Hi,

Could you try with this jar? I fixed a problem recently in WSS4J that
sounds like it could be the problem here:

https://issues.apache.org/jira/secure/attachment/12487842/wss4j-1.6.2-SNAPSHOT.jar

Colm.

On Tue, Jul 19, 2011 at 3:34 PM, Jaime Hablutzel Egoavil
<[email protected]> wrote:
> No, I was using 2.3.5 because with 2.4.1 my configuration is not working, with a
> WSDL like this one:
>
> <?xml version='1.0' encoding='UTF-8'?><wsdl:definitions
> name="CXFLibraryImplService"
> targetNamespace="http://service2.ws.service.kprtech.com/";
> xmlns:ns1="http://cxf.apache.org/bindings/xformat";
> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/";
> xmlns:tns="http://service2.ws.service.kprtech.com/";
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
> xmlns:xsd="http://www.w3.org/2001/XMLSchema";>
>
>
>     <!-- Policy "SignEncr": referenced from the binding by the
>          wsp:PolicyReference URI="#SignEncr" further down this WSDL. As quoted
>          it holds an sp:AsymmetricBinding, an sp:Wss10 assertion and
>          sp:SignedParts for the Body. There is no sp:EncryptedParts assertion,
>          so despite the Id the policy shown asks for a signed body, not an
>          encrypted one.
>          NOTE(review): the ";" after each quoted URL looks like a mail archive
>          artifact; it is not valid inside a start tag, so strip it before
>          reusing this WSDL. -->
>     <wsp:Policy wsu:Id="SignEncr"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";>
>
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:AsymmetricBinding
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <wsp:Policy>
>             <!-- Initiator (client) token: an X.509 certificate that is sent
>                  with every request (IncludeToken/AlwaysToRecipient) and
>                  referenced by thumbprint. Because the certificate arrives in
>                  the message, the receiver's trust validation of it decides
>                  whether the signature is accepted. -->
>             <sp:InitiatorToken>
>               <wsp:Policy>
>                 <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
>                   <wsp:Policy>
>                     <sp:RequireThumbprintReference/>
>                       <sp:WssX509V1Token10/>
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:InitiatorToken>
>             <!-- Recipient (service) token: never carried in a message
>                  (IncludeToken/Never); it is identified by thumbprint only, so
>                  each side must already hold the other's certificate. -->
>             <sp:RecipientToken>
>               <wsp:Policy>
>                 <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
>                   <wsp:Policy>
>                     <sp:RequireThumbprintReference/>
>                           <sp:WssX509V3Token10/>
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:RecipientToken>
>             <!-- TripleDesRsa15 is the WS-SecurityPolicy 1.2 suite with Triple
>                  DES encryption, RSA PKCS#1 v1.5 key transport and SHA-1
>                  digests. RSA v1.5 key transport is exposed to padding-oracle
>                  (Bleichenbacher-style) attacks, and SHA-1 and Triple DES are
>                  deprecated. Where both peers support it, a suite such as
>                  Basic256Sha256 is the stronger choice.
>                  NOTE(review): changing the suite changes the contract for
>                  existing clients; confirm before editing. -->
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:TripleDesRsa15/>
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Strict/>
>               </wsp:Policy>
>             </sp:Layout>
>             <!-- IncludeTimestamp requires a wsu:Timestamp in the security
>                  header, which gives the receiver a freshness value to check
>                  against replayed messages. -->
>             <sp:IncludeTimestamp/>
>             <sp:OnlySignEntireHeadersAndBody/>
>           </wsp:Policy>
>         </sp:AsymmetricBinding>
>           <!-- NOTE(review): this assertion rebinds the sp prefix to the
>                2005/07 securitypolicy namespace, while every other sp:
>                assertion in this policy uses 200702. Confirm the mix is
>                intended; a policy engine may treat the two as unrelated
>                vocabularies. -->
>           <sp:Wss10
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
>                 <wsp:Policy>
>                     <sp:MustSupportRefKeyIdentifier/>
>                     <sp:MustSupportRefIssuerSerial/>
>                 </wsp:Policy>
>             </sp:Wss10>
>         <!-- Only the SOAP Body is listed for signing; no header parts are
>              named here. -->
>         <sp:SignedParts
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <sp:Body/>
>         </sp:SignedParts>
>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>
>
>   <wsdl:types>
> <xs:schema elementFormDefault="unqualified"
> targetNamespace="http://service2.ws.service.kprtech.com/"; version="1.0"
> xmlns:tns="http://service2.ws.service.kprtech.com/";
> xmlns:xs="http://www.w3.org/2001/XMLSchema";>
> <xs:element name="sayHello" type="tns:sayHello" />
> <xs:element name="sayHelloResponse" type="tns:sayHelloResponse" />
> <xs:complexType name="sayHello">
> <xs:sequence>
> <xs:element minOccurs="0" name="arg0" type="xs:string" />
> </xs:sequence>
> </xs:complexType>
> <xs:complexType name="sayHelloResponse">
> <xs:sequence>
> <xs:element minOccurs="0" name="return" type="xs:string" />
> </xs:sequence>
> </xs:complexType>
> </xs:schema>
>
>   </wsdl:types>
>   <wsdl:message name="sayHelloResponse">
>     <wsdl:part element="tns:sayHelloResponse" name="parameters">
>     </wsdl:part>
>   </wsdl:message>
>   <wsdl:message name="sayHello">
>     <wsdl:part element="tns:sayHello" name="parameters">
>     </wsdl:part>
>   </wsdl:message>
>
>   <wsdl:portType name="Library">
>     <wsdl:operation name="sayHello">
>       <wsdl:input message="tns:sayHello" name="sayHello">
>     </wsdl:input>
>       <wsdl:output message="tns:sayHelloResponse" name="sayHelloResponse">
>     </wsdl:output>
>     </wsdl:operation>
>   </wsdl:portType>
>   <wsdl:binding name="CXFLibraryImplServiceSoapBinding" type="tns:Library">
>          <!-- Attaches the policy with wsu:Id="SignEncr" at binding level
>               rather than on a single operation or message, so the sayHello
>               input and output below are both subject to it. -->
>          <wsp:PolicyReference
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
>         URI="#SignEncr"/>
>     <soap:binding style="document"
> transport="http://schemas.xmlsoap.org/soap/http"; />
>     <wsdl:operation name="sayHello">
>       <soap:operation soapAction="" style="document" />
>       <wsdl:input name="sayHello">
>         <soap:body use="literal" />
>       </wsdl:input>
>       <wsdl:output name="sayHelloResponse">
>         <soap:body use="literal" />
>       </wsdl:output>
>
>     </wsdl:operation>
>   </wsdl:binding>
>   <wsdl:service name="CXFLibraryImplService">
>     <wsdl:port binding="tns:CXFLibraryImplServiceSoapBinding"
> name="CXFLibraryImplPort">
>       <soap:address
> location="http://localhost:8080/domicilios/services/service2"; />
>     </wsdl:port>
>   </wsdl:service>
> </wsdl:definitions>
>
>
> The service exposed this way:
>
>
>     <!-- Server-side JAX-WS endpoint for CXFLibraryImpl. wsdlLocation points
>          at service2.wsdl on the classpath; presumably that is the WSDL quoted
>          above, so its "SignEncr" policy applies to this endpoint. -->
>     <jaxws:endpoint id="service2"
>
> implementor="com.kprtech.service.ws.service2.CXFLibraryImpl"
>                     wsdlLocation="classpath:service2.wsdl"
>                     address="/service2">
>
>      <jaxws:properties>
>             <!-- ws-security.signature.properties: Crypto (keystore)
>                  configuration file used for signatures.
>                  ws-security.signature.username: keystore alias of the signing
>                  key.
>                  ws-security.callback-handler: CallbackHandler class that
>                  supplies the key password.
>                  NOTE(review): from CXF 2.4.0 the default trust check on the
>                  signing certificate can be replaced with a custom Validator
>                  (see the reply quoted further down); CXF documents the
>                  property ws-security.signature.validator for this. A
>                  replacement that looks certificates up in a database takes
>                  over the whole trust decision, so it should still check the
>                  chain, the validity period and revocation. -->
>             <entry key="ws-security.signature.properties"
> value="server-crypto.properties"/>
>             <entry key="ws-security.signature.username" value="serverkey"/>
>             <!-- The entry below is disabled. In CXF, useReqSigCert means the
>                  response is encrypted with the certificate that signed the
>                  request. -->
>             <!--<entry key="ws-security.encryption.username"
> value="useReqSigCert"/>-->
>             <entry key="ws-security.callback-handler"
>                    value="com.kprtech.service.ws.impl.ServerCallback"/>
>         </jaxws:properties>
>
>     </jaxws:endpoint>
>
>
> And the client was generated using the CXF tool.
>
> This is working perfectly in 2.3.5 and 2.2.6. Has something changed in
> the 2.4.1 version when the WSDL-first approach is used?
> I'm getting this error:
>
> 2011-07-19 09:26:23,720 [qtp32323148-24] WARN
> org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for
> {http://service2.ws.service.kprtech.com/}CXFLibraryImplService has thrown
> exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
> invalid
>
>
>
> On Tue, Jul 19, 2011 at 3:36 AM, Colm O hEigeartaigh <[email protected]>
> wrote:
>>
>> Hi Jaime,
>>
>> What version of CXF are you using? There is a better way to do this
>> than via a CXF interceptor from CXF 2.4.0 onwards. Trust validation is
>> done by WSS4J via the SignatureTrustValidator, which is given the
>> certificate used to verify the signature, and verifies trust via the
>> CertPath API. You can simply plug your own Validator implementation in
>> here instead. See this blog entry for more details:
>>
>>
>> http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html
>>
>> Colm.
>>
>> On Mon, Jul 18, 2011 at 7:30 PM, Jaime Hablutzel Egoavil
>> <[email protected]> wrote:
>> > Hi I have a web service exposed with cxf with this wsdl:
>> >
>> > <?xml version='1.0' encoding='UTF-8'?><wsdl:
>> > definitions name="CXFLibraryImplService" targetNamespace="
>> > http://service2.ws.service.kprtech.com/"; xmlns:ns1="
>> > http://cxf.apache.org/bindings/xformat"; xmlns:soap="
>> > http://schemas.xmlsoap.org/wsdl/soap/"; xmlns:tns="
>> > http://service2.ws.service.kprtech.com/"; xmlns:wsdl="
>> > http://schemas.xmlsoap.org/wsdl/"; xmlns:xsd="
>> > http://www.w3.org/2001/XMLSchema";>
>> >  <wsdl:types>
>> > <xs:schema elementFormDefault="unqualified" targetNamespace="
>> > http://service2.ws.service.kprtech.com/"; version="1.0" xmlns:ns1="
>> > http://cxf.apache.org/bindings/xformat"; xmlns:soap="
>> > http://schemas.xmlsoap.org/wsdl/soap/"; xmlns:tns="
>> > http://service2.ws.service.kprtech.com/"; xmlns:wsdl="
>> > http://schemas.xmlsoap.org/wsdl/";
>> > xmlns:xs="http://www.w3.org/2001/XMLSchema";
>> > xmlns:xsd="http://www.w3.org/2001/XMLSchema";>
>> > <xs:element name="sayHello" type="tns:sayHello" />
>> > <xs:element name="sayHelloResponse" type="tns:sayHelloResponse" />
>> > <xs:complexType name="sayHello">
>> > <xs:sequence>
>> > <xs:element minOccurs="0" name="arg0" type="xs:string" />
>> > </xs:sequence>
>> > </xs:complexType>
>> > <xs:complexType name="sayHelloResponse">
>> > <xs:sequence>
>> > <xs:element minOccurs="0" name="return" type="xs:string" />
>> > </xs:sequence>
>> > </xs:complexType>
>> > </xs:schema>
>> >  </wsdl:types>
>> >  <wsdl:message name="sayHello">
>> >    <wsdl:part element="tns:sayHello" name="parameters">
>> >    </wsdl:part>
>> >  </wsdl:message>
>> >  <wsdl:message name="sayHelloResponse">
>> >    <wsdl:part element="tns:sayHelloResponse" name="parameters">
>> >    </wsdl:part>
>> >  </wsdl:message>
>> >  <wsdl:portType name="Library">
>> >    <wsdl:operation name="sayHello">
>> >      <wsdl:input message="tns:sayHello" name="sayHello">
>> >    </wsdl:input>
>> >      <wsdl:output message="tns:sayHelloResponse"
>> > name="sayHelloResponse">
>> >    </wsdl:output>
>> >    </wsdl:operation>
>> >  </wsdl:portType>
>> >  <wsdl:binding name="CXFLibraryImplServiceSoapBinding"
>> > type="tns:Library">
>> >    <wsp:PolicyReference URI="#SignEncr" xmlns:wsp="
>> > http://schemas.xmlsoap.org/ws/2004/09/policy"; />
>> >    <soap:binding style="document" transport="
>> > http://schemas.xmlsoap.org/soap/http"; />
>> >    <wsdl:operation name="sayHello">
>> >      <soap:operation soapAction="" style="document" />
>> >      <wsdl:input name="sayHello">
>> >        <soap:body use="literal" />
>> >      </wsdl:input>
>> >      <wsdl:output name="sayHelloResponse">
>> >        <soap:body use="literal" />
>> >      </wsdl:output>
>> >    </wsdl:operation>
>> >  </wsdl:binding>
>> >  <wsdl:service name="CXFLibraryImplService">
>> >    <wsdl:port binding="tns:CXFLibraryImplServiceSoapBinding"
>> > name="CXFLibraryImplPort">
>> >      <soap:address location="
>> > http://localhost:8888/domicilios/services/service2"; />
>> >    </wsdl:port>
>> >  </wsdl:service>
>> >    <wsp:Policy wsu:Id="SignEncr" xmlns:wsp="
>> > http://schemas.xmlsoap.org/ws/2004/09/policy"; xmlns:wsu="
>> >
>> > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
>> > ">
>> >
>> >    <wsp:ExactlyOne>
>> >      <wsp:All>
>> >        <sp:AsymmetricBinding xmlns:sp="
>> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>> >          <wsp:Policy>
>> >            <sp:InitiatorToken>
>> >              <wsp:Policy>
>> >                <sp:X509Token sp:IncludeToken="
>> >
>> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
>> > ">
>> >                  <wsp:Policy>
>> >                    <sp:RequireThumbprintReference />
>> >                      <sp:WssX509V1Token10 />
>> >                  </wsp:Policy>
>> >                </sp:X509Token>
>> >              </wsp:Policy>
>> >            </sp:InitiatorToken>
>> >            <sp:RecipientToken>
>> >              <wsp:Policy>
>> >                <sp:X509Token sp:IncludeToken="
>> >
>> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never
>> > ">
>> >                  <wsp:Policy>
>> >                    <sp:RequireThumbprintReference />
>> >                          <sp:WssX509V3Token10 />
>> >                  </wsp:Policy>
>> >                </sp:X509Token>
>> >              </wsp:Policy>
>> >            </sp:RecipientToken>
>> >            <sp:AlgorithmSuite>
>> >              <wsp:Policy>
>> >                <sp:TripleDesRsa15 />
>> >              </wsp:Policy>
>> >            </sp:AlgorithmSuite>
>> >            <sp:Layout>
>> >              <wsp:Policy>
>> >                <sp:Strict />
>> >              </wsp:Policy>
>> >            </sp:Layout>
>> >            <sp:IncludeTimestamp />
>> >            <sp:OnlySignEntireHeadersAndBody />
>> >          </wsp:Policy>
>> >        </sp:AsymmetricBinding>
>> >          <sp:Wss10 xmlns:sp="
>> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
>> >                <wsp:Policy>
>> >                    <sp:MustSupportRefKeyIdentifier />
>> >                    <sp:MustSupportRefIssuerSerial />
>> >                </wsp:Policy>
>> >            </sp:Wss10>
>> >        <sp:SignedParts xmlns:sp="
>> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>> >          <sp:Body />
>> >        </sp:SignedParts>
>> >
>> >      </wsp:All>
>> >    </wsp:ExactlyOne>
>> >  </wsp:Policy>
>> > </wsdl:definitions>
>> >
>> >
>> > And I want to be able to get the certificate in a custom interceptor so
>> > that I can pass it to the Spring Security session context.
>> > Another thing I want is to be able to override CXF's default behaviour of
>> > validating the certPath, because I want to do this myself: the
>> > certificates aren't in a .jks keystore but in a database.
>> >
>> > I have read that I need a second interceptor, but how do I set an
>> > interceptor and give it lower precedence?
>> >
>> > Thanks.
>> >
>> >
>> >
>> > --
>> > Jaime Hablutzel - 9-9956-3299
>> >
>> > (tildes omitidas intencionalmente)
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> http://coheigea.blogspot.com/
>> Talend - http://www.talend.com
>
>
>
> --
> Jaime Hablutzel - 9-9956-3299
>
> (tildes omitidas intencionalmente)
>



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com
