wsse:Security> header (An error happened processing a Username Token “A
replay attack has been detected”) ]

We are using Apache CXF and Apache WSS4J. Suddenly, in the production
environment, the invocation of web services is failing with the
following exception:
2020-03-12 04:04:59,874 [catalina-exec-8] ERROR us.BaseWSS4JInInterceptor
Could not handle message with any listed interceptors: **[ An error was
discovered processing the <wsse: Security> header. ] [ An error was
discovered processing the <wsse: Security> header (An error happened to
process a Username Token "A replay attack has been detected") ]** 

2020-03-12 04:04:59,874 [catalina-exec-8] **ERROR ws.BaseWSS4JInInterceptor
Could not handle message with any listed interceptors: An error was
discovered processing the <wsse:Security> header.
org.apache.cxf.binding.soap.SoapFault: An error was discovered processing
the <wsse:Security> header.**
        at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:779)
        at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:335)
        at
com.gbac.pay.security.ws.SpringUserWSS4JInInterceptor.handleMessage(SpringUserWSS4JInInterceptor.java:80)
        at
com.gbac.pay.security.ws.BaseWSS4JInInterceptor.handleMessage(BaseWSS4JInInterceptor.java:34)
        at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:94)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:240)
        at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:239)
        at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:213)
        at
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:131)
        at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:266)
        at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:186)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:242)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at 
org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
        at
org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:139)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:155)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
        at
org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at
org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at
org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at
org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
        at
org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
        at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
        at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
        at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
        at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
        at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
        at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
        at
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2517)
        at
org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2506)
        at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
        at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
        at
org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
**Caused by: org.apache.ws.security.WSSecurityException: General security
error (WSSecurityEngine: No password callback supplied)**
        at
org.apache.ws.security.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:155)
        at
org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:97)
        at
org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:178)
        at
org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:67)
        at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:278)
        ... 71 more



**After a Tomcat restart we no longer see this issue**.
Versions of the JARs:
Tomcat version: apache-tomcat-7.0.67
Apache CXF: cxf-bundle-2.6.14
Apache WSS4J: wss4j-1.6.15

Interceptor configuration maintained in applicationContext.xml:
<bean id="logOut" class="org.apache.cxf.interceptor.LoggingOutInterceptor"
/>
        <bean id="logIn" class="org.apache.cxf.interceptor.LoggingInInterceptor"
/>

        <bean id="wss4jInInterceptor"
                class="com.gbac.*.security.ws.BaseWSS4JInInterceptor"
                scope="singleton">
                <property name="interceptors">
                        <list>
                                <ref bean="wss4jSpringUserInInterceptor"/>
                                <ref bean="wss4jX509InInterceptor"/>
                        </list>
                </property>
        </bean>
        
        <bean id="wss4jSpringUserInInterceptor"
                class="com.gbac.*.security.ws.SpringUserWSS4JInInterceptor"
                scope="singleton">
                <property name="properties">
                        <map>
                                <entry key="action" value="UsernameToken" />
                                <entry key="passwordType" 
value="PasswordDigest" />
                        </map>
                </property>
                
        </bean>
        
        <bean 
        id="wss4jX509InInterceptor"
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
        >
        <constructor-arg>
            <map>
                <entry key="timeToLive" value="3600"/>
                <entry key="action" value="Signature Timestamp"/>
                <entry key="signaturePropFile"
value="serviceKeystore.properties"/>
                <entry key="decryptionPropFile"
value="serviceKeystore.properties"/>
                <entry key="passwordCallbackClass"
value="com.gbac.*.security.ws.ServiceKeystorePasswordCallback"/>
            </map>
        </constructor-arg>
    </bean>
        
        <bean id="wss4jOut"
class="com.gbac.*.security.ws.SpringUserWSS4JOutInterceptor">
            <constructor-arg>
                <map>
                        <entry key="action" value="UsernameToken" />
                        <entry key="passwordType" value="PasswordDigest" />
                                <entry key="passwordCallbackRef"
value-ref="webServicePasswordCallback"/>
                </map>
            </constructor-arg>
        </bean>

        <bean id="webServicePasswordCallback"
                class="com.gbac.*.security.ws.SpringUserWSPasswordCallback"
scope="singleton" >
        </bean>

        <bean 
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
        id="wss4jX509OutSoap12">
        <constructor-arg>
            <map>
                <entry key="action" value="Signature Timestamp"/>
                <entry key="user" value="xpayclientkey"/>
                <entry key="signaturePropFile"
value="clientKeystore.properties"/>
                <entry key="encryptionPropFile"
value="clientKeystore.properties"/>
                <entry key="encryptionUser" value="xpayservicekey"/>
                <entry key="passwordCallbackClass"
value="com.gbac.pay.security.ws.ClientKeystorePasswordCallback"/>
                <entry key="signatureParts"
value="{Element}{http://www.w3.org/2003/05/soap-envelope}Body"/>
                <entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            </map>
        </constructor-arg>
    </bean>

        <bean 
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
        id="wss4jX509Out">
        <constructor-arg>
            <map>
                <entry key="action" value="Signature Timestamp"/>
                <entry key="user" value="xpayclientkey"/>
                <entry key="signaturePropFile"
value="clientKeystore.properties"/>
                <entry key="encryptionPropFile"
value="clientKeystore.properties"/>
                <entry key="encryptionUser" value="xpayservicekey"/>
                <entry key="passwordCallbackClass"
value="com.gbac.*.security.ws.ClientKeystorePasswordCallback"/>
                <entry key="signatureParts"
value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                <entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
            </map>
        </constructor-arg>
    </bean>


And the declaration of the web service in applicationContext.xml is as follows:
        <bean id="CDSUpdateWebService"
                class="com.gbac.*.cds.model.service.ICDSUpdateWebService"
                factory-bean="CDSUpdateServiceProxyFactory" 
factory-method="create"
scope="prototype" lazy-init="true" />


        <bean id="UpdateServiceProxyFactory"
                class=" com.gbac.*.utility.impl.ConfigBasedWsProxyFactoryBean"
init-method="init" scope="prototype" lazy-init="true" >
                <property name="connectionConfig"
ref="ConnectionConfiguration"></property>
                <property name="serviceClass"
                        value=" 
com.gbac.*.cds.model.service.ICDSUpdateWebService" />
                <property name="wsLogicalHost"
                        value="commonDataWeb" />
                <property name="address"
                        value="/commonDataWeb/CDSUpdateService" />
                <property name="bus" ref="cxf"/>
                <property name="inInterceptors">
                        <list>
                                <ref bean="logIn" />
                        </list>
                </property>
                <property name="outInterceptors">
                        <list>
                                <ref bean="logOut" />
                                <ref bean="wss4jOut"/>
                        </list>
                </property>
        </bean>
Any suggestions on why I'm suddenly facing this issue, and why we no longer
face it after a Tomcat restart?





