cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-4823) CXF - Rampart interoperability issue
Date Tue, 12 Feb 2013 14:01:13 GMT
Sergey created CXF-4823:
---------------------------

             Summary: CXF - Rampart  interoperability issue
                 Key: CXF-4823
                 URL: https://issues.apache.org/jira/browse/CXF-4823
             Project: CXF
          Issue Type: Bug
          Components: WS-* Components
            Reporter: Sergey


We have a CXF web service secured with WS-Security. The problem is that Axis2 client which
uses Rampart module cannot handle response. Rampart  expects that xenc:EncryptedKey goes first,
and ds:Signature is next. CXF puts elements in the opposite order. 

Response sample:
{code:xml}


<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">

  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-6">
        <wsu:Created>2013-02-10T20:22:51.879Z</wsu:Created>
        <wsu:Expires>2013-02-10T20:27:51.879Z</wsu:Expires>
      </wsu:Timestamp>     
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
      Id="SIG-8">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#id-7">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>
            otiRAVkSs777jSOZqqwBJlFILJo=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-6">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>
            wAJxVtTNvbPX6aHqrrX7/SOPplQ=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
        Dy/OVbJOTr1lfqzbZCGxUlanJ0YKVmnyDV9F3Z1aJtB093rXffnKX35o4CxfWqVY/k1COF1TG6mfDZ6nbd1PqM6Vlbk8hBL5iSUFZAKe6RgilD9nYZmWPl2KaLAVrHS66jdmczWGWUh/15YTWB1s8cyNbBSVrwcyKx9FlOgI3pY=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-6029833839643E518513605277718807">
          <wsse:SecurityTokenReference wsu:Id="STR-6029833839643E518513605277718808">

            <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
            4ZQm/eQOxdcAHohj09+Uk4ex3Lw=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
 <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
      Id="EK-6029833839643E518513605277718755">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference>
            <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
            mxCXzekKZqaJcrE3UmHFGOswTnI=</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>
          SQWm0I/90/iJUEDAts1jBPC4/W67aDTwrWGzZn1sYYRKyiFx/SxaGj3rtO3Nx8548I0e0ymfGN78ukjcytsUZHoABSNPmJb773Ou4r1l/S7oPqrGCW87A3OpFj3ri62u+iVP3c0u58tnjdIyKXqyeuZTpjtRETlTviH7O4YyInk=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#ED-5" />
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
    </wsse:Security>
    <Action xmlns="http://www.w3.org/2005/08/addressing">
    http://service.resadapter.myidtravel.lhsystems.com/RESAdapterServicePortType/getAvailabilityResponse</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">
    urn:uuid:f8f2570d-cd35-404a-b413-e5322ca92d01</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing">
    http://www.w3.org/2005/08/addressing/anonymous</To>
    <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">
    urn:uuid:65935AD1BEED993E3D1360527858578</RelatesTo>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  wsu:Id="id-7">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"
/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
        wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">

          <wsse:Reference URI="#EK-6029833839643E518513605277718755" />
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>
        hk6afclqW40YD/Lt91WdResuoUwzUwB9HYmcmmnMS2O3TdqOm7UC09l4h5Y2BCYoqM6+eBw8C1aS3Pg8TCYVksfVDRUW8Oai5VT+Hk7ihs/ABE2xZBeo2h50Nnx1EGVhizJfm2Be37yyJFz4i0MhI51Lto2LZvRppChyywe9GBdmxyC3+X+lM5cgSBRWPPi11KYgdNhcy6+FHaij5ZW4TjIlbg98gNGaGq8/5tR2H0luYadEq02bzMj0Qqjqxze7ixND9n750+BM89amhsnOXWCAbN9DXBjvA57qJSqmDRyyejUgj6srHV2n7VRMof75JpcmIdB0kfKMRPGXq0Jcd6LZIjjeG8+nit7HoJBRPk7VN3BO2A+5VZEjPW4Csb+4+KSx5+cmquIX+dxJvJ6M86iglkUVb+M+syekJffOVwOgFlZcZx54JL9O2VJIzsongff3KtYBg6Hxfhsx80ZfwTtH/6T8pf68rWF3MG6xSbP+cv6UjTegjQ/j84b7D2Gga5Vv5y+9c9PYlgpUIFX91Bx1RzmR+gkgEZ5EVG8OfhIlM6DGFyayXhSi0en4vpuRYu9qhOJKIgEjA7egc2G6rH81RQhObp4p9m1mlJrBakiUzxzayMsYXbzPduXTXdU7q2gEo/ZzjABnD9VVUY5oyMIGclnNDCNOtrVnnKm3zsM2xYlMhjIxUdTSFGHJmZXbGeApkZUef/b69hXvy3d0d6MP0L5zQatECj8NoOdIx5oJo26jsJId0wpPshkEAx+sgOu7Dnt+6sTnKg4zYQIKm4951d0nz9qP1bp3iWaRuid4oiZXfjBioqMom1teORmm1tEldTBen8Qa1p65y6sutb0D9B3E/j6ovHuaMs2J76+eU5q82N8fjkIPakvElVMBlvHIrgnyiburB9iCRjaI9SBcPbIlS1N6HExcdJSoB4o+glQb54o0KwV57919HvaZKii7tiIpDBMBPV7q3dyi5iXc0xYc7dFifwlxOyboH0ZlMBv2jmzo+sMZB7sN9BwAkJzRWKu9Bj44vZAqBSWL3dLIyKWSzDFchOV7xu8BBREr2sJKk2v0eFlIFwO8rfAowpgt0JLex0txXqIRx8gMq94lrAjquv4ADu91ImckDI8x7bURCax3O1YYA0un/oM5xH+kCuBk6dJNj+mUGOtM7qaJJEqGNpfMIIhoOCnc2BVP8WIt7CMVHM71DxOCWBZkQPFH+HlNs8MilXxWUFEjOFF5Fao8Cx62erSK3JBauiCdeMzVVyX8Xewwhg4pklYS/6fEpvovxgAt6DijH5cWfUDcwJIUMwY0JAMzC7uDB6kjTgYyphtcxHnS01xZISJeLqpPn8XOoQW1V2eUpcrITFHFgXd+85uCnP+vfVS9Z0Uv/ZNmYDqOnm837Y7VRNb9NIlUlgb6HNFVUThhqm6w0QzYMT3Vc304sc4LrvL/kfrLtqVzQwAT8zoikyOEj3kUOUdehJNWu4/yvyxZsyeQn436m/bPiZcYxQaN596VGRTOk8sYL5wDP7hWolBijswT9MFLb/lyK6fUinFc84pgq7gt8u7MoPWl4fxtzoMgyBvr85Rgtoyqopb0h+1XGcXd6rdC2JkEr3fCeM6M7CBAO/VycaLzDOkLW7TWlWEZDN/bQRGaV6QphY1l7qN3IpS8g1tnPSvbW0ots8OtLgyjIDidb6kPRKIzT16q8cTUuUZT8cO3NXMaIOwfbEKPN928pkQF8V15Bma2KBdMCWN5jHmLmLJZGWhXVi/flgo86Eoy8GpCJmr5IowrDfYOZZZbsw6m4bdTUsksDLpdXczlsY+8m6N1kQNwxXOJHbnbEb/e/qHAXmjgJ+fDVRjBd3MrJEZkcOf+bKP7NGjbY8AQzUgpZ/RdOfJ19WlwpvfPPG9f3UbifcUBliDTHFD2igeal3IUBVgYaGzmsw1fzT+G5nip64MadaVAF33TTMqFgQ3Pm/U+f/f0jKnJ9DnV4eH/k9XQyyvpbm58wHwBauI99vqWmce9gRkOwSc4X8eURM9I4ajCwod7iUUugbXvUegh9VckQncZPromBwL3R55RCPfj7XcbfjhSIrPbSbM+/TgP+0yTnwdJogm6F26IlfoPbbxWBhjgaGOW8P42ytJupbnVZUzChaC1Xip6UHDaYdy6WOsoasbp2LExY+LTmOrt/m1dy18z2DkO4nmlGBB8+KjjFh+7bD71a0shOoXImmW3paIudcDLMyhjUp0VfwXPUwiQnmgBLqj0FEF3yvul5ptJvzq6ZYWJ293IOVZFbxKmhyJVYctl2EmfaPtEYUMak3QIntWYr6PT5FRj2YBqiuhqsqOwA7CGSetbJ+9ArRd8JKZS5KEmsPlVloESzD7kwCjfkto+l+rb/dkDa5Bjk3X29dQC/U9vyxb5YZ8zxAYNii67e+LhfpxoCkFi22WXjFPsmRctFwpIVuTgObObRAqAcwNwk5QGrb9hNdCQZZ8RyVBx3T1m6k+5ZdRUkv9Vo/gdrh5WQa5oONa0J7e5jO/Ursim1/z86xbs0Wupu/90XHRuAtmxBBbvCv6ja2DquhvUFldhPueW+B1Ltr11OlZZ9jrGwmfGlwr5Z83v/PK9+nOvai9ibbOAe9j02uZBurigBPMRo0lBtcqu2Pj90WlR00HHZ8gPuxhL5siPr9f5aPWaVoPJtbACA+ukQveq5094B59Ez2vEFf3fZySHqgqMXtP+E19chT32mkF/ggq9I84jKurvDlmRRlFt/D/UAqVpON3W/0+CI7CeJ2/70IWgvdPghCuu70/sGXnXLX7EpdAnzDSwuCdt1KU5ZXvWKyWH86pizkRXNx3drSsLYVz1zbA5Y189aE4TvbYVvvxfxfe1CehLsJxzOmtmgu5fOUEEAyv6386PNPOBapsOW0Py46xpzAF9C9oqG4T+FHukaJGnMhk/oLMwIpruWfJt5qV2ydhCgQcWDf/biTQUUomK6mo+Bs/KuShUo+z0Ki4YbdjtQtYhNeqJqFYMKUSmBVqf+Pm5e63SuxXUBNqAaJtF9k4ZeolYoTfIILuNBytuuk6a5BGNhJ3gl+AKQBxFs8tjiharbLC0ckoECSheAPdb2OT7aCP5dxQfP5ovgRNQXIWlQJj7gxXQQjzIS3BcbaLegbi3VIt569bUiLT0wMnLgseBGmW9W+ue8pGEq/hqejgaaHn44qW7eNNwWojhSSjPq3FBQb0L3OedyYPom/w/F62fFTpe1WxTr3xMFOMp0JtXnAMx+tJvW1pI04wqXaIzV8AdBBGMvqTtJZ0pVgtxI3bBcIZP9ymIIIQ/odC96cZbM9ywVNknJHtptH0VUq2r0iWM62BHrSDYHJd+6rBwRQf9/LOk/JkVEPfggKkYkVPGMix3DB3ZvNUGxjbuZO/ReT+1XktijvOJX5sCcGn/pFIWKIxepiB5dtZ5AJeNqrbnc8asHb+bh5rPn/RkUCTcyEFCKGjgqpX5df9h+To0f5mkaTZP84g2dKDG+O08PojTdXr+QOHug5yPlC1cABbpkpnUbqnpJAh+lWl48GugnoIZZTbTISeGOFPNy4wdRKWaoFNITTnuST+X8HLGsybQPHhB0PaCDz8VKxq2gQw3rgNND78I6aLdNfaV9hZnOZuCX2qDNH34zXl4zCZd09r77mFQyCLO7lgQlTUT+tt+8+VAe6yTje34xX7W3jreDoVjVeL/+rzJmS6geg0RCYjE5I8OScYbx3vDyy8ONP+w0TByhOqb8LHEqfHSjUki3rQ9/2KZHJhHt7ZZ7bMCVJdzlEZOh/SF8auL83FKLkMxv9kdH9b8noZMtZzu1U7Q8j77J6kRx3wfJI3PCPzI7OOy7TN0w+/uqEwQSQ/LEqwdkBZKL9R68ngCKjxeIOEctqI0wc1fc/IwQ6iTZujYwdZNmMbiDKxM9gbklUOL4+iLrpmAOiaTXamAkrN7Xh29XGMvxtv7uC2derda0LszlGejRJISAqX1vkPclLU1q5UEUB6CrF0ilPQ7fkuJVaL920ooOW2LZoXBvUJ1Kl1OvqoRbbfiZIWzNZXTujRcwOOo9mxbWt5YBiLZN84tBWySeDuSqeNX4dXOs2rFz7IVBgLQH//64hSCG4GIBs00RElF8Fg/FqLg8wEowJA1OpZn49/j3Y9ZeNjGsBboRd7ZsOZjIY9w9Tn2wxpP3rXWMaKgUQkYU03cHdiSefQO4qGgpbQq8CQrBMQY1ZahEVPVPP33BST8XgDB9wQh5E7r8BqeDTMSpYmaObCnv3xRQzvZ6SBtWtkco/XbkEPNgMleFu0e3Lte/PmsstvNABfGbA==</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>


{code}



Rampart configuration : 
{code:xml}
<parameter name="InflowSecurity">
      <action>
        <items>Signature Encrypt Timestamp</items>
      </action>
    </parameter>
{code}

CXF configuration:
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:wsa="http://cxf.apache.org/ws/addressing"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                        http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
                        http://cxf.apache.org/ws/addressing http://cxf.apache.org/schemas/ws-addr-conf.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml" />
    <import resource="classpath:META-INF/cxf/cxf-extension-*.xml" />
    <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />

    <!-- Spring manage ServiceBean -->
    <bean id="RESAdapterService" class="net.worldticket.edi.protocol.ota.RESAdapterService"
/>

    <!--
    Log4j is set to be used in META-INF\cxf\org.apache.cxf.Logger
    Make sure that log4j INFO level is set for the following interceptors or
    for the package org.apache.cxf to make them work.
    -->
    <bean id="logInInterceptor" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
    <bean id="logOutInterceptor" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>

    <!--
         WSS4JInInterceptor for decrypting and validating the signature of the SOAP request.
    -->
    <bean
        id="TimestampSignEncrypt_Request"
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Signature Encrypt Timestamp"/>
                <entry key="signaturePropFile" value="interop.properties"/>
                <entry key="decryptionPropFile" value="interop.properties"/>
                <entry key="passwordCallbackClass" value="net.worldticket.myIdTravel.PasswordCallback"/>
            </map>
        </constructor-arg>
    </bean>

    <!--
         WSS4JOutInterceptor for encoding and signing the SOAP response.
    -->
    <bean
        id="TimestampSignEncrypt_Response"
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Signature Encrypt Timestamp"/>
                <entry key="user" value="useReqSigCert"/>
                <entry key="signatureUser" value="bob"/>
                <entry key="signaturePropFile" value="interop.properties"/>
                <entry key="encryptionPropFile" value="interop.properties"/>
                <entry key="passwordCallbackClass" value="net.worldticket.myIdTravel.PasswordCallback"/>
                <entry key="signatureParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>
                <entry key="encryptionParts" value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
                <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
                <entry key="encryptionKeyIdentifier" value="Thumbprint"/>
                <entry key="signatureKeyIdentifier" value="Thumbprint"/>
            </map>
        </constructor-arg>
    </bean>

    <!-- JAX-WS Service Endpoint -->
    <jaxws:endpoint id="resadapter" implementor="#RESAdapterService" address="/resadapter">
        <jaxws:outInterceptors>
             <ref bean="logOutInterceptor"/>
             <ref bean="TimestampSignEncrypt_Response"/>
         </jaxws:outInterceptors>
         <jaxws:inInterceptors>
             <ref bean="logInInterceptor"/>
             <ref bean="TimestampSignEncrypt_Request"/>
         </jaxws:inInterceptors>
        <jaxws:features>
            <wsa:addressing allowDuplicates="false"/>
        </jaxws:features>
    </jaxws:endpoint>

</beans>
{code}


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message