Hold on a sec -- you don't need to sign a message if you don't want to, right? In other words, you could just encrypt the UsernameToken element using the public key of the server, and there'd be no need to sign anything (hence possess a private key).

Note that you'll also want some sort of timestamp or nonce in the UsernameToken, since the encrypted token would be completely replayable. You'd also want some detection of replay in the server, which you'll need to do yourself, since neither WSS4J nor CXF does that for you.

You do care about replay attacks, right?

-Fred
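The server-side check Fred describes (a nonce and Created timestamp in the token, with replay detection done by the server itself because WSS4J/CXF do not do it), as an added example that is not part of this thread and is not CXF or WSS4J code. It is written as standalone verifier logic rather than as a CXF interceptor, so it is in Python; the user table, the freshness window sizes and the SOAP messages it verifies are constructed for the example. It goes slightly beyond the thread in that it also recomputes the PasswordDigest, which is what binds the nonce and Created to the password:

```python
"""UsernameToken verification with freshness window and nonce cache.

Added example (not from the thread, CXF or WSS4J).  Digest layout follows the
WS-Security UsernameToken Profile 1.0:
    PasswordDigest = Base64(SHA-1(nonce + created + password))
USERS, the window sizes and the messages in demo() are constructed here.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST_TYPE = ("http://docs.oasis-open.org/wss/2004/01/"
               "oasis-200401-wss-username-token-profile-1.0#PasswordDigest")
USERS = {"Anonymous": "secret"}  # assumed user store; the digest needs the clear password


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest as defined in the UsernameToken Profile 1.0."""
    raw = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def _parse_created(created: str) -> datetime:
    """wsu:Created is an xsd:dateTime in UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(created, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unparseable Created: %r" % created)


class UsernameTokenVerifier:
    def __init__(self, users, max_age=timedelta(minutes=5), max_skew=timedelta(minutes=1)):
        self.users = users
        self.max_age = max_age    # how old a Created may be
        self.max_skew = max_skew  # tolerated client clock drift into the future
        self._seen = {}           # nonce -> time after which it can be forgotten

    def _purge(self, now: datetime) -> None:
        # A nonce only needs remembering while its Created would still pass the
        # freshness check; dropping older entries keeps the cache bounded.
        for nonce in [n for n, exp in self._seen.items() if exp <= now]:
            del self._seen[nonce]

    def verify(self, soap_xml: str, now: datetime) -> str:
        """Return the authenticated username or raise ValueError with the reason."""
        tok = ET.fromstring(soap_xml).find(".//{%s}UsernameToken" % WSSE)
        if tok is None:
            raise ValueError("no UsernameToken")
        username = tok.findtext("{%s}Username" % WSSE)
        pw_el = tok.find("{%s}Password" % WSSE)
        nonce_el = tok.find("{%s}Nonce" % WSSE)
        created = tok.findtext("{%s}Created" % WSU)
        if pw_el is None or nonce_el is None or not nonce_el.text or not created:
            raise ValueError("token lacks Password, Nonce or Created")
        if pw_el.get("Type") != DIGEST_TYPE:
            raise ValueError("only PasswordDigest is accepted")
        # 1. Freshness: a replay from outside the window already fails here.
        created_ts = _parse_created(created)
        if created_ts > now + self.max_skew:
            raise ValueError("Created lies in the future")
        if now - created_ts > self.max_age:
            raise ValueError("token too old")
        # 2. Digest check with a constant-time compare.
        password = self.users.get(username)
        if password is None:
            raise ValueError("unknown user")
        nonce = base64.b64decode(nonce_el.text)
        expected = password_digest(nonce, created, password).encode("ascii")
        if not hmac.compare_digest(expected, (pw_el.text or "").encode("utf-8")):
            raise ValueError("bad password digest")
        # 3. Replay: the same nonce seen again inside the window is rejected.
        self._purge(now)
        if nonce in self._seen:
            raise ValueError("replayed nonce")
        self._seen[nonce] = created_ts + self.max_age + self.max_skew
        return username


def build_message(username: str, password: str, nonce: bytes, created: str) -> str:
    """Constructed client message for the demo (a real client lets WSS4J build it)."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header>'
        '<wsse:Security xmlns:wsse="%s" xmlns:wsu="%s"><wsse:UsernameToken>'
        '<wsse:Username>%s</wsse:Username><wsse:Password Type="%s">%s</wsse:Password>'
        '<wsse:Nonce>%s</wsse:Nonce><wsu:Created>%s</wsu:Created>'
        '</wsse:UsernameToken></wsse:Security></soap:Header><soap:Body/></soap:Envelope>'
        % (WSSE, WSU, username, DIGEST_TYPE, password_digest(nonce, created, password),
           base64.b64encode(nonce).decode("ascii"), created)
    )


def demo():
    """Fresh token, replay of that token 10 s later, stale token, wrong password."""
    now = datetime(2008, 10, 14, 12, 0, 0, tzinfo=timezone.utc)
    v = UsernameTokenVerifier(USERS)
    cases = [
        (build_message("Anonymous", "secret", b"\x01" * 16, "2008-10-14T11:59:30Z"), now),
        (build_message("Anonymous", "secret", b"\x01" * 16, "2008-10-14T11:59:30Z"), now + timedelta(seconds=10)),
        (build_message("Anonymous", "secret", b"\x02" * 16, "2008-10-14T11:00:00.000Z"), now),
        (build_message("Anonymous", "wrong", b"\x03" * 16, "2008-10-14T11:59:45Z"), now),
    ]
    results = []
    for msg, at in cases:
        try:
            results.append("ok:" + v.verify(msg, at))
        except ValueError as e:
            results.append("rejected:" + str(e))
    return results
```

The nonce cache only has to hold nonces for max_age + max_skew; anything older is rejected by the timestamp check regardless, so the cache stays bounded without losing protection. In a real deployment the cache must be shared across server instances (or the nonce scoped per node), since a replay against a different node would otherwise succeed.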

On Oct 13, 2008, at 11:34 PM, Glen Mazza wrote:


Hopefully someone else can answer your question, but AFAICT Username + Encryption is largely redundant, because you still need to sign your SOAP request with the client's private key to make sure that the request hasn't been altered in transit[1].  And since you're signing, the server will already have your public key, so they would know who you are--a username/password would not be necessary.

BTW, the cryptic message "Unexpected number of X509Data:..." has been fixed in the latest WSS4J (although I don't know what it now says, as I understand it is more comprehensible.)

Glen

[1] http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the


ChristianD wrote:

Hi there,

As the subject says, I have problems getting my web service running with encryption and UsernameToken activated. But when I only use encryption, everything is fine.

Here is my config for the server:

1) cxf.xml:
<jaxws:inInterceptors>
    <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="Encrypt UsernameToken" />
                <entry key="decryptionPropFile" value="server.properties" />
                <entry key="passwordCallbackClass"
                       value="de.sms_stiewi.services.PwCallbackHandler" />
            </map>
        </constructor-arg>
    </bean>
</jaxws:inInterceptors>

2) server.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=serveralias
org.apache.ws.security.crypto.merlin.keystore.password=serversecret
org.apache.ws.security.crypto.merlin.file=serverkeystore.jks

3) PwCallbackHandler Class:
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PwCallbackHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback passwordCallback = (WSPasswordCallback) cb;
            // getIdentifer() (WSS4J 1.5 spelling) is the user name or key alias
            // the password is being requested for. Only the UsernameToken user
            // is answered here; any other identifier is left without a password.
            if ("Anonymous".equals(passwordCallback.getIdentifer())) {
                passwordCallback.setPassword("secret");
            }
        }
    }
}


And here the configuration for the client to test it:

1) Interceptor configuration:
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

WSS4JOutInterceptor wss4jOutInterceptor = new WSS4JOutInterceptor();
wss4jOutInterceptor.setProperty(WSHandlerConstants.ACTION,
        WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.ENCRYPT);
wss4jOutInterceptor.setProperty(WSHandlerConstants.USER, "Anonymous");
wss4jOutInterceptor.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS,
        "de.sms_stiewi.services.PwCallbackHandler");
wss4jOutInterceptor.setProperty(WSHandlerConstants.ENC_PROP_FILE, "client.properties");

2) client.properties:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=clientalias
org.apache.ws.security.crypto.merlin.keystore.password=clientsecret
org.apache.ws.security.crypto.merlin.file=clientkeystore.jks

3) PwCallbackHandler Class:
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

public class PwCallbackHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            // The same password is returned whatever identifier WSS4J asks for
            // (UsernameToken user or keystore alias).
            ((WSPasswordCallback) cb).setPassword("secret");
        }
    }
}

But if I run the client, I get the following Exception:
org.apache.cxf.binding.soap.SoapFault: Security processing failed.
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:234)
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:107)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
        at $Proxy46.importiereKlrStammdaten(Unknown Source)
        at de.sms_stiewi.services.MainClient.main(MainClient.java:37)
Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Encryption: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Encryption)
        at org.apache.ws.security.action.EncryptionAction.execute(EncryptionAction.java:65)
        at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:219)
        ... 8 more

When I only use encryption, I had to set the USER property of the
out-interceptor to the alias in the keystore (e.g. "clientalias"). But
when I do this with UsernameToken activated, I get the following
Exception:
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General security error (WSSecurityEngine: Callback supplied no password for: serveralias)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:199)
        at $Proxy46.importiereKlrStammdaten(Unknown Source)
        at de.sms_stiewi.services.MainClient.main(MainClient.java:37)
Caused by: org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: serveralias)
        at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:70)
        at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
        at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
        at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
        at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:449)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2029)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1865)
        at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
        at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:170)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:593)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
        ... 2 more

If someone can help me, I would be very thankful.

Greetings
Christian


--
View this message in context: 
http://www.nabble.com/Problems-using-encryption-together-with-username-token-tp19953282p19966539.html
Sent from the cxf-user mailing list archive at Nabble.com.

