We use Ws-Security over https (java 6, jboss 5.0CR1, jbossws core 3.0.2). Client is java 6 (Sun XWSS). Server uses a real production certificate, client -a self-signed one (I was told it was created with openssl, not keytool). Request is successfully validated during SSL handshake using CLIENT-CERT, and authorized with JAAS. This means on the java.security.cert level the server is able to recognize and authenticate the certificate as valid one (compared to the truststore). However, on WS-Security level we get an exception. Below is the trace. What is wrong with key identifier? Thanks.
2008-08-19 15:20:14,592 TRACE [org.jboss.ws.core.jaxws.handler.HandlerChainExecutor] (http-0.0.0.0-8443-1:) BEFORE handleRequest - [EMAIL PROTECTED] <S:Envelope xmlns:S='http://schemas.xmlsoap.org/soap/envelope/'> <S:Header> <wsse:Security S:mustUnderstand='1' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd'> <wsu:Timestamp wsu:Id='XWSSGID-12191736147481681242501' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'> <wsu:Created>2008-08-19T19:20:14Z</wsu:Created> <wsu:Expires>2008-08-19T19:25:14Z</wsu:Expires> </wsu:Timestamp> <ds:Signature Id='XWSSGID-12191736146031743555814' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> </ds:CanonicalizationMethod> <ds:SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/> <ds:Reference URI='#XWSSGID-1219173614748711119660' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/> <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>D5VC3nxO1mCHdvlx3ZlL+pKVOMo=</ds:DigestValue> </ds:Reference> <ds:Reference URI='#XWSSGID-12191736147481681242501' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'> <ds:DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1' xmlns:ds='http://www.w3.org/2000/09/xmldsig#'/> <ds:DigestValue xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>sl1ERXikaFn0w4iWQtKnNS2dYuE=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>d4zmVhrNWDjNqSQ8tHXH7iEUAKj0pmnFwkbTWdyQEiCRry4INKT4lZpVnNG6qcsKMM+fh1CPOyd4 eHCZYOZjdpFhPYEIbfBzjZuiOkrnXmwIVm43bS7bCW+R9xELJ67cgldJL03G9ntcdsOo3I/vxEGn BRZm4siJbM2VbUrtLfE=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference wsu:Id='XWSSGID-12191736147371393264612' xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'> <wsse:KeyIdentifier EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier'>VsF5XAhG06l2TVSo6RafX5b9epw=</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </S:Header> <S:Body wsu:Id='XWSSGID-1219173614748711119660' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'> <ns2:GetAllStatementList xmlns:ns2='http://www.wsc.com/'> test 0 sm0 2007 TX10000976 </ns2:GetAllStatementList> </S:Body> </S:Envelope> 2008-08-19 15:20:14,592 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) put: APPLICATION:org.jboss.ws.allow.expand.dom=true 2008-08-19 15:20:14,592 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) get(javax.xml.ws.handler.message.outbound): APPLICATION:javax.xml.ws.handler.message.outbound=false 2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.jaxws.handler.HandlerChainExecutor] (http-0.0.0.0-8443-1:) AFTER handleRequest - [EMAIL PROTECTED]: unchanged 2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,593 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getChildNodes 2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.jaxws.handler.HandlerChainExecutor] (http-0.0.0.0-8443-1:) BEFORE handleRequest - WSSecurity Handler: unchanged 2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) put: APPLICATION:org.jboss.ws.allow.expand.dom=true 2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) get(javax.xml.ws.handler.message.outbound): APPLICATION:javax.xml.ws.handler.message.outbound=false 2008-08-19 15:20:14,594 TRACE [org.jboss.ws.core.CommonMessageContext] (http-0.0.0.0-8443-1:) get(javax.xml.ws.addressing.context.inbound): null 2008-08-19 15:20:14,594 DEBUG [org.jboss.ws.core.soap.SOAPMessageDispatcher] (http-0.0.0.0-8443-1:) getDispatchDestination: {http://www.wsc.com/}GetAllStatementList 2008-08-19 15:20:14,594 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.keystore 2008-08-19 15:20:14,594 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.keystore 2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password 2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password 2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password 2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password 2008-08-19 15:20:14,595 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.truststore 2008-08-19 15:20:14,595 DEBUG [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) loadStore: vfszip:/opt/jboss/jboss-5.0.0.CR1/server/cpportal2/deploy/cpportal2-ear.ear/statements-web.war/WEB-INF/cpportal2.truststore 2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password 2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypt password: password 2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password 2008-08-19 15:20:14,595 TRACE [org.jboss.ws.extensions.security.SecurityStore] (http-0.0.0.0-8443-1:) decrypted password: password 2008-08-19 15:20:14,596 TRACE [org.jboss.ws.core.soap.SOAPContentElement] (http-0.0.0.0-8443-1:) getFirstChild 2008-08-19 15:20:14,596 ERROR [org.jboss.ws.extensions.security.WSSecurityDispatcher] (http-0.0.0.0-8443-1:) Internal error occured handling inbound message: org.jboss.ws.extensions.security.exception.SecurityTokenUnavailableException: Could not locate certificate by key identifier at org.jboss.ws.extensions.security.KeyResolver.resolveKeyIdentifier(KeyResolver.java:116) at org.jboss.ws.extensions.security.KeyResolver.resolve(KeyResolver.java:89) at org.jboss.ws.extensions.security.KeyResolver.resolveCertificate(KeyResolver.java:131) at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:141) at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:161) at org.jboss.ws.extensions.security.element.Signature.(Signature.java:60) at org.jboss.ws.extensions.security.element.SecurityHeader.(SecurityHeader.java:87) at org.jboss.ws.extensions.security.SecurityDecoder.decode(SecurityDecoder.java:192) at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:105) at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:83) at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:41) at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:55) at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:295) at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:140) at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97) at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:127) at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:171) at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:466) at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:284) at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:201) at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:134) at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:84) at javax.servlet.http.HttpServlet.service(HttpServlet.java:803) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:183) at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:189) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:525) at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:90) at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:96) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:325) at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:828) at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601) at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447) at java.lang.Thread.run(Unknown Source) Some service config details: -------------------------- @WebService(name = "Statements", targetNamespace = "http://www.wsc.com/", serviceName = "StatementsService", portName = "StatementsPort") @EndpointConfig(configName = "Standard WSSecurity Endpoint") @SOAPBinding(style = SOAPBinding.Style.DOCUMENT, parameterStyle = SOAPBinding.ParameterStyle.WRAPPED) @MTOM(enabled = true) @BindingType(value = "http://schemas.xmlsoap.org/wsdl/soap/http?mtom=true") @WebContext(secureWSDLAccess = true) @SecurityDomain("CPPortal2WSCert") @DeclareRoles( {"statements-client"}) @RolesAllowed( {"statements-client"}) public class StatementService ------------------------------------------------ <?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd" id="WebApp_ID" version="2.5"> <display-name>statements</display-name> <servlet-name>Statements</servlet-name> <servlet-class>com.wsc.cp.web.statements.StatementService</servlet-class> <servlet-mapping> <servlet-name>Statements</servlet-name> <url-pattern>/statements</url-pattern> </servlet-mapping> <session-config> <session-timeout>30</session-timeout> </session-config> <login-config> <auth-method>CLIENT-CERT</auth-method> </login-config> <security-constraint> <web-resource-collection> <web-resource-name>Statements</web-resource-name> <url-pattern>/statements</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> </web-app> ---------------------------------- <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd"> <key-store-file>WEB-INF/cpportal2.keystore</key-store-file> <key-store-password>password</key-store-password> <key-store-type>jks</key-store-type> <trust-store-file>WEB-INF/cpportal2.truststore</trust-store-file> <trust-store-password>password</trust-store-password> <trust-store-type>jks</trust-store-type> <timestamp-verification createdTolerance="5" warnCreated="true" expiresTolerance="10" warnExpires="true" /> <!-- --> <!-- --> </jboss-ws-security> ---------------------------------- CN\=test.client=statements-client ------------------------------------------- View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4171364#4171364 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4171364 _______________________________________________ jboss-user mailing list jboss-user@lists.jboss.org https://lists.jboss.org/mailman/listinfo/jboss-user