From: detelinyordanov@gmail.com
To: "dev@ws.apache.org", Martin Gainty
Date: Fri, 11 Jul 2014 13:51:01 +0300
Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later

Hi again,
I opened a request in Rampart JIRA to upgrade to wss4j 1.6.16: RAMPART-415. I provided the patch there and also mentioned another issue which I discovered after applying the workaround for the empty Ids.

Regards,
Detelin

On Fri, Jul 11, 2014 at 2:21 AM, <detelinyordanov@gmail.com> wrote:

> Hi Martin,
> What about this one - it would log empty ids with debug level:
>
> Index: > modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java > =================================================================== > --- > modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java > (revision 1609336) > +++ > modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java > (working copy) > @@ -1472,7 +1472,12 @@ > > String encrKeyId = (String) > wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID); > if (actInt == WSConstants.ENCR && > encrKeyId != null) { > - return encrKeyId; > + if (encrKeyId.length() > 0) { > + return encrKeyId; > + } > + else if (log.isDebugEnabled()) { > + log.debug("Found encryption security processing > result with empty id, skipping it: " + wsSecEngineResult); > + } > } > } > }
>
> Regards,
> Detelin
>
>
> On Thu, Jul 10, 2014 at 2:30 AM, Martin Gainty <mgainty@hotmail.com> wrote:
>
>>
>> ------------------------------
>> Date: Wed, 9 Jul 2014 22:48:36 +0300
>> Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later
>> From: detelinyordanov@gmail.com
>> To: mgainty@hotmail.com
>> CC: dev@ws.apache.org
>>
>> Hi Martin,
>> I think that the code you are referring to is in SymmetricBindingBuilder and it indeed checks if the Id is empty. However, the one in RampartUtil.getRequestEncryptedKeyId() does not do so. The fix is to add a check for empty Id there as well:
>>
>> Index: >> modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java >> =================================================================== >> --- >> modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java >> (revision 1608682) >> +++ >> modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java >> (working copy)
>> @@ -1471,7 +1471,7 @@ >> Integer actInt = (Integer) >> wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION); >> String encrKeyId = (String) >> wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID); >> if (actInt == WSConstants.ENCR && >> - encrKeyId != null) { >> + encrKeyId != null && encrKeyId.length() > 0) { >> return encrKeyId; >> } >> }
>>
>> MG>good that you are not using a null Id ..BETTER if you tell the op they have a NULL ID
>> MG>wsu spec is here
>> MG>http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>>
>> This fix would be needed if/when Rampart upgrades to wss4j version higher than 1.6.4. Once wss4j 1.6.17 is released, the fix will no longer be needed, but it still does not hurt to have it there. Would you like me to open a jira issue about this in Rampart? I was planning to file a request for wss4j upgrade in Rampart and I could mention this issue there and attach the above patch.
>> MG>good idea *if* you log the error otherwise the next guy that implements Rampart will run into the same problem
>>
>> Regards,
>> Detelin
>> MG>Regards
>> MG>Martin
>>
>>
>> On Wed, Jul 9, 2014 at 5:05 PM, Martin Gainty <mgainty@hotmail.com> wrote:
>>
>> ------------------------------
>> Date: Wed, 9 Jul 2014 14:23:47 +0100
>> Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later
>> From: coheigea@apache.org
>> To: detelinyordanov@gmail.com
>> CC: dev@ws.apache.org
>>
>>
>> Well the thing is that WSS4J 1.6.16 was just released, and so the next release won't happen for a couple of months probably. So if you want to see a Rampart release before then, you could just submit a patch to check that the Id isn't empty.
>>
>> Colm.
>>
>>
>> On Wed, Jul 9, 2014 at 1:32 PM, <detelinyordanov@gmail.com> wrote:
>>
>> I can open a defect in Rampart, but I'm not sure what should be the proposed change there - I was thinking that it can check for empty id tag and skip the result, but if wss4j does not generate results with empty id anymore, this will not be required. Rampart uses the following code to identify the encryption key id from the request, for which a response is generated:
>>
>> for (WSSecurityEngineResult wsSecEngineResult : wsSecEngineResults) {
>>     Integer actInt = (Integer) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);
>>     String encrKeyId = (String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
>>     if (actInt == WSConstants.ENCR && encrKeyId != null) {
>>         return encrKeyId;
>>     }
>> }
>>
>> If you think the above is improper or can be improved, just let me know and I will follow up with Rampart devs.
>>
>> Detelin
>>
>> MG>the rampart distro that accompanies Axis2-1.6.2 detected the missing tag 'id'
>>
>>     for (WSSecurityEngineResult wsSecEngineResult : wsSecEngineResults) {
>>         Integer actInt = (Integer) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);
>>         if (actInt == WSConstants.ENCR) {
>>             if (wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID) != null &&
>>                     ((String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID)).length() != 0) {
>>                 try {
>>                     String encryptedKeyID = (String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
>>
>>                     Date created = new Date();
>>                     Date expires = new Date();
>>                     expires.setTime(System.currentTimeMillis() + 300000);
>>                     EncryptedKeyToken tempTok = new EncryptedKeyToken(encryptedKeyID, created, expires);
>>                     tempTok.setSecret((byte[]) wsSecEngineResult.get(WSSecurityEngineResult.TAG_SECRET));
>>                     tempTok.setSHA1(getSHA1((byte[]) wsSecEngineResult.
>>                             get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));
>>                     rmd.getTokenStorage().add(tempTok);
>>
>>                     return encryptedKeyID;
>>
>>                 } catch (TrustException e) {
>>                     throw new RampartException("errorInAddingTokenIntoStore");
>>                 }
>> MG>I would add an else condition to toss a message to the op
>>                 else
>>                 {
>>                     throw new RampartException("security_engine_result_missing_id");
>>                 }
>> MG>end else
>> MG>errors.properties would contain new entry:
>>     security_engine_result_missing_id=Rampart Security Engine Result is missing 'id' token element
>> MG>if you make the suggestion for correction I will follow thru and make sure it gets implemented
>> MG>https://issues.apache.org/jira/browse
>> MG>Thanks Detelin,
>> MG>Martin
>>
>>
>> On Wed, Jul 9, 2014 at 12:45 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>>
>>
>> Thanks for the investigation. It turns out Maven 3.0.x is required to build Rampart.
>>
>> I've merged a "fix" for this issue in WSS4J, where we don't store the token Id if it is an empty String. IMO Rampart should also be fixed.
>>
>> Colm.
>>
>>
>> On Tue, Jul 8, 2014 at 6:03 PM, <detelinyordanov@gmail.com> wrote:
>>
>> I have not seen these, probably it is the "copy-mars" execution in the integration module that is causing them. It could be some dependency resolution problem for "mar" artifacts, I'm using Maven 3.0.4 and did not experience such issues.
>>
>> I have some more input on the problem - I think that the introduction of an "id" tag for reference list results is confusing Rampart, specifically the first change here:
>>
>> http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java?r1=1294114&r2=1294113&pathrev=1294114
>>
>> In the example request that I attached, there is a ReferenceList element that looks like this:
>>
>> <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:DataReference URI="#ED-5"/></xenc:ReferenceList>
>>
>> When processing this, the ReferenceListProcessor with the mentioned change now creates a result instance, but with an empty "id" tag, since the ReferenceList element does not have "Id" attribute. The result object looks like this:
>>
>> {id=, data-ref-uris=[org.apache.ws.security.WSDataRef@3e9c6879], action=4, validated-token=false}
>>
>> When generating the response, Rampart's AsymmetricBindingBuilder searches for the encrypted key by iterating over the results list and checking for a result with action=4 (ENCR) and a non-empty id tag, see AsymmetricBindingBuilder.setupEncryptedKey and RampartUtil.getRequestEncryptedKeyId methods:
>>
>> http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java?view=markup#l868
>> http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?view=markup#l1442
>>
>> Apparently, it now picks up the result of the ReferenceListProcessor since it has an "id" tag, but since it has empty value, the "AsymmetricBindingBuilder.encryptedKeyId" field is also left out empty and this leads to missing token in response...
>> Commenting out the line in the ReferenceListProcessor that adds the "id" tag fixes the issue - Rampart then properly finds the result of the DerivedKeyTokenProcessor and not the one of the ReferenceListProcessor.
>>
>> Now the question is whether this has to be fixed in Rampart or in WSS4J?
>>
>> Regards,
>> Detelin
>>
>>
>> On Tue, Jul 8, 2014 at 6:39 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>>
>> I keep getting these "Could not find file .../target/artifacts/addressing-1.6.3-SNAPSHOT.mar to copy" type errors on the 1.6.x branch. How do I work around this?
>>
>> Colm.
>>
>>
>> On Tue, Jul 8, 2014 at 4:21 PM, <detelinyordanov@gmail.com> wrote:
>>
>> Hi Colm,
>> What I did so far is to check out Rampart (I have tried both trunk and 1.6 branches), increase the wss4j dependency to 1.6.5 and run "mvn clean package -Dtest=RampartTest". This fails on the "Testing WS-Sec: custom scenario 7" with the error I described. Switching the dependency back to 1.6.4 fixes this issue, but still there is one additional scenario (28) which is failing, however I presume it is not related with wss4j but probably with Axiom.
>>
>> I have checked out wss4j 1.6.x branch and built it locally, then switched Rampart to this version and re-executed the tests. The tests succeeded up until the point I switched to wss4j revision 1294114. With previous 1294094 revision, this scenario is working fine.
>>
>> I was thinking it might be related with changes of other dependencies, but I doubt this is the case, since this revision does not introduce dependency changes.
>>
>> I will continue with the investigation and let you know once I have more information.
>>
>> Thanks,
>> Detelin
>>
>>
>> On Tue, Jul 8, 2014 at 4:51 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>>
>>
>> Are you sure that the commit you referenced above is causing the problem? Rampart trunk fails on that test for me with WSS4J 1.6.4. Rampart 1.6.x branch fails on something else...
>>
>> If you have time to look into it, you could try checking out that SNAPSHOT version of WSS4J (Before the commit) + check that it works + then apply each change and see what change causes the failure. Ultimately, it looks like Rampart might be at fault, as the response message is not composed properly
>>
>> Colm.
>>
>>
>> On Tue, Jul 8, 2014 at 12:55 PM, wrote:
>>
>> Hi everyone,
>> Our team worked on new functionality that is to be released with upcoming wss4j 1.6.16 (WSS-500 & WSS-501). We have managed to integrate this functionality within Apache Rampart 1.6.2 and are willing to contribute the necessary pieces there as well. However, so far we have been using wss4j 1.6.4 + the corresponding patches and they seem to work fine with Rampart 1.6.2.
>> Once I saw the vote for releasing wss4j 1.6.16, I decided to try to build Rampart 1.6.2 against it, just to make sure it can adopt this new version in near future.
>> However, I stumbled upon a test failure in Rampart integration module, which I managed to track down to a specific commit in wss4j. The commit is quite old, it is released in wss4j 1.6.5 (latest Rampart uses 1.6.4). The change that causes trouble is the following:
>>
>> http://svn.apache.org/viewvc?view=revision&revision=1294114
>>
>> Log message says "Only decrypt a Data Reference in the ReferenceListProcessor, if it hasn't already been decrypted by the EncryptedDataProcessor".
>>
>> The specific Rampart test that fails is "org.apache.rampart.RampartTest#testWithPolicy()" using the following security policy:
>>
>> http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/7.xml
>>
>> I'm attaching the SOAP request and response (request.xml and response.xml), the actual error message is on the client side, when processing the response from the service:
>> java.lang.StringIndexOutOfBoundsException: String index out of range: 0
>>     at java.lang.String.charAt(String.java:658)
>>     at org.apache.ws.security.WSDocInfo.getResult(WSDocInfo.java:225)
>>     at org.apache.ws.security.str.DerivedKeyTokenSTRParser.parseSecurityTokenReference(DerivedKeyTokenSTRParser.java:90)
>>     at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:53)
>>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:398)
>>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
>>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
>>     at org.apache.rampart.RampartEngine.process(RampartEngine.java:147)
>>
>> The stack trace is generated using wss4j revision 1294114.
>>
>> It can be seen that the response contains invalid references (URI not correctly set):
>>
>> > wsu:Id="STR-AA4ACE8415228CCC8E140481886870110">
>> > />
>>
>>
>> I'm now trying to figure out what is the root cause of this and whether the problem is on the wss4j side or on Rampart's side, but I would be glad if anyone more experienced takes a look into this and provides some feedback.
>>
>> Thanks!
>>
>> Detelin
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
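
Review bot: in the `@@ -1472,7 +1472,12 @@` hunk (against revision 1609336), the added `log.debug(...)` call concatenates the whole `wsSecEngineResult` into the message. Results of this action type can carry `TAG_SECRET` and `TAG_ENCRYPTED_EPHEMERAL_KEY` entries, as the code quoted later in this thread reads them from the same kind of object, so I would log only the action and the fact that the id was empty instead of the full result. Because the message sits behind `log.isDebugEnabled()`, a deployment running at the default level still gets no sign that a result was skipped; a one-line warning without the result contents would cover the request made earlier in the thread to tell the operator.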
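
Review bot: in the `@@ -1471,7 +1471,7 @@` hunk (against revision 1608682), the new condition `encrKeyId != null && encrKeyId.length() > 0` drops the empty-id result without any trace, and an id made only of whitespace still passes it. I would add a log line on the skipped path and decide explicitly whether a blank id should count as empty. The context line `if (actInt == WSConstants.ENCR &&` also compares an `Integer` read from the result map using `==`; writing `actInt != null && actInt.intValue() == WSConstants.ENCR` states the intent and removes the dependence on `actInt` being present.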
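
The selection problem described in the thread, as an added example that is not part of the original messages and is not Rampart or WSS4J code. Plain maps stand in for WSSecurityEngineResult, the keys and the ENCR value follow the result dump quoted in the thread, and the class name, method names, the `DKT-constructed-1` id and the `stripFragmentMarker` helper are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration: plain maps stand in for WSSecurityEngineResult.
// No WSS4J or Rampart classes are used; all names here are hypothetical.
public class EncryptedKeyIdSelection {

    // Keys and the ENCR value follow the result dump quoted in the thread:
    // {id=, data-ref-uris=[...], action=4, validated-token=false}
    static final String TAG_ID = "id";
    static final String TAG_ACTION = "action";
    static final int ENCR = 4;

    // Selection with only a null check on the id (behaviour before the patch).
    static String selectNullCheckOnly(List<Map<String, Object>> results) {
        for (Map<String, Object> result : results) {
            Integer action = (Integer) result.get(TAG_ACTION);
            String id = (String) result.get(TAG_ID);
            if (action != null && action.intValue() == ENCR && id != null) {
                return id; // an empty id is accepted here
            }
        }
        return null;
    }

    // Selection that also skips empty ids (behaviour after the patch).
    static String selectNonEmpty(List<Map<String, Object>> results) {
        for (Map<String, Object> result : results) {
            Integer action = (Integer) result.get(TAG_ACTION);
            String id = (String) result.get(TAG_ID);
            if (action != null && action.intValue() == ENCR && id != null) {
                if (id.length() > 0) {
                    return id;
                }
                // Report the skip without dumping the whole result.
                System.out.println("skipping ENCR result with empty id");
            }
        }
        return null;
    }

    // Hypothetical consumer of the id: it looks at the first character to
    // strip a leading '#', so an empty string fails with
    // StringIndexOutOfBoundsException, the exception type in the reported trace.
    static String stripFragmentMarker(String reference) {
        return reference.charAt(0) == '#' ? reference.substring(1) : reference;
    }

    static Map<String, Object> result(int action, String id) {
        Map<String, Object> r = new LinkedHashMap<String, Object>();
        r.put(TAG_ID, id);
        r.put(TAG_ACTION, Integer.valueOf(action));
        return r;
    }

    public static void main(String[] args) {
        // Constructed sample: the reference-list result (empty id) comes first,
        // followed by the result that actually identifies the key.
        List<Map<String, Object>> results = new ArrayList<Map<String, Object>>();
        results.add(result(ENCR, ""));
        results.add(result(ENCR, "DKT-constructed-1"));

        String before = selectNullCheckOnly(results);
        String after = selectNonEmpty(results);
        System.out.println("null check only -> \"" + before + "\"");
        System.out.println("non-empty check -> \"" + after + "\"");

        try {
            stripFragmentMarker(before);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("empty id downstream: " + e);
        }
        System.out.println("usable id downstream: " + stripFragmentMarker("#" + after));
    }
}
```

With the constructed list, the null-check-only selection returns the empty string from the first result, while the non-empty check reaches the second result.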
Hi again,
=C2=A0=C2=A0 I opened a request in = Rampart JIRA to upgrade to wss4j 1.6.16: RAMPART-415. I provided the patch there, al= so mentioned about another issue which I discovered after applying the work= around for the empty Ids.

Regards,
=C2=A0=C2=A0 Detelin


On Fri, Jul 11, 2014 at 2:21 A= M, <detelinyordanov@gmail.com> wrote:
Hi Martin,
=C2=A0 What about this one - it would log empty ids with debug level:
Index: modules/rampart-core/src/main/java/org/apache/rampart/util/Ramp= artUtil.java
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.= java=C2=A0=C2=A0=C2=A0 (revision 1609336)
+++ modules/rampart-core/src/m= ain/java/org/apache/rampart/util/RampartUtil.java=C2=A0=C2=A0=C2=A0 (workin= g copy)
@@ -1472,7 +1472,12 @@

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 String encrKeyId =3D (String) wsSecEngineResult.get(W= SSecurityEngineResult.TAG_ID);
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (actInt =3D=3D= WSConstants.ENCR &&
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0 encrKeyId !=3D null) {
-=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0 return encrKeyId;
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (encrKeyId.length() > 0) {=
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 retur= n encrKeyId;
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 }
+=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 else if (log.isDebugEnabled()) {
+=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 log.debug("F= ound encryption security processing result with empty id, skipping it: &quo= t; + wsSecEngineResult);
+=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 }
=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 }
= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 }<= br>=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 }

Reg= ards,
=C2=A0=C2=A0 Detelin


On Thu, Jul 10, 2014 at 2:30 AM, Martin Gainty <mgainty@hotmail.com&= gt; wrote:


Date: Wed, 9 Jul 2014 22:48:36 +0300
Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later
From: detelinyordanov@gmail.com
To: mgainty@hotmai= l.com
CC: dev= @ws.apache.org

Hi Mart= in,
=C2=A0=C2=A0 I think that the code you are referring to is in Symmetr= icBindingBuilder and it indeed checks if the Id is empty. However, the one = in RampartUtil.getRequestEncryptedKeyId() does not do so. The fix is to add= a check for empty Id there as well:

Index: modules/rampart-core/src/main/java/org/apache/rampart/util/Rampa= rtUtil.java
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
--- m= odules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java= =C2=A0=C2=A0=C2=A0 (revision 1608682)
+++ modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.= java=C2=A0=C2=A0=C2=A0 (working copy)
@@ -1471,7 +1471,7 @@
=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 Integer actInt =3D (Integer) wsSecEngineResult.get(WSSecurityE= ngineResult.TAG_ACTION);
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 String encrKeyId =3D (String) wsSecEngineResult.get(W= SSecurityEngineResult.TAG_ID);
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (actInt =3D=3D= WSConstants.ENCR &&
-=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0 encrKeyId !=3D null) {
+=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 encrKeyId !=3D null && encr= KeyId.length() > 0) {
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return encrKeyId;
=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0 }
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 }

MG>good that you are not using a null = Id ..BETTER if you tell the op they have a NULL ID
MG>wsu spec is her= e
MG>http://docs.oasis-open.org= /wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd

This fix would be needed if/when Rampart upgrades to wss4j v= ersion higher than 1.6.4. Once wss4j 1.6.17 is released, the fix will no lo= nger be needed, but it still does not hurt to have it there. Would you like= me to open a jira issue about this in Rampart? I was planning to file a re= quest for wss4j upgrade in Rampart and I could mention this issue there and= attach the above patch.
MG>good idea *if* you log the error otherwise the next guy that im= plements Rampart will run into the same problem

Regards,
=C2=A0=C2=A0 Detelin
MG>Regards
MG>= Martin


On Wed, Jul 9, 2014 at 5:05 PM,= Martin Gainty <mgainty@hotmail.com> wrote:



Date: Wed, 9 Jul 2014 14:23:47 +0100=
Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later
= From: coheigea@apa= che.org
To: deteliny= ordanov@gmail.com
CC: dev@ws.apache.org


Well the thing = is that WSS4J 1.6.16 was just released, and so the next release won't h= appen for a couple of months probably. So if you want to see a Rampart rele= ase before then, you could just submit a patch to check that the Id isn'= ;t empty.

Colm.


On Wed, Jul 9, 2014 at 1:32= PM, <detelinyordanov@gmail.com> wrote:
I can open a defect in Rampart, bu= t I'm not sure what should be the proposed change there - I was thinkin= g that it can check for empty id tag and skip the result, but if wss4j does= not generate results with empty id anymore, this will not be required. Ram= part uses the following code to identify the encryption key id from the req= uest, for which a response in generated:

for (WSSecurityEngineResult wsSecEngineResult : wsSecEngineResults) {=C2=A0=C2=A0=C2=A0 Integer actInt =3D (Integer) wsSecEngineResult.get(WSS= ecurityEngineResult.TAG_ACTION);
=C2=A0=C2=A0=C2=A0 String encrKeyId =3D= (String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
=C2=A0=C2=A0=C2=A0 if (actInt =3D=3D WSConstants.ENCR && encrKeyId = !=3D null) {
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 return encrKeyId= ;
=C2=A0=C2=A0=C2=A0 }
}

If you think the above is impro= per or can be improved, just let me know and I will follow up with Rampart = devs.

Detelin

MG>the rampart distro that accompanies Ax= is2-1.6.2 detected the missing tag 'id'

=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 for (WSSecurityEngineResult wsSe= cEngineResult : wsSecEngineResults) {
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0 Integer actInt =3D (Integer) wsSecEngineResult.get(WSSecuri= tyEngineResult.TAG_ACTION);
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (actInt =3D=3D WS= Constants.ENCR) {
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 if (wsSecEngin= eResult.get(WSSecurityEngineResult.TAG_ID) !=3D null &&
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 ((String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID)= ).length() !=3D 0) {
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 try {
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 String encryptedKeyID =3D (String) wsS= ecEngineResult.get(WSSecurityEngineResult.TAG_ID);

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0 Date created =3D new Date();
=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 Date expire= s =3D new Date();
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 expires.setTime(System.currentTimeMillis(= ) + 300000);
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 EncryptedKeyToken tempTok =3D new EncryptedK= eyToken(encryptedKeyID, created, expires);
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 tempTok.setSecret((byte[]) wsSecEngineResult.get(WSSecurityEng= ineResult.TAG_SECRET));
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 tempTok.setSHA1(getSHA1((byte[]) ws= SecEngineResult.
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0 get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0 rmd.getTokenStorage().add(tempTok);

=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 retur= n encryptedKeyID;

=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0 } catch (TrustException e) {
=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 throw new Ramp= artException("errorInAddingTokenIntoStore");
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 }
MG>= i would add a else condition to toss a message to the op
=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 else
=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 {
=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 throw= new RampartException("security_engine_result_missing_id");
=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 }
MG>= end else
MG>errors.properties would contain new entry:
=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 security_engine_resu= lt_missing_id=3DRampart Security Engine Result is missing 'id' toke= n element
MG>if you make the suggestion for correction I will follow thru and make= sure it gets implemented
MG>https://issues.apache.org/jira/browse
MG= >Thanks Detelin,
MG>Martin


On Wed, Jul 9, 2014 at 12= :45 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:

Thanks for the investigation. = It turns out Maven 3.0.x is required to build Rampart.

I've merged a "fix" for this issue in WSS4J, where = we don't store the token Id if it is an empty String. IMO Rampart shoul= d also be fixed.

Colm.


On Tue, Jul 8, 2014 at 6:03 PM, <detelinyordanov@gmail.com> wrote:
I have not seen these, probably it is the "copy-mars" execution in the integration module that is causing them. It could be some dependency resolution problem for "mar" artifacts, I'm using Maven 3.0.4 and did not experience such issues.

I have some more input on the problem - I think that the introduction of an "id" tag for reference list results is confusing Rampart, specifically the first change here:

http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java?r1=1294114&r2=1294113&pathrev=1294114

In the example request that I attached, there is a ReferenceList element that looks like this:

<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:DataReference URI="#ED-5"/></xenc:ReferenceList>

When processing this, the ReferenceListProcessor with the mentioned change now creates a result instance, but with an empty "id" tag, since the ReferenceList element does not have an "Id" attribute. The result object looks like this:

{id=, data-ref-uris=[org.apache.ws.security.WSDataRef@3e9c6879], action=4, validated-token=false}

When generating the response, Rampart's AsymmetricBindingBuilder searches for the encrypted key by iterating over the results list and checking for a result with action=4 (ENCR) and a non-empty id tag, see AsymmetricBindingBuilder.setupEncryptedKey and RampartUtil.getRequestEncryptedKeyId methods:

http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java?view=markup#l868
http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?view=markup#l1442

Apparently, it now picks up the result of the ReferenceListProcessor since it has an "id" tag, but since it has empty value, the "AsymmetricBindingBuilder.encryptedKeyId" field is also left out empty and this leads to missing token in response...
Commenting out the line in the ReferenceListProcessor that adds the "id" tag fixes the issue - Rampart then properly finds the result of the DerivedKeyTokenProcessor and not the one of the ReferenceListProcessor.

Now the question is whether this has to be fixed in Rampart or in WSS4J?

Regards,
Detelin







On Tue, Jul 8, 2014 at 6:39 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
I keep getting these "Could not find file .../target/artifacts/addressing-1.6.3-SNAPSHOT.mar to copy" type errors on the 1.6.x branch. How do I work around this?

Colm.


On Tue, Jul 8, 2014 at 4:21 PM, <detelinyordanov@gmail.com> wrote:
Hi Colm,
What I did so far is to checkout Rampart (I have tried both trunk and 1.6 branches), increase the wss4j dependency to 1.6.5 and run "mvn clean package -Dtest=RampartTest". This fails on the "Testing WS-Sec: custom scenario 7" with the error I described. Switching the dependency back to 1.6.4 fixes this issue, but still there is one additional scenario (28) which is failing, however I presume it is not related with wss4j but probably with Axiom.

I have checked out wss4j 1.6.x branch and built it locally, then switched Rampart to this version and re-executed the tests. The tests succeeded up until the point I switched to wss4j revision 1294114. With previous 1294094 revision, this scenario is working fine.

I was thinking it might be related with changes of other dependencies, but I doubt this is the case, since this revision does not introduce dependency changes.

I will continue with the investigation and let you know once I have more information.

Thanks,
Detelin

On Tue, Jul 8, 2014 at 4:51 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:

Are you sure that the commit you referenced above is causing the problem? Rampart trunk fails on that test for me with WSS4J 1.6.4. Rampart 1.6.x branch fails on something else...

If you have time to look into it, you could try checking out that SNAPSHOT version of WSS4J (Before the commit) + check that it works + then apply each change and see what change causes the failure. Ultimately, it looks like Rampart might be at fault, as the response message is not composed properly.

Colm.


On Tue, Jul 8, 2014 at 12:55 PM, <detelinyordanov@gmail.com> wrote:
Hi everyone,
Our team worked on new functionality that is to be released with upcoming wss4j 1.6.16 (WSS-500 & WSS-501). We have managed to integrate this functionality within Apache Rampart 1.6.2 and are willing to contribute the necessary pieces there as well. However, so far we have been using wss4j 1.6.4 + the corresponding patches and they seem to work fine with Rampart 1.6.2.
Once I saw the vote for releasing wss4j 1.6.16, I decided to try to build Rampart 1.6.2 against it, just to make sure it can adopt this new version in near future.
However, I stumbled upon a test failure in Rampart integration module, which I managed to track down to a specific commit in wss4j. The commit is quite old, it is released in wss4j 1.6.5 (latest Rampart uses 1.6.4). The change that causes trouble is the following:

http://svn.apache.org/viewvc?view=revision&revision=1294114

Log message says "Only decrypt a Data Reference in the ReferenceListProcessor, if it hasn't already been decrypted by the EncryptedDataProcessor".

The specific Rampart test that fails is "org.apache.rampart.RampartTest#testWithPolicy()" using the following security policy:

http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/7.xml

I'm attaching the SOAP request and response (request.xml and response.xml), the actual error message is on the client side, when processing the response from the service:
java.lang.StringIndexOutOfBoundsException: String index out of range: 0
    at java.lang.String.charAt(String.java:658)
    at org.apache.ws.security.WSDocInfo.getResult(WSDocInfo.java:225)
    at org.apache.ws.security.str.DerivedKeyTokenSTRParser.parseSecurityTokenReference(DerivedKeyTokenSTRParser.java:90)
    at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:53)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:398)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
    at org.apache.rampart.RampartEngine.process(RampartEngine.java:147)

The stack trace is generated using wss4j revision 1294114.

It can be seen that the response contains invalid references (URI not correctly set):

<wsse:SecurityTokenReference ... wsu:Id="STR-AA4ACE8415228CCC8E140481886870110">
    <wsse:Reference URI="#" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
</wsse:SecurityTokenReference>

I'm now trying to figure out what is the root cause of this and whether the problem is on the wss4j side or on Rampart's side, but I would be glad if anyone more experienced takes a look into this and provides some feedback.

Thanks!

Detelin


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
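
The lookup behaviour discussed in this thread, as an added example that is not code from the thread, Rampart or WSS4J: it models the processing results as plain maps and compares a lookup that accepts any non-null id with one that also skips empty ids. The class name, method names, constants standing in for WSConstants.ENCR and the result tags, and the id value "EK-constructed-1" are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class EncryptedKeyIdLookup {
    // Stand-ins for WSConstants.ENCR and the "action"/"id" tags seen in the result dump.
    static final int ENCR = 4;
    static final String TAG_ACTION = "action";
    static final String TAG_ID = "id";

    // Returns the id of the first ENCR result. With skipEmpty=false any non-null id
    // is accepted; with skipEmpty=true an empty id is passed over and the search continues.
    static String encryptedKeyId(List<Map<String, Object>> results, boolean skipEmpty) {
        for (Map<String, Object> r : results) {
            boolean isEncr = Integer.valueOf(ENCR).equals(r.get(TAG_ACTION));
            String id = (String) r.get(TAG_ID);
            if (!isEncr || id == null) {
                continue;
            }
            if (skipEmpty && id.isEmpty()) {
                continue; // an empty id cannot be referenced from the response
            }
            return id;
        }
        return null;
    }

    // Builds one constructed processing result.
    static Map<String, Object> result(int action, String id) {
        Map<String, Object> m = new HashMap<>();
        m.put(TAG_ACTION, action);
        m.put(TAG_ID, id);
        return m;
    }

    public static void main(String[] args) {
        // Constructed sample: a reference-list result with an empty id is listed
        // before the result whose id the response should reference.
        List<Map<String, Object>> results = Arrays.asList(
                result(ENCR, ""),
                result(ENCR, "EK-constructed-1"));

        String permissive = encryptedKeyId(results, false);
        String strict = encryptedKeyId(results, true);

        // The chosen id is what ends up after '#' in the response's Reference URI.
        System.out.println("non-null check only: URI=\"#" + permissive + "\"");
        System.out.println("empty ids skipped:   URI=\"#" + strict + "\"");
    }
}
```

The permissive lookup stops at the empty id, which corresponds to the bare "#" reference shown in the failing response.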