This definitely sounds like a bug (or collection of bugs). Is there any
chance you could create a small "Hello World" type test case that shows this
and attach it to a JIRA? That's definitely the best way for me to get a
test case up and running to see how hard it is to fix.

Thanks!
Dan


On Thu July 23 2009 12:01:26 pm Paweł Lipka wrote:
> Hi,
>
> I have a secure WS that is described by a WS-Policy document that's
> pasted below.
> Policy A is attached to the wsdl:binding while policy B is attached to
> the wsdl:input,wsdl:output and wsdl:fault
>
> When my WS throws a soap fault there's a couple of problems:
> 1) the soap:Body element is not encrypted
> 2) the soap:Body element is not signed
> 3) the WS client fails to validate the WS-Security header with the
> that's also pasted below.
>
> The problem seems to be in the way CXF handles WS-Security header using
> the PolicyBasedWSS4JInterceptor.
> When the response arrives it passes through the in interceptor chain and
> the encrypted parts are decrypted. The way wss4j handles decryption is
> that it replaces the xmlenc:EncryptedData element in the SOAP document
> with the decrypted content but it does not remove the corresponding
> xmlenc:ReferenceData/xmlenc:DataReference element from the Security
> header. After decryption is done some other interceptor detects that the
> message is actually a fault and triggers the inFault interceptor chain.
>
> The inFault interceptor chain again contains the
> PolicyBasedWSS4JInterceptor and it should contain it since not all the
> policy assertions have been asserted by the 'in' chain. (e.g.
> UsingAddressing  assertion).
> The PolicyBasedWSS4JInterceptor runs wss4j again on a document that has
> already been decrypted and fails with the error below because the
> xmlenc:ReferenceData/xmlenc:DataReference elements point to nothing.
>
> Has anyone ever hit a problem like that? Is there any workaround for
> that (other than changing the WS-Policy document)?
>
> thanks in advance,
>
> 7038 [main] WARN org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor  -
> org.apache.ws.security.WSSecurityException: An error was discovered
> processing the <wsse:Security> header (WSSecurityEngine: DataReference -
> referenced data not found)
>       at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:141)
>       at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:113)
>       at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:76)
>       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
>       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
>       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:179)
>       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>       at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
>       at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
>       at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:645)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2132)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2015)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1940)
>       at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>       at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:180)
>       at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
>       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
>       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:471)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:301)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:253)
>       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:121)
>       at $Proxy38.sendMessage(Unknown Source)
>
> <wsp:Policy wsu:Id="A">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:X509Token
>                   sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys />
>                   <sp:RequireThumbprintReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic128 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>           <sp:EncryptSignature />
>           <sp:OnlySignEntireHeadersAndBody />
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>       <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:X509Token
>               sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:RequireThumbprintReference />
>               <sp:WssX509V3Token10 />
>             </wsp:Policy>
>           </sp:X509Token>
>         </wsp:Policy>
>       </sp:EndorsingSupportingTokens>
>       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier />
>           <sp:MustSupportRefIssuerSerial />
>           <sp:MustSupportRefThumbprint />
>           <sp:MustSupportRefEncryptedKey />
>           <sp:RequireSignatureConfirmation />
>         </wsp:Policy>
>       </sp:Wss11>
>       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens />
>           <sp:RequireClientEntropy />
>           <sp:RequireServerEntropy />
>         </wsp:Policy>
>       </sp:Trust10>
>       <wsaw:UsingAddressing />
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="B">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body />
>         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
>         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
>       </sp:SignedParts>
>       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body />
>       </sp:EncryptedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>

-- 
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
