Hello Dennis,

thank you very much! Everything is now working.

I created a small HelloWorld App and experimented with your policy. At last I 
found out what the problem was! It is so simple ... I forgot the namespace 
prefix on the attribute IncludeToken.

Actually this attribute is optional, I read this in the spec. But if I don't 
place it there, the service will fail. And of course if I forget the prefix it 
will also fail.

The HelloWorld App is a small Maven project. It configures CXF via the policy 
XML. It uses the CXF Maven Tools to generate the WSDL and again to generate the 
client. If anybody is interested in this working example of symmetric binding, 
feel free to ask me for the code.

Thanks again

David


From: [email protected]
To: [email protected]
Subject: RE: Symmetric Binding
Date: Tue, 22 Mar 2011 08:16:25 +0100




I really thought my little application was simple enough. You are right, I will 
try to build a hello world project with symmetric binding following your 
tutorial. I will tell you whether it works.

Thank you.

David

> Date: Tue, 22 Mar 2011 20:10:56 +1300
> From: [email protected]
> To: [email protected]
> Subject: Re: Symmetric Binding
> 
> The only thing I can think of is to start by just trying the sample code 
> from the article to see if that works. If not, it's possible that 
> something has been broken in CXF since the article was published. If it 
> does work, try using the policy from the sample code - just as supplied, 
> at least to start with - with your service.
> 
> - Dennis
> 
> 
> On 03/22/2011 07:58 PM, David Zhang wrote:
> > Hi Dennis,
> >
> >
> >
> > thanks for your answer. I already read your tutorial yesterday. I 
> > appreciate it very much. Also I understand your point. Actually I also 
> > started with IncludeToken/Never; since it did not work, and with the 
> > debugger I observed that CXF seemed to look for a key in the message, I just 
> > gave IncludeToken/Always a chance. But of course you are right. So now I 
> > changed it again to IncludeToken/Never.
> >
> >
> >
> > But the error message is still the same. Do you have another idea?
> >
> >
> >
> > By the way, I am using CXF 2.3.3 on JBoss 6.0.0.
> >
> >
> >
> > I just ran my project again with the new WS Policy as you suggested. Also I 
> > took the "sp:wss11 requireX" elements from your tutorial. In the debugger I 
> > observe the null pointer at line 306 in the variable "el". Another thing 
> > which caught my attention is the variable "sigTokId", which has the value 
> > "EncKeyId-8B70239588B0833C2A13007760532912". This value is also the wsu:Id 
> > of a binary security token I found in the SOAP request of the client.
> >
> >
> >
> > Below I will attach the policy and the security header from the SOAP 
> > request. I appreciate your help very much.
> >
> >
> >
> > David
> >
> >
> >
> > WS Policy:
> >
> >
> >
> > <?xml version="1.0" encoding="UTF-8"?>
> > <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
> >             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >   <sp:SymmetricBinding>
> >     <wsp:Policy>
> >       <sp:ProtectionToken>
> >         <wsp:Policy>
> >           <sp:X509Token
> >               IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >             <wsp:Policy>
> >               <sp:RequireDerivedKeys/>
> >               <sp:WssX509V3Token10/>
> >             </wsp:Policy>
> >           </sp:X509Token>
> >         </wsp:Policy>
> >       </sp:ProtectionToken>
> >       <sp:AlgorithmSuite>
> >         <wsp:Policy>
> >           <sp:Basic128Rsa15/>
> >         </wsp:Policy>
> >       </sp:AlgorithmSuite>
> >       <sp:Layout>
> >         <wsp:Policy>
> >           <sp:Strict/>
> >         </wsp:Policy>
> >       </sp:Layout>
> >       <sp:IncludeTimestamp/>
> >     </wsp:Policy>
> >   </sp:SymmetricBinding>
> >   <sp:Wss11>
> >     <wsp:Policy>
> >       <sp:MustSupportRefKeyIdentifier/>
> >       <sp:MustSupportRefThumbprint/>
> >       <sp:MustSupportRefEncryptedKey/>
> >     </wsp:Policy>
> >   </sp:Wss11>
> >   <sp:EncryptedParts>
> >     <sp:Body/>
> >   </sp:EncryptedParts>
> > </wsp:Policy>
> >
> >
> >
> > WS Security Header from client request:
> >
> >
> >
> > <wsse:Security
> >     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >     soap:mustUnderstand="true">
> >   <wsse:BinarySecurityToken
> >       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >       EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> >       ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> >       wsu:Id="8B70239588B0833C2A13007760527761">MIIB/TCCAWagAwIBAgIETYdFJTANBgkqhkiG9w0BAQUFADBDMQswCQYDVQQGEwJkZTETMBEGA1UEChMKZmhoYW5ub3ZlcjEQMA4GA1UECxMHZGFzaW1vZDENMAsGA1UEAxMEcGF5ZDAeFw0xMTAzMjExMjMxMzNaFw0xMTA2MTkxMjMxMzNaMEMxCzAJBgNVBAYTAmRlMRMwEQYDVQQKEwpmaGhhbm5vdmVyMRAwDgYDVQQLEwdkYXNpbW9kMQ0wCwYDVQQDEwRwYXlkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDTSwg37D8D0oD3Bo93tjh85doxCZL7jaBTIUc9LpUKSWQMrHwTNqL5BefNjzs5vEtpXg2IEiX9YOIoIrRg3YawXaJ+IUOko+LX6Dmtlx72FxTIyCl/t6g+StBimgDqUnMtEVlzy2uf6uE0qr3aeOQbJdBTk286ivqDEa9ht10vnwIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACVn6CCm2vSyUcR3ISUDl6VkZ/GfO9BuenVKQmuabxrra/MLcEL9kD/5Z+CDHHKd2GCj0LpjPZCTy1FAhP9o6vkoaDX6bjg1uNdhmE4g7JOpNkVH00tNTNvDShLYSU5KG6xaYZT3PlzR7p9NTTkRDyS3EqJVUdpLa5N+xeI3vS61</wsse:BinarySecurityToken>
> >   <wsu:Timestamp
> >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >       wsu:Id="Timestamp-3"><wsu:Created>2011-03-22T06:40:52.683Z</wsu:Created><wsu:Expires>2011-03-22T06:45:52.683Z</wsu:Expires></wsu:Timestamp>
> >   <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> >       Id="EncKeyId-8B70239588B0833C2A13007760532912">
> >     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
> >     <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >       <wsse:SecurityTokenReference
> >           xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >         <wsse:Reference
> >             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >             URI="#8B70239588B0833C2A13007760527761"
> >             ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> >       </wsse:SecurityTokenReference>
> >     </ds:KeyInfo>
> >     <xenc:CipherData>
> >       <xenc:CipherValue>XI/e+PVeGQw1qTMwKi54NnXr/gkGBPDR4uGYqGVlGSk7wWSeaANcy3MmFGrPGqa3/2c9SHR2IPGb74hoFOh5T1p3SVrve039lyeS/UA7dz1EHL1szkCDXSnyZtA/H+U18DhRa8YqLOdwqBDhBwqYS6JKLqZ//A7kYN8GLLRaesE=</xenc:CipherValue>
> >     </xenc:CipherData>
> >   </xenc:EncryptedKey>
> >   <wsc:DerivedKeyToken
> >       xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >       wsu:Id="derivedKeyId-4">
> >     <wsse:SecurityTokenReference
> >         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >       <wsse:Reference
> >           xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >           URI="#EncKeyId-8B70239588B0833C2A13007760532912"
> >           ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
> >     </wsse:SecurityTokenReference>
> >     <wsc:Offset>0</wsc:Offset>
> >     <wsc:Length>16</wsc:Length>
> >     <wsc:Nonce>zVgwmIFHU8Gjlo6C3YDZLg==</wsc:Nonce>
> >   </wsc:DerivedKeyToken>
> >   <wsc:DerivedKeyToken
> >       xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >       wsu:Id="derivedKeyId-6">
> >     <wsse:SecurityTokenReference
> >         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >       <wsse:Reference
> >           xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >           URI="#EncKeyId-8B70239588B0833C2A13007760532912"
> >           ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
> >     </wsse:SecurityTokenReference>
> >     <wsc:Offset>0</wsc:Offset>
> >     <wsc:Length>16</wsc:Length>
> >     <wsc:Nonce>IwGTp+MNiBNc0maObY7/cw==</wsc:Nonce>
> >   </wsc:DerivedKeyToken>
> >   <xenc:ReferenceList>
> >     <xenc:DataReference URI="#EncDataId-7"/>
> >   </xenc:ReferenceList>
> >   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> >       Id="Signature-5">
> >     <ds:SignedInfo>
> >       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
> >       <ds:Reference URI="#Timestamp-3">
> >         <ds:Transforms>
> >           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >         </ds:Transforms>
> >         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >         <ds:DigestValue>uRFhg+mcgnulVaKOF0TUB4gXVVE=</ds:DigestValue>
> >       </ds:Reference>
> >     </ds:SignedInfo>
> >     <ds:SignatureValue>tlBnednmSJ1SUyw6kAB6QbqDurc=</ds:SignatureValue>
> >     <ds:KeyInfo Id="KeyId-8B70239588B0833C2A13007760533073">
> >       <wsse:SecurityTokenReference
> >           xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >           wsu:Id="STRId-8B70239588B0833C2A13007760533074">
> >         <wsse:Reference
> >             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >             URI="#derivedKeyId-4"/>
> >       </wsse:SecurityTokenReference>
> >     </ds:KeyInfo>
> >   </ds:Signature>
> > </wsse:Security>
> >
> >
> >
> >> Date: Tue, 22 Mar 2011 09:48:49 +1300
> >> From: [email protected]
> >> To: [email protected]
> >> Subject: Re: Symmetric Binding
> >>
> >> Hi David,
> >>
> >> Normally with symmetric binding you'd use the server's certificate to
> >> encrypt the symmetric encryption secret key, and there'd be no reason to
> >> include the certificate in the messages at all - the client needs to
> >> have the certificate before it can make any request to the server, and
> >> the server obviously already has it. Your IncludeToken attribute value
> >> may be messing up the logic in this case, since it asks for the
> >> certificate to always be included. The symmetric binding example I used
> >> for CXF at
> >> http://www.ibm.com/developerworks/java/library/j-jws17/index.html#listing1
> >> has ...IncludeToken/Never. Try switching to that and see if it makes a
> >> difference.
> >>
> >> - Dennis
> >>
> >> Dennis M. Sosnoski
> >> Java SOA and Web Services Consulting<http://www.sosnoski.com/consult.html>
> >> Axis2/CXF/Metro SOA and Web Services Training
> >> <http://www.sosnoski.com/training.html>
> >> Web Services Jump-Start<http://www.sosnoski.com/jumpstart.html>
> >>
> >>
> >> On 03/22/2011 04:25 AM, David Zhang wrote:
> >>> Hello,
> >>>
> >>>
> >>>
> >>> I am new to using Apache CXF. I want to secure a web service with 
> >>> symmetric binding, but I always run into an error.
> >>>
> >>> Maybe I made a mistake when configuring the service. Can anybody help me?
> >>>
> >>>
> >>>
> >>> I have a self-signed certificate for the server and I have the public key 
> >>> on the client side.
> >>>
> >>>
> >>>
> >>> I generated the client with the CXF wsdl2java tool. And it seems to work 
> >>> fine. The client sends a request to the server. I can watch the request 
> >>> on a TCP/IP monitor.
> >>>
> >>> There is the WS-Security header with a binary security token, and the SOAP 
> >>> body is obviously encrypted.
> >>>
> >>>
> >>>
> >>> On the server side the message even gets decrypted. I know this, because 
> >>> the service implementation is called with correct parameters.
> >>>
> >>>
> >>>
> >>> The problem occurs when the response should be sent. I get a null pointer 
> >>> when a key should be copied into the response:
> >>>
> >>>
> >>>
> >>> Caused by: java.lang.NullPointerException
> >>>   at com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.importNode(CoreDocumentImpl.java:1532) [:1.6.0_24]
> >>>   at com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl.importNode(CoreDocumentImpl.java:1498) [:1.6.0_24]
> >>>   at com.sun.xml.internal.messaging.saaj.soap.SOAPDocumentImpl.importNode(SOAPDocumentImpl.java:146) [:1.6.0_24]
> >>>   at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.cloneElement(AbstractBindingBuilder.java:538) [:2.3.3]
> >>>   at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:306) [:2.3.3]
> >>>   ... 36 more
> >>>
> >>>
> >>>
> >>> With a debugger I observed that in this method a variable sigTok is not 
> >>> null, but sigTok.getTok returns null.
> >>>
> >>>
> >>>
> >>> Can somebody help me with this problem, please?
> >>>
> >>>
> >>>
> >>> Here is my security policy:
> >>>
> >>>
> >>>
> >>> <?xml version="1.0" encoding="UTF-8"?>
> >>> <wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
> >>>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >>>   <sp:SymmetricBinding>
> >>>     <wsp:Policy>
> >>>       <sp:ProtectionToken>
> >>>         <wsp:Policy>
> >>>           <sp:X509Token
> >>>               IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
> >>>             <wsp:Policy>
> >>>               <sp:RequireDerivedKeys/>
> >>>               <sp:WssX509V3Token10/>
> >>>             </wsp:Policy>
> >>>           </sp:X509Token>
> >>>         </wsp:Policy>
> >>>       </sp:ProtectionToken>
> >>>       <sp:AlgorithmSuite>
> >>>         <wsp:Policy>
> >>>           <sp:Basic128Rsa15/>
> >>>         </wsp:Policy>
> >>>       </sp:AlgorithmSuite>
> >>>       <sp:Layout>
> >>>         <wsp:Policy>
> >>>           <sp:Strict/>
> >>>         </wsp:Policy>
> >>>       </sp:Layout>
> >>>       <sp:IncludeTimestamp/>
> >>>     </wsp:Policy>
> >>>   </sp:SymmetricBinding>
> >>>   <sp:EncryptedParts>
> >>>     <sp:Body/>
> >>>   </sp:EncryptedParts>
> >>> </wsp:Policy>
> >>>
> >>>
> >>>
> >>>
> >>>
> > 
> 
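The root cause David reports at the top of the thread (an `IncludeToken` attribute on `sp:X509Token` without the `sp:` namespace prefix) is easy to catch before deployment. The following policy lint is an added example, not code from CXF, WSS4J or any poster; it parses a WS-SecurityPolicy document, flags an unprefixed or unknown `IncludeToken` on a symmetric-binding `ProtectionToken`, and also warns about `IncludeToken/Always` there, which Dennis advises against. The finding codes and the sample policies are constructed for this example.

```python
"""Lint a WS-SecurityPolicy for the IncludeToken pitfalls discussed in this thread.
Added example (not CXF/WSS4J code): checks every sp:X509Token under a
sp:ProtectionToken for a namespace-qualified, well-known IncludeToken value."""
import xml.etree.ElementTree as ET

SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP_NS = "http://www.w3.org/ns/ws-policy"
# The IncludeToken URIs defined by WS-SecurityPolicy 1.2.
INCLUDE_TOKEN_URIS = {
    f"{SP_NS}/IncludeToken/{suffix}"
    for suffix in ("Never", "Once", "AlwaysToRecipient", "AlwaysToInitiator", "Always")
}

def lint_include_token(policy_xml: str) -> list[str]:
    """Return constructed finding codes, one per problem found (empty list = clean)."""
    root = ET.fromstring(policy_xml)
    findings = []
    for prot in root.iter(f"{{{SP_NS}}}ProtectionToken"):
        for tok in prot.iter(f"{{{SP_NS}}}X509Token"):
            qualified = tok.get(f"{{{SP_NS}}}IncludeToken")  # sp:IncludeToken
            unqualified = tok.get("IncludeToken")             # no namespace prefix
            if qualified is None and unqualified is not None:
                # The thread's root cause: the service failed until the prefix was added.
                findings.append("unqualified-include-token")
            if qualified is None and unqualified is None:
                # Optional per the spec, but the thread reports the service failing without it.
                findings.append("missing-include-token")
            value = qualified if qualified is not None else unqualified
            if value is not None and value not in INCLUDE_TOKEN_URIS:
                findings.append("unknown-include-token-value")
            if value == f"{SP_NS}/IncludeToken/Always":
                # Dennis's point: the server already holds its own certificate, so
                # demanding it in every message only adds an avoidable failure mode.
                findings.append("always-on-protection-token")
    return findings

# Constructed sample in the shape of the thread's policy, with the unprefixed attribute.
BROKEN_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP_NS}" xmlns:sp="{SP_NS}">
  <sp:SymmetricBinding><wsp:Policy>
    <sp:ProtectionToken><wsp:Policy>
      <sp:X509Token IncludeToken="{SP_NS}/IncludeToken/Never">
        <wsp:Policy><sp:RequireDerivedKeys/><sp:WssX509V3Token10/></wsp:Policy>
      </sp:X509Token>
    </wsp:Policy></sp:ProtectionToken>
  </wsp:Policy></sp:SymmetricBinding>
  <sp:EncryptedParts><sp:Body/></sp:EncryptedParts>
</wsp:Policy>"""
FIXED_POLICY = BROKEN_POLICY.replace(' IncludeToken="', ' sp:IncludeToken="')
ALWAYS_POLICY = FIXED_POLICY.replace("/IncludeToken/Never", "/IncludeToken/Always")
```

Running `lint_include_token` over `BROKEN_POLICY`, `FIXED_POLICY` and `ALWAYS_POLICY` yields the unqualified finding, a clean result, and the Always warning respectively.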