On Fri July 24 2009 9:28:00 am Paweł Lipka wrote:
> I filed a bug and attached a maven project with the test to it.
> https://issues.apache.org/jira/browse/CXF-2356

Fixed on trunk and 2.2.x branch. Thanks. If we ever manage to get hudson
running well enough to get snapshots, you could try it, but the 2.2.3 release
should be built next week as well.

Dan

>
> thanks,
>
> On Thu, 2009-07-23 at 14:59 -0400, Daniel Kulp wrote:
> > This definitely sounds like a bug (or collection of bugs). Is there any
> > chance you could create a small "Hello World" type test case that shows
> > this and attach it to a JIRA? That's definitely the best way for me to
> > get a test case up and running to see how hard it is to fix.
> >
> > Thanks!
> > Dan
> >
> > On Thu July 23 2009 12:01:26 pm Paweł Lipka wrote:
> > > Hi,
> > >
> > > I have a secure WS that is described by a WS-Policy document that's
> > > pasted below.
> > > Policy A is attached to the wsdl:binding while policy B is attached to
> > > the wsdl:input, wsdl:output and wsdl:fault
> > >
> > > When my WS throws a soap fault there's a couple of problems:
> > > 1) the soap:Body element is not encrypted
> > > 2) the soap:Body element is not signed
> > > 3) the WS client fails to validate the WS-Security header with the
> > > error that's also pasted below.
> > >
> > > The problem seems to be in the way CXF handles WS-Security header using
> > > the PolicyBasedWSS4JInterceptor.
> > > When the response arrives it passes through the in interceptor chain
> > > and the encrypted parts are decrypted. The way wss4j handles decryption
> > > is that it replaces the xmlenc:EncryptedData element in the SOAP
> > > document with the decrypted content but it does not remove the
> > > corresponding xmlenc:ReferenceData/xmlenc:DataReference element from
> > > the Security header. After decryption is done some other interceptor
> > > detects that the message is actually a fault and triggers the inFault
> > > interceptor chain.
> > >
> > > The inFault interceptor chain again contains the
> > > PolicyBasedWSS4JInterceptor and it should contain it since not all the
> > > policy assertions have been asserted by the 'in' chain. (e.g.
> > > UsingAddressing assertion).
> > > The PolicyBasedWSS4JInterceptor runs wss4j again on a document that has
> > > already been decrypted and fails with the error below because the
> > > xmlenc:ReferenceData/xmlenc:DataReference elements point to nothing.
> > >
> > > Has anyone ever hit a problem like that? Is there any workaround for
> > > that (other than changing the WS-Policy document)?
> > >
> > > thanks in advance,
> > >
> > > 7038 [main] WARN org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor -
> > > org.apache.ws.security.WSSecurityException: An error was discovered
> > > processing the <wsse:Security> header (WSSecurityEngine: DataReference
> > > - referenced data not found)
> > >     at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:141)
> > >     at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:113)
> > >     at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:76)
> > >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
> > >     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
> > >     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:179)
> > >     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
> > >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
> > >     at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
> > >     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
> > >     at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
> > >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
> > >     at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:645)
> > >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2132)
> > >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2015)
> > >     at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1940)
> > >     at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
> > >     at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:180)
> > >     at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
> > >     at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
> > >     at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> > >     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
> > >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:471)
> > >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:301)
> > >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:253)
> > >     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> > >     at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:121)
> > >     at $Proxy38.sendMessage(Unknown Source)
> > >
> > > <wsp:Policy wsu:Id="A">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >         <wsp:Policy>
> > >           <sp:ProtectionToken>
> > >             <wsp:Policy>
> > >               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> > >                 <wsp:Policy>
> > >                   <sp:RequireDerivedKeys />
> > >                   <sp:RequireThumbprintReference />
> > >                   <sp:WssX509V3Token10 />
> > >                 </wsp:Policy>
> > >               </sp:X509Token>
> > >             </wsp:Policy>
> > >           </sp:ProtectionToken>
> > >           <sp:AlgorithmSuite>
> > >             <wsp:Policy>
> > >               <sp:Basic128 />
> > >             </wsp:Policy>
> > >           </sp:AlgorithmSuite>
> > >           <sp:Layout>
> > >             <wsp:Policy>
> > >               <sp:Strict />
> > >             </wsp:Policy>
> > >           </sp:Layout>
> > >           <sp:IncludeTimestamp />
> > >           <sp:EncryptSignature />
> > >           <sp:OnlySignEntireHeadersAndBody />
> > >         </wsp:Policy>
> > >       </sp:SymmetricBinding>
> > >       <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >         <wsp:Policy>
> > >           <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > >             <wsp:Policy>
> > >               <sp:RequireThumbprintReference />
> > >               <sp:WssX509V3Token10 />
> > >             </wsp:Policy>
> > >           </sp:X509Token>
> > >         </wsp:Policy>
> > >       </sp:EndorsingSupportingTokens>
> > >       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >         <wsp:Policy>
> > >           <sp:MustSupportRefKeyIdentifier />
> > >           <sp:MustSupportRefIssuerSerial />
> > >           <sp:MustSupportRefThumbprint />
> > >           <sp:MustSupportRefEncryptedKey />
> > >           <sp:RequireSignatureConfirmation />
> > >         </wsp:Policy>
> > >       </sp:Wss11>
> > >       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >         <wsp:Policy>
> > >           <sp:MustSupportIssuedTokens />
> > >           <sp:RequireClientEntropy />
> > >           <sp:RequireServerEntropy />
> > >         </wsp:Policy>
> > >       </sp:Trust10>
> > >       <wsaw:UsingAddressing />
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > > <wsp:Policy wsu:Id="B">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >         <sp:Body />
> > >         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
> > >         <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
> > >         <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > >         <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > >         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
> > >         <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > >         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
> > >       </sp:SignedParts>
> > >       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >         <sp:Body />
> > >       </sp:EncryptedParts>
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>

-- 
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
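
Added example, not part of the original thread and not CXF or WSS4J code: a Python check that inspects a SOAP envelope for the conditions reported above, namely a DataReference in the Security header whose EncryptedData target is no longer in the document, and a soap:Body that is neither encrypted nor signed. It uses the XML Encryption element names ReferenceList/DataReference and assumes SOAP 1.1; audit_envelope, _envelope and both sample messages are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def audit_envelope(xml_text):
    """Report dangling DataReferences and whether soap:Body is encrypted and signed."""
    # For messages from untrusted peers, parse with a hardened parser (e.g. defusedxml).
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", NS)
    if body is None:
        raise ValueError("no soap:Body in envelope")
    security = root.find("soap:Header/wsse:Security", NS)
    # Ids of the EncryptedData elements still present anywhere in the message.
    encrypted_ids = {e.get("Id") for e in root.iter("{%s}EncryptedData" % NS["xenc"])}
    refs, signed_uris = [], set()
    if security is not None:
        refs = [r.get("URI", "") for r in security.iter("{%s}DataReference" % NS["xenc"])]
        signed_uris = {r.get("URI", "") for r in security.iter("{%s}Reference" % NS["ds"])}
    body_id = body.get(WSU_ID)
    return {
        # A reference whose target is gone is what a second decryption pass fails on.
        "dangling_refs": [u for u in refs if u.lstrip("#") not in encrypted_ids],
        "body_encrypted": body.find("xenc:EncryptedData", NS) is not None,
        "body_signed": body_id is not None and "#" + body_id in signed_uris,
    }

def _envelope(security_xml, body_attrs, body_xml):
    """Build a constructed sample envelope (hypothetical helper)."""
    return ('<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" '
            'xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s">' % NS
            + "<soap:Header><wsse:Security>%s</wsse:Security></soap:Header>" % security_xml
            + "<soap:Body %s>%s</soap:Body></soap:Envelope>" % (body_attrs, body_xml))

# Constructed samples: ids and content are made up for this example.
REF_LIST = '<xenc:ReferenceList><xenc:DataReference URI="#ED-1"/></xenc:ReferenceList>'
SIGNATURE = '<ds:Signature><ds:SignedInfo><ds:Reference URI="#body-1"/></ds:SignedInfo></ds:Signature>'
PROTECTED = _envelope(REF_LIST + SIGNATURE, 'wsu:Id="body-1"', '<xenc:EncryptedData Id="ED-1"/>')
# Fault after a first decryption pass: plaintext body, stale reference left in the header.
DECRYPTED_FAULT = _envelope(REF_LIST, "",
    "<soap:Fault><faultcode>soap:Server</faultcode><faultstring>constructed</faultstring></soap:Fault>")
```

The check only looks at document structure; it does not verify signature values or decrypt anything.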
