cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: ws-policy/ws-security and a encrypted header part
Date Wed, 26 Oct 2016 14:31:31 GMT
If it's a CXF service then turn on debug logging to figure out why it is
rejecting the message.

Colm.

On Wed, Oct 26, 2016 at 3:29 PM, Martin Fernau <martin.fernau@fernausoft.de>
wrote:

> Thanks a lot.
> It turns out that I already implemented it this way but simply made a
> mistake in the namespace.
> After correction the outgoing XML seems to be correct.
> Nonetheless the request is rejected with "An error occurred when verifying
> security for the message."
>
> Thanks
> Martin
>
> On 24.10.2016 at 13:21, Colm O hEigeartaigh wrote:
>
>> Yes it's possible to add headers and sign and encrypt them. There is a test
>> which demonstrates how to do this for encryption, although Signature works
>> as well:
>>
>> https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/java/org/apache/cxf/systest/ws/x509/X509TokenTest.java;h=55b8298aa93bed4622c3f2f283a04b8294725aad;hb=HEAD
>>
>> See "testKeyIdentifier2". The header is added with:
>>
>> List<Header> headers = new ArrayList<Header>();
>> Header dummyHeader = new Header(new QName("uri:org.apache.cxf", "dummy"),
>>                                 "dummy-header",
>>                                 new JAXBDataBinding(String.class));
>> headers.add(dummyHeader);
>> ((BindingProvider)x509Port).getRequestContext().put(Header.HEADER_LIST, headers);
>>
>> The WSDL is here. You can see that the header is added to the encryption
>> parts for the "DoubleIt2" operation:
>>
>> https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/x509/DoubleItOperations.wsdl;h=836f02e0c4c7ae851f4f475ca84a17724dbf2236;hb=HEAD
>>
>> On Mon, Oct 24, 2016 at 10:19 AM, Martin Fernau <martin.fernau@fernausoft.de> wrote:
>>
>>> No one?
>>>
>>> Is it not possible with CXF or is it an unusual demand?
>>> I need to consume this webservice. If it's not possible with CXF I need to
>>> find another way but I'd like to stick with CXF.
>>>
>>> Thanks
>>> Martin
>>>
>>>
>>> On 20.10.2016 at 10:00, Martin Fernau wrote:
>>>
>>>> Hi,
>>>>
>>>> is it possible to call a webservice with the following ws-security
>>>> content:
>>>> --cut
>>>>      <wsp:Policy wsu:Id="CustomBinding_IServiceCustomer_InsertCustomer_Input_policy">
>>>>          <wsp:ExactlyOne>
>>>>              <wsp:All>
>>>>                  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>                      <sp:Body/>
>>>>                      <sp:Header Name="FfeHeader" Namespace="http://tempuri.org/"/>
>>>>                      <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>                      <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>                      <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>                      <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>                      <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>                      <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>                      <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
>>>>                  </sp:SignedParts>
>>>>                  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>>                      <sp:Body/>
>>>>                      <sp:Header Name="FfeHeader" Namespace="http://tempuri.org/"/>
>>>>                  </sp:EncryptedParts>
>>>>              </wsp:All>
>>>>          </wsp:ExactlyOne>
>>>>      </wsp:Policy>
>>>> --cut
>>>>
>>>> The problematic part is the "FfeHeader" which needs to be encrypted and
>>>> signed.
>>>> All the other parts are working (as far as I can tell).
>>>> If I use wsdl2java a class file for the FfeHeader-Type is generated but I
>>>> can find a way how to add it to my request. Thus the resulting request
>>>> contains no such header and therefore the server fails to understand my
>>>> request:
>>>> --cut
>>>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Object
>>>> reference not set to an instance of an object.
>>>> --cut
>>>>
>>>> I only know the following way to add a custom header to my request:
>>>> --cut
>>>> ObjectFactory of = new ObjectFactory();
>>>> List<Header> headersList = new ArrayList<Header>();
>>>> // HeaderType is the generated class for FfeHeader
>>>> HeaderType type = of.createHeaderType();
>>>> // call several setters on 'type'
>>>> [...]
>>>>
>>>> Header ffeHeader = new Header(new QName("http://tempuri.org",
>>>> "FfeHeader"), type, new JAXBDataBinding(HeaderType.class));
>>>> headersList.add(ffeHeader);
>>>> client.getRequestContext().put(Header.HEADER_LIST, headersList);
>>>> --cut
>>>> But this way the FfeHeader is neither signed nor encrypted and the call
>>>> fails with exactly the same error message.
>>>>
>>>> I would appreciate any kind of help.
>>>>
>>>> Thanks
>>>> Martin
>>>>
>>>>
>>>
>>>
>>
>>
> --
> FERNAUSOFT GmbH
> Gartenstraße 42 - 37269 Eschwege
>
> Telefon (0 56 51) 95 99-0
> Telefax (0 56 51) 95 99-90
>
> eMail martin.fernau@fernausoft.de
> Internet http://www.fernausoft.de
>
> Handelsregister Eschwege, HRB 1585
> Geschäftsführer: Axel Fernau, Ulrich Fernau, Martin Fernau
> Steuernummer 025 233 00041
> USt-ID-Nr. DE 178 554 622
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
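
The policy quoted in this thread lists the header as `FfeHeader` in namespace `http://tempuri.org/`, while the posted client snippet builds its `QName` with `http://tempuri.org`; since QName comparison is exact, a header sent under a different namespace string is not the one the `SignedParts`/`EncryptedParts` assertions name. The following is an added example, not code from the original messages or from the CXF project: a JDK-only check that reads the `sp:Header` entries from a policy and compares them with the QName a client intends to send. The class and method names (`PolicyHeaderCheck`, `requiredHeaders`, `check`) are hypothetical, the embedded policy is a constructed, reduced copy of the one quoted above, and the `wsp` namespace URI is the WS-Policy 1.2 one, which the thread does not show.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class PolicyHeaderCheck {
    static final String SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";
    // Header QNames listed under sp:SignedParts or sp:EncryptedParts of a policy.
    static List<QName> requiredHeaders(Element policy, String partsElement) {
        List<QName> out = new ArrayList<>();
        NodeList parts = policy.getElementsByTagNameNS(SP, partsElement);
        for (int i = 0; i < parts.getLength(); i++) {
            NodeList hs = ((Element) parts.item(i)).getElementsByTagNameNS(SP, "Header");
            for (int j = 0; j < hs.getLength(); j++) {
                Element h = (Element) hs.item(j);
                out.add(new QName(h.getAttribute("Namespace"), h.getAttribute("Name")));
            }
        }
        return out;
    }
    // QName equality is exact: a namespace differing only by a trailing "/" does not match.
    static String check(List<QName> required, QName sent) {
        if (required.contains(sent)) return "covered";
        String ns = sent.getNamespaceURI().replaceAll("/+$", "");
        for (QName q : required) {
            if (q.getLocalPart().equals(sent.getLocalPart())
                    && q.getNamespaceURI().replaceAll("/+$", "").equals(ns)) {
                return "near miss, policy expects " + q;
            }
        }
        return "not covered";
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: the EncryptedParts assertion from the thread, reduced.
        String xml = "<wsp:Policy xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy' xmlns:sp='" + SP + "'>"
            + "<sp:EncryptedParts><sp:Body/><sp:Header Name='FfeHeader' Namespace='http://tempuri.org/'/>"
            + "</sp:EncryptedParts></wsp:Policy>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Element policy = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        List<QName> enc = requiredHeaders(policy, "EncryptedParts");
        System.out.println(check(enc, new QName("http://tempuri.org", "FfeHeader")));
        System.out.println(check(enc, new QName("http://tempuri.org/", "FfeHeader")));
    }
}
```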
