From: "Lattermann, Dirk"
To: users@cxf.apache.org
Subject: AW: CryptoCoverageChecker and SOAP Fault responses
Date: Thu, 25 Apr 2013 11:15:14 +0000
List: users@cxf.apache.org

Hello Colm,

I added a WSS4JOutInterceptor using the @OutFaultInterceptors annotation. In the server logs, I see that the message is signed and encrypted, but the result is not added to the outgoing response. The client receives an HTTP response with status 500 (that is correct as it's a fault) but with a content length of 0 bytes.

I couldn't deduce much from the interceptor chains involved in the different cases, but maybe a clue lies in there?

Fault response without trying to timestamp/sign/encrypt:

12:15:52,224 FINE [org.apache.cxf.phase.PhaseInterceptorChain] (http-/0.0.0.0:80-1) Chain org.apache.cxf.phase.PhaseInterceptorChain@181b1ac1 was modified. Current flow:
  setup [ServerPolicyOutFaultInterceptor]
  prepare-send [MessageSenderInterceptor, Soap11FaultOutInterceptor]
  pre-stream [StaxOutInterceptor]
  pre-protocol [WebFaultOutInterceptor]
  pre-protocol-frontend [SOAPHandlerFaultOutInterceptor]
  write [SoapOutInterceptor]
  pre-marshal [LogicalHandlerFaultOutInterceptor]
  marshal [Soap11FaultOutInterceptorInternal]
  user-protocol [org.apache.cxf.jaxws.handler.soap.SOAPHandlerFaultOutInterceptor.ENDING]
  write-ending [SoapOutEndingInterceptor]
  pre-protocol-ending [SAAJOutEndingInterceptor]
  pre-stream-ending [StaxOutEndingInterceptor]
  prepare-send-ending [MessageSenderEndingInterceptor]

Result: correct Fault response without security elements.

Fault response with WSS4JOutInterceptor, trying to timestamp/sign/encrypt:

11:45:07,177 FINE [org.apache.cxf.phase.PhaseInterceptorChain] (http-/0.0.0.0:80-1) Chain org.apache.cxf.phase.PhaseInterceptorChain@2286a92d was modified. Current flow:
  setup [ServerPolicyOutFaultInterceptor]
  prepare-send [MessageSenderInterceptor, Soap11FaultOutInterceptor]
  pre-stream [StaxOutInterceptor]
  pre-protocol [WebFaultOutInterceptor, ConfiguringWSOutInterceptor]
  pre-protocol-frontend [SOAPHandlerFaultOutInterceptor]
  write [SoapOutInterceptor]
  pre-marshal [LogicalHandlerFaultOutInterceptor]
  marshal [Soap11FaultOutInterceptorInternal]
  user-protocol [org.apache.cxf.jaxws.handler.soap.SOAPHandlerFaultOutInterceptor.ENDING]
  post-protocol [WSS4JOutInterceptorInternal]
  write-ending [SoapOutEndingInterceptor]
  pre-protocol-ending [SAAJOutEndingInterceptor]
  pre-stream-ending [StaxOutEndingInterceptor]
  prepare-send-ending [MessageSenderEndingInterceptor]

Result: response with content length 0.

Regular (non-fault) response with WSS4JOutInterceptor:

12:32:55,808 FINE [org.apache.cxf.phase.PhaseInterceptorChain] (http-/0.0.0.0:80-1) Chain org.apache.cxf.phase.PhaseInterceptorChain@2df65112 was modified. Current flow:
  setup [PolicyOutInterceptor]
  pre-logical [HolderOutInterceptor, SwAOutInterceptor, WrapperClassOutInterceptor, SoapHeaderOutFilterInterceptor]
  post-logical [SoapPreProtocolOutInterceptor]
  prepare-send [MessageSenderInterceptor]
  pre-stream [AttachmentOutInterceptor, StaxOutInterceptor]
  pre-protocol [ConfiguringWSOutInterceptor]
  pre-protocol-frontend [SOAPHandlerInterceptor]
  write [SoapOutInterceptor]
  pre-marshal [LogicalHandlerOutInterceptor]
  marshal [BareOutInterceptor]
  user-protocol [org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.ENDING]
  post-protocol [WSS4JOutInterceptorInternal]
  write-ending [SoapOutEndingInterceptor]
  pre-protocol-ending [SAAJOutEndingInterceptor]
  pre-stream-ending [StaxOutEndingInterceptor]
  prepare-send-ending [MessageSenderEndingInterceptor]

Result: regular response with timestamp token, signature and encryption in place.

Thank you,
Dirk

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Friday, 19 April 2013 16:10
To: users@cxf.apache.org
Subject: Re: CryptoCoverageChecker and SOAP Fault responses

Have you tried adding it to the outbound fault interceptor chain?

Colm.

On Mon, Apr 15, 2013 at 3:46 PM, Lattermann, Dirk <Dirk.Lattermann@datagroup.de> wrote:
> Would it perhaps be possible to configure the WSS4JOutInterceptor so that
> it applies the security means (timestamp, signature, encryption) also
> in case of an outgoing Fault message?
> Then, the receiving client would get at the real exception from the
> SOAPFault and not the one from the CryptoCoverageChecker.
>
> Thanks again,
> Dirk.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Tuesday, 9 April 2013 17:38
> To: users@cxf.apache.org
> Subject: Re: CryptoCoverageChecker and SOAP Fault responses
>
> > I'll look at the custom AlgorithmSuites, but I am a bit sceptical:
> > what's the use of WS-SecurityPolicy, when using an unknown, unofficial
> > algorithm suite (identifier) that has to be communicated out of line
> > to the web service clients anyway? (But thanks again, I am curious
> > anyway.)
>
> Well for one it gives you all of the standard validation that is done
> of a message against a policy, that you don't get with the "Action"
> based approach. It also gives you the ability not to have to hard-wire
> (e.g.) the Algorithm Suite you are using in the client, if the client
> can have access to the WSDL of the service via a registry or even WSDL publish.
>
> Colm.
>
>
> On Tue, Apr 9, 2013 at 4:03 PM, Lattermann, Dirk <Dirk.Lattermann@datagroup.de> wrote:
> > Hi Colm,
> >
> > thank you, I just logged Issue 4954.
> >
> > I'll look at the custom AlgorithmSuites, but I am a bit sceptical:
> > what's the use of WS-SecurityPolicy, when using an unknown,
> > unofficial algorithm suite (identifier) that has to be communicated
> > out of line to the web service clients anyway? (But thanks again, I
> > am curious anyway.)
> >
> > Dirk
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Tuesday, 9 April 2013 14:46
> > To: users@cxf.apache.org
> > Subject: Re: CryptoCoverageChecker and SOAP Fault responses
> >
> > Hi Dirk,
> >
> > It appears that this is not currently supported. Could you log a JIRA?
> >
> > Incidentally, custom AlgorithmSuites are supported in CXF using
> > WS-SecurityPolicy. See here for an example:
> >
> > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/gcm/
> >
> > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/gcm/
> >
> > Colm.
> >
> >
> > On Tue, Apr 9, 2013 at 8:14 AM, Lattermann, Dirk <Dirk.Lattermann@datagroup.de> wrote:
> > > Hi,
> > >
> > > Using CXF 2.4.6 in JBoss EAP 6, I'm securing my web services with
> > > WS-Security (no WS-SecurityPolicy as the algorithm suite is not
> > > supported there).
> > >
> > > For this, I have configured WSS4JInInterceptors and
> > > WSS4JOutInterceptors on both client and server, and the setup works.
> > >
> > > To check if incoming messages are signed, encrypted, and with
> > > timestamp token, I also have configured a CryptoCoverageChecker on
> > > both client and server. Now I have the problem that I cannot
> > > obtain Fault answers from the server on the client any more
> > > because the CryptoCoverageChecker kicks in and I don't have a
> > > chance to access the SOAPFaultException from the server.
> > > The server doesn't sign and encrypt Fault answers (which is ok,
> > > and this is the case also when using easy WS-SecurityPolicy
> > > configurations).
> > >
> > > How can I configure the CryptoCoverageChecker to only check
> > > regular (non-fault) web service responses? Or how can I configure
> > > CXF to only use a CryptoCoverageChecker on non-fault responses?
> > > (With WS-SecurityPolicy, this problem seems solved).
> > >
> > > Thank you,
> > > Dirk Lattermann
> > > --------------------------------------------------------
> > > DATAGROUP BGS GmbH
> > > Dirk Lattermann
> > >
> > > Auf den Tongruben 3
> > > D-53721 Siegburg
> > > Phone: +49 2241 166-531
> > > Fax: +49 2241 166-680
> > > E-Mail: Dirk.Lattermann@datagroup.de
> > > http://www.datagroup.de
> > >
> > > You can also find us on:
> > > Facebook | Xing <https://www.xing.com/companies/datagroupag/updates/> | Google+ <https://plus.google.com/s/datagroup#112017044868465108697/posts> | LinkedIn | Kununu <http://www.kununu.com/de/all/de/it/datagroup/>
> > >
> > > Managing Director: Hans-Hermann Schaber; Amtsgericht Mainz, HRB 44217
> > >
> > > DATAGROUP is one of the few IT service providers certified to ISO 20000, the highest possible distinction for professional IT Service Management.
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
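The setup the thread describes, written out as an added example; this is not code from the thread, from Dirk's project, or from CXF's own sources. It uses the "Action"-based WSS4J configuration the original post mentions: on the server, the WSS4J out interceptor is wrapped in a class with a no-arg constructor so that it can be named in the @OutFaultInterceptors annotation; on the client, a CryptoCoverageChecker requires the Body to be signed and (content-)encrypted and the Timestamp to be signed on every inbound message, which is exactly why an unsigned Fault is rejected before the application sees the SOAPFaultException. The class names (Greeter, GreeterImpl, FaultSecuringOutInterceptor, ServerPasswordCallback), the property file name and the key aliases are placeholders. Dirk reports above that with CXF 2.4.6 the fault-chain registration produced an empty 500 response, so this shows the configuration under discussion, not a confirmed fix.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.jws.WebService;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.interceptor.OutFaultInterceptors;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageChecker.XPathExpression;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageScope;
import org.apache.cxf.ws.security.wss4j.CryptoCoverageUtil.CoverageType;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

/** Placeholder service endpoint interface. */
@WebService
interface Greeter {
    String greet(String who);
}

/**
 * Server side: a WSS4JOutInterceptor with a no-arg constructor, because
 * @OutFaultInterceptors instantiates interceptors by class name.
 * Same Action list as the regular out chain: Timestamp, Signature, Encrypt.
 */
class FaultSecuringOutInterceptor extends WSS4JOutInterceptor {
    FaultSecuringOutInterceptor() {
        super(outboundProps());
    }

    static Map<String, Object> outboundProps() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " "
            + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
        props.put(WSHandlerConstants.USER, "serverkey");                 // placeholder signing alias
        props.put(WSHandlerConstants.ENCRYPTION_USER, "clientkey");      // placeholder recipient alias
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS,
            "org.example.ServerPasswordCallback");                        // placeholder CallbackHandler
        props.put(WSHandlerConstants.SIG_PROP_FILE, "server-crypto.properties"); // placeholder
        props.put(WSHandlerConstants.ENC_PROP_FILE, "server-crypto.properties"); // placeholder
        return props;
    }
}

/** Placeholder implementation; the annotation puts the interceptor on the out-fault chain. */
@WebService(endpointInterface = "org.example.Greeter")
@OutFaultInterceptors(interceptors = {"org.example.FaultSecuringOutInterceptor"})
class GreeterImpl implements Greeter {
    public String greet(String who) {
        if (who == null || who.isEmpty()) {
            // Raises a SOAP Fault; with the checker below the client cannot read it unless the fault is secured.
            throw new IllegalArgumentException("name is required");
        }
        return "Hello " + who;
    }
}

/** Client side: the coverage requirements that reject an unsigned/unencrypted response. */
class ClientSecuritySetup {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    static CryptoCoverageChecker coverageChecker() {
        Map<String, String> prefixes = new HashMap<String, String>();
        prefixes.put("soap", SOAP_NS);
        prefixes.put("wsu", WSU_NS);
        List<XPathExpression> xpaths = Arrays.asList(
            // Body must be signed as a whole element ...
            new XPathExpression("//soap:Body", CoverageType.SIGNED),
            // ... and its content encrypted (WSS4J encrypts Body content by default, hence CONTENT scope) ...
            new XPathExpression("//soap:Body", CoverageType.ENCRYPTED, CoverageScope.CONTENT),
            // ... and the Timestamp must be covered by the signature so it cannot be altered.
            new XPathExpression("//wsu:Timestamp", CoverageType.SIGNED));
        return new CryptoCoverageChecker(prefixes, xpaths);
    }

    /** Installs the checker on the proxy's inbound chain; the WSS4JInInterceptor is configured separately. */
    static void install(Greeter proxy) {
        Client client = ClientProxy.getClient(proxy);
        client.getInInterceptors().add(coverageChecker());
    }
}
```

The checker runs after WSS4JInInterceptor has processed the Security header, so the XPaths are evaluated against the decrypted message and compared with the elements that the signature and encryption results actually cover. Because the checker inspects every inbound message, a server that leaves Faults unsecured will have those Faults rejected on the client; securing the Fault on the out-fault chain is what the thread is trying to achieve.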