905042
> weibo: @Freeman??
>
> On 2013-5-9, at ??3:15, Ed Bras wrote:
>
> > Hi,
> > I hoped the info below would be enough. Here the cxf client config
> and code of usage.
> > Spring config: I have 3 cxf spring config files, listed below:
> > A) cxf-general.xml that includes the B) cxf-client.xml and C)
> > cxf-tls.xml
> >
> > I hope you can see the cause of this error (see subject mail). If
> more config/code is needed, please let me know.
> >
> >
> > Code usage:
> > ------------------
> > private final DeliveryService digiDelivery; // injected by
> Spring, contained in client spring config below.
> > private Response deliver(final Request request) {
> > return this.digiDelivery.deliver(request);
> > }
> >
> > // The class DeliveryService is generated:
> >
> > @WebService(targetNamespace = "http://Bla/1.2/", name =
> > "DeliveryService") @XmlSeeAlso({ObjectFactory.class })
> > @SOAPBinding(parameterStyle = SOAPBinding.ParameterStyle.BARE) public
> > interface DeliveryService {
> >
> > @WebResult(name = "response", targetNamespace =
> "http://Bla/1.2/", partName = "response")
> > @Action(output =
> "http://Bka/1.2/DeliveryService/deliveryResponse", fault = {
> @FaultAction(className = DeliveryServiceFault.class, value =
> "http://Bla/1.2/DeliveryService/delivery/Fault/") })
> > @WebMethod(action = "http://Bla/1.2/DeliveryService/Request")
> > public Response aanleveren(@WebParam(partName = "request", name =
> > "request", targetNamespace = "http://Bla/services/1.2/") Request
> > request) throws AanleverServiceFault; }
> > ------------------
> >
> >
> >
> > A) CXF-general.xml:
> > ------------------
> > <import resource="cxf-tls.xml" />
> > <import resource="cxf-client.xml" />
> >
> > <!-- General CXF config:
> > 1) http://cxf.apache.org/docs/configuration.html
> > -->
> > <cxf:bus>
> > <cxf:features>
> > <cxf:logging/>
> >
> > <policy:policies/>
> >
> > <!-- WS-addressing required, see 2) -->
> > <wsa:addressing/> <!-- see:
> http://en.wikipedia.org/wiki/WS-Addressing -->
> > </cxf:features>
> > </cxf:bus>
> > ------------------
> >
> >
> >
> > B) CXF-tls.xml:
> > ----------------------
> > <http:conduit
> name="{http://bla/1.2/}AanleverService_V1_2Port.http-conduit">
> > <http:tlsClientParameters>
> >
> > <!-- "keyPassword" is the password to access/retrieve
> the private key in the key store it self -->
> > <sec:keyManagers
> keyPassword="${tls.keystore.private.key.pwd}" >
> > <!-- The keystore that contains our private key to
> encrypt send data (1 key only) -->
> > <sec:keyStore
> resource="${tls.keystore.private}"
> password="${tls.keystore.private.pwd}" />
> > </sec:keyManagers>
> >
> > <sec:trustManagers>
> > <!-- This list of certificates that is used to decide
> whether or not to trust certificates -->
> > <sec:keyStore
> resource="${tls.keystore.trusted}"
> password="${tls.keystore.trusted.pwd}"/>
> > </sec:trustManagers>
> >
> > <sec:cipherSuitesFilter>
> > <sec:include>.*_EXPORT_.*</sec:include>
> > <sec:include>.*_EXPORT1024_.*</sec:include>
> > <sec:include>.*_WITH_DES_.*</sec:include>
> > <sec:include>.*_WITH_AES_.*</sec:include>
> > <sec:include>.*_WITH_NULL_.*</sec:include>
> > <sec:exclude>.*_DH_anon_.*</sec:exclude>
> > </sec:cipherSuitesFilter>
> > </http:tlsClientParameters>
> > </http:conduit>
> > ----------------------
> >
> >
> >
> > C) CXF client spring config (don't own the server side):
> > ----------------------
> > <jaxws:client id="digiDelivery" serviceClass="DeliverService"
> address="${ deliver.url}">
> > <jaxws:inInterceptors>
> > <ref bean="SigningInterceptorIn"/>
> > <ref bean="wsaSignaturePartsInterceptor"/>
> > </jaxws:inInterceptors>
> >
> > <jaxws:outInterceptors>
> > <ref bean="SigningInterceptorOut"/>
> > <ref bean="wsaSignaturePartsInterceptor"/>
> > </jaxws:outInterceptors>
> >
> > <jaxws:properties>
> > <entry key="mtom-enabled" value="true"/>
> > <entry key="signatureParts"
> value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-
> wss-wssecurity-utility-1.0.xsd}Timestamp;
> >
> {Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
> > </jaxws:properties>
> >
> > <!--Tried this, but had no effect: jaxws:binding>
> > <soap:soapBinding version="1.1"/>
> > </jaxws:binding-->
> > </jaxws:client>
> >
> > <!-- It will dynamically set the WSA signing parts if required,
> depending if they contain any value.
> > See the class for details -->
> > <bean id="wsaSignaturePartsInterceptor"
> class="DynamicWsaSignaturePartsInterceptor"/>
> > <!-- Required to Sign an outgoing message. -->
> > <bean id="SigningInterceptorOut"
> class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
> > <constructor-arg>
> > <map>
> > <entry key="action" value="Timestamp Signature"/>
> > <entry key="timeToLive" value="300" />
> > <entry key="user"
> > value="${deliver.keystore.private.sign.key.alias}"/>
> >
> > <!-- Used to retrieve the passwords of an alias. -->
> > <entry key="passwordCallbackRef"
> > value-ref="pwCallback"/>
> >
> > <!-- Required to send the signature certificate a
> long with the message -->
> > <entry key="signatureKeyIdentifier"
> > value="DirectReference" />
> >
> > <!-- A reference to the Crypto security
> properties -->
> > <entry key="signaturePropRefId"
> value="cryptoProperties"/>
> > <entry key="cryptoProperties" value-
> ref="cryptoProperties"/>
> > </map>
> > </constructor-arg>
> > </bean>
> >
> > <!-- Required to validate an incoming signed message. -->
> > <bean id="SigningInterceptorIn"
> class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> > <constructor-arg>
> > <map>
> > <entry key="action" value="Timestamp Signature"/>
> > <entry key="signaturePropRefId"
> value="cryptoProperties"/>
> > <entry key="cryptoProperties" value-
> ref="cryptoProperties"/>
> > </map>
> > </constructor-arg>
> > </bean>
> >
> > <!-- A callback that returns the keystore password of an alias. -
> ->
> > <bean id="pwCallback" class="ClientKeystorePasswordCallback">
> > <property name="passwords">
> > <util:map key-type="java.lang.String" value-
> type="java.lang.String">
> > <entry key="${deliver.keystore.private.sign.key.alias}"
> value="${deliver.keystore.private.sign.key.pwd}"/>
> > </util:map>
> > </property>
> > </bean>
> >
> > <!-- Ref:
> > 1) http://ws.apache.org/wss4j/config.html
> > 2) https://sites.google.com/site/ddmwsst/ws-security-impl
> -->
> > <util:properties id="cryptoProperties">
> > <!-- The private keystore info to sign the message -->
> > <prop
> key="org.apache.ws.security.crypto.merlin.keystore.file">${deliver.keys
> tore.private}</prop>
> > <prop
> key="org.apache.ws.security.crypto.merlin.keystore.password">${deliver.
> keystore.private.pwd}</prop>
> > <!-- The trusted keystore info for unsigning received messages --
> >
> > <prop
> key="org.apache.ws.security.crypto.merlin.truststore.file">${deliver.ke
> ystore.trusted}</prop>
> > <prop
> key="org.apache.ws.security.crypto.merlin.truststore.password">${delive
> r.keystore.trusted.pwd}</prop>
> > </util:properties>
> >
> > ----------------------
> >
> >
> >> -----Original Message-----
> >> From: Freeman Fang [mailto:freeman.fang@gmail.com]
> >> Sent: woensdag 8 mei 2013 5:00
> >> To: users@cxf.apache.org
> >> Subject: Re: A SOAP 1.2 message is not valid when sent to a SOAP 1.1
> >> only endpoint
> >>
> >> Hi,
> >>
> >> You need append your client side configuration and code so that we
> >> can take a look
> >> -------------
> >> Freeman(Yue) Fang
> >>
> >> Red Hat, Inc.
> >> FuseSource is now part of Red Hat
> >> Web: http://fusesource.com | http://www.redhat.com/
> >> Twitter: freemanfang
> >> Blog: http://freemanfang.blogspot.com
> >> http://blog.sina.com.cn/u/1473905042
> >> weibo: @Freeman??
> >>
> >> On 2013-5-8, at ??2:20, Ed Bras wrote:
> >>
> >>> Hi All,
> >>> I don't know what I changed anymore :(... But I have ended up with
> >>> this exception which I don't seem to solve:
> >>> ---
> >>> Caused by: javax.xml.ws.soap.SOAPFaultException: A SOAP 1.2 message
> >> is
> >>> not valid when sent to a SOAP 1.1 only endpoint.
> >>> ---
> >>>
> >>> I am using CXF 2.7.4 and have the classes generated from the wsdl.
> I
> >>> am using the MTOM and WSS4JOutInterceptor for signing outgoing
> >> messages.
> >>>
> >>> The wsdl contains things like:
> >>> ----
> >>> <wsdl:definitions ... xmlns:soap11="http ... > <soap11:binding
> >>> <soap11:operation soap11:address
> >>> ----
> >>>
> >>> So that all sound like soap 1.1, but somehow soap 1.2 is being used
> >> in
> >>> the client for the created message. I have added this in my jaxws
> >>> client config, but it had no effect.
> >>> ----
> >>> <jaxws:binding>
> >>> <soap:soapBinding version="1.1"/> </jaxws:binding>
> >>> ----
> >>>
> >>> Why does CXF try to use soap 1.2 at all?
> >>>
> >>> Please some advice on how to solve this?
> >>> - Ed
> >>>
> >
> >
Re: A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only endpoint
Posted by Freeman Fang <fr...@gmail.com>.
Hi,
What's the
DynamicWsaSignaturePartsInterceptor
like?
Also, could you please append the client code where you send out request?
Btw, now MTOM + WS-Security does not work together in CXF, please remove <entry key="mtom-enabled" value="true"/> from your configuration to see if it helps
-------------
Freeman(Yue) Fang
Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋
On 2013-5-9, at 下午3:15, Ed Bras wrote:
> Hi,
> I hoped the info below would be enough. Here the cxf client config and code of usage.
> Spring config: I have 3 cxf spring config files, listed below:
> A) cxf-general.xml that includes the B) cxf-client.xml and C) cxf-tls.xml
>
> I hope you can see the cause of this error (see subject mail). If more config/code is needed, please let me know.
>
>
> Code usage:
> ------------------
> private final DeliveryService digiDelivery; // injected by Spring, contained in client spring config below.
> private Response deliver(final Request request) {
> return this.digiDelivery.deliver(request);
> }
>
> // The class DeliveryService is generated:
>
> @WebService(targetNamespace = "http://Bla/1.2/", name = "DeliveryService")
> @XmlSeeAlso({ObjectFactory.class })
> @SOAPBinding(parameterStyle = SOAPBinding.ParameterStyle.BARE)
> public interface DeliveryService {
>
> @WebResult(name = "response", targetNamespace = "http://Bla/1.2/", partName = "response")
> @Action(output = "http://Bka/1.2/DeliveryService/deliveryResponse", fault = { @FaultAction(className = DeliveryServiceFault.class, value = "http://Bla/1.2/DeliveryService/delivery/Fault/") })
> @WebMethod(action = "http://Bla/1.2/DeliveryService/Request")
> public Response aanleveren(@WebParam(partName = "request", name = "request", targetNamespace = "http://Bla/services/1.2/") Request request) throws AanleverServiceFault;
> }
> ------------------
>
>
>
> A) CXF-general.xml:
> ------------------
> <import resource="cxf-tls.xml" />
> <import resource="cxf-client.xml" />
>
> <!-- General CXF config:
> 1) http://cxf.apache.org/docs/configuration.html
> -->
> <cxf:bus>
> <cxf:features>
> <cxf:logging/>
>
> <policy:policies/>
>
> <!-- WS-addressing required, see 2) -->
> <wsa:addressing/> <!-- see: http://en.wikipedia.org/wiki/WS-Addressing -->
> </cxf:features>
> </cxf:bus>
> ------------------
>
>
>
> B) CXF-tls.xml:
> ----------------------
> <http:conduit name="{http://bla/1.2/}AanleverService_V1_2Port.http-conduit">
> <http:tlsClientParameters>
>
> <!-- "keyPassword" is the password to access/retrieve the private key in the key store it self -->
> <sec:keyManagers keyPassword="${tls.keystore.private.key.pwd}" >
> <!-- The keystore that contains our private key to encrypt send data (1 key only) -->
> <sec:keyStore resource="${tls.keystore.private}" password="${tls.keystore.private.pwd}" />
> </sec:keyManagers>
>
> <sec:trustManagers>
> <!-- This list of certificates that is used to decide whether or not to trust certificates -->
> <sec:keyStore resource="${tls.keystore.trusted}" password="${tls.keystore.trusted.pwd}"/>
> </sec:trustManagers>
>
> <sec:cipherSuitesFilter>
> <sec:include>.*_EXPORT_.*</sec:include>
> <sec:include>.*_EXPORT1024_.*</sec:include>
> <sec:include>.*_WITH_DES_.*</sec:include>
> <sec:include>.*_WITH_AES_.*</sec:include>
> <sec:include>.*_WITH_NULL_.*</sec:include>
> <sec:exclude>.*_DH_anon_.*</sec:exclude>
> </sec:cipherSuitesFilter>
> </http:tlsClientParameters>
> </http:conduit>
> ----------------------
>
>
>
> C) CXF client spring config (don't own the server side):
> ----------------------
> <jaxws:client id="digiDelivery" serviceClass="DeliverService" address="${ deliver.url}">
> <jaxws:inInterceptors>
> <ref bean="SigningInterceptorIn"/>
> <ref bean="wsaSignaturePartsInterceptor"/>
> </jaxws:inInterceptors>
>
> <jaxws:outInterceptors>
> <ref bean="SigningInterceptorOut"/>
> <ref bean="wsaSignaturePartsInterceptor"/>
> </jaxws:outInterceptors>
>
> <jaxws:properties>
> <entry key="mtom-enabled" value="true"/>
> <entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;
> {Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
> </jaxws:properties>
>
> <!--Tried this, but had no effect: jaxws:binding>
> <soap:soapBinding version="1.1"/>
> </jaxws:binding-->
> </jaxws:client>
>
> <!-- It will dynamically set the WSA signing parts if required, depending if they contain any value.
> See the class for details -->
> <bean id="wsaSignaturePartsInterceptor" class="DynamicWsaSignaturePartsInterceptor"/>
> <!-- Required to Sign an outgoing message. -->
> <bean id="SigningInterceptorOut" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
> <constructor-arg>
> <map>
> <entry key="action" value="Timestamp Signature"/>
> <entry key="timeToLive" value="300" />
> <entry key="user" value="${deliver.keystore.private.sign.key.alias}"/>
>
> <!-- Used to retrieve the passwords of an alias. -->
> <entry key="passwordCallbackRef" value-ref="pwCallback"/>
>
> <!-- Required to send the signature certificate a long with the message -->
> <entry key="signatureKeyIdentifier" value="DirectReference" />
>
> <!-- A reference to the Crypto security properties -->
> <entry key="signaturePropRefId" value="cryptoProperties"/>
> <entry key="cryptoProperties" value-ref="cryptoProperties"/>
> </map>
> </constructor-arg>
> </bean>
>
> <!-- Required to validate an incoming signed message. -->
> <bean id="SigningInterceptorIn" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> <constructor-arg>
> <map>
> <entry key="action" value="Timestamp Signature"/>
> <entry key="signaturePropRefId" value="cryptoProperties"/>
> <entry key="cryptoProperties" value-ref="cryptoProperties"/>
> </map>
> </constructor-arg>
> </bean>
>
> <!-- A callback that returns the keystore password of an alias. -->
> <bean id="pwCallback" class="ClientKeystorePasswordCallback">
> <property name="passwords">
> <util:map key-type="java.lang.String" value-type="java.lang.String">
> <entry key="${deliver.keystore.private.sign.key.alias}" value="${deliver.keystore.private.sign.key.pwd}"/>
> </util:map>
> </property>
> </bean>
>
> <!-- Ref:
> 1) http://ws.apache.org/wss4j/config.html
> 2) https://sites.google.com/site/ddmwsst/ws-security-impl -->
> <util:properties id="cryptoProperties">
> <!-- The private keystore info to sign the message -->
> <prop key="org.apache.ws.security.crypto.merlin.keystore.file">${deliver.keystore.private}</prop>
> <prop key="org.apache.ws.security.crypto.merlin.keystore.password">${deliver.keystore.private.pwd}</prop>
> <!-- The trusted keystore info for unsigning received messages -->
> <prop key="org.apache.ws.security.crypto.merlin.truststore.file">${deliver.keystore.trusted}</prop>
> <prop key="org.apache.ws.security.crypto.merlin.truststore.password">${deliver.keystore.trusted.pwd}</prop>
> </util:properties>
>
> ----------------------
>
>
>> -----Original Message-----
>> From: Freeman Fang [mailto:freeman.fang@gmail.com]
>> Sent: woensdag 8 mei 2013 5:00
>> To: users@cxf.apache.org
>> Subject: Re: A SOAP 1.2 message is not valid when sent to a SOAP 1.1
>> only endpoint
>>
>> Hi,
>>
>> You need append your client side configuration and code so that we can
>> take a look
>> -------------
>> Freeman(Yue) Fang
>>
>> Red Hat, Inc.
>> FuseSource is now part of Red Hat
>> Web: http://fusesource.com | http://www.redhat.com/
>> Twitter: freemanfang
>> Blog: http://freemanfang.blogspot.com
>> http://blog.sina.com.cn/u/1473905042
>> weibo: @Freeman??
>>
>> On 2013-5-8, at ??2:20, Ed Bras wrote:
>>
>>> Hi All,
>>> I don't know what I changed anymore :(... But I have ended up with
>>> this exception which I don't seem to solve:
>>> ---
>>> Caused by: javax.xml.ws.soap.SOAPFaultException: A SOAP 1.2 message
>> is
>>> not valid when sent to a SOAP 1.1 only endpoint.
>>> ---
>>>
>>> I am using CXF 2.7.4 and have the classes generated from the wsdl. I
>>> am using the MTOM and WSS4JOutInterceptor for signing outgoing
>> messages.
>>>
>>> The wsdl contains things like:
>>> ----
>>> <wsdl:definitions ... xmlns:soap11="http ... > <soap11:binding
>>> <soap11:operation soap11:address
>>> ----
>>>
>>> So that all sound like soap 1.1, but somehow soap 1.2 is being used
>> in
>>> the client for the created message. I have added this in my jaxws
>>> client config, but it had no effect.
>>> ----
>>> <jaxws:binding>
>>> <soap:soapBinding version="1.1"/> </jaxws:binding>
>>> ----
>>>
>>> Why does CXF try to use soap 1.2 at all?
>>>
>>> Please some advice on how to solve this?
>>> - Ed
>>>
>
>
RE: A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only endpoint
Posted by Ed Bras <zo...@debrasjes.com>.
Hi,
I hoped the info below would be enough. Here the cxf client config and code of usage.
Spring config: I have 3 cxf spring config files, listed below:
A) cxf-general.xml that includes the B) cxf-client.xml and C) cxf-tls.xml
I hope you can see the cause of this error (see subject mail). If more config/code is needed, please let me know.
Code usage:
------------------
private final DeliveryService digiDelivery; // injected by Spring, contained in client spring config below.
private Response deliver(final Request request) {
return this.digiDelivery.deliver(request);
}
// The class DeliveryService is generated:
@WebService(targetNamespace = "http://Bla/1.2/", name = "DeliveryService")
@XmlSeeAlso({ObjectFactory.class })
@SOAPBinding(parameterStyle = SOAPBinding.ParameterStyle.BARE)
public interface DeliveryService {
@WebResult(name = "response", targetNamespace = "http://Bla/1.2/", partName = "response")
@Action(output = "http://Bka/1.2/DeliveryService/deliveryResponse", fault = { @FaultAction(className = DeliveryServiceFault.class, value = "http://Bla/1.2/DeliveryService/delivery/Fault/") })
@WebMethod(action = "http://Bla/1.2/DeliveryService/Request")
public Response aanleveren(@WebParam(partName = "request", name = "request", targetNamespace = "http://Bla/services/1.2/") Request request) throws AanleverServiceFault;
}
------------------
A) CXF-general.xml:
------------------
<import resource="cxf-tls.xml" />
<import resource="cxf-client.xml" />
<!-- General CXF config:
1) http://cxf.apache.org/docs/configuration.html
-->
<cxf:bus>
<cxf:features>
<cxf:logging/>
<policy:policies/>
<!-- WS-addressing required, see 2) -->
<wsa:addressing/> <!-- see: http://en.wikipedia.org/wiki/WS-Addressing -->
</cxf:features>
</cxf:bus>
------------------
B) CXF-tls.xml:
----------------------
<http:conduit name="{http://bla/1.2/}AanleverService_V1_2Port.http-conduit">
<http:tlsClientParameters>
<!-- "keyPassword" is the password to access/retrieve the private key in the key store it self -->
<sec:keyManagers keyPassword="${tls.keystore.private.key.pwd}" >
<!-- The keystore that contains our private key to encrypt send data (1 key only) -->
<sec:keyStore resource="${tls.keystore.private}" password="${tls.keystore.private.pwd}" />
</sec:keyManagers>
<sec:trustManagers>
<!-- This list of certificates that is used to decide whether or not to trust certificates -->
<sec:keyStore resource="${tls.keystore.trusted}" password="${tls.keystore.trusted.pwd}"/>
</sec:trustManagers>
<sec:cipherSuitesFilter>
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
</http:conduit>
----------------------
C) CXF client spring config (don't own the server side):
----------------------
<jaxws:client id="digiDelivery" serviceClass="DeliverService" address="${ deliver.url}">
<jaxws:inInterceptors>
<ref bean="SigningInterceptorIn"/>
<ref bean="wsaSignaturePartsInterceptor"/>
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref bean="SigningInterceptorOut"/>
<ref bean="wsaSignaturePartsInterceptor"/>
</jaxws:outInterceptors>
<jaxws:properties>
<entry key="mtom-enabled" value="true"/>
<entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;
{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
</jaxws:properties>
<!--Tried this, but had no effect: jaxws:binding>
<soap:soapBinding version="1.1"/>
</jaxws:binding-->
</jaxws:client>
<!-- It will dynamically set the WSA signing parts if required, depending if they contain any value.
See the class for details -->
<bean id="wsaSignaturePartsInterceptor" class="DynamicWsaSignaturePartsInterceptor"/>
<!-- Required to Sign an outgoing message. -->
<bean id="SigningInterceptorOut" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature"/>
<entry key="timeToLive" value="300" />
<entry key="user" value="${deliver.keystore.private.sign.key.alias}"/>
<!-- Used to retrieve the passwords of an alias. -->
<entry key="passwordCallbackRef" value-ref="pwCallback"/>
<!-- Required to send the signature certificate a long with the message -->
<entry key="signatureKeyIdentifier" value="DirectReference" />
<!-- A reference to the Crypto security properties -->
<entry key="signaturePropRefId" value="cryptoProperties"/>
<entry key="cryptoProperties" value-ref="cryptoProperties"/>
</map>
</constructor-arg>
</bean>
<!-- Required to validate an incoming signed message. -->
<bean id="SigningInterceptorIn" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature"/>
<entry key="signaturePropRefId" value="cryptoProperties"/>
<entry key="cryptoProperties" value-ref="cryptoProperties"/>
</map>
</constructor-arg>
</bean>
<!-- A callback that returns the keystore password of an alias. -->
<bean id="pwCallback" class="ClientKeystorePasswordCallback">
<property name="passwords">
<util:map key-type="java.lang.String" value-type="java.lang.String">
<entry key="${deliver.keystore.private.sign.key.alias}" value="${deliver.keystore.private.sign.key.pwd}"/>
</util:map>
</property>
</bean>
<!-- Ref:
1) http://ws.apache.org/wss4j/config.html
2) https://sites.google.com/site/ddmwsst/ws-security-impl -->
<util:properties id="cryptoProperties">
<!-- The private keystore info to sign the message -->
<prop key="org.apache.ws.security.crypto.merlin.keystore.file">${deliver.keystore.private}</prop>
<prop key="org.apache.ws.security.crypto.merlin.keystore.password">${deliver.keystore.private.pwd}</prop>
<!-- The trusted keystore info for unsigning received messages -->
<prop key="org.apache.ws.security.crypto.merlin.truststore.file">${deliver.keystore.trusted}</prop>
<prop key="org.apache.ws.security.crypto.merlin.truststore.password">${deliver.keystore.trusted.pwd}</prop>
</util:properties>
----------------------
> -----Original Message-----
> From: Freeman Fang [mailto:freeman.fang@gmail.com]
> Sent: woensdag 8 mei 2013 5:00
> To: users@cxf.apache.org
> Subject: Re: A SOAP 1.2 message is not valid when sent to a SOAP 1.1
> only endpoint
>
> Hi,
>
> You need append your client side configuration and code so that we can
> take a look
> -------------
> Freeman(Yue) Fang
>
> Red Hat, Inc.
> FuseSource is now part of Red Hat
> Web: http://fusesource.com | http://www.redhat.com/
> Twitter: freemanfang
> Blog: http://freemanfang.blogspot.com
> http://blog.sina.com.cn/u/1473905042
> weibo: @Freeman??
>
> On 2013-5-8, at ??2:20, Ed Bras wrote:
>
> > Hi All,
> > I don't know what I changed anymore :(... But I have ended up with
> > this exception which I don't seem to solve:
> > ---
> > Caused by: javax.xml.ws.soap.SOAPFaultException: A SOAP 1.2 message
> is
> > not valid when sent to a SOAP 1.1 only endpoint.
> > ---
> >
> > I am using CXF 2.7.4 and have the classes generated from the wsdl. I
> > am using the MTOM and WSS4JOutInterceptor for signing outgoing
> messages.
> >
> > The wsdl contains things like:
> > ----
> > <wsdl:definitions ... xmlns:soap11="http ... > <soap11:binding
> > <soap11:operation soap11:address
> > ----
> >
> > So that all sound like soap 1.1, but somehow soap 1.2 is being used
> in
> > the client for the created message. I have added this in my jaxws
> > client config, but it had no effect.
> > ----
> > <jaxws:binding>
> > <soap:soapBinding version="1.1"/> </jaxws:binding>
> > ----
> >
> > Why does CXF try to use soap 1.2 at all?
> >
> > Please some advice on how to solve this?
> > - Ed
> >
Re: A SOAP 1.2 message is not valid when sent to a SOAP 1.1 only endpoint
Posted by Freeman Fang <fr...@gmail.com>.
Hi,
You need append your client side configuration and code so that we can take a look
-------------
Freeman(Yue) Fang
Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋
On 2013-5-8, at 上午2:20, Ed Bras wrote:
> Hi All,
> I don't know what I changed anymore :(... But I have ended up with this
> exception which I don't seem to solve:
> ---
> Caused by: javax.xml.ws.soap.SOAPFaultException: A SOAP 1.2 message is not
> valid when sent to a SOAP 1.1 only endpoint.
> ---
>
> I am using CXF 2.7.4 and have the classes generated from the wsdl. I am
> using the MTOM and WSS4JOutInterceptor for signing outgoing messages.
>
> The wsdl contains things like:
> ----
> <wsdl:definitions ... xmlns:soap11="http ... >
> <soap11:binding
> <soap11:operation
> soap11:address
> ----
>
> So that all sound like soap 1.1, but somehow soap 1.2 is being used in the
> client for the created message. I have added this in my jaxws client config,
> but it had no effect.
> ----
> <jaxws:binding>
> <soap:soapBinding version="1.1"/>
> </jaxws:binding>
> ----
>
> Why does CXF try to use soap 1.2 at all?
>
> Please some advice on how to solve this?
> - Ed
>