Do you have control over the web service provider, or is it external and you're only building a client?

I provided the source code in that blog entry, you might wish to download and at least confirm *that* works, then it's an issue of trying to extrapolate why my client's OK but yours is having problems (of course, the fact that you're using a different web service provider that might have some peculiar requirements is probably going to be the source of the problem.) Using Wireshark (http://www.jroller.com/gmazza/entry/soap_calls_over_wireshark) can also help with your debugging a bit, by making it clearer where the error messages are coming from.

It appears the "The signature or decryption was invalid" message came from the web service provider. That might mean the service has the wrong client public key in its truststore (when it tried to validate the client's signature, it's comparing it with the wrong public key) or, if you're using asymmetric (2-key) binding, your client has the wrong public key of the service (the client encrypted the message with the wrong public key, hence the decryption failure when the service tried to decrypt it with its private key).

Finally, one of the keys you mentioned below:

keytool -genkey -alias myclient2key -keyalg RSA -sigalg SHA1withRSA -keypass
ck2pass -storepass cs2pass -keystore client2Keystore.jks -dname

is unnecessary; it was placed in the tutorial for educational purposes only.

HTH,
Glen
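
One way to test the two causes described above, as an added example that is not from the tutorial or the original post: it loads both keystores and checks that each side holds the exact certificate the other side owns. It assumes both .jks files are in the working directory and uses the file names, aliases and store passwords quoted further down in this thread; the class name KeystoreCrossCheck is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;

// Added diagnostic, not part of the tutorial. File names, aliases and store
// passwords are the ones quoted in this thread; the class name is hypothetical.
public class KeystoreCrossCheck {

    static KeyStore load(String file, String storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass.toCharArray());
        }
        return ks;
    }

    static String describe(X509Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02X", b));
        // Issuer and decimal serial are what <ds:X509IssuerSerial> carries on the wire.
        return "issuer=" + c.getIssuerX500Principal().getName()
             + " serial=" + c.getSerialNumber() + " sha256=" + hex;
    }

    // The owner holds the private key under 'alias'; the peer must hold the
    // very same certificate, otherwise it verifies or encrypts with a stale key.
    static boolean check(KeyStore owner, String alias, KeyStore peer, String peerFile)
            throws Exception {
        if (!owner.isKeyEntry(alias)) {
            System.out.println("FAIL  no private key entry '" + alias + "' in owner keystore");
            return false;
        }
        X509Certificate own = (X509Certificate) owner.getCertificate(alias);
        System.out.println(alias + ": " + describe(own));
        String found = peer.getCertificateAlias(own);   // null if the peer has no identical cert
        if (found != null) {
            System.out.println("OK    " + peerFile + " holds it as '" + found + "'");
            return true;
        }
        X509Certificate stale = (X509Certificate) peer.getCertificate(alias);
        System.out.println("FAIL  " + peerFile + (stale == null
                ? " has no entry for this certificate"
                : " holds a different one: " + describe(stale)));
        return false;
    }

    public static void main(String[] args) throws Exception {
        KeyStore service = load("serviceKeystore.jks", "sspass");
        KeyStore client = load("clientKeystore.jks", "cspass");
        // Cause 1: the service validates the client's signature against the wrong certificate.
        boolean a = check(client, "myclientkey", service, "serviceKeystore.jks");
        // Cause 2: the client encrypts for the service with the wrong public key.
        boolean b = check(service, "myservicekey", client, "clientKeystore.jks");
        System.exit(a && b ? 0 : 1);
    }
}
```

The alias reported for the service certificate inside clientKeystore.jks also has to equal the client's encryptionUser value (myservicekey), and the printed issuer and serial can be compared with the X509IssuerSerial element in the outbound message.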

On 03/01/2012 03:46 PM, martin wrote:


Hello again. I have used the tutorial found here to implement security now
(Favouring interceptors instead of WS security policy):
http://www.jroller.com/gmazza/entry/cxf_x509_profile


This has activated encryption on the service as far as I can see, as the old
client now complains over missing security headers as such:
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: An error
was discovered processing the<wsse:Security>  header

So far so good.

But then I tried building the client from the tutorial and that didn't work
as well. (by the way very good tutorial, I really got a good idea of how
interceptors work)

I did not use the tutorial 1-1 but I used it to modify my own functioning
web service. This is the error I am getting:
Mar 1, 2012 9:28:25 PM
org.springframework.beans.factory.xml.XmlBeanDefinitionReader
loadBeanDefinitions
INFO: Loading XML bean definitions from class path resource
[orgserver/common/Resources/Client.xml]
Mar 1, 2012 9:28:26 PM
org.apache.cxf.service.factory.ReflectionServiceFactoryBean
buildServiceFromClass
INFO: Creating Service {http://localhost:8080/}SEILoginService from class
orgserver.services.interfaces.SEILogin
Mar 1, 2012 9:28:27 PM
org.apache.cxf.services.SEILoginService.LoginServicePort.LoginService
INFO: Outbound Message
---------------------------
ID: 1
Address: http://localhost:8080/LoginService/services/Login
Encoding: UTF-8
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=[""]}
Payload:<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><xenc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="EK-4C079C7FA871DAB16E13306337076504"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=localhost</ds:X509IssuerName><ds:X509SerialNumber>1330071969</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>D+6WuPyhXg+UwVDaZhzGOoHp10+Ob7NRaQk9Wtjw9DRBswI7GYpzEfZx5NBE0JMy/Znz8lIgVdlF9+REC1vsarYtgWe1rCKfaZAXZQnzzzdbEw2uD6ilhng5JSS/YITrfZOcDXiHB/bKtOf9ETPJHTTuauzc0FZsYLT6tCEgEu0=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
URI="#ED-4"/><xenc:DataReference
URI="#ED-5"/></xenc:ReferenceList></xenc:EncryptedKey><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-4"
Type="http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference
URI="#EK-4C079C7FA871DAB16E13306337076504"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>rEfGWpgj8FgUzp9Krz9ezyCTTw9fiasjuha58hsDibYSnbdAUy/k2mZdvfo+8oIaxnwaTuW43eNV5EVnHbMcK0ri0V9ZnNEB9xK2D8A0c2w3whppC/fRTyS6ms7bE0W4tRCSFSaHDuFXsYMi7KlfOCyNH4ZJ78o65798zBbA8foNDyHFpokbH6ecSRDNv+cuN7CarVlXX33LXuxVpU7t8NcESjpGzlmLehYhValKIHbWapKF4L8gqM3aIghd9GdlWyQRPO5j1q3iHfzd0lelP92w2KSvbps5OhaakyQSuRNnkMTOu5wECJ23r01v4bQ0LvhaDQViTzeFRRj92vCAQNfWNkyq1+QzQbFVtljc8IEaCDZe0uzND721XBPx9Ub0Pp/WkUg+qFJDrEx+nYoXu9kB/wmVSUkE54twX8yCSu15ZEwOxwhUHgRrxw5xSnHV/5d1akY/Tb1bmoD1vZiSrAFZDwhUeIJURdz+Xsg0GRrg0Ex49rX947m1AUoDJ1OKpPoetzClXsylqTecgalv3FZm0V3fXfYShuAs5bZZR/iA9WwFuh/SpFRc2qjnh2+zXPRM8UAplUaFFc7GyUsVQS0EXExduhHUIqOXAk97SRoPzxCN/a2Or2z9514g3rHhU/4imFkGUHDLf/9E8LSI57CSH18sIs2v34ZLo/BfaM49GVkI+MuUnKYO+d1kBYZoN4b09QHgwW/SDxI3bHFHhj8jwtMSZCt9Fh4LyYw9a2NFu0VLoo+MTw5gIBltgUQc19zDNtJTgPQAOF+d7w7Wjaif0owKBVnabKKl3FSmCm5kSwnHbsadG9TzL5chqVvPupIPYRpV43u8ptHzQmtE9h15LOikEo+qtGjpkA4h+KbEiM42AbqxKV52mHIM2Fh1L6Q3oxXGoAi7f2YHhDcsVxcAo3fvGFwpuy7LJOUvqtv3UgnyV67qipdwjPXss+qq3IxXv+mVLRx9OiJtgnX7BbxRyEJ4B9nyabiSRvsPJcXZ0WA0aoL9AGorPh8jLevfO2+kEi/KLetmOHbDfg1jWMsymWM17OBscj7MJ+iWBAsCF5QjJMdGYCIWGo9Mj3UfsvnA/D5N2NKoTHAwn6OpjOWd4YhBXz7QFO1lDIaCiv3Tvcxc4jonBCwaOTnZoxkLCGQbEOyl+8/VH7wmpmQEYT0zapFSROe1YZk4xGBNV/pGje7MTe3Zr8PUxUIdixW8+m2JWzUczrhO8xBV24LbBQs3jq/kqV+66E187tQUz9hEiOGIIoLNfWo2yhQEhqS0LLktHvDG+UNOcL29kdYsB4Be3z6VJGJfqMB86K/ey6YMt9ig1ni6E04mXaBViiaEa/LQDsgA+cfFaLTSfqQVdTt3WaGEQqL8eTG5/xrXPapNwJH0khFPNNUJdqCYnRAM+j8C1vrsabU5HvqMOqG/mwODqxywRkWcbUZ0vH3m+0pn4m9uwQbo7oYer8AwicGHKtsDmMd0RAZjdirJtEr/wXpcnzLqpMlsQIJy3BBT1GHmtDe2cJOSnNRwS3RcLW+wbLvltMaphXJk0ah25b/dUhFH3NPTrtYVwqdxemdNC/FZEvKCjZ0aIzx9bpC5/GlhqkbWQDXQniv7h2WUwMXtfQ9vUU9a4A9G22Qzie97qyZLKOsYXV9wgYtNJ5CWuUU1XGYWdn5iapc6mYkx1XH4eUcjQnzJthrLbk4uGFtkZN1yFlUg4HUtH6mfDItQGAg2WvWUKsG2CDpxrYU5+47+vHP4ghe6Tq0n24vfT/GVVmoKT1CMZoBtG7OgHGphc6wkP9eipmLyYHaFindODjOX0s7q3Clf2+LnRRGKQsaEC4u0keX7bbGVEcJ+u0Lbf2WWD1tCtN3K2QpXMATRODvWH6
sIiFLB4RSPxThvzeTeHrJeuaaHCTwFRNb5b5o4tJZLJMDh8wWh0csKdyrboIZuwnusg4ToEgYUU1G18QYitxVDd5SXSd/BCf7mD31ktWWH0Yb6YtWaYjofg/dydUqzdu4iMNC/STMOJvIytWvFBozrwmKXcThFLlNwvAqexPnz6SgjnI/fd3czJXo5DAXxFXisOrFTsfAzs4KQa9VbBnwU77N4XP6zwavhQaoz6EcyKxwB9WMZlwq18JnPjQiODJL9yxbRF0mVAeji8JHMjjoZMZiPuk0lrb3S4uZpFPEZ7lboLr+e2zfWoZgpGQuuLi//tZdbuwrCRGJ48ZHiT3B5kfvn/DxAygfLs2M7VO3TFOrv6GJRXulOoskujRWXIuizSd6GOCF2ERWznhwb2KSl230CFqrNXdSEgYZ+XNfTawBM6cHGbHDuBRoyayEOVs/IMf3wFx4IqbdnGUItPhg2wbQp7yqvVqcYjSXXzhlEuFf7PpcDybFyaN7lAX76Y9xJaYUYtFJdJu8fVqgtsMLN0N/I4BD8H65aykrNEpNJg4HoGHsgsJMDRDjMJvjUdZedYodP/R6A6vCeenP29jxfXF0tE1F1tMXstiG+BExUq5yJAH3Ulk2Ibi5+4n5wx/JV5W5GVzJ1W+Brn+lhdkTbOhbqgT4uIoS9Jks5JcHVZVRSkiI15L4niQbqbk+bPlJSuLOgz0+C7NrQqD98u5oY3H0axz5d2+2XaJOehURoEBXFqZMgoJ/0HBiq1tPVF4viblukf1BBcW2SX3DQT+GRQaJSJNDzKBI6tAo6YfspOKkD3gjfUV5zPVSEzE/f3tV72asY2dXJhCKtP+4r3ZO6azrMHWOyRrki/pPvEbndecDNbGePQ27/CQ8GUUZgKxuu2XOTwueK</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><wsu:Timestamp
wsu:Id="TS-1"><wsu:Created>2012-03-01T20:28:27.357Z</wsu:Created><wsu:Expires>2012-03-01T20:33:27.357Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="id-2"><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-5"
Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"><wsse:Reference
URI="#EK-4C079C7FA871DAB16E13306337076504"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>VzTHmncSp9ky9+P/nhJQyY3Zn0iGtswtdyrp1VDOvyAxNmeTlTBsRBR1fHOdo7CCmWF8PhNfRHdhfFq7x0+hg/yteIpIyGHCOw2P68n5+kN8nb6EwEZmITrFKJBs0HDzFWVRuExWrByv1xLTi/1LEAiiXdRkygFwhyRDJ1fcRFk=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
--------------------------------------
Mar 1, 2012 9:28:27 PM
org.apache.cxf.services.SEILoginService.LoginServicePort.LoginService
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {connection=[close], Content-Length=[332],
content-type=[text/xml;charset=UTF-8], Date=[Thu, 01 Mar 2012 20:28:27 GMT],
Server=[Apache-Coyote/1.1]}
Payload:<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode
xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode><faultstring>The
signature or decryption was
invalid</faultstring></soap:Fault></soap:Body></soap:Envelope>
--------------------------------------
Mar 1, 2012 9:28:27 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
WARNING: Request does not contain Security header, but it's a fault.
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The
signature or decryption was invalid
         at
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
         at $Proxy34.Validate(Unknown Source)
         at orgserver.clienttest.EncClient.Validate(EncClient.java:32)
         at orgserver.clienttest.EncClient.main(EncClient.java:27)
Caused by: org.apache.cxf.binding.soap.SoapFault: The signature or
decryption was invalid
         at
org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
         at
org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
         at
org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
         at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
         at
org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
         at
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
         at
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
         at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
         at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:799)
         at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1627)
         at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1494)
         at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1402)
         at
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
         at
org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:195)
         at
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
         at
org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:649)
         at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
         at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:533)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319)
         at
org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
         at
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
         ... 3 more
Java Result: 1
BUILD SUCCESSFUL (total time: 2 seconds)



I'm sorry for the long ugly post, but I don't want to omit anything. But the
issue here seems to be that the server sends a soapfault back complaining
over the signature or encryption method. This seems to indicate that the
client encryption/signing does not match the server.

Client XML
<beans xmlns="http://www.springframework.org/schema/beans"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
        xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
           http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd">

    <bean id="client" class="orgserver.services.interfaces.SEILogin"
         factory-bean="clientFactory" factory-method="create"/>

    <bean id="clientFactory"
class="org.apache.cxf.jaxws.JaxWsProxyFactoryBean">
      <property name="serviceClass"
value="orgserver.services.interfaces.SEILogin"/>
      <property name="address"
value="http://localhost:8080/LoginService/services/Login"/>
        <property name="inInterceptors">
          <list>
             <ref bean="TimestampSignEncrypt_Response"/>
          </list>
        </property>
        <property name="outInterceptors">
          <list>
             <ref bean="TimestampSignEncrypt_Request"/>
          </list>
        </property>
    </bean>


     <bean
         class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
         id="TimestampSignEncrypt_Request">
         <constructor-arg>
             <map>
                 <entry key="action" value="Timestamp Signature Encrypt"/>
                 <entry key="user" value="myclientkey"/>
                 <entry key="signaturePropFile"
value="orgserver/common/Resources/clientKeystore.properties"/>
                 <entry key="encryptionPropFile"
value="orgserver/common/Resources/clientKeystore.properties"/>
                 <entry key="encryptionUser" value="myservicekey"/>
                 <entry key="passwordCallbackClass"
value="orgserver.clienttest.ClientPasswordCallback"/>
                 <entry key="signatureParts"
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                 <entry key="encryptionParts"
value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                 <entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
             </map>
         </constructor-arg>
     </bean>


     <bean
         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
         id="TimestampSignEncrypt_Response">
         <constructor-arg>
             <map>
                 <entry key="action" value="Timestamp Signature Encrypt"/>
                 <entry key="signaturePropFile"
value="orgserver/common/Resources/clientKeystore.properties"/>
                 <entry key="decryptionPropFile"
value="orgserver/common/Resources/clientKeystore.properties"/>
                 <entry key="passwordCallbackClass"
value="orgserver.clienttest.ClientPasswordCallback"/>
             </map>
         </constructor-arg>
     </bean>

</beans>

Server XML
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:soap="http://cxf.apache.org/bindings/soap"
       xsi:schemaLocation="
          http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
          http://cxf.apache.org/jaxws
          http://cxf.apache.org/schemas/jaxws.xsd">


     <jaxws:endpoint
         id="LoginService"
         implementor="orgserver.services.Login"
         address="/Login">

          <jaxws:outInterceptors>
              <ref bean="TimestampSignEncrypt_Response"/>
          </jaxws:outInterceptors>
          <jaxws:inInterceptors>
              <ref bean="TimestampSignEncrypt_Request"/>
          </jaxws:inInterceptors>

     </jaxws:endpoint>


     <bean
         id="TimestampSignEncrypt_Request"
         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
         >
         <constructor-arg>
             <map>
                 <entry key="action" value="Timestamp Signature Encrypt"/>
                 <entry key="signaturePropFile"
value="server-crypto.properties"/>
                 <entry key="decryptionPropFile"
value="server-crypto.properties"/>
                 <entry key="passwordCallbackClass"
value="orgserver.common.services.ServerCallback"/>
             </map>
         </constructor-arg>
     </bean>


     <bean
         id="TimestampSignEncrypt_Response"
         class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
         >
         <constructor-arg>
             <map>
                 <entry key="action" value="Timestamp Signature Encrypt"/>
                 <entry key="user" value="myservicekey"/>
                 <entry key="signaturePropFile"
value="server-crypto.properties"/>
                 <entry key="encryptionPropFile"
value="server-crypto.properties"/>
                 <entry key="encryptionUser" value="useReqSigCert"/>
                 <entry key="passwordCallbackClass"
value="orgserver.common.services.ServerCallback"/>
                 <entry key="signatureParts"
value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                 <entry key="encryptionParts"
value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
                 <entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
             </map>
         </constructor-arg>
     </bean>
</beans>


Client callback
public ClientPasswordCallback() {
         passwords.put("myclientkey", "ckpass");
     }

Server Callback
public ServerCallback() {
         passwords.put("myservicekey", "skpass");
     }

Server-Crypto
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.file=serviceKeystore.jks
org.apache.ws.security.crypto.merlin.keystore.password=sspass
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=myservicekey


Client-Crypto
org.apache.ws.security.crypto.merlin.keystore.file=clientKeystore.jks
org.apache.ws.security.crypto.merlin.keystore.password=cspass
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias=myclientkey


I have made certain that all the files are where they are supposed to be
(And they do throw exceptions if I move them, I checked). I have used the
key tool as described in the tutorial, I shamelessly copied/pasted into my
terminal.

Can anyone see my problem? The only alarm bell I see is the tag
<entry key="encryptionSymAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
used in both client and server xmls. Does this describe a symmetric
algorithm? Because the keys used are RSA keys (which is an asymmetric key).
These are the keys in question:
keytool -genkey -alias myservicekey -keyalg RSA -sigalg SHA1withRSA -keypass
skpass -storepass sspass -keystore serviceKeystore.jks -dname "cn=localhost"
keytool -genkey -alias myclientkey -keyalg RSA -sigalg SHA1withRSA -keypass
ckpass -storepass cspass -keystore clientKeystore.jks -dname "cn=clientuser"
keytool -genkey -alias myclient2key -keyalg RSA -sigalg SHA1withRSA -keypass
ck2pass -storepass cs2pass -keystore client2Keystore.jks -dname
"cn=client2user"

Am I missing a symmetric key to be transported by the RSA or what am I doing
wrong?


HELP!
-Martin
And thank you in advance.













-Although it's WSDL-first, link #14 (WS-SecPol method) might help you
-determine the Policy statements needed:
-http://www.jroller.com/gmazza/entry/blog_article_index

-Since you're doing Java-first you'll need to wire in the WS-Policy
-statements as described elsewhere (@Policy annotation).

-Glen

On 02/27/2012 01:53 PM, martin wrote:

Thank you for your reply.
I have been trying to find an example of how to write the policy.xml file.
Do you know of any example I can use?
Do I have to include namespaces in the policy file?
Do I have to include something in other files beside the policy
exceptions?
Thank you for your time


Your WSDL doesn't contain any security policy fragments or anything to
define the security requirements. There are two options:
1) Use the WSS4JInInterceptor documented at:
http://cxf.apache.org/docs/ws-security.html
2) Create a WS-Policy document that describes the policy you want to
enforce and attach that to the service via something like the @Policy
annotation or similar.
Dan
--
View this message in context:
http://cxf.547215.n5.nabble.com/WS-Security-policy-not-being-enabled-in-CXF-tp5512888p5519791.html
Sent from the cxf-user mailing list archive at Nabble.com.




--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza

