Hi Glen,
The requirement now is for the policy to explicitly state that no password
is required in the UsernameToken, which will be the case for key
derivation, e.g.:
<sp:ProtectionToken>
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="
http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
">
<wsp:Policy>
<sp:WssUsernameToken10/>
<sp:NoPassword/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:ProtectionToken>
There was a security bug in previous versions of CXF where it was allowing
a UsernameToken with no passwords just to handle the key derivation case.
Colm.
On Sun, Sep 1, 2013 at 9:48 PM, Glen Mazza <[email protected]> wrote:
> Hi, the following sample: https://github.com/gmazza/**
> blog-samples/tree/master/cxf_**ut_messagelayer<https://github.com/gmazza/blog-samples/tree/master/cxf_ut_messagelayer>,
> hardcoded to use CXF 2.7.3, works fine with UsernameToken over
> Message-Layer Encryption (here, an X.509 symmetric key as explained in the
> first part of this short blog article: http://www.jroller.com/gmazza/**
> entry/usernametoken_**messagelayer_encryption<http://www.jroller.com/gmazza/entry/usernametoken_messagelayer_encryption>).
> To confirm, all that needs to be done is to run "mvn clean install
> tomcat7:run-war" from the cxf_ut_messagelayer base folder and "mvn
> exec:exec" from the client subfolder. However, once I upgrade
> cxf_ut_messagelayer/pom.xml to CXF 2.7.4 or more recent (tried 2.7.5 and
> 2.7.6 as well), I get the following error upon running the client:
>
> Sep 01, 2013 4:16:53 PM org.apache.cxf.phase.**PhaseInterceptorChain
> doDefaultLogging
> WARNING: Interceptor for {http://www.example.org/**contract/DoubleIt}**
> DoubleItService#{http://www.**example.org/contract/DoubleIt}**DoubleIt<http://www.example.org/contract/DoubleIt%7DDoubleItService#%7Bhttp://www.example.org/contract/DoubleIt%7DDoubleIt>has
> thrown exception, unwinding now
> org.apache.cxf.binding.soap.**SoapFault: The security token could not be
> authenticated or authorized
> at org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**
> createSoapFault(**WSS4JInInterceptor.java:788)
> at org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**
> handleMessage(**WSS4JInInterceptor.java:336)
> at org.apache.cxf.ws.security.**wss4j.**PolicyBasedWSS4JInInterceptor.
> **handleMessage(**PolicyBasedWSS4JInInterceptor.**java:120)
> at org.apache.cxf.ws.security.**wss4j.**PolicyBasedWSS4JInInterceptor.
> **handleMessage(**PolicyBasedWSS4JInInterceptor.**java:105)
> at org.apache.cxf.phase.**PhaseInterceptorChain.**doIntercept(**
> PhaseInterceptorChain.java:**271)
> at org.apache.cxf.transport.**ChainInitiationObserver.**onMessage(**
> ChainInitiationObserver.java:**121)
> at org.apache.cxf.transport.http.**AbstractHTTPDestination.**invoke(**
> AbstractHTTPDestination.java:**239)
> .....
> Caused by: org.apache.ws.security.**WSSecurityException: The security
> token could not be authenticated or authorized
> at org.apache.ws.security.**validate.**UsernameTokenValidator.**
> verifyUnknownPassword(**UsernameTokenValidator.java:**228)
> at org.apache.ws.security.**validate.**UsernameTokenValidator.**
> validate(**UsernameTokenValidator.java:**110)
> at org.apache.ws.security.**processor.**UsernameTokenProcessor.**
> handleUsernameToken(**UsernameTokenProcessor.java:**172)
> at org.apache.ws.security.**processor.**UsernameTokenProcessor.**
> handleToken(**UsernameTokenProcessor.java:**67)
> at org.apache.ws.security.**WSSecurityEngine.**processSecurityHeader(*
> *WSSecurityEngine.java:396)
> at org.apache.cxf.ws.security.**wss4j.WSS4JInInterceptor.**
> handleMessage(**WSS4JInInterceptor.java:279)
>
> Checking the dependencies via mvn dependency:tree, we upgrade from
> Woodstox 4.1.4 to 4.2.0 between CXF 2.7.3 and CXF 2.7.4. However, even if
> I force the use of Woodstox 4.1.4 in CXF 2.7.4 I get the same error message
> above. I don't know if this is a regression in CXF or if there is some
> configuration change that will require me to update my WSDL configuration.
>
> Thanks,
> Glen
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
