Yes it's done with Action property via code. Action looks like:
"UsernameToken Timestamp Signature Encrypt", and the signature element is
as follows "{Element}{
http://et.srv.gov.ca/}ES;{Element}{http://ip.ebs.srv.gov.ca/}ID;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body
"On Tue, Feb 11, 2014 at 11:45 AM, Colm O hEigeartaigh <[email protected]>wrote: > Ok, and what is the security policy of the service? Or is security > configured manually using the "Action" based approach? > > Colm. > > > On Tue, Feb 11, 2014 at 4:37 PM, Wabi Sabi <[email protected]> wrote: > > > I can't find the reference to AlgorithmSuite in the associated WSDL. > > Somehow this worked ok with CXF 2.7 > > > > Here is how the failing response looks like. > > > > ID: 1 > > Response-Code: 200 > > Encoding: ISO-8859-1 > > Content-Type: text/xml > > Headers: {Cache-Control=[no-cache, no-store], connection=[Keep-Alive], > > Content-Language=[en-CA], content-type=[text/xml], Date=[Tue, 11 Feb 2014 > > 16:04:05 GMT], Server=[Apache], transfer-encoding=[chunked], > > X-Backside-Transport=[OK OK], X-Client-IP=[111.111.11.111]} > > Payload: <?xml version="1.0" encoding="UTF-8"?> > > <soapenv:Envelope > > xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/ > > "><soapenv:Header><wsse:Security > > soapenv:mustUnderstand="1" xmlns:wsse=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd > > "><xenc:EncryptedKey > > xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";><xenc:EncryptionMethod > > Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"; xmlns:dsig=" > > http://www.w3.org/2000/09/xmldsig#"/><dsig:KeyInfo xmlns:dsig=" > > http://www.w3.org/2000/09/xmldsig# > > "><wsse:SecurityTokenReference><wsse:KeyIdentifier > > ValueType=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier > > " > > EncodingType=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary > > > ">qXzKaOt1jDRiRhI85g=</wsse:KeyIdentifier></wsse:SecurityTokenReference></dsig:KeyInfo><xenc:CipherData > > xmlns:dsig="http://www.w3.org/2000/09/xmldsig# > > > "><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference > > > > > URI="#G0x7fda3d296d98-46D"/></xenc:ReferenceList></xenc:EncryptedKey><wsu:Timestamp > > wsu:Id="Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7" xmlns:wsu=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > > > "><wsu:Created>2014-02-11T16:04:07Z</wsu:Created><wsu:Expires>2014-02-11T16:09:07Z</wsu:Expires></wsu:Timestamp><wsse:BinarySecurityToken > > wsu:Id="SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" > EncodingType=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary > > " > > ValueType=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 > > " > > xmlns:wsu=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > > ">....</wsse:BinarySecurityToken><Signature > > xmlns="http://www.w3.org/2000/09/xmldsig#";> > > <SignedInfo> > > <CanonicalizationMethod Algorithm=" > > http://www.w3.org/2001/10/xml-exc-c14n# > > "/> > > <SignatureMethod Algorithm=" > > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> > > <Reference URI="#Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7"> > > <Transforms> > > <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > > </Transforms> > > <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > <DigestValue>...</DigestValue> > > </Reference> > > <Reference URI="#Body-00d89df1-048f-4cc6-9cc2-39c33900dca4"> > > <Transforms> > > <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > > </Transforms> > > <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > > <DigestValue>...</DigestValue> > > </Reference> > > </SignedInfo> > > > > <SignatureValue>...</SignatureValue><KeyInfo><wsse:SecurityTokenReference > > xmlns=""><wsse:Reference > > URI="#SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" ValueType=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3 > > > "/></wsse:SecurityTokenReference></KeyInfo></Signature></wsse:Security></soapenv:Header><soapenv:Body > > wsu:Id="Body-00d89df1-048f-4cc6-9cc2-39c33900dca4" xmlns:wsu=" > > > > > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > > "><ns2:listResponse > > xmlns:ns4="http://srv.gov.ca/"; xmlns:ns3="http://ip.srv.gov.ca/"; > > xmlns:ns2=" > > http://et.srv.gov.ca/";><xenc:EncryptedData Id="G0x7fda3d296d98-46D" > Type=" > > http://www.w3.org/2001/04/xmlenc#Element"; xmlns:xenc=" > > http://www.w3.org/2001/04/xmlenc#";><xenc:EncryptionMethod Algorithm=" > > http://www.w3.org/2001/04/xmlenc#aes128-cbc > > > > > "/><xenc:CipherData><xenc:CipherValue>......</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></ns2:listResponse></soapenv:Body></soapenv:Envelope> > > > > Thank you very much, Colm, for your help looking into this! > > > > > > > > On Tue, Feb 11, 2014 at 11:13 AM, Colm O hEigeartaigh > > <[email protected]>wrote: > > > > > There are no CXF 2.7.x based solutions. The exception message seems to > be > > > that you are using the RSA 1.5 key transport algorithm even though > there > > is > > > no RSA 1.5 security policy in effect. What "AlgorithmSuite" policy are > > you > > > using? Is it a CXF client or some other stack? What does the failing > > > request look like? > > > > > > Colm. > > > > > > > > > On Tue, Feb 11, 2014 at 4:08 PM, Wabi Sabi <[email protected]> > > wrote: > > > > > > > Thank you very much, Colm for detailed and complete responses. I > tried > > > > building client with CXF 3, but it seems to break even the calls that > > > > worked before. I now get: > > > > > > > > Caused by: *org.apache.wss4j.common.ext.WSSecurityException*: An > error > > > was > > > > discovered processing the <wsse:Security> header > > > > > > > > Thrown by org.apache.wss4j.dom.processor.EncryptedKeyProcessor: > > > > > > > > if > > > > (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod) > > > > && !data.isAllowRSA15KeyTransportAlgorithm() > > > > && > > > > > > > > > > > > > > !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15)) > > > > { > > > > log.debug( > > > > "The Key transport method does not match the > > requirement" > > > > ); > > > > throw new > > > > WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); > > > > } > > > > > > > > > > > > I would greatly appreciate any pointers for implementing a CXF > > 2.7-based > > > > solution for the decryption... > > > > > > > > > > > > > > > > On Mon, Feb 10, 2014 at 11:38 AM, Colm O hEigeartaigh > > > > <[email protected]>wrote: > > > > > > > > > Here is a blog article describing how to use this new functionality > > in > > > > > CXF... > > > > > > > > > > http://coheigea.blogspot.ie/2014/02/apache-wss4j-200-part-v.html > > > > > > > > > > Colm. > > > > > > > > > > > > > > > On Fri, Feb 7, 2014 at 3:27 PM, Colm O hEigeartaigh < > > > [email protected] > > > > > >wrote: > > > > > > > > > > > > > > > > > Signing + encrypting/decrypting SOAP Attachments is not supported > > in > > > > CXF > > > > > > 2.7.x. However it is supported on CXF trunk at the moment, and > will > > > be > > > > > > included in the forthcoming CXF 3.0.0 release. Here are some > tests > > if > > > > you > > > > > > are interested: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/swa/ > > > > > > > > > > > > Colm. > > > > > > > > > > > > > > > > > > On Fri, Feb 7, 2014 at 3:19 PM, Wabi Sabi < > [email protected]> > > > > > wrote: > > > > > > > > > > > >> Hello, > > > > > >> > > > > > >> I wonder if CXF can be configured to decrypt attachments that > come > > > as > > > > a > > > > > >> web > > > > > >> service response? > > > > > >> > > > > > >> I hoped that WSS4JInInterceptor will take care of this use case, > > but > > > > it > > > > > >> fails with "The signature or decryption was invalid" exception, > > > which > > > > is > > > > > >> caused by > > > "org.apache.xml.security.encryption.XMLEncryptionException: > > > > > >> Could > > > > > >> not find a resolver for URI > > > > > >> cid:urn%3Auuid%@apache.org and Base null > > > > > >> > > > > > >> I managed to write a custom resolver to provide attachment data, > > but > > > > > then > > > > > >> it fails with yet another exception: > > > > > >> org.apache.xml.security.encryption.XMLEncryptionException: > > > > > >> Unknown transformation. No handler installed for URI > > > > > >> > > > > > >> > > > > > > > > > > > > > > > http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Ciphertext-Transform > > > > > >> > > > > > >> Can somebody point me in the right direction, please? Any help > is > > > > > greatly > > > > > >> appreciated. > > > > > >> > > > > > >> Thanks in advance. > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > Colm O hEigeartaigh > > > > > > > > > > > > Talend Community Coder > > > > > > http://coders.talend.com > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > Colm O hEigeartaigh > > > > > > > > > > Talend Community Coder > > > > > http://coders.talend.com > > > > > > > > > > > > > > > > > > > > > -- > > > Colm O hEigeartaigh > > > > > > Talend Community Coder > > > http://coders.talend.com > > > > > > > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com >
