Mailing-List: contact users-help@cxf.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@cxf.apache.org
Received-SPF: pass (athena.apache.org: local policy)
From: "Ed Bras" <zooi@debrasjes.com>
To: <users@cxf.apache.org>,
	<coheigea@apache.org>
References: <01ad01cfcc44$03e363b0$0baa2b10$@com>
	<CAB8XdGDkGmoCidgi08QTnQcGmavecfu6a2hVAW6qAU4oCOFZJg@mail.gmail.com>
	<01b401cfcc5c$f426e140$dc74a3c0$@com>
 <CAB8XdGDJd8Zx=-7SQeANTzmSYEHtyBMEBx3qRS8Kh3c24HR9PA@mail.gmail.com>
In-Reply-To: 
 <CAB8XdGDJd8Zx=-7SQeANTzmSYEHtyBMEBx3qRS8Kh3c24HR9PA@mail.gmail.com>
Subject: RE: Cont: upgrading cxf client to 3.0.1
Date: Wed, 10 Sep 2014 17:05:41 +0200
Message-ID: <020201cfcd08$b0f6f200$12e4d600$@com>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Thread-Index: Ac/M0utO9zZGxi5qQiGfjcf75z14DgALuX7w
Content-Language: nl

Thanks @Colm
If I understand you correctly it's not possible to use optional header =
fields in the Signature with SecurityPolicy.
As such I continue using the interceptor as explained by David (see link =
below).

However, when I use the new WSS4JStaxOutInterceptor interceptor it =
doesn't contain all the Signature info. As such, for now I continue =
using the WSS4JOutInterceptor that I was using before. It does contain =
all the signed info.
However, I then get xml validation error, in the cxf client, when =
reading the soap response from the remote end point.
This is because the response contains still some raw mime type kind of =
info. See below for the exact output.
This error occurs when the LoggingIn interceptor tries to output the =
message.
I tried to solve this by changing the order of the client interceptors, =
but it has no effect.
(Btw: When I disable the LoggingIn interceptor, I get the same error, =
but with different content (the sec:cipherSuitesFilter content), but it =
also has the mime type header info)
Below I also listed the client Spring config (works in cxf 2.X). And =
below the exception.
How can I solve this? (how/when is this raw "mime type" info stripped =
off)

Note: When I use the WSS4JStaxOutInterceptor interceptor, I don't get =
this mime-type kind of error. So I am not sure when direction to go: =
Stax and solve the sign issues, or the none-stax and solve the mime type =
issues :( Maybe I am mixing them both, but I can't seem to find it.

- Ed


The received response containing invalid xml output:
--------------------
--uuid:36d7c0e6-ad6e-4382-99a3-8401418deee9
Content-Type: text/xml; charset=3DUTF-8
Content-Transfer-Encoding: binary
Content-ID:
<root.message @ cxf.apache.org>

<?xml version=3D"1.0" encoding=3D"UTF-8"?>
	<soapenv:Envelope =
xmlns:xsi=3D"http://www.w3.org/2001/XMLSchema-instance" =
xmlns:xsd=3D"http://www.w3.org/2001/XMLSchema" =
xmlns:soapenv=3D"http://schemas.xmlsoap.org/soap/envelope/"
		xmlns:soapenc=3D"http://schemas.xmlsoap.org/soap/encoding/" =
xmlns:date=3D"http://exslt.org/dates-and-times" =
xmlns:SOAP=3D"http://schemas.xmlsoap.org/soap/envelope/">
		<soapenv:Header />
		<soapenv:Body>
			...........
			...........
		</soapenv:Body>
	</soapenv:Envelope>
--------------------


The cxf client config:
--------------------
	 <jaxws:client id=3D"preProductionDigipoortAanleveren" =
serviceClass=3D"AanleverServiceV12"  address=3D"${url.delivery}">
	 	=09
        <jaxws:inInterceptors>
            <ref bean=3D"preProductionSigningInterceptorIn"/>
            <ref bean=3D"preProductionWsaSignaturePartsInterceptor"/>
            <ref bean=3D"logInbound"/>=20
        </jaxws:inInterceptors>
       =20
        <jaxws:outInterceptors>
            <ref bean=3D"preProductionSigningInterceptorOut"/>
		<ref bean=3D"preProductionWsaSignaturePartsInterceptor"/>
		<ref bean=3D"preProductionLoggingOutInterceptor" />
            <ref bean=3D"logOutbound"/>
        </jaxws:outInterceptors>

        <jaxws:properties>
        	<entry key=3D"mtom-enabled" value=3D"true"/>=20
            <entry key=3D"signatureParts" =
value=3D"{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-ws=
s-wssecurity-utility-1.0.xsd}Timestamp;
   				 		{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
        </jaxws:properties>
    </jaxws:client>

    <bean id=3D"logInbound" =
class=3D"org.apache.cxf.interceptor.LoggingInInterceptor" />
    <bean id=3D"logOutbound" =
class=3D"org.apache.cxf.interceptor.LoggingOutInterceptor" />

	<!-- It will dynamically set the WSA signing parts if required, =
depending if they contain any value. See the class for details -->
	<bean id=3D"preProductionWsaSignaturePartsInterceptor" =
class=3D"SimpleDynamicWsaSignaturePartsInterceptor"/>
=09

    <bean id=3D"preProductionSigningInterceptorOut" =
class=3D"org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
    <!--bean id=3D"preProductionSigningInterceptorOut" =
class=3D"org.apache.cxf.ws.security.wss4j.WSS4JStaxOutInterceptor"-->
        <constructor-arg>
            <map>
                <entry key=3D"action" value=3D"Timestamp Signature"/>
                <entry key=3D"timeToLive" value=3D"300" /> <!-- =
Timestamp TTL in seconds, indicates how long the message is valid -->
                <entry key=3D"user" =
value=3D"${pre.production.delivery.keystore.private.sign.key.alias}"/>
               =20
                <entry key=3D"passwordCallbackRef" =
value-ref=3D"preProductionPwdCallback"/>=20
                <entry key=3D"signatureKeyIdentifier" =
value=3D"DirectReference" />
                <entry key=3D"signaturePropRefId" =
value=3D"cryptoProperties"/>
                <entry key=3D"cryptoProperties" =
value-ref=3D"preProductionCryptoProperties"/>
            </map>
        </constructor-arg>
    </bean>
   =20
    <bean id=3D"preProductionSigningInterceptorIn" =
class=3D"org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <!--bean id=3D"preProductionSigningInterceptorIn" =
class=3D"org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor"-->
        <constructor-arg>
            <map>
                <entry key=3D"action" value=3D"Timestamp Signature"/>
                <entry key=3D"signaturePropRefId" =
value=3D"cryptoProperties"/>
                <entry key=3D"cryptoProperties" =
value-ref=3D"preProductionCryptoProperties"/>
            </map>
        </constructor-arg>
    </bean>

	<bean id=3D"preProductionPwdCallback" =
class=3D"com.ited.cxf.ClientKeystorePasswordCallback">
	   <property name=3D"passwords">
	     <util:map key-type=3D"java.lang.String" =
value-type=3D"java.lang.String">
	       <entry key=3D"${private.sign.key.alias}" value=3D"${ =
private.sign.key.pwd}"/>
	     </util:map>
	   </property>
	</bean>

	<util:properties id=3D"preProductionCryptoProperties">
	    	<prop =
key=3D"org.apache.wss4j.crypto.merlin.keystore.file">${keystore.private}<=
/prop>
    		<prop =
key=3D"org.apache.wss4j.crypto.merlin.keystore.password">${keystore.priva=
te.pwd}</prop>

	    	<prop =
key=3D"org.apache.wss4j.crypto.merlin.truststore.file">${keystore.trusted=
}</prop>
    		<prop =
key=3D"org.apache.wss4j.crypto.merlin.truststore.password">${keystore.tru=
sted.pwd}</prop>
  	</util:properties>

--------------------


The stracktrace:
-------------------
	at =
org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor.handleMess=
age(ReadHeadersInterceptor.java:259) =
~[cxf-rt-bindings-soap-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor.handleMess=
age(ReadHeadersInterceptor.java:62) =
~[cxf-rt-bindings-soap-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorCh=
ain.java:307) [cxf-core-3.0.1.jar:3.0.1]
	at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798) =
~[cxf-core-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRespo=
nseInternal(HTTPConduit.java:1636) =
~[cxf-rt-transports-http-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleRespo=
nse(HTTPConduit.java:1525) ~[cxf-rt-transports-http-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPC=
onduit.java:1330) ~[cxf-rt-transports-http-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutput=
Stream.java:56) ~[cxf-core-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215) =
~[cxf-core-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) =
~[cxf-core-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:638) =
~[cxf-rt-transports-http-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingIn=
terceptor.handleMessage(MessageSenderInterceptor.java:62) =
~[cxf-core-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorCh=
ain.java:307) [cxf-core-3.0.1.jar:3.0.1]
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514) =
~[cxf-core-3.0.1.jar:3.0.1]
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423) =
~[cxf-core-3.0.1.jar:3.0.1]
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:326) =
~[cxf-core-3.0.1.jar:3.0.1]
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:279) =
~[cxf-core-3.0.1.jar:3.0.1]
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) =
~[cxf-rt-frontend-simple-3.0.1.jar:3.0.1]
	at =
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:137) =
~[cxf-rt-frontend-jaxws-3.0.1.jar:3.0.1]
	at com.sun.proxy.$Proxy72.aanleveren(Unknown Source) ~[na:na]
....
...
Caused by: com.ctc.wstx.exc.WstxUnexpectedCharException: Unexpected =
character '-' (code 45) in prolog; expected '<'
 at [row,col {unknown-source}]: [3,1]
	at =
com.ctc.wstx.sr.StreamScanner.throwUnexpectedChar(StreamScanner.java:647)=
 ~[woodstox-core-asl-4.4.0.jar:4.4.0]
	at =
com.ctc.wstx.sr.BasicStreamReader.nextFromProlog(BasicStreamReader.java:2=
054) ~[woodstox-core-asl-4.4.0.jar:4.4.0]
	at com.ctc.wstx.sr.BasicStreamReader.next(BasicStreamReader.java:1131) =
~[woodstox-core-asl-4.4.0.jar:4.4.0]
	at =
com.ctc.wstx.sr.BasicStreamReader.nextTag(BasicStreamReader.java:1154) =
~[woodstox-core-asl-4.4.0.jar:4.4.0]
	at =
org.apache.cxf.binding.soap.interceptor.ReadHeadersInterceptor.handleMess=
age(ReadHeadersInterceptor.java:158) =
~[cxf-rt-bindings-soap-3.0.1.jar:3.0.1]
	... 58 common frames omitted
-------------------


> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: woensdag 10 september 2014 10:41
> To: Ed Bras
> Cc: users@cxf.apache.org
> Subject: Re: Cont: upgrading cxf client to 3.0.1
>=20
> > > However WS-SecurityPolicy "SignedParts" should meet your
> > > requirements
> > How can I indicate that a certain signed part (like the RelatesTo
> > field) is optional?
> >
> > I thought this isn't possible and this was the reason of David's
> solution:
> >
> > http://davidvaleri.wordpress.com/2010/09/15/signing-ws-addressing-
> head
> > ers-in-apache-cxf/
> >
>=20
>  No, SignedParts only signs an Element (or enforces that it is signed)
> if it is present in the request.
>=20
> Colm.
>=20
>=20
>=20
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: dinsdag 9 september 2014 19:47
> > > To: users@cxf.apache.org
> > > Subject: Re: Cont: upgrading cxf client to 3.0.1
> > >
> > > OPTIONAL_SIGNATURE_PARTS only works with the older approach of
> > > specifying "actions" for security - it doesn't work with WS-
> > > SecurityPolicy. However WS-SecurityPolicy "SignedParts" should =
meet
> > > your requirements. With regards to your other question, I think =
you
> > > need to create a testcase that reproduces the problem...
> > >
> > > Colm.
> > >
> > > On Tue, Sep 9, 2014 at 4:37 PM, Ed Bras <zooi@debrasjes.com> =
wrote:
> > >
> > > > Please some advice on the following cxf client config:
> > > >
> > > > After upgrading to 3.0.1. The security isn't included as it
> should.
> > > > To solve this I currently try to use WS-SecurityPolicy auto
> config
> > > > such that it's automatically included.
> > > > Before I did this manual as I have optional filled fields that
> > > > needed to be included in the signature, I used the solution as
> explained in:
> > > >
> > > > http://davidvaleri.wordpress.com/2010/09/15/signing-ws-
> addressing-
> > > head
> > > > ers-in
> > > > -apache-cxf/
> > > > I want to use the new WSS4J 2.0 OPTIONAL_SIGNATURE_PARTS as an
> > > alternative.
> > > >
> > > > Anyway: for some reason the policy info isn't used from the =
wsdl,
> > > > as such not used/included in the soap message.
> > > > I think because the wsdl location isn't known, so I added the
> > > > wsdLocation to the client, but then it complaints it can't find
> > > > the service definition.
> > > > How do I solve this? See the config below.
> > > >
> > > > Note: I define the serviceClass and address manually in the
> config
> > > > below as the Service and Port name in the wsdl are the same and
> > > > CXF didn't like that (at least not with version 2.X).
> > > > In the past I dropped a question about it in SO:
> > > >
> > > > http://stackoverflow.com/questions/13591514/how-to-deal-with-
> same-
> > > serv
> > > > ice-an
> > > > d-port-name-in-cxf
> > > >
> > > >
> > > > The client config snippet:
> > > > -------------------
> > > > <jaxws:client id=3D"preProductionClient"
> > > > serviceClass=3D"com.bla.service.DeliveryServiceV12"
> > > >
> > > > address=3D"https://preprod.bla.nl/wus/2.0/deliveryservice/1.2"
> > > > wsdlLocation=3D"/wsdl/DeliverPreProd_1.2.wsdl">
> > > > ------------
> > > >
> > > >
> > > > The exception:
> > > > --------------
> > > > Caused by:
> > > org.apache.cxf.service.factory.ServiceConstructionException:
> > > > Could not find definition for service {http://
> > > >
> > >
> =
https://preprod.bla.nl/wus/2.0/deliveryservice/1.2/}DeliveryServiceV12.
> > > > --------------
> > > >
> > > > - Ed
> > > >
> > > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> >
> >
>=20
>=20
> --
> Colm O hEigeartaigh
>=20
> Talend Community Coder
> http://coders.talend.com