From: Fred Dushin
To: users@cxf.apache.org
Reply-To: users@cxf.apache.org
Date: Tue, 14 Oct 2008 08:17:23 -0400
Subject: Re: Problems using encryption together with username token
Message-id: <93375D49-17BA-406C-8FD2-EFB2D5272067@dushin.net>
In-reply-to: <19966539.post@talk.nabble.com>
References: <19953282.post@talk.nabble.com> <19966539.post@talk.nabble.com>
Mailing-List: contact users-help@cxf.apache.org; run by ezmlm
Hold on a sec -- you don't need to sign a message, if you don't want to, right?  In other words, you could just encrypt the UsernameToken element using the public key of the server, and there'd be no need to sign anything (hence possess a private key).

Note that you'll also want some sort of timestamp or nonce in the UsernameToken, since the encrypted token would be completely replayable.  You'd also want some detection of replay in the server, which you'll need to do yourself, since neither WSS4J nor CXF does that for you.

You do care about replay attacks, right?

-Fred

On Oct 13, 2008, at 11:34 PM, Glen Mazza wrote:

>
> Hopefully someone else can answer your question, but AFAICT Username +
> Encryption is largely redundant, because you still need to sign your SOAP
> request with the client's private key to make sure that the request hasn't
> been altered in transit[1].  And since you're signing, the server will
> already have your public key, so they would know who you are--a
> username/password would not be necessary.
>
> BTW, the cryptic message "Unexpected number of X509Data:..." has been fixed
> in the latest WSS4J (although I don't know what it now says, but as I
> understand it is more comprehensible.)
>
> Glen
>
> [1] http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the
>
>
> ChristianD wrote:
>>
>> Hi there,
>>
>> as the subject says, I have problems getting my web service running with
>> encryption and username token activated. But when I only use encryption
>> everything is fine.
>>
>> Here is my config for the server:
>>
>> 1) cxf.xml:
>>
>> [the bean XML did not survive the archived copy; only this attribute remains]
>> value="de.sms_stiewi.services.PwCallbackHandler" />
>>
>> 2) server.properties:
>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>> org.apache.ws.security.crypto.merlin.keystore.type=jks
>> org.apache.ws.security.crypto.merlin.keystore.alias=serveralias
>> org.apache.ws.security.crypto.merlin.keystore.password=serversecret
>> org.apache.ws.security.crypto.merlin.file=serverkeystore.jks
>>
>> 3) PwCallbackHandler Class:
>> import java.io.IOException;
>> import javax.security.auth.callback.Callback;
>> import javax.security.auth.callback.CallbackHandler;
>> import javax.security.auth.callback.UnsupportedCallbackException;
>> import org.apache.ws.security.WSPasswordCallback;
>>
>> public class PwCallbackHandler implements CallbackHandler {
>>     public void handle(Callback[] callbacks) throws IOException,
>>             UnsupportedCallbackException {
>>         // WSS4J asks for the password belonging to an identifier (a
>>         // UsernameToken user or a keystore alias); getIdentifer() is
>>         // the WSS4J 1.5 spelling of the accessor.
>>         WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
>>
>>         // only the UsernameToken user is answered here
>>         if (passwordCallback.getIdentifer().equals("Anonymous")) {
>>             passwordCallback.setPassword("secret");
>>         }
>>     }
>> }
>>
>>
>> And here is the configuration for the client to test it:
>>
>> 1) Interceptor configuration:
>> WSS4JOutInterceptor wss4jOutInterceptor = new WSS4JOutInterceptor();
>> wss4jOutInterceptor.setProperty(WSHandlerConstants.ACTION,
>>         WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.ENCRYPT);
>> wss4jOutInterceptor.setProperty(WSHandlerConstants.USER, "Anonymous");
>> wss4jOutInterceptor.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS,
>>         "de.sms_stiewi.services.PwCallbackHandler");
>> wss4jOutInterceptor.setProperty(WSHandlerConstants.ENC_PROP_FILE,
>>         "client.properties");
>>
>> 2) client.properties:
>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>> org.apache.ws.security.crypto.merlin.keystore.type=jks
>> org.apache.ws.security.crypto.merlin.keystore.alias=clientalias
>> org.apache.ws.security.crypto.merlin.keystore.password=clientsecret
>> org.apache.ws.security.crypto.merlin.file=clientkeystore.jks
>>
>> 3) PwCallbackHandler Class:
>> import java.io.IOException;
>> import javax.security.auth.callback.Callback;
>> import javax.security.auth.callback.CallbackHandler;
>> import javax.security.auth.callback.UnsupportedCallbackException;
>> import org.apache.ws.security.WSPasswordCallback;
>>
>> public class PwCallbackHandler implements CallbackHandler {
>>     public void handle(Callback[] callbacks) throws IOException,
>>             UnsupportedCallbackException {
>>         WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
>>
>>         // the same password is returned whatever identifier WSS4J asks for
>>         passwordCallback.setPassword("secret");
>>     }
>> }
>>
>> But if I run the client, I get the following Exception:
>> org.apache.cxf.binding.soap.SoapFault: Security processing failed.
>>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:234)
>>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:107)
>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
>>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
>>     at $Proxy46.importiereKlrStammdaten(Unknown Source)
>>     at de.sms_stiewi.services.MainClient.main(MainClient.java:37)
>> Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Encryption: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Encryption)
>>     at org.apache.ws.security.action.EncryptionAction.execute(EncryptionAction.java:65)
>>     at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
>>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
>>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:219)
>>     ... 8 more
>>
>> When I only use encryption, I had to set the USER property of the
>> out-interceptor to the alias in the keystore (e.g. "clientalias"). But
>> when I do this with UsernameToken activated, I get the following
>> Exception:
>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General security error (WSSecurityEngine: Callback supplied no password for: serveralias)
>>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:199)
>>     at $Proxy46.importiereKlrStammdaten(Unknown Source)
>>     at de.sms_stiewi.services.MainClient.main(MainClient.java:37)
>> Caused by: org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: serveralias)
>>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:70)
>>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>>     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
>>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>>     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:449)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2029)
>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1865)
>>     at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>>     at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:170)
>>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
>>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:593)
>>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
>>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
>>     ... 2 more
>>
>> If someone can help me, I would be very thankful.
>>
>> Greetings
>> Christian
>>
>
> --
> View this message in context: http://www.nabble.com/Problems-using-encryption-together-with-username-token-tp19953282p19966539.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
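Fred's point above is that an encrypted UsernameToken is only as good as the server's replay check, and that neither WSS4J nor CXF (at this time) supplies one. The class below is an added example of that check, written for this page; it is not code from the thread, from CXF or from WSS4J. It assumes the server has already decrypted and parsed the token (WSS4J does that) and hands the nonce and Created strings to accept(); the class name, method names, window sizes and the sample nonce/timestamps in main() are all constructed for illustration.

```java
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeParseException;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Server-side replay detection for a UsernameToken's nonce and Created pair.
 * A token is accepted only if Created lies inside the freshness window AND
 * its nonce has not already been accepted inside that window.
 * (Illustrative code; the names are assumptions, not a WSS4J or CXF API.)
 */
public final class UsernameTokenReplayCache {

    private final Duration maxAge;     // how far in the past Created may lie
    private final Duration clockSkew;  // tolerated client/server clock drift
    // nonce -> epoch millis after which a replay of it could no longer pass the
    // freshness check, so the entry may be forgotten
    private final Map<String, Long> seen = new ConcurrentHashMap<String, Long>();

    public UsernameTokenReplayCache(Duration maxAge, Duration clockSkew) {
        this.maxAge = maxAge;
        this.clockSkew = clockSkew;
    }

    /**
     * @param nonce   base64 nonce exactly as it appears in the token
     * @param created the token's Created value as xsd:dateTime with an offset,
     *                e.g. 2008-10-14T12:17:23Z
     * @param now     server time, passed in so behaviour is deterministic
     * @return true if the token is fresh and its nonce is first-seen
     */
    public boolean accept(String nonce, String created, Instant now) {
        if (nonce == null || nonce.isEmpty() || created == null) {
            return false; // without nonce and Created there is nothing to check against
        }
        Instant createdAt;
        try {
            createdAt = OffsetDateTime.parse(created).toInstant();
        } catch (DateTimeParseException e) {
            return false; // unparseable timestamps are treated as invalid, not as fresh
        }
        // Freshness: too old (beyond maxAge plus skew) or from the future (beyond skew)
        if (createdAt.isBefore(now.minus(maxAge).minus(clockSkew))
                || createdAt.isAfter(now.plus(clockSkew))) {
            return false;
        }
        evictExpired(now);
        // Remember the nonce until a message carrying it would fail freshness anyway
        long forgetAt = createdAt.plus(maxAge).plus(clockSkew).toEpochMilli();
        // putIfAbsent is atomic: two concurrent copies of one message cannot both win
        return seen.putIfAbsent(nonce, forgetAt) == null;
    }

    /** Drop nonces whose freshness window has closed. */
    private void evictExpired(Instant now) {
        long nowMillis = now.toEpochMilli();
        for (Iterator<Map.Entry<String, Long>> it = seen.entrySet().iterator(); it.hasNext();) {
            if (it.next().getValue() < nowMillis) {
                it.remove();
            }
        }
    }

    public int size() {
        return seen.size();
    }

    // Constructed demo input, not taken from the thread.
    public static void main(String[] args) {
        UsernameTokenReplayCache cache =
                new UsernameTokenReplayCache(Duration.ofMinutes(5), Duration.ofSeconds(30));
        Instant now = Instant.parse("2008-10-14T12:17:30Z");
        String nonce = "LKqI6G/AikKCQrN0zqZFlg==";

        // case 1: fresh token, nonce never seen
        System.out.println("first use:      " + cache.accept(nonce, "2008-10-14T12:17:23Z", now));
        // case 2: byte-identical replay of the same token
        System.out.println("replay:         " + cache.accept(nonce, "2008-10-14T12:17:23Z", now));
        // case 3: new nonce, but Created is over an hour old
        System.out.println("stale:          " + cache.accept("b3RoZXJub25jZQ==", "2008-10-14T11:00:00Z", now));
        // case 4: new nonce, Created is well ahead of the server clock
        System.out.println("from future:    " + cache.accept("ZnV0dXJlbm9uY2U=", "2008-10-14T12:30:00Z", now));
        // case 5: the original token replayed after the window has closed
        Instant later = now.plus(Duration.ofMinutes(10));
        System.out.println("late replay:    " + cache.accept(nonce, "2008-10-14T12:17:23Z", later));
    }
}
```

Two design points matter more than the code size. First, the nonce is remembered for exactly as long as a message carrying it could still pass the timestamp check; the two checks together are what make the cache bounded, since a nonce alone would have to be stored forever and a timestamp alone is trivially replayable inside the window. Second, the cache has to be shared by every thread and every node that terminates the same endpoint; a per-request or per-JVM map in a clustered deployment does not stop a replay aimed at a different node. In CXF 2.x the values to feed into accept() are available once WSS4JInInterceptor has run, from the WSUsernameTokenPrincipal in the WSS4J results (its getNonce() and getCreatedTime() accessors in WSS4J 1.5); how that result list is fetched from the message differs between versions, so that wiring is left to the reader. Eviction on every call is fine for a mailing-list example; a production cache would evict on a timer or use a bounded structure.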