Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
2.2.2
-
None
-
cxf-2.2.2, wss4j-1.5.7, xmlsec-1.4.2
-
Advanced
Description
I have a secure WS that is described by a WS-Policy document that's
pasted below.
Policy A is attached to the wsdl:binding while policy B is attached to
the wsdl:input,wsdl:output and wsdl:fault
When my WS throws a soap fault there's a couple of problems:
1) the soap:Body element is not encrypted
2) the soap:Body element is not signed
3) the WS client fails to validate the WS-Security header with the
that's also pasted below.
The problem seems to be in the way CXF handles WS-Security header using
the PolicyBasedWSS4JInterceptor.
When the response arrives it passes through the in interceptor chain and
the encrypted parts are decrypted. The way wss4j handles decryption is
that it replaces the xmlenc:EncryptedData element in the SOAP document
with the decrypted content but it does not remove the corresponding
xmlenc:ReferenceData/xmlenc:DataReference element from the Security
header. After decryption is done some other interceptor detects that the
message is actually a fault and triggers the inFault interceptor chain.
The inFault interceptor chain again contains the
PolicyBasedWSS4JInterceptor and it should contain it since not all the
policy assertions have been asserted by the 'in' chain. (e.g.
UsingAddressing assertion).
The PolicyBasedWSS4JInterceptor runs wss4j again on a document that has
already been decrypted and fails with the error below because the
xmlenc:ReferenceData/xmlenc:DataReference elements point to nothing.
Has anyone ever hit a problem like that? Is there any workaround for
that (other than chainging the WS-Policy document)?
thanks in advance,
7038 [main] WARN org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor -
org.apache.ws.security.WSSecurityException: An error was discovered
processing the <wsse:Security> header (WSSecurityEngine: DataReference -
referenced data not found)
at
org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:141)
at
org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:113)
at
org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:76)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:179)
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
at
org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:96)
at
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
at
org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:645)
at org.apache.cxf.transport.http.HTTPConduit
$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2132)
at org.apache.cxf.transport.http.HTTPConduit
$WrappedOutputStream.handleResponse(HTTPConduit.java:2015)
at org.apache.cxf.transport.http.HTTPConduit
$WrappedOutputStream.close(HTTPConduit.java:1940)
at
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
at
org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:180)
at
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:66)
at
org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
at org.apache.cxf.interceptor.MessageSenderInterceptor
$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:471)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:301)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:253)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
at
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:121)
at $Proxy38.sendMessage(Unknown Source)
<wsp:Policy wsu:Id="A">
<wsp:ExactlyOne>
<wsp:All>
<sp:SymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys />
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
<sp:EncryptSignature />
<sp:OnlySignEntireHeadersAndBody />
</wsp:Policy>
</sp:SymmetricBinding>
<sp:EndorsingSupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference />
<sp:WssX509V3Token10 />
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
<sp:RequireSignatureConfirmation />
</wsp:Policy>
</sp:Wss11>
<sp:Trust10
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing />
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="B">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing" />
<sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing" />
</sp:SignedParts>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body />
</sp:EncryptedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>