Re: Getting "Security processing failed (actions mismatch)" with UsernameToken authentication and SoapUI

martijn.list Thu, 19 Jan 2017 01:45:02 -0800

On 01/19/2017 10:32 AM, martijn.list wrote:
> On 01/17/2017 05:47 PM, Colm O hEigeartaigh wrote:
>> On Mon, Jan 16, 2017 at 10:05 PM, martijn.list <martijn.l...@gmail.com>
>> wrote:
>>
>>>
>>>
>>> Is this reported somewhere?
>>>
>>
>> No, not yet. Not sure yet whether it's a bug in CXF or WSS4J.
>>
>>
>>>
>>>> For a workaround, you can just use the DOM WSS4JInInterceptor instead.
>>>
>>> Changing it to org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor did
>>> not solve the issue. I get the same error.
>>>
>>
>>  It works for me. What stacktrace do you see on the server side?


Sorry my bad. You are right. Replacing WSS4JStaxInInterceptor with
WSS4JInInterceptor actually works (in SoapUI it's not always clear where
to configure authentication).

Kind regards,

Martijn Brinkers


> I get the same error and a more or less similar stack trace:
> 
> 19 Jan 2017 10:29:23 | WARN  Security processing failed (actions
> mismatch)    (org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor)
> [defaultEventExecutorGroup-6-1]
> 19 Jan 2017 10:29:23 | WARN  Interceptor for {http://ws.djigzo.com}Users
> has thrown exception, unwinding now
> (org.apache.cxf.phase.PhaseInterceptorChain)
> [defaultEventExecutorGroup-6-1]
> org.apache.cxf.binding.soap.SoapFault: A security error was encountered
> when verifying the message
>       at
> org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:275)
>       at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:333)
>       at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
>       at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:96)
>       at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>       at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>       at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:252)
>       at
> org.apache.cxf.transport.http.netty.server.NettyHttpDestination.doService(NettyHttpDestination.java:174)
>       at
> org.apache.cxf.transport.http.netty.server.NettyHttpHandler.handle(NettyHttpHandler.java:64)
>       at
> org.apache.cxf.transport.http.netty.server.NettyHttpContextHandler.handle(NettyHttpContextHandler.java:83)
>       at
> org.apache.cxf.transport.http.netty.server.NettyHttpServletHandler.handleHttpServletRequest(NettyHttpServletHandler.java:135)
>       at
> org.apache.cxf.transport.http.netty.server.NettyHttpServletHandler.channelRead(NettyHttpServletHandler.java:110)
>       at
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:292)
>       at
> io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:32)
>       at
> io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:283)
>       at
> io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:36)
>       at
> io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)
>       at
> io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
>       at java.lang.Thread.run(Thread.java:745)
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was
> discovered processing the <wsse:Security> header
>       at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JInInterceptor.java:380)
>       at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:317)
> 
> Kind regards,
> 
> Martijn Brinkers
> 
> 
> 
> 
>>>> On Sat, Jan 14, 2017 at 9:20 AM, martijn.list <martijn.l...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I have CXF configured server side with spring and enabled UsernameToken
>>>>> authentication:
>>>>>
>>>>> <bean id="publicWebServicePasswordInterceptor"
>>>>>   class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
>>>>>   <constructor-arg>
>>>>>     <map>
>>>>>      <entry key="action" value="UsernameToken" />
>>>>>      <entry key="passwordType" value="PasswordText" />
>>>>>      <entry key="passwordCallbackRef">
>>>>>        <ref bean="publicWebServicePasswordHandler"/>
>>>>>      </entry>
>>>>>    </map>
>>>>>  </constructor-arg>
>>>>> </bean>
>>>>>
>>>>> <jaxws:inInterceptors>
>>>>>    <ref bean="publicWebServicePasswordInterceptor"/>
>>>>> </jaxws:inInterceptors>
>>>>>
>>>>> This works when the SOAP client is created with CXF. However when I use
>>>>> SoapUI to test the web service I always get the following error in the
>>>>> SOAP server:
>>>>>
>>>>> "Security processing failed (actions mismatch)"
>>>>>
>>>>> With some debugging I noticed that the "incomingSecurityEventList" is
>>>>> empty when
>>>>>
>>>>> From StaxActionInInterceptor:
>>>>>
>>>>> public void handleMessage(SoapMessage soapMessage)
>>>>> {
>>>>> [SNIP]
>>>>> ...
>>>>> List<SecurityEvent> incomingSecurityEventList =
>>>>> (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
>>>>> ...
>>>>>
>>>>> This is why a few lines later a SoapFault exception is thrown because
>>>>> the incomingSecurityEventList should not be empty.
>>>>>
>>>>> If I use the CXF SOAP client (which works), the
>>>>> incomingSecurityEventList contains the following object:
>>>>>
>>>>> org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
>>>>>
>>>>> It might be that the SOAP call from SoapUI is incorrect or that
>>>>> something is missing but I have not figured out why this is not working.
>>>>>
>>>>> I hope someone can tell me what's not correct with the SOAP call from
>>>>> SoapUI:
>>>>>
>>>>> SOAP call from SoapUI (from tcpdump):
>>>>>
>>>>> POST /usersws HTTP/1.1
>>>>>
>>>>> Content-Type: text/xml;charset=UTF-8
>>>>>
>>>>> SOAPAction: ""
>>>>>
>>>>> Content-Length: 829
>>>>>
>>>>> Host: 127.0.0.1:9009
>>>>>
>>>>> Connection: Keep-Alive
>>>>>
>>>>> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
>>>>>
>>>>>
>>>>>
>>>>> <soapenv:Envelope
>>>>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/";
>>>>> xmlns:ws="http://ws.djigzo.application.mitm/";>
>>>>>    <soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
>>>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-
>>>>> 200401-wss-wssecurity-secext-1.0.xsd"
>>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-
>>>>> 200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
>>>>> wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965
>>>>> 395"><wsse:Username>admin</wsse:Username><wsse:Password
>>>>> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-
>>>>> wss-username-token-profile-1.0#PasswordText">password</
>>>>> wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
>>>>>    <soapenv:Body>
>>>>>       <ws:isUser>
>>>>>          <!--Optional:-->
>>>>>          <email>?</email>
>>>>>       </ws:isUser>
>>>>>    </soapenv:Body>
>>>>> </soapenv:Envelope>
>>>>>
>>>>> I have tested it with CXF 3.0.9 and with 3.0.12
>>>>>
>>>>> Any idea why this is not working?
>>>>>
>>>>> Kind regards,
>>>>>
>>>>> Martijn Brinkers
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> CipherMail email encryption
>>>
>>> Email encryption with support for S/MIME, OpenPGP, PDF encryption and
>>> secure webmail pull.
>>>
>>> https://www.ciphermail.com
>>>
>>> Twitter: http://twitter.com/CipherMail
>>>
>>
>>
>>
> 
> 


-- 
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

https://www.ciphermail.com

Twitter: http://twitter.com/CipherMail

Re: Getting "Security processing failed (actions mismatch)" with UsernameToken authentication and SoapUI

Reply via email to