[ https://issues.apache.org/jira/browse/CXF-4758?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13556105#comment-13556105 ]
Jair Lopes commented on CXF-4758: --------------------------------- Hi Colm, I just tried with the SNAPSHOT and it works perfectly =) You´re the man! THX Jair > Receive error message when trying to connect to crm 2011 Webservices with > https binding - javax.xml.ws.soap.SOAPFaultException: An error occurred when > verifying security for the message. > ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ > > Key: CXF-4758 > URL: https://issues.apache.org/jira/browse/CXF-4758 > Project: CXF > Issue Type: Bug > Affects Versions: 2.7.2 > Environment: Windows 7 64 Bit. Java 1.6.37 runtime environment > Reporter: Jair Lopes > Priority: Critical > > I am trying to connect from a Java client with cxf to crm 2011 Web > Services(on premise). When I connected over http everything worked fine. But > when I switched to HTTPS(Port 443)I suddenly got this error: > FEIN: Invoking handleMessage on interceptor > org.apache.cxf.ws.policy.PolicyVerificationInFaultInterceptor@17698cbe > Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: An error > occurred when verifying security for the message. > at > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:155) > at $Proxy46.create(Unknown Source) > at GetCRm.doIt(GetCRm.java:322) > at RunHttpSpnego.main(RunHttpSpnego.java:20) > Caused by: org.apache.cxf.binding.soap.SoapFault: An error occurred when > verifying security for the message. > at > org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.unmarshalFault(Soap12FaultInInterceptor.java:133) > at > org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:59) > at > org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:46) > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) > at > org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:114) > at > org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69) > at > org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34) > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) > at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:800) > at > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1590) > at > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1488) > at > org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1307) > at > org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50) > at > org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:229) > at > org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56) > at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:622) > at > org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62) > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) > at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:530) > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:463) > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:366) > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:319) > at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96) > at > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:133) > ... 3 more > Against first thoughts, this was not a time issue between the server and > client. > I activated WCF Tracing and got the following error: > <Exception><ExceptionType>System.ServiceModel.Security.MessageSecurityException, > System.ServiceModel, Version=4.0.0.0, Culture=neutral, > PublicKeyToken=b77a5c561934e089</ExceptionType><Message>A supporting token > that satisfies parameters > 'System.ServiceModel.Security.Tokens.SspiSecurityTokenParameters: > InclusionMode: AlwaysToRecipient > ReferenceStyle: Internal > RequireDerivedKeys: False > RequireCancellation: True' and attachment mode 'Endorsing' was not > provided.</Message><StackTrace> at > System.ServiceModel.Security.ReceiveSecurityHeader.VerifySupportingToken(TokenTracker > tracker) > at System.ServiceModel.Security.ReceiveSecurityHeader.Process(TimeSpan > timeout, ChannelBinding channelBinding, ExtendedProtectionPolicy > extendedProtectionPolicy) > at > System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessageCore(Message&amp; > message, TimeSpan timeout) > at > System.ServiceModel.Security.TransportSecurityProtocol.VerifyIncomingMessage(Message&amp; > message, TimeSpan timeout) > at > System.ServiceModel.Security.SecurityProtocol.VerifyIncomingMessage(Message&amp; > message, TimeSpan timeout, SecurityProtocolCorrelationState[] > correlationStates) > at > System.ServiceModel.Channels.SecurityChannelListener`1.ServerSecurityChannel`1.VerifyIncomingMessage(Message&amp; > message, TimeSpan timeout, SecurityProtocolCorrelationState[] > correlationState) > at > System.ServiceModel.Channels.SecurityChannelListener`1.SecurityReplyChannel.ProcessReceivedRequest(RequestContext > requestContext, TimeSpan timeout) > at > System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.OnInnerReceiveDone() > at > System.ServiceModel.Channels.SecurityChannelListener`1.ReceiveItemAndVerifySecurityAsyncResult`2.InnerTryReceiveCompletedCallback(IAsyncResult > result) > at System.Runtime.Fx.AsyncThunk.UnhandledExceptionFrame(IAsyncResult > result) > at System.Runtime.AsyncResult.Complete(Boolean completedSynchronously) > at System.Runtime.InputQueue`1.AsyncQueueReader.Set(Item item) > at System.Runtime.InputQueue`1.Dispatch() > at System.Runtime.IOThreadScheduler.ScheduledOverlapped.IOCallback(UInt32 > errorCode, UInt32 numBytes, NativeOverlapped* nativeOverlapped) > at System.Runtime.Fx.IOCompletionThunk.UnhandledExceptionFrame(UInt32 > error, UInt32 bytesRead, NativeOverlapped* nativeOverlapped) > at > System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32 > errorCode, UInt32 numBytes, NativeOverlapped* pOVERLAP) > </StackTrace><ExceptionString>System.ServiceModel.Security.MessageSecurityException: > A supporting token that satisfies parameters > 'System.ServiceModel.Security.Tokens.SspiSecurityTokenParameters: > InclusionMode: AlwaysToRecipient > ReferenceStyle: Internal > RequireDerivedKeys: False > RequireCancellation: True' and attachment mode 'Endorsing' was not > provided.</ExceptionString></Exception></TraceRecord></DataItem></TraceData></ApplicationData></E2ETraceEvent><E2ETraceEvent > xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent"><System > xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system"><EventID>458802</EventID><Type>3</Type><SubType > Name="Warning">0</SubType><Level>4</Level><TimeCreated > SystemTime="2013-01-16T13:55:44.5998534Z" /><Source > Name="System.ServiceModel" /><Correlation > ActivityID="{00000000-0000-0000-0000-000000000000}" /><Execution > ProcessName="w3wp" ProcessID="8504" ThreadID="16" > /><Channel/><Computer>LOGICALIS-ALT</Computer></System><ApplicationData><TraceData><DataItem><TraceRecord > xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" > Severity="Warning"><TraceIdentifier>http://msdn.microsoft.com/de-DE/library/System.ServiceModel.Security.SecurityBindingVerifyIncomingMessageFailure.aspx</TraceIdentifier><Description>The > security protocol cannot verify the incoming message.</Description> > This only happens when trying to connect over HTTPS. > I connect to my endpoint by using a servicestub generated with WSDL to java. > The authentication policy for the Webservice Looks like this: > <?xml version="1.0" encoding="utf-8" ?> > - <wsdl:definitions > targetNamespace="http://schemas.microsoft.com/xrm/2011/Contracts/Services" > xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" > xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex" > xmlns:wsa10="http://www.w3.org/2005/08/addressing" > xmlns:tns="http://schemas.microsoft.com/xrm/2011/Contracts/Services" > xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" > xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy" > xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract" > xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" > xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" > xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" > xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" > xmlns:xsd="http://www.w3.org/2001/XMLSchema" > xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"> > - <wsp:Policy wsu:Id="CustomBinding_IOrganizationService_policy"> > - <wsp:ExactlyOne> > - <wsp:All> > - <ms-xrm:AuthenticationPolicy > xmlns:ms-xrm="http://schemas.microsoft.com/xrm/2011/Contracts/Services"> > <ms-xrm:Authentication>ActiveDirectory</ms-xrm:Authentication> > </ms-xrm:AuthenticationPolicy> > - <sp:TransportBinding > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> > - <wsp:Policy> > - <sp:TransportToken> > - <wsp:Policy> > <sp:HttpsToken RequireClientCertificate="false" /> > </wsp:Policy> > </sp:TransportToken> > - <sp:AlgorithmSuite> > - <wsp:Policy> > <sp:Basic256 /> > </wsp:Policy> > </sp:AlgorithmSuite> > - <sp:Layout> > - <wsp:Policy> > <sp:Strict /> > </wsp:Policy> > </sp:Layout> > <sp:IncludeTimestamp /> > </wsp:Policy> > </sp:TransportBinding> > - <sp:EndorsingSupportingTokens > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> > - <wsp:Policy> > - <sp:SpnegoContextToken > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"> > <wsp:Policy /> > </sp:SpnegoContextToken> > </wsp:Policy> > </sp:EndorsingSupportingTokens> > - <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> > <wsp:Policy /> > </sp:Wss11> > - <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> > - <wsp:Policy> > <sp:MustSupportIssuedTokens /> > <sp:RequireClientEntropy /> > <sp:RequireServerEntropy /> > </wsp:Policy> > </sp:Trust10> > <wsaw:UsingAddressing /> > </wsp:All> > </wsp:ExactlyOne> > </wsp:Policy> > The authentication process is handled by Spnego. > I simply changed the Webservice endpoint for my URL and imported the > neccessary certificates into the respective java certca store > besides that I didn´t make any changes to the code. > I have tried for a long time to make it work but without success. Can you > guys tell me more about this? > Am I missing something in my code that I have to add to make this work? -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators For more information on JIRA, see: http://www.atlassian.com/software/jira