cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <markfu...@yahoo.com.INVALID>
Subject RE: Websphere 9 and CXF
Date Wed, 18 Oct 2017 14:17:14 GMT
Hi Colm,

 

I am still working on it, it looks like a different issue than the xml ordering.     Maybe
you can see the issue from this information?

 

Thanks!

 

Mark

 

>From the logs:

 

2017-10-18 10:09:33 - Found encrypted key element

2017-10-18 10:09:38 - Sym Enc Algo: http://www.w3.org/2001/04/xmlenc#rsa-1_5

….

2017-10-18 10:09:41 - The Key transport method does not match the requirement

 

Stack trace:

 

org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the
message

        at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:234)

        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:340)

        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:175)

        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:86)

        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)

        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)

        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)

        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)

        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)

        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)

        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:191)

        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)

        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220)

        at javax.servlet.http.HttpServlet.service(HttpServlet.java:648)

        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)

        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)

        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)

        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)

 

 

From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Wednesday, October 18, 2017 9:44 AM
To: markfuini@yahoo.com
Cc: users@cxf.apache.org
Subject: Re: Websphere 9 and CXF

 

What was the error you saw when you moved the EncryptedKey Element above the EncryptedData
Element? What is actually stored inside the first EncryptedData Element?

Colm.

 

On Wed, Oct 18, 2017 at 1:04 PM, Mark Fuini <markfuini@yahoo.com <mailto:markfuini@yahoo.com>
> wrote:

Thank you so much for getting back to me.  This is an ongoing daily issue for us.

 

The conclusion you came to was my analysis also. 

 

But I not sure the actual xml ordering is part of the spec.  So their xml may be valid.  But
that means web service which use event driven xml parsing are at a disadvantage because the
security node  would have to be completely parsed before assuming the key is not there.

 

Regardless IBM is not going to change their security engine just for me.

 

Any ideas for work around?

 

One idea:

I tried a message change interceptor in cxf on the server side and reordered the encrypted
key to be first element in the security node.  Is this a valid way to resolve it on server
side?  It did not work completely.

 

The missing keyInfo message went away but then I received a security header error.  Can you
please try that with the sample xml or I can resend it?

Any other suggestions?


Thanks again.

On Wed, Oct 18, 2017 at 6:57 AM, Colm O hEigeartaigh

<coheigea@apache.org <mailto:coheigea@apache.org> > wrote:

The problem here is that the EncryptedKey structure, which contains the
ReferenceList pointing to the first EncryptedData structure, is below the
EncryptedData structure. WSS4J parses the security header in order, and so
when it hits the first EncryptedData structure it does not know how to
decrypt it. This is a problem with websphere - the ReferenceList or
EncryptedKey/ReferenceList must be above the EncryptedData element.

Colm.

On Tue, Oct 17, 2017 at 1:08 PM, <markfuini@yahoo.com.invalid <mailto:markfuini@yahoo.com.invalid>
> wrote:

> Hi Colm,
>
> Thanks for the help.  Please take a look at this xml generated by
> websphere 9 (with the exception of the ... where I replaced information)
> and let me know if you can think of any workaround.  To me it seems that
> CXF does not parse the reference list for the EncryptedKey.
>
> Here is the error also:
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>    <soap:Body>
>        <soap:Fault>
>            <faultcode xmlns:ns1="http://ws.apache.org/wss4j
> ">ns1:SecurityError</faultcode>
>            <faultstring>A security error was encountered when verifying
> the message Caused by: EncryptedKey/EncryptedData does not contain
> ds:KeyInfo</faultstring>
>            <detail>
>                <stackTrace xmlns="http://cxf.apache.org/fault">Caused
> by: org.apache.wss4j.common.ext.WSSecurityException:
> EncryptedKey/EncryptedData does not contain ds:KeyInfo
> #*#org.apache.wss4j.dom.processor.EncryptedDataProcessor!handleToken!
> EncryptedDataProcessor.java!75#*#org.apache.wss4j.dom.
> engine.WSSecurityEngine!processSecurityHeader!WSSecurityEngine.java!340#*#
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor!handleMessageInternal!
> WSS4JInInterceptor.java!284#*#org.apache.cxf.ws.security.
> wss4j.WSS4JInInterceptor!handleMessage!WSS4JInInterceptor.java!175#*#
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor!handleMessage!
> WSS4JInInterceptor.java!86#*#org.apache.cxf.phase.PhaseInterceptorChain!
> doIntercept!PhaseInterceptorChain.java!308#*#org.apache.cxf.transport.
> ChainInitiationObserver!onMessage!ChainInitiationObserver.java!
> 121#*#org.apache.cxf.transport.http.AbstractHTTPDestination!invoke!
> AbstractHTTPDestination.java!267#*#org.apache.cxf.transport.servlet.
> ServletController!invokeDestination!ServletController.java!234#*#
> org.apache.cxf.transport.servlet.ServletController!
> invoke!ServletController.java!208#*#org.apache.cxf.transport.servlet.
> ServletController!invoke!ServletController.java!160#*#
> org.apache.cxf.transport.servlet.CXFNonSpringServlet!
> invoke!CXFNonSpringServlet.java!191#*#org.apache.cxf.transport.servlet.
> AbstractHTTPServlet!handleRequest!AbstractHTTPServlet.java!301#*
> #org.apache..cxf.transport.servlet.AbstractHTTPServlet!
> doPost!AbstractHTTPServlet.java!220#*#javax.servlethttp.
> HttpServlet!service!HttpServlet.java!648#*#org..
> apache.cxf.transport.servlet.AbstractHTTPServlet!service!
> AbstractHTTPServlet.java!276#*#org.apache.catalina.core.
> ApplicationFilterChain!internalDoFilter!ApplicationFilterChain.java!
> 291#*#org.apache.catalina.core.ApplicationFilterChain!doFilter!
> ApplicationFilterChain.java!206#*#org.apache.tomcat.
> websocket.server.WsFilter!doFilter!WsFilter.java!52#*#
> org.apache.catalina.core.ApplicationFilterChain!internalDoFilter!
> ApplicationFilterChain..java!239#*#org.apache.catalina.
> core.ApplicationFilterChain!doFilter!ApplicationFilterChain.java!
> 206#*#org.apache.catalina.core.StandardWrapperValve!
> invoke!StandardWrapperValve.java!212#*#org.apache.catalina.core.
> StandardContextValve!invoke!StandardContextValve.java!106#
> *#org.apache.catalina..authenticator.AuthenticatorBase!invoke!
> AuthenticatorBase.java!502#*#org.apache.catalina.core.
> StandardHostValve!invoke!StandardHostValve.java!141#*#
> org.apache.catalina.valves.ErrorReportValve!invoke!
> ErrorReportValve.java!79#*#org.apache.catalina.valves.
> AbstractAccessLogValve!invoke!AbstractAccessLogValve.java!
> 616#*#org.apache.catalina.core.StandardEngineValve!
> invoke!StandardEngineValve.java!88#*#org.apache.catalina.
> connector.CoyoteAdapter!service!CoyoteAdapter.java!
> 521#*#org.apache.coyote.http11.AbstractHttp11Processor!process!
> AbstractHttp11Processor.java!1096#*#org.apachecoyote.AbstractProtocol$
> AbstractConnectionHandler!process!AbstractProtocol.java!
> 674#*#org.apache.tomcat.util.net.NioEndpoint$SocketProcessor!doRun!
> NioEndpoint.java!1500#*#org.apache.tomcat.util.net <http://org.apache.tomcat.util.net>
.
> NioEndpoint$SocketProcessor!run!NioEndpoint.java!1456#*#
> java.util.concurrent.ThreadPoolExecutor!runWorker!
> ThreadPoolExecutor.java!1149#*#java.util.concurrent.
> ThreadPoolExecutor$Worker!run!ThreadPoolExecutor.java!624#*#
> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable!run!
> TaskThread.java!61#*#java.lang.Thread!run!Thread.java!748#*#</stackTrace>
>            </detail>
>        </soap:Fault>
>    </soap:Body>
>
> Mark
>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/
> ">
>    <soapenv:Header>
>        <wsse:Security xmlns:wsse="http://docs.oasis-
> open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> soapenv:mustUnderstand="1">
>            <enc:EncryptedData xmlns:enc="http://www.w3.org/
> 2001/04/xmlenc#" Id="wssecurity_encryption_id_24" Type="
> http://www.w3.org/2001/04/xmlenc#Element">
>                <enc:EncryptionMethod Algorithm="http://www.w3.org/
> 2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
>                <enc:CipherData>
>                    <enc:CipherValue>...</enc:CipherValue>
>                </enc:CipherData>
>            </enc:EncryptedData>
>            <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-
> open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd <http://open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd>
"
> wsu:Id="x509bst_22" EncodingType="http://docs.oasis-open.org/wss/2004/01/
> oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="
> http://docs.oasis-open.org/wss/2004/01/oasis-
> 200401-wss-x509-token-profile-1.0#X509v3">...</wsse:BinarySecurityToken>
>            <wsse:UsernameToken xmlns:wsu="http://docs.oasis-
> open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd <http://open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd>
"
> wsu:Id="unt_20">
>                <wsse:Username>...</wsse:Username>
>                <wsse:Password Type="http://docs.oasis-open.
> org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
> ">...</wsse:Password>
>            </wsse:UsernameToken>
>            <enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc# <http://www.w3.org/2001/04/xmlenc>

> ">
>                <enc:EncryptionMethod Algorithm="http://www.w3.org/
> 2001/04/xmlenc#rsa-1_5"></enc:EncryptionMethod>
>                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig# <http://www.w3.org/2000/09/xmldsig>
">
>                    <wsse:SecurityTokenReference>
>                        <ds:X509Data>
>                            <ds:X509IssuerSerial>
>                                <ds:X509IssuerName>..</ds:X509IssuerName>
>                                <ds:X509SerialNumber>...</ds:
> X509SerialNumber>
>                            </ds:X509IssuerSerial>
>                        </ds:X509Data>
>                    </wsse:SecurityTokenReference>
>                </ds:KeyInfo>
>                <enc:CipherData>
>                    <enc:CipherValue>...</enc:CipherValue>
>                </enc:CipherData>
>                <enc:ReferenceList>
>                    <enc:DataReference URI="#wssecurity_encryption_
> id_24"></enc:DataReference>
>                    <enc:DataReference URI="#wssecurity_encryption_
> id_25"></enc:DataReference>
>                    <enc:DataReference URI="#wssecurity_encryption_
> id_26"></enc:DataReference>
>                </enc:ReferenceList>
>            </enc:EncryptedKey>
>            <enc:EncryptedData xmlns:enc="http://www.w3.org/
> 2001/04/xmlenc#" Id="wssecurity_encryption_id_25" Type="
> http://www.w3.org/2001/04/xmlenc#Element">
>                <enc:EncryptionMethod Algorithm="http://www.w3.org/
> 2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
>                <enc:CipherData>
>                    <enc:CipherValue>...</enc:CipherValue>
>                </enc:CipherData>
>            </enc:EncryptedData>
>        </wsse:Security>
>    </soapenv:Header>
>    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
> 200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wssecurity_signature_
> id_21">
>        <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc# <http://www.w3.org/2001/04/xmlenc>
"
> Id="wssecurity_encryption_id_26" Type="http://www.w3.org/2001/
> 04/xmlenc#Content">
>            <enc:EncryptionMethod Algorithm="http://www.w3.org/
> 2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
>            <enc:CipherData>
>                <enc:CipherValue>...</enc:CipherValue>
>            </enc:CipherData>
>        </enc:EncryptedData>
>    </soapenv:Body>
> </soapenv:Envelope>
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org <mailto:coheigea@apache.org>
]
> Sent: Tuesday, October 17, 2017 5:31 AM
> To: users@cxf.apache.org <mailto:users@cxf.apache.org> 
> Subject: Re: Websphere 9 and CXF
>
> Can you give an example of the websphere request that CXF does not parse
> correctly?
>
> Colm.
>
> On Mon, Oct 16, 2017 at 10:14 PM, <markfuini@yahoo.com.invalid <mailto:markfuini@yahoo.com.invalid>
> wrote:
>
> > Hi,
> >
> >
> >
> > I am trying to get the websphere 9 container's built in security
> > engine to programmatically generate a soap JAX-WS secure client
> > request to a CXF web service.
> >
> >
> >
> > The problem is that websphere's engine is not repeating the
> > EncryptedKey under each EncryptedData element and is using a reference
> > list to minimize how many times this information is in the message.
> >
> >
> >
> > However CXF 3.2.0 and 3.1.7 do not seem to parse the EncryptedKey Info
> > from the reference list and replace them.  So it reports the
> > EncryptedData has no keyInfo element.
> >
> >
> >
> > It seems to be an optimize on IBM's end that Apache CXF has not
> > implemented.
> >
> >
> >
> > Let me know if anyone has had this problem.
> >
> >
> >
> > Thanks in advance,
> >
> >
> >
> > Mark
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com


>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com




-- 

Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message