Hi All,

I am migrating from Axis2 Web Services to Apache CXF. In Axis2, I had configured security using Rampart, with the following policy settings:

    <wsp:Policy wsu:Id="SigEncr"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:InitiatorToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:RequireKeyIdentifierReference />
                      <sp:WssX509V3Token10 />
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:InitiatorToken>
              <sp:RecipientToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                    <wsp:Policy>
                      <sp:RequireKeyIdentifierReference />
                      <sp:WssX509V3Token10 />
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:RecipientToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:TripleDesRsa15 />
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Strict />
                </wsp:Policy>
              </sp:Layout>
              <sp:IncludeTimestamp />
              <sp:OnlySignEntireHeadersAndBody />
            </wsp:Policy>
          </sp:AsymmetricBinding>
          <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
              <sp:MustSupportRefKeyIdentifier />
              <sp:MustSupportRefIssuerSerial />
            </wsp:Policy>
          </sp:Wss10>
          <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Body />
          </sp:SignedParts>
          <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <sp:Body />
          </sp:EncryptedParts>
          <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
            <ramp:user>service</ramp:user>
            <ramp:encryptionUser>client</ramp:encryptionUser>
            <ramp:passwordCallbackClass>com.test.webservice.PWCBHandler</ramp:passwordCallbackClass>
            <ramp:signatureCrypto>
              <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
              </ramp:crypto>
            </ramp:signatureCrypto>
            <ramp:encryptionCypto>
              <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
                <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
              </ramp:crypto>
            </ramp:encryptionCypto>
          </ramp:RampartConfig>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>

In Apache CXF, I am trying to configure the security following the steps below:

1. I have created a ws-policy.xml file and placed it under the WEB-INF/classes folder. I am providing this policy file to the service class using the @Policies annotation.

Ex:

    @Policy(uri = "ws-policy.xml")
    @WebService(targetNamespace = "http://webservice.test.com", name = "WSServicePortType")
    public class WSService {
        // Service method goes here.
    }

The contents of ws-policy.xml are as follows:

    <wsp:Policy
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:RequireIssuerSerialReference />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:RequireIssuerSerialReference />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDesRsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body />
      </sp:SignedParts>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body />
      </sp:EncryptedParts>
    </wsp:Policy>

2. To configure WSS4J, I am using the following snippet in cxf-servlet.xml:

    <jaxws:endpoint address="/WSService">
      <jaxws:implementor>
        <bean id="WSService" class="com.test.webservice.WSService" />
      </jaxws:implementor>
      <jaxws:inInterceptors>
        <ref bean="wss4jInConfiguration" />
        <bean class="com.test.webservice.AuthHandler">
        </bean>
      </jaxws:inInterceptors>
      <jaxws:outInterceptors>
        <ref bean="wss4jOutConfiguration" />
        <bean class="com.test.webservice.LogHandler">
        </bean>
      </jaxws:outInterceptors>
      <jaxws:properties>
        <entry key="ws-security.is-bsp-compliant" value="false" />
      </jaxws:properties>
    </jaxws:endpoint>

    <bean id="wss4jInConfiguration" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
      <constructor-arg>
        <map>
          <entry key="action" value="Signature Encrypt Timestamp" />
          <entry key="signaturePropFile" value="service.properties" />
          <entry key="decryptionPropFile" value="service.properties" />
          <entry key="encryptionPropFile" value="service.properties" />
          <entry key="passwordCallbackClass" value="com.test.webservice.PWCBHandler" />
        </map>
      </constructor-arg>
    </bean>

    <bean id="wss4jOutConfiguration" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
      <constructor-arg>
        <map>
          <entry key="action" value="Timestamp Signature Encrypt" />
          <entry key="passwordCallbackClass" value="com.test.webservice.PWCBHandler" />
          <entry key="signaturePropFile" value="service.properties" />
          <entry key="encryptionPropFile" value="service.properties" />
          <entry key="decryptionPropFile" value="service.properties" />
        </map>
      </constructor-arg>
    </bean>

service.properties is also present in the WEB-INF/classes folder. Its contents are as below:

    org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    org.apache.ws.security.crypto.merlin.keystore.type=jks
    org.apache.ws.security.crypto.merlin.keystore.password=password
    org.apache.ws.security.crypto.merlin.file=service.jks

Using the above configuration, I am getting the exception below when I try to access the web service through a client which is configured with the same security settings I used while I was on Axis2:

    20:49:21,744 WARN [ws.security.wss4j.WSS4JInInterceptor ] - org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
    20:49:21,745 WARN [apache.cxf.phase.PhaseInterceptorChain ] - Interceptor for {http://webservice.test.com}WSAmandaSecurityServiceService#{http://webservice.test.com}authenticateUser has thrown exception, unwinding now
    org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:850)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:327)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
    Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
        ... 28 test

Can anyone help me identify if I am missing anything while configuring WSS4J in Apache CXF, so that I can use the same client to access the CXF web service?

Thanks for your time and help.

Regards,
Puneet.
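The post references a com.test.webservice.PWCBHandler but does not show it, and it configures only the server side of the WSS4J exchange. The following is an added example, not code from the original post or from the CXF project: a WSS4J password callback that hands out private-key passwords only for known aliases and only for signing/decryption, plus a CXF client that programmatically mirrors the posted server-side interceptor settings (Timestamp, Signature, Encrypt with the TripleDesRsa15 suite). Everything not in the post is an assumption: the file client.properties and keystore client.jks holding the client's private key under alias "client" and the service's certificate under alias "service", the endpoint URL, and that WSServicePortType is the JAX-WS interface generated from the service WSDL. It targets CXF 2.x with WSS4J 1.x, the package layout (org.apache.ws.security) visible in the posted stack trace.

```java
package com.test.webservice;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSPasswordCallback;
import org.apache.ws.security.handler.WSHandlerConstants;

/**
 * WSS4J password callback. WSS4J asks it for the private-key password of the
 * alias it is about to sign with (usage SIGNATURE) or decrypt with (usage
 * DECRYPT). Anything else is refused rather than answered with null.
 */
public class PWCBHandler implements CallbackHandler {
    // Assumed demo passwords for the two key aliases used in the post.
    // In production, read these from protected configuration, not source.
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<String, String>();
    static {
        KEY_PASSWORDS.put("service", "password");
        KEY_PASSWORDS.put("client", "password");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            int usage = pc.getUsage();
            if (usage != WSPasswordCallback.SIGNATURE && usage != WSPasswordCallback.DECRYPT) {
                throw new UnsupportedCallbackException(cb, "unsupported usage " + usage);
            }
            String pw = KEY_PASSWORDS.get(pc.getIdentifier());
            if (pw == null) {
                throw new IOException("no key password configured for alias '" + pc.getIdentifier() + "'");
            }
            pc.setPassword(pw);
        }
    }
}

/** Builds a CXF client whose WS-Security settings match the posted server config. */
class SecureClientFactory {
    // Assumed: client.properties points Merlin at client.jks (same keys as service.properties).
    private static final String CRYPTO_PROPS = "client.properties";

    static Map<String, Object> outProps() {
        Map<String, Object> p = new HashMap<String, Object>();
        p.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " "
                + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
        p.put(WSHandlerConstants.USER, "client");             // alias whose private key signs
        p.put(WSHandlerConstants.ENCRYPTION_USER, "service"); // alias whose cert wraps the session key
        p.put(WSHandlerConstants.PW_CALLBACK_CLASS, PWCBHandler.class.getName());
        p.put(WSHandlerConstants.SIG_PROP_FILE, CRYPTO_PROPS);
        p.put(WSHandlerConstants.ENC_PROP_FILE, CRYPTO_PROPS);
        p.put(WSHandlerConstants.SIG_KEY_ID, "IssuerSerial"); // matches RequireIssuerSerialReference
        p.put(WSHandlerConstants.ENC_KEY_ID, "IssuerSerial");
        // TripleDesRsa15 = 3DES + RSA PKCS#1 v1.5 key transport, kept here only to
        // interoperate with the posted policy. Both are weak; move to
        // WSConstants.AES_128 / WSConstants.KEYTRANSPORT_RSAOEP when both ends allow it.
        p.put(WSHandlerConstants.ENC_SYM_ALGO, WSConstants.TRIPLE_DES);
        p.put(WSHandlerConstants.ENC_KEY_TRANSPORT, WSConstants.KEYTRANSPORT_RSA15);
        return p;
    }

    static Map<String, Object> inProps() {
        Map<String, Object> p = new HashMap<String, Object>();
        // Verify the service's signature and decrypt the response with the client key.
        p.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP + " "
                + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
        p.put(WSHandlerConstants.PW_CALLBACK_CLASS, PWCBHandler.class.getName());
        p.put(WSHandlerConstants.SIG_PROP_FILE, CRYPTO_PROPS);
        p.put(WSHandlerConstants.DEC_PROP_FILE, CRYPTO_PROPS);
        return p;
    }

    static <T> T secureProxy(Class<T> portType, String address) {
        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setServiceClass(portType);
        factory.setAddress(address);
        T port = factory.create(portType);
        Client client = ClientProxy.getClient(port);
        client.getOutInterceptors().add(new WSS4JOutInterceptor(outProps()));
        client.getInInterceptors().add(new WSS4JInInterceptor(inProps()));
        return port;
    }

    // Usage (assumed URL and generated interface):
    // WSServicePortType svc = secureProxy(WSServicePortType.class, "http://localhost:8080/app/WSService");
}
```

Two checks worth making before debugging the signature failure itself: with an asymmetric binding the server's keystore (service.jks) must contain the client's certificate so Merlin can resolve the IssuerSerial or KeyIdentifier reference and verify the signature, and the client's keystore must contain the service's certificate for encryption; keytool -list -v on both stores shows which aliases are present. The callback above also makes misconfiguration loud: an unknown alias or an unexpected usage fails the call instead of returning a null password.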
