[ An error was discovered processing the <wsse:Security> header (An error happened processing a Username Token "A replay attack has been detected") ]
We are using Apache CXF and Apache WSS4J. Suddenly, in the production environment, the invocation of web services is failing with the following exception:

```
2020-03-12 04:04:59,874 [catalina-exec-8] ERROR ws.BaseWSS4JInInterceptor Could not handle message with any listed interceptors: [ An error was discovered processing the <wsse:Security> header. ] [ An error was discovered processing the <wsse:Security> header (An error happened to process a Username Token "A replay attack has been detected") ]
2020-03-12 04:04:59,874 [catalina-exec-8] ERROR ws.BaseWSS4JInInterceptor Could not handle message with any listed interceptors: An error was discovered processing the <wsse:Security> header.
org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header.
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:779)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:335)
    at com.gbac.pay.security.ws.SpringUserWSS4JInInterceptor.handleMessage(SpringUserWSS4JInInterceptor.java:80)
    at com.gbac.pay.security.ws.BaseWSS4JInInterceptor.handleMessage(BaseWSS4JInInterceptor.java:34)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:94)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:240)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:239)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:213)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:131)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:266)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:186)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:242)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:139)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:155)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
    at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2517)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2506)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No password callback supplied)
    at org.apache.ws.security.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:155)
    at org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:97)
    at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:178)
    at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:67)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:278)
    ... 71 more
```

**After a Tomcat restart we are not seeing this issue.**
Versions of jars:

- Tomcat version: apache-tomcat-7.0.67
- Apache CXF: cxf-bundle-2.6.14
- Apache WSS4J: wss4j-1.6.15

Interceptor configuration maintained in applicationContext.xml:

```xml
<bean id="logOut" class="org.apache.cxf.interceptor.LoggingOutInterceptor" />
<bean id="logIn" class="org.apache.cxf.interceptor.LoggingInInterceptor" />

<bean id="wss4jInInterceptor" class="com.gbac.*.security.ws.BaseWSS4JInInterceptor" scope="singleton">
    <property name="interceptors">
        <list>
            <ref bean="wss4jSpringUserInInterceptor"/>
            <ref bean="wss4jX509InInterceptor"/>
        </list>
    </property>
</bean>

<bean id="wss4jSpringUserInInterceptor" class="com.gbac.*.security.ws.SpringUserWSS4JInInterceptor" scope="singleton">
    <property name="properties">
        <map>
            <entry key="action" value="UsernameToken" />
            <entry key="passwordType" value="PasswordDigest" />
        </map>
    </property>
</bean>

<bean id="wss4jX509InInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
    <constructor-arg>
        <map>
            <entry key="timeToLive" value="3600"/>
            <entry key="action" value="Signature Timestamp"/>
            <entry key="signaturePropFile" value="serviceKeystore.properties"/>
            <entry key="decryptionPropFile" value="serviceKeystore.properties"/>
            <entry key="passwordCallbackClass" value="com.gbac.*.security.ws.ServiceKeystorePasswordCallback"/>
        </map>
    </constructor-arg>
</bean>

<bean id="wss4jOut" class="com.gbac.*.security.ws.SpringUserWSS4JOutInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="UsernameToken" />
            <entry key="passwordType" value="PasswordDigest" />
            <entry key="passwordCallbackRef" value-ref="webServicePasswordCallback"/>
        </map>
    </constructor-arg>
</bean>

<bean id="webServicePasswordCallback" class="com.gbac.*.security.ws.SpringUserWSPasswordCallback" scope="singleton">
</bean>

<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor" id="wss4jX509OutSoap12">
    <constructor-arg>
        <map>
            <entry key="action" value="Signature Timestamp"/>
            <entry key="user" value="xpayclientkey"/>
            <entry key="signaturePropFile" value="clientKeystore.properties"/>
            <entry key="encryptionPropFile" value="clientKeystore.properties"/>
            <entry key="encryptionUser" value="xpayservicekey"/>
            <entry key="passwordCallbackClass" value="com.gbac.pay.security.ws.ClientKeystorePasswordCallback"/>
            <entry key="signatureParts" value="{Element}{http://www.w3.org/2003/05/soap-envelope}Body"/>
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
        </map>
    </constructor-arg>
</bean>

<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor" id="wss4jX509Out">
    <constructor-arg>
        <map>
            <entry key="action" value="Signature Timestamp"/>
            <entry key="user" value="xpayclientkey"/>
            <entry key="signaturePropFile" value="clientKeystore.properties"/>
            <entry key="encryptionPropFile" value="clientKeystore.properties"/>
            <entry key="encryptionUser" value="xpayservicekey"/>
            <entry key="passwordCallbackClass" value="com.gbac.*.security.ws.ClientKeystorePasswordCallback"/>
            <entry key="signatureParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
            <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
        </map>
    </constructor-arg>
</bean>
```

And the declaration of the web service in applicationContext.xml is as follows:

```xml
<bean id="CDSUpdateWebService" class="com.gbac.*.cds.model.service.ICDSUpdateWebService"
      factory-bean="CDSUpdateServiceProxyFactory" factory-method="create"
      scope="prototype" lazy-init="true" />

<bean id="UpdateServiceProxyFactory" class="com.gbac.*.utility.impl.ConfigBasedWsProxyFactoryBean"
      init-method="init" scope="prototype" lazy-init="true">
    <property name="connectionConfig" ref="ConnectionConfiguration"></property>
    <property name="serviceClass" value="com.gbac.*.cds.model.service.ICDSUpdateWebService" />
    <property name="wsLogicalHost" value="commonDataWeb" />
    <property name="address" value="/commonDataWeb/CDSUpdateService" />
    <property name="bus" ref="cxf"/>
    <property name="inInterceptors">
        <list>
            <ref bean="logIn" />
        </list>
    </property>
    <property name="outInterceptors">
        <list>
            <ref bean="logOut" />
            <ref bean="wss4jOut"/>
        </list>
    </property>
</bean>
```

Any suggestions on why I'm suddenly facing this issue, and why we are no longer facing it after a Tomcat restart?

-- Sent from: http://cxf.547215.n5.nabble.com/cxf-dev-f569328.html
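The `Caused by` line in the trace shows `UsernameTokenValidator.verifyDigestPassword` running with no password callback to consult. As an added example (not the poster's code, and not CXF's or WSS4J's own), this is what a WSS4J 1.6 callback handler for an inbound digest UsernameToken looks like and how it is registered on a plain `WSS4JInInterceptor` via `passwordCallbackRef`, the key the posted `wss4jSpringUserInInterceptor` properties do not declare (the custom class may well supply it elsewhere). `lookupPassword` and its single constructed credential are hypothetical stand-ins for a real user store.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

// Added example, not the poster's code. For PasswordDigest, WSS4J asks this handler for the
// clear-text secret of the asserted user, recomputes Base64(SHA-1(nonce + created + password))
// and compares it with the token digest; with no handler it fails with "No password callback supplied".
public class UsernameTokenPasswordCallback implements CallbackHandler {

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "unsupported callback type");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Serve only UsernameToken lookups; keystore and decryption passwords belong to the X.509 callback.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN) {
                throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
            String secret = lookupPassword(pc.getIdentifier());
            // Unknown user: leave the password unset so WSS4J rejects the token rather than digesting "".
            if (secret != null) {
                pc.setPassword(secret);
            }
        }
    }

    // Hypothetical credential lookup with one constructed entry; a real service consults its user store.
    private static String lookupPassword(String username) {
        return "alice".equals(username) ? "constructed-example-secret" : null;
    }

    // Programmatic equivalent of the inbound UsernameToken bean, with the callback registered.
    public static WSS4JInInterceptor inboundUsernameTokenInterceptor() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        props.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
        props.put(WSHandlerConstants.PW_CALLBACK_REF, new UsernameTokenPasswordCallback());
        return new WSS4JInInterceptor(props);
    }
}
```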