Hi,

Signature + MTOM does not work in CXF at the moment. I plan on revisiting this soon, possibly next month. Right now, if an attachment is referenced via xop:Include in the SOAP Body for example, a CXF client will only sign the SOAP Body "as is", and not dereference the attachment. Therefore you are not actually signing the attachment at all. If you want to support attachment signing, then you need to add the sp:Attachment policy to sp:SignedParts, but disable MTOM.

The reason that you are seeing a failure with CXF 3.0.6 is due to an enhancement to support inlining BASE-64 content in attachments. By default, WSS4J automatically expands an xop:Include element, to make sure that the content is signed, and not just the reference. I'll probably address this as part of the MTOM work. In the meantime, you can change this if you really need to, by specifying "<entry key="expandXOPIncludeForSignature" value="false"/>" on the server side.

Colm.

On Mon, Nov 7, 2016 at 8:12 PM, hammadk <[email protected]> wrote:

> Hi,
> We are trying to get MTOM and WS-Security working together using CXF. Both
> client and service are using cxf 3.0.6.
>
> The data that needs to be sent as attachment has the
> "application/octet-stream" expectedContentTypes in the wsdl:
>
> <xs:complexType name="StoreData">
>   <xs:sequence>
>     <xs:element name="storeID" type="xs:long"/>
>     <xs:element minOccurs="0" name="dataFileName" type="xs:string"/>
>     <xs:element minOccurs="0" name="data" type="xs:base64Binary"
>                 xmime:expectedContentTypes="application/octet-stream"/>
>     <xs:element name="dataLen" type="xs:long"/>
>   </xs:sequence>
> </xs:complexType>
>
> And we enable mtom for both client and service in the spring config using:
>
> <jaxws:properties>
>   <entry key="mtom-enabled" value="true"/>
>   ...
> </jaxws:properties>
>
> in the jaxws:client and jaxws:endpoint respectively.
>
> The binding policy we are using in our wsdl is:
>
> <wsp:Policy wsu:Id="ServiceSoapBindingPolicy"
>     xmlns:wsp="http://www.w3.org/ns/ws-policy"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>     xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>     xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>     xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <wsap10:UsingAddressing/>
>       <sp:SymmetricBinding>
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys/>
>                   <sp:RequireThumbprintReference/>
>                   <sp:WssX509V3Token10/>
>                 </wsp:Policy>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp/>
>           <sp:EncryptSignature/>
>           <sp:OnlySignEntireHeadersAndBody/>
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>       <sp:EndorsingSupportingTokens>
>         <wsp:Policy>
>           <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <sp:Issuer>
>               <wsaw:Address>http://localhost:8080/DefaultSTS/DefaultSTS/DefaultSTSService</wsaw:Address>
>             </sp:Issuer>
>             <sp:RequestSecurityTokenTemplate>
>               <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
>               <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
>               <t:KeySize>256</t:KeySize>
>               <t:Claims xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
>                         Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
>                 <ic:ClaimType Uri="http://schemas.merge.com/icc/claims/storagespace" Optional="true"/>
>               </t:Claims>
>               <wsp:AppliesTo>
>                 <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
>                   <Address>urn:merge:icc:services:all</Address>
>                 </EndpointReference>
>               </wsp:AppliesTo>
>             </sp:RequestSecurityTokenTemplate>
>             <wsp:Policy>
>               <sp:RequireDerivedKeys/>
>               <sp:RequireInternalReference/>
>             </wsp:Policy>
>           </sp:IssuedToken>
>         </wsp:Policy>
>       </sp:EndorsingSupportingTokens>
>       <sp:Wss11>
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier/>
>           <sp:MustSupportRefIssuerSerial/>
>           <sp:MustSupportRefThumbprint/>
>           <sp:MustSupportRefEncryptedKey/>
>           <sp:RequireSignatureConfirmation/>
>         </wsp:Policy>
>       </sp:Wss11>
>       <sp:Trust13>
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens/>
>           <sp:RequireClientEntropy/>
>           <sp:RequireServerEntropy/>
>         </wsp:Policy>
>       </sp:Trust13>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> <wsp:Policy wsu:Id="ServicePortBinding_Input_Policy"
>     xmlns:wsp="http://www.w3.org/ns/ws-policy"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>     xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>     xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>     xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:EncryptedParts>
>         <sp:Body/>
>       </sp:EncryptedParts>
>       <sp:SignedParts>
>         <sp:Body/>
>         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
>         <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>         <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>         <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>         <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
>       </sp:SignedParts>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> With these settings we get the following exception on the receiving side (in
> our case the service - since we are trying to "upload" data):
>
> WARNING: Interceptor for {http://merge.com/icc/services/test/largedatatransfer/}LargeDataTransfer#{http://merge.com/icc/services/test/largedatatransfer/}Store has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
>     at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:270)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:333)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:127)
>     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>     at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>     at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
>     at org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
>     at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:224)
>     at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
>     ... 34 more
>
> Some options we tried and the conclusion from these options:
>
> 1) The exact settings mentioned above work fine with cxf 3.0.5 but not for
> 3.0.6 - 3.0.11. We have not tried 3.1.x.
>
> 2) In cxf 3.0.6, adding <sp:Attachment/> to the <sp:SignedParts> element does not
> help; we still get the same exception.
>
> 3) In cxf 3.0.6, if we remove <sp:Body/> from the <sp:SignedParts> element
> then it works fine.
>
> Any pointers on what is going on here and how to fix it will be greatly
> appreciated.
>
> Thanks.
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-3-0-6-MTOM-WS-Security-Exception-tp5774657.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
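The two ways out of this that the reply above describes, written up as an added server-side configuration example; it is not code from the thread or from the CXF project. Endpoint A keeps the attachment bytes inside the signature by switching MTOM off and listing attachments in sp:SignedParts (the element name in WS-SecurityPolicy 1.2 is sp:Attachments, which is what the thread calls sp:Attachment). Endpoint B keeps MTOM on and sets the expandXOPIncludeForSignature property the reply mentions, which restores the pre-3.0.6 behaviour of signing only the xop:Include reference, so the attachment content itself is not covered by the signature. The bean id, implementor class, address and WSDL path are assumed placeholders; the ws-security.* callback and crypto properties of the original deployment are left out.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): CXF 3.0.x Spring configuration for the
     service side. Bean ids, implementor, address and wsdlLocation are placeholders. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://cxf.apache.org/jaxws
                           http://cxf.apache.org/schemas/jaxws.xsd">

  <import resource="classpath:META-INF/cxf/cxf.xml"/>

  <!-- Endpoint A: attachments are signed, MTOM is off.
       The WSDL policy for this endpoint keeps the SignedParts from the thread and adds
       <sp:Attachments/> next to <sp:Body/>, e.g.
         <sp:SignedParts>
           <sp:Body/>
           <sp:Attachments/>
           ... the sp:Header entries from the thread ...
         </sp:SignedParts>
       With MTOM off, the base64Binary element is sent inline and is part of the signed
       Body, and SwA attachments (if any) are covered by sp:Attachments. -->
  <jaxws:endpoint id="largeDataTransferSignedAttachments"
                  implementor="com.example.LargeDataTransferImpl"
                  address="/LargeDataTransfer"
                  wsdlLocation="classpath:LargeDataTransfer.wsdl">
    <jaxws:properties>
      <!-- corrected setting: no xop:Include references, so nothing is signed "by reference" -->
      <entry key="mtom-enabled" value="false"/>
      <!-- ws-security.* callback-handler / signature / encryption properties go here -->
    </jaxws:properties>
  </jaxws:endpoint>

  <!-- Endpoint B: interim workaround from the reply. MTOM stays on and WSS4J is told
       not to expand xop:Include before verifying the signature, which matches what a
       3.0.6 client signs. Trade-off: only the xop:Include reference in the Body is
       integrity-protected; the attachment bytes are outside the signature, so the
       service must not treat the payload as authenticated data. -->
  <jaxws:endpoint id="largeDataTransferMtomWorkaround"
                  implementor="com.example.LargeDataTransferImpl"
                  address="/LargeDataTransferMtom"
                  wsdlLocation="classpath:LargeDataTransfer.wsdl">
    <jaxws:properties>
      <entry key="mtom-enabled" value="true"/>
      <!-- weak setting: reverts WSS4J to signing/verifying the reference only -->
      <entry key="expandXOPIncludeForSignature" value="false"/>
      <!-- ws-security.* callback-handler / signature / encryption properties go here -->
    </jaxws:properties>
  </jaxws:endpoint>

</beans>
```

Deploy only one of the two endpoints in practice; they are side by side here so the weak and the corrected settings can be compared. Endpoint A is the one a reviewer should accept when the attachment content matters, since it is the only configuration in the thread under which the signature verification failure ("The signature or decryption was invalid") disappears without giving up integrity protection of the data.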
