Hi,

You are mixing up the two different ways of configuring WS-Security in CXF. The "action" based approach involves defining WSS4JOutInterceptor + WSS4JInInterceptors + explicitly adding them to the interceptor chain. However, when you have a security policy, you don't need to do any of this, as CXF will take care of configuring WSS4J for you. In this case, you just need to define some JAX-WS properties (keystores etc.). For example, see the following test configuration:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob_plain;f=systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/x509/client/client.xml;hb=refs/heads/2.7.x-fixes

e.g.

<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItAsymmetricSignEncryptPort" createdFromAPI="true">
    <jaxws:properties>
        <entry key="ws-security.callback-handler" value="org.apache.cxf.systest.wssec.examples.common.CommonPasswordCallback"/>
        <entry key="ws-security.encryption.properties" value="bob.properties"/>
        <entry key="ws-security.encryption.username" value="bob"/>
        <entry key="ws-security.signature.properties" value="alice.properties"/>
        <entry key="ws-security.signature.username" value="alice"/>
    </jaxws:properties>
</jaxws:client>

Colm.

On Sat, Jul 19, 2014 at 4:38 PM, Puneet Gupta <[email protected]> wrote:
> Hi All,
>
> I am migrating from Axis2 Web Services to Apache CXF. In axis2, I had
> configured security using Rampart, and I have configured it using the following
> policy settings:
>
> <wsp:Policy wsu:Id="SigEncr"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:InitiatorToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireKeyIdentifierReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:InitiatorToken>
>           <sp:RecipientToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireKeyIdentifierReference />
>                   <sp:WssX509V3Token10 />
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:RecipientToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:TripleDesRsa15 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>           <sp:OnlySignEntireHeadersAndBody />
>         </wsp:Policy>
>       </sp:AsymmetricBinding>
>       <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier />
>           <sp:MustSupportRefIssuerSerial />
>         </wsp:Policy>
>       </sp:Wss10>
>       <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body />
>       </sp:SignedParts>
>       <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <sp:Body />
>       </sp:EncryptedParts>
>
>       <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
>         <ramp:user>service</ramp:user>
>         <ramp:encryptionUser>client</ramp:encryptionUser>
>         <ramp:passwordCallbackClass>com.test.webservice.PWCBHandler</ramp:passwordCallbackClass>
>         <ramp:signatureCrypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
>           </ramp:crypto>
>         </ramp:signatureCrypto>
>         <ramp:encryptionCypto>
>           <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
>             <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
>           </ramp:crypto>
>         </ramp:encryptionCypto>
>       </ramp:RampartConfig>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> In Apache CXF, I am trying to configure the security following the steps below:
>
> 1. I have created a ws-policy.xml file and placed it under the WEB-INF/classes
> folder. I am providing this policy file to the service class using the @Policies
> annotation. Ex:
>
> @Policy(uri = "ws-policy.xml")
> @WebService(targetNamespace = "http://webservice.test.com", name = "WSServicePortType")
> public class WSService {
>     //Service method goes here.
> }
>
> The contents of ws-policy.xml are as follows:
>
> <wsp:Policy
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>
>   <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>     <wsp:Policy>
>       <sp:InitiatorToken>
>         <wsp:Policy>
>           <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:RequireIssuerSerialReference />
>             </wsp:Policy>
>           </sp:X509Token>
>         </wsp:Policy>
>       </sp:InitiatorToken>
>       <sp:RecipientToken>
>         <wsp:Policy>
>           <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:RequireIssuerSerialReference />
>             </wsp:Policy>
>           </sp:X509Token>
>         </wsp:Policy>
>       </sp:RecipientToken>
>       <sp:AlgorithmSuite>
>         <wsp:Policy>
>           <sp:TripleDesRsa15 />
>         </wsp:Policy>
>       </sp:AlgorithmSuite>
>       <sp:Layout>
>         <wsp:Policy>
>           <sp:Strict />
>         </wsp:Policy>
>       </sp:Layout>
>     </wsp:Policy>
>   </sp:AsymmetricBinding>
>
>   <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>     <wsp:Policy>
>       <sp:MustSupportRefKeyIdentifier />
>       <sp:MustSupportRefIssuerSerial />
>     </wsp:Policy>
>   </sp:Wss10>
>   <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>     <sp:Body />
>   </sp:SignedParts>
>   <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>     <sp:Body />
>   </sp:EncryptedParts>
> </wsp:Policy>
>
> 2. To configure WSS4J, I am using the following snippet in cxf-servlet.xml:
>
> <jaxws:endpoint address="/WSService">
>   <jaxws:implementor>
>     <bean id="WSService" class="com.test.webservice.WSService" />
>   </jaxws:implementor>
>   <jaxws:inInterceptors>
>     <ref bean="wss4jInConfiguration" />
>     <bean class="com.test.webservice.AuthHandler">
>     </bean>
>   </jaxws:inInterceptors>
>   <jaxws:outInterceptors>
>     <ref bean="wss4jOutConfiguration" />
>     <bean class="com.test.webservice.LogHandler">
>     </bean>
>   </jaxws:outInterceptors>
>   <jaxws:properties>
>     <entry key="ws-security.is-bsp-compliant" value="false" />
>   </jaxws:properties>
> </jaxws:endpoint>
>
> <bean id="wss4jInConfiguration" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>   <constructor-arg>
>     <map>
>       <entry key="action" value="Signature Encrypt Timestamp" />
>       <entry key="signaturePropFile" value="service.properties" />
>       <entry key="decryptionPropFile" value="service.properties" />
>       <entry key="encryptionPropFile" value="service.properties" />
>       <entry key="passwordCallbackClass" value="com.test.webservice.PWCBHandler" />
>     </map>
>   </constructor-arg>
> </bean>
>
> <bean id="wss4jOutConfiguration" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>   <constructor-arg>
>     <map>
>       <entry key="action" value="Timestamp Signature Encrypt" />
>       <entry key="passwordCallbackClass" value="com.test.webservice.PWCBHandler" />
>       <entry key="signaturePropFile" value="service.properties" />
>       <entry key="encryptionPropFile" value="service.properties" />
>       <entry key="decryptionPropFile" value="service.properties" />
>     </map>
>   </constructor-arg>
> </bean>
>
> service.properties is also present in the WEB-INF/classes folder. Its contents
> are as below:
>
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.password=password
> org.apache.ws.security.crypto.merlin.file=service.jks
>
> Using the above configuration, I am getting the exception mentioned below when I
> try to access the web service through a client which is configured using the same
> security settings that I used while I was on axis2:
>
> 20:49:21,744 WARN [ws.security.wss4j.WSS4JInInterceptor ] - org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at java.lang.Thread.run(Unknown Source)
> 20:49:21,745 WARN [apache.cxf.phase.PhaseInterceptorChain ] - Interceptor for {http://webservice.test.com}WSAmandaSecurityServiceService#{http://webservice.test.com}authenticateUser has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:850)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:327)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at java.lang.Thread.run(Unknown Source)
> Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
>     ... 28 test
>
> Can anyone help me identify if I am missing anything while configuring
> WSS4J in apache cxf, so that I can use the same client to access the cxf web
> service?
>
> Thanks for your time and help.
>
> Regards, Puneet.

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
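Colm's advice applied to the cxf-servlet.xml endpoint from the question, as an added example that is not part of the thread or of CXF's own test code: the two WSS4J interceptor beans are removed and the policy engine is driven by the ws-security.* JAX-WS properties instead. The alias "service" is assumed from the Rampart config's <ramp:user> element, and the rest of cxf-servlet.xml (namespace declarations, other beans) is assumed unchanged and omitted here.

```xml
<!-- Policy-based WS-Security endpoint. No WSS4JInInterceptor /
     WSS4JOutInterceptor: the @Policy(uri = "ws-policy.xml") annotation on
     WSService lets CXF configure WSS4J from the AsymmetricBinding policy. -->
<jaxws:endpoint id="WSService" address="/WSService"
                implementor="com.test.webservice.WSService">

  <jaxws:properties>
    <!-- Callback that supplies the private-key password to WSS4J
         (same class the action-based config passed as passwordCallbackClass) -->
    <entry key="ws-security.callback-handler"
           value="com.test.webservice.PWCBHandler"/>

    <!-- Merlin crypto properties: the existing service.properties in
         WEB-INF/classes, used for both signature and decryption/encryption -->
    <entry key="ws-security.signature.properties" value="service.properties"/>
    <entry key="ws-security.encryption.properties" value="service.properties"/>

    <!-- Alias of the key that signs responses; "service" is assumed from the
         Rampart config's <ramp:user>service</ramp:user> -->
    <entry key="ws-security.signature.username" value="service"/>

    <!-- Encrypt the response to whichever certificate signed the request;
         useReqSigCert is the CXF-defined value for this on the service side,
         so no fixed client alias has to be hard-coded -->
    <entry key="ws-security.encryption.username" value="useReqSigCert"/>
  </jaxws:properties>

  <!-- The application's own interceptors from the original config can stay;
       only the wss4jInConfiguration / wss4jOutConfiguration refs are dropped -->
  <jaxws:inInterceptors>
    <bean class="com.test.webservice.AuthHandler"/>
  </jaxws:inInterceptors>
  <jaxws:outInterceptors>
    <bean class="com.test.webservice.LogHandler"/>
  </jaxws:outInterceptors>
</jaxws:endpoint>
```

With this layout the required actions (timestamp, signature, encryption, signed/encrypted parts) come from ws-policy.xml rather than from an "action" string, so the policy file is the single place to check when the client and service disagree on what must be signed or encrypted.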
