Return-Path: <users-return-50697-archive-asf-public=cust-asf.ponee.io@cxf.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 2848B200BBB
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Thu, 10 Nov 2016 11:13:07 +0100 (CET)
Received: by cust-asf.ponee.io (Postfix)
	id 26DDE160B01; Thu, 10 Nov 2016 10:13:07 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 1C68F160AF6
	for <archive-asf-public@cust-asf.ponee.io>; Thu, 10 Nov 2016 11:13:05 +0100 (CET)
Received: (qmail 29291 invoked by uid 500); 10 Nov 2016 10:13:05 -0000
Mailing-List: contact users-help@cxf.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@cxf.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@cxf.apache.org>
List-Post: <mailto:users@cxf.apache.org>
List-Id: <users.cxf.apache.org>
Reply-To: users@cxf.apache.org
Delivered-To: mailing list users@cxf.apache.org
Received: (qmail 29279 invoked by uid 99); 10 Nov 2016 10:13:04 -0000
Received: from mail-relay.apache.org (HELO mail-relay.apache.org) (140.211.11.15)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 10 Nov 2016 10:13:04 +0000
Received: from mail-wm0-f49.google.com (mail-wm0-f49.google.com [74.125.82.49])
	by mail-relay.apache.org (ASF Mail Server at mail-relay.apache.org) with ESMTPSA id 479F11A08C2
	for <users@cxf.apache.org>; Thu, 10 Nov 2016 10:13:04 +0000 (UTC)
Received: by mail-wm0-f49.google.com with SMTP id t79so20969661wmt.0
        for <users@cxf.apache.org>; Thu, 10 Nov 2016 02:13:04 -0800 (PST)
X-Gm-Message-State: ABUngvfLdi2Frp+GANrhafYxkqr2tYDZuD0r5SKHvodJmaXcOS+3S8xQZVQyllpBWFj5nzPu3BZLdzFX+3t2bQ==
X-Received: by 10.28.150.20 with SMTP id y20mr24240456wmd.67.1478772782838;
 Thu, 10 Nov 2016 02:13:02 -0800 (PST)
MIME-Version: 1.0
Reply-To: coheigea@apache.org
Received: by 10.28.152.145 with HTTP; Thu, 10 Nov 2016 02:13:02 -0800 (PST)
In-Reply-To: <1478549563325-5774657.post@n5.nabble.com>
References: <1478549563325-5774657.post@n5.nabble.com>
From: Colm O hEigeartaigh <coheigea@apache.org>
Date: Thu, 10 Nov 2016 10:13:02 +0000
X-Gmail-Original-Message-ID: <CAB8XdGCbgmaz7odnmQKWa16JVNBUgrBhLrSFAS69StbE90cVMQ@mail.gmail.com>
Message-ID: <CAB8XdGCbgmaz7odnmQKWa16JVNBUgrBhLrSFAS69StbE90cVMQ@mail.gmail.com>
Subject: Re: CXF 3.0.6 MTOM + WS-Security Exception
To: "users@cxf.apache.org" <users@cxf.apache.org>
Content-Type: multipart/alternative; boundary=001a114b3c946cbfa70540ef9eed
archived-at: Thu, 10 Nov 2016 10:13:07 -0000

--001a114b3c946cbfa70540ef9eed
Content-Type: text/plain; charset=UTF-8

Hi,

Signature + MTOM does not work in CXF at the moment. I plan on revisiting
this soon, possibly next month. Right now, if an attachment is referenced
via xop:Include in the SOAP Body for example, a CXF client will only sign
the SOAP Body "as is", and not dereference the attachment. Therefore you
are not actually signing the attachment at all. If you want to support
attachment signing, then you need to add the sp:Attachment policy to
sp:SignedParts, but disable MTOM.

The reason that you are seeing a failure with CXF 3.0.6 is due to an
enhancement to support inlining BASE-64 content in attachments. By default,
WSS4J automatically expands an xop:Include element, so make sure that the
content is signed, and not just the reference. I'll probably address this
as part of the MTOM work. In the meantime, you can change this if you
really need to, by specifying "<entry key="expandXOPIncludeForSignature"
value="false"/>" on the server side.

Colm.

On Mon, Nov 7, 2016 at 8:12 PM, hammadk <khanh@ca.ibm.com> wrote:

> Hi,
> We are trying to get MTOM and WS-Security working together using CXF. Both
> client and service are using cxf 3.0.6.
>
> The data that needs to be sent as attachment has the
> "application/octect-stream" expectedContentTypes in the wsdl:
> <xs:complexType name="StoreData">
>   <xs:sequence>
>     <xs:element name="storeID" type="xs:long"/>
>     <xs:element minOccurs="0" name="dataFileName" type="xs:string"/>
>     <xs:element minOccurs="0" name="data" type="xs:base64Binary"
> xmime:expectedContentTypes="application/octet-stream"/>
>     <xs:element name="dataLen" type="xs:long"/>
>   </xs:sequence>
> </xs:complexType>
>
> And we enable mtom for both client and service in the spring config using:
> <jaxws:properties>
>   <entry key="mtom-enabled" value="true"/>
>   ...
> </jaxws:properties>
> in the jaxws:client and jaxws:endpoint respectively.
>
> The binding policy we are using in our wsdl is:
> <wsp:Policy wsu:Id="ServiceSoapBindingPolicy"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
> 200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> xmlns:wsaw="http://www.w3.org/2005/08/addressing"
> xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
> xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
> xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
>         <wsp:ExactlyOne>
>                 <wsp:All>
>                         <wsap10:UsingAddressing/>
>                         <sp:SymmetricBinding>
>                                 <wsp:Policy>
>                                         <sp:ProtectionToken>
>                                                 <wsp:Policy>
>                                                         <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-
> securitypolicy/200702/IncludeToken/Never">
>
> <wsp:Policy>
>
> <sp:RequireDerivedKeys/>
>
> <sp:RequireThumbprintReference/>
>
> <sp:WssX509V3Token10/>
>
> </wsp:Policy>
>                                                         </sp:X509Token>
>                                                 </wsp:Policy>
>                                         </sp:ProtectionToken>
>                                         <sp:AlgorithmSuite>
>                                                 <wsp:Policy>
>                                                         <sp:Basic256/>
>                                                 </wsp:Policy>
>                                         </sp:AlgorithmSuite>
>                                         <sp:Layout>
>                                                 <wsp:Policy>
>                                                         <sp:Strict/>
>                                                 </wsp:Policy>
>                                         </sp:Layout>
>                                         <sp:IncludeTimestamp/>
>                                         <sp:EncryptSignature/>
>                                         <sp:OnlySignEntireHeadersAndBody/>
>                                 </wsp:Policy>
>                         </sp:SymmetricBinding>
>                         <sp:EndorsingSupportingTokens>
>                                 <wsp:Policy>
>                                         <sp:IssuedToken
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-
> securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                                 <sp:Issuer>
>
> <wsaw:Address>http://localhost:8080/DefaultSTS/
> DefaultSTS/DefaultSTSService</wsaw:Address>
>                                                 </sp:Issuer>
>                                                 <sp:
> RequestSecurityTokenTemplate>
>
> <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-
> saml-token-profile-1.1#SAMLV1.1</t:TokenType>
>
> <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
> </t:KeyType>
>
> <t:KeySize>256</t:KeySize>
>                                                         <t:Claims
> xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
> Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
>
> <ic:ClaimType Uri="http://schemas.merge.com/icc/claims/storagespace"
> Optional="true"/>
>                                                         </t:Claims>
>                                                         <wsp:AppliesTo>
>
> <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
>
> <Address>urn:merge:icc:services:all</Address>
>
> </EndpointReference>
>                                                         </wsp:AppliesTo>
>                                                 </sp:
> RequestSecurityTokenTemplate>
>                                                 <wsp:Policy>
>
> <sp:RequireDerivedKeys/>
>
> <sp:RequireInternalReference/>
>                                                 </wsp:Policy>
>                                         </sp:IssuedToken>
>                                 </wsp:Policy>
>                         </sp:EndorsingSupportingTokens>
>                         <sp:Wss11>
>                                 <wsp:Policy>
>                                         <sp:MustSupportRefKeyIdentifier/>
>                                         <sp:MustSupportRefIssuerSerial/>
>                                         <sp:MustSupportRefThumbprint/>
>                                         <sp:MustSupportRefEncryptedKey/>
>                                         <sp:RequireSignatureConfirmation/>
>                                 </wsp:Policy>
>                         </sp:Wss11>
>                         <sp:Trust13>
>                                 <wsp:Policy>
>                                         <sp:MustSupportIssuedTokens/>
>                                         <sp:RequireClientEntropy/>
>                                         <sp:RequireServerEntropy/>
>                                 </wsp:Policy>
>                         </sp:Trust13>
>                 </wsp:All>
>         </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="ServicePortBinding_Input_Policy"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
> 200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> xmlns:wsaw="http://www.w3.org/2005/08/addressing"
> xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
> xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
> xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
>         <wsp:ExactlyOne>
>                 <wsp:All>
>                         <sp:EncryptedParts>
>                                 <sp:Body/>
>                         </sp:EncryptedParts>
>                         <sp:SignedParts>
>                                 <sp:Body/>
>                                 <sp:Header Name="To" Namespace="
> http://www.w3.org/2005/08/addressing"/>
>                                 <sp:Header Name="From"
> Namespace="http://www.w3.org/2005/08/addressing"/>
>                                 <sp:Header Name="FaultTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
>                                 <sp:Header Name="ReplyTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
>                                 <sp:Header Name="MessageID"
> Namespace="http://www.w3.org/2005/08/addressing"/>
>                                 <sp:Header Name="RelatesTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
>                                 <sp:Header Name="Action"
> Namespace="http://www.w3.org/2005/08/addressing"/>
>                                 <sp:Header Name="AckRequested"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>                                 <sp:Header Name="SequenceAcknowledgement"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>                                 <sp:Header Name="Sequence"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>                                 <sp:Header Name="CreateSequence"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>                         </sp:SignedParts>
>                 </wsp:All>
>         </wsp:ExactlyOne>
> </wsp:Policy>
>
> With these settings we get the following exception on the receiving side
> (in
> our case the service - since we are trying to "upload" data):
> WARNING: Interceptor for
> {http://merge.com/icc/services/test/largedatatransfer/}
> LargeDataTransfer#{http://merge.com/icc/services/test/
> largedatatransfer/}Store
> has thrown exception, unwinding now
>         org.apache.cxf.binding.soap.SoapFault: A security error was
> encountered
> when verifying the message
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.
> java:270)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(
> WSS4JInInterceptor.java:333)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(
> WSS4JInInterceptor.java:190)
>         at
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.
> handleMessage(PolicyBasedWSS4JInInterceptor.java:127)
>         at
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.
> handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
> PhaseInterceptorChain.java:307)
>         at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(
> ChainInitiationObserver.java:121)
>         at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(
> AbstractHTTPDestination.java:251)
>         at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(
> ServletController.java:234)
>         at
> org.apache.cxf.transport.servlet.ServletController.
> invoke(ServletController.java:208)
>         at
> org.apache.cxf.transport.servlet.ServletController.
> invoke(ServletController.java:160)
>         at
> org.apache.cxf.transport.servlet.CXFNonSpringServlet.
> invoke(CXFNonSpringServlet.java:171)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(
> AbstractHTTPServlet.java:293)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.
> doPost(AbstractHTTPServlet.java:212)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.
> service(AbstractHTTPServlet.java:268)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
> ApplicationFilterChain.java:303)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(
> ApplicationFilterChain.java:208)
>         at org.apache.tomcat.websocket.server.WsFilter.doFilter(
> WsFilter.java:52)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
> ApplicationFilterChain.java:241)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(
> ApplicationFilterChain.java:208)
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(
> StandardWrapperValve.java:218)
>         at
> org.apache.catalina.core.StandardContextValve.invoke(
> StandardContextValve.java:122)
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(
> AuthenticatorBase.java:505)
>         at
> org.apache.catalina.core.StandardHostValve.invoke(
> StandardHostValve.java:169)
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(
> ErrorReportValve.java:103)
>         at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(
> StandardEngineValve.java:116)
>         at
> org.apache.catalina.connector.CoyoteAdapter.service(
> CoyoteAdapter.java:442)
>         at
> org.apache.coyote.http11.AbstractHttp11Processor.process(
> AbstractHttp11Processor.java:1082)
>         at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.
> process(AbstractProtocol.java:623)
>         at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.
> run(JIoEndpoint.java:318)
>         at
> java.util.concurrent.ThreadPoolExecutor.runWorker(
> ThreadPoolExecutor.java:1145)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(
> ThreadPoolExecutor.java:615)
>         at
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(
> TaskThread.java:61)
>         at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature
> or
> decryption was invalid
>         at
> org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(
> SignatureProcessor.java:450)
>         at
> org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(
> SignatureProcessor.java:224)
>         at
> org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(
> WSSecurityEngine.java:428)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(
> WSS4JInInterceptor.java:278)
>         ... 34 more
>
>
> Some options we tried and the conclusion from these options:
> 1) The exact settings mentioned above work fine with cxf 3.0.5 but not for
> 3.0.6 - 3.0.11. We have not tried 3.1.x.
>
> 2) In cxf 3.0.6 Adding <sp:Attachment/> to <sp:SignedParts> element does
> not
> help; We still get the same exception.
>
> 2) In cxf 3.0.6, if we remove <sp:Body/> from the <sp:SignedParts> element
> then it works fine.
>
>
> Any pointers on what is going on here and how to fix it will be greatly
> appreciated.
>
> Thanks.
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.
> com/CXF-3-0-6-MTOM-WS-Security-Exception-tp5774657.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

--001a114b3c946cbfa70540ef9eed--