The error message is fairly self-explanatory here: the Signature does not contain a PrefixList attribute as required by the Basic Security Profile. To get around this, you can disable Basic Security Profile compliance on the inbound side by setting the property "ws-security.is-bsp-compliant" to "false".
Colm.

On Wed, Feb 12, 2014 at 11:24 PM, Wabi Sabi <[email protected]> wrote:

> Thank you very much, Colm. After enabling RSA15, I ran into another exception:
>
> org.apache.cxf.binding.soap.SoapFault: BSP:R5406: Any CANONICALIZATION_METHOD MUST contain an INCLUSIVE_NAMESPACES with a PrefixList attribute unless the PrefixList is empty
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:809)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:316)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:94)
>         ....
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: BSP:R5406: Any CANONICALIZATION_METHOD MUST contain an INCLUSIVE_NAMESPACES with a PrefixList attribute unless the PrefixList is empty
>         at org.apache.wss4j.dom.bsp.BSPEnforcer.handleBSPRule(BSPEnforcer.java:57)
>         at org.apache.wss4j.dom.processor.SignatureProcessor.checkBSPCompliance(SignatureProcessor.java:730)
>         at org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:403)
>         at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:230)
>         at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:421)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:260)
>         ... 40 more
>
> :(
>
> On Wed, Feb 12, 2014 at 8:49 AM, Colm O hEigeartaigh <[email protected]> wrote:
>
>> In this case you need to set the "allowRSA15KeyTransportAlgorithm" property to "true" on the receiving side.
>>
>> Colm.
>>
>> On Tue, Feb 11, 2014 at 5:51 PM, Wabi Sabi <[email protected]> wrote:
>>
>>> Yes, it's done with the Action property via code. Action looks like "UsernameToken Timestamp Signature Encrypt", and the signature element is as follows:
>>> "{Element}{http://et.srv.gov.ca/}ES;{Element}{http://ip.ebs.srv.gov.ca/}ID;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"
>>>
>>> On Tue, Feb 11, 2014 at 11:45 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>>
>>>> Ok, and what is the security policy of the service? Or is security configured manually using the "Action" based approach?
>>>>
>>>> Colm.
>>>>
>>>> On Tue, Feb 11, 2014 at 4:37 PM, Wabi Sabi <[email protected]> wrote:
>>>>
>>>>> I can't find the reference to AlgorithmSuite in the associated WSDL. Somehow this worked ok with CXF 2.7.
>>>>>
>>>>> Here is what the failing response looks like.
>>>>>
>>>>> ID: 1
>>>>> Response-Code: 200
>>>>> Encoding: ISO-8859-1
>>>>> Content-Type: text/xml
>>>>> Headers: {Cache-Control=[no-cache, no-store], connection=[Keep-Alive], Content-Language=[en-CA], content-type=[text/xml], Date=[Tue, 11 Feb 2014 16:04:05 GMT], Server=[Apache], transfer-encoding=[chunked], X-Backside-Transport=[OK OK], X-Client-IP=[111.111.11.111]}
>>>>> Payload: <?xml version="1.0" encoding="UTF-8"?>
>>>>> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
>>>>> <soapenv:Header>
>>>>> <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>>> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>>>> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/>
>>>>> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>>>>> <wsse:SecurityTokenReference>
>>>>> <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">qXzKaOt1jDRiRhI85g=</wsse:KeyIdentifier>
>>>>> </wsse:SecurityTokenReference>
>>>>> </dsig:KeyInfo>
>>>>> <xenc:CipherData xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><xenc:CipherValue>...</xenc:CipherValue></xenc:CipherData>
>>>>> <xenc:ReferenceList><xenc:DataReference URI="#G0x7fda3d296d98-46D"/></xenc:ReferenceList>
>>>>> </xenc:EncryptedKey>
>>>>> <wsu:Timestamp wsu:Id="Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>>> <wsu:Created>2014-02-11T16:04:07Z</wsu:Created><wsu:Expires>2014-02-11T16:09:07Z</wsu:Expires>
>>>>> </wsu:Timestamp>
>>>>> <wsse:BinarySecurityToken wsu:Id="SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">....</wsse:BinarySecurityToken>
>>>>> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
>>>>> <SignedInfo>
>>>>> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>> <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
>>>>> <Reference URI="#Timestamp-18d293c0-d26e-4042-9cfc-f026872122f7">
>>>>> <Transforms>
>>>>> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>> </Transforms>
>>>>> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>> <DigestValue>...</DigestValue>
>>>>> </Reference>
>>>>> <Reference URI="#Body-00d89df1-048f-4cc6-9cc2-39c33900dca4">
>>>>> <Transforms>
>>>>> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>>> </Transforms>
>>>>> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>>> <DigestValue>...</DigestValue>
>>>>> </Reference>
>>>>> </SignedInfo>
>>>>> <SignatureValue>...</SignatureValue>
>>>>> <KeyInfo>
>>>>> <wsse:SecurityTokenReference xmlns="">
>>>>> <wsse:Reference URI="#SecurityToken-fcfdab51-096f-4475-b46d-236871b8145e" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>>>>> </wsse:SecurityTokenReference>
>>>>> </KeyInfo>
>>>>> </Signature>
>>>>> </wsse:Security>
>>>>> </soapenv:Header>
>>>>> <soapenv:Body wsu:Id="Body-00d89df1-048f-4cc6-9cc2-39c33900dca4" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>>> <ns2:listResponse xmlns:ns4="http://srv.gov.ca/" xmlns:ns3="http://ip.srv.gov.ca/" xmlns:ns2="http://et.srv.gov.ca/">
>>>>> <xenc:EncryptedData Id="G0x7fda3d296d98-46D" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>>>>> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>>>>> <xenc:CipherData><xenc:CipherValue>......</xenc:CipherValue></xenc:CipherData>
>>>>> </xenc:EncryptedData>
>>>>> </ns2:listResponse>
>>>>> </soapenv:Body>
>>>>> </soapenv:Envelope>
>>>>>
>>>>> Thank you very much, Colm, for your help looking into this!
>>>>>
>>>>> On Tue, Feb 11, 2014 at 11:13 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>>>>
>>>>>> There are no CXF 2.7.x based solutions. The exception message seems to be that you are using the RSA 1.5 key transport algorithm even though there is no RSA 1.5 security policy in effect. What "AlgorithmSuite" policy are you using? Is it a CXF client or some other stack? What does the failing request look like?
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Tue, Feb 11, 2014 at 4:08 PM, Wabi Sabi <[email protected]> wrote:
>>>>>>
>>>>>>> Thank you very much, Colm, for detailed and complete responses. I tried building the client with CXF 3, but it seems to break even the calls that worked before. I now get:
>>>>>>>
>>>>>>> Caused by: *org.apache.wss4j.common.ext.WSSecurityException*: An error was discovered processing the <wsse:Security> header
>>>>>>>
>>>>>>> Thrown by org.apache.wss4j.dom.processor.EncryptedKeyProcessor:
>>>>>>>
>>>>>>>     if (WSConstants.KEYTRANSPORT_RSA15.equals(encryptedKeyTransportMethod)
>>>>>>>         && !data.isAllowRSA15KeyTransportAlgorithm()
>>>>>>>         && !algorithmSuite.getKeyWrapAlgorithms().contains(WSConstants.KEYTRANSPORT_RSA15)) {
>>>>>>>         log.debug("The Key transport method does not match the requirement");
>>>>>>>         throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY);
>>>>>>>     }
>>>>>>>
>>>>>>> I would greatly appreciate any pointers for implementing a CXF 2.7-based solution for the decryption...
>>>>>>>
>>>>>>> On Mon, Feb 10, 2014 at 11:38 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>>>>>>
>>>>>>>> Here is a blog article describing how to use this new functionality in CXF...
>>>>>>>>
>>>>>>>> http://coheigea.blogspot.ie/2014/02/apache-wss4j-200-part-v.html
>>>>>>>>
>>>>>>>> Colm.
>>>>>>>>
>>>>>>>> On Fri, Feb 7, 2014 at 3:27 PM, Colm O hEigeartaigh <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Signing + encrypting/decrypting SOAP Attachments is not supported in CXF 2.7.x. However, it is supported on CXF trunk at the moment, and will be included in the forthcoming CXF 3.0.0 release. Here are some tests if you are interested:
>>>>>>>>>
>>>>>>>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/swa/
>>>>>>>>>
>>>>>>>>> Colm.
>>>>>>>>>
>>>>>>>>> On Fri, Feb 7, 2014 at 3:19 PM, Wabi Sabi <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I wonder if CXF can be configured to decrypt attachments that come as a web service response?
>>>>>>>>>>
>>>>>>>>>> I hoped that WSS4JInInterceptor would take care of this use case, but it fails with a "The signature or decryption was invalid" exception, which is caused by "org.apache.xml.security.encryption.XMLEncryptionException: Could not find a resolver for URI cid:urn%3Auuid%@apache.org and Base null"
>>>>>>>>>>
>>>>>>>>>> I managed to write a custom resolver to provide attachment data, but then it fails with yet another exception:
>>>>>>>>>> org.apache.xml.security.encryption.XMLEncryptionException: Unknown transformation. No handler installed for URI http://docs.oasis-open.org/wss/oasis-wss-SwAProfile-1.1#Attachment-Ciphertext-Transform
>>>>>>>>>>
>>>>>>>>>> Can somebody point me in the right direction, please? Any help is greatly appreciated.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
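To tie the two workarounds from this thread together, here is an added example (not code from the thread, from CXF or from WSS4J) of an Action-based CXF 3.0 / WSS4J 2.0 client configured the way Colm describes: "allowRSA15KeyTransportAlgorithm" set to "true" on the inbound WSS4JInInterceptor, and "ws-security.is-bsp-compliant" set to "false" on the client's request context. The action string and the signature parts are the ones posted above; the keystore property file names, the aliases, the password, the encryption user and the generic port parameter are assumptions.

```java
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.wss4j.common.ext.WSPasswordCallback;
import org.apache.wss4j.dom.handler.WSHandlerConstants;

/**
 * Action-based WS-Security setup for a CXF 3.0 client that must talk to a legacy
 * service which still wraps the session key with RSA 1.5 and emits an Exclusive
 * C14N CanonicalizationMethod without InclusiveNamespaces (BSP R5406).
 * Hypothetical example: file names, aliases and the password are assumptions.
 */
public final class LegacyPeerWsSecurity {

    // Signature parts exactly as posted in the thread.
    static final String SIGNATURE_PARTS =
        "{Element}{http://et.srv.gov.ca/}ES;"
        + "{Element}{http://ip.ebs.srv.gov.ca/}ID;"
        + "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
        + "{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body";

    static Map<String, Object> outboundProps(String user, CallbackHandler pw) {
        Map<String, Object> p = new HashMap<>();
        p.put(WSHandlerConstants.ACTION, "UsernameToken Timestamp Signature Encrypt");
        p.put(WSHandlerConstants.USER, user);
        p.put(WSHandlerConstants.SIGNATURE_USER, user);
        p.put(WSHandlerConstants.ENCRYPTION_USER, "service");              // assumed alias of the service cert
        p.put(WSHandlerConstants.PW_CALLBACK_REF, pw);
        p.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");  // assumed file name
        p.put(WSHandlerConstants.ENC_PROP_FILE, "client_enc.properties");   // assumed file name
        p.put(WSHandlerConstants.SIGNATURE_PARTS, SIGNATURE_PARTS);
        // Nothing is relaxed on the outbound side: the key the client sends stays RSA-OAEP (WSS4J's default).
        return p;
    }

    static Map<String, Object> inboundProps(CallbackHandler pw) {
        Map<String, Object> p = new HashMap<>();
        p.put(WSHandlerConstants.ACTION, "Timestamp Signature Encrypt");
        p.put(WSHandlerConstants.PW_CALLBACK_REF, pw);
        p.put(WSHandlerConstants.SIG_VER_PROP_FILE, "client_sign.properties"); // assumed file name
        p.put(WSHandlerConstants.DEC_PROP_FILE, "client_enc.properties");      // assumed file name
        // Workaround 1 from the thread: the response wraps the AES key with
        // http://www.w3.org/2001/04/xmlenc#rsa-1_5, which WSS4J 2.0 rejects by default.
        // PKCS#1 v1.5 key transport is exposed to Bleichenbacher-style padding-oracle
        // attacks, so enable it only for this endpoint and push the peer to RSA-OAEP.
        p.put(WSHandlerConstants.ALLOW_RSA15_KEY_TRANSPORT_ALGORITHM, "true");
        return p;
    }

    static void configure(Object port, String user) {
        CallbackHandler pw = (Callback[] callbacks) -> {
            for (Callback c : callbacks) {
                if (c instanceof WSPasswordCallback) {
                    ((WSPasswordCallback) c).setPassword("changeit"); // assumed key/UsernameToken password
                }
            }
        };
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(outboundProps(user, pw)));
        client.getInInterceptors().add(new WSS4JInInterceptor(inboundProps(pw)));
        // Workaround 2 from the thread: the service's CanonicalizationMethod has no
        // InclusiveNamespaces/PrefixList, so signature verification trips BSP R5406.
        // This switches off every BSP rule for this client, not only R5406, so keep it
        // scoped to this one proxy rather than setting it bus-wide.
        client.getRequestContext().put("ws-security.is-bsp-compliant", "false");
    }
}
```

Both settings widen what the inbound side accepts, so treat them as per-endpoint exceptions with a ticket against the service owner: the signed parts, the timestamp check and RSA-SHA256 signatures from the response above are still verified, only the RSA 1.5 rejection and the BSP rule set are relaxed. WSS4J's own API can ignore individual BSP rules (RequestData.setIgnoredBSPRules), which is narrower than disabling compliance outright; how to wire that through CXF is not covered in this thread.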
