WSS4J caches the UsernameToken nonces to prevent someone capturing and replaying the messages. Was the same message sent twice in a row or something? If you really need to, you can disable the caching via "ws-security.enable.nonce.cache" (See https://cxf.apache.org/docs/ws-securitypolicy.html).
Colm.

On Tue, Apr 7, 2020 at 3:29 PM UMA JALADI <[email protected]> wrote:

> wsse:Security> header (An error happened processing a Username Token “A replay attack has been detected”) ]
>
> We are using Apache CXF and Apache WSS4J suddenly in the production
> environment the invocation of web services is failing and getting the
> following exception:
>
> 2020-03-12 04:04:59,874 [catalina-exec-8] ERROR us.BaseWSS4JInInterceptor Could not handle message with any listed interceptors: **[ An error was discovered processing the <wsse: Security> header. ] [ An error was discovered processing the <wsse: Security> header (An error happened to process a Username Token "A replay attack has been detected") ]**
>
> 2020-03-12 04:04:59,874 [catalina-exec-8] **ERROR ws.BaseWSS4JInInterceptor Could not handle message with any listed interceptors: An error was discovered processing the <wsse:Security> header.
> org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header.**
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:779)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:335)
>     at com.gbac.pay.security.ws.SpringUserWSS4JInInterceptor.handleMessage(SpringUserWSS4JInInterceptor.java:80)
>     at com.gbac.pay.security.ws.BaseWSS4JInInterceptor.handleMessage(BaseWSS4JInInterceptor.java:34)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:94)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:240)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:239)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:213)
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:131)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:266)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:186)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:242)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
>     at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:139)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilter(BasicAuthenticationFilter.java:150)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter.doFilter(DefaultLoginPageGeneratingFilter.java:155)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>     at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>     at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
>     at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
>     at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:344)
>     at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:261)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
>     at org.apache.tomee.catalina.OpenEJBValve.invoke(OpenEJBValve.java:44)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:625)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2517)
>     at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2506)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
> **Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No password callback supplied)**
>     at org.apache.ws.security.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:155)
>     at org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:97)
>     at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:178)
>     at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:67)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:278)
>     ... 71 more
>
> **After Tomcat restart we are not seeing this issue**.
>
> Versions of Jars:
> Tomcat version: apache-tomcat-7.0.67
> Apache CXF: cxf-bundle-2.6.14
> Apache WSS4J: wss4j-1.6.15
>
> Interceptors configurations maintained in applicationContext.xml:
>
> <bean id="logOut" class="org.apache.cxf.interceptor.LoggingOutInterceptor" />
> <bean id="logIn" class="org.apache.cxf.interceptor.LoggingInInterceptor" />
>
> <bean id="wss4jInInterceptor"
>       class="com.gbac.*.security.ws.BaseWSS4JInInterceptor"
>       scope="singleton">
>     <property name="interceptors">
>         <list>
>             <ref bean="wss4jSpringUserInInterceptor"/>
>             <ref bean="wss4jX509InInterceptor"/>
>         </list>
>     </property>
> </bean>
>
> <bean id="wss4jSpringUserInInterceptor"
>       class="com.gbac.*.security.ws.SpringUserWSS4JInInterceptor"
>       scope="singleton">
>     <property name="properties">
>         <map>
>             <entry key="action" value="UsernameToken" />
>             <entry key="passwordType" value="PasswordDigest" />
>         </map>
>     </property>
> </bean>
>
> <bean id="wss4jX509InInterceptor"
>       class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>     <constructor-arg>
>         <map>
>             <entry key="timeToLive" value="3600"/>
>             <entry key="action" value="Signature Timestamp"/>
>             <entry key="signaturePropFile" value="serviceKeystore.properties"/>
>             <entry key="decryptionPropFile" value="serviceKeystore.properties"/>
>             <entry key="passwordCallbackClass" value="com.gbac.*.security.ws.ServiceKeystorePasswordCallback"/>
>         </map>
>     </constructor-arg>
> </bean>
>
> <bean id="wss4jOut"
>       class="com.gbac.*.security.ws.SpringUserWSS4JOutInterceptor">
>     <constructor-arg>
>         <map>
>             <entry key="action" value="UsernameToken" />
>             <entry key="passwordType" value="PasswordDigest" />
>             <entry key="passwordCallbackRef" value-ref="webServicePasswordCallback"/>
>         </map>
>     </constructor-arg>
> </bean>
>
> <bean id="webServicePasswordCallback"
>       class="com.gbac.*.security.ws.SpringUserWSPasswordCallback"
>       scope="singleton">
> </bean>
>
> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
>       id="wss4jX509OutSoap12">
>     <constructor-arg>
>         <map>
>             <entry key="action" value="Signature Timestamp"/>
>             <entry key="user" value="xpayclientkey"/>
>             <entry key="signaturePropFile" value="clientKeystore.properties"/>
>             <entry key="encryptionPropFile" value="clientKeystore.properties"/>
>             <entry key="encryptionUser" value="xpayservicekey"/>
>             <entry key="passwordCallbackClass" value="com.gbac.pay.security.ws.ClientKeystorePasswordCallback"/>
>             <entry key="signatureParts" value="{Element}{http://www.w3.org/2003/05/soap-envelope}Body"/>
>             <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>         </map>
>     </constructor-arg>
> </bean>
>
> <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
>       id="wss4jX509Out">
>     <constructor-arg>
>         <map>
>             <entry key="action" value="Signature Timestamp"/>
>             <entry key="user" value="xpayclientkey"/>
>             <entry key="signaturePropFile" value="clientKeystore.properties"/>
>             <entry key="encryptionPropFile" value="clientKeystore.properties"/>
>             <entry key="encryptionUser" value="xpayservicekey"/>
>             <entry key="passwordCallbackClass" value="com.gbac.*.security.ws.ClientKeystorePasswordCallback"/>
>             <entry key="signatureParts" value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>             <entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>         </map>
>     </constructor-arg>
> </bean>
>
> And the declaration of web Service in applicationContext.xml is as follows:
>
> <bean id="CDSUpdateWebService"
>       class="com.gbac.*.cds.model.service.ICDSUpdateWebService"
>       factory-bean="CDSUpdateServiceProxyFactory"
>       factory-method="create"
>       scope="prototype" lazy-init="true" />
>
> <bean id="UpdateServiceProxyFactory"
>       class="com.gbac.*.utility.impl.ConfigBasedWsProxyFactoryBean"
>       init-method="init" scope="prototype" lazy-init="true">
>     <property name="connectionConfig" ref="ConnectionConfiguration"></property>
>     <property name="serviceClass" value="com.gbac.*.cds.model.service.ICDSUpdateWebService" />
>     <property name="wsLogicalHost" value="commonDataWeb" />
>     <property name="address" value="/commonDataWeb/CDSUpdateService" />
>     <property name="bus" ref="cxf"/>
>     <property name="inInterceptors">
>         <list>
>             <ref bean="logIn" />
>         </list>
>     </property>
>     <property name="outInterceptors">
>         <list>
>             <ref bean="logOut" />
>             <ref bean="wss4jOut"/>
>         </list>
>     </property>
> </bean>
>
> Any suggestions on why I'm facing the issue suddenly, and after tomcat
> restart we are not facing the issue.
>
> --
> Sent from: http://cxf.547215.n5.nabble.com/cxf-dev-f569328.html
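
The nonce caching mentioned in the reply, sketched as an added example that is not part of the original thread and is not WSS4J's own code. It assumes a plain in-memory map keyed by nonce and a 300-second lifetime; the class name, password and timestamps are constructed for illustration, and WSS4J's real cache may be configured differently.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical demo class: a receiver-side check for a PasswordDigest UsernameToken.
public class NonceReplayDemo {
    private final Map<String, Instant> seen = new ConcurrentHashMap<>(); // nonce -> expiry
    private final long ttlSeconds;

    NonceReplayDemo(long ttlSeconds) { this.ttlSeconds = ttlSeconds; }

    // UsernameToken Profile: PasswordDigest = Base64(SHA-1(nonce + created + password))
    static String digest(byte[] nonce, String created, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        sha1.update(nonce);
        sha1.update(created.getBytes(StandardCharsets.UTF_8));
        sha1.update(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(sha1.digest());
    }

    String validate(String nonceB64, String created, String sent, String password, Instant now)
            throws Exception {
        String expected = digest(Base64.getDecoder().decode(nonceB64), created, password);
        if (!MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                   sent.getBytes(StandardCharsets.UTF_8))) return "BAD_DIGEST";
        // Tokens older than the TTL are rejected outright, so the cache never
        // has to remember a nonce for longer than ttlSeconds.
        if (Instant.parse(created).plusSeconds(ttlSeconds).isBefore(now)) return "STALE";
        seen.values().removeIf(expiry -> expiry.isBefore(now)); // drop expired entries
        Instant previous = seen.putIfAbsent(nonceB64, now.plusSeconds(ttlSeconds));
        return previous == null ? "OK" : "REPLAY";
    }

    public static void main(String[] args) throws Exception {
        String password = "constructed-password"; // constructed sample value
        byte[] raw = new byte[16];
        new SecureRandom().nextBytes(raw);
        String nonce = Base64.getEncoder().encodeToString(raw);
        Instant t0 = Instant.parse("2020-03-12T04:04:59Z"); // constructed timestamp
        String created = t0.toString();
        String d = digest(raw, created, password);

        NonceReplayDemo server = new NonceReplayDemo(300); // 300 s is an assumed lifetime
        System.out.println(server.validate(nonce, created, d, password, t0));                  // first delivery
        System.out.println(server.validate(nonce, created, d, password, t0.plusSeconds(1)));   // same message resent
        System.out.println(server.validate(nonce, created, d, password, t0.plusSeconds(301))); // resent after the TTL
        System.out.println(new NonceReplayDemo(300)
                .validate(nonce, created, d, password, t0.plusSeconds(2)));                     // empty cache instance
    }
}
```

A sender that reuses a nonce, for example by retransmitting an already-built SOAP message, is indistinguishable from a replay at this check, which is why each request needs a freshly generated nonce and Created value.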
