cxf-users mailing list archives
From Paweł Lipka <p.li...@amg.net.pl>
Subject Re: WS-SecurityPolicy and faults
Date Fri, 24 Jul 2009 13:28:00 GMT
I filed a bug and attached a maven project with the test to it.
https://issues.apache.org/jira/browse/CXF-2356


thanks,
On Thu, 2009-07-23 at 14:59 -0400, Daniel Kulp wrote:
> This definitely sounds like a bug (or collection of bugs). Is there any
> chance you could create a small "Hello World" type test case that shows this
> and attach it to a JIRA? That's definitely the best way for me to get a
> test case up and running to see how hard it is to fix.
> 
> Thanks!
> Dan
> 
> 
> On Thu July 23 2009 12:01:26 pm Paweł Lipka wrote:
> > Hi,
> >
> > I have a secure WS that is described by a WS-Policy document that's
> > pasted below.
> > Policy A is attached to the wsdl:binding while policy B is attached to
> > the wsdl:input,wsdl:output and wsdl:fault
> >
> > When my WS throws a soap fault there's a couple of problems:
> > 1) the soap:Body element is not encrypted
> > 2) the soap:Body element is not signed
> > 3) the WS client fails to validate the WS-Security header with the
> > that's also pasted below.
> >
> > The problem seems to be in the way CXF handles WS-Security header using
> > the PolicyBasedWSS4JInterceptor.
> > When the response arrives it passes through the in interceptor chain and
> > the encrypted parts are decrypted. The way wss4j handles decryption is
> > that it replaces the xmlenc:EncryptedData element in the SOAP document
> > with the decrypted content but it does not remove the corresponding
> > xmlenc:ReferenceData/xmlenc:DataReference element from the Security
> > header. After decryption is done some other interceptor detects that the
> > message is actually a fault and triggers the inFault interceptor chain.
> >
> > The inFault interceptor chain again contains the
> > PolicyBasedWSS4JInterceptor and it should contain it since not all the
> > policy assertions have been asserted by the 'in' chain. (e.g.
> > UsingAddressing  assertion).
> > The PolicyBasedWSS4JInterceptor runs wss4j again on a document that has
> > already been decrypted and fails with the error below because the
> > xmlenc:ReferenceData/xmlenc:DataReference elements point to nothing.
> >
> > Has anyone ever hit a problem like that? Is there any workaround for
> > that (other than changing the WS-Policy document)?
> >
> > thanks in advance,
> >
> > 7038 [main] WARN org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor  -
> > org.apache.ws.security.WSSecurityException: An error was discovered
> > processing the <wsse:Security> header (WSSecurityEngine: DataReference -
> > referenced data not found)
> > 	at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:141)
> > 	at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:113)
> > 	at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:76)
> > 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> > 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
> > 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:179)
> > 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
> > 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
> > 	at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
> > 	at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
> > 	at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
> > 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
> > 	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:645)
> > 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2132)
> > 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2015)
> > 	at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1940)
> > 	at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
> > 	at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:180)
> > 	at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
> > 	at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
> > 	at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> > 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
> > 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:471)
> > 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:301)
> > 	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:253)
> > 	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> > 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:121)
> > 	at $Proxy38.sendMessage(Unknown Source)
> >
> > <wsp:Policy wsu:Id="A">
> > 	<wsp:ExactlyOne>
> > 		<wsp:All>
> > 			<sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > 				<wsp:Policy>
> > 					<sp:ProtectionToken>
> > 						<wsp:Policy>
> > 							<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> > 								<wsp:Policy>
> > 									<sp:RequireDerivedKeys />
> > 									<sp:RequireThumbprintReference />
> > 									<sp:WssX509V3Token10 />
> > 								</wsp:Policy>
> > 							</sp:X509Token>
> > 						</wsp:Policy>
> > 					</sp:ProtectionToken>
> > 					<sp:AlgorithmSuite>
> > 						<wsp:Policy>
> > 							<sp:Basic128 />
> > 						</wsp:Policy>
> > 					</sp:AlgorithmSuite>
> > 					<sp:Layout>
> > 						<wsp:Policy>
> > 							<sp:Strict />
> > 						</wsp:Policy>
> > 					</sp:Layout>
> > 					<sp:IncludeTimestamp />
> > 					<sp:EncryptSignature />
> > 					<sp:OnlySignEntireHeadersAndBody />
> > 				</wsp:Policy>
> > 			</sp:SymmetricBinding>
> > 			<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > 				<wsp:Policy>
> > 					<sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > 						<wsp:Policy>
> > 							<sp:RequireThumbprintReference />
> > 							<sp:WssX509V3Token10 />
> > 						</wsp:Policy>
> > 					</sp:X509Token>
> > 				</wsp:Policy>
> > 			</sp:EndorsingSupportingTokens>
> > 			<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > 				<wsp:Policy>
> > 					<sp:MustSupportRefKeyIdentifier />
> > 					<sp:MustSupportRefIssuerSerial />
> > 					<sp:MustSupportRefThumbprint />
> > 					<sp:MustSupportRefEncryptedKey />
> > 					<sp:RequireSignatureConfirmation />
> > 				</wsp:Policy>
> > 			</sp:Wss11>
> > 			<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > 				<wsp:Policy>
> > 					<sp:MustSupportIssuedTokens />
> > 					<sp:RequireClientEntropy />
> > 					<sp:RequireServerEntropy />
> > 				</wsp:Policy>
> > 			</sp:Trust10>
> > 			<wsaw:UsingAddressing />
> > 		</wsp:All>
> > 	</wsp:ExactlyOne>
> > </wsp:Policy>
> > <wsp:Policy wsu:Id="B">
> > 	<wsp:ExactlyOne>
> > 		<wsp:All>
> > 			<sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > 				<sp:Body />
> > 				<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
> > 				<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
> > 				<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > 				<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > 				<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
> > 				<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > 				<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
> > 			</sp:SignedParts>
> > 			<sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > 				<sp:Body />
> > 			</sp:EncryptedParts>
> > 		</wsp:All>
> > 	</wsp:ExactlyOne>
> > </wsp:Policy>
> 
-- 
Paweł Lipka
Senior IT Architect
AMG.net, A Bull Group Company
ul. Łąkowa 29
90-554 Łódź
tel.: (+48 42) 634 56 78
www.amg.net.pl

The content of this message may be confidential.
If you are not its addressee, distributing or using the
information contained herein is prohibited.

This e-mail contains material that is confidential for the sole
use of the intended recipient. Any review, reliance or distribution
by others or forwarding without express permission is strictly
prohibited. If you are not the intended recipient, please contact
the sender and delete all copies.
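The failure mode Paweł describes (decrypt the Body in place during the 'in' chain, leave the xenc:DataReference in the Security header, then run the same handler again on the 'inFault' chain) can be reproduced in miniature. The following is an added illustration, not code from this thread, from CXF or from WSS4J, and it says nothing about how CXF-2356 was eventually fixed. It models only the reference bookkeeping: the namespaces are the real SOAP 1.1 / WSS / XML Encryption URIs, the envelope is a constructed sample, the "decryption" is a base64 stand-in rather than a cipher, and every function name (`process_security_header`, `run_twice`, and so on) is hypothetical.

```python
"""Toy model of processing a wsse:Security header twice on one DOM.

Added illustration (not CXF/WSS4J code): an xenc:EncryptedData element is
replaced in place by its "decrypted" content; whether the matching
xenc:DataReference is removed decides if a second pass over the same header
succeeds or fails with "referenced data not found".
"""
import base64
import xml.etree.ElementTree as ET

# Real namespace URIs for SOAP 1.1, WS-Security and XML Encryption.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


class WSSecurityError(Exception):
    """Stands in for WSSecurityException in this illustration."""


def build_sample_fault():
    """Constructed sample: a SOAP fault whose Body is encrypted and referenced
    from the Security header via a ReferenceList (what policy B asks for).
    CipherValue is base64 of the plaintext, a stand-in for real encryption."""
    plaintext = ('<soap:Fault xmlns:soap="%s"><faultcode>soap:Server</faultcode>'
                 '<faultstring>boom</faultstring></soap:Fault>' % NS["soap"])
    cipher_value = base64.b64encode(plaintext.encode()).decode()
    xml = f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}"
  xmlns:wsu="{NS['wsu']}" xmlns:xenc="{NS['xenc']}">
  <soap:Header>
    <wsse:Security>
      <xenc:ReferenceList>
        <xenc:DataReference URI="#enc-body-1"/>
      </xenc:ReferenceList>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="enc-body-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:CipherData><xenc:CipherValue>{cipher_value}</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>"""
    return ET.fromstring(xml)


def find_by_id(root, ref_id):
    """Resolve a #Id reference against plain Id or wsu:Id attributes."""
    for el in root.iter():
        if el.get("Id") == ref_id or el.get("{%s}Id" % NS["wsu"]) == ref_id:
            return el
    return None


def decrypt_in_place(root, enc):
    """Mimic the in-place replacement: EncryptedData is swapped for its
    decrypted content (here: the base64-decoded CipherValue)."""
    cv = enc.find("xenc:CipherData/xenc:CipherValue", NS)
    clear = ET.fromstring(base64.b64decode(cv.text))
    parent = next(p for p in root.iter() if enc in list(p))
    idx = list(parent).index(enc)
    parent.remove(enc)
    parent.insert(idx, clear)


def process_security_header(root, remove_processed_refs):
    """One pass of a WS-Security 'in' handler over the envelope.
    remove_processed_refs=False mimics the behaviour reported in the thread:
    the DataReference stays behind after its target has been decrypted."""
    sec = root.find("soap:Header/wsse:Security", NS)
    reflist = sec.find("xenc:ReferenceList", NS)
    if reflist is None:
        return 0  # nothing left to decrypt: the pass is a no-op
    handled = 0
    for ref in list(reflist):
        target_id = ref.get("URI", "").lstrip("#")
        enc = find_by_id(root, target_id)
        if enc is None:
            raise WSSecurityError(
                "DataReference - referenced data not found: #" + target_id)
        decrypt_in_place(root, enc)
        handled += 1
        if remove_processed_refs:
            reflist.remove(ref)  # makes a later pass idempotent
    if remove_processed_refs and len(reflist) == 0:
        sec.remove(reflist)
    return handled


def body_is_fault(root):
    return root.find("soap:Body/soap:Fault", NS) is not None


def run_twice(remove_processed_refs):
    """Simulate the 'in' chain followed by the 'inFault' chain on one DOM.
    Returns (refs handled on pass 1, refs handled on pass 2, error text)."""
    env = build_sample_fault()
    first = process_security_header(env, remove_processed_refs)
    try:
        return first, process_security_header(env, remove_processed_refs), None
    except WSSecurityError as e:
        return first, None, str(e)


if __name__ == "__main__":
    print("leave references behind:", run_twice(False))
    print("remove processed references:", run_twice(True))
```

With `remove_processed_refs=False` the second pass raises the same kind of error as the WSS4J trace above, because the DataReference still points at an Id that no longer exists in the document. Removing (or otherwise marking as consumed) each reference once its target has been decrypted is one way to make a repeated pass harmless; checking a per-message "already processed" flag before running the engine again would be another.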

