On 01/16/2017 03:32 PM, Colm O hEigeartaigh wrote:
> It's a bug...either in CXF or WSS4J. It manifests when there is whitespace
> between the SOAP Body tag and the first Element in the Body itself. For a
> workaround, you can just use the DOM WSS4JInInterceptor instead.

Enabling "strip whitespace" in SoapUI also works.

Kind regards,
Martijn Brinkers

>> I have CXF configured server side with spring and enabled UsernameToken
>> authentication:
>>
>> <bean id="publicWebServicePasswordInterceptor"
>> class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
>> <constructor-arg>
>> <map>
>> <entry key="action" value="UsernameToken" />
>> <entry key="passwordType" value="PasswordText" />
>> <entry key="passwordCallbackRef">
>> <ref bean="publicWebServicePasswordHandler"/>
>> </entry>
>> </map>
>> </constructor-arg>
>> </bean>
>>
>> <jaxws:inInterceptors>
>> <ref bean="publicWebServicePasswordInterceptor"/>
>> </jaxws:inInterceptors>
>>
>> This works when the SOAP client is created with CXF. However when I use
>> SoapUI to test the web service I always get the following error in the
>> SOAP server:
>>
>> "Security processing failed (actions mismatch)"
>>
>> With some debugging I noticed that the "incomingSecurityEventList" is
>> empty when
>>
>> From StaxActionInInterceptor:
>>
>> public void handleMessage(SoapMessage soapMessage)
>> {
>> [SNIP]
>> ...
>> List<SecurityEvent> incomingSecurityEventList =
>> (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
>> ...
>>
>> This is why a few lines later a SoapFault exception is thrown because
>> the incomingSecurityEventList should not be empty.
>>
>> If I use the CXF SOAP client (which works), the
>> incomingSecurityEventList contains the following object:
>>
>> org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
>>
>> It might be that the SOAP call from SoapUI is incorrect or that
>> something is missing but I have not figured out why this is not working.
>>
>> I hope someone can tell me what's not correct with the SOAP call from
>> SoapUI:
>>
>> SOAP call from SoapUI (from tcpdump):
>>
>> POST /usersws HTTP/1.1
>> Content-Type: text/xml;charset=UTF-8
>> SOAPAction: ""
>> Content-Length: 829
>> Host: 127.0.0.1:9009
>> Connection: Keep-Alive
>> User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
>>
>> <soapenv:Envelope
>> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>> xmlns:ws="http://ws.djigzo.application.mitm/">
>> <soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
>> wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965395"><wsse:Username>admin</wsse:Username><wsse:Password
>> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
>> <soapenv:Body>
>> <ws:isUser>
>> <!--Optional:-->
>> <email>?</email>
>> </ws:isUser>
>> </soapenv:Body>
>> </soapenv:Envelope>
>>
>> I have tested it with CXF 3.0.9 and with 3.0.12
>>
>> Any idea why this is not working?
>>
>> Kind regards,
>>
>> Martijn Brinkers
>>
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
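
The condition described in this thread (whitespace between the SOAP Body tag and the first element inside it), as a StAX reader reports it. This is an added example, not code from the thread, CXF or WSS4J: the class and method names are hypothetical, the two envelopes are constructed with the security header omitted, and it shows only what the parser emits for a captured request, not how the interceptor processes it.

```java
import java.io.StringReader;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Hypothetical helper for checking a captured request; not part of CXF or WSS4J.
public class BodyWhitespaceCheck {
    private static final String SOAP11_NS = "http://schemas.xmlsoap.org/soap/envelope/";

    /** True when whitespace-only text precedes the first child element of soapenv:Body. */
    static boolean hasWhitespaceBeforeFirstBodyChild(String envelope) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        // The envelope is request data: keep DTDs and external entities switched off.
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(envelope));
        boolean inBody = false;
        try {
            while (reader.hasNext()) {
                int event = reader.next();
                if (!inBody) {
                    inBody = event == XMLStreamConstants.START_ELEMENT
                            && SOAP11_NS.equals(reader.getNamespaceURI())
                            && "Body".equals(reader.getLocalName());
                } else if (event == XMLStreamConstants.SPACE
                        || (event == XMLStreamConstants.CHARACTERS && reader.isWhiteSpace())) {
                    return true;   // a whitespace event sits directly after <Body>
                } else if (event == XMLStreamConstants.START_ELEMENT
                        || event == XMLStreamConstants.END_ELEMENT) {
                    return false;  // first child (or </Body>) reached with nothing before it
                }
            }
            return false;          // no SOAP 1.1 Body element found
        } finally {
            reader.close();
        }
    }

    public static void main(String[] args) throws XMLStreamException {
        // Constructed samples: same Body content, with and without the pretty-printing whitespace.
        String open = "<soapenv:Envelope xmlns:soapenv=\"" + SOAP11_NS
                + "\" xmlns:ws=\"http://ws.djigzo.application.mitm/\"><soapenv:Body>";
        String call = "<ws:isUser><email>?</email></ws:isUser>";
        String close = "</soapenv:Body></soapenv:Envelope>";
        System.out.println("pretty-printed: " + hasWhitespaceBeforeFirstBodyChild(open + "\n   " + call + "\n" + close));
        System.out.println("stripped:       " + hasWhitespaceBeforeFirstBodyChild(open + call + close));
    }
}
```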