Hopefully someone else can answer your question, but AFAICT Username + Encryption is largely redundant, because you still need to sign your SOAP request with the client's private key to make sure that the request hasn't been altered in transit[1]. And since you're signing, the server will already have your public key, so they would know who you are--a username/password would not be necessary.
BTW, the cryptic message "Unexpected number of X509Data:..." has been fixed in the latest WSS4J (although I don't know what it now says, but as I understand it is more comprehensible.)

Glen

[1] http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the

ChristianD wrote:
>
> Hi there,
>
> as the subject says, I have problems to get my web service running with
> encryption and username token activated. But when I only use encryption
> everything is fine.
>
> Here is my config for the server:
>
> 1) cxf.xml:
> <jaxws:inInterceptors>
>   <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>     <constructor-arg>
>       <map>
>         <entry key="action" value="Encrypt UsernameToken" />
>         <entry key="decryptionPropFile" value="server.properties" />
>         <entry key="passwordCallbackClass" value="de.sms_stiewi.services.PwCallbackHandler" />
>       </map>
>     </constructor-arg>
>   </bean>
> </jaxws:inInterceptors>
>
> 2) server.properties:
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.alias=serveralias
> org.apache.ws.security.crypto.merlin.keystore.password=serversecret
> org.apache.ws.security.crypto.merlin.file=serverkeystore.jks
>
> 3) PwCallbackHandler Class:
> public class PwCallbackHandler implements CallbackHandler {
>     public void handle(Callback[] callbacks) throws IOException,
>             UnsupportedCallbackException {
>         WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
>
>         if (passwordCallback.getIdentifer().equals("Anonymous")) {
>             passwordCallback.setPassword("secret");
>         }
>     }
> }
>
>
> And here the configuration for the client to test it:
>
> 1) Interceptor configuration:
> WSS4JOutInterceptor wss4jOutInterceptor = new WSS4JOutInterceptor();
> wss4jOutInterceptor.setProperty(WSHandlerConstants.ACTION,
>     WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.ENCRYPT);
> wss4jOutInterceptor.setProperty(WSHandlerConstants.USER, "Anonymous");
> wss4jOutInterceptor.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS,
>     "de.sms_stiewi.services.PwCallbackHandler");
> wss4jOutInterceptor.setProperty(WSHandlerConstants.ENC_PROP_FILE,
>     "client.properties");
>
> 2) client.properties:
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.alias=clientalias
> org.apache.ws.security.crypto.merlin.keystore.password=clientsecret
> org.apache.ws.security.crypto.merlin.file=clientkeystore.jks
>
> 3) PwCallbackHandler Class:
> public class PwCallbackHandler implements CallbackHandler {
>     public void handle(Callback[] callbacks) throws IOException,
>             UnsupportedCallbackException {
>         WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
>
>         passwordCallback.setPassword("secret");
>     }
> }
>
> But if I run the client, I get the following Exception:
> org.apache.cxf.binding.soap.SoapFault: Security processing failed.
>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:234)
>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:107)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
>     at $Proxy46.importiereKlrStammdaten(Unknown Source)
>     at de.sms_stiewi.services.MainClient.main(MainClient.java:37)
> Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Encryption: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Encryption)
>     at org.apache.ws.security.action.EncryptionAction.execute(EncryptionAction.java:65)
>     at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:219)
>     ... 8 more
>
> When I only use encryption, I had to set the USER property of the
> out-interceptor to the alias in the keystore (e.g. "clientalias"). But
> when I do this with UsernameToken activated, I get the following
> Exception:
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General security error (WSSecurityEngine: Callback supplied no password for: serveralias)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:199)
>     at $Proxy46.importiereKlrStammdaten(Unknown Source)
>     at de.sms_stiewi.services.MainClient.main(MainClient.java:37)
> Caused by: org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: serveralias)
>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:70)
>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:449)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2029)
>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1865)
>     at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>     at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:170)
>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:593)
>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
>     ... 2 more
>
> If someone can help me, I would be very thankful.
>
> Greetings
> Christian
>

--
View this message in context: http://www.nabble.com/Problems-using-encryption-together-with-username-token-tp19953282p19966539.html
Sent from the cxf-user mailing list archive at Nabble.com.
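
Added example, not part of the original thread and not code from CXF or WSS4J: both exceptions quoted above come from one name being used for two roles. WSS4J uses USER as the encryption certificate alias unless WSHandlerConstants.ENCRYPTION_USER is set, and the server's callback handler is asked for the private-key password of its keystore alias as well as for the UsernameToken password. The class names UsernameTokenPlusEncryption and ServerCallbackHandler, the key password placeholder, the presence of the server certificate under "serveralias" in clientkeystore.jks, and the default (digest) UsernameToken password type are assumptions.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

public class UsernameTokenPlusEncryption {   // hypothetical class name

    // Client: USER is the UsernameToken identity; ENCRYPTION_USER is the keystore
    // alias whose certificate encrypts the session key. Without ENCRYPTION_USER,
    // WSS4J looks up a certificate for "Anonymous" and fails with the X509Data error.
    public static WSS4JOutInterceptor clientOutInterceptor() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION,
                WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.ENCRYPT);
        props.put(WSHandlerConstants.USER, "Anonymous");
        // Assumption: the server certificate was imported into clientkeystore.jks
        // under the alias "serveralias".
        props.put(WSHandlerConstants.ENCRYPTION_USER, "serveralias");
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS,
                "de.sms_stiewi.services.PwCallbackHandler");
        props.put(WSHandlerConstants.ENC_PROP_FILE, "client.properties");
        return new WSS4JOutInterceptor(props);
    }

    // Server: answer per usage and identifier instead of for one fixed name.
    public static class ServerCallbackHandler implements CallbackHandler {
        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                String id = pc.getIdentifer(); // method spelling as used in the thread
                if (pc.getUsage() == WSPasswordCallback.DECRYPT && "serveralias".equals(id)) {
                    // Private-key password for the decryption key (constructed placeholder).
                    pc.setPassword("KEY_PASSWORD_PLACEHOLDER");
                } else if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN
                        && "Anonymous".equals(id)) {
                    pc.setPassword("secret"); // compared by WSS4J against the digest sent
                }
                // Any other identifier gets no password, so WSS4J rejects the message.
            }
        }
    }
}
```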
