cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Fred Dushin <f...@dushin.net>
Subject Re: Problems using encryption together with username token
Date Tue, 14 Oct 2008 12:17:23 GMT
Hold on a sec -- you don't need to sign a message, if you dont' want  
to, right?  In other words, you could just encrypt the UsernameToken  
element using the public key of the server, and there'd be no need to  
sign anything (hence posess a private key).

Note that you'll also want some sort of timestamp or nonce in the  
UsernameToken, since the encrypted token would be completely  
replayable.  You'd also want some detection of replay in the server,  
which you'll need to do yourself, since neither WSS4J nor CXF does  
that for you.

You do care about replay attacks, right?

-Fred

On Oct 13, 2008, at 11:34 PM, Glen Mazza wrote:

>
> Hopefully someone else can answer your question, but AFAICT Username +
> Encryption is largely redundant, because you still need to sign your  
> SOAP
> request with the client's private key to make sure that the request  
> hasn't
> been altered in transit[1].  And since you're signing, the server will
> already have your public key, so they would know who you are--a
> username/password would not be necessary.
>
> BTW, the cryptic message "Unexpected number of X509Data:..." has  
> been fixed
> in the latest WSS4J (although I don't know what it now says, but as I
> understand it is more comprehensible.)
>
> Glen
>
> [1] http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the
>
>
> ChristianD wrote:
>>
>> Hi there,
>>
>> as the subject says, i have problems to get my web service running  
>> with
>> encryption and username token activated. But when I only use  
>> encryption
>> everything is fine.
>>
>> Here is my config for the server:
>>
>> 1) cxf.xml:
>> <jaxws:inInterceptors>
>> 	<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>> 	<constructor-arg>
>> 		<map>
>> 			<entry key="action" value="Encrypt UsernameToken" />
>> 			<entry key="decryptionPropFile" value="server.properties" />
>> 			<entry key="passwordCallbackClass"
>> 			value="de.sms_stiewi.services.PwCallbackHandler" />
>> 		</map>
>> 	</constructor-arg>
>> 	</bean>			
>> </jaxws:inInterceptors>
>>
>> 2) server.properties:
>> org 
>> .apache 
>> .ws 
>> .security 
>> .crypto.provider=org.apache.ws.security.components.crypto.Merlin
>> org.apache.ws.security.crypto.merlin.keystore.type=jks
>> org.apache.ws.security.crypto.merlin.keystore.alias=serveralias
>> org.apache.ws.security.crypto.merlin.keystore.password=serversecret
>> org.apache.ws.security.crypto.merlin.file=serverkeystore.jks
>>
>> 3) PwCallbackHandler Class:
>> public class PwCallbackHandler implements CallbackHandler {
>> 	public void handle(Callback[] callbacks) throws IOException,
>> UnsupportedCallbackException {
>> 		WSPasswordCallback passwordCallback = (WSPasswordCallback)  
>> callbacks[0];
>> 		
>> 		if (passwordCallback.getIdentifer().equals("Anonymous")) {
>> 			passwordCallback.setPassword("secret");
>> 		}
>> 	}
>> }
>>
>>
>> And here the configuration for the client to test it:
>>
>> 1) Interceptor configuration:
>> WSS4JOutInterceptor wss4jOutInterceptor = new WSS4JOutInterceptor();
>> wss4jOutInterceptor.setProperty(WSHandlerConstants.ACTION,
>> WSHandlerConstants.USERNAME_TOKEN + " " +  
>> WSHandlerConstants.ENCRYPT);
>> wss4jOutInterceptor.setProperty(WSHandlerConstants.USER,  
>> "Anonymous");
>> wss4jOutInterceptor.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS,
>> "de.sms_stiewi.services.PwCallbackHandler");
>> wss4jOutInterceptor.setProperty(WSHandlerConstants.ENC_PROP_FILE,
>> "client.properties");
>>
>> 2) client.properties:
>> org 
>> .apache 
>> .ws 
>> .security 
>> .crypto.provider=org.apache.ws.security.components.crypto.Merlin
>> org.apache.ws.security.crypto.merlin.keystore.type=jks
>> org.apache.ws.security.crypto.merlin.keystore.alias=clientalias
>> org.apache.ws.security.crypto.merlin.keystore.password=clientsecret
>> org.apache.ws.security.crypto.merlin.file=clientkeystore.jks
>>
>> 3) PwCallbackHandler Class:
>> public class PwCallbackHandler implements CallbackHandler {
>> 	public void handle(Callback[] callbacks) throws IOException,
>> UnsupportedCallbackException {
>> 		WSPasswordCallback passwordCallback = (WSPasswordCallback)  
>> callbacks[0];
>> 		
>> 		passwordCallback.setPassword("secret");
>> 	}
>> }
>>
>> But if I run the client, i get the following Exception:
>> org.apache.cxf.binding.soap.SoapFault: Security processing failed.
>> 	at
>> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor 
>> $WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java: 
>> 234)
>> 	at
>> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor 
>> $WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java: 
>> 107)
>> 	at
>> org 
>> .apache 
>> .cxf 
>> .phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java: 
>> 220)
>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
>> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java: 
>> 73)
>> 	at
>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java: 
>> 178)
>> 	at $Proxy46.importiereKlrStammdaten(Unknown Source)
>> 	at de.sms_stiewi.services.MainClient.main(MainClient.java:37)
>> Caused by: org.apache.ws.security.WSSecurityException: WSHandler:
>> Encryption: error during message
>> processingorg.apache.ws.security.WSSecurityException: General  
>> security
>> error (Unexpected number of X509Data: for Encryption)
>> 	at
>> org 
>> .apache 
>> .ws.security.action.EncryptionAction.execute(EncryptionAction.java: 
>> 65)
>> 	at
>> org 
>> .apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java: 
>> 197)
>> 	at
>> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access 
>> $200(WSS4JOutInterceptor.java:47)
>> 	at
>> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor 
>> $WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java: 
>> 219)
>> 	... 8 more
>>
>> When I only use encryption, I had to set the USER property of the
>> out-interceptor to the alias in the keystore (e.g. "clientalias").  
>> But
>> when I do this with UsernameToken activated, I get the following
>> Exception:
>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException:  
>> General
>> security error (WSSecurityEngine: Callback supplied no password for:
>> serveralias)
>> 	at
>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java: 
>> 199)
>> 	at $Proxy46.importiereKlrStammdaten(Unknown Source)
>> 	at de.sms_stiewi.services.MainClient.main(MainClient.java:37)
>> Caused by: org.apache.cxf.binding.soap.SoapFault: General security  
>> error
>> (WSSecurityEngine: Callback supplied no password for: serveralias)
>> 	at
>> org 
>> .apache 
>> .cxf 
>> .binding 
>> .soap 
>> .interceptor 
>> .Soap11FaultInInterceptor 
>> .handleMessage(Soap11FaultInInterceptor.java:70)
>> 	at
>> org 
>> .apache 
>> .cxf 
>> .binding 
>> .soap 
>> .interceptor 
>> .Soap11FaultInInterceptor 
>> .handleMessage(Soap11FaultInInterceptor.java:35)
>> 	at
>> org 
>> .apache 
>> .cxf 
>> .phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java: 
>> 220)
>> 	at
>> org 
>> .apache 
>> .cxf 
>> .interceptor 
>> .AbstractFaultChainInitiatorObserver 
>> .onMessage(AbstractFaultChainInitiatorObserver.java:96)
>> 	at
>> org 
>> .apache 
>> .cxf 
>> .binding 
>> .soap 
>> .interceptor 
>> .CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>> 	at
>> org 
>> .apache 
>> .cxf 
>> .binding 
>> .soap 
>> .interceptor 
>> .CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>> 	at
>> org 
>> .apache 
>> .cxf 
>> .phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java: 
>> 220)
>> 	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:449)
>> 	at
>> org.apache.cxf.transport.http.HTTPConduit 
>> $WrappedOutputStream.handleResponse(HTTPConduit.java:2029)
>> 	at
>> org.apache.cxf.transport.http.HTTPConduit 
>> $WrappedOutputStream.close(HTTPConduit.java:1865)
>> 	at
>> org 
>> .apache 
>> .cxf 
>> .io 
>> .CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java: 
>> 47)
>> 	at
>> org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java: 
>> 170)
>> 	at
>> org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java: 
>> 66)
>> 	at  
>> org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:593)
>> 	at
>> org.apache.cxf.interceptor.MessageSenderInterceptor 
>> $ 
>> MessageSenderEndingInterceptor 
>> .handleMessage(MessageSenderInterceptor.java:62)
>> 	at
>> org 
>> .apache 
>> .cxf 
>> .phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java: 
>> 220)
>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
>> 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
>> 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java: 
>> 73)
>> 	at
>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java: 
>> 178)
>> 	... 2 more
>>
>> If someone can help me, I would be very thankful.
>>
>> Greetings
>> Christian
>>
>
> -- 
> View this message in context: http://www.nabble.com/Problems-using-encryption-together-with-username-token-tp19953282p19966539.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>


Mime
View raw message