Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 1.4, 1.5
- Fix Version/s: None
- Environment: Axis2 1.5.1, Metro 2.1
Description
The combination Axis2 (Rampart) service + Metro (WSIT) client does not work when using a SymmetricBinding policy. The cause is that Rampart caches all EncryptedKeys in its token store by their ID, assuming that these IDs are UUIDs, while WSIT assigns IDs that are unique only within a single SOAP message, such as "_1", "_2", etc.
As a consequence, only the first request succeeds; all subsequent requests fail with:
org.apache.axis2.AxisFault: Error in adding token into store
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:70)
at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:429)
at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:43)
at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:100)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:176)
at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
at org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:278)
at org.apache.axis2.transport.http.server.AxisHttpService.doService(AxisHttpService.java:281)
at org.apache.axis2.transport.http.server.AxisHttpService.handleRequest(AxisHttpService.java:187)
at org.apache.axis2.transport.http.server.HttpServiceProcessor.run(HttpServiceProcessor.java:82)
at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
at java.lang.Thread.run(Thread.java:595)
Caused by: org.apache.rampart.RampartException: Error in adding token into store
at org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:787)
at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:424)
at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:90)
at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
... 14 more
(and, after patching Rampart not to swallow the root cause)
Caused by: org.apache.rahas.TrustException: "The token "_5002" already exists in the store
at org.apache.rahas.SimpleTokenStore.add(SimpleTokenStore.java:65)
at org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:782)
... 18 more
As can be seen, the EncryptedKey with ID "_5002" could not be added to the store a second time, because every WSIT request reuses that ID. The WSIT request looks like:
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
<S:Header>
<To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/LoginService.LoginServicePortType</To>
<Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:be30f6b8-a756-4ef4-a2d4-ed79579ab73d</MessageID>
<wsse:Security S:mustUnderstand="1">
<wsu:Timestamp
xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_5">
<wsu:Created>2011-03-11T12:41:26Z</wsu:Created>
<wsu:Expires>2011-03-11T12:46:26Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey
xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5002">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="KeyInfoType">
<wsse:SecurityTokenReference>
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">HYL371NzoOs2+IA24VDkBGcUFQM=</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>U2P07ZSaepPHGlHuIHYZX9oL5Vrhy.......</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedKey>
<wsc:DerivedKeyToken
xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_3">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#_5002"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
</wsse:SecurityTokenReference>
<wsc:Offset>0</wsc:Offset>
<wsc:Length>16</wsc:Length>
<wsc:Nonce>XvWeqk48yU+hL9QA5+JzUeIM</wsc:Nonce>
</wsc:DerivedKeyToken>
<wsse:BinarySecurityToken
xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns18="http://www.w3.org/2003/05/soap-envelope"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
wsu:Id="uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3">MIICTDCCAbUCBEbJZMQwDQ.........</wsse:BinarySecurityToken>
<wsc:DerivedKeyToken
xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_4">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#_5002"
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
</wsse:SecurityTokenReference>
<wsc:Offset>0</wsc:Offset>
<wsc:Length>16</wsc:Length>
<wsc:Nonce>dZZ0MgLmAc+T9wBBxY7y/oDS</wsc:Nonce>
</wsc:DerivedKeyToken>
<xenc:ReferenceList
xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns18="http://www.w3.org/2003/05/soap-envelope">
<xenc:DataReference URI="#_5005" />
<xenc:DataReference URI="#_5006" />
</xenc:ReferenceList>
<xenc:EncryptedData
xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5006"
Type="http://www.w3.org/2001/04/xmlenc#Element">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="KeyInfoType">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#_4" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>ggGI89+Ajl2PytO/7NM3TeC/......</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
<ds:Signature
xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_6">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S" />
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<ds:Reference URI="#_1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces
PrefixList="wsu wsse S" />
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<ds:DigestValue>yo9B6dCgG2r5JtJA0iOZPOQALBU=
</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
SGLHUTns15tib3gnll2H.....
</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body>
<xenc:EncryptedData
xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5005"
Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
<ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="KeyInfoType">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#_4" />
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>
Nf2O8yHO2Ls1bIDN2.....
</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</S:Body>
</S:Envelope>
I believe that the problem lies on the Rampart side, as according to the OASIS standards EncryptedKey IDs don't have to be unique across SOAP calls.
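The following is an added example, not Rampart's or WSIT's code: a small Python model of the collision described above. It pulls the EncryptedKey Id and the WS-Addressing MessageID out of constructed, trimmed WSIT-style envelopes, flags IDs that are only message-local (like "_5002") rather than UUID-style, and replays two requests against a store keyed by Id alone, as the trace shows, and against one keyed by (MessageID, Id), which is an assumed mitigation and not Rampart's own fix.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed, trimmed WSIT-style envelope: only the parts this check needs.
ENVELOPE = (
    '<S:Envelope xmlns:S="{S}" xmlns:wsa="{wsa}" xmlns:wsse="{wsse}" xmlns:xenc="{xenc}">'
    "<S:Header><wsa:MessageID>uuid:{msgid}</wsa:MessageID>"
    '<wsse:Security><xenc:EncryptedKey Id="{keyid}"/></wsse:Security></S:Header>'
    "<S:Body/></S:Envelope>"
)

def make_request(msgid, keyid):
    return ENVELOPE.format(msgid=msgid, keyid=keyid, **NS)

def encrypted_key_id(envelope_xml):
    """Return (MessageID, EncryptedKey Id) from the WS-Security header."""
    root = ET.fromstring(envelope_xml)
    msgid = root.find("S:Header/wsa:MessageID", NS).text
    ek = root.find("S:Header/wsse:Security/xenc:EncryptedKey", NS)
    return msgid, ek.get("Id")

# WSIT assigns "_1", "_5002", ...; Rampart assumes UUID-style ids like the BST's wsu:Id.
UUID_RE = re.compile(r"^(uuid[_:])?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def is_message_local_id(token_id):
    return UUID_RE.match(token_id) is None

def first_failing_request(envelopes, scope_by_message):
    """Replay requests the way SimpleTokenStore.add behaves: a duplicate key is refused.
    Returns the 1-based index of the first refused request, or None if all succeed.
    Keying by (MessageID, Id) is an assumed mitigation, not Rampart's actual fix."""
    store = set()
    for n, env in enumerate(envelopes, 1):
        msgid, key_id = encrypted_key_id(env)
        key = (msgid, key_id) if scope_by_message else key_id
        if key in store:
            return n  # corresponds to: The token "_5002" already exists in the store
        store.add(key)
    return None
```

With the store keyed by Id alone the second request is refused, matching the report; keyed per message both requests are accepted.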