[ https://issues.apache.org/jira/browse/RAMPART-329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Lazarski updated RAMPART-329:
------------------------------------
Fix Version/s: 2.0.0
> Interoperability with WSIT problem: RampartException: Error in adding token into store
> --------------------------------------------------------------------------------------
>
> Key: RAMPART-329
> URL: https://issues.apache.org/jira/browse/RAMPART-329
> Project: Rampart
> Issue Type: Bug
> Components: rampart-trust
> Affects Versions: 1.4, 1.5
> Environment: Axis2 1.5.1
> Metro 2.1
> Reporter: Rustam Abdullaev
> Assignee: Robert Lazarski
> Priority: Major
> Fix For: 2.0.0
>
>
> The combination Axis2 (Rampart) service + Metro (WSIT) client doesn't work
> when using the SymmetricBinding policy. The cause is that Rampart caches all
> EncryptedKeys by their ID, assuming that these are UUIDs, while WSIT just
> assigns IDs that are unique within a single SOAP message, like "_1", "_2",
> etc.
> As a consequence, only the first request succeeds, with all subsequent
> requests failing with:
> org.apache.axis2.AxisFault: Error in adding token into store
>     at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:70)
>     at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
>     at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
>     at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:429)
>     at org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:43)
>     at org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:100)
>     at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:176)
>     at org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:275)
>     at org.apache.axis2.transport.http.HTTPWorker.service(HTTPWorker.java:278)
>     at org.apache.axis2.transport.http.server.AxisHttpService.doService(AxisHttpService.java:281)
>     at org.apache.axis2.transport.http.server.AxisHttpService.handleRequest(AxisHttpService.java:187)
>     at org.apache.axis2.transport.http.server.HttpServiceProcessor.run(HttpServiceProcessor.java:82)
>     at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1061)
>     at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:575)
>     at java.lang.Thread.run(Thread.java:595)
> Caused by: org.apache.rampart.RampartException: Error in adding token into store
>     at org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:787)
>     at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:424)
>     at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:90)
>     at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
>     at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
>     ... 14 more
> (and, after patching Rampart not to swallow the root cause)
> Caused by: org.apache.rahas.TrustException: "The token "_5002" already exists in the store
>     at org.apache.rahas.SimpleTokenStore.add(SimpleTokenStore.java:65)
>     at org.apache.rampart.builder.SymmetricBindingBuilder.getEncryptedKey(SymmetricBindingBuilder.java:782)
>     ... 18 more
> As can be seen, the first EncryptedKey with ID "_5002" couldn't be added to
> the store. That is because the WSIT request looks like:
> <?xml version='1.0' encoding='UTF-8'?>
> <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:xs="http://www.w3.org/2001/XMLSchema"
>     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>     xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
>     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>     xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
>   <S:Header>
>     <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8080/axis2/services/LoginService.LoginServicePortType</To>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>     </ReplyTo>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:be30f6b8-a756-4ef4-a2d4-ed79579ab73d</MessageID>
>     <wsse:Security S:mustUnderstand="1">
>       <wsu:Timestamp xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_5">
>         <wsu:Created>2011-03-11T12:41:26Z</wsu:Created>
>         <wsu:Expires>2011-03-11T12:46:26Z</wsu:Expires>
>       </wsu:Timestamp>
>       <xenc:EncryptedKey xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5002">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>         <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
>           <wsse:SecurityTokenReference>
>             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
>                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">HYL371NzoOs2+IA24VDkBGcUFQM=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>U2P07ZSaepPHGlHuIHYZX9oL5Vrhy.......</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedKey>
>       <wsc:DerivedKeyToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_3">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#_5002"
>               ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
>         </wsse:SecurityTokenReference>
>         <wsc:Offset>0</wsc:Offset>
>         <wsc:Length>16</wsc:Length>
>         <wsc:Nonce>XvWeqk48yU+hL9QA5+JzUeIM</wsc:Nonce>
>       </wsc:DerivedKeyToken>
>       <wsse:BinarySecurityToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope"
>           ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>           EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>           wsu:Id="uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3">MIICTDCCAbUCBEbJZMQwDQ.........</wsse:BinarySecurityToken>
>       <wsc:DerivedKeyToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_4">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#_5002"
>               ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" />
>         </wsse:SecurityTokenReference>
>         <wsc:Offset>0</wsc:Offset>
>         <wsc:Length>16</wsc:Length>
>         <wsc:Nonce>dZZ0MgLmAc+T9wBBxY7y/oDS</wsc:Nonce>
>       </wsc:DerivedKeyToken>
>       <xenc:ReferenceList xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope">
>         <xenc:DataReference URI="#_5005" />
>         <xenc:DataReference URI="#_5006" />
>       </xenc:ReferenceList>
>       <xenc:EncryptedData xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5006"
>           Type="http://www.w3.org/2001/04/xmlenc#Element">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>         <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#_4" />
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>ggGI89+Ajl2PytO/7NM3TeC/......</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedData>
>       <ds:Signature xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>           xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_6">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <exc14n:InclusiveNamespaces PrefixList="wsse S" />
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>           <ds:Reference URI="#_1">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <exc14n:InclusiveNamespaces PrefixList="wsu wsse S" />
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <ds:DigestValue>yo9B6dCgG2r5JtJA0iOZPOQALBU=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>SGLHUTns15tib3gnll2H.....</ds:SignatureValue>
>         <ds:KeyInfo>
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#uuid_cb17b7ef-6457-4b25-9a66-eb9f3611f0d3"
>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" />
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </S:Header>
>   <S:Body>
>     <xenc:EncryptedData xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
>         xmlns:ns18="http://www.w3.org/2003/05/soap-envelope" Id="_5005"
>         Type="http://www.w3.org/2001/04/xmlenc#Content">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
>       <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#_4" />
>         </wsse:SecurityTokenReference>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue>Nf2O8yHO2Ls1bIDN2.....</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </S:Body>
> </S:Envelope>
> I believe that the problem lies on the Rampart side, as according to the OASIS
> standards EncryptedKey IDs don't have to be unique across SOAP calls.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
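The collision the reporter describes, reduced to a runnable illustration. This is added example code, not Rampart or Rahas code: the two token-store classes, the (MessageID, Id) composite key used as the alternative, and the two constructed WSIT-shaped envelopes are all assumptions made for the example; the page does not show how the issue was actually fixed in 2.0.0.

```python
"""RAMPART-329 in miniature: a token store keyed only by the peer's
EncryptedKey Id rejects the second request once a WSIT client reuses
"_5002", while a store that scopes the Id by the WS-Addressing MessageID
accepts both and resolves "#_5002" to the key carried in the same message.
Stand-alone illustration, not Rampart/Rahas code."""
import uuid
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}


class TrustException(Exception):
    """Stands in for org.apache.rahas.TrustException."""


class GlobalIdTokenStore:
    """Assumed model of the reported behaviour: one map keyed by the Id alone,
    so a second message that reuses "_5002" is rejected as a duplicate."""

    def __init__(self):
        self._tokens = {}

    def add(self, message_id, token_id, token):
        if token_id in self._tokens:
            raise TrustException(f'The token "{token_id}" already exists in the store')
        self._tokens[token_id] = token

    def resolve(self, message_id, uri):
        return self._tokens[uri.lstrip("#")]


class MessageScopedTokenStore:
    """Illustrative alternative (an assumption, not the 2.0.0 patch): key by
    (MessageID, Id), since WSS only promises the Id is unique per message."""

    def __init__(self):
        self._tokens = {}

    def add(self, message_id, token_id, token):
        key = (message_id, token_id)
        if key in self._tokens:
            raise TrustException(f'The token "{token_id}" already exists for {message_id}')
        self._tokens[key] = token

    def resolve(self, message_id, uri):
        return self._tokens[(message_id, uri.lstrip("#"))]


def make_envelope(message_id, enc_key_id, cipher_value):
    """Constructed, WSIT-shaped request: the EncryptedKey Id is message-scoped."""
    return (
        f'<S:Envelope xmlns:S="{NS["S"]}" xmlns:wsa="{NS["wsa"]}" '
        f'xmlns:wsse="{NS["wsse"]}" xmlns:xenc="{NS["xenc"]}">'
        f"<S:Header><wsa:MessageID>{message_id}</wsa:MessageID>"
        f'<wsse:Security><xenc:EncryptedKey Id="{enc_key_id}">'
        f"<xenc:CipherData><xenc:CipherValue>{cipher_value}</xenc:CipherValue>"
        "</xenc:CipherData></xenc:EncryptedKey></wsse:Security></S:Header>"
        "<S:Body/></S:Envelope>"
    )


def ingest(store, envelope_xml):
    """Parse one request, cache its EncryptedKey under the store's policy and
    return the MessageID so the caller can resolve references against it."""
    root = ET.fromstring(envelope_xml)
    message_id = root.findtext("S:Header/wsa:MessageID", namespaces=NS)
    enc_key = root.find("S:Header/wsse:Security/xenc:EncryptedKey", NS)
    cipher = enc_key.findtext("xenc:CipherData/xenc:CipherValue", namespaces=NS)
    store.add(message_id, enc_key.get("Id"), cipher)
    return message_id


def two_requests():
    """Two consecutive requests from the same client, both carrying
    Id="_5002" and both referencing it as "#_5002" (constructed input)."""
    return [
        make_envelope(f"uuid:{uuid.uuid4()}", "_5002", "CIPHER-FIRST-REQUEST"),
        make_envelope(f"uuid:{uuid.uuid4()}", "_5002", "CIPHER-SECOND-REQUEST"),
    ]


def run(store_cls):
    """Push both requests through a fresh store and return, per request,
    the key that "#_5002" resolves to or the rejection message."""
    store = store_cls()
    outcomes = []
    for envelope in two_requests():
        try:
            message_id = ingest(store, envelope)
            outcomes.append(store.resolve(message_id, "#_5002"))
        except TrustException as exc:
            outcomes.append(f"rejected: {exc}")
    return outcomes


if __name__ == "__main__":
    for cls in (GlobalIdTokenStore, MessageScopedTokenStore):
        print(cls.__name__, run(cls))
```

The direction of the failure matters. Rejecting the duplicate, as the trace shows Rampart doing, is the safe default: a store that instead overwrote the entry or handed back the cached one would let "#_5002" in the second message resolve to the key material of the first (or the reverse), turning an interoperability bug into a key-confusion bug. Whatever composite key is chosen, the store also needs expiry; the per-message scope above grows by one entry per request and nothing in this example evicts it.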