Rampart / RAMPART-329

Interoperability with WSIT problem: RampartException: Error in adding token into store


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.4, 1.5
    • Fix Version/s: 2.0.0
    • Component/s: rampart-trust
    • Labels: None
    • Environment: Axis2 1.5.1
      Metro 2.1

    Description

      The combination Axis2 (Rampart) service + Metro (WSIT) client doesn't work when using a SymmetricBinding policy. The cause is that Rampart caches all EncryptedKeys by their ID, assuming that these are UUIDs, while WSIT just assigns IDs that are unique within a single SOAP message, like "_1", "_2", etc.

      As a consequence, only the first request succeeds, with all subsequent requests failing with:

      org.apache.axis2.AxisFault: Error in adding token into store
      at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:70)
      at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
      at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
      at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:429)
      at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:43)
      at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:100)
      at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:176)
      at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
      at org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:278)
      at org.apache.axis2.transport.http.server.AxisHttpService.doService(AxisHttpService.java:281)
      at org.apache.axis2.transport.http.server.AxisHttpService.handleRequest(AxisHttpService.java:187)
      at org.apache.axis2.transport.http.server.HttpServiceProcessor.run(HttpServiceProcessor.java:82)
      at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
      at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
      at java.lang.Thread.run(Thread.java:595)
      Caused by: org.apache.rampart.RampartException: Error in adding token into store
      at org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:787)
      at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:424)
      at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:90)
      at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
      at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
      ... 14 more
      (and, after patching Rampart not to swallow the root cause)
      Caused by: org.apache.rahas.TrustException: "The token "_5002" already exists in the store
      at org.apache.rahas.SimpleTokenStore.add(SimpleTokenStore.java:65)
      at org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:782)
      ... 18 more

      As can be seen, the first EncryptedKey with ID "_5002" couldn't be added to the store. That is because the WSIT request looks like:

      <?xml version='1.0' encoding='UTF-8'?>
      <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
          xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
          xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
          xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
        <S:Header>
          <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/LoginService.LoginServicePortType</To>
          <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
          <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
            <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
          </ReplyTo>
          <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:be30f6b8-a756-4ef4-a2d4-ed79579ab73d</MessageID>
          <wsse:Security S:mustUnderstand="1">
            <wsu:Timestamp
                xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_5">
              <wsu:Created>2011-03-11T12:41:26Z</wsu:Created>
              <wsu:Expires>2011-03-11T12:46:26Z</wsu:Expires>
            </wsu:Timestamp>
            <xenc:EncryptedKey
                xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5002">
              <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
              <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:type="KeyInfoType">
                <wsse:SecurityTokenReference>
                  <wsse:KeyIdentifier
                      ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
                      EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">HYL371NzoOs2+IA24VDkBGcUFQM=</wsse:KeyIdentifier>
                </wsse:SecurityTokenReference>
              </ds:KeyInfo>
              <xenc:CipherData>
                <xenc:CipherValue>U2P07ZSaepPHGlHuIHYZX9oL5Vrhy.......</xenc:CipherValue>
              </xenc:CipherData>
            </xenc:EncryptedKey>
            <wsc:DerivedKeyToken
                xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_3">
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#_5002"
                    ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
              </wsse:SecurityTokenReference>
              <wsc:Offset>0</wsc:Offset>
              <wsc:Length>16</wsc:Length>
              <wsc:Nonce>XvWeqk48yU+hL9QA5+JzUeIM</wsc:Nonce>
            </wsc:DerivedKeyToken>
            <wsse:BinarySecurityToken
                xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:ns18="http://www.w3.org/2003/05/soap-envelope"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                wsu:Id="uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3">MIICTDCCAbUCBEbJZMQwDQ.........</wsse:BinarySecurityToken>
            <wsc:DerivedKeyToken
                xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_4">
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#_5002"
                    ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
              </wsse:SecurityTokenReference>
              <wsc:Offset>0</wsc:Offset>
              <wsc:Length>16</wsc:Length>
              <wsc:Nonce>dZZ0MgLmAc+T9wBBxY7y/oDS</wsc:Nonce>
            </wsc:DerivedKeyToken>
            <xenc:ReferenceList
                xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:ns18="http://www.w3.org/2003/05/soap-envelope">
              <xenc:DataReference URI="#_5005" />
              <xenc:DataReference URI="#_5006" />
            </xenc:ReferenceList>
            <xenc:EncryptedData
                xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5006"
                Type="http://www.w3.org/2001/04/xmlenc#Element">
              <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
              <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  xsi:type="KeyInfoType">
                <wsse:SecurityTokenReference>
                  <wsse:Reference URI="#_4" />
                </wsse:SecurityTokenReference>
              </ds:KeyInfo>
              <xenc:CipherData>
                <xenc:CipherValue>ggGI89+Ajl2PytO/7NM3TeC/......</xenc:CipherValue>
              </xenc:CipherData>
            </xenc:EncryptedData>
            <ds:Signature
                xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
                xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_6">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod
                    Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                  <exc14n:InclusiveNamespaces PrefixList="wsse S" />
                </ds:CanonicalizationMethod>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#_1">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                      <exc14n:InclusiveNamespaces
                          PrefixList="wsu wsse S" />
                    </ds:Transform>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>yo9B6dCgG2r5JtJA0iOZPOQALBU=</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>SGLHUTns15tib3gnll2H.....</ds:SignatureValue>
              <ds:KeyInfo>
                <wsse:SecurityTokenReference>
                  <wsse:Reference URI="#uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3"
                      ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
                </wsse:SecurityTokenReference>
              </ds:KeyInfo>
            </ds:Signature>
          </wsse:Security>
        </S:Header>
        <S:Body>
          <xenc:EncryptedData
              xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
              xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5005"
              Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:type="KeyInfoType">
              <wsse:SecurityTokenReference>
                <wsse:Reference URI="#_4" />
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
              <xenc:CipherValue>Nf2O8yHO2Ls1bIDN2.....</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedData>
        </S:Body>
      </S:Envelope>

      I believe that the problem lies on the Rampart side, as according to the OASIS standards EncryptedKey IDs don't have to be unique across SOAP calls.
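The collision the description walks through, reproduced as an added example that is not code from the issue, from Rampart or from WSIT. It builds two constructed WSIT-style requests that differ in MessageID and wrapped-key ciphertext but both carry EncryptedKey Id="_5002", parses the header the way a receiver would, and feeds them through two toy token stores: one keyed by the Id alone (the assumption the report attributes to Rampart) and one keyed by the (MessageID, Id) pair. The scoped store is an illustration of scoping the cache key to the message the Id is unique within; it is not the fix Rampart applied. Only the namespace URIs come from the captured request; the message IDs, ciphertext strings and store classes are constructed for the example.

```python
"""Reproduce the RAMPART-329 token-store collision with constructed requests."""
import xml.etree.ElementTree as ET

# Namespaces taken from the captured request in the issue.
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed, trimmed-down request with the same header shape as the report:
# the EncryptedKey Id is hard-wired to "_5002", the way WSIT emits it per call.
_TEMPLATE = (
    '<S:Envelope xmlns:S="{S}" xmlns:wsa="{wsa}" xmlns:wsse="{wsse}" xmlns:xenc="{xenc}">'
    "<S:Header>"
    "<wsa:MessageID>uuid:MSGID</wsa:MessageID>"
    '<wsse:Security S:mustUnderstand="1">'
    '<xenc:EncryptedKey Id="_5002">'
    '<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>'
    "<xenc:CipherData><xenc:CipherValue>CIPHER</xenc:CipherValue></xenc:CipherData>"
    "</xenc:EncryptedKey>"
    "</wsse:Security>"
    "</S:Header>"
    "<S:Body/>"
    "</S:Envelope>"
).format(**NS)


def build_request(message_uuid, cipher_b64):
    """Return one request; only MessageID and the wrapped-key ciphertext vary."""
    return _TEMPLATE.replace("MSGID", message_uuid).replace("CIPHER", cipher_b64)


def parse_encrypted_key(envelope_xml):
    """Extract (MessageID, EncryptedKey/@Id, CipherValue) from a request."""
    root = ET.fromstring(envelope_xml)
    header = root.find("S:Header", NS)
    message_id = header.findtext("wsa:MessageID", namespaces=NS)
    ek = header.find("wsse:Security/xenc:EncryptedKey", NS)
    cipher = ek.findtext("xenc:CipherData/xenc:CipherValue", namespaces=NS)
    return message_id, ek.get("Id"), cipher


class TokenAlreadyExists(Exception):
    pass


class IdKeyedStore:
    """Flat cache keyed by EncryptedKey Id only: the behaviour the report
    attributes to Rampart (Ids assumed to be UUIDs, so unique across calls)."""

    def __init__(self):
        self._tokens = {}

    def add(self, message_id, key_id, cipher):
        if key_id in self._tokens:
            raise TokenAlreadyExists(f'The token "{key_id}" already exists in the store')
        self._tokens[key_id] = cipher


class MessageScopedStore(IdKeyedStore):
    """Illustrative alternative (hypothetical, not Rampart's fix): key the cache
    by the (MessageID, Id) pair, since the Id is only unique within a message."""

    def add(self, message_id, key_id, cipher):
        scoped = (message_id, key_id)
        if scoped in self._tokens:
            raise TokenAlreadyExists(
                f'The token "{key_id}" already exists for message {message_id}')
        self._tokens[scoped] = cipher


def process(requests, store):
    """Feed requests through a store; return (accepted_count, first_error)."""
    accepted = 0
    for envelope in requests:
        try:
            store.add(*parse_encrypted_key(envelope))
            accepted += 1
        except TokenAlreadyExists as exc:
            return accepted, str(exc)
    return accepted, None


# Two consecutive calls from one WSIT client (constructed sample values): fresh
# MessageID and fresh wrapped key each time, but EncryptedKey Id "_5002" in both.
REQUESTS = [
    build_request("11111111-2222-4333-8444-555555555555", "Zmlyc3Qtd3JhcHBlZC1rZXk="),
    build_request("66666666-7777-4888-8999-aaaaaaaaaaaa", "c2Vjb25kLXdyYXBwZWQta2V5"),
]

if __name__ == "__main__":
    print(process(REQUESTS, IdKeyedStore()))        # (1, 'The token "_5002" already exists in the store')
    print(process(REQUESTS, MessageScopedStore()))  # (2, None)
```

Replaying the very same message twice is still rejected by the scoped store, which is the property a cache like this is presumably there to provide; what changes is only that a fresh message reusing a per-message Id no longer counts as a replay.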

      People

        robertlazarski Robert Lazarski
        rustamabd Rustam Abdullaev
        Votes: 0
        Watchers: 1