Well the point is that the client doesn't need to identify itself cause this service only runs on intranet. So I don't need to be afraid of replay attacks (well in my opinion if there are replay attacks something goes wrong there).

Why I have to use UsernameToken is that there were problems on the client side to get access to the web service without a username. I told him just to call the service with the given password from PwCallbackHandler. But he said he couldn't access it. So I had to get a username token so he can access it. (atm I am waiting for the result)

Well, on Monday I made it working with a workaround. I just set ALL passwords and alias/user (in code and in keystores) equal. I don't mean password=alias but every password is the same and alias/user too. I don't like this solution but it is only for tests at the moment.

I will give the jroller site a try. Thx for the link. Will tell you more if I have news for you.

Christian


Fred Dushin-3 wrote:
>
> Hold on a sec -- you don't need to sign a message, if you don't want
> to, right? In other words, you could just encrypt the UsernameToken
> element using the public key of the server, and there'd be no need to
> sign anything (hence possess a private key).
>
> Note that you'll also want some sort of timestamp or nonce in the
> UsernameToken, since the encrypted token would be completely
> replayable. You'd also want some detection of replay in the server,
> which you'll need to do yourself, since neither WSS4J nor CXF does
> that for you.
>
> You do care about replay attacks, right?
>
> -Fred
>
> On Oct 13, 2008, at 11:34 PM, Glen Mazza wrote:
>
>>
>> Hopefully someone else can answer your question, but AFAICT Username +
>> Encryption is largely redundant, because you still need to sign your SOAP
>> request with the client's private key to make sure that the request hasn't
>> been altered in transit[1]. And since you're signing, the server will
>> already have your public key, so they would know who you are--a
>> username/password would not be necessary.
>>
>> BTW, the cryptic message "Unexpected number of X509Data:..." has been fixed
>> in the latest WSS4J (although I don't know what it now says, but as I
>> understand it is more comprehensible.)
>>
>> Glen
>>
>> [1] http://www.jroller.com/gmazza/entry/implementing_ws_security_with_the
>>
>>
>> ChristianD wrote:
>>>
>>> Hi there,
>>>
>>> as the subject says, I have problems to get my web service running with
>>> encryption and username token activated. But when I only use encryption
>>> everything is fine.
>>>
>>> Here is my config for the server:
>>>
>>> 1) cxf.xml:
>>> <jaxws:inInterceptors>
>>>     <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>>>         <constructor-arg>
>>>             <map>
>>>                 <entry key="action" value="Encrypt UsernameToken" />
>>>                 <entry key="decryptionPropFile" value="server.properties" />
>>>                 <entry key="passwordCallbackClass" value="de.sms_stiewi.services.PwCallbackHandler" />
>>>             </map>
>>>         </constructor-arg>
>>>     </bean>
>>> </jaxws:inInterceptors>
>>>
>>> 2) server.properties:
>>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>>> org.apache.ws.security.crypto.merlin.keystore.type=jks
>>> org.apache.ws.security.crypto.merlin.keystore.alias=serveralias
>>> org.apache.ws.security.crypto.merlin.keystore.password=serversecret
>>> org.apache.ws.security.crypto.merlin.file=serverkeystore.jks
>>>
>>> 3) PwCallbackHandler Class:
>>> public class PwCallbackHandler implements CallbackHandler {
>>>     public void handle(Callback[] callbacks) throws IOException,
>>>             UnsupportedCallbackException {
>>>         WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
>>>
>>>         if (passwordCallback.getIdentifer().equals("Anonymous")) {
>>>             passwordCallback.setPassword("secret");
>>>         }
>>>     }
>>> }
>>>
>>>
>>> And here the configuration for the client to test it:
>>>
>>> 1) Interceptor configuration:
>>> WSS4JOutInterceptor wss4jOutInterceptor = new WSS4JOutInterceptor();
>>> wss4jOutInterceptor.setProperty(WSHandlerConstants.ACTION,
>>>         WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.ENCRYPT);
>>> wss4jOutInterceptor.setProperty(WSHandlerConstants.USER, "Anonymous");
>>> wss4jOutInterceptor.setProperty(WSHandlerConstants.PW_CALLBACK_CLASS,
>>>         "de.sms_stiewi.services.PwCallbackHandler");
>>> wss4jOutInterceptor.setProperty(WSHandlerConstants.ENC_PROP_FILE, "client.properties");
>>>
>>> 2) client.properties:
>>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>>> org.apache.ws.security.crypto.merlin.keystore.type=jks
>>> org.apache.ws.security.crypto.merlin.keystore.alias=clientalias
>>> org.apache.ws.security.crypto.merlin.keystore.password=clientsecret
>>> org.apache.ws.security.crypto.merlin.file=clientkeystore.jks
>>>
>>> 3) PwCallbackHandler Class:
>>> public class PwCallbackHandler implements CallbackHandler {
>>>     public void handle(Callback[] callbacks) throws IOException,
>>>             UnsupportedCallbackException {
>>>         WSPasswordCallback passwordCallback = (WSPasswordCallback) callbacks[0];
>>>
>>>         passwordCallback.setPassword("secret");
>>>     }
>>> }
>>>
>>> But if I run the client, I get the following Exception:
>>> org.apache.cxf.binding.soap.SoapFault: Security processing failed.
>>>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:234)
>>>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:107)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
>>>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>>>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
>>>     at $Proxy46.importiereKlrStammdaten(Unknown Source)
>>>     at de.sms_stiewi.services.MainClient.main(MainClient.java:37)
>>> Caused by: org.apache.ws.security.WSSecurityException: WSHandler: Encryption: error during message processingorg.apache.ws.security.WSSecurityException: General security error (Unexpected number of X509Data: for Encryption)
>>>     at org.apache.ws.security.action.EncryptionAction.execute(EncryptionAction.java:65)
>>>     at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:197)
>>>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:47)
>>>     at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:219)
>>>     ... 8 more
>>>
>>> When I only use encryption, I had to set the USER property of the
>>> out-interceptor to the alias in the keystore (e.g. "clientalias"). But
>>> when I do this with UsernameToken activated, I get the following Exception:
>>> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General security error (WSSecurityEngine: Callback supplied no password for: serveralias)
>>>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:199)
>>>     at $Proxy46.importiereKlrStammdaten(Unknown Source)
>>>     at de.sms_stiewi.services.MainClient.main(MainClient.java:37)
>>> Caused by: org.apache.cxf.binding.soap.SoapFault: General security error (WSSecurityEngine: Callback supplied no password for: serveralias)
>>>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:70)
>>>     at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>>>     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
>>>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>>>     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>>>     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:449)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2029)
>>>     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1865)
>>>     at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>>>     at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:170)
>>>     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
>>>     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:593)
>>>     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:220)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:296)
>>>     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:242)
>>>     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>>>     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:178)
>>>     ... 2 more
>>>
>>> If someone can help me, I would be very thankful.
>>>
>>> Greetings
>>> Christian
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/Problems-using-encryption-together-with-username-token-tp19953282p19966539.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
>
>

--
View this message in context: http://www.nabble.com/Problems-using-encryption-together-with-username-token-tp19953282p19988593.html
Sent from the cxf-user mailing list archive at Nabble.com.
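The thread's handlers answer every password request with the same value, and the workaround described above pushes that further by making every password and alias identical. WSS4J tells the callback what it is asking for through WSPasswordCallback.getUsage(): a UsernameToken password and the password that unlocks a private key in the keystore are different requests, and "Callback supplied no password for: serveralias" is the message WSS4J produces when the handler returns without setting a password for the identifier it was asked about. The example below is added here and is not code from the thread or from CXF/WSS4J: it is a handler that branches on the usage, and a client interceptor that keeps the UsernameToken user (USER) separate from the alias of the certificate used for encryption (ENCRYPTION_USER). The aliases and passwords are the thread's own placeholders, the server certificate is assumed to be imported into the client keystore under "serveralias", and getIdentifer() is the spelling of the accessor in the WSS4J 1.5 API the thread uses.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * Added example (not from the thread): one callback handler usable on both
 * sides of the exchange. It inspects WSPasswordCallback.getUsage() to tell a
 * UsernameToken request apart from a request for a keystore key password,
 * so no password has to be shared between the two roles.
 */
public class UsageAwarePwCallbackHandler implements CallbackHandler {

    // Constructed sample data: UsernameToken users and their passwords.
    private static final Map<String, String> USER_PASSWORDS = new HashMap<String, String>();
    // Constructed sample data: private-key password per keystore alias.
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();

    static {
        USER_PASSWORDS.put("Anonymous", "secret");
        KEY_PASSWORDS.put("serveralias", "serversecret");
        KEY_PASSWORDS.put("clientalias", "clientsecret");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            String id = pc.getIdentifer(); // accessor spelling of the WSS4J 1.5 API used in the thread
            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // Client: password used to build the token. Server, digest
                    // passwords: WSS4J recomputes the digest from this value.
                    String userPassword = USER_PASSWORDS.get(id);
                    if (userPassword != null) {
                        pc.setPassword(userPassword);
                    }
                    break;
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // Server, plain-text passwords: WSS4J hands over the password
                    // it received and leaves verification to the handler.
                    String expected = USER_PASSWORDS.get(id);
                    String supplied = pc.getPassword();
                    if (expected == null || supplied == null
                            || !MessageDigest.isEqual(expected.getBytes("UTF-8"), supplied.getBytes("UTF-8"))) {
                        throw new IOException("UsernameToken rejected for user " + id);
                    }
                    break;
                case WSPasswordCallback.DECRYPT:
                case WSPasswordCallback.SIGNATURE:
                    // Password that unlocks the private key stored under this alias.
                    String keyPassword = KEY_PASSWORDS.get(id);
                    if (keyPassword != null) {
                        pc.setPassword(keyPassword);
                    }
                    break;
                default:
                    // Leave the password unset: WSS4J then rejects the message
                    // ("Callback supplied no password for: ...") rather than
                    // accepting it with a guessed credential.
                    break;
            }
        }
    }

    /**
     * Client-side interceptor: USER names the UsernameToken principal, while
     * ENCRYPTION_USER names the alias of the server certificate in the keystore
     * referenced by client.properties (assumed to be imported as "serveralias").
     */
    public static WSS4JOutInterceptor clientOutInterceptor() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION,
                WSHandlerConstants.USERNAME_TOKEN + " " + WSHandlerConstants.ENCRYPT);
        props.put(WSHandlerConstants.USER, "Anonymous");
        props.put(WSHandlerConstants.ENCRYPTION_USER, "serveralias");
        // Digest passwords carry the Nonce and Created elements that a
        // replay check on the server needs.
        props.put(WSHandlerConstants.PASSWORD_TYPE, WSConstants.PW_DIGEST);
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS, UsageAwarePwCallbackHandler.class.getName());
        props.put(WSHandlerConstants.ENC_PROP_FILE, "client.properties");
        return new WSS4JOutInterceptor(props);
    }
}
```

On the server the same class can be given as passwordCallbackClass in cxf.xml; the decryption request then arrives with usage DECRYPT and identifier "serveralias", and the token check with usage USERNAME_TOKEN (or USERNAME_TOKEN_UNKNOWN for plain-text passwords) and identifier "Anonymous", so each is answered from its own table.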
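Fred's point that an encrypted UsernameToken is replayable unless it carries a nonce or timestamp, and that neither WSS4J nor CXF checks for replay, can be addressed with a small server-side cache. The class below is an added example, not code from the thread or from either project: it accepts a token's Nonce and Created values, rejects a Created outside a freshness window (with the same tolerance in both directions for clock skew), and rejects a nonce it has already seen. Plugging it into a CXF interceptor that runs after WSS4JInInterceptor and extracts the token from the security results is assumed and not shown; the nonce value in main is constructed sample data.

```java
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not from the thread): replay detection for the Nonce and
 * Created elements of a UsernameToken. Nonces are remembered for twice the
 * freshness window, which is as long as a token with the same Created could
 * still pass the freshness check given the skew tolerance.
 */
public class UsernameTokenReplayCache {

    private final long freshnessWindowMillis;
    // Insertion-ordered by arrival time, so the oldest entries come first.
    private final Map<String, Long> seenNonces = new LinkedHashMap<String, Long>();

    public UsernameTokenReplayCache(long freshnessWindowMillis) {
        this.freshnessWindowMillis = freshnessWindowMillis;
    }

    /**
     * Returns true if the token may be accepted; false if either element is
     * missing, Created lies outside the freshness window, or the nonce has
     * already been presented.
     */
    public synchronized boolean accept(String nonceBase64, Date created, Date now) {
        if (nonceBase64 == null || created == null) {
            return false; // both elements are required for a replay check
        }
        long age = now.getTime() - created.getTime();
        if (age > freshnessWindowMillis || age < -freshnessWindowMillis) {
            return false; // stale, or too far in the future
        }
        evictExpired(now.getTime());
        if (seenNonces.containsKey(nonceBase64)) {
            return false; // same nonce presented a second time
        }
        seenNonces.put(nonceBase64, now.getTime());
        return true;
    }

    private void evictExpired(long nowMillis) {
        Iterator<Map.Entry<String, Long>> it = seenNonces.entrySet().iterator();
        while (it.hasNext()) {
            if (nowMillis - it.next().getValue() > 2 * freshnessWindowMillis) {
                it.remove();
            } else {
                break; // entries are in arrival order, so the rest are newer
            }
        }
    }

    public static void main(String[] args) {
        UsernameTokenReplayCache cache = new UsernameTokenReplayCache(5 * 60 * 1000L);
        Date now = new Date();
        String nonce = "8h+r3nE1kQ4BzC0a2Vk5Xw=="; // constructed sample nonce
        System.out.println("first presentation accepted: " + cache.accept(nonce, now, now));
        System.out.println("replay accepted: " + cache.accept(nonce, now, now));
        Date stale = new Date(now.getTime() - 60 * 60 * 1000L);
        System.out.println("hour-old token accepted: " + cache.accept("another==", stale, now));
    }
}
```

The first call in main is accepted, the second is refused as a replay of the same nonce, and the third is refused because its Created is an hour old. The window size is the operational knob: it must exceed the clock skew between client and server, and the cache holds at most as many nonces as arrive in two windows.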
