Posted to users@cxf.apache.org by St...@faa.gov on 2014/09/23 19:48:13 UTC

Help loading signature properties

I'm working on migrating some legacy code I've been stuck with from CXF 2.3/WSS4J 1.5 up to CXF 2.7/WSS4J 1.6, and I'm having some troubles. The latest issue is something that I'm sure is obvious and I'm just not seeing ... I am getting this exception when I run one of my tests:

org.apache.cxf.binding.soap.SoapFault: Security processing failed.
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:280)
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:141)
        ....
Caused by: org.apache.ws.security.WSSecurityException: Error during Signature:
        at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:122)
        at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:232)
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:265)
        ... 47 more
Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied to verify signature)
        at org.apache.ws.security.message.WSSecSignature.getSigningCerts(WSSecSignature.java:789)
        at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:169)
        at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:71)
        ... 50 more

I've shortened the stack trace a bit but that should be the most important parts. Now the exception itself I think is clear - there's a problem with the crypto properties. It's the exact problem that eludes me. In my Spring configuration, the original developers referenced a Crypto bean rather than using an external file. This is the bean configuration:

  <bean id="wss4jOutInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Timestamp Signature" />
        <entry key="user" value="test-user (test ca 1)" />
        <entry key="timeToLive" value="60" />
        <entry key="signatureUser" value="test-user (test ca 1)" />
        <entry key="signatureKeyIdentifier" value="DirectReference" />
        <entry key="SignaturePropRefId" value="signatureProperties" />
        <entry key="signatureProperties" value-ref="cryptoProperties" />
        <entry key="signatureParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body; {Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />
        <entry key="signatureAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <entry key="passwordCallbackRef" value-ref="pwCallback" />
      </map>
    </constructor-arg>
  </bean>

  <bean id="wss4jInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Signature Timestamp Encrypt" />
        <entry key="SignaturePropRefId" value="cryptoProperties" />
        <entry key="decryptionPropRefId" value="cryptoProperties" />
        <entry key="cryptoProperties" value-ref="cryptoProperties" />
        <entry key="passwordCallbackRef" value-ref="pwCallback" />
      </map>
    </constructor-arg>
  </bean>

  <util:properties id="cryptoProperties">
    <prop key="org.apache.ws.security.crypto.provider">org.apache.ws.security.components.crypto.Merlin</prop>
    <prop key="org.apache.ws.security.crypto.merlin.keystore.file">test-user.jks</prop>
    <prop key="org.apache.ws.security.crypto.merlin.keystore.type">jks</prop>
    <!-- <prop key="org.apache.ws.security.crypto.merlin.keystore.provider"></prop> -->
    <prop key="org.apache.ws.security.crypto.merlin.keystore.password">xxxxx</prop>
    <prop key="org.apache.ws.security.crypto.merlin.load.cacerts">false</prop>
  </util:properties>

Does anyone have any ideas on what may be off here? Thanx,

Stephen W. Chappell

RE: Help loading signature properties

Posted by St...@faa.gov.
Solved, again. Same problem, different file. Sorry about that.

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Tuesday, September 23, 2014 2:54 PM
To: users@cxf.apache.org
Subject: RE: Help loading signature properties

As usual, I spoke too soon. The problem has moved, not been solved. Now I have this (very similar) exception, against the inInterceptor this time:

org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied to verify signature)
        at org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:186)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:355)
        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:319)
        at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:65)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1088)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1024)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.server.Server.handle(Server.java:370)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
        at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:957)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Thread.java:662)

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Tuesday, September 23, 2014 2:41 PM
To: users@cxf.apache.org
Subject: RE: Help loading signature properties

Problem solved. I found a discussion here on a similar problem: http://cxf.547215.n5.nabble.com/WS-Security-Properties-Reference-td5505704.html. For anyone who is interested, "SignaturePropRefId" was used in WSS4J 1.5, but was changed to "signaturePropRefId" in WSS4J 1.6.

Thanx,

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Tuesday, September 23, 2014 2:04 PM
To: users@cxf.apache.org
Subject: RE: Help loading signature properties

Thanx, Glen. I think the dependencies are there. There are several layers of pom file to decode, but the pom file building this bit has this:

    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-ws-security</artifactId>
      <version>${cxf-version}</version>
      <scope>test</scope>
    </dependency>

And its parent pom file has this:

    <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
      <version>${spring-version}</version>
      <scope>test</scope>
    </dependency>

So I think I'm covered dependency-wise. I've specified Spring 3.1.0, because I was having issues with ehCache that seemed to warrant it.

Stephen W. Chappell

-----Original Message-----
From: Glen Mazza [mailto:glen.mazza@gmail.com] 
Sent: Tuesday, September 23, 2014 1:53 PM
To: users@cxf.apache.org
Subject: Re: Help loading signature properties

Did you add the required Spring dependencies (necessary to read your Spring config) to your code as part of the upgrade?  CXF 2.3 automatically included dependencies that later versions do not.

http://web-gmazza.rhcloud.com/blog/entry/cxf-usernametoken-profile#UTCXF2

Glen


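A lint for the failure this thread ends on, as an added example that is not part of the original messages or of CXF/WSS4J: it flags interceptor map keys whose case differs from the WSS4J 1.6 name, `*PropRefId` values that name no entry in the same map, and a `Signature` action with no exact-case crypto key. The key list is limited to names used in the thread plus their `*PropFile` siblings, and the rule names, `BEFORE`/`AFTER`/`DANGLING` samples and the same-map assumption are constructed for this example.

```python
import xml.etree.ElementTree as ET

# WSS4J 1.6 key names seen in this thread plus their *PropFile siblings.
# The interceptor reads them as exact map keys, so case matters.
KNOWN_KEYS = {
    "action", "user", "timeToLive", "passwordCallbackRef",
    "signatureUser", "signatureKeyIdentifier", "signatureParts",
    "signatureAlgorithm", "signatureDigestAlgorithm",
    "signaturePropRefId", "signaturePropFile",
    "decryptionPropRefId", "decryptionPropFile",
}
CANONICAL = {k.lower(): k for k in KNOWN_KEYS}
SIGNATURE_CRYPTO_KEYS = ("signaturePropRefId", "signaturePropFile")
INTERCEPTORS = ("WSS4JOutInterceptor", "WSS4JInInterceptor")


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def lint(xml_text):
    """Return (bean id, rule, key, detail) tuples for a Spring beans document."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if local(bean.tag) != "bean":
            continue
        if not bean.get("class", "").endswith(INTERCEPTORS):
            continue
        bean_id = bean.get("id", "?")
        entries = {e.get("key"): e for e in bean.iter()
                   if local(e.tag) == "entry" and e.get("key")}

        for key, entry in entries.items():
            want = CANONICAL.get(key.lower())
            if want is None:
                continue  # not a WSS4J key, e.g. the referenced entry itself
            if want != key:
                # Right name, wrong case: WSS4J 1.6 never reads this entry.
                findings.append((bean_id, "case", key, want))
            if want.endswith("PropRefId") and entry.get("value") not in entries:
                # Assumption: the referenced object lives in the same map,
                # as it does in the configuration posted in the thread.
                findings.append((bean_id, "dangling", key, entry.get("value")))

        action = entries.get("action")
        actions = action.get("value", "").split() if action is not None else []
        if "Signature" in actions and not any(
                k in entries for k in SIGNATURE_CRYPTO_KEYS):
            # The condition behind "No crypto property file supplied".
            findings.append((bean_id, "no-crypto", "Signature", None))
    return findings


# Constructed sample modelled on the out-interceptor posted in the thread.
BEFORE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="wss4jOutInterceptor"
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <constructor-arg>
      <map>
        <entry key="action" value="Timestamp Signature" />
        <entry key="signatureUser" value="test-user (test ca 1)" />
        <entry key="SignaturePropRefId" value="signatureProperties" />
        <entry key="signatureProperties" value-ref="cryptoProperties" />
      </map>
    </constructor-arg>
  </bean>
</beans>"""
# Same configuration with the WSS4J 1.6 spelling of the key.
AFTER = BEFORE.replace('"SignaturePropRefId"', '"signaturePropRefId"')
# Correct key, but the reference names an entry that does not exist.
DANGLING = AFTER.replace('value="signatureProperties"', 'value="sigProps"')

if __name__ == "__main__":
    for name, doc in (("before", BEFORE), ("after", AFTER),
                      ("dangling", DANGLING)):
        print(name, lint(doc))
```
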

RE: Help loading signature properties

Posted by St...@faa.gov.
As usual, I spoke too soon. The problem has moved, not been solved. Now I have this (very similar) exception, against the inInterceptor this time:

org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied to verify signature)
        at org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:64)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:186)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:402)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:355)
        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:319)
        at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:65)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1088)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1024)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)
        at org.eclipse.jetty.server.Server.handle(Server.java:370)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:494)
        at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:982)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:1043)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:957)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
        at org.eclipse.jetty.io.nio.SslConnection.handle(SslConnection.java:196)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:696)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:53)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
        at java.lang.Thread.run(Thread.java:662)

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Tuesday, September 23, 2014 2:41 PM
To: users@cxf.apache.org
Subject: RE: Help loading signature properties

Problem solved. I found a discussion here on a similar problem: http://cxf.547215.n5.nabble.com/WS-Security-Properties-Reference-td5505704.html. For anyone who is interested, "SignaturePropRefId" was used in WSS4J 1.5, but was changed to "signaturePropRefId" in WSS4J 1.6.

Thanx,

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Tuesday, September 23, 2014 2:04 PM
To: users@cxf.apache.org
Subject: RE: Help loading signature properties

Thanx, Glen. I think the dependencies are there. There are several layers of pom file to decode, but the pom file building this bit has this:

    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-ws-security</artifactId>
      <version>${cxf-version}</version>
      <scope>test</scope>
    </dependency>

And it's parent pom file has this:

     <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
      <version>${spring-version}</version>
      <scope>test</scope>
    </dependency>

So I think I'm covered dependency-wise. I've specified Spring 3.1.0, because I was having issues with ehCache that seemed to warrant it.

Stephen W. Chappell

-----Original Message-----
From: Glen Mazza [mailto:glen.mazza@gmail.com] 
Sent: Tuesday, September 23, 2014 1:53 PM
To: users@cxf.apache.org
Subject: Re: Help loading signature properties

Did you add the required Spring dependencies (necessary to read your Spring config) to your code as part of the upgrade?  CXF 2.3 automatically included dependencies that later versions do not.

http://web-gmazza.rhcloud.com/blog/entry/cxf-usernametoken-profile#UTCXF2

Glen

On 09/23/2014 01:48 PM, Stephen.CTR.Chappell@faa.gov wrote:
> I'm working on migrating some legacy code I've been stuck with from CXF 2.3/WSS4J 1.5 up to CXF 2.7/WSS4J 1.6, and I'm having some troubles. The latest issue is something that I'm sure is obvious and I'm just not seeing ... I am getting this exception when I run one of my tests:
>
> org.apache.cxf.binding.soap.SoapFault: Security processing failed.
>          at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:280)
>          at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:141)
>          ....
> Caused by: org.apache.ws.security.WSSecurityException: Error during Signature:
>          at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:122)
>          at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:232)
>          at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)
>          at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:265)
>          ... 47 more
> Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied to verify signature)
>          at org.apache.ws.security.message.WSSecSignature.getSigningCerts(WSSecSignature.java:789)
>          at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:169)
>          at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:71)
>          ... 50 more
>
> I've shortened the stack trace a bit but that should be the most important parts. Now the exception itself I think is clear - there's a problem with the crypto properties. It's the exact problem that eludes me. In my Spring configuration, the original developers referenced a Crypto bean rather than using an external file. This is the bean configuration:
>
>    <bean id="wss4jOutInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>      <constructor-arg>
>        <map>
>          <entry key="action" value="Timestamp Signature" />
>          <entry key="user" value="test-user (test ca 1)" />
>          <entry key="timeToLive" value="60" />
>          <entry key="signatureUser" value="test-user (test ca 1)" />
>          <entry key="signatureKeyIdentifier" value="DirectReference" />
>          <entry key="SignaturePropRefId" value="signatureProperties" />
>          <entry key="signatureProperties" value-ref="cryptoProperties" />
>          <entry key="signatureParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body; {Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />
>          <entry key="signatureAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>          <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256"/>
>          <entry key="passwordCallbackRef" value-ref="pwCallback" />
>        </map>
>      </constructor-arg>
>    </bean>
>
>    <bean id="wss4jInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>      <constructor-arg>
>        <map>
>          <entry key="action" value="Signature Timestamp Encrypt" />
>          <entry key="SignaturePropRefId" value="cryptoProperties" />
>          <entry key="decryptionPropRefId" value="cryptoProperties" />
>          <entry key="cryptoProperties" value-ref="cryptoProperties" />
>          <entry key="passwordCallbackRef" value-ref="pwCallback" />
>        </map>
>      </constructor-arg>
>    </bean>
>
>    <util:properties id="cryptoProperties">
>      <prop key="org.apache.ws.security.crypto.provider">org.apache.ws.security.components.crypto.Merlin</prop>
>      <prop key="org.apache.ws.security.crypto.merlin.keystore.file">test-user.jks</prop>
>      <prop key="org.apache.ws.security.crypto.merlin.keystore.type">jks</prop>
>      <prop key="org.apache.ws.security.crypto.merlin.keystore.provider"></prop> -->
>      <prop key="org.apache.ws.security.crypto.merlin.keystore.password">xxxxx</prop>
>      <prop key="org.apache.ws.security.crypto.merlin.load.cacerts">false</prop>
>    </util:properties>
>
> Does anyone have any ideas on what may be off here? Thanx,
>
> Stephen W. Chappell
>


RE: Help loading signature properties

Posted by St...@faa.gov.
Problem solved. I found a discussion here on a similar problem: http://cxf.547215.n5.nabble.com/WS-Security-Properties-Reference-td5505704.html. For anyone who is interested, "SignaturePropRefId" was used in WSS4J 1.5, but was changed to "signaturePropRefId" in WSS4J 1.6.

Thanx,

Stephen W. Chappell

-----Original Message-----
From: Chappell, Stephen CTR (FAA) 
Sent: Tuesday, September 23, 2014 2:04 PM
To: users@cxf.apache.org
Subject: RE: Help loading signature properties

Thanx, Glen. I think the dependencies are there. There are several layers of pom file to decode, but the pom file building this bit has this:

    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-ws-security</artifactId>
      <version>${cxf-version}</version>
      <scope>test</scope>
    </dependency>

And it's parent pom file has this:

     <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
      <version>${spring-version}</version>
      <scope>test</scope>
    </dependency>

So I think I'm covered dependency-wise. I've specified Spring 3.1.0, because I was having issues with ehCache that seemed to warrant it.

Stephen W. Chappell

-----Original Message-----
From: Glen Mazza [mailto:glen.mazza@gmail.com] 
Sent: Tuesday, September 23, 2014 1:53 PM
To: users@cxf.apache.org
Subject: Re: Help loading signature properties

Did you add the required Spring dependencies (necessary to read your Spring config) to your code as part of the upgrade?  CXF 2.3 automatically included dependencies that later versions do not.

http://web-gmazza.rhcloud.com/blog/entry/cxf-usernametoken-profile#UTCXF2

Glen

On 09/23/2014 01:48 PM, Stephen.CTR.Chappell@faa.gov wrote:
> I'm working on migrating some legacy code I've been stuck with from CXF 2.3/WSS4J 1.5 up to CXF 2.7/WSS4J 1.6, and I'm having some troubles. The latest issue is something that I'm sure is obvious and I'm just not seeing ... I am getting this exception when I run one of my tests:
>
> org.apache.cxf.binding.soap.SoapFault: Security processing failed.
>          at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:280)
>          at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:141)
>          ....
> Caused by: org.apache.ws.security.WSSecurityException: Error during Signature:
>          at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:122)
>          at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:232)
>          at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)
>          at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:265)
>          ... 47 more
> Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied to verify signature)
>          at org.apache.ws.security.message.WSSecSignature.getSigningCerts(WSSecSignature.java:789)
>          at org.apache.ws.security.message.WSSecSignature.prepare(WSSecSignature.java:169)
>          at org.apache.ws.security.action.SignatureAction.execute(SignatureAction.java:71)
>          ... 50 more
>
> I've shortened the stack trace a bit but that should be the most important parts. Now the exception itself I think is clear - there's a problem with the crypto properties. It's the exact problem that eludes me. In my Spring configuration, the original developers referenced a Crypto bean rather than using an external file. This is the bean configuration:
>
>    <bean id="wss4jOutInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>      <constructor-arg>
>        <map>
>          <entry key="action" value="Timestamp Signature" />
>          <entry key="user" value="test-user (test ca 1)" />
>          <entry key="timeToLive" value="60" />
>          <entry key="signatureUser" value="test-user (test ca 1)" />
>          <entry key="signatureKeyIdentifier" value="DirectReference" />
>          <entry key="SignaturePropRefId" value="signatureProperties" />
>          <entry key="signatureProperties" value-ref="cryptoProperties" />
>          <entry key="signatureParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body; {Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp" />
>          <entry key="signatureAlgorithm" value="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>          <entry key="signatureDigestAlgorithm" value="http://www.w3.org/2001/04/xmlenc#sha256"/>
>          <entry key="passwordCallbackRef" value-ref="pwCallback" />
>        </map>
>      </constructor-arg>
>    </bean>
>
>    <bean id="wss4jInInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>      <constructor-arg>
>        <map>
>          <entry key="action" value="Signature Timestamp Encrypt" />
>          <entry key="SignaturePropRefId" value="cryptoProperties" />
>          <entry key="decryptionPropRefId" value="cryptoProperties" />
>          <entry key="cryptoProperties" value-ref="cryptoProperties" />
>          <entry key="passwordCallbackRef" value-ref="pwCallback" />
>        </map>
>      </constructor-arg>
>    </bean>
>
>    <util:properties id="cryptoProperties">
>      <prop key="org.apache.ws.security.crypto.provider">org.apache.ws.security.components.crypto.Merlin</prop>
>      <prop key="org.apache.ws.security.crypto.merlin.keystore.file">test-user.jks</prop>
>      <prop key="org.apache.ws.security.crypto.merlin.keystore.type">jks</prop>
>      <prop key="org.apache.ws.security.crypto.merlin.keystore.provider"></prop> -->
>      <prop key="org.apache.ws.security.crypto.merlin.keystore.password">xxxxx</prop>
>      <prop key="org.apache.ws.security.crypto.merlin.load.cacerts">false</prop>
>    </util:properties>
>
> Does anyone have any ideas on what may be off here? Thanx,
>
> Stephen W. Chappell
>


RE: Help loading signature properties

Posted by St...@faa.gov.
Thanx, Glen. I think the dependencies are there. There are several layers of pom file to decode, but the pom file building this bit has this:

    <dependency>
      <groupId>org.apache.cxf</groupId>
      <artifactId>cxf-rt-ws-security</artifactId>
      <version>${cxf-version}</version>
      <scope>test</scope>
    </dependency>

And it's parent pom file has this:

     <dependency>
      <groupId>org.springframework</groupId>
      <artifactId>spring-context</artifactId>
      <version>${spring-version}</version>
      <scope>test</scope>
    </dependency>

So I think I'm covered dependency-wise. I've specified Spring 3.1.0, because I was having issues with ehCache that seemed to warrant it.

Stephen W. Chappell

-----Original Message-----
From: Glen Mazza [mailto:glen.mazza@gmail.com] 
Sent: Tuesday, September 23, 2014 1:53 PM
To: users@cxf.apache.org
Subject: Re: Help loading signature properties

Did you add the required Spring dependencies (necessary to read your Spring config) to your code as part of the upgrade?  CXF 2.3 automatically included dependencies that later versions do not.

http://web-gmazza.rhcloud.com/blog/entry/cxf-usernametoken-profile#UTCXF2

Glen



Re: Help loading signature properties

Posted by Glen Mazza <gl...@gmail.com>.
Did you add the required Spring dependencies (necessary to read your 
Spring config) to your code as part of the upgrade?  CXF 2.3 
automatically included dependencies that later versions do not.

http://web-gmazza.rhcloud.com/blog/entry/cxf-usernametoken-profile#UTCXF2

Glen
