By setting "allowMTOM" to "true", just bear in mind that the attachment is not signed or encrypted. CXF 3.0.0 will contain some improvements in this area - but we do not support signing or encrypting attachments in CXF 2.6/2.7, unless they are inlined.
Colm. On Mon, Apr 21, 2014 at 3:21 PM, Paul Avijit <[email protected]> wrote: > Thanks a ton Andrew. > > After setting the following in WSSJOutInterceptor, MTOM is working fine > with WS-Security. > > <property name="allowMTOM" value="true"/> > > > Regards > Paul > > > On Monday, April 21, 2014 10:02 AM, "Hart, Andrew B." <[email protected]> > wrote: > > I recalled seeing in an earlier version of WSS4JOutInterceptor that it > disabled MTOM. Looking at the most recent (in GrepCode) it looks like > they added a separate property for WSS4J. So , perhaps you need to make > sure that WSS4JOutInterceptor.mtomEnabled is set to true. It looks like if > it is enabled it will use MTOM, but the attachments are not inlined, so > they are not encrypted or signed. > > > -----Original Message----- > From: Paul Avijit [mailto:[email protected]] > Sent: Sunday, April 20, 2014 8:56 AM > To: [email protected] > Subject: MTOM + WS-Security > > Hi, > > I am trying to implement a Web Service which needs to give capability to > upload & download file using MTOM attachments (XOP). Also it needs to be > secured with WS-Security(X.509 & Username Token). > > MOTM works fine without WS-Security. WS-Security works fine for Web > Service operations which do not have file upload/download feature. With > WS-Security enabled, the MTOM attachment becomes a inline file instead of a > MTOM attachment using XOP, and I get the following error: > > > Apr 19, 2014 8:53:43 AM > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage > WARNING: > org.apache.ws.security.WSSecurityException: The signature or decryption > was invalid at > org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450) > at > org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231) > at > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) > at > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:281) > at > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:100) > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) > at > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122) > at > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:233) > at > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:209) > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:189) > at > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129) > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:223) > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:143) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:199) > at > weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) > at > weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) > at > weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300) > at > weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183) > at > weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3717) > at > weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681) > at > weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) > at > weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) > at > weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277) > at > weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183) > at > weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454) > at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209) > at weblogic.work.ExecuteThread.run(ExecuteThread.java:178) > Apr 19, 2014 8:53:43 AM org.apache.cxf.phase.PhaseInterceptorChain > doDefaultLogging > WARNING: Interceptor for { > http://www.caqh.org/SOAP/WSDL/}Core#{http://www.caqh.org/SOAP/WSDL/}BatchSubmitTransactionhas > thrown exception, unwinding now > org.apache.cxf.binding.soap.SoapFault: The signature or decryption was > invalid at > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:764) > at > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:329) > at > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:100) > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) > at > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122) > at > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:233) > at > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:209) > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:189) > at > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129) > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:223) > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:143) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:727) > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:199) > at > weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227) > at > weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125) > at > weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300) > at > weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:183) > at > weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3717) > at > weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681) > at > weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) > at > weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120) > at > weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277) > at > weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183) > at > weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454) > at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209) > at weblogic.work.ExecuteThread.run(ExecuteThread.java:178) > Caused by: org.apache.ws.security.WSSecurityException: The signature or > decryption was invalid at > org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450) > at > org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231) > at > org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) > at > org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:281) > ... 24 more > Apr 19, 2014 8:53:43 AM > org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal > handleMessage > INFO: class > org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml > > > > After searching the CXF mailing list, I saw a messages related to this > issue but no solution. Is this issue fixed in CXF or will it be fixed in > soon. Please let me know. Thanks in advance for the help to CXF experts in > this mailing list. > > > Regards > Paul > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
