[
https://issues.apache.org/jira/browse/CXF-4758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13555227#comment-13555227
]
Colm O hEigeartaigh commented on CXF-4758:
------------------------------------------
I have just merged a potential fix. Could you try with the latest CXF
2.7.3-SNAPSHOT code and let me know if it works? The TransportBindingHandler
was not properly handling the case of a SpnegoContextToken, which explains why
it works with the SymmetricBinding but not the TransportBinding.
Either wait until the Jenkins build deploys the latest SNAPSHOT with this fix
in it or you can checkout the source yourself and build the
cxf-rt-ws-security-2.7.3-SNAPSHOT jar.
Colm.
> Receive error message when trying to connect to crm 2011 Webservices with
> https binding - javax.xml.ws.soap.SOAPFaultException: An error occurred when
> verifying security for the message.
> ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-4758
> URL: https://issues.apache.org/jira/browse/CXF-4758
> Project: CXF
> Issue Type: Bug
> Affects Versions: 2.7.2
> Environment: Windows 7 64 Bit. Java 1.6.37 runtime environment
> Reporter: Jair Lopes
> Priority: Critical
>
> I am trying to connect from a Java client with cxf to crm 2011 Web
> Services (on premise). When I connected over http everything worked fine. But
> when I switched to HTTPS (Port 443) I suddenly got this error:
> FEIN: Invoking handleMessage on interceptor org.apache.cxf.ws.policy.PolicyVerificationInFaultInterceptor@17698cbe
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: An error occurred when verifying security for the message.
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:155)
>     at $Proxy46.create(Unknown Source)
>     at GetCRm.doIt(GetCRm.java:322)
>     at RunHttpSpnego.main(RunHttpSpnego.java:20)
> Caused by: org.apache.cxf.binding.soap.SoapFault: An error occurred when verifying security for the message.
>     at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.unmarshalFault(Soap12FaultInInterceptor.java:133)
>     at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:59)
>     at org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:46)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:114)
>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:800)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1590)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1488)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1307)
>     at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
>     at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:229)
>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133)
>     ... 3 more
> Against first thoughts, this was not a time issue between the server and
> client.
> I activated WCF Tracing and got the following error:
> <Exception><ExceptionType>System.ServiceModel.Security.MessageSecurityException,
> System.ServiceModel, Version=4.0.0.0, Culture=neutral,
> PublicKeyToken=b77a5c561934e089</ExceptionType><Message>A supporting token
> that satisfies parameters
> 'System.ServiceModel.Security.Tokens.SspiSecurityTokenParameters:
> InclusionMode: AlwaysToRecipient
> ReferenceStyle: Internal
> RequireDerivedKeys: False
> RequireCancellation: True' and attachment mode 'Endorsing' was not
> provided.</Message><StackTrace> at
> System.ServiceModel.Security.ReceiveSecurityHeader.VerifySupportingToken(TokenTracker
> tracker)
> at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan
> timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy
> extendedProtectionPolicy)
> at
> System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp;
> message, TimeSpan timeout)
> at
> System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp;
> message, TimeSpan timeout)
> at
> System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp;
> message, TimeSpan timeout, SecurityProtocolCorrelationState[]
> correlationStates)
> at
> System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message&amp;
> message, TimeSpan timeout, SecurityProtocolCorrelationState[]
> correlationState)
> at
> System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext
> requestContext, TimeSpan timeout)
> at
> System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone()
> at
> System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult
> result)
> at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult
> result)
> at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously)
> at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item)
> at System.Runtime.InputQueue`1.Dispatch()
> at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32
> errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped)
> at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32
> error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped)
> at
> System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32
> errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP)
> </StackTrace><ExceptionString>System.ServiceModel.Security.MessageSecurityException:
> A supporting token that satisfies parameters
> 'System.ServiceModel.Security.Tokens.SspiSecurityTokenParameters:
> InclusionMode: AlwaysToRecipient
> ReferenceStyle: Internal
> RequireDerivedKeys: False
> RequireCancellation: True' and attachment mode 'Endorsing' was not
> provided.</ExceptionString></Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent><E2ETraceEvent
> xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System
> xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>458802</EventID><Type>3</Type><SubType
> Name="Warning">0</SubType><Level>4</Level><TimeCreated
> SystemTime="2013-01-16T13:55:44.5998534Z" /><Source
> Name="System.ServiceModel" /><Correlation
> ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution
> ProcessName="w3wp" ProcessID="8504" ThreadID="16"
> /><Channel/><Computer>LOGICALIS-ALT</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord
> xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord"
> Severity="Warning"><TraceIdentifier>http://msdn.microsoft.com/de-DE/library/System.ServiceModel.Security.SecurityBindingVerifyIncomingMessageFailure.aspx</TraceIdentifier><Description>The
> security protocol cannot verify the incoming message.</Description>
> This only happens when trying to connect over HTTPS.
> I connect to my endpoint by using a service stub generated with WSDL to Java.
> The authentication policy for the Webservice looks like this:
> <?xml version="1.0" encoding="utf-8" ?>
> <wsdl:definitions
>     targetNamespace="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
>     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>     xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>     xmlns:wsa10="http://www.w3.org/2005/08/addressing"
>     xmlns:tns="http://schemas.microsoft.com/xrm/2011/Contracts/Services"
>     xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>     xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
>     xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
>     xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>     xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
>     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>     xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
>   <wsp:Policy wsu:Id="CustomBinding_IOrganizationService_policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <ms-xrm:AuthenticationPolicy
>             xmlns:ms-xrm="http://schemas.microsoft.com/xrm/2011/Contracts/Services">
>           <ms-xrm:Authentication>ActiveDirectory</ms-xrm:Authentication>
>         </ms-xrm:AuthenticationPolicy>
>         <sp:TransportBinding
>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:TransportToken>
>               <wsp:Policy>
>                 <sp:HttpsToken RequireClientCertificate="false" />
>               </wsp:Policy>
>             </sp:TransportToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic256 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>           </wsp:Policy>
>         </sp:TransportBinding>
>         <sp:EndorsingSupportingTokens
>             xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:SpnegoContextToken
>                 sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>               <wsp:Policy />
>             </sp:SpnegoContextToken>
>           </wsp:Policy>
>         </sp:EndorsingSupportingTokens>
>         <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy />
>         </sp:Wss11>
>         <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:MustSupportIssuedTokens />
>             <sp:RequireClientEntropy />
>             <sp:RequireServerEntropy />
>           </wsp:Policy>
>         </sp:Trust10>
>         <wsaw:UsingAddressing />
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> The authentication process is handled by Spnego.
> I simply changed the Webservice endpoint for my URL and imported the
> necessary certificates into the respective java certca store.
> Besides that I didn't make any changes to the code.
> I have tried for a long time to make it work but without success. Can you
> guys tell me more about this?
> Am I missing something in my code that I have to add to make this work?
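A triage check for the combination discussed in this thread, added here as an example and not part of the original messages or of CXF: it reads a WS-SecurityPolicy (2005/07) document and reports, per policy alternative, the security binding and the endorsing supporting tokens, flagging a TransportBinding that requires an endorsing SpnegoContextToken. The function name `summarize`, the `cxf_4758` key and the embedded sample (a trimmed copy of the policy quoted above) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
BINDINGS = ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")

# Constructed sample: the policy quoted in the issue, trimmed to the relevant assertions.
SAMPLE = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:wsu="{WSU}"
    wsu:Id="CustomBinding_IOrganizationService_policy">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy>
        <sp:HttpsToken RequireClientCertificate="false"/>
      </wsp:Policy></sp:TransportToken>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:TransportBinding>
    <sp:EndorsingSupportingTokens><wsp:Policy>
      <sp:SpnegoContextToken><wsp:Policy/></sp:SpnegoContextToken>
    </wsp:Policy></sp:EndorsingSupportingTokens>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

def local(el):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return el.tag.rsplit("}", 1)[-1]

def summarize(xml_text):
    """Return one dict per policy alternative (wsp:All) found in the document."""
    root = ET.fromstring(xml_text)
    out = []
    for policy in root.iter(f"{{{WSP}}}Policy"):
        pid = policy.get(f"{{{WSU}}}Id")
        if pid is None:  # nested wsp:Policy wrappers carry no wsu:Id
            continue
        for alt in policy.iterfind(f"{{{WSP}}}ExactlyOne/{{{WSP}}}All"):
            binding = next((local(c) for c in alt if local(c) in BINDINGS), None)
            endorsing = [local(tok)
                         for est in alt.iterfind(f"{{{SP}}}EndorsingSupportingTokens")
                         for tok in est.iterfind(f"{{{WSP}}}Policy/*")]
            out.append({"policy": pid, "binding": binding, "endorsing": endorsing,
                        # the combination this issue reports failing on CXF 2.7.2
                        "cxf_4758": binding == "TransportBinding"
                                    and "SpnegoContextToken" in endorsing})
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```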