Date: Tue, 8 Jul 2014 14:51:09 +0100
Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later
From: Colm O hEigeartaigh
To: "dev@ws.apache.org"

Are you sure that the commit you referenced above is causing the problem? Rampart trunk fails on that test for me with WSS4J 1.6.4. Rampart 1.6.x branch fails on something else...

If you have time to look into it, you could try checking out that SNAPSHOT version of WSS4J (Before the commit) + check that it works + then apply each change and see what change causes the failure. Ultimately, it looks like Rampart might be at fault, as the response message is not composed properly.

Colm.

On Tue, Jul 8, 2014 at 12:55 PM, <detelinyordanov@gmail.com> wrote:

> Hi everyone,
> Our team worked on new functionality that is to be released with upcoming wss4j 1.6.16 (WSS-500 & WSS-501). We have managed to integrate this functionality within Apache Rampart 1.6.2 and are willing to contribute the necessary pieces there as well. However, so far we have been using wss4j 1.6.4 + the corresponding patches and they seem to work fine with Rampart 1.6.2.
> Once I saw the vote for releasing wss4j 1.6.16, I decided to try to build Rampart 1.6.2 against it, just to make sure it can adopt this new version in near future.
> However, I stumbled upon a test failure in Rampart integration module, which I managed to track down to a specific commit in wss4j. The commit is quite old, it is released in wss4j 1.6.5 (latest Rampart uses 1.6.4). The change that causes trouble is the following:
>
> http://svn.apache.org/viewvc?view=revision&revision=1294114
>
> Log message says "Only decrypt a Data Reference in the ReferenceListProcessor, if it hasn't already been decrypted by the EncryptedDataProcessor".
>
> The specific Rampart test that fails is "org.apache.rampart.RampartTest#testWithPolicy()" using the following security policy:
>
> http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/7.xml
>
> I'm attaching the SOAP request and response (request.xml and response.xml), the actual error message is on the client side, when processing the response from the service:
> java.lang.StringIndexOutOfBoundsException: String index out of range: 0
>     at java.lang.String.charAt(String.java:658)
>     at org.apache.ws.security.WSDocInfo.getResult(WSDocInfo.java:225)
>     at org.apache.ws.security.str.DerivedKeyTokenSTRParser.parseSecurityTokenReference(DerivedKeyTokenSTRParser.java:90)
>     at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:53)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:398)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:147)
>
> The stack trace is generated using wss4j revision 1294114.
>
> It can be seen that the response contains invalid references (URI not correctly set):
>
> <wsse:SecurityTokenReference ...  wsu:Id="STR-AA4ACE8415228CCC8E140481886870110">
>     <wsse:Reference URI="#"  ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
> </wsse:SecurityTokenReference>
>
> I'm now trying to figure out what is the root cause of this and whether the problem is on the wss4j side or on Rampart's side, but I would be glad if anyone more experienced takes a look into this and provides some feedback.
>
> Thanks!
>
>    Detelin

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
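
An added example (not part of the original thread, and not WSS4J or Rampart code): a small Python check that scans a WS-Security message, such as the response.xml mentioned above, for wsse:Reference URIs with an empty or unresolved fragment like the URI="#" shown in the quoted message. The sample message, the "STR-ok"/"STR-dangling"/"EK-*" ids and the function name check_str_references are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: one empty reference (as in the thread), one valid, one dangling.
SAMPLE = """<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptedKey Id="EK-1"/>
  <wsse:SecurityTokenReference wsu:Id="STR-AA4ACE8415228CCC8E140481886870110">
    <wsse:Reference URI="#" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
  </wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="STR-ok">
    <wsse:Reference URI="#EK-1"/>
  </wsse:SecurityTokenReference>
  <wsse:SecurityTokenReference wsu:Id="STR-dangling">
    <wsse:Reference URI="#EK-2"/>
  </wsse:SecurityTokenReference>
</wsse:Security>""" % (WSSE, WSU)


def check_str_references(xml_text):
    """Return (str_id, uri, problem) for each wsse:Reference inside a
    SecurityTokenReference whose URI is absent, is a bare "#", or is a
    same-document fragment that matches no wsu:Id / Id in the message."""
    root = ET.fromstring(xml_text)
    # Every wsu:Id and unqualified Id in the message is a possible target.
    known_ids = set()
    for el in root.iter():
        for attr in ("{%s}Id" % WSU, "Id"):
            if el.get(attr):
                known_ids.add(el.get(attr))
    findings = []
    for str_el in root.iter("{%s}SecurityTokenReference" % WSSE):
        str_id = str_el.get("{%s}Id" % WSU, "(no wsu:Id)")
        for ref in str_el.findall("{%s}Reference" % WSSE):
            uri = ref.get("URI")
            if not uri:
                findings.append((str_id, uri, "missing or empty URI"))
            elif uri == "#":
                findings.append((str_id, uri, "empty fragment"))
            elif uri.startswith("#") and uri[1:] not in known_ids:
                findings.append((str_id, uri, "unresolved fragment"))
            # URIs that are not same-document fragments are not checked here.
    return findings


if __name__ == "__main__":
    for finding in check_str_references(SAMPLE):
        print(finding)
```

Running it on a captured response before handing the message to the security engine shows which SecurityTokenReference carries the malformed reference, which helps decide whether the sender composed the message incorrectly.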