Hello,
I am trying to set up WS-SecureConversation between a CXF client (version
2.7.6) and a Metro service (WS-SecureConversation over an HTTPS
TransportBinding). When CXF makes the final service call with the
SecurityContextToken in the security header, the service replies with a SOAP
fault "Invalid Security Header". The service logs say that signature
verification failed for the Signature with ID SIG-4. I am still investigating
on the service side what is wrong with that signature. Meanwhile, I noticed the
following exception in the CXF client at FINE log level:

Dec 19, 2013 6:37:08 PM
org.apache.cxf.ws.policy.PolicyVerificationOutInterceptor handle
FINE: An exception was thrown when verifying that the effective policy for
this request was satisfied.  However, this exception will not result in a
fault.  The exception raised is: org.apache.cxf.ws.policy.PolicyException:
These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportToken
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Trust10

Could this policy-verification exception be related to the signature failure
(the log says it does not produce a fault), or is it a red herring? Any other ideas?

I have attached the service WSDL, the CXF client (Spring) configuration and the
debug logs with the requests/responses.

Thanks for any help.

Regards,
Cyril
<?xml version='1.0' encoding='UTF-8'?><!-- Published by JAX-WS RI at http://jax-ws.dev.java.net. RI's version is Metro/2.2.1 (tags/2.2.1-7242; 2012-08-03T12:35:22+0000) JAXWS-RI/2.2.7 JAXWS/2.2 svn-revision#unknown. --><!--

    DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.

    Copyright (c) 1997-2010 Oracle and/or its affiliates. All rights reserved.

    The contents of this file are subject to the terms of either the GNU
    General Public License Version 2 only ("GPL") or the Common Development
    and Distribution License("CDDL") (collectively, the "License").  You
    may not use this file except in compliance with the License.  You can
    obtain a copy of the License at
    https://glassfish.dev.java.net/public/CDDL+GPL_1_1.html
    or packager/legal/LICENSE.txt.  See the License for the specific
    language governing permissions and limitations under the License.

    When distributing the software, include this License Header Notice in each
    file and include the License file at packager/legal/LICENSE.txt.

    GPL Classpath Exception:
    Oracle designates this particular file as subject to the "Classpath"
    exception as provided by Oracle in the GPL Version 2 section of the License
    file that accompanied this code.

    Modifications:
    If applicable, add the following below the License Header, with the fields
    enclosed by brackets [] replaced by your own identifying information:
    "Portions Copyright [year] [name of copyright owner]"

    Contributor(s):
    If you wish your version of this file to be governed by only the CDDL or
    only the GPL Version 2, indicate your decision by adding "[Contributor]
    elects to include this software in this distribution under the [CDDL or GPL
    Version 2] license."  If you don't indicate a single choice of license, a
    recipient has the option to distribute your version of this file under
    either the CDDL, the GPL Version 2 or to extend the choice of license to
    its licensees as provided above.  However, if you add GPL Version 2 code
    and therefore, elected the GPL Version 2 license, then the option applies
    only if the new code is made subject to such option by the copyright
    holder.

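--><wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:tns="http://xmlsoap.org/Ping"
                  xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
                  xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                  xmlns:wsa="http://www.w3.org/2005/08/addressing"
                  xmlns:wsap="http://www.w3.org/2006/05/addressing/wsdl"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                  xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
                  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
                  targetNamespace="http://xmlsoap.org/Ping">
	<!-- Schema for the Ping/PingResponse elements, imported from the same plain-HTTP endpoint
	     that published this WSDL. Anything a consumer fetches from here arrives unauthenticated;
	     see the note on the soap12:address at the bottom. -->
	<wsdl:types>
		<xsd:schema targetNamespace="http://xmlsoap.org/Ping/Imports">
			<xsd:import schemaLocation="http://localhost:8080/jaxws-sc/simple?xsd=1" namespace="http://xmlsoap.org/Ping"/>
		</xsd:schema>
	</wsdl:types>
	<!--
	    Effective security policy of PingBinding (referenced from the binding below). Structure:
	      * outer TransportBinding: server-authenticated HTTPS, no client certificate, Lax header
	        layout, a wsu:Timestamp in every message;
	      * EndorsingSupportingTokens / SecureConversationToken: every application message must carry
	        a SecurityContextToken (SCT) and a signature made with it. No sp:Issuer is given, so the
	        SCT is obtained from this service itself. With a TransportBinding there is no
	        message-level primary signature, so the endorsing signature covers the wsu:Timestamp
	        (WS-SecurityPolicy 1.x semantics; TODO confirm against the Metro trace). This is
	        presumably the "SIG-4" signature the service reports as failing to verify;
	      * BootstrapPolicy: how the SCT is obtained. HTTPS with Strict layout, a UsernameToken as
	        signed supporting token, WSS 1.1 reference types, WS-Trust 1.0 with both client and
	        server entropy (the SCT key is computed from both, neither side chooses it alone).
	-->
	<wsp:Policy xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" wsu:Id="SecureConversation_UserNameOverTransport_IPingService_policy">
		<wsp:ExactlyOne>
			<wsp:All>
				<sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<sp:TransportToken>
							<wsp:Policy>
								<!-- Server-authenticated TLS only: the caller is identified by the SCT
								     (and by the UsernameToken during bootstrap), not by a client certificate. -->
								<sp:HttpsToken RequireClientCertificate="false"/>
							</wsp:Policy>
						</sp:TransportToken>
						<sp:AlgorithmSuite>
							<wsp:Policy>
								<sp:Basic256/>
							</wsp:Policy>
						</sp:AlgorithmSuite>
						<sp:Layout>
							<wsp:Policy>
								<sp:Lax/>
							</wsp:Policy>
						</sp:Layout>
						<!-- Replay/freshness: the Timestamp is also what the endorsing SCT signature covers. -->
						<sp:IncludeTimestamp/>
					</wsp:Policy>
				</sp:TransportBinding>
				<sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<!-- The SCT itself must be included in every request (AlwaysToRecipient), not
						     merely referenced by identifier. -->
						<sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
							<wsp:Policy>
								<sp:BootstrapPolicy>
									<wsp:Policy>
										<!-- Under a TransportBinding these SignedParts/EncryptedParts are satisfied
										     by TLS, not by XML Signature / XML Encryption in the message. -->
										<sp:SignedParts>
											<sp:Body/>
											<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
											<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
											<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
											<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
											<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
											<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
											<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
										</sp:SignedParts>
										<sp:EncryptedParts>
											<sp:Body/>
										</sp:EncryptedParts>
										<sp:TransportBinding>
											<wsp:Policy>
												<sp:TransportToken>
													<wsp:Policy>
														<sp:HttpsToken RequireClientCertificate="false"/>
													</wsp:Policy>
												</sp:TransportToken>
												<sp:AlgorithmSuite>
													<wsp:Policy>
														<sp:Basic256/>
													</wsp:Policy>
												</sp:AlgorithmSuite>
												<!-- Strict here vs. Lax on the outer binding: the bootstrap RST must
												     order its security header elements as WS-SecurityPolicy prescribes. -->
												<sp:Layout>
													<wsp:Policy>
														<sp:Strict/>
													</wsp:Policy>
												</sp:Layout>
												<sp:IncludeTimestamp/>
											</wsp:Policy>
										</sp:TransportBinding>
										<!-- The only client authentication in the whole exchange: a UsernameToken
										     in the bootstrap request, protected solely by the TLS channel. -->
										<sp:SignedSupportingTokens>
											<wsp:Policy>
												<sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
													<wsp:Policy>
														<sp:WssUsernameToken10/>
													</wsp:Policy>
												</sp:UsernameToken>
											</wsp:Policy>
										</sp:SignedSupportingTokens>
										<sp:Wss11>
											<wsp:Policy>
												<sp:MustSupportRefKeyIdentifier/>
												<sp:MustSupportRefIssuerSerial/>
												<sp:MustSupportRefThumbprint/>
												<sp:MustSupportRefEncryptedKey/>
											</wsp:Policy>
										</sp:Wss11>
										<!-- Both sides contribute entropy to the SCT key (computed key). -->
										<sp:Trust10>
											<wsp:Policy>
												<sp:MustSupportIssuedTokens/>
												<sp:RequireClientEntropy/>
												<sp:RequireServerEntropy/>
											</wsp:Policy>
										</sp:Trust10>
									</wsp:Policy>
								</sp:BootstrapPolicy>
							</wsp:Policy>
						</sp:SecureConversationToken>
					</wsp:Policy>
				</sp:EndorsingSupportingTokens>
				<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
					<wsp:Policy>
						<sp:MustSupportIssuedTokens/>
						<sp:RequireClientEntropy/>
						<sp:RequireServerEntropy/>
					</wsp:Policy>
				</sp:Trust10>
				<wsap:UsingAddressing/>
			</wsp:All>
		</wsp:ExactlyOne>
	</wsp:Policy>
	<wsdl:message name="PingRequest">
		<wsdl:part xmlns:q="http://xmlsoap.org/Ping" name="Ping" element="q:Ping"/>
	</wsdl:message>
	<wsdl:message name="PingResponse">
		<wsdl:part xmlns:q="http://xmlsoap.org/Ping" name="PingResponse" element="q:PingResponse"/>
	</wsdl:message>
	<wsdl:portType name="IPingService">
		<wsdl:operation name="Ping">
			<wsdl:input wsa:Action="http://xmlsoap.org/Ping" name="PingRequest" message="tns:PingRequest"/>
			<wsdl:output wsa:Action="http://xmlsoap.org/Ping" name="PingResponse" message="tns:PingResponse"/>
		</wsdl:operation>
	</wsdl:portType>
	<wsdl:binding name="PingBinding" type="tns:IPingService">
		<!-- Attaches the policy above to every operation of this binding. -->
		<wsp:PolicyReference URI="#SecureConversation_UserNameOverTransport_IPingService_policy"/>
		<soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
		<wsdl:operation name="Ping">
			<soap12:operation soapAction="http://xmlsoap.org/Ping" style="document"/>
			<wsdl:input name="PingRequest">
				<soap12:body use="literal"/>
			</wsdl:input>
			<wsdl:output name="PingResponse">
				<soap12:body use="literal"/>
			</wsdl:output>
		</wsdl:operation>
	</wsdl:binding>
	<wsdl:service name="PingService">
		<wsdl:port name="PingPort" binding="tns:PingBinding">
			<!-- NOTE(review): the published address is plain HTTP although the policy demands an
			     HttpsToken. A client that honours this address cannot satisfy the policy; the attached
			     client configuration overrides it with https://localhost:8443. Publishing the WSDL
			     itself only over HTTPS would also stop an on-path attacker from serving a weaker policy. -->
			<soap12:address location="http://localhost:8080/jaxws-sc/simple"/>
		</wsdl:port>
	</wsdl:service>
</wsdl:definitions>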
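<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns:cxf="http://cxf.apache.org/core"
	xmlns:jaxws="http://cxf.apache.org/jaxws"
	xmlns:http="http://cxf.apache.org/transports/http/configuration"
	xmlns:sec="http://cxf.apache.org/configuration/security"
	xsi:schemaLocation="
        http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans.xsd
        http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
        http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
        http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
        http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd">

	<!-- DEBUG ONLY: bus-wide message logging dumps every request and response in full, including
	     the WS-Security header (the bootstrap UsernameToken with its password, the SCT and the
	     signature made with it). Remove before this configuration leaves the test bench. -->
	<cxf:bus>
		<cxf:features>
			<cxf:logging />
		</cxf:features>
	</cxf:bus>

	<!-- NOTE(review): the client derives its effective WS-SecurityPolicy (including the requirement
	     to use an SCT at all) from wsdlLocation, which is fetched over plaintext HTTP before any TLS
	     session exists. An on-path attacker can substitute a weaker policy. Outside a localhost
	     lab, point wsdlLocation at the https:// endpoint or at a vetted local copy (classpath:/file:).
	     The published WSDL advertises a plain-HTTP address; "address" below overrides it with HTTPS,
	     which is what the HttpsToken in the policy requires. -->
	<jaxws:client name="{http://xmlsoap.org/Ping}PingPort" createdFromAPI="true"
		wsdlLocation="http://localhost:8080/jaxws-sc/simple?wsdl"
		address="https://localhost:8443/jaxws-sc/simple">
		<!-- Per-client logging interceptors on top of the bus-level logging feature above
		     (presumably each message is logged twice). Same DEBUG ONLY caveat. -->
		<jaxws:inInterceptors>
			<bean class="org.apache.cxf.interceptor.LoggingInInterceptor" />
		</jaxws:inInterceptors>
		<jaxws:outInterceptors>
			<bean class="org.apache.cxf.interceptor.LoggingOutInterceptor" />
		</jaxws:outInterceptors>
		<jaxws:properties>
			<!-- Credentials for the UsernameToken in the SecureConversation bootstrap request; CXF
			     applies the ".sct"-suffixed properties to that bootstrap exchange. Plaintext secrets
			     in a Spring file are acceptable for a lab only; externalise them elsewhere. -->
			<entry key="ws-security.username.sct" value="alice" />
			<entry key="ws-security.password.sct" value="alice" />
			<!-- Relaxes Basic Security Profile 1.1 conformance checks in WSS4J. Needed only when
			     talking to a Metro STS *and* using UsernameToken auth, because Metro omits the
			     TokenType parameter (Metro bugs WSIT-1324 and WSIT-1570). It widens what the client
			     will accept, so drop it as soon as the peer is fixed. -->
			<entry key="ws-security.is-bsp-compliant" value="false"/>
		</jaxws:properties>
	</jaxws:client>

	<!-- TLS settings for every endpoint whose address matches this regex. -->
	<http:conduit name="https://localhost.*">
		<!-- disableCNCheck="true" switches off hostname verification: any certificate chaining to
		     the truststore is accepted for any host, so the holder of any trusted certificate can
		     sit in the middle of this client. Keep it "false" (the CXF default) anywhere but a
		     localhost test bench. -->
		<http:tlsClientParameters disableCNCheck="true">
			<!-- Client key/certificate for TLS client authentication. The published policy says
			     RequireClientCertificate="false", so this is presumably unused unless the server
			     requests a certificate anyway. Store passwords are plaintext here; see the note on
			     the ".sct" credentials above. -->
			<sec:keyManagers keyPassword="changeit">
				<sec:keyStore type="jks" password="changeit" resource="client-keystore.jks" />
			</sec:keyManagers>
			<!-- Trust anchors for the service's TLS certificate. Limit this store to the CA (or
			     leaf) that actually issues the service certificate; do not reuse a JDK-wide cacerts. -->
			<sec:trustManagers>
				<sec:keyStore type="jks" password="changeit" resource="client-truststore.jks" />
			</sec:trustManagers>
		</http:tlsClientParameters>
	</http:conduit>
</beans>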

