Mix up of ID and ID reference of security token in signature causes WCF service to throw Cannot resolve KeyInfo for verifying signature
---------------------------------------------------------------------------------------------------------------------------------------

                 Key: CXF-2158
                 URL: https://issues.apache.org/jira/browse/CXF-2158
             Project: CXF
          Issue Type: Bug
    Affects Versions: 2.2
         Environment: Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153) - MacOS 10.5 and Windows Vista
            Reporter: ian homer


Issue

The CXF client causes WCF to throw the error "Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier ..." when connecting to a secured WCF service set up following the tutorial "WCF Getting Started Sample Tutorial with Message Security User Name" at http://msdn.microsoft.com/en-us/library/ms752233.aspx (WSDL attached to the CXF ticket).

See the analysis below for a summary of the issue and an indication of the resolution.
CXF Client Test Case

$ java -version
java version "1.6.0_07"
Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153)
Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_07-b06-57, mixed mode)
 
MacOS 10.5 and Windows Vista
CXF Version 2.2

import static org.junit.Assert.assertEquals;
import groovyx.net.ws.cxf.SSLHelper;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.namespace.QName;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.endpoint.EndpointImpl;
import org.apache.cxf.endpoint.dynamic.DynamicClientFactory;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.LoggingInInterceptor;
import org.apache.cxf.interceptor.LoggingOutInterceptor;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.service.model.BindingOperationInfo;
import org.apache.cxf.service.model.EndpointInfo;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptor;
import org.apache.cxf.ws.policy.EffectivePolicy;
import org.apache.cxf.ws.policy.PolicyEngine;
import org.apache.cxf.ws.policy.PolicyException;
import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.neethi.AbstractPolicyOperator;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.junit.Test;

public class SSLAWSWCFCalculatorIssueTestCase {
    protected static Log log = LogFactory.getLog(SSLAWSWCFCalculatorIssueTestCase.class);

    public static final String WCF_HOST = "host";
    private static final String WSDL_URI_REMOTE = "http://" + WCF_HOST
            + "/ServiceModelSamples/service.svc?wsdl";
    /**
     * Policy assertions filtered out for a default WCF_SSLA integration
     */
    public static final Class<?>[] WCF_SSLA = new Class<?>[] { SignedEncryptedParts.class };

    @Test
    public void testOperationsOfSSLClientWithSoapAuthentication() throws Exception {
        QName service = new QName("http://tempuri.org/", "CalculatorService");
        QName port = new QName("http://tempuri.org/", "SSLCalculatorA");

        Client client = DynamicClientFactory.newInstance().createClient(WSDL_URI_REMOTE, service,
                SSLAWSWCFCalculatorIssueTestCase.class.getClassLoader(), port);

        SSLHelper sslHelper = new SSLHelper();
        sslHelper.initialize();
        sslHelper.enable(client);

        Bus bus = ((EndpointImpl) client.getEndpoint()).getBus();
        /*
         * Apply the default policy filter in an in-interceptor to filter out the
         * mandatory signing of body parts. Otherwise CXF policy validation
         * fails, since the response from WCF is not compliant with it.
         */
        bus.getInInterceptors().add(new PolicyFilterOutInterceptor(WCF_SSLA));

        // WS-Security UsernameToken with a plain-text password; only sent in the
        // first request (see JustOnceWSS4JOutInterceptor below)
        Map<String, Object> outProps = new HashMap<String, Object>();
        outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
        outProps.put(WSHandlerConstants.USER, "bart\\myname");
        outProps.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_TEXT);
        outProps.put(WSHandlerConstants.MUST_UNDERSTAND, "true");
        outProps.put(WSHandlerConstants.PW_CALLBACK_REF, new PasswordHandler("password"));

        bus.getOutInterceptors().add(new JustOnceWSS4JOutInterceptor(outProps));

        /*
         * Add logging interceptors
         */
        bus.getInInterceptors().add(new LoggingInInterceptor());
        bus.getOutInterceptors().add(new LoggingOutInterceptor());

        BindingOperationInfo add = client.getEndpoint().getEndpointInfo().getBinding()
                .getOperation(new QName("http://Microsoft.ServiceModel.Samples", "Add"))
                .getUnwrappedOperation();
        /*
         * Now call some operations. Client.invoke returns the response parts as an
         * array; the return value is the first part.
         */
        if (log.isDebugEnabled()) {
            log.debug("Invoking method add");
        }
        Object[] answer = client.invoke(add, new Object[] { "1", "2" });
        if (log.isDebugEnabled()) {
            log.debug("1 + 2 = " + answer[0]);
        }
        assertEquals("Add method not correct", Double.valueOf(3.0), answer[0]);

        if (log.isDebugEnabled()) {
            log.debug("Invoking method multiply");
        }
        BindingOperationInfo multiply = client.getEndpoint().getEndpointInfo().getBinding()
                .getOperation(new QName("http://Microsoft.ServiceModel.Samples", "Multiply"))
                .getUnwrappedOperation();

        answer = client.invoke(multiply, new Object[] { "3", "2" });
        assertEquals("Multiply method not correct", Double.valueOf(6.0), answer[0]);
        if (log.isDebugEnabled()) {
            log.debug("3 x 2 = " + answer[0]);
        }
    }

    /**
     * Handler to supply the password for the UsernameToken
     */
    public static class PasswordHandler implements CallbackHandler {
        private static final String DEFAULT_PASSWORD = "password";
        String password;

        public PasswordHandler() {
            this.password = DEFAULT_PASSWORD;
        }

        public PasswordHandler(String password) {
            this.password = password;
        }

        public void handle(Callback[] callbacks) {
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
            pc.setPassword(password);
        }
    }

    /**
     * A WSS4J interceptor that only includes the security header once. Without
     * this the WCF service throws a security exception when the username and
     * password are sent along with the SecurityContextToken in the second request.
     */
    public static class JustOnceWSS4JOutInterceptor extends WSS4JOutInterceptor {
        int count = 0;

        /**
         * @param outProps the WSS4J outbound properties
         */
        public JustOnceWSS4JOutInterceptor(Map<String, Object> outProps) {
            super(outProps);
        }

        @Override
        public void handleMessage(SoapMessage mc) throws Fault {
            if (count == 0) {
                if (log.isDebugEnabled()) {
                    log.debug("Calling WSS4J interceptor : count = " + count);
                }
                super.handleMessage(mc);
            } else {
                if (log.isDebugEnabled()) {
                    log.debug("Skipping WSS4J interceptor : count = " + count);
                }
            }
            count++;
        }
    }

    /**
     * Removes the given assertion classes from the effective policy before CXF
     * verifies the inbound message against it.
     */
    public static class PolicyFilterOutInterceptor extends AbstractPolicyInterceptor {

        private Class<?>[] filters;

        public PolicyFilterOutInterceptor(Class<?>[] filters) {
            super(Phase.PRE_STREAM);
            this.filters = filters;
        }

        @Override
        protected void handle(Message message) throws PolicyException {
            if (log.isDebugEnabled()) {
                log.debug("Filtering policies for " + this.getClass().getName());
            }

            Exchange exchange = message.getExchange();
            BindingOperationInfo boi = exchange.get(BindingOperationInfo.class);
            if (null == boi) {
                if (log.isDebugEnabled()) {
                    log.debug("No binding operation info.");
                }
                return;
            }

            Endpoint e = exchange.get(Endpoint.class);
            if (null == e) {
                if (log.isDebugEnabled()) {
                    log.debug("No endpoint.");
                }
                return;
            }
            EndpointInfo ei = e.getEndpointInfo();

            Bus bus = exchange.get(Bus.class);
            PolicyEngine pe = bus.getExtension(PolicyEngine.class);
            if (null == pe) {
                return;
            }

            if (MessageUtils.isPartialResponse(message)) {
                if (log.isDebugEnabled()) {
                    log.debug("Not verifying policies on inbound partial response.");
                }
                return;
            }

            getTransportAssertions(message);

            EffectivePolicy effectivePolicy = message.get(EffectivePolicy.class);
            if (effectivePolicy == null) {
                if (MessageUtils.isRequestor(message)) {
                    effectivePolicy = pe.getEffectiveClientResponsePolicy(ei, boi);
                } else {
                    effectivePolicy = pe.getEffectiveServerRequestPolicy(ei, boi);
                }
            }

            removePolicies(effectivePolicy.getPolicy(), filters);
        }

        public void removePolicy(AbstractPolicyOperator operator, Class<?> clazz) {
            removePolicies(operator, new Class<?>[] { clazz });
        }

        /**
         * Walks the policy tree recursively and removes every assertion whose class
         * is one of the given classes.
         */
        @SuppressWarnings("unchecked")
        public void removePolicies(AbstractPolicyOperator operator, Class<?>[] classes) {
            List<Object> childrenForRemoval = new ArrayList<Object>();

            for (Object child : operator.getPolicyComponents()) {
                if (child instanceof AbstractPolicyOperator) {
                    removePolicies((AbstractPolicyOperator) child, classes);
                } else {
                    for (int i = 0; i < classes.length; i++) {
                        if (child.getClass() == classes[i]) {
                            childrenForRemoval.add(child);
                            if (log.isDebugEnabled()) {
                                log.debug("Removing policy : " + child);
                            }
                        }
                    }
                }
            }

            /*
             * Remove all the children that have been marked for removal
             */
            operator.getPolicyComponents().removeAll(childrenForRemoval);
        }
    }
}

WCF Exception

<Exception>
<ExceptionType>System.ServiceModel.Security.MessageSecurityException, System.ServiceModel, Version=3.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
<Message>Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
   (
   IsReadOnly = False,
   Count = 1,
   Clause[0] = LocalIdKeyIdentifierClause(LocalId = 'urn:uuid:67422cf9-69c5-4e15-802d-4c6d39cdc57d', Owner = 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken')
   )
', available tokens 'SecurityTokenResolver
   (
   TokenCount = 1,
   TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.ServiceModel.Security.Tokens.SecurityContextSecurityToken, Parameters=System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False
RequireCancellation: True
BootstrapSecurityBindingElement:
 System.ServiceModel.Channels.TransportSecurityBindingElement:
 DefaultAlgorithmSuite: Basic256
 IncludeTimestamp: True
 KeyEntropyMode: CombinedEntropy
 MessageSecurityVersion: WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
 SecurityHeaderLayout: Strict
 EndpointSupportingTokenParameters:
   No endorsing tokens.
   No signed tokens.
   SignedEncrypted[0]
     System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters:
     InclusionMode: AlwaysToRecipient
     ReferenceStyle: Internal
     RequireDerivedKeys: False
   No signed endorsing tokens.
 OptionalEndpointSupportingTokenParameters:
   No endorsing tokens.
   No signed tokens.
   No signed encrypted tokens.
   No signed endorsing tokens.
 OperationSupportingTokenParameters: none
 OptionalOperationSupportingTokenParameters: none)
   )
'.</Message>
<StackTrace>
at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ResolveSignatureToken(SecurityKeyIdentifier keyIdentifier, SecurityTokenResolver resolver, Boolean isPrimarySignature)
at System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, Object signatureTarget, String id)
at System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml signedXml, Boolean isFromDecryptedSource)
at System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader reader)
at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan timeout)
at System.ServiceModel.Security.AcceptorSessionSymmetricTransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp; message, TimeSpan timeout)
at System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout)
at System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp; message, TimeSpan timeout, SecurityProtocolCorrelationState[] correlationStates)
at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ProcessRequestContext(RequestContext requestContext, TimeSpan timeout, SecurityProtocolCorrelationState&amp; correlationState, Boolean&amp; isSecurityProcessingFailure)
at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ReceiveRequestAsyncResult.WaitComplete()
at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ReceiveRequestAsyncResult..ctor(ServerSecuritySessionChannel channel, TimeSpan timeout, AsyncCallback callback, Object state)
at System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.BeginTryReceiveRequest(TimeSpan timeout, AsyncCallback callback, Object state)
at System.ServiceModel.Dispatcher.ReplyChannelBinder.BeginTryReceive(TimeSpan timeout, AsyncCallback callback, Object state)
at System.ServiceModel.Dispatcher.ErrorHandlingReceiver.BeginTryReceive(TimeSpan timeout, AsyncCallback callback, Object state)
at System.ServiceModel.Dispatcher.ChannelHandler.EnsurePump()
at System.ServiceModel.Dispatcher.ChannelHandler.OpenAndEnsurePump()
at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.WorkItem.Invoke2()
at System.Security.SecurityContext.Run(SecurityContext securityContext, ContextCallback callback, Object state)
at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.WorkItem.Invoke()
at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.ProcessCallbacks()
at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.CompletionCallback(Object state)
at System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.ScheduledOverlapped.IOCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
at System.ServiceModel.Diagnostics.Utility.IOCompletionThunk.UnhandledExceptionFrame(UInt32 error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
</StackTrace>
<ExceptionString>System.ServiceModel.Security.MessageSecurityException: Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier
   (
   IsReadOnly = False,
   Count = 1,
   Clause[0] = LocalIdKeyIdentifierClause(LocalId = 'urn:uuid:67422cf9-69c5-4e15-802d-4c6d39cdc57d', Owner = 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken')
   )
', available tokens 'SecurityTokenResolver
   (
   TokenCount = 1,
   TokenEntry[0] = (AllowedReferenceStyle=Internal, Token=System.ServiceModel.Security.Tokens.SecurityContextSecurityToken, Parameters=System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters:
InclusionMode: AlwaysToRecipient
ReferenceStyle: Internal
RequireDerivedKeys: False
RequireCancellation: True
BootstrapSecurityBindingElement:
 System.ServiceModel.Channels.TransportSecurityBindingElement:
 DefaultAlgorithmSuite: Basic256
 IncludeTimestamp: True
 KeyEntropyMode: CombinedEntropy
 MessageSecurityVersion: WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10
 SecurityHeaderLayout: Strict
 EndpointSupportingTokenParameters:
   No endorsing tokens.
   No signed tokens.
   SignedEncrypted[0]
     System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters:
     InclusionMode: AlwaysToRecipient
     ReferenceStyle: Internal
     RequireDerivedKeys: False
   No signed endorsing tokens.
 OptionalEndpointSupportingTokenParameters:
   No endorsing tokens.
   No signed tokens.
   No signed encrypted tokens.
   No signed endorsing tokens.
 OperationSupportingTokenParameters: none
 OptionalOperationSupportingTokenParameters: none)
   )
'.</ExceptionString>
</Exception>

WCF Client with WCF Server
WCF Client Request 1

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action>
        <a:MessageID>urn:uuid:8151f398-b043-485e-a443-681fb698d334</a:MessageID>
        <a:ReplyTo>
            <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
        </a:ReplyTo>
        <a:To s:mustUnderstand="1">https://host/servicemodelsamples/service.svc/SSLA</a:To>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2009-04-06T08:25:00.988Z</u:Created>
                <u:Expires>2009-04-06T08:30:00.988Z</u:Expires>
            </u:Timestamp>
            <o:UsernameToken u:Id="uuid-0403819d-3bc9-4fc8-be6f-0c1b01da7397-1">
                <o:Username>
                    <!-- Removed-->
                </o:Username>
                <o:Password>
                    <!-- Removed-->
                </o:Password>
            </o:UsernameToken>
        </o:Security>
    </s:Header>
    <s:Body>
        <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
            <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
            <t:Entropy>
                <!-- Removed-->
            </t:Entropy>
            <t:KeySize>256</t:KeySize>
        </t:RequestSecurityToken>
    </s:Body>
</s:Envelope>

WCF Client Response from Server 1

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action>
        <a:RelatesTo>urn:uuid:4f4996b9-4d71-47d8-91b8-ba75df9b3de6</a:RelatesTo>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2009-04-06T08:59:01.713Z</u:Created>
                <u:Expires>2009-04-06T09:04:01.713Z</u:Expires>
            </u:Timestamp>
        </o:Security>
    </s:Header>
    <s:Body>
        <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
            <t:RequestedSecurityToken>
                <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
                    <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
                </c:SecurityContextToken>
            </t:RequestedSecurityToken>
            <t:RequestedAttachedReference>
                <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
                </o:SecurityTokenReference>
            </t:RequestedAttachedReference>
            <t:RequestedUnattachedReference>
                <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                    <o:Reference URI="urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e" ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference>
                </o:SecurityTokenReference>
            </t:RequestedUnattachedReference>
            <t:RequestedProofToken>
                <t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKey>
            </t:RequestedProofToken>
            <t:Entropy>
                <!-- Removed-->
            </t:Entropy>
            <t:Lifetime>
                <u:Created>2009-04-06T08:59:01.701Z</u:Created>
                <u:Expires>2009-04-06T23:59:01.701Z</u:Expires>
            </t:Lifetime>
            <t:KeySize>256</t:KeySize>
        </t:RequestSecurityTokenResponse>
    </s:Body>
</s:Envelope>

WCF Client Request 2

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://Microsoft.ServiceModel.Samples/ICalculator/Add</a:Action>
        <a:MessageID>urn:uuid:3363fc9e-17e1-4e15-a0dc-ef56d63fa541</a:MessageID>
        <a:ReplyTo>
            <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
        </a:ReplyTo>
        <a:To s:mustUnderstand="1">https://host/servicemodelsamples/service.svc/SSLA</a:To>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2009-04-06T08:59:01.737Z</u:Created>
                <u:Expires>2009-04-06T09:04:01.737Z</u:Expires>
            </u:Timestamp>
            <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1" xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
                <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
            </c:SecurityContextToken>
            <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
                <SignedInfo>
                    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
                    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod>
                    <Reference URI="#_0">
                        <Transforms>
                            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
                        </Transforms>
                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
                        <DigestValue>2VuDOwhOC2mm4YhQJEAzutsXuiU=</DigestValue>
                    </Reference>
                </SignedInfo>
                <SignatureValue>AZzmujJH/wkgEzq9jopInPW3exQ=</SignatureValue>
                <KeyInfo>
                    <o:SecurityTokenReference>
                        <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
                    </o:SecurityTokenReference>
                </KeyInfo>
            </Signature>
        </o:Security>
    </s:Header>
    <s:Body>
        <Add xmlns="http://Microsoft.ServiceModel.Samples">
            <n1>100</n1>
            <n2>15.99</n2>
        </Add>
    </s:Body>
</s:Envelope>
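In the WCF request above the Signature's KeyInfo points at the SecurityContextToken by its wsu:Id (the RequestedAttachedReference from the RSTR), whereas the WCF exception earlier shows a LocalId that is a urn:uuid, i.e. the token's Identifier. The following Python check is added here and is not part of the ticket or of CXF: it resolves a KeyInfo reference against the local ids in the same Security header, as the WCF resolver with ReferenceStyle=Internal does, and names the mix-up. The header is constructed from the request above; that the failing reference was "#" followed by the Identifier URN is an assumption drawn from the exception text.

```python
import xml.etree.ElementTree as ET

NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "c": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["u"]
# Values taken from the RSTR / Request 2 captures on the ticket
SCT_ID = "uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"              # wsu:Id of the SCT
SCT_IDENTIFIER = "urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e"  # c:Identifier of the SCT


def build_request(reference_uri):
    """Constructed sample: the Security header of 'WCF Client Request 2', with the
    Body and the digest/signature values dropped and the KeyInfo reference URI
    made a parameter so both the resolvable and the unresolvable form can be built."""
    return f"""<s:Envelope xmlns:s="{NS['s']}" xmlns:u="{NS['u']}" xmlns:o="{NS['o']}">
  <s:Header>
    <o:Security s:mustUnderstand="1">
      <u:Timestamp u:Id="_0"/>
      <c:SecurityContextToken u:Id="{SCT_ID}" xmlns:c="{NS['c']}">
        <c:Identifier>{SCT_IDENTIFIER}</c:Identifier>
      </c:SecurityContextToken>
      <Signature xmlns="{NS['ds']}">
        <SignedInfo><Reference URI="#_0"/></SignedInfo>
        <KeyInfo>
          <o:SecurityTokenReference>
            <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" URI="{reference_uri}"/>
          </o:SecurityTokenReference>
        </KeyInfo>
      </Signature>
    </o:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


def local_ids(security):
    """wsu:Id -> element for every direct child of the Security header; this is the
    set an attached ('Internal') reference can be resolved against."""
    return {child.get(WSU_ID): child for child in security if child.get(WSU_ID) is not None}


def resolve_signature_token(envelope_xml):
    """Resolve the Signature's KeyInfo reference. Returns (status, detail):
    'ok' with the resolved wsu:Id, 'unresolved' with a diagnosis, or
    'external' when the URI is not a local '#' reference at all."""
    root = ET.fromstring(envelope_xml)
    security = root.find("s:Header/o:Security", NS)
    ids = local_ids(security)
    ref = security.find("ds:Signature/ds:KeyInfo/o:SecurityTokenReference/o:Reference", NS)
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        return "external", uri
    local_id = uri[1:]
    if local_id in ids:
        return "ok", local_id
    # Diagnose the mix-up in this ticket: the reference carries a token's
    # Identifier URN where the token's wsu:Id was expected.
    for token_id, token in ids.items():
        ident = token.find("c:Identifier", NS)
        if ident is not None and (ident.text or "").strip() == local_id:
            return "unresolved", f"reference uses Identifier {local_id} instead of wsu:Id {token_id}"
    return "unresolved", f"no element with wsu:Id {local_id!r}; available: {sorted(ids)}"


if __name__ == "__main__":
    print(resolve_signature_token(build_request("#" + SCT_ID)))          # the WCF client's form
    print(resolve_signature_token(build_request("#" + SCT_IDENTIFIER)))  # the form WCF rejects
```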

WCF Client Response from Server 2

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
    <s:Header>
        <a:Action s:mustUnderstand="1">http://Microsoft.ServiceModel.Samples/ICalculator/AddResponse</a:Action>
        <a:RelatesTo>urn:uuid:3363fc9e-17e1-4e15-a0dc-ef56d63fa541</a:RelatesTo>
        <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <u:Timestamp u:Id="_0">
                <u:Created>2009-04-06T08:59:01.773Z</u:Created>
                <u:Expires>2009-04-06T09:04:01.773Z</u:Expires>
            </u:Timestamp>
        </o:Security>
    </s:Header>
    <s:Body>
        <AddResponse xmlns="http://Microsoft.ServiceModel.Samples">
            <AddResult>115.99</AddResult>
        </AddResponse>
    </s:Body>
</s:Envelope>

CXF Client with WCF Server
CXF Client Request 1

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
    <soap:Header>
        <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
        <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:ee3fd188-2a43-4d0e-b202-aac81f803bc5</MessageID>
        <To xmlns="http://www.w3.org/2005/08/addressing">https://host/ServiceModelSamples/service.svc/SSLA</To>
        <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
        </ReplyTo>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="true">
            <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1763636894">
                <wsu:Created>2009-04-06T10:00:47.466Z</wsu:Created>
                <wsu:Expires>2009-04-06T10:05:47.466Z</wsu:Expires>
            </wsu:Timestamp>
            <wsse:UsernameToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2095036283">
                <wsse:Username>bart\myuser</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password>
            </wsse:UsernameToken>
        </wsse:Security>
    </soap:Header>
    <soap:Body>
        <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
            <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
            <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
                    <wsa:Address>https://host/ServiceModelSamples/service.svc/SSLA</wsa:Address>
                </wsa:EndpointReference>
            </wsp:AppliesTo>
            <wst:Lifetime>
                <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-04-06T10:00:46.692Z</wsu:Created>
                <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-04-06T10:05:46.692Z</wsu:Expires>
            </wst:Lifetime>
            <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
            <wst:Entropy>
                <wst:BinarySecret Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">7pPJRu/vrIfSeAzoq48kAd+55khFFbU/sLw0PeYkIKA=</wst:BinarySecret>
            </wst:Entropy>
            <wst:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</wst:ComputedKeyAlgorithm>
        </wst:RequestSecurityToken>
    </soap:Body>
</soap:Envelope>

[edit] CXF Client Response from Server 1

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
        xmlns:a="http://www.w3.org/2005/08/addressing"
        xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <s:Header>
                <a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action>
                <a:RelatesTo>urn:uuid:ee3fd188-2a43-4d0e-b202-aac81f803bc5</a:RelatesTo>
                <o:Security s:mustUnderstand="1"
                        xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                        <u:Timestamp u:Id="_0">
                                <u:Created>2009-04-06T10:00:28.212Z</u:Created>
                                <u:Expires>2009-04-06T10:05:28.212Z</u:Expires>
                        </u:Timestamp>
                </o:Security>
        </s:Header>
        <s:Body>
                <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
                        <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
                        <t:RequestedSecurityToken>
                                <c:SecurityContextToken u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3"
                                        xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
                                        <c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20</c:Identifier>
                                </c:SecurityContextToken>
                        </t:RequestedSecurityToken>
                        <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                                <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                                        <Address>https://host/ServiceModelSamples/service.svc/SSLA</Address>
                                </EndpointReference>
                        </wsp:AppliesTo>
                        <t:RequestedAttachedReference>
                                <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                                        <o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
                                                URI="#uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3"></o:Reference>
                                </o:SecurityTokenReference>
                        </t:RequestedAttachedReference>
                        <t:RequestedUnattachedReference>
                                <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                                        <o:Reference URI="urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20"
                                                ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference>
                                </o:SecurityTokenReference>
                        </t:RequestedUnattachedReference>
                        <t:RequestedProofToken>
                                <t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKey>
                        </t:RequestedProofToken>
                        <t:Entropy>
                                <t:BinarySecret u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-4"
                                        Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">f6m4wEJy9gPMttOxzM+7yf1i5biWxbNaBfbx1sWvVPw=</t:BinarySecret>
                        </t:Entropy>
                        <t:Lifetime>
                                <u:Created>2009-04-06T10:00:28.208Z</u:Created>
                                <u:Expires>2009-04-07T01:00:28.208Z</u:Expires>
                        </t:Lifetime>
                        <t:KeySize>256</t:KeySize>
                </t:RequestSecurityTokenResponse>
        </s:Body>
</s:Envelope>

[edit] CXF Client Request 2

<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
        <soap:Header>
                <Action xmlns="http://www.w3.org/2005/08/addressing">http://Microsoft.ServiceModel.Samples/ICalculator/Add</Action>
                <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:b879526c-68c1-4713-8912-6ee23264715f</MessageID>
                <To xmlns="http://www.w3.org/2005/08/addressing">https://host/ServiceModelSamples/service.svc/SSLA</To>
                <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
                        <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
                </ReplyTo>
                <wsse:Security
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                        soap:mustUnderstand="true">
                        <wsu:Timestamp
                                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                wsu:Id="Timestamp-937741416">
                                <wsu:Created>2009-04-06T10:00:48.903Z</wsu:Created>
                                <wsu:Expires>2009-04-06T10:05:48.903Z</wsu:Expires>
                        </wsu:Timestamp>
                        <c:SecurityContextToken xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"
                                xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3">
                                <c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20</c:Identifier>
                        </c:SecurityContextToken>
                        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                                Id="Signature-1670444352">
                                <ds:SignedInfo>
                                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" />
                                        <ds:Reference URI="#Timestamp-937741416">
                                                <ds:Transforms>
                                                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                                </ds:Transforms>
                                                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                                                <ds:DigestValue>/gRfeAVaxWCey/0KWfXh4VDIdGA=</ds:DigestValue>
                                        </ds:Reference>
                                </ds:SignedInfo>
                                <ds:SignatureValue>rhEDDQNJHxAKgsBz5ZVPma1TkeY=</ds:SignatureValue>
                                <ds:KeyInfo Id="KeyId-451036744">
                                        <wsse:SecurityTokenReference
                                                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                                wsu:Id="STRId-187592160">
                                                <wsse:Reference
                                                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                                        URI="#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20"
                                                        ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" />
                                        </wsse:SecurityTokenReference>
                                </ds:KeyInfo>
                        </ds:Signature>
                </wsse:Security>
        </soap:Header>
        <soap:Body>
                <ns1:Add xmlns:ns1="http://Microsoft.ServiceModel.Samples">
                        <ns1:n1 xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/"
                                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                xsi:type="xs:string">1</ns1:n1>
                        <ns1:n2 xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/"
                                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                xsi:type="xs:string">2</ns1:n2>
                </ns1:Add>
        </soap:Body>
</soap:Envelope>

[edit] CXF Client Response from Server 2

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
        xmlns:a="http://www.w3.org/2005/08/addressing">
        <s:Header>
                <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
                <a:RelatesTo>urn:uuid:c20c8ac5-3e6d-4189-8db8-97dda22f7cdc</a:RelatesTo>
        </s:Header>
        <s:Body>
                <s:Fault>
                        <s:Code>
                                <s:Value>s:Sender</s:Value>
                                <s:Subcode>
                                        <s:Value xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value>
                                </s:Subcode>
                        </s:Code>
                        <s:Reason>
                                <s:Text xml:lang="en-GB">An error occurred when verifying security for the message.</s:Text>
                        </s:Reason>
                </s:Fault>
        </s:Body>
</s:Envelope>

[edit] Analysis

The CXF client sends the following on request 2, with the URI attribute of the
Reference element equal to the content of the Identifier element:

<c:SecurityContextToken u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3">
        <c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20</c:Identifier>
</c:SecurityContextToken>
...
<ds:KeyInfo Id="KeyId-451036744">
        <wsse:SecurityTokenReference>
                <wsse:Reference
                        URI="#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20"
                        ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" />
        </wsse:SecurityTokenReference>
</ds:KeyInfo>

However, the WCF client sends the following for its second request, with the URI
attribute of the Reference element equal to the Id attribute of the
SecurityContextToken element:

<c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"
        xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
    <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier>
</c:SecurityContextToken>
...
<KeyInfo>
    <o:SecurityTokenReference>
        <o:Reference
                ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"
                URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference>
    </o:SecurityTokenReference>
</KeyInfo>

If the following change is made in the 
org.apache.cxf.ws.security.wss4j.policyhandler.TransportBindingHandler:

CXF trunk 2.2 version

// signs with the token's own id (the SCT Identifier), which is what WCF rejects
sig.setCustomTokenId(secTok.getId());

changed to

// imports needed: org.w3c.dom.Attr, org.w3c.dom.Node
// Use the id WCF handed back in RequestedAttachedReference (the wsu:Id of the
// SecurityContextToken) instead of the Identifier. getFirstChild() assumes the
// SecurityTokenReference's first child is the wsse:Reference element, i.e. no
// whitespace text node precedes it.
Node firstChild = secTok.getAttachedReference().getFirstChild();
Attr referenceUriAttribute = (Attr) firstChild.getAttributes().getNamedItem("URI");
String referenceUri = referenceUriAttribute.getValue().substring(1); // strip leading '#'
sig.setCustomTokenId(referenceUri);

then the CXF client communicates with the WCF server successfully. It is not
expected that this is the correct place for the fix, since there are other
places in the CXF source which set the custom token id on the signature. It is
more likely that a correction is required earlier in the logic, so that the
security token allows the id reference (i.e. the Reference URI) to be set
correctly and made available for configuring in the signature.
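The following is an added example, not code from the CXF ticket or from the CXF
or WCF projects. It reproduces, in Python, the check a receiver has to perform
before it can verify the HMAC: follow KeyInfo/SecurityTokenReference/Reference/@URI
to a token carried in the same Security header. The two headers are constructed,
trimmed-down versions of request 2 above, one with the URI CXF 2.2 sends
('#' + Identifier) and one with the URI WCF sends ('#' + wsu:Id). It also shows
the value the suggested patch extracts from the RSTR's RequestedAttachedReference,
on a constructed RSTR that mirrors "CXF Client Response from Server 1". The
function names and the rejection of duplicate wsu:Id values are this example's
own choices, not behaviour the ticket attributes to either implementation.

```python
import xml.etree.ElementTree as ET

# Namespaces exactly as they appear in the captured messages.
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"
WST = "http://schemas.xmlsoap.org/ws/2005/02/trust"
DS = "http://www.w3.org/2000/09/xmldsig#"
SCT = "http://schemas.xmlsoap.org/ws/2005/02/sc/sct"

# Values taken from the captured exchange.
TOKEN_ID = "uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3"          # wsu:Id of the SCT
IDENTIFIER = "urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20"      # c:Identifier content


def security_header(str_uri):
    """Constructed, reduced wsse:Security header of request 2; only the parts a
    receiver needs to locate the signing token are kept (no real HMAC)."""
    return f"""
<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:c="{WSC}" xmlns:ds="{DS}">
  <wsu:Timestamp wsu:Id="Timestamp-937741416"/>
  <c:SecurityContextToken wsu:Id="{TOKEN_ID}">
    <c:Identifier>{IDENTIFIER}</c:Identifier>
  </c:SecurityContextToken>
  <ds:Signature>
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:Reference URI="{str_uri}" ValueType="{SCT}"/>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>""".strip()


CXF_HEADER = security_header("#" + IDENTIFIER)  # what CXF 2.2 sends: '#' + Identifier
WCF_HEADER = security_header("#" + TOKEN_ID)    # what WCF sends: '#' + wsu:Id

# Constructed RSTR fragment mirroring "CXF Client Response from Server 1".
RSTR = f"""
<t:RequestSecurityTokenResponse xmlns:t="{WST}" xmlns:o="{WSSE}" xmlns:u="{WSU}" xmlns:c="{WSC}">
  <t:RequestedSecurityToken>
    <c:SecurityContextToken u:Id="{TOKEN_ID}"><c:Identifier>{IDENTIFIER}</c:Identifier></c:SecurityContextToken>
  </t:RequestedSecurityToken>
  <t:RequestedAttachedReference>
    <o:SecurityTokenReference><o:Reference ValueType="{SCT}" URI="#{TOKEN_ID}"/></o:SecurityTokenReference>
  </t:RequestedAttachedReference>
  <t:RequestedUnattachedReference>
    <o:SecurityTokenReference><o:Reference ValueType="{SCT}" URI="{IDENTIFIER}"/></o:SecurityTokenReference>
  </t:RequestedUnattachedReference>
</t:RequestSecurityTokenResponse>""".strip()


def elements_by_wsu_id(root):
    """Index every element in the header by its wsu:Id. A duplicate Id is refused
    rather than silently shadowed, so a second element with the same Id cannot
    redirect the reference (a classic signature-wrapping trick)."""
    index = {}
    for el in root.iter():
        wsu_id = el.get(f"{{{WSU}}}Id")
        if wsu_id is None:
            continue
        if wsu_id in index:
            raise ValueError(f"duplicate wsu:Id {wsu_id!r} in Security header")
        index[wsu_id] = el
    return index


def resolve_signing_token(header_xml):
    """Follow the signature's KeyInfo STR to the SecurityContextToken it names.
    Returns the SCT Identifier on success, or None when the reference does not
    resolve, which is the condition behind WCF's 'Cannot resolve KeyInfo'."""
    sec = ET.fromstring(header_xml)
    ref = sec.find(f"{{{DS}}}Signature/{{{DS}}}KeyInfo/"
                   f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    if ref is None or ref.get("ValueType") != SCT:
        return None
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        return None  # not a local (attached) reference; nothing in this header to point at
    token = elements_by_wsu_id(sec).get(uri[1:])
    if token is None or token.tag != f"{{{WSC}}}SecurityContextToken":
        return None
    ident = token.find(f"{{{WSC}}}Identifier")
    return ident.text.strip() if ident is not None and ident.text else None


def attached_reference_id(rstr_xml):
    """The id a signature's STR must carry: RequestedAttachedReference/.../@URI
    without its leading '#'. This is the value the suggested patch obtains with
    substring(1)."""
    rstr = ET.fromstring(rstr_xml)
    ref = rstr.find(f"{{{WST}}}RequestedAttachedReference/"
                    f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        raise ValueError(f"attached reference is not a local fragment reference: {uri!r}")
    return uri[1:]


if __name__ == "__main__":
    print("CXF header resolves to:", resolve_signing_token(CXF_HEADER))
    print("WCF header resolves to:", resolve_signing_token(WCF_HEADER))
    print("id from RequestedAttachedReference:", attached_reference_id(RSTR))
```

Run stand-alone it prints None for the CXF-style header and the SCT Identifier
for the WCF-style one, and shows that building the STR from the attached
reference id yields a header that resolves. The duplicate-Id check is a
receiver-side hardening beyond what the ticket discusses: once the receiver
resolves tokens by wsu:Id, it must also make sure that Id is unique in the header.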

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.