Interoperability with WSIT problem: RampartException: Error in adding token into store
--------------------------------------------------------------------------------------

                 Key: RAMPART-329
                 URL: https://issues.apache.org/jira/browse/RAMPART-329
             Project: Rampart
          Issue Type: Bug
          Components: rampart-trust
    Affects Versions: 1.5
         Environment: Axis2 1.5.1
Metro 2.1
            Reporter: Rustam Abdullaev


The combination Axis2 (Rampart) service + Metro (WSIT) client doesn't work when 
using a SymmetricBinding policy. The cause is that Rampart caches all 
EncryptedKeys by their ID, assuming that these are UUIDs, while WSIT just 
assigns IDs that are unique within a single SOAP message, like "_1", "_2", etc.

As a consequence, only the first request succeeds, with all subsequent 
requests failing with:

org.apache.axis2.AxisFault: Error in adding token into store
        at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:70)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
        at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:429)
        at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:43)
        at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:100)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:176)
        at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
        at org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:278)
        at org.apache.axis2.transport.http.server.AxisHttpService.doService(AxisHttpService.java:281)
        at org.apache.axis2.transport.http.server.AxisHttpService.handleRequest(AxisHttpService.java:187)
        at org.apache.axis2.transport.http.server.HttpServiceProcessor.run(HttpServiceProcessor.java:82)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
        at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.rampart.RampartException: Error in adding token into store
        at org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:787)
        at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:424)
        at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:90)
        at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
        at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
        ... 14 more
(and, after patching Rampart not to swallow the root cause)
Caused by: org.apache.rahas.TrustException: "The token "_5002" already exists in the store
        at org.apache.rahas.SimpleTokenStore.add(SimpleTokenStore.java:65)
        at org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:782)
        ... 18 more

As can be seen, the first EncryptedKey with ID "_5002" couldn't be added to the 
store. That is because the WSIT request looks like:

{code:xml}
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
    <S:Header>
        <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/LoginService.LoginServicePortType</To>
        <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
        <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
        </ReplyTo>
        <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:be30f6b8-a756-4ef4-a2d4-ed79579ab73d</MessageID>
        <wsse:Security S:mustUnderstand="1">
            <wsu:Timestamp xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_5">
                <wsu:Created>2011-03-11T12:41:26Z</wsu:Created>
                <wsu:Expires>2011-03-11T12:46:26Z</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5002">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
                    <wsse:SecurityTokenReference>
                        <wsse:KeyIdentifier
                                ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">HYL371NzoOs2+IA24VDkBGcUFQM=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>U2P07ZSaepPHGlHuIHYZX9oL5Vrhy.......</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedKey>
            <wsc:DerivedKeyToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_3">
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#_5002"
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
                </wsse:SecurityTokenReference>
                <wsc:Offset>0</wsc:Offset>
                <wsc:Length>16</wsc:Length>
                <wsc:Nonce>XvWeqk48yU+hL9QA5+JzUeIM</wsc:Nonce>
            </wsc:DerivedKeyToken>
            <wsse:BinarySecurityToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                    wsu:Id="uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3">MIICTDCCAbUCBEbJZMQwDQ.........</wsse:BinarySecurityToken>
            <wsc:DerivedKeyToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_4">
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#_5002"
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
                </wsse:SecurityTokenReference>
                <wsc:Offset>0</wsc:Offset>
                <wsc:Length>16</wsc:Length>
                <wsc:Nonce>dZZ0MgLmAc+T9wBBxY7y/oDS</wsc:Nonce>
            </wsc:DerivedKeyToken>
            <xenc:ReferenceList xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope">
                <xenc:DataReference URI="#_5005" />
                <xenc:DataReference URI="#_5006" />
            </xenc:ReferenceList>
            <xenc:EncryptedData xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5006"
                    Type="http://www.w3.org/2001/04/xmlenc#Element">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
                <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#_4" />
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>ggGI89+Ajl2PytO/7NM3TeC/......</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedData>
            <ds:Signature xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_6">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <exc14n:InclusiveNamespaces PrefixList="wsse S" />
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <ds:Reference URI="#_1">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>yo9B6dCgG2r5JtJA0iOZPOQALBU=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>SGLHUTns15tib3gnll2H.....</ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </S:Header>
    <S:Body>
        <xenc:EncryptedData xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5005"
                Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#_4" />
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>Nf2O8yHO2Ls1bIDN2.....</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </S:Body>
</S:Envelope>
{code}

I believe that the problem lies on the Rampart side, as according to the OASIS 
standards SecurityKey IDs don't have to be unique across SOAP calls.
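The collision the report describes can be reproduced without Axis2 or Metro. The following is an added example, not code from the Rampart project or from the issue: it parses a constructed, minimal WSIT-style envelope (the real message above is far larger), extracts the per-message EncryptedKey Id and the WS-Addressing MessageID, and feeds several requests through a store that, like the reported SimpleTokenStore.add behaviour, rejects an Id it has already seen. Keying the store by the bare local Id fails from the second request onward; keying it by (MessageID, local Id), one possible mitigation assumed here and not the project's fix, keeps every request distinct. The TokenStore, envelope template and MessageIDs other than the one quoted in the report are constructed for this example.

```python
"""Added example (not Rampart code): per-message local Ids such as "_5002"
collide in a store keyed only by Id; scoping the key by MessageID avoids it."""
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed minimal envelope in the shape WSIT emits: the EncryptedKey Id is
# a message-local counter ("_5002") while the MessageID is a per-request uuid.
ENVELOPE_TEMPLATE = """<S:Envelope xmlns:S="{S}" xmlns:wsse="{wsse}" xmlns:xenc="{xenc}">
  <S:Header>
    <MessageID xmlns="{wsa}">uuid:{msgid}</MessageID>
    <wsse:Security>
      <xenc:EncryptedKey Id="_5002">
        <xenc:CipherData><xenc:CipherValue>{cipher}</xenc:CipherValue></xenc:CipherData>
      </xenc:EncryptedKey>
    </wsse:Security>
  </S:Header>
  <S:Body/>
</S:Envelope>"""


def build_request(msgid: str, cipher: str) -> str:
    """Render one constructed request; the cipher text is a placeholder."""
    return ENVELOPE_TEMPLATE.format(msgid=msgid, cipher=cipher, **NS)


class TokenExistsError(Exception):
    pass


class TokenStore:
    """Simulated store: adding a key that is already present is an error,
    mirroring the TrustException quoted in the report."""

    def __init__(self):
        self._tokens = {}

    def add(self, key, value):
        if key in self._tokens:
            raise TokenExistsError(f'The token "{key}" already exists in the store')
        self._tokens[key] = value

    def __len__(self):
        return len(self._tokens)


def extract_encrypted_key(envelope_xml: str):
    """Return (message_id, encrypted_key_id, cipher_value) from an envelope."""
    root = ET.fromstring(envelope_xml)
    msgid = root.find("S:Header/wsa:MessageID", NS).text
    ek = root.find("S:Header/wsse:Security/xenc:EncryptedKey", NS)
    cipher = ek.find("xenc:CipherData/xenc:CipherValue", NS).text
    return msgid, ek.get("Id"), cipher


def process_requests(requests, scope_by_message: bool):
    """Run each request through a fresh store and report "ok" or "error".

    scope_by_message=False keys the store by the bare local Id (the reported
    behaviour); True keys it by (MessageID, Id), the assumed mitigation."""
    store = TokenStore()
    outcomes = []
    for envelope in requests:
        msgid, local_id, cipher = extract_encrypted_key(envelope)
        key = (msgid, local_id) if scope_by_message else local_id
        try:
            store.add(key, cipher)
            outcomes.append("ok")
        except TokenExistsError:
            outcomes.append("error")
    return outcomes


# Three constructed requests; the first MessageID is the one from the report,
# the other two are made up. All three carry EncryptedKey Id="_5002".
SAMPLE_REQUESTS = [
    build_request("be30f6b8-a756-4ef4-a2d4-ed79579ab73d", "AAAA"),
    build_request("0f2b6f4e-1111-4aaa-9bbb-222233334444", "BBBB"),
    build_request("7c9d1e2f-5555-4ccc-8ddd-666677778888", "CCCC"),
]

if __name__ == "__main__":
    print("keyed by local Id:       ", process_requests(SAMPLE_REQUESTS, False))
    print("keyed by (MessageID, Id):", process_requests(SAMPLE_REQUESTS, True))
```

Scoping by MessageID is only one way to avoid the clash and assumes every request carries a unique wsa:MessageID; a store that removes the EncryptedKey entry once the message it belongs to has been fully processed would also stop later requests from tripping over a stale Id.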

