ian homer updated CXF-2158: --------------------------- Component/s: WS-* Components > Mix up of ID and ID reference of security token in signature causes WCF > service to throw Cannot resolve KeyInfo for verifying signature > --------------------------------------------------------------------------------------------------------------------------------------- > > Key: CXF-2158 > URL: https://issues.apache.org/jira/browse/CXF-2158 > Project: CXF > Issue Type: Bug > Components: WS-* Components > Affects Versions: 2.2 > Environment: Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153) > - MacOS 10.5 and Windows Vista > Reporter: ian homer > Attachments: CalculatorService1339.wsdl > > > Issue > The CXF 2.2 client causes WCF to throw "Cannot resolve KeyInfo for verifying > signature: KeyInfo 'SecurityKeyIdentifier ...'" when connecting to a secured WCF > service set up following the tutorial "WCF Getting Started Sample Tutorial > with Message Security User Name" @ > http://msdn.microsoft.com/en-us/library/ms752233.aspx (the service WSDL is attached to this > ticket). > Root cause, in short (see the analysis at the end): in the signed second request the wsse:Reference inside the signature's KeyInfo points at the SecurityContextToken by its c:Identifier URN (with a '#' prefix) instead of by the token's wsu:Id, so the WCF receiver cannot match the reference to the token carried in the same Security header and rejects the message with InvalidSecurity. > See the analysis below for a summary of the issue and an indication of the resolution. 
> [edit] CXF Client Test Case > $ java -version > java version "1.6.0_07" > Java(TM) SE Runtime Environment (build 1.6.0_07-b06-153) > Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_07-b06-57, mixed mode) > > MacOS 10.5 and Windows Vista > CXF Version 2.2 > import static org.junit.Assert.assertEquals; > import groovyx.net.ws.cxf.SSLHelper; > > import java.util.ArrayList; > import java.util.HashMap; > import java.util.List; > import java.util.Map; > > import javax.security.auth.callback.Callback; > import javax.security.auth.callback.CallbackHandler; > import javax.xml.namespace.QName; > > import org.apache.commons.logging.Log; > import org.apache.commons.logging.LogFactory; > import org.apache.cxf.Bus; > import org.apache.cxf.binding.soap.SoapMessage; > import org.apache.cxf.endpoint.Client; > import org.apache.cxf.endpoint.Endpoint; > import org.apache.cxf.endpoint.EndpointImpl; > import org.apache.cxf.endpoint.dynamic.DynamicClientFactory; > import org.apache.cxf.interceptor.Fault; > import org.apache.cxf.interceptor.LoggingInInterceptor; > import org.apache.cxf.interceptor.LoggingOutInterceptor; > import org.apache.cxf.message.Exchange; > import org.apache.cxf.message.Message; > import org.apache.cxf.message.MessageUtils; > import org.apache.cxf.phase.Phase; > import org.apache.cxf.service.model.BindingOperationInfo; > import org.apache.cxf.service.model.EndpointInfo; > import org.apache.cxf.ws.policy.AbstractPolicyInterceptor; > import org.apache.cxf.ws.policy.EffectivePolicy; > import org.apache.cxf.ws.policy.PolicyEngine; > import org.apache.cxf.ws.policy.PolicyException; > import org.apache.cxf.ws.security.policy.model.SignedEncryptedParts; > import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor; > import org.apache.neethi.AbstractPolicyOperator; > import org.apache.ws.security.WSConstants; > import org.apache.ws.security.WSPasswordCallback; > import org.apache.ws.security.handler.WSHandlerConstants; > import org.junit.Test; > > public class 
SSLAWSWCFCalculatorIssueTestCase { > protected static Log log = > LogFactory.getLog(SSLAWSWCFCalculatorIssueTestCase.class); > > public static final String WCF_HOST = "host"; > private static final String WSDL_URI_REMOTE = "http://" + WCF_HOST > + "/ServiceModelSamples/service.svc?wsdl"; > /** > * Filters for a default WCF_SSLA integration > */ > public static final Class<?>[] WCF_SSLA = new Class<?>[] { > SignedEncryptedParts.class }; > > @Test > public void testOperationsOfSSLClientWithSoapAuthentication() throws > Exception { > QName service = new QName("http://tempuri.org/", > "CalculatorService"); > QName port = new QName("http://tempuri.org/", "SSLCalculatorA"); > > Client client = > DynamicClientFactory.newInstance().createClient(WSDL_URI_REMOTE, service, > > SSLAWSWCFCalculatorIssueTestCase.class.getClassLoader(), port); > > SSLHelper sslHelper = new SSLHelper(); > sslHelper.initialize(); > sslHelper.enable(client); > > Bus bus = ((EndpointImpl) client.getEndpoint()).getBus(); > /* > * Apply default policy filter in interceptor to filter out the > * mandatory signing of body parts. 
Otherwise CXF policy > validation > * fails since the response from WCF is not compliant with this > */ > bus.getInInterceptors().add(new > PolicyFilterOutInterceptor(WCF_SSLA)); > Map<String, Object> outProps = new HashMap<String, Object>(); > > outProps.put(WSHandlerConstants.ACTION, > WSHandlerConstants.USERNAME_TOKEN); > outProps.put(WSHandlerConstants.USER, "bart\\myname"); > outProps.put(WSHandlerConstants.PASSWORD_TYPE, > WSConstants.PW_TEXT); > outProps.put(WSHandlerConstants.MUST_UNDERSTAND, "true"); > outProps.put(WSHandlerConstants.PW_CALLBACK_REF, new > PasswordHandler("password")); > > bus.getOutInterceptors().add(new > JustOnceWSS4JOutInterceptor(outProps)); > > /* > * Add logging interceptors > */ > bus.getInInterceptors().add(new LoggingInInterceptor()); > bus.getOutInterceptors().add(new LoggingOutInterceptor()); > > BindingOperationInfo add = > client.getEndpoint().getEndpointInfo().getBinding() > .getOperation(new > QName("http://Microsoft.ServiceModel.Samples", "Add")) > .getUnwrappedOperation(); > /** > * Now call some operations > */ > if (log.isDebugEnabled()) { > log.debug("Invoking method add"); > } > Object[] answer = client.invoke(add, new Object[] { "1", "2" }); > if (log.isDebugEnabled()) { > log.debug("1 + 2 = " + answer[0]); > } > assertEquals("Add method not correct", new Double(3.0), > answer[0]); > > if (log.isDebugEnabled()) { > log.debug("Invoking method multiply"); > } > BindingOperationInfo multiply = > client.getEndpoint().getEndpointInfo().getBinding() > .getOperation(new > QName("http://Microsoft.ServiceModel.Samples", "Multiply")) > .getUnwrappedOperation(); > > answer = client.invoke(multiply, new Object[] { "3", "2" }); > assertEquals("Multiply method not correct", new Double(6.0), > answer); > if (log.isDebugEnabled()) { > log.debug("3 x 2 = " + answer); > } > } > > /** > * Handler to get the password > */ > public class PasswordHandler implements CallbackHandler { > private static final String DEFAULT_PASSWORD = 
"password"; > String password; > > public PasswordHandler() { > this.password = DEFAULT_PASSWORD; > } > > public PasswordHandler(String password) { > this.password = password; > } > > public void handle(Callback[] callbacks) { > WSPasswordCallback pc = (WSPasswordCallback) > callbacks[0]; > pc.setPassword(password); > } > } > > /** > * An WSS4J Interceptor that only includes the security header once, > without > * this WCF service throws a security exception when username and > password > * sent along with the SecurityContextToken in the second request > */ > > public class JustOnceWSS4JOutInterceptor extends WSS4JOutInterceptor { > int count = 0; > > /** > * @param outProps > */ > public JustOnceWSS4JOutInterceptor(Map<String, Object> > outProps) { > super(outProps); > } > > @Override > public void handleMessage(SoapMessage mc) throws Fault { > if (count == 0) { > if (log.isDebugEnabled()) { > log.debug("Calling WSS4J interceptor : > count = " + count); > } > super.handleMessage(mc); > } else { > if (log.isDebugEnabled()) { > log.debug("Skipping WSS4J interceptor : > count = " + count); > } > } > count++; > } > } > > public class PolicyFilterOutInterceptor extends > AbstractPolicyInterceptor { > > private Class<?>[] filters; > > public PolicyFilterOutInterceptor(Class<?>[] filters) { > super(Phase.PRE_STREAM); > this.filters = filters; > } > > @Override > protected void handle(Message message) throws PolicyException { > if (log.isDebugEnabled()) { > log.debug("Filtering policies for " + > this.getClass().getName()); > } > > Exchange exchange = message.getExchange(); > BindingOperationInfo boi = > exchange.get(BindingOperationInfo.class); > if (null == boi) { > if (log.isDebugEnabled()) { > log.debug("No binding operation info."); > } > return; > } > > Endpoint e = exchange.get(Endpoint.class); > if (null == e) { > if (log.isDebugEnabled()) { > log.debug("No endpoint."); > } > return; > } > EndpointInfo ei = e.getEndpointInfo(); > > Bus bus = 
exchange.get(Bus.class); > PolicyEngine pe = bus.getExtension(PolicyEngine.class); > if (null == pe) { > return; > } > > if (MessageUtils.isPartialResponse(message)) { > if (log.isDebugEnabled()) { > log.debug("Not verifying policies on > inbound partial response."); > } > return; > } > > getTransportAssertions(message); > > EffectivePolicy effectivePolicy = > message.get(EffectivePolicy.class); > if (effectivePolicy == null) { > if (MessageUtils.isRequestor(message)) { > effectivePolicy = > pe.getEffectiveClientResponsePolicy(ei, boi); > } else { > effectivePolicy = > pe.getEffectiveServerRequestPolicy(ei, boi); > } > } > > removePolicies(effectivePolicy.getPolicy(), filters); > } > > public void removePolicy(AbstractPolicyOperator operator, > Class<?> clazz) { > removePolicies(operator, new Class<?>[] { clazz }); > } > > @SuppressWarnings("unchecked") > public void removePolicies(AbstractPolicyOperator operator, > Class<?>[] classes) { > List<Object> childrenForRemoval = new > ArrayList<Object>(); > > for (Object child : operator.getPolicyComponents()) { > if (child instanceof AbstractPolicyOperator) { > removePolicies((AbstractPolicyOperator) > child, classes); > } else { > for (int i = 0; i < classes.length; > i++) { > if (child.getClass() == > classes[i]) { > > childrenForRemoval.add(child); > if > (log.isDebugEnabled()) { > > log.debug("Removing policy : " + child); > } > } > } > } > } > > /* > * Remove all the children that have been marked for > removal > */ > > operator.getPolicyComponents().removeAll(childrenForRemoval); > } > } > } > [edit] WCF Exception > <Exception> > <ExceptionType>System.ServiceModel.Security.MessageSecurityException, > System.ServiceModel, Version=3.0.0.0, Culture=neutral, > PublicKeyToken=b77a5c561934e089</ExceptionType> > <Message>Cannot resolve KeyInfo for verifying signature: KeyInfo > 'SecurityKeyIdentifier > ( > IsReadOnly = False, > Count = 1, > Clause[0] = LocalIdKeyIdentifierClause(LocalId = > 
'urn:uuid:67422cf9-69c5-4e15-802d-4c6d39cdc57d', Owner = > 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken') > ) > ', available tokens 'SecurityTokenResolver > ( > TokenCount = 1, > TokenEntry[0] = (AllowedReferenceStyle=Internal, > Token=System.ServiceModel.Security.Tokens.SecurityContextSecurityToken, > Parameters=System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters: > InclusionMode: AlwaysToRecipient > ReferenceStyle: Internal > RequireDerivedKeys: False > RequireCancellation: True > BootstrapSecurityBindingElement: > System.ServiceModel.Channels.TransportSecurityBindingElement: > DefaultAlgorithmSuite: Basic256 > IncludeTimestamp: True > KeyEntropyMode: CombinedEntropy > MessageSecurityVersion: > WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 > SecurityHeaderLayout: Strict > EndpointSupportingTokenParameters: > No endorsing tokens. > No signed tokens. > SignedEncrypted[0] > System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters: > InclusionMode: AlwaysToRecipient > ReferenceStyle: Internal > RequireDerivedKeys: False > No signed endorsing tokens. > OptionalEndpointSupportingTokenParameters: > No endorsing tokens. > No signed tokens. > No signed encrypted tokens. > No signed endorsing tokens. 
> OperationSupportingTokenParameters: none > OptionalOperationSupportingTokenParameters: none) > ) > '.</Message> > <StackTrace> > at > System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.ResolveSignatureToken(SecurityKeyIdentifier > > keyIdentifier, SecurityTokenResolver resolver, Boolean isPrimarySignature) > at > System.ServiceModel.Security.WSSecurityOneDotZeroReceiveSecurityHeader.VerifySignature(SignedXml > signedXml, Boolean isPrimarySignature, SecurityHeaderTokenResolver resolver, > Object signatureTarget, String id) > at > System.ServiceModel.Security.ReceiveSecurityHeader.ProcessSupportingSignature(SignedXml > signedXml, Boolean isFromDecryptedSource) > at > System.ServiceModel.Security.ReceiveSecurityHeader.ExecuteFullPass(XmlDictionaryReader > reader) > at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan > timeout) > at > System.ServiceModel.Security.AcceptorSessionSymmetricTransportSecurityProtocol.VerifyIncomingMessageCore(Message& > message, TimeSpan timeout) > at > System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message& > message, TimeSpan timeout) > at > System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message& > message, TimeSpan timeout, SecurityProtocolCorrelationState[] > correlationStates) > at > System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ProcessRequestContext(RequestContext > requestContext, TimeSpan timeout, SecurityProtocolCorrelationState& > correlationState, Boolean& isSecurityProcessingFailure) > at > System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ReceiveRequestAsyncResult.WaitComplete() > at > System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.ReceiveRequestAsyncResult..ctor(ServerSecuritySessionChannel > channel, TimeSpan timeout, AsyncCallback callback, Object state) > at > 
System.ServiceModel.Security.SecuritySessionServerSettings.ServerSecuritySessionChannel.BeginTryReceiveRequest(TimeSpan > timeout, AsyncCallback callback, Object state) > at System.ServiceModel.Dispatcher.ReplyChannelBinder.BeginTryReceive(TimeSpan > timeout, AsyncCallback callback, Object state) > at > System.ServiceModel.Dispatcher.ErrorHandlingReceiver.BeginTryReceive(TimeSpan > timeout, AsyncCallback callback, Object state) > at System.ServiceModel.Dispatcher.ChannelHandler.EnsurePump() > at System.ServiceModel.Dispatcher.ChannelHandler.OpenAndEnsurePump() > at > System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.WorkItem.Invoke2() > at System.Security.SecurityContext.Run(SecurityContext securityContext, > ContextCallback callback, Object state) > at > System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.WorkItem.Invoke() > at > System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.ProcessCallbacks() > at > System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.CompletionCallback(Object > state) > at > System.ServiceModel.Channels.IOThreadScheduler.CriticalHelper.ScheduledOverlapped.IOCallback(UInt32 > errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped) > at > System.ServiceModel.Diagnostics.Utility.IOCompletionThunk.UnhandledExceptionFrame(UInt32 > error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped) > at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 > errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP) > </StackTrace> > <ExceptionString>System.ServiceModel.Security.MessageSecurityException: > Cannot resolve KeyInfo for verifying signature: KeyInfo 'SecurityKeyIdentifier > ( > IsReadOnly = False, > Count = 1, > Clause[0] = LocalIdKeyIdentifierClause(LocalId = > 'urn:uuid:67422cf9-69c5-4e15-802d-4c6d39cdc57d', Owner = > 'System.ServiceModel.Security.Tokens.SecurityContextSecurityToken') > ) > ', available tokens 'SecurityTokenResolver > ( > TokenCount = 1, > TokenEntry[0] = 
(AllowedReferenceStyle=Internal, > Token=System.ServiceModel.Security.Tokens.SecurityContextSecurityToken, > Parameters=System.ServiceModel.Security.Tokens.SecureConversationSecurityTokenParameters: > InclusionMode: AlwaysToRecipient > ReferenceStyle: Internal > RequireDerivedKeys: False > RequireCancellation: True > BootstrapSecurityBindingElement: > System.ServiceModel.Channels.TransportSecurityBindingElement: > DefaultAlgorithmSuite: Basic256 > IncludeTimestamp: True > KeyEntropyMode: CombinedEntropy > MessageSecurityVersion: > WSSecurity11WSTrustFebruary2005WSSecureConversationFebruary2005WSSecurityPolicy11BasicSecurityProfile10 > SecurityHeaderLayout: Strict > EndpointSupportingTokenParameters: > No endorsing tokens. > No signed tokens. > SignedEncrypted[0] > System.ServiceModel.Security.Tokens.UserNameSecurityTokenParameters: > InclusionMode: AlwaysToRecipient > ReferenceStyle: Internal > RequireDerivedKeys: False > No signed endorsing tokens. > OptionalEndpointSupportingTokenParameters: > No endorsing tokens. > No signed tokens. > No signed encrypted tokens. > No signed endorsing tokens. 
> OperationSupportingTokenParameters: none > OptionalOperationSupportingTokenParameters: none) > ) > '.</ExceptionString> > </Exception> > [edit] WCF Client with WCF Server > [edit] WCF Client Request 1 > <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" > xmlns:a="http://www.w3.org/2005/08/addressing" > > xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> > <s:Header> > <a:Action > s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</a:Action> > > <a:MessageID>urn:uuid:8151f398-b043-485e-a443-681fb698d334</a:MessageID> > <a:ReplyTo> > > <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> > </a:ReplyTo> > <a:To > s:mustUnderstand="1">https://host/servicemodelsamples/service.svc/SSLA</a:To> > <o:Security s:mustUnderstand="1" > xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> > <u:Timestamp u:Id="_0"> > <u:Created>2009-04-06T08:25:00.988Z</u:Created> > <u:Expires>2009-04-06T08:30:00.988Z</u:Expires> > </u:Timestamp> > <o:UsernameToken > u:Id="uuid-0403819d-3bc9-4fc8-be6f-0c1b01da7397-1"> > <o:Username> > <!-- Removed--> > </o:Username> > <o:Password> > <!-- Removed--> > </o:Password> > </o:UsernameToken> > </o:Security> > </s:Header> > <s:Body> > <t:RequestSecurityToken > xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"> > > <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType> > > <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType> > <t:Entropy> > <!-- Removed--> > </t:Entropy> > <t:KeySize>256</t:KeySize> > </t:RequestSecurityToken> > </s:Body> > </s:Envelope> > [edit] WCF Client Response from Server 1 > <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" > xmlns:a="http://www.w3.org/2005/08/addressing" > xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> > <s:Header> > <a:Action > 
s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action> > > <a:RelatesTo>urn:uuid:4f4996b9-4d71-47d8-91b8-ba75df9b3de6</a:RelatesTo> > <o:Security s:mustUnderstand="1" > xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> > <u:Timestamp u:Id="_0"> > <u:Created>2009-04-06T08:59:01.713Z</u:Created> > <u:Expires>2009-04-06T09:04:01.713Z</u:Expires> > </u:Timestamp> > </o:Security> > </s:Header> > <s:Body> > <t:RequestSecurityTokenResponse > xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"> > > <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType> > <t:RequestedSecurityToken> > <c:SecurityContextToken > u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1" > xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"> > > <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier> > </c:SecurityContextToken> > </t:RequestedSecurityToken> > <t:RequestedAttachedReference> > <o:SecurityTokenReference > xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> > <o:Reference > ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" > URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference> > </o:SecurityTokenReference> > </t:RequestedAttachedReference> > <t:RequestedUnattachedReference> > <o:SecurityTokenReference > xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> > <o:Reference > URI="urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e" > ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference> > </o:SecurityTokenReference> > </t:RequestedUnattachedReference> > <t:RequestedProofToken> > > <t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKey> > </t:RequestedProofToken> > <t:Entropy> > <!-- Removed--> > </t:Entropy> > <t:Lifetime> > <u:Created>2009-04-06T08:59:01.701Z</u:Created> > <u:Expires>2009-04-06T23:59:01.701Z</u:Expires> > </t:Lifetime> > 
<t:KeySize>256</t:KeySize> > </t:RequestSecurityTokenResponse> > </s:Body> > </s:Envelope> > [edit] WCF Client Request 2 > <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" > xmlns:a="http://www.w3.org/2005/08/addressing" > xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> > <s:Header> > <a:Action > s:mustUnderstand="1">http://Microsoft.ServiceModel.Samples/ICalculator/Add</a:Action> > > <a:MessageID>urn:uuid:3363fc9e-17e1-4e15-a0dc-ef56d63fa541</a:MessageID> > <a:ReplyTo> > > <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address> > </a:ReplyTo> > <a:To > s:mustUnderstand="1">https://host/servicemodelsamples/service.svc/SSLA</a:To> > <o:Security s:mustUnderstand="1" > xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> > <u:Timestamp u:Id="_0"> > <u:Created>2009-04-06T08:59:01.737Z</u:Created> > <u:Expires>2009-04-06T09:04:01.737Z</u:Expires> > </u:Timestamp> > <c:SecurityContextToken > u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1" > xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"> > > <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier> > </c:SecurityContextToken> > <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"> > <SignedInfo> > <CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod> > <SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"></SignatureMethod> > <Reference URI="#_0"> > <Transforms> > <Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform> > </Transforms> > <DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod> > > <DigestValue>2VuDOwhOC2mm4YhQJEAzutsXuiU=</DigestValue> > </Reference> > </SignedInfo> > <SignatureValue>AZzmujJH/wkgEzq9jopInPW3exQ=</SignatureValue> > <KeyInfo> > <o:SecurityTokenReference> > <o:Reference > ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" > 
URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference> > </o:SecurityTokenReference> > </KeyInfo> > </Signature> > </o:Security> > </s:Header> > <s:Body> > <Add xmlns="http://Microsoft.ServiceModel.Samples"> > <n1>100</n1> > <n2>15.99</n2> > </Add> > </s:Body> > </s:Envelope> > [edit] WCF Client Response from Server 2 > <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" > xmlns:a="http://www.w3.org/2005/08/addressing" > xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> > <s:Header> > <a:Action > s:mustUnderstand="1">http://Microsoft.ServiceModel.Samples/ICalculator/AddResponse</a:Action> > > <a:RelatesTo>urn:uuid:3363fc9e-17e1-4e15-a0dc-ef56d63fa541</a:RelatesTo> > <o:Security s:mustUnderstand="1" > xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> > <u:Timestamp u:Id="_0"> > <u:Created>2009-04-06T08:59:01.773Z</u:Created> > <u:Expires>2009-04-06T09:04:01.773Z</u:Expires> > </u:Timestamp> > </o:Security> > </s:Header> > <s:Body> > <AddResponse xmlns="http://Microsoft.ServiceModel.Samples"> > <AddResult>115.99</AddResult> > </AddResponse> > </s:Body> > </s:Envelope> > [edit] CXF Client with WCF Server > [edit] CXF Client Request 1 > <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"> > <soap:Header> > <Action xmlns="http://www.w3.org/2005/08/addressing"> > > http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action> > <MessageID xmlns="http://www.w3.org/2005/08/addressing"> > > urn:uuid:ee3fd188-2a43-4d0e-b202-aac81f803bc5</MessageID> > <To xmlns="http://www.w3.org/2005/08/addressing"> > https://host/ServiceModelSamples/service.svc/SSLA</To> > <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"> > <Address>http://www.w3.org/2005/08/addressing/anonymous > </Address> > </ReplyTo> > <wsse:Security > > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" > soap:mustUnderstand="true"> > <wsu:Timestamp 
> > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > wsu:Id="Timestamp-1763636894"> > <wsu:Created>2009-04-06T10:00:47.466Z > </wsu:Created> > <wsu:Expires>2009-04-06T10:05:47.466Z > </wsu:Expires> > </wsu:Timestamp> > <wsse:UsernameToken > > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > wsu:Id="UsernameToken-2095036283"> > <wsse:Username>bart\myuser</wsse:Username> > <wsse:Password > > Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password> > </wsse:UsernameToken> > </wsse:Security> > </soap:Header> > <soap:Body> > <wst:RequestSecurityToken > xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"> > > <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue > </wst:RequestType> > <wsp:AppliesTo > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> > <wsa:EndpointReference > xmlns:wsa="http://www.w3.org/2005/08/addressing"> > <wsa:Address> > > https://host/ServiceModelSamples/service.svc/SSLA > </wsa:Address> > </wsa:EndpointReference> > </wsp:AppliesTo> > <wst:Lifetime> > <wsu:Created > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-04-06T10:00:46.692Z > </wsu:Created> > <wsu:Expires > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2009-04-06T10:05:46.692Z > </wsu:Expires> > </wst:Lifetime> > > <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct > </wst:TokenType> > <wst:Entropy> > <wst:BinarySecret > > Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">7pPJRu/vrIfSeAzoq48kAd+55khFFbU/sLw0PeYkIKA= > </wst:BinarySecret> > </wst:Entropy> > <wst:ComputedKeyAlgorithm> > > http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 > </wst:ComputedKeyAlgorithm> > 
</wst:RequestSecurityToken> > </soap:Body> > </soap:Envelope> > [edit] CXF Client Response from Server 1 > <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" > xmlns:a="http://www.w3.org/2005/08/addressing" > > xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> > <s:Header> > <a:Action s:mustUnderstand="1"> > > http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT</a:Action> > <a:RelatesTo>urn:uuid:ee3fd188-2a43-4d0e-b202-aac81f803bc5 > </a:RelatesTo> > <o:Security s:mustUnderstand="1" > > xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> > <u:Timestamp u:Id="_0"> > <u:Created>2009-04-06T10:00:28.212Z > </u:Created> > <u:Expires>2009-04-06T10:05:28.212Z > </u:Expires> > </u:Timestamp> > </o:Security> > </s:Header> > <s:Body> > <t:RequestSecurityTokenResponse > xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"> > > <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct > </t:TokenType> > <t:RequestedSecurityToken> > <c:SecurityContextToken > > u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3" > xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"> > > <c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20 > </c:Identifier> > </c:SecurityContextToken> > </t:RequestedSecurityToken> > <wsp:AppliesTo > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"> > <EndpointReference > xmlns="http://www.w3.org/2005/08/addressing"> > <Address> > > https://host/ServiceModelSamples/service.svc/SSLA > </Address> > </EndpointReference> > </wsp:AppliesTo> > <t:RequestedAttachedReference> > <o:SecurityTokenReference > > xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> > <o:Reference > ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" > > URI="#uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3"></o:Reference> > </o:SecurityTokenReference> > </t:RequestedAttachedReference> > <t:RequestedUnattachedReference> > 
<o:SecurityTokenReference > > xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"> > <o:Reference > URI="urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20" > > ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"></o:Reference> > </o:SecurityTokenReference> > </t:RequestedUnattachedReference> > <t:RequestedProofToken> > > <t:ComputedKey>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1 > </t:ComputedKey> > </t:RequestedProofToken> > <t:Entropy> > <t:BinarySecret > u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-4" > > Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">f6m4wEJy9gPMttOxzM+7yf1i5biWxbNaBfbx1sWvVPw= > </t:BinarySecret> > </t:Entropy> > <t:Lifetime> > <u:Created>2009-04-06T10:00:28.208Z > </u:Created> > <u:Expires>2009-04-07T01:00:28.208Z > </u:Expires> > </t:Lifetime> > <t:KeySize>256</t:KeySize> > </t:RequestSecurityTokenResponse> > </s:Body> > </s:Envelope> > [edit] CXF Client Request 2 > <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"> > <soap:Header> > <Action xmlns="http://www.w3.org/2005/08/addressing"> > > http://Microsoft.ServiceModel.Samples/ICalculator/Add</Action> > <MessageID xmlns="http://www.w3.org/2005/08/addressing"> > > urn:uuid:b879526c-68c1-4713-8912-6ee23264715f</MessageID> > <To xmlns="http://www.w3.org/2005/08/addressing"> > https://host/ServiceModelSamples/service.svc/SSLA</To> > <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"> > <Address>http://www.w3.org/2005/08/addressing/anonymous > </Address> > </ReplyTo> > <wsse:Security > > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" > soap:mustUnderstand="true"> > <wsu:Timestamp > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > wsu:Id="Timestamp-937741416"> > <wsu:Created>2009-04-06T10:00:48.903Z > </wsu:Created> > <wsu:Expires>2009-04-06T10:05:48.903Z > </wsu:Expires> > </wsu:Timestamp> > <c:SecurityContextToken > 
xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc" > > xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > > u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3"> > > <c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20 > </c:Identifier> > </c:SecurityContextToken> > <ds:Signature > xmlns:ds="http://www.w3.org/2000/09/xmldsig#" > Id="Signature-1670444352"> > <ds:SignedInfo> > <ds:CanonicalizationMethod > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> > <ds:SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1" /> > <ds:Reference > URI="#Timestamp-937741416"> > <ds:Transforms> > <ds:Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> > </ds:Transforms> > <ds:DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> > > <ds:DigestValue>/gRfeAVaxWCey/0KWfXh4VDIdGA= > </ds:DigestValue> > </ds:Reference> > </ds:SignedInfo> > <ds:SignatureValue>rhEDDQNJHxAKgsBz5ZVPma1TkeY= > </ds:SignatureValue> > <ds:KeyInfo Id="KeyId-451036744"> > <wsse:SecurityTokenReference > > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" > > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > wsu:Id="STRId-187592160"> > <wsse:Reference > > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" > > URI="#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20" > ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" /> > </wsse:SecurityTokenReference> > </ds:KeyInfo> > </ds:Signature> > </wsse:Security> > </soap:Header> > <soap:Body> > <ns1:Add xmlns:ns1="http://Microsoft.ServiceModel.Samples"> > <ns1:n1 > xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/" > xmlns:xs="http://www.w3.org/2001/XMLSchema" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:type="xs:string">1</ns1:n1> > <ns1:n2 > 
xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/" > xmlns:xs="http://www.w3.org/2001/XMLSchema" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:type="xs:string">2</ns1:n2> > </ns1:Add> > </soap:Body> > </soap:Envelope> > [edit] CXF Client Response from Server 2 > <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" > xmlns:a="http://www.w3.org/2005/08/addressing"> > <s:Header> > <a:Action s:mustUnderstand="1"> > > http://www.w3.org/2005/08/addressing/soap/fault</a:Action> > <a:RelatesTo>urn:uuid:c20c8ac5-3e6d-4189-8db8-97dda22f7cdc > </a:RelatesTo> > </s:Header> > <s:Body> > <s:Fault> > <s:Code> > <s:Value>s:Sender</s:Value> > <s:Subcode> > <s:Value > > xmlns:a="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">a:InvalidSecurity</s:Value> > </s:Subcode> > </s:Code> > <s:Reason> > <s:Text xml:lang="en-GB">An error occurred when > verifying security > for the message.</s:Text> > </s:Reason> > </s:Fault> > </s:Body> > </s:Envelope> > [edit] Analysis > CXF client sends the following on request 2 with the URI attribute of the > Reference element equal to the element content of the Identifier element. > <c:SecurityContextToken u:Id="uuid-e19e1759-7ef7-452b-9055-17ed4b15114c-3"> > > <c:Identifier>urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20</c:Identifier> > </c:SecurityContextToken> > ... 
> <ds:KeyInfo Id="KeyId-451036744"> > <wsse:SecurityTokenReference> > <wsse:Reference > URI="#urn:uuid:cc05aea2-c53b-417e-9527-5d81102d6b20" > > ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" /> > </wsse:SecurityTokenReference> > </ds:KeyInfo> > The WCF client, however, sends the following in its second request, with the > URI attribute of the Reference element equal to the wsu:Id attribute of the > SecurityContextToken element (prefixed with '#'): > <c:SecurityContextToken u:Id="uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1" > xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc"> > <c:Identifier>urn:uuid:33b535ab-9f44-431a-87c9-0d1cf8c71d8e</c:Identifier> > </c:SecurityContextToken> > ... > <KeyInfo> > <o:SecurityTokenReference> > <o:Reference > ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct" > > URI="#uuid-75ea67a3-c521-4a6c-8fff-f23ff9e793bc-1"></o:Reference> > </o:SecurityTokenReference> > </KeyInfo> > This matches the two reference forms the RSTR itself hands back: the RequestedAttachedReference uses URI="#<wsu:Id of the token>" (a local, in-message reference), while the RequestedUnattachedReference uses URI="<c:Identifier URN>" with no '#'. CXF mixes the two - it takes the unattached Identifier URN and gives it the '#' prefix of an attached reference - so the receiver strips the '#' and looks for a token whose local Id is the URN. No such token exists (the SCT's Id is the uuid-... value), which is exactly what the WCF exception reports: a LocalIdKeyIdentifierClause with LocalId = 'urn:uuid:...' against a resolver that only holds a SecurityContextSecurityToken with an Internal reference style. Note that a URN containing ':' is not a valid NCName and so can never be a wsu:Id; a "#urn:uuid:..." reference is therefore unresolvable by construction, not merely a WCF quirk. > If the following change is made in the > org.apache.cxf.ws.security.wss4j.policyhandler.TransportBindingHandler (CXF trunk, 2.2 version): > sig.setCustomTokenId(secTok.getId()); > changed to > Node firstChild = securityToken.getAttachedReference().getFirstChild(); > Attr referenceUriAttribute = (Attr) > firstChild.getAttributes().getNamedItem("URI"); > String referenceUri = referenceUriAttribute.getValue().substring(1); > sig.setCustomTokenId(referenceUri); > then the CXF client communicates with the WCF server successfully. Caveats for whoever applies this: the snippet assumes an attached reference is present, that its first child is the wsse:Reference element, and that the URI begins with '#'; a real fix should null-check each step and verify the leading '#' before stripping it (failing the request rather than signing with a mangled id), and would ideally take the token's wsu:Id directly instead of parsing it back out of the attached reference, since that URI is just '#' + that Id. This is an interoperability fix only: it changes which identifier the client writes into the SecurityTokenReference, not the key material or the signed content, and the receiving side still fails closed if the reference does not resolve. It is not > expected that this is the correct place for the fix, since there are other > places in the CXF source which set the custom token id on the signature. It > is more likely that a correction is required earlier in the logic so that the > security token exposes the id reference (i.e. the attached Reference URI) correctly and makes it > available for configuring the signature. (Unrelated to this bug: the Multiply assertion in the test case above compares new Double(6.0) with the Object[] answer rather than answer[0], so it will fail even once the signature issue is resolved.) -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.