cxf-issues mailing list archives

From "Sergey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CXF-4823) CXF - Rampart interoperability issue: order of signature and encrypted key elements in XML
Date Wed, 13 Feb 2013 09:30:13 GMT

    [ https://issues.apache.org/jira/browse/CXF-4823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13577432#comment-13577432 ]

Sergey commented on CXF-4823:
-----------------------------

Eventually I found a workaround. I have implemented a javax.servlet.Filter which re-orders
the XML elements before returning the response to the client. I have also removed the message body
from the signature, so the signature is now computed on the timestamp element only; otherwise re-ordering
the "encrypted key" and "signature" elements causes an error when checking the signature on the client
side.

Nevertheless, this issue has to be fixed, because it is frustrating not to be able to serve
Axis2 clients out of the box. I think a new parameter has to be added to the CXF endpoint configuration
to activate an Axis2 compatibility mode.
                
> CXF - Rampart interoperability issue: order of signature and encrypted key elements in XML
> --------------------------------------------------------------------------------------------
>
>                 Key: CXF-4823
>                 URL: https://issues.apache.org/jira/browse/CXF-4823
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>            Reporter: Sergey
>
> We have a CXF web service secured with WS-Security. The problem is that an Axis2 client
which uses the Rampart module cannot handle the response generated by CXF. Rampart expects xenc:EncryptedKey
to go first, and ds:Signature next. CXF puts the elements in the opposite order. The workaround
is to re-order the actions in the Axis2 config file:
> {code:xml}
> <parameter name="InflowSecurity">
>       <action>
>         <!-- Signature Encrypt Timestamp makes the Axis2 client throw an "Actions mismatch" exception -->
>         <items>Encrypt Signature Timestamp</items>
>       </action>
>     </parameter>
> {code}
> The question is: how to make CXF change the order of the signature and encrypted key elements
in the security header of the SOAP response to make it compatible with Axis2 clients? Since the
order of actions is the same in both Axis and CXF configuration files, *Signature Encrypt Timestamp*,
it should work out of the box, shouldn't it?
> Response sample:
> {code:xml}
> <?xml version="1.0" encoding="utf-8"?>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     soap:mustUnderstand="1">
>       <wsu:Timestamp wsu:Id="TS-6">
>         <wsu:Created>2013-02-10T20:22:51.879Z</wsu:Created>
>         <wsu:Expires>2013-02-10T20:27:51.879Z</wsu:Expires>
>       </wsu:Timestamp>     
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>       Id="SIG-8">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>           <ds:Reference URI="#id-7">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <ds:DigestValue>
>             otiRAVkSs777jSOZqqwBJlFILJo=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#TS-6">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <ds:DigestValue>
>             wAJxVtTNvbPX6aHqrrX7/SOPplQ=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>
>         Dy/OVbJOTr1lfqzbZCGxUlanJ0YKVmnyDV9F3Z1aJtB093rXffnKX35o4CxfWqVY/k1COF1TG6mfDZ6nbd1PqM6Vlbk8hBL5iSUFZAKe6RgilD9nYZmWPl2KaLAVrHS66jdmczWGWUh/15YTWB1s8cyNbBSVrwcyKx9FlOgI3pY=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-6029833839643E518513605277718807">
>           <wsse:SecurityTokenReference wsu:Id="STR-6029833839643E518513605277718808">
>             <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>             ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
>             4ZQm/eQOxdcAHohj09+Uk4ex3Lw=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>       Id="EK-6029833839643E518513605277718755">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference>
>             <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>             ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
>             mxCXzekKZqaJcrE3UmHFGOswTnI=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>
>           SQWm0I/90/iJUEDAts1jBPC4/W67aDTwrWGzZn1sYYRKyiFx/SxaGj3rtO3Nx8548I0e0ymfGN78ukjcytsUZHoABSNPmJb773Ou4r1l/S7oPqrGCW87A3OpFj3ri62u+iVP3c0u58tnjdIyKXqyeuZTpjtRETlTviH7O4YyInk=</xenc:CipherValue>
>         </xenc:CipherData>
>         <xenc:ReferenceList>
>           <xenc:DataReference URI="#ED-5" />
>         </xenc:ReferenceList>
>       </xenc:EncryptedKey>
>     </wsse:Security>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">
>     http://service.resadapter.myidtravel.lhsystems.com/RESAdapterServicePortType/getAvailabilityResponse</Action>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">
>     urn:uuid:f8f2570d-cd35-404a-b413-e5322ca92d01</MessageID>
>     <To xmlns="http://www.w3.org/2005/08/addressing">
>     http://www.w3.org/2005/08/addressing/anonymous</To>
>     <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">
>     urn:uuid:65935AD1BEED993E3D1360527858578</RelatesTo>
>   </soap:Header>
>   <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   wsu:Id="id-7">
>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>     Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Content">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>         wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
>           <wsse:Reference URI="#EK-6029833839643E518513605277718755" />
>         </wsse:SecurityTokenReference>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue>
>         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</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </soap:Body>
> </soap:Envelope>
> {code}
> Rampart configuration : 
> {code:xml}
> <parameter name="InflowSecurity">
>       <action>
>         <items>Signature Encrypt Timestamp</items>
>       </action>
>     </parameter>
> {code}
> CXF configuration:
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:jaxws="http://cxf.apache.org/jaxws"
>        xmlns:wsa="http://cxf.apache.org/ws/addressing"
>     xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
>                         http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
>                         http://cxf.apache.org/ws/addressing http://cxf.apache.org/schemas/ws-addr-conf.xsd">
>     <import resource="classpath:META-INF/cxf/cxf.xml" />
>     <import resource="classpath:META-INF/cxf/cxf-extension-*.xml" />
>     <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
>     <!-- Spring manage ServiceBean -->
>     <bean id="RESAdapterService" class="net.worldticket.edi.protocol.ota.RESAdapterService" />
>     <!--
>     Log4j is set to be used in META-INF\cxf\org.apache.cxf.Logger
>     Make sure that log4j INFO level is set for the following interceptors or
>     for the package org.apache.cxf to make them work.
>     -->
>     <bean id="logInInterceptor" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
>     <bean id="logOutInterceptor" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
>     <!--
>          WSS4JInInterceptor for decrypting and validating the signature of the SOAP request.
>     -->
>     <bean
>         id="TimestampSignEncrypt_Request"
>         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>         <constructor-arg>
>             <map>
>                 <entry key="action" value="Signature Encrypt Timestamp"/>
>                 <entry key="signaturePropFile" value="interop.properties"/>
>                 <entry key="decryptionPropFile" value="interop.properties"/>
>                 <entry key="passwordCallbackClass" value="net.worldticket.myIdTravel.PasswordCallback"/>
>             </map>
>         </constructor-arg>
>     </bean>
>     <!--
>          WSS4JOutInterceptor for encoding and signing the SOAP response.
>     -->
>     <bean
>         id="TimestampSignEncrypt_Response"
>         class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>         <constructor-arg>
>             <map>
>                 <entry key="action" value="Signature Encrypt Timestamp"/>
>                 <entry key="user" value="useReqSigCert"/>
>                 <entry key="signatureUser" value="bob"/>
>                 <entry key="signaturePropFile" value="interop.properties"/>
>                 <entry key="encryptionPropFile" value="interop.properties"/>
>                 <entry key="passwordCallbackClass" value="net.worldticket.myIdTravel.PasswordCallback"/>
>                 <entry key="signatureParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>
>                 <entry key="encryptionParts" value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>                 <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>                 <entry key="encryptionKeyTransportAlgorithm" value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>                 <entry key="encryptionKeyIdentifier" value="Thumbprint"/>
>                 <entry key="signatureKeyIdentifier" value="Thumbprint"/>
>             </map>
>         </constructor-arg>
>     </bean>
>     <!-- JAX-WS Service Endpoint -->
>     <jaxws:endpoint id="resadapter" implementor="#RESAdapterService" address="/resadapter">
>         <jaxws:outInterceptors>
>              <ref bean="logOutInterceptor"/>
>              <ref bean="TimestampSignEncrypt_Response"/>
>          </jaxws:outInterceptors>
>          <jaxws:inInterceptors>
>              <ref bean="logInInterceptor"/>
>              <ref bean="TimestampSignEncrypt_Request"/>
>          </jaxws:inInterceptors>
>         <jaxws:features>
>             <wsa:addressing allowDuplicates="false"/>
>         </jaxws:features>
>     </jaxws:endpoint>
> </beans>
> {code}

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
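As an added diagnostic (not code from the issue, from CXF or from Rampart), the Python script below parses a SOAP envelope modelled on the response sample above and reports, for every signed reference, whether a receiver that walks the wsse:Security header in document order meets the EncryptedKey that decrypts that part before or after the Signature. If the Body was signed before it was encrypted (the natural reading of the outbound action list "Signature Encrypt Timestamp"), such a receiver needs the EncryptedKey first so that the digest is taken over plaintext; a Signature-first header makes it hash ciphertext, which matches the order Rampart is described as expecting. The script also performs the header re-ordering the workaround comment describes, here in Python rather than a javax.servlet.Filter. The envelope, its ids and the base64 placeholders are constructed; the namespace URIs are the standard ones appearing in the sample.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs, the same ones the response sample in the issue uses.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed envelope modelled on the issue's response sample; ids and base64 values are placeholders.
SAMPLE = """<soap:Envelope xmlns:soap="%(soap)s">
 <soap:Header><wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" soap:mustUnderstand="1">
   <wsu:Timestamp wsu:Id="TS-6"><wsu:Created>2013-02-10T20:22:51Z</wsu:Created></wsu:Timestamp>
   <ds:Signature xmlns:ds="%(ds)s" Id="SIG-8">
    <ds:SignedInfo><ds:Reference URI="#id-7"/><ds:Reference URI="#TS-6"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
   </ds:Signature>
   <xenc:EncryptedKey xmlns:xenc="%(xenc)s" Id="EK-1">
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    <xenc:ReferenceList><xenc:DataReference URI="#ED-5"/></xenc:ReferenceList>
   </xenc:EncryptedKey>
 </wsse:Security></soap:Header>
 <soap:Body xmlns:wsu="%(wsu)s" wsu:Id="id-7">
  <xenc:EncryptedData xmlns:xenc="%(xenc)s" Id="ED-5" Type="%(xenc)s#Content">
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>""" % NS


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} part of an ElementTree tag

def _security_children(root):
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    return sec, list(sec)

def header_order(envelope_xml):
    """Security header children in document order, e.g. ['Timestamp', 'Signature', 'EncryptedKey']."""
    return [_local(c.tag) for c in _security_children(ET.fromstring(envelope_xml))[1]]

def _by_id(root, ref_id):
    # Resolve a '#id' reference against wsu:Id (Body, Timestamp) or plain Id (xmldsig/xmlenc) attributes.
    return next((el for el in root.iter() if ref_id in (el.get(WSU_ID), el.get("Id"))), None)

def _encrypted_key_position(children, ed_id):
    # Header index of the EncryptedKey whose ReferenceList points at the EncryptedData ed_id.
    for i, c in enumerate(children):
        refs = c.findall("xenc:ReferenceList/xenc:DataReference", NS) if _local(c.tag) == "EncryptedKey" else []
        if any(dr.get("URI") == "#" + ed_id for dr in refs):
            return i
    return None

def check_processing_order(envelope_xml):
    """For each signed reference, report what a receiver walking the header in document order meets:
    the EncryptedKey before the Signature (digest over plaintext) or after it (digest over ciphertext)."""
    root = ET.fromstring(envelope_xml)
    children = _security_children(root)[1]
    findings = []
    for sig_pos, child in enumerate(children):
        if _local(child.tag) != "Signature":
            continue
        for ref in child.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            target = _by_id(root, uri[1:]) if uri.startswith("#") else None
            if target is None:
                findings.append({"ref": uri, "status": "dangling"})
                continue
            encrypted = [target] if _local(target.tag) == "EncryptedData" else target.findall(".//xenc:EncryptedData", NS)
            if not encrypted:
                findings.append({"ref": uri, "status": "plaintext"})
            for ed in encrypted:
                key_pos = _encrypted_key_position(children, ed.get("Id", ""))
                status = ("no-encrypted-key" if key_pos is None
                          else "decrypt-then-verify" if key_pos < sig_pos else "verify-then-decrypt")
                findings.append({"ref": uri, "encrypted_data": ed.get("Id"), "status": status})
    return findings

def reorder_encrypted_key_first(envelope_xml):
    """Move every EncryptedKey in front of the first Signature, as the workaround comment describes.
    Prefixes are registered first so the signed elements keep their qualified names when re-serialized."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    root = ET.fromstring(envelope_xml)
    sec, children = _security_children(root)
    keys = [c for c in children if _local(c.tag) == "EncryptedKey"]
    sigs = [i for i, c in enumerate(children) if _local(c.tag) == "Signature"]
    if not keys or not sigs:
        return envelope_xml
    insert_at = sigs[0] - sum(1 for k in keys if children.index(k) < sigs[0])
    for k in keys:
        sec.remove(k)
    for offset, k in enumerate(keys):
        sec.insert(insert_at + offset, k)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    for label, doc in (("as sent", SAMPLE), ("re-ordered", reorder_encrypted_key_first(SAMPLE))):
        print(label, header_order(doc), check_processing_order(doc))
```

Two caveats matter when re-ordering a signed header after the fact, as the Filter workaround does. First, the check above only reads the header; which order is right depends on whether signing preceded encryption, and the report states the consequence ("digest over ciphertext") rather than declaring the message broken. Second, any re-serialization must leave the signed elements canonically identical: exclusive c14n, the algorithm in the sample, includes each element's prefix in the digest input, so a library that renames ds: or wsu: prefixes (ElementTree does this unless the prefixes are registered, which the code does) breaks the very signature the re-ordering was meant to rescue. Moving namespace declarations to the root, which ElementTree also does, is harmless under exclusive c14n but would not be under inclusive c14n.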
