[ https://issues.apache.org/jira/browse/RAMPART-329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rustam Abdullaev updated RAMPART-329:
-------------------------------------

    Description: 
The combination Axis2 (Rampart) service + Metro (WSIT) client doesn't work when 
using the SymmetricBinding policy. The cause is that Rampart caches all 
EncryptedKeys by their ID, assuming that these are UUIDs, while WSIT just 
assigns IDs that are unique within a single SOAP message, like "_1", "_2", etc.

As a consequence, only the first request succeeds, with all subsequent 
requests failing with:

org.apache.axis2.AxisFault: Error in adding token into store
        at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:70)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
        at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:429)
        at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:43)
        at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:100)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:176)
        at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
        at org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:278)
        at org.apache.axis2.transport.http.server.AxisHttpService.doService(AxisHttpService.java:281)
        at org.apache.axis2.transport.http.server.AxisHttpService.handleRequest(AxisHttpService.java:187)
        at org.apache.axis2.transport.http.server.HttpServiceProcessor.run(HttpServiceProcessor.java:82)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
        at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
        at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.rampart.RampartException: Error in adding token into store
        at org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:787)
        at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:424)
        at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:90)
        at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
        at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
        ... 14 more
(and, after patching Rampart not to swallow the root cause)
Caused by: org.apache.rahas.TrustException: "The token "_5002" already exists in the store
        at org.apache.rahas.SimpleTokenStore.add(SimpleTokenStore.java:65)
        at org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:782)
        ... 18 more

As can be seen, the first EncryptedKey with ID "_5002" couldn't be added to the 
store. That is because the WSIT request looks like:

<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
        xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
        xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
        xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
    <S:Header>
        <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/LoginService.LoginServicePortType</To>
        <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
        <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
        </ReplyTo>
        <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:be30f6b8-a756-4ef4-a2d4-ed79579ab73d</MessageID>
        <wsse:Security S:mustUnderstand="1">
            <wsu:Timestamp xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_5">
                <wsu:Created>2011-03-11T12:41:26Z</wsu:Created>
                <wsu:Expires>2011-03-11T12:46:26Z</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5002">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
                <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
                    <wsse:SecurityTokenReference>
                        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
                                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">HYL371NzoOs2+IA24VDkBGcUFQM=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>U2P07ZSaepPHGlHuIHYZX9oL5Vrhy.......</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedKey>
            <wsc:DerivedKeyToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_3">
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#_5002"
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
                </wsse:SecurityTokenReference>
                <wsc:Offset>0</wsc:Offset>
                <wsc:Length>16</wsc:Length>
                <wsc:Nonce>XvWeqk48yU+hL9QA5+JzUeIM</wsc:Nonce>
            </wsc:DerivedKeyToken>
            <wsse:BinarySecurityToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                    wsu:Id="uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3">MIICTDCCAbUCBEbJZMQwDQ.........</wsse:BinarySecurityToken>
            <wsc:DerivedKeyToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_4">
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#_5002"
                            ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
                </wsse:SecurityTokenReference>
                <wsc:Offset>0</wsc:Offset>
                <wsc:Length>16</wsc:Length>
                <wsc:Nonce>dZZ0MgLmAc+T9wBBxY7y/oDS</wsc:Nonce>
            </wsc:DerivedKeyToken>
            <xenc:ReferenceList xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope">
                <xenc:DataReference URI="#_5005" />
                <xenc:DataReference URI="#_5006" />
            </xenc:ReferenceList>
            <xenc:EncryptedData xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5006"
                    Type="http://www.w3.org/2001/04/xmlenc#Element">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
                <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#_4" />
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>ggGI89+Ajl2PytO/7NM3TeC/......</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedData>
            <ds:Signature xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                    xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_6">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <exc14n:InclusiveNamespaces PrefixList="wsse S" />
                    </ds:CanonicalizationMethod>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <ds:Reference URI="#_1">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
                            </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <ds:DigestValue>yo9B6dCgG2r5JtJA0iOZPOQALBU=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>SGLHUTns15tib3gnll2H.....</ds:SignatureValue>
                <ds:KeyInfo>
                    <wsse:SecurityTokenReference>
                        <wsse:Reference URI="#uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3"
                                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
    </S:Header>
    <S:Body>
        <xenc:EncryptedData xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5005"
                Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#_4" />
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
                <xenc:CipherValue>Nf2O8yHO2Ls1bIDN2.....</xenc:CipherValue>
            </xenc:CipherData>
        </xenc:EncryptedData>
    </S:Body>
</S:Envelope>

I believe that the problem lies on the Rampart side, as according to the OASIS 
standards EncryptedKey IDs don't have to be unique across SOAP calls.
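The collision in the trace above, as an added editor's example (not Rampart's or WSIT's code): a cut-down, constructed WSIT-style request is parsed and fed first to a token store keyed the way the report describes (on the EncryptedKey Id alone) and then to one keyed on (MessageID, Id). The second key function only illustrates scoping the cache to the message; it is an assumption, not the fix Rampart actually applied, and the second MessageID and both CipherValues are constructed.

```python
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


def build_request(message_id, cipher_value):
    """Constructed, cut-down version of the WSIT request in the report: a fresh
    MessageID and fresh key material per call, but the EncryptedKey Id is the
    per-message counter value "_5002" every time, exactly as WSIT emits it."""
    return (
        f'<S:Envelope xmlns:S="{NS["S"]}" xmlns:wsse="{NS["wsse"]}" xmlns:xenc="{NS["xenc"]}">'
        "<S:Header>"
        f'<MessageID xmlns="{NS["wsa"]}">{message_id}</MessageID>'
        '<wsse:Security S:mustUnderstand="1">'
        '<xenc:EncryptedKey Id="_5002">'
        f"<xenc:CipherData><xenc:CipherValue>{cipher_value}</xenc:CipherValue></xenc:CipherData>"
        "</xenc:EncryptedKey>"
        "</wsse:Security>"
        "</S:Header>"
        "<S:Body/>"
        "</S:Envelope>"
    )


def extract_encrypted_key(xml_text):
    """Return (MessageID, EncryptedKey Id, CipherValue) from a SOAP envelope."""
    root = ET.fromstring(xml_text)
    message_id = root.findtext("S:Header/wsa:MessageID", namespaces=NS)
    ek = root.find("S:Header/wsse:Security/xenc:EncryptedKey", namespaces=NS)
    if message_id is None or ek is None or ek.get("Id") is None:
        raise ValueError("envelope lacks a MessageID or an EncryptedKey with an Id")
    cipher_value = ek.findtext("xenc:CipherData/xenc:CipherValue", namespaces=NS)
    return message_id, ek.get("Id"), cipher_value


class TokenExists(Exception):
    """Plays the role of the TrustException in the report."""


class TokenStore:
    """A minimal token cache; key_fn decides what makes two tokens 'the same'."""

    def __init__(self, key_fn):
        self._key_fn = key_fn
        self._tokens = {}

    def add(self, message_id, token_id, cipher_value):
        key = self._key_fn(message_id, token_id)
        if key in self._tokens:
            raise TokenExists(f'The token "{token_id}" already exists in the store')
        self._tokens[key] = cipher_value
        return key

    def __len__(self):
        return len(self._tokens)


def key_by_id(message_id, token_id):
    # The behaviour the report describes: the Id is assumed globally unique.
    return token_id


def key_by_message_and_id(message_id, token_id):
    # Assumed alternative for illustration: a per-message Id only needs to be
    # unique within its own message, so qualify it with the MessageID.
    return (message_id, token_id)


def process_requests(store, requests):
    """Feed each envelope to the store; return 'ok' or the error text per request."""
    results = []
    for xml_text in requests:
        message_id, token_id, cipher_value = extract_encrypted_key(xml_text)
        try:
            store.add(message_id, token_id, cipher_value)
            results.append("ok")
        except TokenExists as exc:
            results.append(str(exc))
    return results


# Constructed sample traffic: two consecutive requests from the same client.
SAMPLE_REQUESTS = [
    build_request("uuid:be30f6b8-a756-4ef4-a2d4-ed79579ab73d", "constructed-ciphertext-1"),
    build_request("uuid:constructed-second-message", "constructed-ciphertext-2"),
]

if __name__ == "__main__":
    for name, key_fn in (("Id only", key_by_id), ("(MessageID, Id)", key_by_message_and_id)):
        print(name, process_requests(TokenStore(key_fn), SAMPLE_REQUESTS))
```

A message-scoped cache grows by one entry per request, so a real store would also need expiry, which this example leaves out.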



> Interoperability with WSIT problem: RampartException: Error in adding token 
> into store
> --------------------------------------------------------------------------------------
>
>                 Key: RAMPART-329
>                 URL: https://issues.apache.org/jira/browse/RAMPART-329
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-trust
>    Affects Versions: 1.5
>         Environment: Axis2 1.5.1
> Metro 2.1
>            Reporter: Rustam Abdullaev
>
> The combination: Axis2(Rampart) Service + Metro(WSIT) Client doesn't work 
> when using SymmetricBinding policy. The cause is that Rampart caches all 
> EncryptedKey's by their ID, assuming that these are UUIDs, while WSIT just 
> assigns IDs that are unique within a single SOAP message, like "_1", "_2", 
> etc.
> As the consequence, only the first request succeeds, with all subsequent 
> requests failing with:
> org.apache.axis2.AxisFault: Error in adding token into store
>       at 
> org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:70)
>       at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
>       at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
>       at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:429)
>       at 
> org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:43)
>       at 
> org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:100)
>       at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:176)
>       at 
> org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
>       at 
> org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:278)
>       at 
> org.apache.axis2.transport.http.server.AxisHttpService.doService(AxisHttpService.java:281)
>       at 
> org.apache.axis2.transport.http.server.AxisHttpService.handleRequest(AxisHttpService.java:187)
>       at 
> org.apache.axis2.transport.http.server.HttpServiceProcessor.run(HttpServiceProcessor.java:82)
>       at 
> edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
>       at 
> edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
>       at java.lang.Thread.run(Thread.java:595)
> Caused by: org.apache.rampart.RampartException: Error in adding token into 
> store
>       at 
> org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:787)
>       at 
> org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:424)
>       at 
> org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:90)
>       at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
>       at 
> org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
>       ... 14 more
> (and, after patching Rampart not to swallow the root cause)
> Caused by: org.apache.rahas.TrustException: "The token "_5002" already exists 
> in the store
>       at org.apache.rahas.SimpleTokenStore.add(SimpleTokenStore.java:65)
>       at 
> org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:782)
>       ... 18 more
> As can be seen, the first EncryptedKey with ID "_5002" couldn't be added to 
> the store. That is because WSIT request looks like:
> <?xml version='1.0' encoding='UTF-8'?>
> <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:xs="http://www.w3.org/2001/XMLSchema"
>     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>     xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
>     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>     xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
>   <S:Header>
>     <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/LoginService.LoginServicePortType</To>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>     </ReplyTo>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:be30f6b8-a756-4ef4-a2d4-ed79579ab73d</MessageID>
>     <wsse:Security S:mustUnderstand="1">
>       <wsu:Timestamp xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_5">
>         <wsu:Created>2011-03-11T12:41:26Z</wsu:Created>
>         <wsu:Expires>2011-03-11T12:46:26Z</wsu:Expires>
>       </wsu:Timestamp>
>       <xenc:EncryptedKey xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5002">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>         <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
>           <wsse:SecurityTokenReference>
>             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
>                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">HYL371NzoOs2+IA24VDkBGcUFQM=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>U2P07ZSaepPHGlHuIHYZX9oL5Vrhy.......</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedKey>
>       <wsc:DerivedKeyToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_3">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#_5002"
>               ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
>         </wsse:SecurityTokenReference>
>         <wsc:Offset>0</wsc:Offset>
>         <wsc:Length>16</wsc:Length>
>         <wsc:Nonce>XvWeqk48yU+hL9QA5+JzUeIM</wsc:Nonce>
>       </wsc:DerivedKeyToken>
>       <wsse:BinarySecurityToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope"
>           ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>           EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>           wsu:Id="uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3">MIICTDCCAbUCBEbJZMQwDQ.........</wsse:BinarySecurityToken>
>       <wsc:DerivedKeyToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_4">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#_5002"
>               ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
>         </wsse:SecurityTokenReference>
>         <wsc:Offset>0</wsc:Offset>
>         <wsc:Length>16</wsc:Length>
>         <wsc:Nonce>dZZ0MgLmAc+T9wBBxY7y/oDS</wsc:Nonce>
>       </wsc:DerivedKeyToken>
>       <xenc:ReferenceList xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope">
>         <xenc:DataReference URI="#_5005" />
>         <xenc:DataReference URI="#_5006" />
>       </xenc:ReferenceList>
>       <xenc:EncryptedData xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5006"
>           Type="http://www.w3.org/2001/04/xmlenc#Element">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>         <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#_4" />
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>ggGI89+Ajl2PytO/7NM3TeC/......</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedData>
>       <ds:Signature xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_6">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <exc14n:InclusiveNamespaces PrefixList="wsse S" />
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>           <ds:Reference URI="#_1">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <ds:DigestValue>yo9B6dCgG2r5JtJA0iOZPOQALBU=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>SGLHUTns15tib3gnll2H.....</ds:SignatureValue>
>         <ds:KeyInfo>
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3"
>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </S:Header>
>   <S:Body>
>     <xenc:EncryptedData xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>         xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5005"
>         Type="http://www.w3.org/2001/04/xmlenc#Content">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>       <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#_4" />
>         </wsse:SecurityTokenReference>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue>Nf2O8yHO2Ls1bIDN2.....</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </S:Body>
> </S:Envelope>
> I believe that the problem lies on the Rampart side, as according to OASIS
> standards EncryptedKey IDs don't have to be unique across SOAP calls.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
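As an added illustration of the collision the report describes (example code, not Rampart or WSIT code), the following Python contrasts a token store keyed on the bare EncryptedKey Id with one scoped by the WS-Addressing MessageID; the envelope it builds is a constructed, cut-down version of the request above, and the "uuid:constructed-N" MessageIDs are likewise made up.

```python
# Added example (not Rampart/WSIT code): a token store keyed on the bare Id of an
# EncryptedKey rejects every WSIT request after the first; scoping the key by the
# WS-Addressing MessageID keeps per-message IDs like "_5002" from colliding.
import xml.etree.ElementTree as ET
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

def wsit_request(message_id: str) -> str:
    # Constructed, cut-down envelope shaped like the WSIT request above:
    # the EncryptedKey is always Id="_5002"; only the MessageID changes.
    return f"""<S:Envelope xmlns:S="{NS['S']}" xmlns:wsse="{NS['wsse']}"
      xmlns:xenc="{NS['xenc']}" xmlns:wsa="{NS['wsa']}">
  <S:Header><wsa:MessageID>{message_id}</wsa:MessageID>
    <wsse:Security S:mustUnderstand="1">
      <xenc:EncryptedKey Id="_5002"><xenc:CipherData>
        <xenc:CipherValue>Y29uc3RydWN0ZWQ=</xenc:CipherValue>
      </xenc:CipherData></xenc:EncryptedKey>
    </wsse:Security></S:Header><S:Body/></S:Envelope>"""

def encrypted_key_id(envelope: str) -> tuple:
    # Return (MessageID, EncryptedKey Id) taken from the Security header.
    root = ET.fromstring(envelope)
    mid = root.find("S:Header/wsa:MessageID", NS).text
    ek = root.find("S:Header/wsse:Security/xenc:EncryptedKey", NS)
    return mid, ek.get("Id")

class TokenStore:
    """Mimics SimpleTokenStore.add(): a duplicate key is refused outright."""
    def __init__(self, scope_by_message: bool):
        self.scope_by_message, self._tokens = scope_by_message, set()
    def add(self, envelope: str) -> None:
        mid, token_id = encrypted_key_id(envelope)
        key = (mid, token_id) if self.scope_by_message else token_id
        if key in self._tokens:
            raise ValueError(f'The token "{token_id}" already exists in the store')
        self._tokens.add(key)

def process_requests(scope_by_message: bool, n: int = 3) -> list:
    # Outcome ("ok" or the error text) of n WSIT-style calls against one store.
    store, outcomes = TokenStore(scope_by_message), []
    for i in range(n):
        try:
            store.add(wsit_request(f"uuid:constructed-{i}"))
            outcomes.append("ok")
        except ValueError as e:
            outcomes.append(str(e))
    return outcomes
```

Keying on the bare Id also gives no replay protection, since WSIT repeats those IDs by design; a per-message discriminator such as the MessageID (or the Timestamp and nonce) is the value a store should scope on.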
