cxf-users mailing list archives

From "Lattermann, Dirk" <Dirk.Latterm...@datagroup.de>
Subject AW: CryptoCoverageChecker and SOAP Fault responses
Date Thu, 25 Apr 2013 11:15:14 GMT

Hello Colm,

I added a WSS4JOutInterceptor using the @OutFaultInterceptors annotation. In the server
logs, I see that the message is signed and encrypted, but the result is not added to the
outgoing response. The client receives an HTTP response with status 500 (that is correct as
it's a fault) but with a content length of 0 bytes.

I couldn't deduce much from the interceptor chains involved in the different cases, but maybe
a clue lies in there?

Fault response without trying to timestamp/sign/encrypt:
12:15:52,224 FINE  [org.apache.cxf.phase.PhaseInterceptorChain] (http-/0.0.0.0:80-1) Chain
org.apache.cxf.phase.PhaseInterceptorChain@181b1ac1 was modified. Current flow:
  setup [ServerPolicyOutFaultInterceptor]
  prepare-send [MessageSenderInterceptor, Soap11FaultOutInterceptor]
  pre-stream [StaxOutInterceptor]
  pre-protocol [WebFaultOutInterceptor]
  pre-protocol-frontend [SOAPHandlerFaultOutInterceptor]
  write [SoapOutInterceptor]
  pre-marshal [LogicalHandlerFaultOutInterceptor]
  marshal [Soap11FaultOutInterceptorInternal]
  user-protocol [org.apache.cxf.jaxws.handler.soap.SOAPHandlerFaultOutInterceptor.ENDING]
  write-ending [SoapOutEndingInterceptor]
  pre-protocol-ending [SAAJOutEndingInterceptor]
  pre-stream-ending [StaxOutEndingInterceptor]
  prepare-send-ending [MessageSenderEndingInterceptor]
Result: Correct Fault response without security elements.

Fault response with WSS4JOutInterceptor, trying to timestamp/sign/encrypt:
11:45:07,177 FINE  [org.apache.cxf.phase.PhaseInterceptorChain] (http-/0.0.0.0:80-1) Chain
org.apache.cxf.phase.PhaseInterceptorChain@2286a92d was modified. Current flow:
  setup [ServerPolicyOutFaultInterceptor]
  prepare-send [MessageSenderInterceptor, Soap11FaultOutInterceptor]
  pre-stream [StaxOutInterceptor]
  pre-protocol [WebFaultOutInterceptor, ConfiguringWSOutInterceptor]
  pre-protocol-frontend [SOAPHandlerFaultOutInterceptor]
  write [SoapOutInterceptor]
  pre-marshal [LogicalHandlerFaultOutInterceptor]
  marshal [Soap11FaultOutInterceptorInternal]
  user-protocol [org.apache.cxf.jaxws.handler.soap.SOAPHandlerFaultOutInterceptor.ENDING]
  post-protocol [WSS4JOutInterceptorInternal]
  write-ending [SoapOutEndingInterceptor]
  pre-protocol-ending [SAAJOutEndingInterceptor]
  pre-stream-ending [StaxOutEndingInterceptor]
  prepare-send-ending [MessageSenderEndingInterceptor]
Result: Response with content length 0

Regular (non-fault) response with WSS4JOutInterceptor:
12:32:55,808 FINE  [org.apache.cxf.phase.PhaseInterceptorChain] (http-/0.0.0.0:80-1) Chain
org.apache.cxf.phase.PhaseInterceptorChain@2df65112 was modified. Current flow:
  setup [PolicyOutInterceptor]
  pre-logical [HolderOutInterceptor, SwAOutInterceptor, WrapperClassOutInterceptor, SoapHeaderOutFilterInterceptor]
  post-logical [SoapPreProtocolOutInterceptor]
  prepare-send [MessageSenderInterceptor]
  pre-stream [AttachmentOutInterceptor, StaxOutInterceptor]
  pre-protocol [ConfiguringWSOutInterceptor]
  pre-protocol-frontend [SOAPHandlerInterceptor]
  write [SoapOutInterceptor]
  pre-marshal [LogicalHandlerOutInterceptor]
  marshal [BareOutInterceptor]
  user-protocol [org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.ENDING]
  post-protocol [WSS4JOutInterceptorInternal]
  write-ending [SoapOutEndingInterceptor]
  pre-protocol-ending [SAAJOutEndingInterceptor]
  pre-stream-ending [StaxOutEndingInterceptor]
  prepare-send-ending [MessageSenderEndingInterceptor]
Result: regular response with timestamp token, signature and encryption in place.


Thank you,
Dirk

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Friday, 19 April 2013 16:10
To: users@cxf.apache.org
Subject: Re: CryptoCoverageChecker and SOAP Fault responses

Have you tried adding it to the outbound fault interceptor chain?

Colm.


On Mon, Apr 15, 2013 at 3:46 PM, Lattermann, Dirk < Dirk.Lattermann@datagroup.de> wrote:

> Would it perhaps be possible to configure the WSS4JOutInterceptor so that
> it applies the security means (timestamp, signature, encryption) also
> in case of an outgoing Fault message?
> Then, the receiving client would get at the real exception from the
> SOAPFault and not the one from the CryptoCoverageChecker.
>
> Thanks again,
> Dirk.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Tuesday, 9 April 2013 17:38
> To: users@cxf.apache.org
> Subject: Re: CryptoCoverageChecker and SOAP Fault responses
>
> > I'll look at the custom AlgorithmSuites, but I am a bit sceptical:
> > what's the use of WS-SecurityPolicy, when using an unknown, unofficial
> > algorithm suite (identifier) that has to be communicated out of line
> > to the web service clients anyway? (But thanks again, I am curious
> > anyway.)
>
> Well for one it gives you all of the standard validation that is done
> of a message against a policy, that you don't get with the "Action"
> based approach. It also gives you the ability not to have to hard-wire
> (e.g.) the Algorithm Suite you are using in the client, if the client
> can have access to the WSDL of the service via a registry or even WSDL publish.
>
> Colm.
>
>
> On Tue, Apr 9, 2013 at 4:03 PM, Lattermann, Dirk <
> Dirk.Lattermann@datagroup.de> wrote:
>
> > Hi Colm,
> >
> > thank you, I just logged Issue 4954.
> >
> > I'll look at the custom AlgorithmSuites, but I am a bit sceptical:
> > what's the use of WS-SecurityPolicy, when using an unknown,
> > unofficial algorithm suite (identifier) that has to be communicated
> > out of line to the web service clients anyway? (But thanks again, I
> > am curious anyway.)
> >
> > Dirk
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Tuesday, 9 April 2013 14:46
> > To: users@cxf.apache.org
> > Subject: Re: CryptoCoverageChecker and SOAP Fault responses
> >
> > Hi Dirk,
> >
> > It appears that this is not currently supported. Could you log a JIRA?
> >
> > Incidentally, custom AlgorithmSuites are supported in CXF using
> > WS-SecurityPolicy. See here for an example:
> >
> >
> > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/
> >
> > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/
> >
> > Colm.
> >
> >
> > On Tue, Apr 9, 2013 at 8:14 AM, Lattermann, Dirk <
> > Dirk.Lattermann@datagroup.de> wrote:
> >
> > > Hi,
> > >
> > > Using CXF 2.4.6 in JBoss EAP 6, I'm securing my web services with
> > > WS-Security (no WS-SecurityPolicy as the algorithm suite is not
> > > supported there).
> > >
> > > For this, I have configured WSS4JInInterceptors and
> > > WSS4JOutInterceptors on both client and server, and the setup works.
> > >
> > > To check if incoming messages are signed, encrypted, and with
> > > timestamp token, I also have configured a CryptoCoverageChecker on
> > > both client and server. Now I have the problem that I cannot
> > > obtain Fault answers from the server on the client any more
> > > because the CryptoCoverageChecker kicks in and I don't have a
> > > chance to access the SOAPFaultException from the server.
> > > The server doesn't sign and encrypt Fault answers (which is ok,
> > > and this is the case also when using easy WS-SecurityPolicy
> > > configurations).
> > >
> > > How can I configure the CryptoCoverageChecker to only check
> > > regular (non-fault) web service responses? Or how can I configure CXF to
> > > only use a CryptoCoverageChecker on non-fault responses? (With
> > > WS-SecurityPolicy, this problem seems solved).
> > >
> > > Thank you,
> > > Dirk Lattermann
> > > --------------------------------------------------------
> > > DATAGROUP BGS GmbH
> > > Dirk Lattermann
> > >
> > >
> > > Auf den Tongruben 3
> > > D-53721 Siegburg
> > > Phone: +49 2241 166-531
> > > Fax: +49 2241 166-680
> > > E-Mail: Dirk.Lattermann@datagroup.de http://www.datagroup.de
> > >
> > > You can also find us on:
> > > Facebook<https://www.facebook.com/#!/datagroupag/> | Xing<
> > > https://www.xing.com/companies/datagroupag/updates/> | Google+<
> > > https://plus.google.com/s/datagroup#112017044868465108697/posts> |
> > > LinkedIn<http://www.linkedin.com/company/datagroup-ag/> | Kununu<
> > > http://www.kununu.com/de/all/de/it/datagroup/>
> > >
> > > Management: Hans-Hermann Schaber
> > > Amtsgericht Mainz, HRB 44217
> > >
> > > DATAGROUP is one of only a few IT service providers certified
> > > to ISO 20000, the highest possible distinction for
> > > professional IT service management.
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
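The chain comparison from the top message, as an added example that is not part of the original thread or of CXF: a Python script that parses "Current flow" dumps and reports, per phase, which interceptors differ between the two fault cases. The two dumps are copied from the log excerpts in the message and reflowed; the function names are illustrative.

```python
import re

# "Current flow" dumps copied from the log excerpts in the message above and
# reflowed to save space; the parser does not depend on line breaks.
FAULT_PLAIN = """
setup [ServerPolicyOutFaultInterceptor]
prepare-send [MessageSenderInterceptor, Soap11FaultOutInterceptor]
pre-stream [StaxOutInterceptor] pre-protocol [WebFaultOutInterceptor]
pre-protocol-frontend [SOAPHandlerFaultOutInterceptor] write [SoapOutInterceptor]
pre-marshal [LogicalHandlerFaultOutInterceptor] marshal [Soap11FaultOutInterceptorInternal]
user-protocol [org.apache.cxf.jaxws.handler.soap.SOAPHandlerFaultOutInterceptor.ENDING]
write-ending [SoapOutEndingInterceptor] pre-protocol-ending [SAAJOutEndingInterceptor]
pre-stream-ending [StaxOutEndingInterceptor] prepare-send-ending [MessageSenderEndingInterceptor]
"""
FAULT_WSS4J = """
setup [ServerPolicyOutFaultInterceptor]
prepare-send [MessageSenderInterceptor, Soap11FaultOutInterceptor]
pre-stream [StaxOutInterceptor] pre-protocol [WebFaultOutInterceptor, ConfiguringWSOutInterceptor]
pre-protocol-frontend [SOAPHandlerFaultOutInterceptor] write [SoapOutInterceptor]
pre-marshal [LogicalHandlerFaultOutInterceptor] marshal [Soap11FaultOutInterceptorInternal]
user-protocol [org.apache.cxf.jaxws.handler.soap.SOAPHandlerFaultOutInterceptor.ENDING]
post-protocol [WSS4JOutInterceptorInternal] write-ending [SoapOutEndingInterceptor]
pre-protocol-ending [SAAJOutEndingInterceptor] pre-stream-ending [StaxOutEndingInterceptor]
prepare-send-ending [MessageSenderEndingInterceptor]
"""

# A phase entry is a lower-case phase name followed by "[Interceptor, ...]".
PHASE = re.compile(r"([a-z][a-z-]*) \[([^\]]*)\]")

def parse_chain(dump):
    """Return the chain as an ordered list of (phase, [interceptor, ...])."""
    return [(phase, [name.strip() for name in names.split(",")])
            for phase, names in PHASE.findall(dump)]

def diff_chains(old, new):
    """Return {phase: (added, removed)} for each phase whose interceptors differ."""
    a, b = dict(parse_chain(old)), dict(parse_chain(new))
    changes = {}
    for phase in dict.fromkeys(list(a) + list(b)):  # ordered union of phases
        added = [i for i in b.get(phase, []) if i not in a.get(phase, [])]
        removed = [i for i in a.get(phase, []) if i not in b.get(phase, [])]
        if added or removed:
            changes[phase] = (added, removed)
    return changes

if __name__ == "__main__":
    for phase, (added, removed) in diff_chains(FAULT_PLAIN, FAULT_WSS4J).items():
        print(f"{phase}: added={added} removed={removed}")
```

For these two dumps the only differences are ConfiguringWSOutInterceptor added in pre-protocol and WSS4JOutInterceptorInternal added in post-protocol; every other phase is identical.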
