OK, I just downloaded and ran the sample from the tutorial (from scratch, everything new) on my machine and it worked fine after creating the keys and placing them in the locations specified in the tutorial. (Incidentally I just posted a small update to the download, it now uses CXF 2.5.2 instead of 2.4.2.)

Next, checking if there might have been a problem with your key creation, I created two or three sets of {client, server} keys and had some keys have the wrong client or server key in their respective truststores. I wasn't able to duplicate your error message, instead for any type of wrong key what I would get is:

Mar 02, 2012 2:33:03 PM org.apache.cxf.interceptor.AbstractLoggingInterceptor log
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {connection=[close], Content-Length=[269], content-type=[text/xml;charset=UTF-8], Date=[Fri, 02 Mar 2012 19:33:03 GMT], Server=[Apache-Coyote/1.1]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode>soap:Client</faultcode><faultstring>General security error (No certificates were found for decryption (KeyId))</faultstring></soap:Fault></soap:Body></soap:Envelope>
--------------------------------------
Mar 02, 2012 2:33:03 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
WARNING: Request does not contain Security header, but it's a fault.
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General security error (No certificates were found for decryption (KeyId))

Finally, I downgraded to the non-unlimited encryption in the JDK (shouldn't be required to do so) but that wasn't it either, the SOAP calls worked regardless of whether or not I was doing unlimited encryption.

Note I'm using JDK 7 and Tomcat 7, but the tutorial was written under JDK 6 / Tomcat 6 so it should work for both. Also note, when you update the keys and place them in the location specified in the tutorial you need to run an mvn clean install for the client and a mvn clean install tomcat:redeploy so they move to the proper classpath locations.

Bottom line, I'm not sure why my tutorial download isn't working on your machine. If you'd like, if you ZIP up my blog tutorial project (do an mvn clean first) but keep your sample keys in the project (assuming you're creating them just as in my blog entry) at the exact locations you're using, you can email it to me (glen dot mazza at gmail dot com) and I can run it on my machine to see if I can duplicate your error using exactly your code. (Make sure you have no sensitive passwords or other config information within it.)

Glen





On 03/02/2012 12:25 PM, martin wrote:
First: I am sorry for being a blind idiot. Of course it was there. I looked
too many times to admit without finding it. Blech.

Anyway I installed the doubleit example. Added the keystores (copy paste
from the tutorial). And I am getting this message.
Payload:<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode><faultstring>The signature or decryption was invalid</faultstring></soap:Fault></soap:Body></soap:Envelope>


So the problem is here too. Please can anyone help me figure out what is
wrong? I have tried multiple key combinations, and even tried using the same
key combination in both ends.

Whole dump:

INFO: Outbound Message
---------------------------
ID: 1
Address: http://localhost:8080/doubleit/services/doubleit
Encoding: UTF-8
Content-Type: text/xml
Headers: {Accept=[*/*], SOAPAction=[""]}
Payload:<soap:Envelope
xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/";><soap:Header><wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
soap:mustUnderstand="1"><xenc:EncryptedKey
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
Id="EK-E35BA3DBFF70783C7813307086058634"><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=localhost</ds:X509IssuerName><ds:X509SerialNumber>1330708376</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>QesYkLXIUhEuX1FjJEYL1+yZomYNq+9OGQiL/3oLBlvJdJE4E3aqCgVUeH2wjj7nmGf5H9Q8gNtNbMtF9/+k4H8fxMwaqOlK5TI01jb/qU0VfcBz3E+tanEeIiRn2z6SNRED3BMWeL5tJuA7f+jS7RmiPCeHOpDQDgyYkI3CCcY=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference
URI="#ED-4"/><xenc:DataReference
URI="#ED-5"/></xenc:ReferenceList></xenc:EncryptedKey><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; Id="ED-4"
Type="http://www.w3.org/2001/04/xmlenc#Element";><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";><wsse:Reference
URI="#EK-E35BA3DBFF70783C7813307086058634"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>1yIB8yUoD8/FElWZiqcFcS2CU6bsIjmh+zoxK1n2AG8AJY63qQVMRaRD2m1fL/svuktREl3IhfcBUjBhQtLaNOM0lgudPw8ntVC8rRCi4qzo2jN9cwbFZoGV4SYB+QaWPByuW0LwazpMAGZ2IhcELNjEZdz8RQ/A0VWqkyPzx+lzLr4zyZKTjlZyR9FHCeBzY9JbC7rwfcOhMZPt+7n9n/rgqQgn7JA87FRePpAgVkj0oWuEJgXMgcNY3ksKtoNY6hiKrBYMuExzH4gRZfOJIssqlo4HcyvHIg951ml4FNqgiHdC5kS3mWqI4s/nCIbiVgsCaBnFCeASsDyneoG4o5yHKZqs6dEZgEhoHqM51q2906Yvm0/XSG+5Ex5Hm17mamBh4uUawD6T4OpJ+/X2mTyazFrmCDhEyjFhoN0K6WJrRRM9s1agiIWzinQY4LO5TPIybHhOCOKJrAG5QXGSPOkgvJECV7ZFBu7zf+vVYBDlD0W6Z7HX72ssdngBnIA/6FcvEvsNq0Fw4vQGaXvEx50M1J//32jsyonetR6WU2E3cfiN8KD/Tb0ckdT8kIB1DvmU3y2wu8xPKCuzcy1HFO7d9ueuxi3ZLM8t6+m+pBUNQNfSVtWxb86a84XUMXTZ6td7gs2GG1wQdy6SilsXlaPjLCoeQ4S+GUeGa0gznP8HLvYdIZz3kacy/6CXK3fffw+wiNJv5gBLJugWa+5rjPOjnL7+4Cg87Y2ndIfE5cCKF/G18ZjOrqEAOXVLj8x/X6hIfONpXG2TIPUhomfm4Qy33aVRfSmQmliOrIs91ogdIzftjVkH1WiwPmMxU8Yrq49Wb2l/fBzBublxY+QoFge6VbPKeV6A866a64/FxnBhdt4+NSDOPzVTu5Ovo1jsgxO0H/G7C7AB/kfKLdI22MlV/u0K1ZKx530eUDATXvjquS3/SWekCB7A6RL3ZwDCL5s/8jcd0A8UF9PFEOwvwkCW6vC7pX6XVIvhXgoP4Br0tV3pS19K+rldC0BfnpotPdysoAqq314JEZ0/4AHWMLMjm0UqdvbdLt1Sqv6+Aodjci964lH2F4N1vAE2G6eyPdkXliFtlq701JWjlWrtEOPQXu+QgX1JbGae+5ZWzzV31WLmK5Mthd7EDmOUW3SpRDpBtdmMqj0jKZfGQLo5V3TnVyrALYvzzFTFjPirkJUJ5K1PUVjFh0A6r+6Bxq98o8ggdnDmQApuB/3cd9yjSu9obGYesRHmzfP55/bCvEgPWDCqilBpUfSc05CWiDk2w/wIH9WnURHUo92Kk3dzJqbV7E8KL9AymhWZpa3M5aEstpFbKeS+riDFnFcShGPIC1JGk42JyozbjtFoehQmJ7iwcF34ekAPjWXehMbV6he9GOSJE8hrAmDOK/hUmjRJWIraR3IICBVfbPaKZ/WqDH38gRs1u9EFZ1WXoC5TPQO79ttLZujTRidz1YsgQDbfjhRnu85/xinddAlBB+D58s5jHShXEnfpTx4bPMTjNeCbNbNumdrOKbVfFGS/MFicCaQX5ry2t7WWGYF6kV3RDSBgPxhUPcUdGkJ/XE9nVQzyKLOsYzJDBGf++4A/GdCRDWqliUyk9GqKs47Wfj1dLKJVG/4qbLmrJKGp71cIDUOChPshKxWus/n7Oz7bs96aBcItW7DMYjWTyUr3iS4WZ/nJVIYHSN1NV+n1dc2hfUkBdIBrVPEvRJSfvalnqyU76U7OVxTcYKcWMAytRYKLVQLJws9ROhTBHnow6+/CUGamMeWvue+WxrArYARxqzVfldhY7kE3ktFrnJrlNeFTK4eLnJ3DLj207JwJ+zC203XrpJVzng57V8BV3f/ZdUcXNOx6RfJrwiO8H3ajZxiaUz
2dParYF8A7e2xqcnwhDmL3XK5ZcC/Dlu3aq2PMWA96GrDhl7k9m2UXhrwpWHmCV90QA8HqszBld/RWM/WGjHfoZB2VLaZdmiIdXnspXttNl5gda4VE24zW+C7sIAh6iBmmOn0npXItg8JLXjMIMrmZdt+SAz3BY/sB/aqGs4kJVbt/k+0KFM2FSoZcF0rixihRc26U7GaTd3tc209J5SETewSVBo1wOZTaBoyeDUu0xUHYukE074ExAFeH9W+kApgOU91mN5q9pJklyUs/4YCJHyXVxECwcnoUNUTXkoxs1s9ZlosflzDtHD/QoKsJvMG5PslOT7dcio66lE1p5xM3+W3xeudY6TNuL9xi58nXqyHJtgf6igCJhYyFfQWcA8dMxywux3Xg8alARyYU0JyO3IDkJagRQSAiJtx8dP+T3LIxLZV8oA2QPNQPcIrJGLEP0FhrbDYz+5Ulzjx9aijySqNYJd6L0fxVdZgRUuOLMnKFaSNoROk9imxbflFK4b6+CNNSL83IBot9UFbmed6YGlBPIc3Le3Fs5KXgmFuFE9cSwahXooiirh3rxAtW0IbiNLI7BBYrntjxCiroXYURAXXRlvO6PjvtV7Y94JPviOMIK4NX4xnLCs86G5lhcGJIf+QelxFFJaERYJi1oBAt5/YxBX+bhXxnULMM1T7rQd/xVJiPivmDVxBnAgoHbdBleHr6abJY8bTsii5J/VrmGlqE3K94LueggLL2ePddEP0gV98XiSKlOpoyzYv3irKf6Be6VeFSRgT0zkITxkB7/2VJt2Ns3aHmciWbPdJeP5cKqn7G86+6Hf04rjGQ44mcHvYzc2mjxM9uws6idTNeQIixbd5qd2YDgF/DMwdNp2r9TQszc3EziaJxPTfCn8BmyqPUnDlx</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><wsu:Timestamp
wsu:Id="TS-1"><wsu:Created>2012-03-02T17:16:45.390Z</wsu:Created><wsu:Expires>2012-03-02T17:21:45.390Z</wsu:Expires></wsu:Timestamp></wsse:Security></soap:Header><soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="id-2"><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"; Id="ED-5"
Type="http://www.w3.org/2001/04/xmlenc#Content";><xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey";><wsse:Reference
URI="#EK-E35BA3DBFF70783C7813307086058634"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>YDdHFiDqFw9/4aYgINYNYcqshIJ85+neI6+HLCd25XADb31XFB/VrEd0m9alKSCMI38HCXIurEh3hoXXn/U64fenBiT4sZCbqK2Xoegs3kN5vUdZZj/B4ikyzRbaHwJRrvqJtx1j0Iep8ls0R1K7I83eYy96AQVWqlfcISVUFw4=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
--------------------------------------
Mar 2, 2012 6:16:46 PM org.apache.cxf.interceptor.AbstractLoggingInterceptor log
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {connection=[close], Content-Length=[332], content-type=[text/xml;charset=UTF-8], Date=[Fri, 02 Mar 2012 17:16:46 GMT], Server=[Apache-Coyote/1.1]}
Payload:<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:FailedCheck</faultcode><faultstring>The signature or decryption was invalid</faultstring></soap:Fault></soap:Body></soap:Envelope>
--------------------------------------
Mar 2, 2012 6:16:46 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
WARNING: Request does not contain Security header, but it's a fault.
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: The signature or decryption was invalid
         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
         at $Proxy35.doubleIt(Unknown Source)
         at client.WSClient.doubleIt(WSClient.java:28)
         at client.WSClient.main(WSClient.java:23)
Caused by: org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
         at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
         at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
         at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
         at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:105)
         at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
         at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
         at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:771)
         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1600)
         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1485)
         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1393)
         at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
         at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:188)
         at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
         at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:640)
         at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:519)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:449)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:352)
         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:304)
         at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
         at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
         ... 3 more


---Original Message---


2nd paragraph, from the top:
http://www.jroller.com/gmazza/entry/cxf_x509_profile

Glen

On 03/02/2012 04:19 AM, martin wrote:

Hello again Glen

I have control over the web service provider. I am running on a Tomcat
server on a local machine.

I tried to reload the keys again thinking I made an error last time (I only
used one client and one server key this time, just to be sure), but I am
still getting the exact same error.

Lastly, you are saying that you put the entire example somewhere on your
blog, but I can't seem to find it. I might just be blind, but I have looked
over the blog entry a couple of times now but I just can't find it. Can you
tell me where it is?
--
View this message in context: 
http://cxf.547215.n5.nabble.com/WS-Security-policy-not-being-enabled-in-CXF-tp5512888p5531617.html
Sent from the cxf-user mailing list archive at Nabble.com.


--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
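
Added example, not part of the thread or the tutorial: one way to read which certificate a logged request was encrypted for (the X509IssuerSerial reference inside the EncryptedKey) and compare it with a key entry in the service keystore. The function names are hypothetical, and the sample envelope is constructed from the structure of the outbound message above with a placeholder ciphertext.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: EncryptedKey header shaped like the outbound message in
# this thread; the CipherValue is a placeholder, not the real ciphertext.
SAMPLE = f"""<soap:Envelope
  xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="{NS['wsse']}" xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
 <soap:Header><wsse:Security><xenc:EncryptedKey Id="EK-E35BA3DBFF70783C7813307086058634">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
  <ds:KeyInfo><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial>
   <ds:X509IssuerName>CN=localhost</ds:X509IssuerName>
   <ds:X509SerialNumber>1330708376</ds:X509SerialNumber>
  </ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo>
  <xenc:CipherData><xenc:CipherValue>Q09OU1RSVUNURUQ=</xenc:CipherValue></xenc:CipherData>
  <xenc:ReferenceList><xenc:DataReference URI="#ED-4"/>
   <xenc:DataReference URI="#ED-5"/></xenc:ReferenceList>
 </xenc:EncryptedKey></wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""


def encrypted_key_recipients(envelope_xml):
    """List, per EncryptedKey, the certificate the sender encrypted to."""
    found = []
    for ek in ET.fromstring(envelope_xml).iterfind(".//wsse:Security/xenc:EncryptedKey", NS):
        ref = ek.find(".//ds:X509IssuerSerial", NS)
        if ref is None:  # other reference styles are not handled in this example
            continue
        found.append({
            "id": ek.get("Id"),
            "transport": getattr(ek.find("xenc:EncryptionMethod", NS), "attrib", {}).get("Algorithm"),
            "issuer": ref.findtext("ds:X509IssuerName", namespaces=NS).strip(),
            "serial": int(ref.findtext("ds:X509SerialNumber", namespaces=NS)),  # decimal in the message
            "encrypts": [d.get("URI") for d in ek.iterfind(".//xenc:DataReference", NS)],
        })
    return found


def same_certificate(recipient, ks_issuer, ks_serial_hex):
    """True if a keystore entry's issuer and hex serial (the form keytool
    -list -v prints) name the certificate the message was encrypted for."""
    parts = lambda dn: [p.strip().lower() for p in dn.split(",")]  # simplified DN compare
    serial = int(ks_serial_hex.replace(":", ""), 16)
    return parts(recipient["issuer"]) == parts(ks_issuer) and recipient["serial"] == serial
```

The serial comparison converts between bases because the message carries the serial number in decimal while `keytool -list -v` prints it in hexadecimal.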

