cxf-users mailing list archives

From Wabi Sabi <wabisabi2...@gmail.com>
Subject Re: Configuring SwA to work with WS-Security in a CXF client
Date Tue, 11 Feb 2014 16:37:44 GMT
I can't find the reference to AlgorithmSuite in the associated WSDL.
Somehow this worked OK with CXF 2.7.

Here is what the failing response looks like.

ID: 1
Response-Code: 200
Encoding: ISO-8859-1
Content-Type: text/xml
Headers: {Cache-Control=[no-cache, no-store], connection=[Keep-Alive],
Content-Language=[en-CA], content-type=[text/xml], Date=[Tue, 11 Feb 2014
16:04:05 GMT], Server=[Apache], transfer-encoding=[chunked],
X-Backside-Transport=[OK OK], X-Client-IP=[111.111.11.111]}
Payload: <?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Header><wsse:Security
soapenv:mustUnderstand="1" xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><xenc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:dsig="
http://www.w3.org/2000/09/xmldsig#"/><dsig:KeyInfo xmlns:dsig="
http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><wsse:KeyIdentifier
ValueType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier"
EncodingType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">qXzKaOt1jDRiRhI85g=</wsse:KeyIdentifier></wsse:SecurityTokenReference></dsig:KeyInfo><xenc:CipherData
xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
URI="#G0x7fda3d296d98-46D"/></xenc:ReferenceList></xenc:EncryptedKey><wsu:Timestamp
wsu:Id="Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Created>2014-02-11T16:04:07Z</wsu:Created><wsu:Expires>2014-02-11T16:09:07Z</wsu:Expires></wsu:Timestamp><wsse:BinarySecurityToken
wsu:Id="SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" EncodingType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">....</wsse:BinarySecurityToken><Signature
xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
  <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#
"/>
  <SignatureMethod Algorithm="
http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  <Reference URI="#Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>...</DigestValue>
  </Reference>
  <Reference URI="#Body-00d89df1-048f-4cc6-9cc2-39c33900dca4">
    <Transforms>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    </Transforms>
    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    <DigestValue>...</DigestValue>
  </Reference>
</SignedInfo>

<SignatureValue>...</SignatureValue><KeyInfo><wsse:SecurityTokenReference
xmlns=""><wsse:Reference
URI="#SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" ValueType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></KeyInfo></Signature></wsse:Security></soapenv:Header><soapenv:Body
wsu:Id="Body-00d89df1-048f-4cc6-9cc2-39c33900dca4" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><ns2:listResponse
xmlns:ns4="http://srv.gov.ca/" xmlns:ns3="http://ip.srv.gov.ca/" xmlns:ns2="
http://et.srv.gov.ca/"><xenc:EncryptedData Id="G0x7fda3d296d98-46D" Type="
http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="
http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#aes128-cbc
"/><xenc:CipherData><xenc:CipherValue>......</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></ns2:listResponse></soapenv:Body></soapenv:Envelope>

Thank you very much, Colm, for your help looking into this!



On Tue, Feb 11, 2014 at 11:13 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:

> There are no CXF 2.7.x based solutions. The exception message seems to be
> that you are using the RSA 1.5 key transport algorithm even though there is
> no RSA 1.5 security policy in effect. What "AlgorithmSuite" policy are you
> using? Is it a CXF client or some other stack? What does the failing
> request look like?
>
> Colm.
>
>
> On Tue, Feb 11, 2014 at 4:08 PM, Wabi Sabi <wabisabi2004@gmail.com> wrote:
>
> > Thank you very much, Colm, for the detailed and complete responses. I tried
> > building a client with CXF 3, but it seems to break even the calls that
> > worked before. I now get:
> >
> > Caused by: *org.apache.wss4j.common.ext.WSSecurityException*: An error was
> > discovered processing the <wsse:Security> header
> >
> > Thrown by org.apache.wss4j.dom.processor.EncryptedKeyProcessor:
> >
> >         if (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod)
> >             && !data.isAllowRSA15KeyTransportAlgorithm()
> >             && !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15)) {
> >             log.debug(
> >                 "The Key transport method does not match the requirement"
> >             );
> >             throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
> >         }
> >
> >
> > I would greatly appreciate any pointers for implementing a CXF 2.7-based
> > solution for the decryption...
> >
> >
> >
> > On Mon, Feb 10, 2014 at 11:38 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> >
> > > Here is a blog article describing how to use this new functionality in
> > > CXF...
> > >
> > > http://coheigea.blogspot.ie/2014/02/apache-wss4j-200-part-v.html
> > >
> > > Colm.
> > >
> > >
> > > On Fri, Feb 7, 2014 at 3:27 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> > >
> > > >
> > > > Signing + encrypting/decrypting SOAP Attachments is not supported in CXF
> > > > 2.7.x. However it is supported on CXF trunk at the moment, and will be
> > > > included in the forthcoming CXF 3.0.0 release. Here are some tests if you
> > > > are interested:
> > > >
> > > > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/swa/
> > > >
> > > > Colm.
> > > >
> > > >
> > > > On Fri, Feb 7, 2014 at 3:19 PM, Wabi Sabi <wabisabi2004@gmail.com> wrote:
> > > >
> > > >> Hello,
> > > >>
> > > >> I wonder if CXF can be configured to decrypt attachments that come as a
> > > >> web service response?
> > > >>
> > > >> I hoped that WSS4JInInterceptor would take care of this use case, but it
> > > >> fails with a "The signature or decryption was invalid" exception, which is
> > > >> caused by "org.apache.xml.security.encryption.XMLEncryptionException:
> > > >> Could not find a resolver for URI
> > > >> cid:urn%3Auuid%@apache.org and Base null
> > > >>
> > > >> I managed to write a custom resolver to provide attachment data, but then
> > > >> it fails with yet another exception:
> > > >> org.apache.xml.security.encryption.XMLEncryptionException:
> > > >> Unknown transformation. No handler installed for URI
> > > >> http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Ciphertext-Transform
> > > >>
> > > >> Can somebody point me in the right direction, please? Any help is greatly
> > > >> appreciated.
> > > >>
> > > >> Thanks in advance.
> > > >>
> > > >
> > > >
> > > >
> > > > --
> > > > Colm O hEigeartaigh
> > > >
> > > > Talend Community Coder
> > > > http://coders.talend.com
> > > >
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
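The logged response shows the service wrapping the AES key with rsa-1_5, which is exactly what the EncryptedKeyProcessor condition quoted in the thread rejects unless the client explicitly allows RSA 1.5 or the AlgorithmSuite lists it. As an added example (not code from the thread, from CXF or from WSS4J), this Python script extracts the key transport algorithm from a logged WS-Security response and applies the same rule, so a defender can confirm why WSS4J 2.x refuses the message and what the service (RSA-OAEP) or client (the allow flag) side would have to change; the sample envelope is constructed and the single-algorithm key-wrap set is an assumption.

```python
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
RSA15 = XENC + "rsa-1_5"            # PKCS#1 v1.5 key transport, refused by default in WSS4J 2.x
RSA_OAEP = XENC + "rsa-oaep-mgf1p"  # what the default WS-SecurityPolicy suites expect

# Assumption for this example: the suite in effect permits only RSA-OAEP for key wrap,
# as the thread's error implies (rsa-1_5 is absent from getKeyWrapAlgorithms()).
DEFAULT_KEY_WRAP = frozenset({RSA_OAEP})


def key_transport_algorithm(soap_xml):
    """Return the Algorithm URI of the first xenc:EncryptedKey, or None if absent."""
    root = ET.fromstring(soap_xml)
    enc_key = root.find(".//{%s}EncryptedKey" % XENC)
    if enc_key is None:
        return None
    method = enc_key.find("{%s}EncryptionMethod" % XENC)
    return None if method is None else method.get("Algorithm")


def key_transport_accepted(soap_xml, allow_rsa15=False, key_wrap=DEFAULT_KEY_WRAP):
    """Mirror the EncryptedKeyProcessor rule quoted in the thread: rsa-1_5 is
    rejected unless explicitly allowed or listed in the suite's key-wrap set."""
    alg = key_transport_algorithm(soap_xml)
    return not (alg == RSA15 and not allow_rsa15 and RSA15 not in key_wrap)


# Constructed sample modelled on the logged response above; ciphertext elided.
SAMPLE = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<xenc:CipherData><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedKey></wsse:Security></soapenv:Header><soapenv:Body/></soapenv:Envelope>"""

if __name__ == "__main__":
    print("key transport:", key_transport_algorithm(SAMPLE))
    print("accepted by default:", key_transport_accepted(SAMPLE))
    print("accepted with allowRSA15KeyTransportAlgorithm:",
          key_transport_accepted(SAMPLE, allow_rsa15=True))
```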
