cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jair Lopes (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-4758) Receive error message when trying to connect to crm 2011 Webservices with https binding - javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.
Date Wed, 16 Jan 2013 14:54:13 GMT

     [ https://issues.apache.org/jira/browse/CXF-4758?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jair Lopes updated CXF-4758:
----------------------------

    Description: 
I am trying to connect from a Java client with cxf to crm 2011 Web Services(on premise). When
I connected over http everything worked fine. But when I switched to HTTPS(Port 443)I suddenly
got this error:

FEIN: Invoking handleMessage on interceptor org.apache.cxf.ws.policy.PolicyVerificationInFaultInterceptor@17698cbe
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying
security for the message.
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:155)
	at $Proxy46.create(Unknown Source)
	at GetCRm.doIt(GetCRm.java:322)
	at RunHttpSpnego.main(RunHttpSpnego.java:20)
Caused by: org.apache.cxf.binding.soap.SoapFault: An error occurred when verifying security
for the message.
	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.unmarshalFault(Soap12FaultInInterceptor.java:133)
	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:59)
	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:46)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
	at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:114)
	at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
	at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:800)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1590)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1488)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1307)
	at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
	at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:229)
	at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
	... 3 more 



Against first thoughts, this was not a time issue between the server and client.
I activated WCF Tracing and got the following error:

<Exception><ExceptionType>System.ServiceModel.Security.MessageSecurityException,
System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>A
supporting token that satisfies parameters 'System.ServiceModel.Security.Tokens.SspiSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False
RequireCancellation: True' and attachment mode 'Endorsing' was not provided.</Message><StackTrace>
  at System.ServiceModel.Security.ReceiveSecurityHeader.VerifySupportingToken(TokenTracker
tracker)
   at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding
channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp;amp;
message, TimeSpan timeout)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp;amp;
message, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp;amp;
message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message&amp;amp;
message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
   at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext
requestContext, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
   at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult
result)
   at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
   at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
   at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
   at System.Runtime.InputQueue`1.Dispatch()
   at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32
numBytes, NativeOverlapped* nativeOverlapped)
   at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead,
NativeOverlapped* nativeOverlapped)
   at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode,
UInt32 numBytes, NativeOverlapped* pOVERLAP)
</StackTrace><ExceptionString>System.ServiceModel.Security.MessageSecurityException:
A supporting token that satisfies parameters 'System.ServiceModel.Security.Tokens.SspiSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False
RequireCancellation: True' and attachment mode 'Endorsing' was not provided.</ExceptionString></Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent><E2ETraceEvent
xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>458802</EventID><Type>3</Type><SubType
Name="Warning">0</SubType><Level>4</Level><TimeCreated SystemTime="2013-01-16T13:55:44.5998534Z"
/><Source Name="System.ServiceModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}"
/><Execution ProcessName="w3wp" ProcessID="8504" ThreadID="16" /><Channel/><Computer>LOGICALIS-ALT</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord
xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning"><TraceIdentifier>http://msdn.microsoft.com/de-DE/library/System.ServiceModel.Security.SecurityBindingVerifyIncomingMessageFailure.aspx</TraceIdentifier><Description>The
security protocol cannot verify the incoming message.</Description>

This only happens when trying to connect over HTTPS.

I connect to my endpoint by using a servicestub generated with WSDL to java. The authentication
policy for the Webservice Looks like this:

<?xml version="1.0" encoding="utf-8" ?> 
- <wsdl:definitions targetNamespace="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:tns="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
- <wsp:Policy wsu:Id="CustomBinding_IOrganizationService_policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <ms-xrm:AuthenticationPolicy xmlns:ms-xrm="http://schemas.microsoft.com/xrm/2011/Contracts/Services">
  <ms-xrm:Authentication>ActiveDirectory</ms-xrm:Authentication> 
  </ms-xrm:AuthenticationPolicy>
- <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
- <wsp:Policy>
- <sp:TransportToken>
- <wsp:Policy>
  <sp:HttpsToken RequireClientCertificate="false" /> 
  </wsp:Policy>
  </sp:TransportToken>
- <sp:AlgorithmSuite>
- <wsp:Policy>
  <sp:Basic256 /> 
  </wsp:Policy>
  </sp:AlgorithmSuite>
- <sp:Layout>
- <wsp:Policy>
  <sp:Strict /> 
  </wsp:Policy>
  </sp:Layout>
  <sp:IncludeTimestamp /> 
  </wsp:Policy>
  </sp:TransportBinding>
- <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
- <wsp:Policy>
- <sp:SpnegoContextToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
  <wsp:Policy /> 
  </sp:SpnegoContextToken>
  </wsp:Policy>
  </sp:EndorsingSupportingTokens>
- <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy /> 
  </sp:Wss11>
- <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
- <wsp:Policy>
  <sp:MustSupportIssuedTokens /> 
  <sp:RequireClientEntropy /> 
  <sp:RequireServerEntropy /> 
  </wsp:Policy>
  </sp:Trust10>
  <wsaw:UsingAddressing /> 
  </wsp:All>
  </wsp:ExactlyOne>
  </wsp:Policy>

The authentication process is handled by Spnego.
I simply changed the Webservice endpoint for my URL and imported the neccessary certificates
into the respective java certca store
besides that I didn´t make any changes to the code.
I have tried for a long time to make it work but without success. Can you guys tell me more
about this?
Am I missing something in my code that I have to add to make this work?

  was:
I am trying to connect from a Java client with cxf to crm 2011 Web Services(on premise). When
I connected over http everything worked fine. But when I switched to HTTPS(Port 443)I suddenly
got this error:

FEIN: Invoking handleMessage on interceptor org.apache.cxf.ws.policy.PolicyVerificationInFaultInterceptor@17698cbe
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying
security for the message.
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:155)
	at $Proxy46.create(Unknown Source)
	at GetCRm.doIt(GetCRm.java:322)
	at RunHttpSpnego.main(RunHttpSpnego.java:20)
Caused by: org.apache.cxf.binding.soap.SoapFault: An error occurred when verifying security
for the message.
	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.unmarshalFault(Soap12FaultInInterceptor.java:133)
	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:59)
	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:46)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
	at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:114)
	at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
	at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:800)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1590)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1488)
	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1307)
	at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
	at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:229)
	at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
	... 3 more 



Against first thoughts, this was not a time issue between the server and client.
I activated WCF Tracing and got the following error:

<Exception><ExceptionType>System.ServiceModel.Security.MessageSecurityException,
System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>A
supporting token that satisfies parameters 'System.ServiceModel.Security.Tokens.SspiSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False
RequireCancellation: True' and attachment mode 'Endorsing' was not provided.</Message><StackTrace>
  at System.ServiceModel.Security.ReceiveSecurityHeader.VerifySupportingToken(TokenTracker
tracker)
   at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding
channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp;amp;
message, TimeSpan timeout)
   at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp;amp;
message, TimeSpan timeout)
   at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp;amp;
message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
   at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message&amp;amp;
message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
   at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext
requestContext, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
   at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult
result)
   at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
   at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
   at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
   at System.Runtime.InputQueue`1.Dispatch()
   at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32
numBytes, NativeOverlapped* nativeOverlapped)
   at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead,
NativeOverlapped* nativeOverlapped)
   at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode,
UInt32 numBytes, NativeOverlapped* pOVERLAP)
</StackTrace><ExceptionString>System.ServiceModel.Security.MessageSecurityException:
A supporting token that satisfies parameters 'System.ServiceModel.Security.Tokens.SspiSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False
RequireCancellation: True' and attachment mode 'Endorsing' was not provided.</ExceptionString></Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent><E2ETraceEvent
xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>458802</EventID><Type>3</Type><SubType
Name="Warning">0</SubType><Level>4</Level><TimeCreated SystemTime="2013-01-16T13:55:44.5998534Z"
/><Source Name="System.ServiceModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}"
/><Execution ProcessName="w3wp" ProcessID="8504" ThreadID="16" /><Channel/><Computer>LOGICALIS-ALT</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord
xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning"><TraceIdentifier>http://msdn.microsoft.com/de-DE/library/System.ServiceModel.Security.SecurityBindingVerifyIncomingMessageFailure.aspx</TraceIdentifier><Description>The
security protocol cannot verify the incoming message.</Description>

This only happens when trying to connect over HTTPS.

I connect to my endpoint by using a servicestub generated with WSDL to java. The authentication
policy for the Webservice Looks like this:

<?xml version="1.0" encoding="utf-8" ?> 
- <wsdl:definitions targetNamespace="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:tns="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
- <wsp:Policy wsu:Id="CustomBinding_IOrganizationService_policy">
- <wsp:ExactlyOne>
- <wsp:All>
- <ms-xrm:AuthenticationPolicy xmlns:ms-xrm="http://schemas.microsoft.com/xrm/2011/Contracts/Services">
  <ms-xrm:Authentication>ActiveDirectory</ms-xrm:Authentication> 
  </ms-xrm:AuthenticationPolicy>
- <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
- <wsp:Policy>
- <sp:TransportToken>
- <wsp:Policy>
  <sp:HttpsToken RequireClientCertificate="false" /> 
  </wsp:Policy>
  </sp:TransportToken>
- <sp:AlgorithmSuite>
- <wsp:Policy>
  <sp:Basic256 /> 
  </wsp:Policy>
  </sp:AlgorithmSuite>
- <sp:Layout>
- <wsp:Policy>
  <sp:Strict /> 
  </wsp:Policy>
  </sp:Layout>
  <sp:IncludeTimestamp /> 
  </wsp:Policy>
  </sp:TransportBinding>
- <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
- <wsp:Policy>
- <sp:SpnegoContextToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
  <wsp:Policy /> 
  </sp:SpnegoContextToken>
  </wsp:Policy>
  </sp:EndorsingSupportingTokens>
- <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy /> 
  </sp:Wss11>
- <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
- <wsp:Policy>
  <sp:MustSupportIssuedTokens /> 
  <sp:RequireClientEntropy /> 
  <sp:RequireServerEntropy /> 
  </wsp:Policy>
  </sp:Trust10>
  <wsaw:UsingAddressing /> 
  </wsp:All>
  </wsp:ExactlyOne>
  </wsp:Policy>

The authentication process is handled by Spnego.
I simple changed the Webservice endpoint for my URL and imported the neccessary certificates
into the respective java certca store
besides that I didn´t make any changes to the code.
I have tried for a long time to make it work but without success. Can you guys tell me more
about this?
Am I missing something in my code that I have to add to make this work?

    
> Receive error message when trying to connect to crm 2011 Webservices with https binding
- javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the
message.
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CXF-4758
>                 URL: https://issues.apache.org/jira/browse/CXF-4758
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 2.7.2
>         Environment: Windows 7 64 Bit. Java 1.6.37 runtime environment
>            Reporter: Jair Lopes
>            Priority: Critical
>
> I am trying to connect from a Java client with cxf to crm 2011 Web Services(on premise).
When I connected over http everything worked fine. But when I switched to HTTPS(Port 443)I
suddenly got this error:
> FEIN: Invoking handleMessage on interceptor org.apache.cxf.ws.policy.PolicyVerificationInFaultInterceptor@17698cbe
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: An error occurred when
verifying security for the message.
> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:155)
> 	at $Proxy46.create(Unknown Source)
> 	at GetCRm.doIt(GetCRm.java:322)
> 	at RunHttpSpnego.main(RunHttpSpnego.java:20)
> Caused by: org.apache.cxf.binding.soap.SoapFault: An error occurred when verifying security
for the message.
> 	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.unmarshalFault(Soap12FaultInInterceptor.java:133)
> 	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:59)
> 	at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:46)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
> 	at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:114)
> 	at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
> 	at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
> 	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:800)
> 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1590)
> 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1488)
> 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1307)
> 	at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
> 	at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:229)
> 	at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
> 	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
> 	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
> 	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
> 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
> 	... 3 more 
> Against first thoughts, this was not a time issue between the server and client.
> I activated WCF Tracing and got the following error:
> <Exception><ExceptionType>System.ServiceModel.Security.MessageSecurityException,
System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType><Message>A
supporting token that satisfies parameters 'System.ServiceModel.Security.Tokens.SspiSecurityTokenParameters:
> InclusionMode: AlwaysToRecipient
> ReferenceStyle: Internal
> RequireDerivedKeys: False
> RequireCancellation: True' and attachment mode 'Endorsing' was not provided.</Message><StackTrace>
  at System.ServiceModel.Security.ReceiveSecurityHeader.VerifySupportingToken(TokenTracker
tracker)
>    at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout, ChannelBinding
channelBinding, ExtendedProtectionPolicy extendedProtectionPolicy)
>    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp;amp;
message, TimeSpan timeout)
>    at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp;amp;
message, TimeSpan timeout)
>    at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp;amp;
message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
>    at System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message&amp;amp;
message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationState)
>    at System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext
requestContext, TimeSpan timeout)
>    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
>    at System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult
result)
>    at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult result)
>    at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
>    at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
>    at System.Runtime.InputQueue`1.Dispatch()
>    at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 errorCode,
UInt32 numBytes, NativeOverlapped* nativeOverlapped)
>    at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32
bytesRead, NativeOverlapped* nativeOverlapped)
>    at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode,
UInt32 numBytes, NativeOverlapped* pOVERLAP)
> </StackTrace><ExceptionString>System.ServiceModel.Security.MessageSecurityException:
A supporting token that satisfies parameters 'System.ServiceModel.Security.Tokens.SspiSecurityTokenParameters:
> InclusionMode: AlwaysToRecipient
> ReferenceStyle: Internal
> RequireDerivedKeys: False
> RequireCancellation: True' and attachment mode 'Endorsing' was not provided.</ExceptionString></Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent><E2ETraceEvent
xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>458802</EventID><Type>3</Type><SubType
Name="Warning">0</SubType><Level>4</Level><TimeCreated SystemTime="2013-01-16T13:55:44.5998534Z"
/><Source Name="System.ServiceModel" /><Correlation ActivityID="{00000000-0000-0000-0000-000000000000}"
/><Execution ProcessName="w3wp" ProcessID="8504" ThreadID="16" /><Channel/><Computer>LOGICALIS-ALT</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord
xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Warning"><TraceIdentifier>http://msdn.microsoft.com/de-DE/library/System.ServiceModel.Security.SecurityBindingVerifyIncomingMessageFailure.aspx</TraceIdentifier><Description>The
security protocol cannot verify the incoming message.</Description>
> This only happens when trying to connect over HTTPS.
> I connect to my endpoint by using a servicestub generated with WSDL to java. The authentication
policy for the Webservice Looks like this:
> <?xml version="1.0" encoding="utf-8" ?> 
> - <wsdl:definitions targetNamespace="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:tns="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
> - <wsp:Policy wsu:Id="CustomBinding_IOrganizationService_policy">
> - <wsp:ExactlyOne>
> - <wsp:All>
> - <ms-xrm:AuthenticationPolicy xmlns:ms-xrm="http://schemas.microsoft.com/xrm/2011/Contracts/Services">
>   <ms-xrm:Authentication>ActiveDirectory</ms-xrm:Authentication> 
>   </ms-xrm:AuthenticationPolicy>
> - <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> - <wsp:Policy>
> - <sp:TransportToken>
> - <wsp:Policy>
>   <sp:HttpsToken RequireClientCertificate="false" /> 
>   </wsp:Policy>
>   </sp:TransportToken>
> - <sp:AlgorithmSuite>
> - <wsp:Policy>
>   <sp:Basic256 /> 
>   </wsp:Policy>
>   </sp:AlgorithmSuite>
> - <sp:Layout>
> - <wsp:Policy>
>   <sp:Strict /> 
>   </wsp:Policy>
>   </sp:Layout>
>   <sp:IncludeTimestamp /> 
>   </wsp:Policy>
>   </sp:TransportBinding>
> - <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> - <wsp:Policy>
> - <sp:SpnegoContextToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>   <wsp:Policy /> 
>   </sp:SpnegoContextToken>
>   </wsp:Policy>
>   </sp:EndorsingSupportingTokens>
> - <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>   <wsp:Policy /> 
>   </sp:Wss11>
> - <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> - <wsp:Policy>
>   <sp:MustSupportIssuedTokens /> 
>   <sp:RequireClientEntropy /> 
>   <sp:RequireServerEntropy /> 
>   </wsp:Policy>
>   </sp:Trust10>
>   <wsaw:UsingAddressing /> 
>   </wsp:All>
>   </wsp:ExactlyOne>
>   </wsp:Policy>
> The authentication process is handled by Spnego.
> I simply changed the Webservice endpoint for my URL and imported the neccessary certificates
into the respective java certca store
> besides that I didn´t make any changes to the code.
> I have tried for a long time to make it work but without success. Can you guys tell me
more about this?
> Am I missing something in my code that I have to add to make this work?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message