Hi everybody,
I am trying to test SymmetricBinding but the following exception is thrown:

com.mycompany.wsstack.client.api.WSClientException: org.apache.axis2.AxisFault: Unexpected encrypted data found, no encryption required
    at com.mycompany.wsstack.client.impl.WSStaxClientImpl.sendReceive(WSStaxClientImpl.java:133)
    at com.mycompany.wsstack.samples.SampleSymClient.invokeWebService(SampleSymClient.java:69)
    at com.mycompany.wsstack.samples.SampleSymClient.main(SampleSymClient.java:30)
Caused by: org.apache.axis2.AxisFault: Unexpected encrypted data found, no encryption required
    at org.apache.axis2.util.Utils.getInboundFaultFromMessageContext(Utils.java:486)
    at org.apache.axis2.description.OutInAxisOperationClient.handleResponse(OutInAxisOperation.java:343)
    at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:389)
    at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:211)
    at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
    at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
    at com.mycompany.wsstack.client.impl.WSStaxClientImpl.sendReceive(WSStaxClientImpl.java:129)
    ... 2 more

I am not sure how Rampart works in this case. AFAIK, in SymmetricBinding one
derived key is used, but generated by whom? I mean, somehow the initiator and
the recipient use an ephemeral key generated from something, but I do not know
from what. Can you provide me some information on how this works? Does it use
the X509? Which one, the client's or the service's X509? I have read the thread
"DerivedKeys in SymmetricBinding", but I did not get the whole thing.

I suppose I should have <sp:RequireDerivedKeys wsp:Optional="true" /> in my
policy or what?

I am applying the services.xml and the SOAP request used in my test scenario
that causes the exception:

<?xml version="1.0" encoding="UTF-8"?>
<serviceGroup>
  <service name="HelloPojo">
    <description>Web Service HelloPojo</description>
    <parameter name="ServiceClass">com.mycompany.wsstack.pojo.HelloPojo</parameter>
    <messageReceivers>
      <messageReceiver
        class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"
        mep="http://www.w3.org/2004/08/wsdl/in-out"/>
    </messageReceivers>
    <operation name="sayHello"/>
    <wsp:Policy wsu:Id="User defined"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:ProtectionToken>
                <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                    <wsp:Policy>
                      <sp:WssX509V3Token10/>
                      <sp:RequireDerivedKeys/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:ProtectionToken>
              <sp:AlgorithmSuite xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                <wsp:Policy>
                  <sp:Basic128/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Strict/>
                </wsp:Policy>
              </sp:Layout>
              <sp:IncludeTimestamp/>
            </wsp:Policy>
          </sp:SymmetricBinding>
          <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Policy>
              <sp:MustSupportRefKeyIdentifier/>
              <sp:MustSupportRefIssuerSerial/>
            </sp:Policy>
          </sp:Wss10>
          <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:UsernameToken
                sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"
                xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"/>
            </wsp:Policy>
          </sp:SignedSupportingTokens>
          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user>service</ramp:user>
            <ramp:encryptionUser>client</ramp:encryptionUser>
            <ramp:passwordCallbackClass>com.mycompany.wsstack.pwcb.PasswordCallbackHandler</ramp:passwordCallbackClass>
            <ramp:signatureCrypto>
              <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">D:\Downloads\Rampart\wsstack\keystores\Latest\service.jks</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">openssl</ramp:property>
              </ramp:crypto>
            </ramp:signatureCrypto>
            <ramp:encryptionCypto>
              <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">D:\Downloads\Rampart\wsstack\keystores\Latest\service.jks</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">openssl</ramp:property>
              </ramp:crypto>
            </ramp:encryptionCypto>
          </ramp:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
    <module ref="addressing"/>
    <module ref="rampart"/>
  </service>
</serviceGroup>

The SOAP request:

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
    <soapenv:Header>
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            soapenv:mustUnderstand="1">
            <wsu:Timestamp
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="Timestamp-2159683">
                <wsu:Created>2007-10-15T15:36:27.890Z</wsu:Created>
                <wsu:Expires>2007-10-15T15:41:27.890Z</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey Id="EncKeyId-9715140">
                <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference>
                        <wsse:KeyIdentifier
                            EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                            ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">9kbwRNyMypNWhulx0JkHVOFvRB8=</wsse:KeyIdentifier>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <xenc:CipherData>
                    <xenc:CipherValue>yVF0LVhaRDpq6THxi8xM9ohkC78h2FOCIGk3xbTtj2/qZPr3vxrOjZRs3XRG1sTNNXaQ9+Y7a+SPSSvkr5dzVe07zAREqzSmmQB7z+PqN0BHtCOHts3WIuEaqa0YC+Yh6IqCYD+prByHlLFBc8ann/uHU3XRXPDdhMD3p/A8dnI=</xenc:CipherValue>
                </xenc:CipherData>
            </xenc:EncryptedKey>
            <wsc:DerivedKeyToken
                xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="derivedKeyId-27929635">
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#EncKeyId-9715140"/>
                </wsse:SecurityTokenReference>
                <wsc:Length>16</wsc:Length>
                <wsc:Nonce>s68mX1Sw7HY1iB1WA01tIQ==</wsc:Nonce>
                <wsc:Offset>0</wsc:Offset>
            </wsc:DerivedKeyToken>
            <xenc:ReferenceList/>
            <wsse:UsernameToken
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="UsernameToken-19488744">
                <wsse:Username>vmtest</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">vmtest</wsse:Password>
            </wsse:UsernameToken>
            <wsc:DerivedKeyToken
                xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                wsu:Id="derivedKeyId-6302571">
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#EncKeyId-9715140"/>
                </wsse:SecurityTokenReference>
                <wsc:Length>16</wsc:Length>
                <wsc:Nonce>aybJB/39TU/T5x/t02HEDw==</wsc:Nonce>
                <wsc:Offset>0</wsc:Offset>
            </wsc:DerivedKeyToken>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                Id="Signature-18895884">
                <ds:SignedInfo>
                    <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
                    <ds:Reference URI="#Timestamp-2159683">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>tEaDQDl9rHt/PbM7Hk0wYD873UQ=</ds:DigestValue>
                    </ds:Reference>
                    <ds:Reference URI="#UsernameToken-19488744">
                        <ds:Transforms>
                            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>/M3Stuy2ughWIXL2L205fJzABGM=</ds:DigestValue>
                    </ds:Reference>
                </ds:SignedInfo>
                <ds:SignatureValue>9yyO+zJHrBT02Ieq1ex7Dp4ztUE=</ds:SignatureValue>
                <ds:KeyInfo Id="KeyId-10994782">
                    <wsse:SecurityTokenReference
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                        wsu:Id="STRId-5057266">
                        <wsse:Reference URI="#derivedKeyId-6302571"/>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
            </ds:Signature>
        </wsse:Security>
        <wsa:To>http://localhost:8082/wsstack/services/HelloPojo</wsa:To>
        <wsa:MessageID>urn:uuid:C8D4C8876748A3FA131
f3
192462587646</wsa:MessageID>
        <wsa:Action>urn:sayHello</wsa:Action>
    </soapenv:Header>
    <soapenv:Body>
        <xsd:echo xmlns:xsd="http://pojo.wsstack.mycompany.com">
            <xsd:echoMessage>everybody!</xsd:echoMessage>
        </xsd:echo>
    </soapenv:Body>
</soapenv:Envelope>




Best Regards,
Dobri
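
Added example, not part of the original post and not Rampart code: both wsc:DerivedKeyToken elements in the request above point at #EncKeyId-9715140, so each key is computed from the one ephemeral secret that the sender generated and wrapped with rsa-oaep-mgf1p for the certificate named by the wsse:KeyIdentifier. The sketch runs the WS-SecureConversation (2005/02) default derivation, P_SHA-1 over label + nonce, on the two posted tokens; EPHEMERAL_SECRET is a constructed stand-in because the real secret can only be unwrapped with the recipient's private key, and the function names are hypothetical.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WSC = "http://schemas.xmlsoap.org/ws/2005/02/sc"
# Default label from WS-SecureConversation (2005/02), used when wsc:Label is absent.
DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"

# The two DerivedKeyToken elements from the posted request, trimmed to the
# fields that feed the derivation (wsu:Id is carried as a plain Id attribute).
TOKENS_XML = f"""<Security xmlns:wsc="{WSC}">
  <wsc:DerivedKeyToken Id="derivedKeyId-27929635">
    <wsc:Length>16</wsc:Length><wsc:Nonce>s68mX1Sw7HY1iB1WA01tIQ==</wsc:Nonce>
    <wsc:Offset>0</wsc:Offset>
  </wsc:DerivedKeyToken>
  <wsc:DerivedKeyToken Id="derivedKeyId-6302571">
    <wsc:Length>16</wsc:Length><wsc:Nonce>aybJB/39TU/T5x/t02HEDw==</wsc:Nonce>
    <wsc:Offset>0</wsc:Offset>
  </wsc:DerivedKeyToken>
</Security>"""

# Constructed stand-in for the 128-bit secret inside xenc:EncryptedKey (assumption).
EPHEMERAL_SECRET = bytes(range(16))

def p_sha1(secret, seed, length):
    """P_SHA-1 from RFC 2246 section 5: HMAC-SHA1 expansion of secret over seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def derive_keys(tokens_xml, secret):
    """Return {token Id: derived key bytes} for every wsc:DerivedKeyToken."""
    keys = {}
    for tok in ET.fromstring(tokens_xml).iter(f"{{{WSC}}}DerivedKeyToken"):
        nonce = base64.b64decode(tok.findtext(f"{{{WSC}}}Nonce"))
        label = (tok.findtext(f"{{{WSC}}}Label") or "").encode() or DEFAULT_LABEL
        offset = int(tok.findtext(f"{{{WSC}}}Offset") or 0)
        length = int(tok.findtext(f"{{{WSC}}}Length") or 32)  # spec default is 32
        stream = p_sha1(secret, label + nonce, offset + length)
        keys[tok.get("Id")] = stream[offset:offset + length]
    return keys

if __name__ == "__main__":
    for token_id, key in derive_keys(TOKENS_XML, EPHEMERAL_SECRET).items():
        print(token_id, key.hex())
```

The two nonces yield two unrelated 16-byte keys from the same secret; in the posted message the ds:Signature KeyInfo references derivedKeyId-6302571.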
