[ 
https://issues.apache.org/jira/browse/CXF-4823?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Sergey updated CXF-4823:
------------------------

    Summary: CXF - Rampart  interoperability issue: order of signature and 
encrypted key  (was: CXF - Rampart  interoperability issue)
    
> CXF - Rampart  interoperability issue: order of signature and encrypted key
> ---------------------------------------------------------------------------
>
>                 Key: CXF-4823
>                 URL: https://issues.apache.org/jira/browse/CXF-4823
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>            Reporter: Sergey
>
> We have a CXF web service secured with WS-Security. The problem is that an Axis2 
> client which uses the Rampart module cannot handle the response generated by CXF. 
> Rampart expects xenc:EncryptedKey to come first, followed by ds:Signature. 
> CXF puts the elements in the opposite order. The workaround is
> to re-order the actions in the Axis2 config file:
> {code:xml}
> <parameter name="InflowSecurity">
>       <action>
>         <items>Encrypt Signature Timestamp</items>
>       </action>
>     </parameter>
> {code}
> The question is: how can CXF be made to change the order of the signature and 
> encrypted key elements in the security header of the SOAP response, so that it 
> is compatible with Axis2 clients? Since the order of actions is the same in both 
> the Axis and CXF configuration files, *Signature Encrypt Timestamp*, it 
> should work out of the box, shouldn't it?
> Response sample:
> {code:xml}
> <?xml version="1.0" encoding="utf-8"?>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <wsse:Security 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     soap:mustUnderstand="1">
>       <wsu:Timestamp wsu:Id="TS-6">
>         <wsu:Created>2013-02-10T20:22:51.879Z</wsu:Created>
>         <wsu:Expires>2013-02-10T20:27:51.879Z</wsu:Expires>
>       </wsu:Timestamp>     
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>       Id="SIG-8">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>           <ds:SignatureMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>           <ds:Reference URI="#id-7">
>             <ds:Transforms>
>               <ds:Transform 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             </ds:Transforms>
>             <ds:DigestMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <ds:DigestValue>
>             otiRAVkSs777jSOZqqwBJlFILJo=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#TS-6">
>             <ds:Transforms>
>               <ds:Transform 
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>             </ds:Transforms>
>             <ds:DigestMethod 
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <ds:DigestValue>
>             wAJxVtTNvbPX6aHqrrX7/SOPplQ=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>
>         
> Dy/OVbJOTr1lfqzbZCGxUlanJ0YKVmnyDV9F3Z1aJtB093rXffnKX35o4CxfWqVY/k1COF1TG6mfDZ6nbd1PqM6Vlbk8hBL5iSUFZAKe6RgilD9nYZmWPl2KaLAVrHS66jdmczWGWUh/15YTWB1s8cyNbBSVrwcyKx9FlOgI3pY=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-6029833839643E518513605277718807">
>           <wsse:SecurityTokenReference 
> wsu:Id="STR-6029833839643E518513605277718808">
>             <wsse:KeyIdentifier 
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>             
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
>             4ZQm/eQOxdcAHohj09+Uk4ex3Lw=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>  <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>       Id="EK-6029833839643E518513605277718755">
>         <xenc:EncryptionMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <wsse:SecurityTokenReference>
>             <wsse:KeyIdentifier 
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>             
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">
>             mxCXzekKZqaJcrE3UmHFGOswTnI=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>
>           
> SQWm0I/90/iJUEDAts1jBPC4/W67aDTwrWGzZn1sYYRKyiFx/SxaGj3rtO3Nx8548I0e0ymfGN78ukjcytsUZHoABSNPmJb773Ou4r1l/S7oPqrGCW87A3OpFj3ri62u+iVP3c0u58tnjdIyKXqyeuZTpjtRETlTviH7O4YyInk=</xenc:CipherValue>
>         </xenc:CipherData>
>         <xenc:ReferenceList>
>           <xenc:DataReference URI="#ED-5" />
>         </xenc:ReferenceList>
>       </xenc:EncryptedKey>
>     </wsse:Security>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">
>     
> http://service.resadapter.myidtravel.lhsystems.com/RESAdapterServicePortType/getAvailabilityResponse</Action>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">
>     urn:uuid:f8f2570d-cd35-404a-b413-e5322ca92d01</MessageID>
>     <To xmlns="http://www.w3.org/2005/08/addressing">
>     http://www.w3.org/2005/08/addressing/anonymous</To>
>     <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">
>     urn:uuid:65935AD1BEED993E3D1360527858578</RelatesTo>
>   </soap:Header>
>   <soap:Body 
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   wsu:Id="id-7">
>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#";
>     Id="ED-5" Type="http://www.w3.org/2001/04/xmlenc#Content">
>       <xenc:EncryptionMethod 
> Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <wsse:SecurityTokenReference 
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>         
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
>           <wsse:Reference URI="#EK-6029833839643E518513605277718755" />
>         </wsse:SecurityTokenReference>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue>
>         
> 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</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </soap:Body>
> </soap:Envelope>
> {code}
> Rampart configuration:
> {code:xml}
> <parameter name="InflowSecurity">
>       <action>
>         <items>Signature Encrypt Timestamp</items>
>       </action>
>     </parameter>
> {code}
> CXF configuration:
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>        xmlns:jaxws="http://cxf.apache.org/jaxws"
>        xmlns:wsa="http://cxf.apache.org/ws/addressing"
>     xsi:schemaLocation="http://www.springframework.org/schema/beans 
> http://www.springframework.org/schema/beans/spring-beans.xsd
>                         http://cxf.apache.org/jaxws 
> http://cxf.apache.org/schemas/jaxws.xsd
>                         http://cxf.apache.org/ws/addressing 
> http://cxf.apache.org/schemas/ws-addr-conf.xsd">
>     <import resource="classpath:META-INF/cxf/cxf.xml" />
>     <import resource="classpath:META-INF/cxf/cxf-extension-*.xml" />
>     <import resource="classpath:META-INF/cxf/cxf-servlet.xml" />
>     <!-- Spring manage ServiceBean -->
>     <bean id="RESAdapterService" 
> class="net.worldticket.edi.protocol.ota.RESAdapterService" />
>     <!--
>     Log4j is set to be used in META-INF\cxf\org.apache.cxf.Logger
>     Make sure that log4j INFO level is set for the following interceptors or
>     for the package org.apache.cxf to make them work.
>     -->
>     <bean id="logInInterceptor" 
> class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
>     <bean id="logOutInterceptor" 
> class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
>     <!--
>          WSS4JInInterceptor for decrypting and validating the signature of 
> the SOAP request.
>     -->
>     <bean
>         id="TimestampSignEncrypt_Request"
>         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>         <constructor-arg>
>             <map>
>                 <entry key="action" value="Signature Encrypt Timestamp"/>
>                 <entry key="signaturePropFile" value="interop.properties"/>
>                 <entry key="decryptionPropFile" value="interop.properties"/>
>                 <entry key="passwordCallbackClass" 
> value="net.worldticket.myIdTravel.PasswordCallback"/>
>             </map>
>         </constructor-arg>
>     </bean>
>     <!--
>          WSS4JOutInterceptor for encoding and signing the SOAP response.
>     -->
>     <bean
>         id="TimestampSignEncrypt_Response"
>         class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
>         <constructor-arg>
>             <map>
>                 <entry key="action" value="Signature Encrypt Timestamp"/>
>                 <entry key="user" value="useReqSigCert"/>
>                 <entry key="signatureUser" value="bob"/>
>                 <entry key="signaturePropFile" value="interop.properties"/>
>                 <entry key="encryptionPropFile" value="interop.properties"/>
>                 <entry key="passwordCallbackClass" 
> value="net.worldticket.myIdTravel.PasswordCallback"/>
>                 <entry key="signatureParts" 
> value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp"/>
>                 <entry key="encryptionParts" 
> value="{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
>                 <entry key="encryptionSymAlgorithm" 
> value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
>                 <entry key="encryptionKeyTransportAlgorithm" 
> value="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
>                 <entry key="encryptionKeyIdentifier" value="Thumbprint"/>
>                 <entry key="signatureKeyIdentifier" value="Thumbprint"/>
>             </map>
>         </constructor-arg>
>     </bean>
>     <!-- JAX-WS Service Endpoint -->
>     <jaxws:endpoint id="resadapter" implementor="#RESAdapterService" 
> address="/resadapter">
>         <jaxws:outInterceptors>
>              <ref bean="logOutInterceptor"/>
>              <ref bean="TimestampSignEncrypt_Response"/>
>          </jaxws:outInterceptors>
>          <jaxws:inInterceptors>
>              <ref bean="logInInterceptor"/>
>              <ref bean="TimestampSignEncrypt_Request"/>
>          </jaxws:inInterceptors>
>         <jaxws:features>
>             <wsa:addressing allowDuplicates="false"/>
>         </jaxws:features>
>     </jaxws:endpoint>
> </beans>
> {code}

