Yes, that fixed it. Thanks, Glen
On 09/04/2013 05:43 AM, Colm O hEigeartaigh wrote:

Hi Glen,

The requirement now is for the policy to explicitly state that no password is required in the UsernameToken, which will be the case for key derivation, e.g.:

    <sp:ProtectionToken>
      <wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
          <wsp:Policy>
            <sp:WssUsernameToken10/>
            <sp:NoPassword/>
          </wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy>
    </sp:ProtectionToken>

There was a security bug in previous versions of CXF where it was allowing a UsernameToken with no passwords just to handle the key derivation case.

Colm.

On Sun, Sep 1, 2013 at 9:48 PM, Glen Mazza <[email protected]> wrote:

Hi, the following sample: https://github.com/gmazza/blog-samples/tree/master/cxf_ut_messagelayer, hardcoded to use CXF 2.7.3, works fine with UsernameToken over Message-Layer Encryption (here, an X.509 symmetric key as explained in the first part of this short blog article: http://www.jroller.com/gmazza/entry/usernametoken_messagelayer_encryption). To confirm, all that needs to be done is to run "mvn clean install tomcat7:run-war" from the cxf_ut_messagelayer base folder and "mvn exec:exec" from the client subfolder.

However, once I upgrade cxf_ut_messagelayer/pom.xml to CXF 2.7.4 or more recent (tried 2.7.5 and 2.7.6 as well), I get the following error upon running the client:

    Sep 01, 2013 4:16:53 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
    WARNING: Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
    org.apache.cxf.binding.soap.SoapFault: The security token could not be authenticated or authorized
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:788)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:336)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:105)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
        .....
    Caused by: org.apache.ws.security.WSSecurityException: The security token could not be authenticated or authorized
        at org.apache.ws.security.validate.UsernameTokenValidator.verifyUnknownPassword(UsernameTokenValidator.java:228)
        at org.apache.ws.security.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:110)
        at org.apache.ws.security.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:172)
        at org.apache.ws.security.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:67)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:279)

Checking the dependencies via mvn dependency:tree, we upgrade from Woodstox 4.1.4 to 4.2.0 between CXF 2.7.3 and CXF 2.7.4. However, even if I force the use of Woodstox 4.1.4 in CXF 2.7.4 I get the same error message above. I don't know if this is a regression in CXF or if there is some configuration change that will require me to update my WSDL configuration.

Thanks,
Glen
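The policy requirement Colm describes above (a UsernameToken used for key derivation must explicitly carry <sp:NoPassword/>, and CXF 2.7.4+ rejects a passwordless token otherwise) is easy to check for before deploying a WSDL. The following linter is an added example and is not code from the thread, from CXF or from WSS4J. It parses a WS-SecurityPolicy fragment, reports the password mode each sp:UsernameToken assertion declares, and flags two cases: a token under sp:ProtectionToken with no <sp:NoPassword/> (the configuration that produces "The security token could not be authenticated or authorized" above), and <sp:NoPassword/> on a token outside sp:ProtectionToken, where it means no password is ever verified. The sample policies, the wsp namespace binding and the SupportingTokens variant are constructed for the example; the check itself matches on local element names, so it does not depend on which WS-Policy namespace a given WSDL uses.

```python
"""Lint WS-SecurityPolicy UsernameToken assertions for an explicit password mode.

Added example; not part of CXF or WSS4J. Sample policies below are constructed.
"""
import xml.etree.ElementTree as ET

SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Assumption: the sample binds wsp to the WS-Policy 1.2 namespace. The checks
# compare local names, so a WSDL using the W3C WS-Policy namespace works too.
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"

PASSWORD_MODES = ("NoPassword", "HashPassword")


def local_name(tag):
    """'{namespace}Name' -> 'Name'."""
    return tag.rsplit("}", 1)[-1]


def username_token_modes(policy_xml):
    """Return [(path, mode)] for every sp:UsernameToken in the document.

    mode is 'NoPassword' or 'HashPassword' when the token's nested wsp:Policy
    says so, otherwise 'default' (no explicit assertion: a password is expected).
    path is the chain of local element names from the root, which shows whether
    the token sits under sp:ProtectionToken or under a *SupportingTokens assertion.
    """
    root = ET.fromstring(policy_xml)
    found = []

    def walk(elem, path):
        path = path + [local_name(elem.tag)]
        if elem.tag == "{%s}UsernameToken" % SP_NS:
            mode = "default"
            for nested in elem.iter():  # iter() yields elem itself first; skip it
                if nested is not elem and local_name(nested.tag) in PASSWORD_MODES:
                    mode = local_name(nested.tag)
            found.append(("/".join(path), mode))
        for child in elem:
            walk(child, path)

    walk(root, [])
    return found


def lint(policy_xml):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    for path, mode in username_token_modes(policy_xml):
        under_protection = "ProtectionToken" in path.split("/")
        if under_protection and mode != "NoPassword":
            findings.append("%s: used for key derivation but <sp:NoPassword/> is not "
                            "declared; a passwordless token will be rejected" % path)
        if not under_protection and mode == "NoPassword":
            findings.append("%s: <sp:NoPassword/> outside ProtectionToken; no password "
                            "will be verified for this token" % path)
    return findings


def _policy(password_assertion, wrapper="ProtectionToken"):
    """Constructed sample policy built around the fragment quoted in the thread."""
    return """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
  <sp:%s>
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="%s/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:WssUsernameToken10/>
          %s
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:%s>
</wsp:Policy>""" % (WSP_NS, SP_NS, wrapper, SP_NS, password_assertion, wrapper)


# The policy as Colm states it: explicit NoPassword under ProtectionToken.
KEY_DERIVATION_POLICY = _policy("<sp:NoPassword/>")
# Same policy with the NoPassword assertion left out.
MISSING_NOPASSWORD_POLICY = _policy("")
# Constructed variant: NoPassword on a supporting (authentication) token.
SUPPORTING_NOPASSWORD_POLICY = _policy("<sp:NoPassword/>", wrapper="SupportingTokens")

if __name__ == "__main__":
    for label, pol in (("key-derivation", KEY_DERIVATION_POLICY),
                       ("missing-nopassword", MISSING_NOPASSWORD_POLICY),
                       ("supporting-nopassword", SUPPORTING_NOPASSWORD_POLICY)):
        print(label, username_token_modes(pol))
        for finding in lint(pol):
            print("  WARNING:", finding)
```

Running the block prints the mode for each sample; only the first policy comes back clean. To check a real service, replace the constructed samples with the policy element read from the WSDL and call `lint()` on it.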
