Hi Dennis,

thanks for your answer. I had already read your tutorial yesterday, and I 
appreciate it very much. I also understand your point. Actually, I also started 
with IncludeToken/Never; since it did not work and in the debugger I observed 
that CXF seemed to look for a key in the message, I just gave IncludeToken/Always a 
chance. But of course you are right, so now I have changed it back to 
IncludeToken/Never.

But the error message is still the same. Do you have another idea?

By the way, I am using CXF 2.3.3 on JBoss 6.0.0.

I just ran my project again with the new WS Policy as you suggested. I also 
took the "sp:wss11 requireX" elements from your tutorial. In the debugger I 
observe the null pointer at line 306 in the variable "el". Another thing which 
caught my attention is the variable "sigTokId", which has the value 
"EncKeyId-8B70239588B0833C2A13007760532912". This value is also the wsu:Id of a 
binary security token I found in the SOAP request of the client.

Below I will attach the policy and the security header from the SOAP request. I 
appreciate your help very much.

David

WS Policy:


<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
</wsp:Policy>
</sp:Wss11>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>


WS Security Header from client request:


<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
soap:mustUnderstand="true">

<wsse:BinarySecurityToken
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="8B70239588B0833C2A13007760527761">MIIB/TCCAWagAwIBAgIETYdFJTANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJkZTETMBEGA1UEChMKZmhoYW5ub3ZlcjEQMA4GA1UECxMHZGFzaW1vZDENMAsGA1UEAxMEcGF5ZDAeFw0xMTAzMjExMjMxMzNaFw0xMTA2MTkxMjMxMzNaMEMxCzAJBgNVBAYTAmRlMRMwEQYDVQQKEwpmaGhhbm5vdmVyMRAwDgYDVQQLEwdkYXNpbW9kMQ0wCwYDVQQDEwRwYXlkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTSwg37D8D0oD3Bo93tjh85doxCZL7jaBTIUc9LpUKSWQMrHwTNqL5BefNjzs5vEtpXg2IEiX9YOIoIrRg3YawXaJ+IUOko+LX6Dmtlx72FxTIyCl/t6g+StBimgDqUnMtEVlzy2uf6uE0qr3aeOQbJdBTk286ivqDEa9ht10vnwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACVn6CCm2vSyUcR3ISUDl6VkZ/GfO9BuenVKQmuabxrra/MLcEL9kD/5Z+CDHHKd2GCj0LpjPZCTy1FAhP9o6vkoaDX6bjg1uNdhmE4g7JOpNkVH00tNTNvDShLYSU5KG6xaYZT3PlzR7p9NTTkRDyS3EqJVUdpLa5N+xeI3vS61</wsse:BinarySecurityToken>
<wsu:Timestamp
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Timestamp-3"><wsu:Created>2011-03-22T06:40:52.683Z</wsu:Created><wsu:Expires>2011-03-22T06:45:52.683Z</wsu:Expires></wsu:Timestamp>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="EncKeyId-8B70239588B0833C2A13007760532912">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
URI="#8B70239588B0833C2A13007760527761"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>XI/e+PVeGQw1qTMwKi54NnXr/gkGBPDR4uGYqGVlGSk7wWSeaANcy3MmFGrPGqa3/2c9SHR2IPGb74hoFOh5T1p3SVrve039lyeS/UA7dz1EHL1szkCDXSnyZtA/H+U18DhRa8YqLOdwqBDhBwqYS6JKLqZ//A7kYN8GLLRaesE=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<wsc:DerivedKeyToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="derivedKeyId-4">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
URI="#EncKeyId-8B70239588B0833C2A13007760532912"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
</wsse:SecurityTokenReference>
<wsc:Offset>0</wsc:Offset>
<wsc:Length>16</wsc:Length>
<wsc:Nonce>zVgwmIFHU8Gjlo6C3YDZLg==</wsc:Nonce>
</wsc:DerivedKeyToken>
<wsc:DerivedKeyToken
xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="derivedKeyId-6">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
URI="#EncKeyId-8B70239588B0833C2A13007760532912"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
</wsse:SecurityTokenReference>
<wsc:Offset>0</wsc:Offset>
<wsc:Length>16</wsc:Length>
<wsc:Nonce>IwGTp+MNiBNc0maObY7/cw==</wsc:Nonce>
</wsc:DerivedKeyToken>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-7"/>
</xenc:ReferenceList>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-5">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<ds:Reference URI="#Timestamp-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>uRFhg+mcgnulVaKOF0TUB4gXVVE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>tlBnednmSJ1SUyw6kAB6QbqDurc=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-8B70239588B0833C2A13007760533073">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="STRId-8B70239588B0833C2A13007760533074">
<wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
URI="#derivedKeyId-4"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>

</wsse:Security>
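To see what the server's sigTokId actually points at, it helps to follow the wsse:Reference chain from the signature's KeyInfo back through the derived key and encrypted key to the certificate token. The script below is an added example, not code from the thread or from CXF: it parses a constructed, abbreviated copy of the header above (token bytes elided, same Ids), indexes every wsu:Id and plain Id, and walks the chain; a second copy with the BinarySecurityToken removed shows how a dangling reference surfaces as None.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "wsc": "http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed, abbreviated copy of the header posted above (token bytes elided).
SAMPLE = """<wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
    xmlns:xenc="%(xenc)s" xmlns:wsc="%(wsc)s" xmlns:ds="%(ds)s">
  <wsse:BinarySecurityToken wsu:Id="8B70239588B0833C2A13007760527761">ELIDED</wsse:BinarySecurityToken>
  <xenc:EncryptedKey Id="EncKeyId-8B70239588B0833C2A13007760532912">
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#8B70239588B0833C2A13007760527761"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </xenc:EncryptedKey>
  <wsc:DerivedKeyToken wsu:Id="derivedKeyId-4">
    <wsse:SecurityTokenReference><wsse:Reference URI="#EncKeyId-8B70239588B0833C2A13007760532912"/></wsse:SecurityTokenReference>
  </wsc:DerivedKeyToken>
  <ds:Signature Id="Signature-5">
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#derivedKeyId-4"/></wsse:SecurityTokenReference></ds:KeyInfo>
  </ds:Signature>
</wsse:Security>""" % NS
# The same header with the certificate token left out, so the last reference dangles.
SAMPLE_NO_BST = "\n".join(l for l in SAMPLE.splitlines() if "BinarySecurityToken" not in l)


def index_ids(root):
    # Map every wsu:Id and plain Id (EncryptedKey, Signature) to its element.
    ids = {}
    for el in root.iter():
        for attr in (WSU_ID, "Id"):
            if el.get(attr) is not None:
                ids[el.get(attr)] = el
    return ids


def chain_from_signature(xml_text):
    """Follow wsse:Reference links from ds:Signature/ds:KeyInfo and return the
    local names of the elements reached; None marks a URI that resolves to nothing."""
    root = ET.fromstring(xml_text)
    ids = index_ids(root)
    el, chain, seen = root.find("ds:Signature/ds:KeyInfo", NS), [], set()
    while el is not None and id(el) not in seen:
        seen.add(id(el))                     # guard against reference cycles
        ref = el.find(".//wsse:Reference", NS)
        if ref is None:                      # reached a token with no further reference
            break
        el = ids.get(ref.get("URI", "").lstrip("#"))
        chain.append(None if el is None else el.tag.split("}")[-1])
    return chain
```

Run against a captured header, the chain tells you whether the Id the handler picked up (here the EncryptedKey's Id, not the BinarySecurityToken's wsu:Id) is reachable at all.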

> Date: Tue, 22 Mar 2011 09:48:49 +1300
> From: [email protected]
> To: [email protected]
> Subject: Re: Symmetric Binding
> 
> Hi David,
> 
> Normally with symmetric binding you'd use the server's certificate to 
> encrypt the symmetric encryption secret key, and there'd be no reason to 
> include the certificate in the messages at all - the client needs to 
> have the certificate before it can make any request to the server, and 
> the server obviously already has it. Your IncludeToken attribute value 
> may be messing up the logic in this case, since it asks for the 
> certificate to always be included. The symmetric binding example I used 
> for CXF at 
> http://www.ibm.com/developerworks/java/library/j-jws17/index.html#listing1 
> has ...IncludeToken/Never. Try switching to that and see if it makes a 
> difference.
> 
> - Dennis
> 
> Dennis M. Sosnoski
> Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
> Axis2/CXF/Metro SOA and Web Services Training 
> <http://www.sosnoski.com/training.html>
> Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
> 
> 
> On 03/22/2011 04:25 AM, David Zhang wrote:
> > Hello,
> >
> > I am new to using Apache CXF. I want to secure a web service with symmetric 
> > binding, but I always run into an error.
> >
> > Maybe I made a mistake when configuring the service. Can anybody help me?
> >
> > I have a self-signed certificate for the server and I have the public key 
> > on the client side.
> >
> > I generated the client with the CXF wsdl2java tool, and it seems to work fine. 
> > The client sends a request to the server. I can watch the request on a 
> > TCP/IP monitor.
> >
> > There is the WS-Security header with a binary security token, and the SOAP 
> > body is obviously encrypted.
> >
> > On the server side the message even gets decrypted. I know this because 
> > the service implementation is called with correct parameters.
> >
> > The problem occurs when the response should be sent. I get a null pointer 
> > when a key should be copied into the response:
> >
> > Caused by: java.lang.NullPointerException
> > at 
> > com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.importNode(CoreDocumentImpl.java:1532)
> >  [:1.6.0_24]
> > at 
> > com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.importNode(CoreDocumentImpl.java:1498)
> >  [:1.6.0_24]
> > at 
> > com.sun.xml.internal.messaging.saaj.soap.SOAPDocumentImpl.importNode(SOAPDocumentImpl.java:146)
> >  [:1.6.0_24]
> > at 
> > org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.cloneElement(AbstractBindingBuilder.java:538)
> >  [:2.3.3]
> > at 
> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:306)
> >  [:2.3.3]
> > ... 36 more
> >
> > With a debugger I observed that in this method a variable sigTok is not 
> > null, but sigTok.getTok returns null.
> >
> > Can somebody help me with this problem, please?
> >
> > Here is my security policy:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <sp:SymmetricBinding>
> > <wsp:Policy>
> > <sp:ProtectionToken>
> > <wsp:Policy>
> > <sp:X509Token
> > IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
> > <wsp:Policy>
> > <sp:RequireDerivedKeys/>
> > <sp:WssX509V3Token10/>
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:ProtectionToken>
> > <sp:AlgorithmSuite>
> > <wsp:Policy>
> > <sp:Basic128Rsa15/>
> > </wsp:Policy>
> > </sp:AlgorithmSuite>
> > <sp:Layout>
> > <wsp:Policy>
> > <sp:Strict/>
> > </wsp:Policy>
> > </sp:Layout>
> > <sp:IncludeTimestamp/>
> > </wsp:Policy>
> > </sp:SymmetricBinding>
> > <sp:EncryptedParts>
> > <sp:Body/>
> > </sp:EncryptedParts>
> > </wsp:Policy>