Hi Martin,
What about this one - it would log empty ids with debug level:
Index:
modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
===================================================================
---
modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
(revision 1609336)
+++
modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
(working copy)
@@ -1472,7 +1472,12 @@
String encrKeyId = (String)
wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
if (actInt == WSConstants.ENCR &&
encrKeyId != null) {
- return encrKeyId;
+ if (encrKeyId.length() > 0) {
+ return encrKeyId;
+ }
+ else if (log.isDebugEnabled()) {
+ log.debug("Found encryption security processing
result with empty id, skipping it: " + wsSecEngineResult);
+ }
}
}
}
Regards,
Detelin
On Thu, Jul 10, 2014 at 2:30 AM, Martin Gainty <[email protected]> wrote:
>
> ------------------------------
> Date: Wed, 9 Jul 2014 22:48:36 +0300
>
> Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> Hi Martin,
> I think that the code you are referring to is in
> SymmetricBindingBuilder and it indeed checks if the Id is empty. However,
> the one in RampartUtil.getRequestEncryptedKeyId() does not do so. The fix
> is to add a check for empty Id there as well:
>
> Index:
> modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
> ===================================================================
> ---
> modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
> (revision 1608682)
> +++
> modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
> (working copy)
> @@ -1471,7 +1471,7 @@
> Integer actInt = (Integer)
> wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);
> String encrKeyId = (String)
> wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
> if (actInt == WSConstants.ENCR &&
> - encrKeyId != null) {
> + encrKeyId != null && encrKeyId.length() > 0) {
> return encrKeyId;
> }
> }
>
> MG>good that you are not using a null Id ..BETTER if you tell the op they
> have a NULL ID
> MG>wsu spec is here
> MG>
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>
> This fix would be needed if/when Rampart upgrades to wss4j version higher
> than 1.6.4. Once wss4j 1.6.17 is released, the fix will no longer be
> needed, but it still does not hurt to have it there. Would you like me to
> open a jira issue about this in Rampart? I was planning to file a request
> for wss4j upgrade in Rampart and I could mention this issue there and
> attach the above patch.
> MG>good idea *if* you log the error otherwise the next guy that implements
> Rampart will run into the same problem
>
> Regards,
> Detelin
> MG>Regards
> MG>Martin
>
>
> On Wed, Jul 9, 2014 at 5:05 PM, Martin Gainty <[email protected]> wrote:
>
>
>
> ------------------------------
> Date: Wed, 9 Jul 2014 14:23:47 +0100
> Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
>
> Well the thing is that WSS4J 1.6.16 was just released, and so the next
> release won't happen for a couple of months probably. So if you want to see
> a Rampart release before then, you could just submit a patch to check that
> the Id isn't empty.
>
> Colm.
>
>
> On Wed, Jul 9, 2014 at 1:32 PM, <[email protected]> wrote:
>
> I can open a defect in Rampart, but I'm not sure what should be the
> proposed change there - I was thinking that it can check for empty id tag
> and skip the result, but if wss4j does not generate results with empty id
> anymore, this will not be required. Rampart uses the following code to
> identify the encryption key id from the request, for which a response in
> generated:
>
> for (WSSecurityEngineResult wsSecEngineResult : wsSecEngineResults) {
> Integer actInt = (Integer)
> wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);
> String encrKeyId = (String)
> wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
> if (actInt == WSConstants.ENCR && encrKeyId != null) {
> return encrKeyId;
> }
> }
>
> If you think the above is improper or can be improved, just let me know
> and I will follow up with Rampart devs.
>
> Detelin
>
> MG>the rampart distro that accompanies Axis2-1.6.2 detected the missing
> tag 'id'
>
> for (WSSecurityEngineResult wsSecEngineResult :
> wsSecEngineResults) {
> Integer actInt = (Integer)
> wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);
> if (actInt == WSConstants.ENCR) {
> if
> (wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID) != null &&
> ((String)
> wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID)).length() != 0) {
> try {
> String encryptedKeyID = (String)
> wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
>
> Date created = new Date();
> Date expires = new Date();
> expires.setTime(System.currentTimeMillis() +
> 300000);
> EncryptedKeyToken tempTok = new
> EncryptedKeyToken(encryptedKeyID, created, expires);
> tempTok.setSecret((byte[])
> wsSecEngineResult.get(WSSecurityEngineResult.TAG_SECRET));
> tempTok.setSHA1(getSHA1((byte[])
> wsSecEngineResult.
>
> get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));
> rmd.getTokenStorage().add(tempTok);
>
> return encryptedKeyID;
>
> } catch (TrustException e) {
> throw new
> RampartException("errorInAddingTokenIntoStore");
> }
> MG>i would add a else condition to toss a message to the op
> else
> {
> throw new
> RampartException("security_engine_result_missing_id");
> }
> MG>end else
> MG>errors.properties would contain new entry:
> security_engine_result_missing_id=Rampart Security
> Engine Result is missing 'id' token element
> MG>if you make the suggestion for correction I will follow thru and make
> sure it gets implemented
> MG>https://issues.apache.org/jira/browse
> MG>Thanks Detelin,
> MG>Martin
>
>
> On Wed, Jul 9, 2014 at 12:45 PM, Colm O hEigeartaigh <[email protected]>
> wrote:
>
>
> Thanks for the investigation. It turns out Maven 3.0.x is required to
> build Rampart.
>
> I've merged a "fix" for this issue in WSS4J, where we don't store the
> token Id if it is an empty String. IMO Rampart should also be fixed.
>
> Colm.
>
>
> On Tue, Jul 8, 2014 at 6:03 PM, <[email protected]> wrote:
>
> I have not seen these, probably it is the "copy-mars" execution in the
> integration module that is causing them. It could be some dependency
> resolution problem for "mar" artifacts, I'm using Maven 3.0.4 and did not
> experience such issues.
>
> I have some more input on the problem - I think that the introduction of
> an "id" tag for reference list results is confusing Rampart, specifically
> the first change here:
>
>
> http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java?r1=1294114&r2=1294113&pathrev=1294114
>
> In the example request that I attached, there is a ReferenceList element
> that looks like this:
>
> <xenc:ReferenceList
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";><xenc:DataReference
> URI="#ED-5"/></xenc:ReferenceList>
>
> When processing this, the ReferenceListProcessor with the mentioned change
> now creates a result instance, but with an empty "id" tag, since the
> ReferenceList element does not have "Id" attribute. The result object looks
> like this:
>
> {id=, data-ref-uris=[org.apache.ws.security.WSDataRef@3e9c6879],
> action=4, validated-token=false}
>
> When generating the response, Rampart's AssymetricBindingBuilder searches
> for the encrypted key by iterating over the results list and checking for a
> result with action=4 (ENCR) and a non-empty id tag, see
> AsymmetricBindingBuilder.setupEncryptedKey and
> RampartUtil.getRequestEncryptedKeyId methods:
>
>
> http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java?view=markup#l868
>
> http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?view=markup#l1442
>
> Apparently, it now picks up the result of the ReferenceListProcessor since
> it has an "id" tag, but since it has empty value, the
> "AssymetricBindingBuilder.encryptedKeyId" field is also left out empty and
> this leads to missing token in response...
> Commenting out the line in the ReferenceListProcessor that adds the "id"
> tag fixes the issue - Rampart then properly finds the result of the
> DerivedKeyTokenProcessor and not the one of the ReferenceListProcessor.
>
> Now the question is whether this has to be fixed in Rampart or in WSS4J?
>
> Regards,
> Detelin
>
>
>
>
>
>
>
> On Tue, Jul 8, 2014 at 6:39 PM, Colm O hEigeartaigh <[email protected]>
> wrote:
>
> I keep getting these "Could not find file
> .../target/artifacts/addressing-1.6.3-SNAPSHOT.mar to copy" type errors on
> the 1.6.x branch. How do I work around this?
>
> Colm.
>
>
> On Tue, Jul 8, 2014 at 4:21 PM, <[email protected]> wrote:
>
> Hi Colm,
> What I did so far is to checkout Rampart (I have tried both trunk and
> 1.6 branches), increase the wss4j dependency to 1.6.5 and run "mvn clean
> package -Dtest=RampartTest". This fails on the "Testing WS-Sec: custom
> scenario 7" with the error I described. Switching the dependency back to
> 1.6.4 fixes this issue, but still there is one additional scenario (28)
> which is failing, however I presume it is not related with wss4j but
> probably with Axiom.
>
> I have checked out wss4j 1.6.x branch and build it locally, then switched
> Rampart to this version and re-executed the tests. The tests succeeded up
> until the point I switched to wss4j revision 1294114. With previous 1294094
> revision, this scenario is working fine.
>
> I was thinking it might be related with changes of other dependencies, but
> I doubt this is the case, since this revision does not introduce dependency
> changes.
>
> I will continue with the investigation and let you know once I have more
> information.
>
> Thanks,
> Detelin
>
>
> On Tue, Jul 8, 2014 at 4:51 PM, Colm O hEigeartaigh <[email protected]>
> wrote:
>
>
> Are you sure that the commit you referenced above is causing the problem?
> Rampart trunk fails on that test for me with WSS4J 1.6.4. Rampart 1.6.x
> branch fails on something else...
>
> If you have time to look into it, you could try checking out that SNAPSHOT
> version of WSS4J (Before the commit) + check that it works + then apply
> each change and see what change causes the failure. Ultimately, it looks
> like Rampart might be at fault, as the response message is not composed
> properly
>
> Colm.
>
>
> On Tue, Jul 8, 2014 at 12:55 PM, <[email protected]> wrote:
>
> Hi everyone,
> Our team worked on new functionality that is to be released with
> upcoming wss4j 1.6.16 (WSS-500
> <https://issues.apache.org/jira/browse/WSS-500> & WSS-501
> <https://issues.apache.org/jira/browse/WSS-501>). We have managed to
> integrate this functionality within Apache Rampart 1.6.2 and are willing to
> contribute the necessary pieces there as well. However, so far we have been
> using wss4j 1.6.4 + the corresponding patches and they seem to work fine
> with Rampart 1.6.2.
> Once I saw the vote for releasing wss4j 1.6.16, I decided to try to build
> Rampart 1.6.2 against it, just to make sure it can adopt this new version
> in near future.
> However, I stumbled upon a test failure in Rampart integration module,
> which I managed to track down to a specific commit in wss4j. The commit is
> quite old, it is released in wss4j 1.6.5 (latest Rampart uses 1.6.4). The
> change that causes trouble is the following:
>
> http://svn.apache.org/viewvc?view=revision&revision=1294114
>
> Log message says "Only decrypt a Data Reference in the
> ReferenceListProcessor, if it hasn't already been decrypted by the
> EncryptedDataProcessor".
>
> The specific Rampart test that fails is
> "org.apache.rampart.RampartTest#testWithPolicy()" using the following
> security policy:
>
>
> http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/7.xml
>
> I'm attaching the SOAP request and response (request.xml and
> response.xml), the actual error message is on the client side, when
> processing the response from the service:
> java.lang.StringIndexOutOfBoundsException: String index out of range: 0
> at java.lang.String.charAt(String.java:658)
> at org.apache.ws.security.WSDocInfo.getResult(WSDocInfo.java:225)
> at
> org.apache.ws.security.str.DerivedKeyTokenSTRParser.parseSecurityTokenReference(DerivedKeyTokenSTRParser.java:90)
> at
> org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:53)
> at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:398)
> at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
> at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
> at org.apache.rampart.RampartEngine.process(RampartEngine.java:147)
>
> The stack trace is generated using wss4j revision 1294114.
>
> It can be seen that the response contains invalid references (URI not
> correctly set):
>
> <wsse:SecurityTokenReference ...
> wsu:Id="STR-AA4ACE8415228CCC8E140481886870110">
> <wsse:Reference URI="#" ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";
> />
> </wsse:SecurityTokenReference>
>
> I'm now trying to figure out what is the root cause of this and whether
> the problem is on the wss4j side or on Rampart's side, but I would be glad
> if anyone more experienced takes a look into this and provides some
> feedback.
>
> Thanks!
>
> Detelin
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>
