[ https://issues.apache.org/jira/browse/CXF-9167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18028604#comment-18028604 ]

Guillaume Bouchon commented on CXF-9167:
----------------------------------------

Hi [~coheigea] 

Thanks for your answer.

I provide more information below:

 

*Error: Unsupported KeyInfo type:*

I already set ws-security.is-bsp-compliant to false.

I get the error below when I receive a SOAP response with an X509Data KeyInfo:
{noformat}
jakarta.xml.ws.soap.SOAPFaultException: Unsupported KeyInfo type
    at org.apache.cxf.jaxws.JaxWsClientProxy.mapException(JaxWsClientProxy.java:195)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:145)
    at io.quarkiverse.cxf.QuarkusJaxWsProxyFactoryBean$QuarkusJaxWsClientProxy.invoke(QuarkusJaxWsProxyFactoryBean.java:171)
    at jdk.proxy6/jdk.proxy6.$Proxy151.get(Unknown Source)
    at lu.ctie.poc.MyAppV2$MyRunner.run(MyAppV2.java:67)
    at lu.ctie.poc.MyAppV2_MyRunner_Subclass.run$$superforward(Unknown Source)
    at lu.ctie.poc.MyAppV2_MyRunner_Subclass$$function$$1.apply(Unknown Source)
    at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:73)
    at io.quarkus.arc.impl.AroundInvokeInvocationContext.proceed(AroundInvokeInvocationContext.java:62)
    at io.quarkus.arc.impl.ActivateRequestContextInterceptor.invoke(ActivateRequestContextInterceptor.java:129)
    at io.quarkus.arc.impl.ActivateRequestContextInterceptor.aroundInvoke(ActivateRequestContextInterceptor.java:33)
    at io.quarkus.arc.impl.ActivateRequestContextInterceptor_Bean.intercept(Unknown Source)
    at io.quarkus.arc.impl.InterceptorInvocation.invoke(InterceptorInvocation.java:42)
    at io.quarkus.arc.impl.AroundInvokeInvocationContext.perform(AroundInvokeInvocationContext.java:30)
    at io.quarkus.arc.impl.InvocationContexts.performAroundInvoke(InvocationContexts.java:27)
    at lu.ctie.poc.MyAppV2_MyRunner_Subclass.run(Unknown Source)
    at lu.ctie.poc.MyAppV2_MyRunner_ClientProxy.run(Unknown Source)
    at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:141)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:80)
    at io.quarkus.runtime.Quarkus.run(Quarkus.java:51)
    at io.quarkus.runner.GeneratedMain.main(Unknown Source)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:580)
    at io.quarkus.runner.bootstrap.StartupActionImpl$1.run(StartupActionImpl.java:136)
    at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: Unsupported KeyInfo type
    at org.apache.wss4j.dom.util.X509Util.parseKeyValue(X509Util.java:139)
    at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:158)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:326)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:213)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:125)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:78)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:923)
    at io.quarkiverse.cxf.vertx.http.client.VertxHttpClientHTTPConduit$ResponseHandler.handle(VertxHttpClientHTTPConduit.java:1451)
    at io.quarkiverse.cxf.vertx.http.client.VertxHttpClientHTTPConduit$ResponseHandler.handle(VertxHttpClientHTTPConduit.java:1360)
    at io.quarkiverse.cxf.vertx.http.client.VertxHttpClientHTTPConduit$RequestBodyHandler$Mode$Sync.awaitResponse(VertxHttpClientHTTPConduit.java:1180)
    at io.quarkiverse.cxf.vertx.http.client.VertxHttpClientHTTPConduit$RequestBodyHandler.handle(VertxHttpClientHTTPConduit.java:635)
    at io.quarkiverse.cxf.vertx.http.client.VertxHttpClientHTTPConduit$RequestBodyHandler.handle(VertxHttpClientHTTPConduit.java:464)
    at io.quarkiverse.cxf.vertx.http.client.VertxHttpClientHTTPConduit$RequestBodyOutputStream.close(VertxHttpClientHTTPConduit.java:459)
    at org.apache.cxf.ext.logging.LoggingOutputStream.postClose(LoggingOutputStream.java:53)
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:243)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:717)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:441)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:356)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:314)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:140)
    ... 23 more
{noformat}
In SignatureProcessor ([https://github.com/apache/ws-wss4j/blob/master/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java]), X509Util is responsible for retrieving the public key but only handles a KeyInfo of type KeyValue (see [https://github.com/apache/ws-wss4j/blob/f6aa404aff0f36af8e9db8458448bc8fabe2a57e/ws-security-dom/src/main/java/org/apache/wss4j/dom/util/X509Util.java#L157]), even though underneath, Santuario handles X509Data KeyInfo (see [https://github.com/apache/santuario-xml-security-java/blob/f93ece134a6a3a5894779de2547f6efd1765242c/src/main/java/org/apache/jcp/xml/dsig/internal/dom/DOMKeyInfo.java#L120]).

So today, by default it's not possible to handle X509Data KeyInfo, which is logical because it is not BSP compliant.

 

*Error occurring before reaching the custom validator:*

SignatureProcessor ([https://github.com/apache/ws-wss4j/blob/master/ws-security-dom/src/main/java/org/apache/wss4j/dom/processor/SignatureProcessor.java]) is used to handle the signature and KeyInfo:

!image-2025-10-09-11-07-27-417.png!

In my case, because the X509Data KeyInfo is rejected at line 158 (see the previous explanation), the validator (line 163) is never reached.

So in my case, I cannot use a custom validator.

 

*Using a custom validator:*

It's suggested to add a custom validator, but, maybe I'm wrong, the only way to register a custom validator is to use the constructor WSS4JInInterceptor(Map<String, Object> properties), which is not available on {{PolicyBasedWSS4JInInterceptor}}.

So it's impossible with {{PolicyBasedWSS4JInInterceptor}} today.

 

*My solution today:*

I succeeded in handling my X509Data KeyInfo by:

- creating a new SignatureProcessor based on the current one: I added code to retrieve the public key stored in the X509Data KeyInfo and handle it as if it were a KeyValue KeyInfo.

- registering this new processor in {{PolicyBasedWSS4JInInterceptor}}: because the constructor WSS4JInInterceptor(Map<String, Object> properties) is not exposed, it's not an ideal solution, but I have no choice for now. I created a new {{PolicyBasedWSS4JInInterceptor}} by taking the current code and just adding the constructor:
{code:java}
import java.util.Map;

import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;

public class MyCustomPolicyBasedWSS4JInInterceptor extends WSS4JInInterceptor {

    /**
     * Adding the missing constructor: accept the WSS4J property map
     * (for example "wss4j.processor.map") and pass it to WSS4JInInterceptor.
     */
    public MyCustomPolicyBasedWSS4JInInterceptor(Map<String, Object> properties) {
        super(properties);
        setIgnoreActions(true);
    }

    // ... the rest of the code is identical to PolicyBasedWSS4JInInterceptor (see
    // https://github.com/apache/cxf/blob/a25cac6fef1adbb62d3511a9459bd2de78729c0f/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/PolicyBasedWSS4JInInterceptor.java)
}
{code}
 

*What can be enhanced:*

What I can suggest:

- avoiding creating MyCustomPolicyBasedWSS4JInInterceptor "just" to expose the constructor PolicyBasedWSS4JInInterceptor(Map<String, Object> properties): add this constructor directly to the existing PolicyBasedWSS4JInInterceptor, similar to what is done for WSS4JInInterceptor. It's about adding three lines of code to the current implementation.

- or maybe changing the code of SignatureProcessor to handle not only KeyValue KeyInfo but also X509Data KeyInfo natively.

In this case, my custom SignatureProcessor would not be necessary. But it is clearly not BSP compliant: the rule [https://docs.oasis-open.org/ws-brsp/BasicSecurityProfile/v1.1/cs01/BasicSecurityProfile-v1.1-cs01.html#_Toc396926219] would be violated. I don't think it's a good choice to add non-standard KeyInfo handling to CXF.

 

What do you think?

 

Regards
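
The following is an added example, not code from CXF-9167, from the reporter, or from the CXF/WSS4J projects. It shows the two things the comment above turns on: how a custom processor (or, through the same constructor, a custom validator) is registered on WSS4JInInterceptor via the "wss4j.processor.map" property, and the ds:X509Data to X509Certificate step that precedes any attempt to treat such a KeyInfo like a KeyValue. The custom processor here only identifies and validity-checks the certificate offered in the X509Data KeyInfo and then delegates to the stock SignatureProcessor, so the "Unsupported KeyInfo type" rejection (and WSS4J's own trust checks) are left in place; it does not reimplement signature verification as the reporter's copy of SignatureProcessor does. The class and method names (CustomProcessorRegistrationExample, X509DataAwareSignatureProcessor, certificateFromX509Data, wss4jProperties) and the properties file name are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

import javax.xml.namespace.QName;

import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.wss4j.common.ConfigurationConstants;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.dom.WSConstants;
import org.apache.wss4j.dom.engine.WSSecurityEngineResult;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.processor.SignatureProcessor;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Added example, not code from CXF-9167 or the CXF/WSS4J projects. Class, method
// and file names are assumptions made for illustration.
public class CustomProcessorRegistrationExample {

    private static final Logger LOG = Logger.getLogger(CustomProcessorRegistrationExample.class.getName());

    // QName of ds:Signature: the key under which WSS4J looks up the signature processor.
    static final QName DS_SIGNATURE = new QName(WSConstants.SIG_NS, WSConstants.SIG_LN);

    /** SignatureProcessor that reports which certificate a ds:X509Data KeyInfo carries. */
    public static class X509DataAwareSignatureProcessor extends SignatureProcessor {
        @Override
        public List<WSSecurityEngineResult> handleToken(Element signatureElement, RequestData data)
                throws WSSecurityException {
            X509Certificate offered = certificateFromX509Data(signatureElement);
            if (offered != null) {
                // The stock SignatureProcessor accepts ds:KeyValue (and the BSP token references)
                // but rejects this KeyInfo with "Unsupported KeyInfo type"; log the offered
                // signer first so the rejection is attributable to a concrete certificate.
                LOG.warning("ds:X509Data KeyInfo presented by subject=" + offered.getSubjectX500Principal()
                        + " serial=" + offered.getSerialNumber() + " notAfter=" + offered.getNotAfter());
            }
            return super.handleToken(signatureElement, data); // stock verification and trust checks
        }
    }

    /**
     * Returns the first ds:X509Certificate under ds:KeyInfo/ds:X509Data of the given
     * ds:Signature element, or null when the KeyInfo is of another type. Only the
     * certificate's own validity period is checked here; chain and trust validation
     * against the signature-verification Crypto stays with WSS4J and is not replaced.
     */
    static X509Certificate certificateFromX509Data(Element signatureElement) throws WSSecurityException {
        NodeList keyInfos = signatureElement.getElementsByTagNameNS(WSConstants.SIG_NS, "KeyInfo");
        if (keyInfos.getLength() == 0) {
            return null;
        }
        NodeList certs = ((Element) keyInfos.item(0)).getElementsByTagNameNS(WSConstants.SIG_NS, "X509Certificate");
        if (certs.getLength() == 0) {
            return null; // ds:KeyValue, wsse:SecurityTokenReference or similar: not an X509Data case
        }
        try {
            // The MIME decoder tolerates the line breaks usually present in a base64 certificate.
            byte[] der = Base64.getMimeDecoder().decode(certs.item(0).getTextContent());
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
            cert.checkValidity(); // expired or not-yet-valid signer certificates are rejected outright
            return cert;
        } catch (CertificateException | IllegalArgumentException e) {
            throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY_TOKEN, e);
        }
    }

    /** Property map that installs the custom processor for ds:Signature via "wss4j.processor.map". */
    static Map<String, Object> wss4jProperties(String sigVerPropFile) {
        Map<QName, Object> processors = new HashMap<>();
        processors.put(DS_SIGNATURE, new X509DataAwareSignatureProcessor());

        Map<String, Object> props = new HashMap<>();
        props.put(ConfigurationConstants.ACTION, ConfigurationConstants.SIGNATURE);
        props.put(ConfigurationConstants.SIG_VER_PROP_FILE, sigVerPropFile); // truststore for trust checks
        props.put(WSS4JInInterceptor.PROCESSOR_MAP, processors);
        return props;
    }

    /** Works today: the action-based interceptor takes the property map directly. */
    static WSS4JInInterceptor actionBasedInterceptor() {
        return new WSS4JInInterceptor(wss4jProperties("client-sig-verify.properties")); // assumed file name
    }

    // PolicyBasedWSS4JInInterceptor offers no Map<String, Object> constructor, so there is
    // no equivalent of actionBasedInterceptor() for policy-driven endpoints; adding that
    // constructor is what CXF-9167 asks for.
}
```

The processor map accepts either a Processor instance or a processor class per QName; an instance is used here so the same object can be unit-tested on a DOM fragment before it is wired into the interceptor. Keep the delegation to super.handleToken(): a processor that extracts a key from an unvalidated ds:X509Data and verifies the signature with it directly, without the trust check against the configured Crypto, would let any sender supply its own certificate and pass verification.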

 

 

> Enable Custom Processor Injection in PolicyBasedWSS4JInInterceptor
> ------------------------------------------------------------------
>
>                 Key: CXF-9167
>                 URL: https://issues.apache.org/jira/browse/CXF-9167
>             Project: CXF
>          Issue Type: Improvement
>          Components: WS-* Components
>    Affects Versions: 4.1.3
>            Reporter: Guillaume Bouchon
>            Priority: Minor
>         Attachments: image-2025-10-09-11-07-27-417.png
>
>
> {*}Description{*}:
> Dear CXF team,
> To integrate with a legacy service, I need to implement a custom 
> {{Processor}} based on {{{}SignatureProcessor{}}}. According to the 
> documentation (WS-Security - Apache CXF), this requires configuring the 
> {{WSS4JInInterceptor}} with a custom processor via the 
> {{"wss4j.processor.map"}} property.
> This setup works correctly when using {{{}WSS4JInInterceptor(Map<String, 
> Object> properties){}}}.
> However, in my case, I am using {{{}PolicyBasedWSS4JInInterceptor{}}}, which 
> extends {{WSS4JInInterceptor}} but does *not* expose the constructor that 
> accepts a {{{}Map<String, Object>{}}}. As a result, it is currently 
> *impossible* to inject a custom processor when using 
> {{{}PolicyBasedWSS4JInInterceptor{}}}.
> I am aware of a similar request made in the past (CXF-3706), but after 
> reviewing the current codebase, I can confirm that there is still no viable 
> way to achieve this with {{{}PolicyBasedWSS4JInInterceptor{}}}.
> {*}Request{*}:
> Would it be possible to add a constructor to 
> {{PolicyBasedWSS4JInInterceptor}} that accepts a {{Map<String, Object>}} 
> (similar to {{{}WSS4JInInterceptor{}}}) to allow custom processor injection?
> Thank you for your consideration.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
