cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ian homer (JIRA)" <j...@apache.org>
Subject [jira] Updated: (CXF-2158) Mix up of ID and ID reference of security token in signature causes WCF service to throw Cannot resolve KeyInfo for verifying signature
Date Mon, 06 Apr 2009 16:12:12 GMT

     [ https://issues.apache.org/jira/browse/CXF-2158?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

ian homer updated CXF-2158:
---------------------------

    Component/s: WS-* Components

> Mix up of ID and ID reference of security token in signature causes WCF service to throw
Cannot resolve KeyInfo for verifying signature
> ---------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-2158
>                 URL: https://issues.apache.org/jira/browse/CXF-2158
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.2
>         Environment: Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153) - MacOS
10.5 and Windows Vista
>            Reporter: ian homer
>         Attachments: CalculatorService1339.wsdl
>
>
> Issue
> CXF client causes WCF to throw the error Cannot resolve KeyInfo for verifying signature:
KeyInfo 'SecurityKeyIdentifier when connecting to a secured WCF service set up following the
tutorial "WCF Getting Started Sample Tutorial with Message Security User Name" @ http://msdn.microsoft.com/en-us/library/ms752233.aspx.
(WSDL attached on CXF ticket)
> See analysis below for summary of the issue and indication of resolution.
> [edit] CXF Client Test Case
> $ java -version
> java version "1.6.0_07"
> Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153)
> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_07-b06-57, mixed mode)
>  
> MacOS 10.5 and Windows Vista
> CXF Version 2.2
> import static org.junit.Assert.assertEquals;
> import groovyx.net.ws.cxf.SSLHelper;
>  
> import java.util.ArrayList;
> import java.util.HashMap;
> import java.util.List;
> import java.util.Map;
>  
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.xml.namespace.QName;
>  
> import org.apache.commons.logging.Log;
> import org.apache.commons.logging.LogFactory;
> import org.apache.cxf.Bus;
> import org.apache.cxf.binding.soap.SoapMessage;
> import org.apache.cxf.endpoint.Client;
> import org.apache.cxf.endpoint.Endpoint;
> import org.apache.cxf.endpoint.EndpointImpl;
> import org.apache.cxf.endpoint.dynamic.DynamicClientFactory;
> import org.apache.cxf.interceptor.Fault;
> import org.apache.cxf.interceptor.LoggingInInterceptor;
> import org.apache.cxf.interceptor.LoggingOutInterceptor;
> import org.apache.cxf.message.Exchange;
> import org.apache.cxf.message.Message;
> import org.apache.cxf.message.MessageUtils;
> import org.apache.cxf.phase.Phase;
> import org.apache.cxf.service.model.BindingOperationInfo;
> import org.apache.cxf.service.model.EndpointInfo;
> import org.apache.cxf.ws.policy.AbstractPolicyInterceptor;
> import org.apache.cxf.ws.policy.EffectivePolicy;
> import org.apache.cxf.ws.policy.PolicyEngine;
> import org.apache.cxf.ws.policy.PolicyException;
> import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
> import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
> import org.apache.neethi.AbstractPolicyOperator;
> import org.apache.ws.security.WSConstants;
> import org.apache.ws.security.WSPasswordCallback;
> import org.apache.ws.security.handler.WSHandlerConstants;
> import org.junit.Test;
>  
> public class SSLAWSWCFCalculatorIssueTestCase {
> 	protected static Log log = LogFactory.getLog(SSLAWSWCFCalculatorIssueTestCase.class);
>  
> 	public static final String WCF_HOST = "host";
> 	private static final String WSDL_URI_REMOTE = "http://" + WCF_HOST
> 			+ "/ServiceModelSamples/service.svc?wsdl";
> 	/**
> 	 * Filters for a default WCF_SSLA integration
> 	 */
> 	public static final Class<?>[] WCF_SSLA = new Class<?>[] { SignedEncryptedParts.class
};
>  
> 	@Test
> 	public void testOperationsOfSSLClientWithSoapAuthentication() throws Exception {
> 		QName service = new QName("http://tempuri.org/", "CalculatorService");
> 		QName port = new QName("http://tempuri.org/", "SSLCalculatorA");
>  
> 		Client client = DynamicClientFactory.newInstance().createClient(WSDL_URI_REMOTE, service,
> 				SSLAWSWCFCalculatorIssueTestCase.class.getClassLoader(), port);
>  
> 		SSLHelper sslHelper = new SSLHelper();
> 		sslHelper.initialize();
> 		sslHelper.enable(client);
>  
> 		Bus bus = ((EndpointImpl) client.getEndpoint()).getBus();
> 		/*
> 		 * Apply default policy filter in interceptor to filter out the
> 		 * mandatory signing of body parts. Otherwise CXF policy validation
> 		 * fails since the response from WCF is not compliant with this
> 		 */
> 		bus.getInInterceptors().add(new PolicyFilterOutInterceptor(WCF_SSLA));
> 		Map<String, Object> outProps = new HashMap<String, Object>();
>  
> 		outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
> 		outProps.put(WSHandlerConstants.USER, "bart\\myname");
> 		outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
> 		outProps.put(WSHandlerConstants.MUST_UNDERSTAND, "true");
> 		outProps.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordHandler("password"));
>  
> 		bus.getOutInterceptors().add(new JustOnceWSS4JOutInterceptor(outProps));
>  
> 		/*
> 		 * Add logging interceptors
> 		 */
> 		bus.getInInterceptors().add(new LoggingInInterceptor());
> 		bus.getOutInterceptors().add(new LoggingOutInterceptor());
>  
> 		BindingOperationInfo add = client.getEndpoint().getEndpointInfo().getBinding()
> 				.getOperation(new QName("http://Microsoft.ServiceModel.Samples", "Add"))
> 				.getUnwrappedOperation();
> 		/**
> 		 * Now call some operations
> 		 */
> 		if (log.isDebugEnabled()) {
> 			log.debug("Invoking method add");
> 		}
> 		Object[] answer = client.invoke(add, new Object[] { "1", "2" });
> 		if (log.isDebugEnabled()) {
> 			log.debug("1 + 2 = " + answer[0]);
> 		}
> 		assertEquals("Add method not correct", new Double(3.0), answer[0]);
>  
> 		if (log.isDebugEnabled()) {
> 			log.debug("Invoking method multiply");
> 		}
> 		BindingOperationInfo multiply = client.getEndpoint().getEndpointInfo().getBinding()
> 				.getOperation(new QName("http://Microsoft.ServiceModel.Samples", "Multiply"))
> 				.getUnwrappedOperation();
>  
> 		answer = client.invoke(multiply, new Object[] { "3", "2" });
> 		assertEquals("Multiply method not correct", new Double(6.0), answer);
> 		if (log.isDebugEnabled()) {
> 			log.debug("3 x 2 = " + answer);
> 		}
> 	}
>  
> 	/**
> 	 * Handler to get the password
> 	 */
> 	public class PasswordHandler implements CallbackHandler {
> 		private static final String DEFAULT_PASSWORD = "password";
> 		String password;
>  
> 		public PasswordHandler() {
> 			this.password = DEFAULT_PASSWORD;
> 		}
>  
> 		public PasswordHandler(String password) {
> 			this.password = password;
> 		}
>  
> 		public void handle(Callback[] callbacks) {
> 			WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
> 			pc.setPassword(password);
> 		}
> 	}
>  
> 	/**
> 	 * An WSS4J Interceptor that only includes the security header once, without
> 	 * this WCF service throws a security exception when username and password
> 	 * sent along with the SecurityContextToken in the second request
> 	 */
>  
> 	public class JustOnceWSS4JOutInterceptor extends WSS4JOutInterceptor {
> 		int count = 0;
>  
> 		/**
> 		 * @param outProps
> 		 */
> 		public JustOnceWSS4JOutInterceptor(Map<String, Object> outProps) {
> 			super(outProps);
> 		}
>  
> 		@Override
> 		public void handleMessage(SoapMessage mc) throws Fault {
> 			if (count == 0) {
> 				if (log.isDebugEnabled()) {
> 					log.debug("Calling WSS4J interceptor : count = " + count);
> 				}
> 				super.handleMessage(mc);
> 			} else {
> 				if (log.isDebugEnabled()) {
> 					log.debug("Skipping WSS4J interceptor : count = " + count);
> 				}
> 			}
> 			count++;
> 		}
> 	}
>  
> 	public class PolicyFilterOutInterceptor extends AbstractPolicyInterceptor {
>  
> 		private Class<?>[] filters;
>  
> 		public PolicyFilterOutInterceptor(Class<?>[] filters) {
> 			super(Phase.PRE_STREAM);
> 			this.filters = filters;
> 		}
>  
> 		@Override
> 		protected void handle(Message message) throws PolicyException {
> 			if (log.isDebugEnabled()) {
> 				log.debug("Filtering policies for " + this.getClass().getName());
> 			}
>  
> 			Exchange exchange = message.getExchange();
> 			BindingOperationInfo boi = exchange.get(BindingOperationInfo.class);
> 			if (null == boi) {
> 				if (log.isDebugEnabled()) {
> 					log.debug("No binding operation info.");
> 				}
> 				return;
> 			}
>  
> 			Endpoint e = exchange.get(Endpoint.class);
> 			if (null == e) {
> 				if (log.isDebugEnabled()) {
> 					log.debug("No endpoint.");
> 				}
> 				return;
> 			}
> 			EndpointInfo ei = e.getEndpointInfo();
>  
> 			Bus bus = exchange.get(Bus.class);
> 			PolicyEngine pe = bus.getExtension(PolicyEngine.class);
> 			if (null == pe) {
> 				return;
> 			}
>  
> 			if (MessageUtils.isPartialResponse(message)) {
> 				if (log.isDebugEnabled()) {
> 					log.debug("Not verifying policies on inbound partial response.");
> 				}
> 				return;
> 			}
>  
> 			getTransportAssertions(message);
>  
> 			EffectivePolicy effectivePolicy = message.get(EffectivePolicy.class);
> 			if (effectivePolicy == null) {
> 				if (MessageUtils.isRequestor(message)) {
> 					effectivePolicy = pe.getEffectiveClientResponsePolicy(ei, boi);
> 				} else {
> 					effectivePolicy = pe.getEffectiveServerRequestPolicy(ei, boi);
> 				}
> 			}
>  
> 			removePolicies(effectivePolicy.getPolicy(), filters);
> 		}
>  
> 		public void removePolicy(AbstractPolicyOperator operator, Class<?> clazz) {
> 			removePolicies(operator, new Class<?>[] { clazz });
> 		}
>  
> 		@SuppressWarnings("unchecked")
> 		public void removePolicies(AbstractPolicyOperator operator, Class<?>[] classes)
{
> 			List<Object> childrenForRemoval = new ArrayList<Object>();
>  
> 			for (Object child : operator.getPolicyComponents()) {
> 				if (child instanceof AbstractPolicyOperator) {
> 					removePolicies((AbstractPolicyOperator) child, classes);
> 				} else {
> 					for (int i = 0; i < classes.length; i++) {
> 						if (child.getClass() == classes[i]) {
> 							childrenForRemoval.add(child);
> 							if (log.isDebugEnabled()) {
> 								log.debug("Removing policy : " + child);
> 							}
> 						}
> 					}
> 				}
> 			}
>  
> 			/*
> 			 * Remove all the children that have been marked for removal
> 			 */
> 			operator.getPolicyComponents().removeAll(childrenForRemoval);
> 		}
> 	}
> }
> [edit] WCF Exception
> <Exception>
> <ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel,
Version=3.0.0.0, Culture=neutral, 
> PublicKeyToken=b77a5c561934e089</ExceptionType>
> <Message>Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
>    (
>    IsReadOnly = False,
>    Count = 1,
>    Clause[0] = LocalIdKeyIdentifierClause(LocalId = 'urn:uuid:67422cf9-69c5-4e15-802d-4c6d39cdc57d',
Owner = 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken')
>    )
> ', available tokens 'SecurityTokenResolver
>    (
>    TokenCount = 1,
>    TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.ServiceModel.Security.Tokens.SecurityContextSecurityToken,

> Parameters=System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters:
> InclusionMode: AlwaysToRecipient
> ReferenceStyle: Internal
> RequireDerivedKeys: False
> RequireCancellation: True
> BootstrapSecurityBindingElement:
>  System.ServiceModel.Channels.TransportSecurityBindingElement:
>  DefaultAlgorithmSuite: Basic256
>  IncludeTimestamp: True
>  KeyEntropyMode: CombinedEntropy
>  MessageSecurityVersion: WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
>  SecurityHeaderLayout: Strict
>  EndpointSupportingTokenParameters:
>    No endorsing tokens.
>    No signed tokens.
>    SignedEncrypted[0]
>      System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters:
>      InclusionMode: AlwaysToRecipient
>      ReferenceStyle: Internal
>      RequireDerivedKeys: False
>    No signed endorsing tokens.
>  OptionalEndpointSupportingTokenParameters:
>    No endorsing tokens.
>    No signed tokens.
>    No signed encrypted tokens.
>    No signed endorsing tokens.
>  OperationSupportingTokenParameters: none
>  OptionalOperationSupportingTokenParameters: none)
>    )
> '.</Message>
> <StackTrace>
> at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ResolveSignatureToken(SecurityKeyIdentifier

> keyIdentifier, SecurityTokenResolver resolver, Boolean isPrimarySignature)
> at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml
signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, Object signatureTarget,
String id)
> at System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml
signedXml, Boolean isFromDecryptedSource)
> at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader
reader)
> at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout)
> at System.ServiceModel.Security.AcceptorSessionSymmetricTransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp;
message, TimeSpan timeout)
> at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp;
message, TimeSpan timeout)
> at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp;
message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
> at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ProcessRequestContext(RequestContext
requestContext, TimeSpan timeout, SecurityProtocolCorrelationState&amp; correlationState,
Boolean&amp; isSecurityProcessingFailure)
> at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ReceiveRequestAsyncResult.WaitComplete()
> at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ReceiveRequestAsyncResult..ctor(ServerSecuritySessionChannel
channel, TimeSpan timeout, AsyncCallback callback, Object state)
> at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.BeginTryReceiveRequest(TimeSpan
timeout, AsyncCallback callback, Object state)
> at System.ServiceModel.Dispatcher.ReplyChannelBinder.BeginTryReceive(TimeSpan timeout,
AsyncCallback callback, Object state)
> at System.ServiceModel.Dispatcher.ErrorHandlingReceiver.BeginTryReceive(TimeSpan timeout,
AsyncCallback callback, Object state)
> at System.ServiceModel.Dispatcher.ChannelHandler.EnsurePump()
> at System.ServiceModel.Dispatcher.ChannelHandler.OpenAndEnsurePump()
> at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.WorkItem.Invoke2()
> at System.Security.SecurityContext.Run(SecurityContext securityContext, ContextCallback
callback, Object state)
> at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.WorkItem.Invoke()
> at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.ProcessCallbacks()
> at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.CompletionCallback(Object
state)
> at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.ScheduledOverlapped.IOCallback(UInt32
errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
> at System.ServiceModel.Diagnostics.Utility.IOCompletionThunk.UnhandledExceptionFrame(UInt32
error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
> at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode,
UInt32 numBytes, NativeOverlapped* pOVERLAP)
> </StackTrace>
> <ExceptionString>System.ServiceModel.Security.MessageSecurityException: Cannot
resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
>    (
>    IsReadOnly = False,
>    Count = 1,
>    Clause[0] = LocalIdKeyIdentifierClause(LocalId = 'urn:uuid:67422cf9-69c5-4e15-802d-4c6d39cdc57d',
Owner = 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken')
>    )
> ', available tokens 'SecurityTokenResolver
>    (
>    TokenCount = 1,
>    TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.ServiceModel.Security.Tokens.SecurityContextSecurityToken,
Parameters=System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters:
> InclusionMode: AlwaysToRecipient
> ReferenceStyle: Internal
> RequireDerivedKeys: False
> RequireCancellation: True
> BootstrapSecurityBindingElement:
>  System.ServiceModel.Channels.TransportSecurityBindingElement:
>  DefaultAlgorithmSuite: Basic256
>  IncludeTimestamp: True
>  KeyEntropyMode: CombinedEntropy
>  MessageSecurityVersion: WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
>  SecurityHeaderLayout: Strict
>  EndpointSupportingTokenParameters:
>    No endorsing tokens.
>    No signed tokens.
>    SignedEncrypted[0]
>      System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters:
>      InclusionMode: AlwaysToRecipient
>      ReferenceStyle: Internal
>      RequireDerivedKeys: False
>    No signed endorsing tokens.
>  OptionalEndpointSupportingTokenParameters:
>    No endorsing tokens.
>    No signed tokens.
>    No signed encrypted tokens.
>    No signed endorsing tokens.
>  OperationSupportingTokenParameters: none
>  OptionalOperationSupportingTokenParameters: none)
>    )
> '.</ExceptionString>
> </Exception>
> [edit] WCF Client with WCF Server
> [edit] WCF Client Request 1
> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"

>         xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>     <s:Header>
>         <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
>         <a:MessageID>urn:uuid:8151f398-b043-485e-a443-681fb698d334</a:MessageID>
>         <a:ReplyTo>
>             <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
>         </a:ReplyTo>
>         <a:To s:mustUnderstand="1">https://host/servicemodelsamples/service.svc/SSLA</a:To>
>         <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>             <u:Timestamp u:Id="_0">
>                 <u:Created>2009-04-06T08:25:00.988Z</u:Created>
>                 <u:Expires>2009-04-06T08:30:00.988Z</u:Expires>
>             </u:Timestamp>
>             <o:UsernameToken u:Id="uuid-0403819d-3bc9-4fc8-be6f-0c1b01da7397-1">
>                 <o:Username>
>                     <!-- Removed-->
>                 </o:Username>
>                 <o:Password>
>                     <!-- Removed-->
>                 </o:Password>
>             </o:UsernameToken>
>         </o:Security>
>     </s:Header>
>     <s:Body>
>         <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>             <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
>             <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
>             <t:Entropy>
>                 <!-- Removed-->
>             </t:Entropy>
>             <t:KeySize>256</t:KeySize>
>         </t:RequestSecurityToken>
>     </s:Body>
> </s:Envelope>
> [edit] WCF Client Response from Server 1
> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"

> xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>     <s:Header>
>         <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action>
>         <a:RelatesTo>urn:uuid:4f4996b9-4d71-47d8-91b8-ba75df9b3de6</a:RelatesTo>
>         <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>             <u:Timestamp u:Id="_0">
>                 <u:Created>2009-04-06T08:59:01.713Z</u:Created>
>                 <u:Expires>2009-04-06T09:04:01.713Z</u:Expires>
>             </u:Timestamp>
>         </o:Security>
>     </s:Header>
>     <s:Body>
>         <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>             <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
>             <t:RequestedSecurityToken>
>                 <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"
xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
>                     <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
>                 </c:SecurityContextToken>
>             </t:RequestedSecurityToken>
>             <t:RequestedAttachedReference>
>                 <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                     <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
>                 </o:SecurityTokenReference>
>             </t:RequestedAttachedReference>
>             <t:RequestedUnattachedReference>
>                 <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                     <o:Reference URI="urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e"
ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference>
>                 </o:SecurityTokenReference>
>             </t:RequestedUnattachedReference>
>             <t:RequestedProofToken>
>                 <t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKey>
>             </t:RequestedProofToken>
>             <t:Entropy>
>                 <!-- Removed-->
>             </t:Entropy>
>             <t:Lifetime>
>                 <u:Created>2009-04-06T08:59:01.701Z</u:Created>
>                 <u:Expires>2009-04-06T23:59:01.701Z</u:Expires>
>             </t:Lifetime>
>             <t:KeySize>256</t:KeySize>
>         </t:RequestSecurityTokenResponse>
>     </s:Body>
> </s:Envelope>
> [edit] WCF Client Request 2
> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"

> xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>     <s:Header>
>         <a:Action s:mustUnderstand="1">http://Microsoft.ServiceModel.Samples/ICalculator/Add</a:Action>
>         <a:MessageID>urn:uuid:3363fc9e-17e1-4e15-a0dc-ef56d63fa541</a:MessageID>
>         <a:ReplyTo>
>             <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
>         </a:ReplyTo>
>         <a:To s:mustUnderstand="1">https://host/servicemodelsamples/service.svc/SSLA</a:To>
>         <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>             <u:Timestamp u:Id="_0">
>                 <u:Created>2009-04-06T08:59:01.737Z</u:Created>
>                 <u:Expires>2009-04-06T09:04:01.737Z</u:Expires>
>             </u:Timestamp>
>             <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"
xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
>                 <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
>             </c:SecurityContextToken>
>             <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>                 <SignedInfo>
>                     <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
>                     <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod>
>                     <Reference URI="#_0">
>                         <Transforms>
>                             <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
>                         </Transforms>
>                         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
>                         <DigestValue>2VuDOwhOC2mm4YhQJEAzutsXuiU=</DigestValue>
>                     </Reference>
>                 </SignedInfo>
>                 <SignatureValue>AZzmujJH/wkgEzq9jopInPW3exQ=</SignatureValue>
>                 <KeyInfo>
>                     <o:SecurityTokenReference>
>                         <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
>                     </o:SecurityTokenReference>
>                 </KeyInfo>
>             </Signature>
>         </o:Security>
>     </s:Header>
>     <s:Body>
>         <Add xmlns="http://Microsoft.ServiceModel.Samples">
>             <n1>100</n1>
>             <n2>15.99</n2>
>         </Add>
>     </s:Body>
> </s:Envelope>
> [edit] WCF Client Response from Server 2
> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"

> xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>     <s:Header>
>         <a:Action s:mustUnderstand="1">http://Microsoft.ServiceModel.Samples/ICalculator/AddResponse</a:Action>
>         <a:RelatesTo>urn:uuid:3363fc9e-17e1-4e15-a0dc-ef56d63fa541</a:RelatesTo>
>         <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>             <u:Timestamp u:Id="_0">
>                 <u:Created>2009-04-06T08:59:01.773Z</u:Created>
>                 <u:Expires>2009-04-06T09:04:01.773Z</u:Expires>
>             </u:Timestamp>
>         </o:Security>
>     </s:Header>
>     <s:Body>
>         <AddResponse xmlns="http://Microsoft.ServiceModel.Samples">
>             <AddResult>115.99</AddResult>
>         </AddResponse>
>     </s:Body>
> </s:Envelope>
> [edit] CXF Client with WCF Server
> [edit] CXF Client Request 1
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
> 	<soap:Header>
> 		<Action xmlns="http://www.w3.org/2005/08/addressing">
> 			http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
> 		<MessageID xmlns="http://www.w3.org/2005/08/addressing">
> 			urn:uuid:ee3fd188-2a43-4d0e-b202-aac81f803bc5</MessageID>
> 		<To xmlns="http://www.w3.org/2005/08/addressing">
> 			https://host/ServiceModelSamples/service.svc/SSLA</To>
> 		<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
> 			<Address>http://www.w3.org/2005/08/addressing/anonymous
> 			</Address>
> 		</ReplyTo>
> 		<wsse:Security
> 			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> 			soap:mustUnderstand="true">
> 			<wsu:Timestamp
> 				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> 				wsu:Id="Timestamp-1763636894">
> 				<wsu:Created>2009-04-06T10:00:47.466Z
> 				</wsu:Created>
> 				<wsu:Expires>2009-04-06T10:05:47.466Z
> 				</wsu:Expires>
> 			</wsu:Timestamp>
> 			<wsse:UsernameToken
> 				xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> 				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> 				wsu:Id="UsernameToken-2095036283">
> 				<wsse:Username>bart\myuser</wsse:Username>
> 				<wsse:Password
> 					Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
> 			</wsse:UsernameToken>
> 		</wsse:Security>
> 	</soap:Header>
> 	<soap:Body>
> 		<wst:RequestSecurityToken
> 			xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
> 			<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
> 			</wst:RequestType>
> 			<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> 				<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
> 					<wsa:Address>
> 						https://host/ServiceModelSamples/service.svc/SSLA
> 					</wsa:Address>
> 				</wsa:EndpointReference>
> 			</wsp:AppliesTo>
> 			<wst:Lifetime>
> 				<wsu:Created
> 					xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-04-06T10:00:46.692Z
> 				</wsu:Created>
> 				<wsu:Expires
> 					xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-04-06T10:05:46.692Z
> 				</wsu:Expires>
> 			</wst:Lifetime>
> 			<wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct
> 			</wst:TokenType>
> 			<wst:Entropy>
> 				<wst:BinarySecret
> 					Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">7pPJRu/vrIfSeAzoq48kAd+55khFFbU/sLw0PeYkIKA=
> 				</wst:BinarySecret>
> 			</wst:Entropy>
> 			<wst:ComputedKeyAlgorithm>
> 				http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
> 			</wst:ComputedKeyAlgorithm>
> 		</wst:RequestSecurityToken>
> 	</soap:Body>
> </soap:Envelope>
> [edit] CXF Client Response from Server 1
> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
> 	xmlns:a="http://www.w3.org/2005/08/addressing"
> 	xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> 	<s:Header>
> 		<a:Action s:mustUnderstand="1">
> 			http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action>
> 		<a:RelatesTo>urn:uuid:ee3fd188-2a43-4d0e-b202-aac81f803bc5
> 		</a:RelatesTo>
> 		<o:Security s:mustUnderstand="1"
> 			xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> 			<u:Timestamp u:Id="_0">
> 				<u:Created>2009-04-06T10:00:28.212Z
> 				</u:Created>
> 				<u:Expires>2009-04-06T10:05:28.212Z
> 				</u:Expires>
> 			</u:Timestamp>
> 		</o:Security>
> 	</s:Header>
> 	<s:Body>
> 		<t:RequestSecurityTokenResponse
> 			xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
> 			<t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct
> 			</t:TokenType>
> 			<t:RequestedSecurityToken>
> 				<c:SecurityContextToken
> 					u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
> 					<c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20
> 					</c:Identifier>
> 				</c:SecurityContextToken>
> 			</t:RequestedSecurityToken>
> 			<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> 				<EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
> 					<Address>
> 						https://host/ServiceModelSamples/service.svc/SSLA
> 					</Address>
> 				</EndpointReference>
> 			</wsp:AppliesTo>
> 			<t:RequestedAttachedReference>
> 				<o:SecurityTokenReference
> 					xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> 					<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
> 						URI="#uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3"></o:Reference>
> 				</o:SecurityTokenReference>
> 			</t:RequestedAttachedReference>
> 			<t:RequestedUnattachedReference>
> 				<o:SecurityTokenReference
> 					xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> 					<o:Reference URI="urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20"
> 						ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference>
> 				</o:SecurityTokenReference>
> 			</t:RequestedUnattachedReference>
> 			<t:RequestedProofToken>
> 				<t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
> 				</t:ComputedKey>
> 			</t:RequestedProofToken>
> 			<t:Entropy>
> 				<t:BinarySecret u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-4"
> 					Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">f6m4wEJy9gPMttOxzM+7yf1i5biWxbNaBfbx1sWvVPw=
> 				</t:BinarySecret>
> 			</t:Entropy>
> 			<t:Lifetime>
> 				<u:Created>2009-04-06T10:00:28.208Z
> 				</u:Created>
> 				<u:Expires>2009-04-07T01:00:28.208Z
> 				</u:Expires>
> 			</t:Lifetime>
> 			<t:KeySize>256</t:KeySize>
> 		</t:RequestSecurityTokenResponse>
> 	</s:Body>
> </s:Envelope>
> [edit] CXF Client Request 2
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
> 	<soap:Header>
> 		<Action xmlns="http://www.w3.org/2005/08/addressing">
> 			http://Microsoft.ServiceModel.Samples/ICalculator/Add</Action>
> 		<MessageID xmlns="http://www.w3.org/2005/08/addressing">
> 			urn:uuid:b879526c-68c1-4713-8912-6ee23264715f</MessageID>
> 		<To xmlns="http://www.w3.org/2005/08/addressing">
> 			https://host/ServiceModelSamples/service.svc/SSLA</To>
> 		<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
> 			<Address>http://www.w3.org/2005/08/addressing/anonymous
> 			</Address>
> 		</ReplyTo>
> 		<wsse:Security
> 			xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> 			soap:mustUnderstand="true">
> 			<wsu:Timestamp
> 				xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> 				wsu:Id="Timestamp-937741416">
> 				<wsu:Created>2009-04-06T10:00:48.903Z
> 				</wsu:Created>
> 				<wsu:Expires>2009-04-06T10:05:48.903Z
> 				</wsu:Expires>
> 			</wsu:Timestamp>
> 			<c:SecurityContextToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"
> 				xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> 				u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3">
> 				<c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20
> 				</c:Identifier>
> 			</c:SecurityContextToken>
> 			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> 				Id="Signature-1670444352">
> 				<ds:SignedInfo>
> 					<ds:CanonicalizationMethod
> 						Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> 					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
> 					<ds:Reference URI="#Timestamp-937741416">
> 						<ds:Transforms>
> 							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
> 						</ds:Transforms>
> 						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> 						<ds:DigestValue>/gRfeAVaxWCey/0KWfXh4VDIdGA=
> 						</ds:DigestValue>
> 					</ds:Reference>
> 				</ds:SignedInfo>
> 				<ds:SignatureValue>rhEDDQNJHxAKgsBz5ZVPma1TkeY=
> 				</ds:SignatureValue>
> 				<ds:KeyInfo Id="KeyId-451036744">
> 					<wsse:SecurityTokenReference
> 						xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> 						xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> 						wsu:Id="STRId-187592160">
> 						<wsse:Reference
> 							xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> 							URI="#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
/>
> 					</wsse:SecurityTokenReference>
> 				</ds:KeyInfo>
> 			</ds:Signature>
> 		</wsse:Security>
> 	</soap:Header>
> 	<soap:Body>
> 		<ns1:Add xmlns:ns1="http://Microsoft.ServiceModel.Samples">
> 			<ns1:n1 xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/"
> 				xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> 				xsi:type="xs:string">1</ns1:n1>
> 			<ns1:n2 xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/"
> 				xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> 				xsi:type="xs:string">2</ns1:n2>
> 		</ns1:Add>
> 	</soap:Body>
> </soap:Envelope>
> [edit] CXF Client Response from Server 2
> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
> 	xmlns:a="http://www.w3.org/2005/08/addressing">
> 	<s:Header>
> 		<a:Action s:mustUnderstand="1">
> 			http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
> 		<a:RelatesTo>urn:uuid:c20c8ac5-3e6d-4189-8db8-97dda22f7cdc
> 		</a:RelatesTo>
> 	</s:Header>
> 	<s:Body>
> 		<s:Fault>
> 			<s:Code>
> 				<s:Value>s:Sender</s:Value>
> 				<s:Subcode>
> 					<s:Value
> 						xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
> 				</s:Subcode>
> 			</s:Code>
> 			<s:Reason>
> 				<s:Text xml:lang="en-GB">An error occurred when verifying security
> 					for the message.</s:Text>
> 			</s:Reason>
> 		</s:Fault>
> 	</s:Body>
> </s:Envelope>
> [edit] Analysis
> CXF client sends the following on request 2 with the URI attribute of the Reference element
equal to the element content of the Identifier element.
> <c:SecurityContextToken u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3">
> 	<c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20</c:Identifier>
> </c:SecurityContextToken>
> ...
> <ds:KeyInfo Id="KeyId-451036744">
> 	<wsse:SecurityTokenReference>
> 		<wsse:Reference
> 			URI="#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20" 
> 			ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" />
> 	</wsse:SecurityTokenReference>
> </ds:KeyInfo>
> however, the WCF client sends the following for its second request with the URI element
of the Reference element equal to the Id attribute of the SecurityContextToken element
> <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
>     <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
> </c:SecurityContextToken>
> ...
> <KeyInfo>
>     <o:SecurityTokenReference>
>         <o:Reference 
>                 ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" 
>                 URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
>     </o:SecurityTokenReference>
> </KeyInfo>
> If the following change is made in the org.apache.cxf.ws.security.wss4j.policyhandler.TransportBindingHandler:
> CXF trunk 2.2 version
> sig.setCustomTokenId(secTok.getId());
> changed to
> Node firstChild = securityToken.getAttachedReference().getFirstChild();
> Attr referenceUriAttribute = (Attr) firstChild.getAttributes().getNamedItem("URI");
> String referenceUri = referenceUriAttribute.getValue().substring(1);
> sig.setCustomTokenId(referenceUri)
> then the CXF client communicates with the WCF server successfully. It is not expected
that this is the correct place for the fix, since there are other places in the CXF source
which set the custom token id on the signature. It is more likely that a correction is required
earlier in the logic such that security token allows the id reference (i.e. the Reference
URI) to be set correctly and made available for configuring in the signature. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message