cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ian homer (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-2158) Mix up of ID and ID reference of security token in signature causes WCF service to throw Cannot resolve KeyInfo for verifying signature
Date Mon, 06 Apr 2009 16:04:12 GMT
Mix up of ID and ID reference of security token in signature causes WCF service to throw Cannot
resolve KeyInfo for verifying signature
---------------------------------------------------------------------------------------------------------------------------------------

                 Key: CXF-2158
                 URL: https://issues.apache.org/jira/browse/CXF-2158
             Project: CXF
          Issue Type: Bug
    Affects Versions: 2.2
         Environment: Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153) - MacOS 10.5
and Windows Vista
            Reporter: ian homer


Issue

CXF client causes WCF to throw the error Cannot resolve KeyInfo for verifying signature: KeyInfo
'SecurityKeyIdentifier when connecting to a secured WCF service set up following the tutorial
"WCF Getting Started Sample Tutorial with Message Security User Name" @ http://msdn.microsoft.com/en-us/library/ms752233.aspx.
(WSDL attached on CXF ticket)

See analysis below for summary of the issue and indication of resolution.
[edit] CXF Client Test Case

$ java -version
java version "1.6.0_07"
Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_07-b06-57, mixed mode)
 
MacOS 10.5 and Windows Vista
CXF Version 2.2

import static org.junit.Assert.assertEquals;
import groovyx.net.ws.cxf.SSLHelper;
 
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
 
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;
 
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.endpoint.EndpointImpl;
import org.apache.cxf.endpoint.dynamic.DynamicClientFactory;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.LoggingInInterceptor;
import org.apache.cxf.interceptor.LoggingOutInterceptor;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.service.model.BindingOperationInfo;
import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptor;
import org.apache.cxf.ws.policy.EffectivePolicy;
import org.apache.cxf.ws.policy.PolicyEngine;
import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.neethi.AbstractPolicyOperator;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.junit.Test;
 
public class SSLAWSWCFCalculatorIssueTestCase {
	protected static Log log = LogFactory.getLog(SSLAWSWCFCalculatorIssueTestCase.class);
 
	public static final String WCF_HOST = "host";
	private static final String WSDL_URI_REMOTE = "http://" + WCF_HOST
			+ "/ServiceModelSamples/service.svc?wsdl";
	/**
	 * Filters for a default WCF_SSLA integration
	 */
	public static final Class<?>[] WCF_SSLA = new Class<?>[] { SignedEncryptedParts.class
};
 
	@Test
	public void testOperationsOfSSLClientWithSoapAuthentication() throws Exception {
		QName service = new QName("http://tempuri.org/", "CalculatorService");
		QName port = new QName("http://tempuri.org/", "SSLCalculatorA");
 
		Client client = DynamicClientFactory.newInstance().createClient(WSDL_URI_REMOTE, service,
				SSLAWSWCFCalculatorIssueTestCase.class.getClassLoader(), port);
 
		SSLHelper sslHelper = new SSLHelper();
		sslHelper.initialize();
		sslHelper.enable(client);
 
		Bus bus = ((EndpointImpl) client.getEndpoint()).getBus();
		/*
		 * Apply default policy filter in interceptor to filter out the
		 * mandatory signing of body parts. Otherwise CXF policy validation
		 * fails since the response from WCF is not compliant with this
		 */
		bus.getInInterceptors().add(new PolicyFilterOutInterceptor(WCF_SSLA));
		Map<String, Object> outProps = new HashMap<String, Object>();
 
		outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
		outProps.put(WSHandlerConstants.USER, "bart\\myname");
		outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
		outProps.put(WSHandlerConstants.MUST_UNDERSTAND, "true");
		outProps.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordHandler("password"));
 
		bus.getOutInterceptors().add(new JustOnceWSS4JOutInterceptor(outProps));
 
		/*
		 * Add logging interceptors
		 */
		bus.getInInterceptors().add(new LoggingInInterceptor());
		bus.getOutInterceptors().add(new LoggingOutInterceptor());
 
		BindingOperationInfo add = client.getEndpoint().getEndpointInfo().getBinding()
				.getOperation(new QName("http://Microsoft.ServiceModel.Samples", "Add"))
				.getUnwrappedOperation();
		/**
		 * Now call some operations
		 */
		if (log.isDebugEnabled()) {
			log.debug("Invoking method add");
		}
		Object[] answer = client.invoke(add, new Object[] { "1", "2" });
		if (log.isDebugEnabled()) {
			log.debug("1 + 2 = " + answer[0]);
		}
		assertEquals("Add method not correct", new Double(3.0), answer[0]);
 
		if (log.isDebugEnabled()) {
			log.debug("Invoking method multiply");
		}
		BindingOperationInfo multiply = client.getEndpoint().getEndpointInfo().getBinding()
				.getOperation(new QName("http://Microsoft.ServiceModel.Samples", "Multiply"))
				.getUnwrappedOperation();
 
		answer = client.invoke(multiply, new Object[] { "3", "2" });
		assertEquals("Multiply method not correct", new Double(6.0), answer);
		if (log.isDebugEnabled()) {
			log.debug("3 x 2 = " + answer);
		}
	}
 
	/**
	 * Handler to get the password
	 */
	public class PasswordHandler implements CallbackHandler {
		private static final String DEFAULT_PASSWORD = "password";
		String password;
 
		public PasswordHandler() {
			this.password = DEFAULT_PASSWORD;
		}
 
		public PasswordHandler(String password) {
			this.password = password;
		}
 
		public void handle(Callback[] callbacks) {
			WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
			pc.setPassword(password);
		}
	}
 
	/**
	 * An WSS4J Interceptor that only includes the security header once, without
	 * this WCF service throws a security exception when username and password
	 * sent along with the SecurityContextToken in the second request
	 */
 
	public class JustOnceWSS4JOutInterceptor extends WSS4JOutInterceptor {
		int count = 0;
 
		/**
		 * @param outProps
		 */
		public JustOnceWSS4JOutInterceptor(Map<String, Object> outProps) {
			super(outProps);
		}
 
		@Override
		public void handleMessage(SoapMessage mc) throws Fault {
			if (count == 0) {
				if (log.isDebugEnabled()) {
					log.debug("Calling WSS4J interceptor : count = " + count);
				}
				super.handleMessage(mc);
			} else {
				if (log.isDebugEnabled()) {
					log.debug("Skipping WSS4J interceptor : count = " + count);
				}
			}
			count++;
		}
	}
 
	public class PolicyFilterOutInterceptor extends AbstractPolicyInterceptor {
 
		private Class<?>[] filters;
 
		public PolicyFilterOutInterceptor(Class<?>[] filters) {
			super(Phase.PRE_STREAM);
			this.filters = filters;
		}
 
		@Override
		protected void handle(Message message) throws PolicyException {
			if (log.isDebugEnabled()) {
				log.debug("Filtering policies for " + this.getClass().getName());
			}
 
			Exchange exchange = message.getExchange();
			BindingOperationInfo boi = exchange.get(BindingOperationInfo.class);
			if (null == boi) {
				if (log.isDebugEnabled()) {
					log.debug("No binding operation info.");
				}
				return;
			}
 
			Endpoint e = exchange.get(Endpoint.class);
			if (null == e) {
				if (log.isDebugEnabled()) {
					log.debug("No endpoint.");
				}
				return;
			}
			EndpointInfo ei = e.getEndpointInfo();
 
			Bus bus = exchange.get(Bus.class);
			PolicyEngine pe = bus.getExtension(PolicyEngine.class);
			if (null == pe) {
				return;
			}
 
			if (MessageUtils.isPartialResponse(message)) {
				if (log.isDebugEnabled()) {
					log.debug("Not verifying policies on inbound partial response.");
				}
				return;
			}
 
			getTransportAssertions(message);
 
			EffectivePolicy effectivePolicy = message.get(EffectivePolicy.class);
			if (effectivePolicy == null) {
				if (MessageUtils.isRequestor(message)) {
					effectivePolicy = pe.getEffectiveClientResponsePolicy(ei, boi);
				} else {
					effectivePolicy = pe.getEffectiveServerRequestPolicy(ei, boi);
				}
			}
 
			removePolicies(effectivePolicy.getPolicy(), filters);
		}
 
		public void removePolicy(AbstractPolicyOperator operator, Class<?> clazz) {
			removePolicies(operator, new Class<?>[] { clazz });
		}
 
		@SuppressWarnings("unchecked")
		public void removePolicies(AbstractPolicyOperator operator, Class<?>[] classes) {
			List<Object> childrenForRemoval = new ArrayList<Object>();
 
			for (Object child : operator.getPolicyComponents()) {
				if (child instanceof AbstractPolicyOperator) {
					removePolicies((AbstractPolicyOperator) child, classes);
				} else {
					for (int i = 0; i < classes.length; i++) {
						if (child.getClass() == classes[i]) {
							childrenForRemoval.add(child);
							if (log.isDebugEnabled()) {
								log.debug("Removing policy : " + child);
							}
						}
					}
				}
			}
 
			/*
			 * Remove all the children that have been marked for removal
			 */
			operator.getPolicyComponents().removeAll(childrenForRemoval);
		}
	}
}

[edit] WCF Exception

<Exception>
<ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel,
Version=3.0.0.0, Culture=neutral, 
PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
   (
   IsReadOnly = False,
   Count = 1,
   Clause[0] = LocalIdKeyIdentifierClause(LocalId = 'urn:uuid:67422cf9-69c5-4e15-802d-4c6d39cdc57d',
Owner = 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken')
   )
', available tokens 'SecurityTokenResolver
   (
   TokenCount = 1,
   TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.ServiceModel.Security.Tokens.SecurityContextSecurityToken,

Parameters=System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False
RequireCancellation: True
BootstrapSecurityBindingElement:
 System.ServiceModel.Channels.TransportSecurityBindingElement:
 DefaultAlgorithmSuite: Basic256
 IncludeTimestamp: True
 KeyEntropyMode: CombinedEntropy
 MessageSecurityVersion: WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
 SecurityHeaderLayout: Strict
 EndpointSupportingTokenParameters:
   No endorsing tokens.
   No signed tokens.
   SignedEncrypted[0]
     System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters:
     InclusionMode: AlwaysToRecipient
     ReferenceStyle: Internal
     RequireDerivedKeys: False
   No signed endorsing tokens.
 OptionalEndpointSupportingTokenParameters:
   No endorsing tokens.
   No signed tokens.
   No signed encrypted tokens.
   No signed endorsing tokens.
 OperationSupportingTokenParameters: none
 OptionalOperationSupportingTokenParameters: none)
   )
'.</Message>
<StackTrace>
at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ResolveSignatureToken(SecurityKeyIdentifier

keyIdentifier, SecurityTokenResolver resolver, Boolean isPrimarySignature)
at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml
signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, Object signatureTarget,
String id)
at System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml
signedXml, Boolean isFromDecryptedSource)
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader
reader)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout)
at System.ServiceModel.Security.AcceptorSessionSymmetricTransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp;
message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp;
message, TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp; message,
TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ProcessRequestContext(RequestContext
requestContext, TimeSpan timeout, SecurityProtocolCorrelationState&amp; correlationState,
Boolean&amp; isSecurityProcessingFailure)
at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ReceiveRequestAsyncResult.WaitComplete()
at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ReceiveRequestAsyncResult..ctor(ServerSecuritySessionChannel
channel, TimeSpan timeout, AsyncCallback callback, Object state)
at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.BeginTryReceiveRequest(TimeSpan
timeout, AsyncCallback callback, Object state)
at System.ServiceModel.Dispatcher.ReplyChannelBinder.BeginTryReceive(TimeSpan timeout, AsyncCallback
callback, Object state)
at System.ServiceModel.Dispatcher.ErrorHandlingReceiver.BeginTryReceive(TimeSpan timeout,
AsyncCallback callback, Object state)
at System.ServiceModel.Dispatcher.ChannelHandler.EnsurePump()
at System.ServiceModel.Dispatcher.ChannelHandler.OpenAndEnsurePump()
at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.WorkItem.Invoke2()
at System.Security.SecurityContext.Run(SecurityContext securityContext, ContextCallback callback,
Object state)
at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.WorkItem.Invoke()
at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.ProcessCallbacks()
at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.CompletionCallback(Object
state)
at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.ScheduledOverlapped.IOCallback(UInt32
errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
at System.ServiceModel.Diagnostics.Utility.IOCompletionThunk.UnhandledExceptionFrame(UInt32
error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32
numBytes, NativeOverlapped* pOVERLAP)
</StackTrace>
<ExceptionString>System.ServiceModel.Security.MessageSecurityException: Cannot resolve
KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
   (
   IsReadOnly = False,
   Count = 1,
   Clause[0] = LocalIdKeyIdentifierClause(LocalId = 'urn:uuid:67422cf9-69c5-4e15-802d-4c6d39cdc57d',
Owner = 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken')
   )
', available tokens 'SecurityTokenResolver
   (
   TokenCount = 1,
   TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.ServiceModel.Security.Tokens.SecurityContextSecurityToken,
Parameters=System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False
RequireCancellation: True
BootstrapSecurityBindingElement:
 System.ServiceModel.Channels.TransportSecurityBindingElement:
 DefaultAlgorithmSuite: Basic256
 IncludeTimestamp: True
 KeyEntropyMode: CombinedEntropy
 MessageSecurityVersion: WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
 SecurityHeaderLayout: Strict
 EndpointSupportingTokenParameters:
   No endorsing tokens.
   No signed tokens.
   SignedEncrypted[0]
     System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters:
     InclusionMode: AlwaysToRecipient
     ReferenceStyle: Internal
     RequireDerivedKeys: False
   No signed endorsing tokens.
 OptionalEndpointSupportingTokenParameters:
   No endorsing tokens.
   No signed tokens.
   No signed encrypted tokens.
   No signed endorsing tokens.
 OperationSupportingTokenParameters: none
 OptionalOperationSupportingTokenParameters: none)
   )
'.</ExceptionString>
</Exception>

[edit] WCF Client with WCF Server
[edit] WCF Client Request 1

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"

        xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
        <a:MessageID>urn:uuid:8151f398-b043-485e-a443-681fb698d334</a:MessageID>
        <a:ReplyTo>
            <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
        </a:ReplyTo>
        <a:To s:mustUnderstand="1">https://host/servicemodelsamples/service.svc/SSLA</a:To>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2009-04-06T08:25:00.988Z</u:Created>
                <u:Expires>2009-04-06T08:30:00.988Z</u:Expires>
            </u:Timestamp>
            <o:UsernameToken u:Id="uuid-0403819d-3bc9-4fc8-be6f-0c1b01da7397-1">
                <o:Username>
                    <!-- Removed-->
                </o:Username>
                <o:Password>
                    <!-- Removed-->
                </o:Password>
            </o:UsernameToken>
        </o:Security>
    </s:Header>
    <s:Body>
        <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
            <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
            <t:Entropy>
                <!-- Removed-->
            </t:Entropy>
            <t:KeySize>256</t:KeySize>
        </t:RequestSecurityToken>
    </s:Body>
</s:Envelope>

[edit] WCF Client Response from Server 1

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"

xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action>
        <a:RelatesTo>urn:uuid:4f4996b9-4d71-47d8-91b8-ba75df9b3de6</a:RelatesTo>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2009-04-06T08:59:01.713Z</u:Created>
                <u:Expires>2009-04-06T09:04:01.713Z</u:Expires>
            </u:Timestamp>
        </o:Security>
    </s:Header>
    <s:Body>
        <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
            <t:RequestedSecurityToken>
                <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"
xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
                    <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
                </c:SecurityContextToken>
            </t:RequestedSecurityToken>
            <t:RequestedAttachedReference>
                <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
                </o:SecurityTokenReference>
            </t:RequestedAttachedReference>
            <t:RequestedUnattachedReference>
                <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <o:Reference URI="urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference>
                </o:SecurityTokenReference>
            </t:RequestedUnattachedReference>
            <t:RequestedProofToken>
                <t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKey>
            </t:RequestedProofToken>
            <t:Entropy>
                <!-- Removed-->
            </t:Entropy>
            <t:Lifetime>
                <u:Created>2009-04-06T08:59:01.701Z</u:Created>
                <u:Expires>2009-04-06T23:59:01.701Z</u:Expires>
            </t:Lifetime>
            <t:KeySize>256</t:KeySize>
        </t:RequestSecurityTokenResponse>
    </s:Body>
</s:Envelope>

[edit] WCF Client Request 2

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"

xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://Microsoft.ServiceModel.Samples/ICalculator/Add</a:Action>
        <a:MessageID>urn:uuid:3363fc9e-17e1-4e15-a0dc-ef56d63fa541</a:MessageID>
        <a:ReplyTo>
            <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
        </a:ReplyTo>
        <a:To s:mustUnderstand="1">https://host/servicemodelsamples/service.svc/SSLA</a:To>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2009-04-06T08:59:01.737Z</u:Created>
                <u:Expires>2009-04-06T09:04:01.737Z</u:Expires>
            </u:Timestamp>
            <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"
xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
                <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
            </c:SecurityContextToken>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod>
                    <Reference URI="#_0">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                        <DigestValue>2VuDOwhOC2mm4YhQJEAzutsXuiU=</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>AZzmujJH/wkgEzq9jopInPW3exQ=</SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference>
                        <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
        </o:Security>
    </s:Header>
    <s:Body>
        <Add xmlns="http://Microsoft.ServiceModel.Samples">
            <n1>100</n1>
            <n2>15.99</n2>
        </Add>
    </s:Body>
</s:Envelope>

[edit] WCF Client Response from Server 2

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"

xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://Microsoft.ServiceModel.Samples/ICalculator/AddResponse</a:Action>
        <a:RelatesTo>urn:uuid:3363fc9e-17e1-4e15-a0dc-ef56d63fa541</a:RelatesTo>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2009-04-06T08:59:01.773Z</u:Created>
                <u:Expires>2009-04-06T09:04:01.773Z</u:Expires>
            </u:Timestamp>
        </o:Security>
    </s:Header>
    <s:Body>
        <AddResponse xmlns="http://Microsoft.ServiceModel.Samples">
            <AddResult>115.99</AddResult>
        </AddResponse>
    </s:Body>
</s:Envelope>

[edit] CXF Client with WCF Server
[edit] CXF Client Request 1

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
	<soap:Header>
		<Action xmlns="http://www.w3.org/2005/08/addressing">
			http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
		<MessageID xmlns="http://www.w3.org/2005/08/addressing">
			urn:uuid:ee3fd188-2a43-4d0e-b202-aac81f803bc5</MessageID>
		<To xmlns="http://www.w3.org/2005/08/addressing">
			https://host/ServiceModelSamples/service.svc/SSLA</To>
		<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
			<Address>http://www.w3.org/2005/08/addressing/anonymous
			</Address>
		</ReplyTo>
		<wsse:Security
			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
			soap:mustUnderstand="true">
			<wsu:Timestamp
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				wsu:Id="Timestamp-1763636894">
				<wsu:Created>2009-04-06T10:00:47.466Z
				</wsu:Created>
				<wsu:Expires>2009-04-06T10:05:47.466Z
				</wsu:Expires>
			</wsu:Timestamp>
			<wsse:UsernameToken
				xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				wsu:Id="UsernameToken-2095036283">
				<wsse:Username>bart\myuser</wsse:Username>
				<wsse:Password
					Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
			</wsse:UsernameToken>
		</wsse:Security>
	</soap:Header>
	<soap:Body>
		<wst:RequestSecurityToken
			xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
			<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
			</wst:RequestType>
			<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
				<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
					<wsa:Address>
						https://host/ServiceModelSamples/service.svc/SSLA
					</wsa:Address>
				</wsa:EndpointReference>
			</wsp:AppliesTo>
			<wst:Lifetime>
				<wsu:Created
					xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-04-06T10:00:46.692Z
				</wsu:Created>
				<wsu:Expires
					xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-04-06T10:05:46.692Z
				</wsu:Expires>
			</wst:Lifetime>
			<wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct
			</wst:TokenType>
			<wst:Entropy>
				<wst:BinarySecret
					Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">7pPJRu/vrIfSeAzoq48kAd+55khFFbU/sLw0PeYkIKA=
				</wst:BinarySecret>
			</wst:Entropy>
			<wst:ComputedKeyAlgorithm>
				http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
			</wst:ComputedKeyAlgorithm>
		</wst:RequestSecurityToken>
	</soap:Body>
</soap:Envelope>

[edit] CXF Client Response from Server 1

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
	xmlns:a="http://www.w3.org/2005/08/addressing"
	xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
	<s:Header>
		<a:Action s:mustUnderstand="1">
			http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action>
		<a:RelatesTo>urn:uuid:ee3fd188-2a43-4d0e-b202-aac81f803bc5
		</a:RelatesTo>
		<o:Security s:mustUnderstand="1"
			xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<u:Timestamp u:Id="_0">
				<u:Created>2009-04-06T10:00:28.212Z
				</u:Created>
				<u:Expires>2009-04-06T10:05:28.212Z
				</u:Expires>
			</u:Timestamp>
		</o:Security>
	</s:Header>
	<s:Body>
		<t:RequestSecurityTokenResponse
			xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
			<t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct
			</t:TokenType>
			<t:RequestedSecurityToken>
				<c:SecurityContextToken
					u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
					<c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20
					</c:Identifier>
				</c:SecurityContextToken>
			</t:RequestedSecurityToken>
			<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
				<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
					<Address>
						https://host/ServiceModelSamples/service.svc/SSLA
					</Address>
				</EndpointReference>
			</wsp:AppliesTo>
			<t:RequestedAttachedReference>
				<o:SecurityTokenReference
					xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
					<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
						URI="#uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3"></o:Reference>
				</o:SecurityTokenReference>
			</t:RequestedAttachedReference>
			<t:RequestedUnattachedReference>
				<o:SecurityTokenReference
					xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
					<o:Reference URI="urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20"
						ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference>
				</o:SecurityTokenReference>
			</t:RequestedUnattachedReference>
			<t:RequestedProofToken>
				<t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
				</t:ComputedKey>
			</t:RequestedProofToken>
			<t:Entropy>
				<t:BinarySecret u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-4"
					Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">f6m4wEJy9gPMttOxzM+7yf1i5biWxbNaBfbx1sWvVPw=
				</t:BinarySecret>
			</t:Entropy>
			<t:Lifetime>
				<u:Created>2009-04-06T10:00:28.208Z
				</u:Created>
				<u:Expires>2009-04-07T01:00:28.208Z
				</u:Expires>
			</t:Lifetime>
			<t:KeySize>256</t:KeySize>
		</t:RequestSecurityTokenResponse>
	</s:Body>
</s:Envelope>

[edit] CXF Client Request 2

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
	<soap:Header>
		<Action xmlns="http://www.w3.org/2005/08/addressing">
			http://Microsoft.ServiceModel.Samples/ICalculator/Add</Action>
		<MessageID xmlns="http://www.w3.org/2005/08/addressing">
			urn:uuid:b879526c-68c1-4713-8912-6ee23264715f</MessageID>
		<To xmlns="http://www.w3.org/2005/08/addressing">
			https://host/ServiceModelSamples/service.svc/SSLA</To>
		<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
			<Address>http://www.w3.org/2005/08/addressing/anonymous
			</Address>
		</ReplyTo>
		<wsse:Security
			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
			soap:mustUnderstand="true">
			<wsu:Timestamp
				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				wsu:Id="Timestamp-937741416">
				<wsu:Created>2009-04-06T10:00:48.903Z
				</wsu:Created>
				<wsu:Expires>2009-04-06T10:05:48.903Z
				</wsu:Expires>
			</wsu:Timestamp>
			<c:SecurityContextToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"
				xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
				u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3">
				<c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20
				</c:Identifier>
			</c:SecurityContextToken>
			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
				Id="Signature-1670444352">
				<ds:SignedInfo>
					<ds:CanonicalizationMethod
						Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
					<ds:Reference URI="#Timestamp-937741416">
						<ds:Transforms>
							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
						</ds:Transforms>
						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
						<ds:DigestValue>/gRfeAVaxWCey/0KWfXh4VDIdGA=
						</ds:DigestValue>
					</ds:Reference>
				</ds:SignedInfo>
				<ds:SignatureValue>rhEDDQNJHxAKgsBz5ZVPma1TkeY=
				</ds:SignatureValue>
				<ds:KeyInfo Id="KeyId-451036744">
					<wsse:SecurityTokenReference
						xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
						xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
						wsu:Id="STRId-187592160">
						<wsse:Reference
							xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
							URI="#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
/>
					</wsse:SecurityTokenReference>
				</ds:KeyInfo>
			</ds:Signature>
		</wsse:Security>
	</soap:Header>
	<soap:Body>
		<ns1:Add xmlns:ns1="http://Microsoft.ServiceModel.Samples">
			<ns1:n1 xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/"
				xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
				xsi:type="xs:string">1</ns1:n1>
			<ns1:n2 xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/"
				xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
				xsi:type="xs:string">2</ns1:n2>
		</ns1:Add>
	</soap:Body>
</soap:Envelope>

[edit] CXF Client Response from Server 2

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
	xmlns:a="http://www.w3.org/2005/08/addressing">
	<s:Header>
		<a:Action s:mustUnderstand="1">
			http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
		<a:RelatesTo>urn:uuid:c20c8ac5-3e6d-4189-8db8-97dda22f7cdc
		</a:RelatesTo>
	</s:Header>
	<s:Body>
		<s:Fault>
			<s:Code>
				<s:Value>s:Sender</s:Value>
				<s:Subcode>
					<s:Value
						xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
				</s:Subcode>
			</s:Code>
			<s:Reason>
				<s:Text xml:lang="en-GB">An error occurred when verifying security
					for the message.</s:Text>
			</s:Reason>
		</s:Fault>
	</s:Body>
</s:Envelope>

[edit] Analysis

CXF client sends the following on request 2 with the URI attribute of the Reference element
equal to the element content of the Identifier element.

<c:SecurityContextToken u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3">
	<c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20</c:Identifier>
</c:SecurityContextToken>
...
<ds:KeyInfo Id="KeyId-451036744">
	<wsse:SecurityTokenReference>
		<wsse:Reference
			URI="#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20" 
			ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" />
	</wsse:SecurityTokenReference>
</ds:KeyInfo>

however, the WCF client sends the following for its second request with the URI element of
the Reference element equal to the Id attribute of the SecurityContextToken element

<c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
    <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
</c:SecurityContextToken>
...
<KeyInfo>
    <o:SecurityTokenReference>
        <o:Reference 
                ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" 
                URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
    </o:SecurityTokenReference>
</KeyInfo>

If the following change is made in the org.apache.cxf.ws.security.wss4j.policyhandler.TransportBindingHandler:

CXF trunk 2.2 version

sig.setCustomTokenId(secTok.getId());

changed to

Node firstChild = securityToken.getAttachedReference().getFirstChild();
Attr referenceUriAttribute = (Attr) firstChild.getAttributes().getNamedItem("URI");
String referenceUri = referenceUriAttribute.getValue().substring(1);
sig.setCustomTokenId(referenceUri)

then the CXF client communicates with the WCF server successfully. It is not expected that
this is the correct place for the fix, since there are other places in the CXF source which
set the custom token id on the signature. It is more likely that a correction is required
earlier in the logic such that security token allows the id reference (i.e. the Reference
URI) to be set correctly and made available for configuring in the signature. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message