CXF / CXF-5983

Security processing failed (actions mismatch) occurs due to ENCR action appearing twice


Details

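    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.7.11
    • Fix Version/s: 3.0.2, 3.1
    • Component/s: JAX-WS Runtime
    • Labels: None
    • Environment: Windows 7, Windows Vista
    • Estimated Complexity: Advanced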

    Description

      I am receiving a response from a server which has the following actions: Timestamp Encrypt Signature.
      However, when the response hits the inbound interceptor (WSS4JInInterceptor), it throws the following exception:

      Sep 01, 2014 2:07:49 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor checkActions
      WARNING: Security processing failed (actions mismatch)
      Sep 01, 2014 2:07:49 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
      WARNING:
      org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
      at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JInInterceptor.java:354)

      The inbound configuration aspects are as follows:

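      // Inbound policy rules: the security actions expected on the response
      // and the key material and algorithms used to process them.
      Map<String, Object> inProps = new HashMap<String, Object>();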
      inProps.put("action", "Timestamp Encrypt Signature");
      inProps.put("passwordCallbackClass", "reply.solidsoft.emvs.common.EmvsPasswordCallback");
      inProps.put("decryptionPropFile", EmvsProperties.val(propPrefix + "resp.propFile"));
      inProps.put("signaturePropFile", EmvsProperties.val(propPrefix + "enc.propFile"));
      inProps.put("encryptionKeyIdentifier", "Thumbprint");
      inProps.put("signatureKeyIdentifier", "DirectReference");
      inProps.put("encryptionKeyTransportAlgorithm", "http://www.w3.org/2001/04/xmlenc#rsa-1_5");
      inProps.put("signatureAlgorithm", "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256");
      inProps.put("signatureDigestAlgorithm", "http://www.w3.org/2001/04/xmlenc#sha256");
      inProps.put("encryptionSymAlgorithm", "http://www.w3.org/2001/04/xmlenc#aes256-cbc");

      client.getInInterceptors().add(new WSS4JInInterceptor(inProps));

      I have debugged the code in NetBeans and the issue stems from CXF erroneously misreading the actions on the incoming message. The WSS4JInInterceptor (or rather the classes/methods it calls) determines that the message has the following actions (see WSConstants.java):

      hex constant/tag value
      4/ENCR
      2/SIGN
      4/ENCR
      1000/BST
      20/TS

      It can be seen that the security engine determines that ENCR occurs twice. This causes WSHandler.java - checkReceiverResultsAnyOrder() to throw the mismatch error. I have managed a temporary workaround by creating my own version of this code and ignoring the first/erroneous ENCR action. This lets the code execute without error and all parts are decrypted perfectly. As such, I don't believe that the response message is at fault.

      I have attached MismatchResponse.xml, which is the data that is causing the error.

      Attachments

        1. MismatchResponse.xml
          7 kB
          Ben Preston
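
The mismatch described in the report can be reproduced with a simplified model, added here as an illustration and not taken from CXF or WSS4J source. The class and method names are hypothetical, and the matching rule (each result consumes one configured action, BST results are skipped) is an assumption about how an any-order check behaves; the hex values and the result sequence are the ones listed in the description.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Simplified model of an any-order action check; not WSS4J source code.
public class ActionMismatchDemo {
    // Hex action values as listed in the report (from WSConstants.java).
    static final int SIGN = 0x2, ENCR = 0x4, TS = 0x20, BST = 0x1000;

    // Assumed rule: every processed result must consume one configured action,
    // BST results are skipped, and no configured action may be left over.
    static boolean strictAnyOrder(List<Integer> results, List<Integer> configured) {
        List<Integer> remaining = new ArrayList<Integer>(configured);
        for (Integer action : results) {
            if (action == BST) {
                continue;
            }
            if (!remaining.remove(action)) { // remove(Object): false if absent
                return false;                // unexpected or repeated action
            }
        }
        return remaining.isEmpty();
    }

    // Models the reporter's workaround: ignore the first occurrence of an
    // action when that action appears more than once in the results.
    static List<Integer> ignoreFirstRepeated(List<Integer> results, int action) {
        List<Integer> copy = new ArrayList<Integer>(results);
        Integer boxed = action;
        if (copy.indexOf(boxed) != copy.lastIndexOf(boxed)) {
            copy.remove(boxed); // removes the first occurrence only
        }
        return copy;
    }

    public static void main(String[] args) {
        // "action" = "Timestamp Encrypt Signature" from the inbound configuration.
        List<Integer> configured = Arrays.asList(TS, ENCR, SIGN);
        // Result sequence the reporter observed in the debugger.
        List<Integer> observed = Arrays.asList(ENCR, SIGN, ENCR, BST, TS);
        // Constructed sequence with no signature result, for comparison.
        List<Integer> unsigned = Arrays.asList(ENCR, ENCR, BST, TS);

        System.out.println("observed results: " + strictAnyOrder(observed, configured));
        System.out.println("first ENCR ignored: "
                + strictAnyOrder(ignoreFirstRepeated(observed, ENCR), configured));
        System.out.println("signature absent: "
                + strictAnyOrder(ignoreFirstRepeated(unsigned, ENCR), configured));
    }
}
```

The third case shows the property a relaxed check has to keep: collapsing a repeated ENCR must not let a response pass when a configured action such as the signature is missing.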

          People

            Assignee: Colm O hEigeartaigh (coheigea)
            Reporter: Ben Preston (bpreston)