I really thought my little application was simple enough. You are right, I will
try to build a hello world project with symmetric binding following your
tutorial. I will tell you whether it works.

Thank you.

David

> Date: Tue, 22 Mar 2011 20:10:56 +1300
> From: [email protected]
> To: [email protected]
> Subject: Re: Symmetric Binding
> 
> The only thing I can think of is to start by just trying the sample code 
> from the article to see if that works. If not, it's possible that 
> something has been broken in CXF since the article was published. If it 
> does work, try using the policy from the sample code - just as supplied, 
> at least to start with - with your service.
> 
> - Dennis
> 
> 
> On 03/22/2011 07:58 PM, David Zhang wrote:
> > Hi Dennis,
> >
> > Thanks for your answer. I already read your tutorial yesterday. I 
> > appreciate it very much. I also understand your point. Actually, I also 
> > started with IncludeToken/Never; since it did not work, and with the 
> > debugger I observed that CXF seemed to look for a key in the message, I just 
> > gave IncludeToken/Always a chance. But of course you are right. So now I 
> > changed it again to IncludeToken/Never.
> >
> > But the error message is still the same. Do you have another idea?
> >
> > By the way, I am using CXF 2.3.3 on JBoss 6.0.0.
> >
> > I just ran my project again with the new WS Policy as you suggested. I also 
> > took the "sp:wss11 requireX" elements from your tutorial. In the debugger I 
> > observe the null pointer at line 306 in the variable "el". Another thing 
> > that caught my attention is the variable "sigTokId", which has the value 
> > "EncKeyId-8B70239588B0833C2A13007760532912". This value is also the wsu:Id 
> > of a binary security token I found in the SOAP request of the client.
> >
> > Below I will attach the policy and the security header from the SOAP 
> > request. I appreciate your help very much.
> >
> > David
> >
> > WS Policy:
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
> >             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >   <sp:SymmetricBinding>
> >     <wsp:Policy>
> >       <sp:ProtectionToken>
> >         <wsp:Policy>
> >           <sp:X509Token IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >             <wsp:Policy>
> >               <sp:RequireDerivedKeys/>
> >               <sp:WssX509V3Token10/>
> >             </wsp:Policy>
> >           </sp:X509Token>
> >         </wsp:Policy>
> >       </sp:ProtectionToken>
> >       <sp:AlgorithmSuite>
> >         <wsp:Policy>
> >           <sp:Basic128Rsa15/>
> >         </wsp:Policy>
> >       </sp:AlgorithmSuite>
> >       <sp:Layout>
> >         <wsp:Policy>
> >           <sp:Strict/>
> >         </wsp:Policy>
> >       </sp:Layout>
> >       <sp:IncludeTimestamp/>
> >     </wsp:Policy>
> >   </sp:SymmetricBinding>
> >   <sp:Wss11>
> >     <wsp:Policy>
> >       <sp:MustSupportRefKeyIdentifier/>
> >       <sp:MustSupportRefThumbprint/>
> >       <sp:MustSupportRefEncryptedKey/>
> >     </wsp:Policy>
> >   </sp:Wss11>
> >   <sp:EncryptedParts>
> >     <sp:Body/>
> >   </sp:EncryptedParts>
> > </wsp:Policy>
> >
> > WS Security Header from client request:
> >
> > <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >                soap:mustUnderstand="true">
> >   <wsse:BinarySecurityToken
> >       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> >       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> >       wsu:Id="8B70239588B0833C2A13007760527761">...</wsse:BinarySecurityToken>
> >   <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >                  wsu:Id="Timestamp-3">
> >     <wsu:Created>2011-03-22T06:40:52.683Z</wsu:Created>
> >     <wsu:Expires>2011-03-22T06:45:52.683Z</wsu:Expires>
> >   </wsu:Timestamp>
> >   <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> >                      Id="EncKeyId-8B70239588B0833C2A13007760532912">
> >     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> >     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >       <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >         <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >                         URI="#8B70239588B0833C2A13007760527761"
> >                         ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> >       </wsse:SecurityTokenReference>
> >     </ds:KeyInfo>
> >     <xenc:CipherData>
> >       <xenc:CipherValue>XI/e+PVeGQw1qTMwKi54NnXr/gkGBPDR4uGYqGVlGSk7wWSeaANcy3MmFGrPGqa3/2c9SHR2IPGb74hoFOh5T1p3SVrve039lyeS/UA7dz1EHL1szkCDXSnyZtA/H+U18DhRa8YqLOdwqBDhBwqYS6JKLqZ//A7kYN8GLLRaesE=</xenc:CipherValue>
> >     </xenc:CipherData>
> >   </xenc:EncryptedKey>
> >   <wsc:DerivedKeyToken xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >                        wsu:Id="derivedKeyId-4">
> >     <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >       <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >                       URI="#EncKeyId-8B70239588B0833C2A13007760532912"
> >                       ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
> >     </wsse:SecurityTokenReference>
> >     <wsc:Offset>0</wsc:Offset>
> >     <wsc:Length>16</wsc:Length>
> >     <wsc:Nonce>zVgwmIFHU8Gjlo6C3YDZLg==</wsc:Nonce>
> >   </wsc:DerivedKeyToken>
> >   <wsc:DerivedKeyToken xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >                        wsu:Id="derivedKeyId-6">
> >     <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >       <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >                       URI="#EncKeyId-8B70239588B0833C2A13007760532912"
> >                       ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
> >     </wsse:SecurityTokenReference>
> >     <wsc:Offset>0</wsc:Offset>
> >     <wsc:Length>16</wsc:Length>
> >     <wsc:Nonce>IwGTp+MNiBNc0maObY7/cw==</wsc:Nonce>
> >   </wsc:DerivedKeyToken>
> >   <xenc:ReferenceList>
> >     <xenc:DataReference URI="#EncDataId-7"/>
> >   </xenc:ReferenceList>
> >   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-5">
> >     <ds:SignedInfo>
> >       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
> >       <ds:Reference URI="#Timestamp-3">
> >         <ds:Transforms>
> >           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >         </ds:Transforms>
> >         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >         <ds:DigestValue>uRFhg+mcgnulVaKOF0TUB4gXVVE=</ds:DigestValue>
> >       </ds:Reference>
> >     </ds:SignedInfo>
> >     <ds:SignatureValue>tlBnednmSJ1SUyw6kAB6QbqDurc=</ds:SignatureValue>
> >     <ds:KeyInfo Id="KeyId-8B70239588B0833C2A13007760533073">
> >       <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >                                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >                                    wsu:Id="STRId-8B70239588B0833C2A13007760533074">
> >         <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >                         URI="#derivedKeyId-4"/>
> >       </wsse:SecurityTokenReference>
> >     </ds:KeyInfo>
> >   </ds:Signature>
> > </wsse:Security>
> >
> >> Date: Tue, 22 Mar 2011 09:48:49 +1300
> >> From: [email protected]
> >> To: [email protected]
> >> Subject: Re: Symmetric Binding
> >>
> >> Hi David,
> >>
> >> Normally with symmetric binding you'd use the server's certificate to
> >> encrypt the symmetric encryption secret key, and there'd be no reason to
> >> include the certificate in the messages at all - the client needs to
> >> have the certificate before it can make any request to the server, and
> >> the server obviously already has it. Your IncludeToken attribute value
> >> may be messing up the logic in this case, since it asks for the
> >> certificate to always be included. The symmetric binding example I used
> >> for CXF at
> >> http://www.ibm.com/developerworks/java/library/j-jws17/index.html#listing1
> >> has ...IncludeToken/Never. Try switching to that and see if it makes a
> >> difference.
> >>
> >> - Dennis
> >>
> >> Dennis M. Sosnoski
> >> Java SOA and Web Services Consulting<http://www.sosnoski.com/consult.html>
> >> Axis2/CXF/Metro SOA and Web Services Training
> >> <http://www.sosnoski.com/training.html>
> >> Web Services Jump-Start<http://www.sosnoski.com/jumpstart.html>
> >>
> >>
> >> On 03/22/2011 04:25 AM, David Zhang wrote:
> >>> Hello,
> >>>
> >>> I am new to using Apache CXF. I want to secure a web service with 
> >>> symmetric binding, but I always run into an error.
> >>>
> >>> Maybe I made a mistake when configuring the service. Can anybody help me?
> >>>
> >>> I have a self-signed certificate for the server and I have the public key 
> >>> on the client side.
> >>>
> >>> I generated the client with the CXF wsdl2java tool, and it seems to work 
> >>> fine. The client sends a request to the server. I can watch the request 
> >>> on a TCP/IP monitor.
> >>>
> >>> There is the WS-Security header with a binary security token, and the SOAP 
> >>> body is obviously encrypted.
> >>>
> >>> On the server side the message even gets decrypted. I know this because 
> >>> the service implementation is called with the correct parameters.
> >>>
> >>> The problem occurs when the response should be sent. I get a null pointer 
> >>> when a key should be copied into the response:
> >>>
> >>> Caused by: java.lang.NullPointerException
> >>>   at com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.importNode(CoreDocumentImpl.java:1532) [:1.6.0_24]
> >>>   at com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.importNode(CoreDocumentImpl.java:1498) [:1.6.0_24]
> >>>   at com.sun.xml.internal.messaging.saaj.soap.SOAPDocumentImpl.importNode(SOAPDocumentImpl.java:146) [:1.6.0_24]
> >>>   at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.cloneElement(AbstractBindingBuilder.java:538) [:2.3.3]
> >>>   at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:306) [:2.3.3]
> >>>   ... 36 more
> >>>
> >>> With a debugger I observed that in this method a variable sigTok is not 
> >>> null, but sigTok.getTok returns null.
> >>>
> >>> Can somebody help me with this problem, please?
> >>>
> >>> Here is my security policy:
> >>>
> >>> <?xml version="1.0" encoding="UTF-8"?>
> >>> <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
> >>>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >>>   <sp:SymmetricBinding>
> >>>     <wsp:Policy>
> >>>       <sp:ProtectionToken>
> >>>         <wsp:Policy>
> >>>           <sp:X509Token IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
> >>>             <wsp:Policy>
> >>>               <sp:RequireDerivedKeys/>
> >>>               <sp:WssX509V3Token10/>
> >>>             </wsp:Policy>
> >>>           </sp:X509Token>
> >>>         </wsp:Policy>
> >>>       </sp:ProtectionToken>
> >>>       <sp:AlgorithmSuite>
> >>>         <wsp:Policy>
> >>>           <sp:Basic128Rsa15/>
> >>>         </wsp:Policy>
> >>>       </sp:AlgorithmSuite>
> >>>       <sp:Layout>
> >>>         <wsp:Policy>
> >>>           <sp:Strict/>
> >>>         </wsp:Policy>
> >>>       </sp:Layout>
> >>>       <sp:IncludeTimestamp/>
> >>>     </wsp:Policy>
> >>>   </sp:SymmetricBinding>
> >>>   <sp:EncryptedParts>
> >>>     <sp:Body/>
> >>>   </sp:EncryptedParts>
> >>> </wsp:Policy>
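A small check added here, not code from the thread or from CXF, for the token-reference chain David is looking at in the debugger: the Signature's KeyInfo points at derivedKeyId-4, the DerivedKeyToken points at the EncryptedKey, and the EncryptedKey's KeyInfo points at the BinarySecurityToken. It runs over a constructed, abbreviated copy of the posted header (same elements and namespaces, shortened ids, base64 values dropped) and also lists references that name nothing in the header, which is what a dangling sigTokId would show up as.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed, abbreviated copy of the posted header: same layout and namespaces, shortened ids.
HEADER = f"""<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
 <wsse:BinarySecurityToken wsu:Id="BST-1"/>
 <wsu:Timestamp wsu:Id="Timestamp-3"/>
 <xenc:EncryptedKey Id="EncKeyId-2"><ds:KeyInfo><wsse:SecurityTokenReference>
   <wsse:Reference URI="#BST-1"/></wsse:SecurityTokenReference></ds:KeyInfo></xenc:EncryptedKey>
 <wsc:DerivedKeyToken wsu:Id="derivedKeyId-4"><wsse:SecurityTokenReference>
   <wsse:Reference URI="#EncKeyId-2"/></wsse:SecurityTokenReference></wsc:DerivedKeyToken>
 <wsc:DerivedKeyToken wsu:Id="derivedKeyId-6"><wsse:SecurityTokenReference>
   <wsse:Reference URI="#EncKeyId-2"/></wsse:SecurityTokenReference></wsc:DerivedKeyToken>
 <xenc:ReferenceList><xenc:DataReference URI="#EncDataId-7"/></xenc:ReferenceList>
 <ds:Signature Id="Signature-5"><ds:SignedInfo><ds:Reference URI="#Timestamp-3"/></ds:SignedInfo>
   <ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="#derivedKeyId-4"/>
   </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security>"""

local = lambda el: el.tag.rsplit("}", 1)[-1]  # element name without its namespace


def index_ids(root):
    """Map every wsu:Id / Id value in the header to the element that carries it."""
    return {el.attrib[a]: el for el in root.iter() for a in (f"{{{WSU}}}Id", "Id") if a in el.attrib}


def key_chain(el, ids):
    """Follow el's SecurityTokenReference/Reference/@URI token by token until one has no STR."""
    chain, seen = [local(el)], {id(el)}
    while (ref := el.find(f".//{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")) is not None:
        el = ids.get(ref.get("URI", "").lstrip("#"))
        if el is None or id(el) in seen:  # dangling reference or a reference loop: stop here
            return chain + ["MISSING" if el is None else "LOOP"]
        seen.add(id(el))
        chain.append(local(el))
    return chain


def signature_key_chain(xml_text):
    root = ET.fromstring(xml_text)
    return key_chain(root.find("{http://www.w3.org/2000/09/xmldsig#}Signature"), index_ids(root))


def dangling_references(xml_text):
    """URIs that name nothing in the header (expected only for the encrypted body's EncDataId)."""
    root = ET.fromstring(xml_text)
    ids, uris = index_ids(root), [e.get("URI", "") for e in root.iter()]
    return sorted(u[1:] for u in uris if u.startswith("#") and u[1:] not in ids)
```

On the posted header the signature chain ends at the BinarySecurityToken and only the body's EncDataId is unresolved; a header whose EncryptedKey points at a token id that is not present ends the chain in MISSING instead.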