cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: CXF 3.0.6 MTOM + WS-Security Exception
Date Thu, 10 Nov 2016 10:13:02 GMT
Hi,

Signature + MTOM does not work in CXF at the moment. I plan on revisiting
this soon, possibly next month. Right now, if an attachment is referenced
via xop:Include in the SOAP Body for example, a CXF client will only sign
the SOAP Body "as is", and not dereference the attachment. Therefore you
are not actually signing the attachment at all. If you want to support
attachment signing, then you need to add the sp:Attachment policy to
sp:SignedParts, but disable MTOM.

The reason that you are seeing a failure with CXF 3.0.6 is due to an
enhancement to support inlining BASE-64 content in attachments. By default,
WSS4J automatically expands an xop:Include element, so make sure that the
content is signed, and not just the reference. I'll probably address this
as part of the MTOM work. In the meantime, you can change this if you
really need to, by specifying "<entry key="expandXOPIncludeForSignature"
value="false"/>" on the server side.

Colm.

On Mon, Nov 7, 2016 at 8:12 PM, hammadk <khanh@ca.ibm.com> wrote:

> Hi,
> We are trying to get MTOM and WS-Security working together using CXF. Both
> client and service are using cxf 3.0.6.
>
> The data that needs to be sent as attachment has the
> "application/octet-stream" expectedContentTypes in the wsdl:
> <xs:complexType name="StoreData">
>   <xs:sequence>
>     <xs:element name="storeID" type="xs:long"/>
>     <xs:element minOccurs="0" name="dataFileName" type="xs:string"/>
>     <xs:element minOccurs="0" name="data" type="xs:base64Binary"
>         xmime:expectedContentTypes="application/octet-stream"/>
>     <xs:element name="dataLen" type="xs:long"/>
>   </xs:sequence>
> </xs:complexType>
>
> And we enable mtom for both client and service in the spring config using:
> <jaxws:properties>
>   <entry key="mtom-enabled" value="true"/>
>   ...
> </jaxws:properties>
> in the jaxws:client and jaxws:endpoint respectively.
>
> The binding policy we are using in our wsdl is:
> <wsp:Policy wsu:Id="ServiceSoapBindingPolicy"
>     xmlns:wsp="http://www.w3.org/ns/ws-policy"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>     xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>     xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>     xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <wsap10:UsingAddressing/>
>       <sp:SymmetricBinding>
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys/>
>                   <sp:RequireThumbprintReference/>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp/>
>           <sp:EncryptSignature/>
>           <sp:OnlySignEntireHeadersAndBody/>
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>       <sp:EndorsingSupportingTokens>
>         <wsp:Policy>
>           <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <sp:Issuer>
>               <wsaw:Address>http://localhost:8080/DefaultSTS/DefaultSTS/DefaultSTSService</wsaw:Address>
>             </sp:Issuer>
>             <sp:RequestSecurityTokenTemplate>
>               <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
>               <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
>               <t:KeySize>256</t:KeySize>
>               <t:Claims xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
>                   Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
>                 <ic:ClaimType Uri="http://schemas.merge.com/icc/claims/storagespace" Optional="true"/>
>               </t:Claims>
>               <wsp:AppliesTo>
>                 <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
>                   <Address>urn:merge:icc:services:all</Address>
>                 </EndpointReference>
>               </wsp:AppliesTo>
>             </sp:RequestSecurityTokenTemplate>
>             <wsp:Policy>
>               <sp:RequireDerivedKeys/>
>               <sp:RequireInternalReference/>
>             </wsp:Policy>
>           </sp:IssuedToken>
>         </wsp:Policy>
>       </sp:EndorsingSupportingTokens>
>       <sp:Wss11>
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier/>
>           <sp:MustSupportRefIssuerSerial/>
>           <sp:MustSupportRefThumbprint/>
>           <sp:MustSupportRefEncryptedKey/>
>           <sp:RequireSignatureConfirmation/>
>         </wsp:Policy>
>       </sp:Wss11>
>       <sp:Trust13>
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens/>
>           <sp:RequireClientEntropy/>
>           <sp:RequireServerEntropy/>
>         </wsp:Policy>
>       </sp:Trust13>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="ServicePortBinding_Input_Policy"
>     xmlns:wsp="http://www.w3.org/ns/ws-policy"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>     xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>     xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>     xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:EncryptedParts>
>         <sp:Body/>
>       </sp:EncryptedParts>
>       <sp:SignedParts>
>         <sp:Body/>
>         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>         <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>         <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>         <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>       </sp:SignedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> With these settings we get the following exception on the receiving side (in
> our case the service - since we are trying to "upload" data):
> WARNING: Interceptor for {http://merge.com/icc/services/test/largedatatransfer/}LargeDataTransfer#{http://merge.com/icc/services/test/largedatatransfer/}Store has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
>         at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:270)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:333)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
>         at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:127)
>         at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>         at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
>         at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>         at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
>         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
>         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>         at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
>         at org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
>         at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:224)
>         at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
>         ... 34 more
>
>
> Some options we tried and the conclusion from these options:
> 1) The exact settings mentioned above work fine with cxf 3.0.5 but not for
> 3.0.6 - 3.0.11. We have not tried 3.1.x.
>
> 2) In cxf 3.0.6, adding <sp:Attachment/> to the <sp:SignedParts> element does
> not help; we still get the same exception.
>
> 3) In cxf 3.0.6, if we remove <sp:Body/> from the <sp:SignedParts> element
> then it works fine.
>
>
> Any pointers on what is going on here and how to fix it will be greatly
> appreciated.
>
> Thanks.
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.
> com/CXF-3-0-6-MTOM-WS-Security-Exception-tp5774657.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
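To make the point in the reply concrete, here is an added Python model (not CXF or WSS4J code) of what a signature over the Body "as is" covers versus one computed after the xop:Include is expanded. The Body, Content-ID and attachment bytes are constructed samples, and a SHA-256 over the serialized text stands in for the XML-DSig reference digest (no canonicalization is modelled).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

XOP_NS = "http://www.w3.org/2004/08/xop/include"

# Constructed sample: a SOAP Body carrying the StoreData element from the
# thread, with <data> referencing the MTOM attachment through xop:Include.
BODY_XML = (
    '<soap:Body xmlns:soap="http://www.w3.org/2003/05/soap-envelope">'
    '<StoreData><storeID>42</storeID><dataFileName>a.bin</dataFileName>'
    '<data><xop:Include xmlns:xop="' + XOP_NS + '" '
    'href="cid:attachment-1@example"/></data>'
    '<dataLen>5</dataLen></StoreData></soap:Body>'
)


def expand_xop_includes(body_xml, attachments):
    """Inline each xop:Include as the base64 of the referenced attachment.

    Models what WSS4J does before signature processing when
    expandXOPIncludeForSignature is true. `attachments` maps a Content-ID
    (without the 'cid:' scheme) to the raw attachment bytes.
    """
    root = ET.fromstring(body_xml)
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag != "{%s}Include" % XOP_NS:
                continue
            href = child.get("href", "")
            cid = href[4:] if href.startswith("cid:") else None
            if cid is None or cid not in attachments:
                raise ValueError("unresolvable xop:Include href %r" % href)
            parent.remove(child)
            parent.text = base64.b64encode(attachments[cid]).decode("ascii")
    return ET.tostring(root, encoding="unicode")


def body_digest(body_xml, attachments, expand):
    """Digest the Body 'as is' (expand=False) or with attachments inlined."""
    text = expand_xop_includes(body_xml, attachments) if expand else body_xml
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def attachment_swap_detected(body_xml, original, tampered, expand):
    """True if swapping the attachment bytes changes the digest that is signed."""
    return (body_digest(body_xml, original, expand)
            != body_digest(body_xml, tampered, expand))
```

With `expand=False` the two digests are identical, which is the "not actually signing the attachment" case from the reply; with `expand=True` the swap changes the signed digest and verification would fail.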
