I can't reproduce the problem. I've added a test which signs a SOAP response in both the outInterceptor + outFaultInterceptor chains, and it works for both. Is the SOAP Fault defined in your WSDL?
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/coverage_checker/DefaultCryptoCoverageCheckerTest.java?view=markup http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/client/client.xml?view=markup http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/coverage_checker/server/server.xml?view=markup Colm. On Thu, Apr 25, 2013 at 12:15 PM, Lattermann, Dirk < [email protected]> wrote: > Hello Colm, > > I added an WSS4JOutInterceptor using the @OutFaultInterceptors > annotation. In the server logs, I see that the the message is signed and > encrypted, but the result is not added to the outgoing response. The client > receives a HTTP response with status 500 (that is correct as it's a fault) > but with a content length of 0 bytes. > > I couldn't deduct much from the interceptor chains involved in the > different cases, but maybe a clue lies in there? > > Fault response without trying to timestamp/sign/encrypt: > 12:15:52,224 FINE [org.apache.cxf.phase.PhaseInterceptorChain] > (http-/0.0.0.0:80-1) Chain > org.apache.cxf.phase.PhaseInterceptorChain@181b1ac1 was modified. Current > flow: > setup [ServerPolicyOutFaultInterceptor] > prepare-send [MessageSenderInterceptor, Soap11FaultOutInterceptor] > pre-stream [StaxOutInterceptor] > pre-protocol [WebFaultOutInterceptor] > pre-protocol-frontend [SOAPHandlerFaultOutInterceptor] > write [SoapOutInterceptor] > pre-marshal [LogicalHandlerFaultOutInterceptor] > marshal [Soap11FaultOutInterceptorInternal] > user-protocol > [org.apache.cxf.jaxws.handler.soap.SOAPHandlerFaultOutInterceptor.ENDING] > write-ending [SoapOutEndingInterceptor] > pre-protocol-ending [SAAJOutEndingInterceptor] > pre-stream-ending [StaxOutEndingInterceptor] > prepare-send-ending [MessageSenderEndingInterceptor] > Result: Correct Fault response without security elements. > > Fault response with WSS4JOutInterceptor, trying to timestamp/sign/encrypt: > 11:45:07,177 FINE [org.apache.cxf.phase.PhaseInterceptorChain] > (http-/0.0.0.0:80-1) Chain > org.apache.cxf.phase.PhaseInterceptorChain@2286a92d was modified. Current > flow: > setup [ServerPolicyOutFaultInterceptor] > prepare-send [MessageSenderInterceptor, Soap11FaultOutInterceptor] > pre-stream [StaxOutInterceptor] > pre-protocol [WebFaultOutInterceptor, ConfiguringWSOutInterceptor] > pre-protocol-frontend [SOAPHandlerFaultOutInterceptor] > write [SoapOutInterceptor] > pre-marshal [LogicalHandlerFaultOutInterceptor] > marshal [Soap11FaultOutInterceptorInternal] > user-protocol > [org.apache.cxf.jaxws.handler.soap.SOAPHandlerFaultOutInterceptor.ENDING] > post-protocol [WSS4JOutInterceptorInternal] > write-ending [SoapOutEndingInterceptor] > pre-protocol-ending [SAAJOutEndingInterceptor] > pre-stream-ending [StaxOutEndingInterceptor] > prepare-send-ending [MessageSenderEndingInterceptor] > Result: Response with content length 0 > > Regular (non-fault) response with WSS4JOutputInterceptor: > 12:32:55,808 FINE [org.apache.cxf.phase.PhaseInterceptorChain] > (http-/0.0.0.0:80-1) Chain > org.apache.cxf.phase.PhaseInterceptorChain@2df65112 was modified. Current > flow: > setup [PolicyOutInterceptor] > pre-logical [HolderOutInterceptor, SwAOutInterceptor, > WrapperClassOutInterceptor, SoapHeaderOutFilterInterceptor] > post-logical [SoapPreProtocolOutInterceptor] > prepare-send [MessageSenderInterceptor] > pre-stream [AttachmentOutInterceptor, StaxOutInterceptor] > pre-protocol [ConfiguringWSOutInterceptor] > pre-protocol-frontend [SOAPHandlerInterceptor] > write [SoapOutInterceptor] > pre-marshal [LogicalHandlerOutInterceptor] > marshal [BareOutInterceptor] > user-protocol > [org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.ENDING] > post-protocol [WSS4JOutInterceptorInternal] > write-ending [SoapOutEndingInterceptor] > pre-protocol-ending [SAAJOutEndingInterceptor] > pre-stream-ending [StaxOutEndingInterceptor] > prepare-send-ending [MessageSenderEndingInterceptor] > Result: regular response with timestamp token, signature and encryption in > place. > > > Thank you, > Dirk > > -----Ursprüngliche Nachricht----- > Von: Colm O hEigeartaigh [mailto:[email protected]] > Gesendet: Freitag, 19. April 2013 16:10 > An: [email protected] > Betreff: Re: CryptoCoverageChecker and SOAP Fault responses > > Have you tried adding it to the outbound fault interceptor chain? > > Colm. > > > On Mon, Apr 15, 2013 at 3:46 PM, Lattermann, Dirk < > [email protected]> wrote: > > > Would it perhaps be possible to configure the WSS4JOutInterceptor that > > it applies the security means (timestamp, signature, encryption) also > > in case of an outgoing Fault message? > > Then, the receiving client would get at the real exception from the > > SOAPFault and not the one from the CryptoCoverageChecker. > > > > Thanks again, > > Dirk. > > > > -----Ursprüngliche Nachricht----- > > Von: Colm O hEigeartaigh [mailto:[email protected]] > > Gesendet: Dienstag, 9. April 2013 17:38 > > An: [email protected] > > Betreff: Re: CryptoCoverageChecker and SOAP Fault responses > > > > > I'll look at the custom AlgorithmSuites, but I am a bit sceptical: > > > what's > > the use of WS-SecurityPolicy, when using an unknown, unofficial > > > algorithm suite (identifier) that has to be communicated out of line > > the the web service clients anyway? (But thanks again, I am curious > > > anyway.) > > > > Well for one it gives you all of the standard validation that is done > > of a message against a policy, that you don't get with the "Action" > > based approach. It also gives you the ability not to have to hard-wire > > (e.g.) the Algorithm Suite you are using in the client, if the client > > can have access to the WSDL of the service via a registry or even WSDL > publish. > > > > Colm. > > > > > > On Tue, Apr 9, 2013 at 4:03 PM, Lattermann, Dirk < > > [email protected]> wrote: > > > > > Hi Colm, > > > > > > thank you, I just logged Issue 4954. > > > > > > I'll look at the custom AlgorithmSuites, but I am a bit sceptical: > > > what's the use of WS-SecurityPolicy, when using an unknown, > > > unofficial algorithm suite (identifier) that has to be communicated > > > out of line the the web service clients anyway? (But thanks again, I > > > am curious > > > anyway.) > > > > > > Dirk > > > > > > -----Ursprüngliche Nachricht----- > > > Von: Colm O hEigeartaigh [mailto:[email protected]] > > > Gesendet: Dienstag, 9. April 2013 14:46 > > > An: [email protected] > > > Betreff: Re: CryptoCoverageChecker and SOAP Fault responses > > > > > > Hi Dirk, > > > > > > It appears that this is not currently supported. Could you log a JIRA? > > > > > > Incidentally, custom AlgorithmSuites are supported in CXF using > > > WS-SecurityPolicy. See here for an example: > > > > > > > > > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test > > > /j > > > ava/org/apache/cxf/systest/ws/gcm/ > > > > > > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test > > > /r esources/org/apache/cxf/systest/ws/gcm/ > > > > > > Colm. > > > > > > > > > On Tue, Apr 9, 2013 at 8:14 AM, Lattermann, Dirk < > > > [email protected]> wrote: > > > > > > > Hi, > > > > > > > > Using CXF 2.4.6 in JBoss EAP 6, I'm securing my web services with > > > > WS-Security (no WS-SecurityPolicy as the algorithm suite is not > > > > supported there). > > > > > > > > For this, I have configured WSS4JInInterceptors and > > > > WSS4JOutInterceptors on both client and server, and the setup works. > > > > > > > > To check if incoming messages are signed, encrypted, and with > > > > timestamp token, I also have configured a CryptoCoverageChecker on > > > > both client and server. Now I have the problem that I cannot > > > > obtain Fault answers from the server on the client any more > > > > because the CryptoCoverageChecker kicks in and I don't have a > > > > chance to access the > > > SOAPFaultException from the server. > > > > The server doesn't sign and encrypt Fault answers (which is ok, > > > > and this is the case also when using easy WS-SecurityPolicy > > configurations). > > > > > > > > How can I configure the CryptoCoverageChecker to only check > > > > regular > > > > (non-fault) web service responses? Or how can I configure CXF to > > > > only use a CryptoCoverageChecker on non-fault responses? (With > > > > WS-SecurityPolicy, this problem seems solved). > > > > > > > > Thank you, > > > > Dirk Lattermann > > > > -------------------------------------------------------- > > > > DATAGROUP BGS GmbH > > > > Dirk Lattermann > > > > > > > > > > > > Auf den Tongruben 3 > > > > D-53721 Siegburg > > > > Fon: +49 2241 166-531 > > > > Fax: +49 2241 166-680 > > > > E-Mail: [email protected] http://www.datagroup.de > > > > > > > > Sie finden uns auch auf: > > > > Facebook<https://www.facebook.com/#!/datagroupag/> | Xing< > > > > https://www.xing.com/companies/datagroupag/updates/> | Google+< > > > > https://plus.google.com/s/datagroup#112017044868465108697/posts> | > > > > LinkedIn<http://www.linkedin.com/company/datagroup-ag/> | Kununu< > > > > http://www.kununu.com/de/all/de/it/datagroup/> > > > > > > > > Geschäftsführung: Hans-Hermann Schaber Amtsgericht Mainz, HRB > > > > 44217 > > > > > > > > DATAGROUP ist als einer von wenigen IT-Dienstleistern zertifiziert > > > > nach ISO 20000, der höchstmöglichen Auszeichnung für > > > > professionelles IT Service Management. > > > > > > > > > > > > > > > > -- > > > Colm O hEigeartaigh > > > > > > Talend Community Coder > > > http://coders.talend.com > > > -------------------------------------------------------- > > > DATAGROUP BGS GmbH > > > Dirk Lattermann > > > > > > > > > Auf den Tongruben 3 > > > D-53721 Siegburg > > > Fon: +49 2241 166-531 > > > Fax: +49 2241 166-680 > > > E-Mail: [email protected] http://www.datagroup.de > > > > > > Sie finden uns auch auf: > > > Facebook<https://www.facebook.com/#!/datagroupag/> | Xing< > > > https://www.xing.com/companies/datagroupag/updates/> | Google+< > > > https://plus.google.com/s/datagroup#112017044868465108697/posts> | > > > LinkedIn<http://www.linkedin.com/company/datagroup-ag/> | Kununu< > > > http://www.kununu.com/de/all/de/it/datagroup/> > > > > > > Geschäftsführung: Hans-Hermann Schaber Amtsgericht Mainz, HRB 44217 > > > > > > DATAGROUP ist als einer von wenigen IT-Dienstleistern zertifiziert > > > nach ISO 20000, der höchstmöglichen Auszeichnung für professionelles > > > IT Service Management. > > > > > > > > > > > -- > > Colm O hEigeartaigh > > > > Talend Community Coder > > http://coders.talend.com > > -------------------------------------------------------- > > DATAGROUP BGS GmbH > > Dirk Lattermann > > > > > > Auf den Tongruben 3 > > D-53721 Siegburg > > Fon: +49 2241 166-531 > > Fax: +49 2241 166-680 > > E-Mail: [email protected] > > http://www.datagroup.de > > > > Sie finden uns auch auf: > > Facebook<https://www.facebook.com/#!/datagroupag/> | Xing< > > https://www.xing.com/companies/datagroupag/updates/> | Google+< > > https://plus.google.com/s/datagroup#112017044868465108697/posts> | > > LinkedIn<http://www.linkedin.com/company/datagroup-ag/> | Kununu< > > http://www.kununu.com/de/all/de/it/datagroup/> > > > > Geschäftsführung: Hans-Hermann Schaber Amtsgericht Mainz, HRB 44217 > > > > DATAGROUP ist als einer von wenigen IT-Dienstleistern zertifiziert > > nach ISO 20000, der höchstmöglichen Auszeichnung für professionelles > > IT Service Management. > > > > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com > -------------------------------------------------------- > DATAGROUP BGS GmbH > Dirk Lattermann > > > Auf den Tongruben 3 > D-53721 Siegburg > Fon: +49 2241 166-531 > Fax: +49 2241 166-680 > E-Mail: [email protected] > http://www.datagroup.de > > Sie finden uns auch auf: > Facebook<https://www.facebook.com/#!/datagroupag/> | Xing< > https://www.xing.com/companies/datagroupag/updates/> | Google+< > https://plus.google.com/s/datagroup#112017044868465108697/posts> | > LinkedIn<http://www.linkedin.com/company/datagroup-ag/> | Kununu< > http://www.kununu.com/de/all/de/it/datagroup/> > > Geschäftsführung: Hans-Hermann Schaber > Amtsgericht Mainz, HRB 44217 > > DATAGROUP ist als einer von wenigen IT-Dienstleistern zertifiziert nach > ISO 20000, der höchstmöglichen Auszeichnung für professionelles IT Service > Management. > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
