On 01/17/2017 05:47 PM, Colm O hEigeartaigh wrote:
> On Mon, Jan 16, 2017 at 10:05 PM, martijn.list <[email protected]>
> wrote:
>
>>
>>
>> Is this reported somewhere?
>>
>
> No, not yet. Not sure yet whether it's a bug in CXF or WSS4J.
>
>
>>
>>> For a workaround, you can just use the DOM WSS4JInInterceptor instead.
>>
>> Changing it to org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor did
>> not solve the issue. I get the same error.
>>
>
> It works for me. What stacktrace do you see on the server side?

I get the same error and a more or less similar stack trace:

19 Jan 2017 10:29:23 | WARN Security processing failed (actions mismatch) (org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor) [defaultEventExecutorGroup-6-1]
19 Jan 2017 10:29:23 | WARN Interceptor for {http://ws.djigzo.com}Users has thrown exception, unwinding now (org.apache.cxf.phase.PhaseInterceptorChain) [defaultEventExecutorGroup-6-1]
org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
    at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:275)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:333)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:96)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:252)
    at org.apache.cxf.transport.http.netty.server.NettyHttpDestination.doService(NettyHttpDestination.java:174)
    at org.apache.cxf.transport.http.netty.server.NettyHttpHandler.handle(NettyHttpHandler.java:64)
    at org.apache.cxf.transport.http.netty.server.NettyHttpContextHandler.handle(NettyHttpContextHandler.java:83)
    at org.apache.cxf.transport.http.netty.server.NettyHttpServletHandler.handleHttpServletRequest(NettyHttpServletHandler.java:135)
    at org.apache.cxf.transport.http.netty.server.NettyHttpServletHandler.channelRead(NettyHttpServletHandler.java:110)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:292)
    at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:32)
    at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:283)
    at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:36)
    at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)
    at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JInInterceptor.java:380)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:317)

Kind regards,
Martijn Brinkers

>>> On Sat, Jan 14, 2017 at 9:20 AM, martijn.list <[email protected]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I have CXF configured server side with spring and enabled UsernameToken
>>>> authentication:
>>>>
>>>> <bean id="publicWebServicePasswordInterceptor"
>>>>       class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
>>>>   <constructor-arg>
>>>>     <map>
>>>>       <entry key="action" value="UsernameToken" />
>>>>       <entry key="passwordType" value="PasswordText" />
>>>>       <entry key="passwordCallbackRef">
>>>>         <ref bean="publicWebServicePasswordHandler"/>
>>>>       </entry>
>>>>     </map>
>>>>   </constructor-arg>
>>>> </bean>
>>>>
>>>> <jaxws:inInterceptors>
>>>>   <ref bean="publicWebServicePasswordInterceptor"/>
>>>> </jaxws:inInterceptors>
>>>>
>>>> This works when the SOAP client is created with CXF. However when I use
>>>> SoapUI to test the web service I always get the following error in the
>>>> SOAP server:
>>>>
>>>> "Security processing failed (actions mismatch)"
>>>>
>>>> With some debugging I noticed that the "incomingSecurityEventList" is
>>>> empty when
>>>>
>>>> From StaxActionInInterceptor:
>>>>
>>>> public void handleMessage(SoapMessage soapMessage)
>>>> {
>>>> [SNIP]
>>>> ...
>>>> List<SecurityEvent> incomingSecurityEventList =
>>>> (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
>>>> ...
>>>>
>>>> This is why a few lines later a SoapFault exception is thrown because
>>>> the incomingSecurityEventList should not be empty.
>>>>
>>>> If I use the CXF SOAP client (which works), the
>>>> incomingSecurityEventList contains the following object:
>>>>
>>>> org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
>>>>
>>>> It might be that the SOAP call from SoapUI is incorrect or that
>>>> something is missing but I have not figured out why this is not working.
>>>>
>>>> I hope someone can tell me what's not correct with the SOAP call from
>>>> SoapUI:
>>>>
>>>> SOAP call from SoapUI (from tcpdump):
>>>>
>>>> POST /usersws HTTP/1.1
>>>> Content-Type: text/xml;charset=UTF-8
>>>> SOAPAction: ""
>>>> Content-Length: 829
>>>> Host: 127.0.0.1:9009
>>>> Connection: Keep-Alive
>>>> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
>>>>
>>>> <soapenv:Envelope
>>>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>>>> xmlns:ws="http://ws.djigzo.application.mitm/">
>>>> <soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
>>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
>>>> wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965395"><wsse:Username>admin</wsse:Username><wsse:Password
>>>> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
>>>> <soapenv:Body>
>>>> <ws:isUser>
>>>> <!--Optional:-->
>>>> <email>?</email>
>>>> </ws:isUser>
>>>> </soapenv:Body>
>>>> </soapenv:Envelope>
>>>>
>>>> I have tested it with CXF 3.0.9 and with 3.0.12
>>>>
>>>> Any idea why this is not working?
>>>>
>>>> Kind regards,
>>>>
>>>> Martijn Brinkers
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> CipherMail email encryption
>>
>> Email encryption with support for S/MIME, OpenPGP, PDF encryption and
>> secure webmail pull.
>>
>> https://www.ciphermail.com
>>
>> Twitter: http://twitter.com/CipherMail
>>
>
>
>
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
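
Added example, not part of the original thread and not CXF or WSS4J code: a small Python check that a captured request actually carries what the posted configuration (action=UsernameToken, passwordType=PasswordText) asks for, so the message itself can be ruled out before looking at the interceptor. The function name and the sample envelope (rebuilt from the SoapUI capture above, without the wsu:Id attribute) are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
PW_TEXT = OASIS + "username-token-profile-1.0#PasswordText"

# Constructed sample: the SoapUI request from the thread with the mail's line
# wrapping removed from the URIs and the wsu:Id attribute left out.
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}"
 xmlns:ws="http://ws.djigzo.application.mitm/">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}">
<wsse:UsernameToken><wsse:Username>admin</wsse:Username>
<wsse:Password Type="{PW_TEXT}">password</wsse:Password>
</wsse:UsernameToken></wsse:Security></soapenv:Header>
<soapenv:Body><ws:isUser><email>?</email></ws:isUser></soapenv:Body>
</soapenv:Envelope>"""


def audit_username_token(envelope, expected_type=PW_TEXT):
    """List reasons the request would not satisfy action=UsernameToken with
    passwordType=PasswordText; an empty list means the message looks right."""
    # ElementTree is fine for a capture you made yourself; it is not hardened
    # against hostile XML.
    root = ET.fromstring(envelope)
    header = root.find(f"{{{SOAP}}}Header")
    if header is None:
        return ["no SOAP 1.1 Header"]
    security = header.find(f"{{{WSSE}}}Security")
    if security is None:
        # Same local name in another namespace is not a WSS 1.0 header.
        return ["no Security header in the WSS 1.0 secext namespace"]
    findings = []
    tokens = security.findall(f"{{{WSSE}}}UsernameToken")
    if len(tokens) != 1:
        findings.append(f"expected 1 UsernameToken, found {len(tokens)}")
    for token in tokens:
        if not (token.findtext(f"{{{WSSE}}}Username") or "").strip():
            findings.append("empty or missing Username")
        password = token.find(f"{{{WSSE}}}Password")
        if password is None:
            findings.append("missing Password")
        elif password.get("Type") != expected_type:
            findings.append(f"Password Type is {password.get('Type')!r}")
    return findings


if __name__ == "__main__":
    print(audit_username_token(SAMPLE) or "request matches the configuration")
```

An empty result for a capture means the token, namespace and password type are what the configuration expects, which points the investigation at the server-side processing rather than at the client.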