The only thing I can think of is to start by just trying the sample code
from the article so see if that works. If not, it's possible that
something has been broken in CXF since the article was published. If it
does work, try using the policy from the sample code - just as supplied,
at least to start with - with your service.
- Dennis
On 03/22/2011 07:58 PM, David Zhang wrote:
Hi Dennis,
thanks for your answer. I have read your tutorial already yesterday. I
appreciate it very much. Also i understand your point. Actually i also started
with IncludeToken/Never, since it did not work and with the debugger i observed
CXF seemed to look for a key in the message i just gave IncludeToken/Always a
chance. But of course you are right. So now i changed it again to
IncludeToken/Never.
But the error message is still the same. Do you have another idea?
By the way, i am using CXF 2.3.3 on JBoss 6.0.0.
I just run my project again with the new WS Policy as you suggested. Also i took the "sp:wss11 requireX"
elements from your tutorial. In the debugger i observe the null pointer at line 306 in the variable "el".
Another thing which caught my attention is the variable "sigTokId" which has the value
"EncKeyId-8B70239588B0833C2A13007760532912". This value is also the wsu:Id of a binary security token i found
in the soap request of the client.
Below i will attach the policy and the security header from the soap request. I
appreciate your help very much.
David
WS Policy:
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
</wsp:Policy>
</sp:Wss11>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
WS Security Header from client request:
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
soap:mustUnderstand="true">
<wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
wsu:Id="8B70239588B0833C2A13007760527761">MIIB/TCCAWagAwIBAgIETYdFJTANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJkZTETMBEGA1UEChMKZmhoYW5ub3ZlcjEQMA4GA1UECxMHZGFzaW1vZDENMAsGA1UEAxMEcGF5ZDAeFw0xMTAzMjExMjMxMzNaFw0xMTA2MTkxMjMxMzNaMEMxCzAJBgNVBAYTAmRlMRMwEQYDVQQKEwpmaGhhbm5vdmVyMRAwDgYDVQQLEwdkYXNpbW9kMQ0wCwYDVQQDEwRwYXlkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTSwg37D8D0oD3Bo93tjh85doxCZL7jaBTIUc9LpUKSWQMrHwTNqL5BefNjzs5vEtpXg2IEiX9YOIoIrRg3YawXaJ+IUOko+LX6Dmtlx72FxTIyCl/t6g+StBimgDqUnMtEVlzy2uf6uE0qr3aeOQbJdBTk286ivqDEa9ht10vnwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACVn6CCm2vSyUcR3ISUDl6VkZ/GfO9BuenVKQmuabxrra/MLcEL9kD/5Z+CDHHKd2GCj0LpjPZCTy1FAhP9o6vkoaDX6bjg1uNdhmE4g7JOpNkVH00tNTNvDShLYSU5KG6xaYZT3PlzR7p9NTTkRDyS3EqJVUdpLa5N+xeI3vS61</wsse:BinarySecurityToken>
<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="Timestamp-3"><wsu:Created>2011-03-22T06:40:52.683Z</wsu:Created><wsu:Expires>2011-03-22T06:45:52.683Z</wsu:Expires></wsu:Timestamp>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Id="EncKeyId-8B70239588B0833C2A13007760532912">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#";>
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
<wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
URI="#8B70239588B0833C2A13007760527761"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>XI/e+PVeGQw1qTMwKi54NnXr/gkGBPDR4uGYqGVlGSk7wWSeaANcy3MmFGrPGqa3/2c9SHR2IPGb74hoFOh5T1p3SVrve039lyeS/UA7dz1EHL1szkCDXSnyZtA/H+U18DhRa8YqLOdwqBDhBwqYS6JKLqZ//A7kYN8GLLRaesE=</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<wsc:DerivedKeyToken xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="derivedKeyId-4">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
<wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
URI="#EncKeyId-8B70239588B0833C2A13007760532912"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
</wsse:SecurityTokenReference>
<wsc:Offset>0</wsc:Offset>
<wsc:Length>16</wsc:Length>
<wsc:Nonce>zVgwmIFHU8Gjlo6C3YDZLg==</wsc:Nonce>
</wsc:DerivedKeyToken>
<wsc:DerivedKeyToken xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="derivedKeyId-6">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
<wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
URI="#EncKeyId-8B70239588B0833C2A13007760532912"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
</wsse:SecurityTokenReference>
<wsc:Offset>0</wsc:Offset>
<wsc:Length>16</wsc:Length>
<wsc:Nonce>IwGTp+MNiBNc0maObY7/cw==</wsc:Nonce>
</wsc:DerivedKeyToken>
<xenc:ReferenceList>
<xenc:DataReference URI="#EncDataId-7"/>
</xenc:ReferenceList>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"; Id="Signature-5">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<ds:Reference URI="#Timestamp-3">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>uRFhg+mcgnulVaKOF0TUB4gXVVE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>tlBnednmSJ1SUyw6kAB6QbqDurc=</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-8B70239588B0833C2A13007760533073">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="STRId-8B70239588B0833C2A13007760533074">
<wsse:Reference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
URI="#derivedKeyId-4"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
Date: Tue, 22 Mar 2011 09:48:49 +1300
From: [email protected]
To: [email protected]
Subject: Re: Symmetric Binding
Hi David,
Normally with symmetric binding you'd use the server's certificate to
encrypt the symmetric encryption secret key, and there'd be no reason to
include the certificate in the messages at all - the client needs to
have the certificate before it can make any request to the server, and
the server obviously already has it. Your IncludeToken attribute value
may be messing up the logic in this case, since it asks for the
certificate to always be included The symmetric binding example I used
for CXF at
http://www.ibm.com/developerworks/java/library/j-jws17/index.html#listing1
has ...IncludeToken/Never. Try switching to that and see if it makes a
difference.
- Dennis
Dennis M. Sosnoski
Java SOA and Web Services Consulting<http://www.sosnoski.com/consult.html>
Axis2/CXF/Metro SOA and Web Services Training
<http://www.sosnoski.com/training.html>
Web Services Jump-Start<http://www.sosnoski.com/jumpstart.html>
On 03/22/2011 04:25 AM, David Zhang wrote:
Hello,
i am new to using apache cxf. I want to secure a web service with symmetric
binding, but i always run into an error.
Maybe i did a mistake when configuring the service. Can anybody help me?
I have a self-signed certificate for the server and i have the public key on
the client side.
I generated the client with CXF wsdl2java tool. And it seems to work fine. The
client sends a request to the server. I can watch the request on a tcp/ip
monitor.
There is the ws security header with a binary security token and the soap body
is obviously encrypted.
On the server side the message even gets decrypted. I know this, because the
service implementation is called with correct parameters.
The problem occurs when the response should be sent. I get a null pointer when
a key should be copied into the response:
Caused by: java.lang.NullPointerException
at
com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.importNode(CoreDocumentImpl.java:1532)
[:1.6.0_24]
at
com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.importNode(CoreDocumentImpl.java:1498)
[:1.6.0_24]
at
com.sun.xml.internal.messaging.saaj.soap.SOAPDocumentImpl.importNode(SOAPDocumentImpl.java:146)
[:1.6.0_24]
at
org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.cloneElement(AbstractBindingBuilder.java:538)
[:2.3.3]
at
org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:306)
[:2.3.3]
... 36 more
With a debugger i observed that in this method a variable sigTok is not null,
but sigTok.getTok returns null.
Can somebody help me with this problem, please?
Here is my security policy:
<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<sp:SymmetricBinding>
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always";>
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128Rsa15/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
