I thought the problem was because WSS4J now is expecting a different keystore for trusted certs and another for keys... or should it be backward compatible?

On Tue, Jul 26, 2011 at 10:22 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> Hi,
>
> Could you try with this jar? I fixed a problem recently in WSS4J that
> sounds like it could be the problem here:
>
> https://issues.apache.org/jira/secure/attachment/12487842/wss4j-1.6.2-SNAPSHOT.jar
>
> Colm.
>
> On Tue, Jul 19, 2011 at 3:34 PM, Jaime Hablutzel Egoavil <hablutz...@gmail.com> wrote:
> > No, I was using 2.3.5 because with 2.4.1 my configuration is not working,
> > a wsdl like this one:
> >
> > <?xml version='1.0' encoding='UTF-8'?>
> > <wsdl:definitions name="CXFLibraryImplService"
> >     targetNamespace="http://service2.ws.service.kprtech.com/"
> >     xmlns:ns1="http://cxf.apache.org/bindings/xformat"
> >     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> >     xmlns:tns="http://service2.ws.service.kprtech.com/"
> >     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> >     xmlns:xsd="http://www.w3.org/2001/XMLSchema">
> >
> >   <wsp:Policy wsu:Id="SignEncr"
> >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >           <wsp:Policy>
> >             <sp:InitiatorToken>
> >               <wsp:Policy>
> >                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >                   <wsp:Policy>
> >                     <sp:RequireThumbprintReference/>
> >                     <sp:WssX509V1Token10/>
> >                   </wsp:Policy>
> >                 </sp:X509Token>
> >               </wsp:Policy>
> >             </sp:InitiatorToken>
> >             <sp:RecipientToken>
> >               <wsp:Policy>
> >                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >                   <wsp:Policy>
> >                     <sp:RequireThumbprintReference/>
> >                     <sp:WssX509V3Token10/>
> >                   </wsp:Policy>
> >                 </sp:X509Token>
> >               </wsp:Policy>
> >             </sp:RecipientToken>
> >             <sp:AlgorithmSuite>
> >               <wsp:Policy>
> >                 <sp:TripleDesRsa15/>
> >               </wsp:Policy>
> >             </sp:AlgorithmSuite>
> >             <sp:Layout>
> >               <wsp:Policy>
> >                 <sp:Strict/>
> >               </wsp:Policy>
> >             </sp:Layout>
> >             <sp:IncludeTimestamp/>
> >             <sp:OnlySignEntireHeadersAndBody/>
> >           </wsp:Policy>
> >         </sp:AsymmetricBinding>
> >         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >           <wsp:Policy>
> >             <sp:MustSupportRefKeyIdentifier/>
> >             <sp:MustSupportRefIssuerSerial/>
> >           </wsp:Policy>
> >         </sp:Wss10>
> >         <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >           <sp:Body/>
> >         </sp:SignedParts>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> >   <wsdl:types>
> >     <xs:schema elementFormDefault="unqualified"
> >         targetNamespace="http://service2.ws.service.kprtech.com/" version="1.0"
> >         xmlns:tns="http://service2.ws.service.kprtech.com/"
> >         xmlns:xs="http://www.w3.org/2001/XMLSchema">
> >       <xs:element name="sayHello" type="tns:sayHello" />
> >       <xs:element name="sayHelloResponse" type="tns:sayHelloResponse" />
> >       <xs:complexType name="sayHello">
> >         <xs:sequence>
> >           <xs:element minOccurs="0" name="arg0" type="xs:string" />
> >         </xs:sequence>
> >       </xs:complexType>
> >       <xs:complexType name="sayHelloResponse">
> >         <xs:sequence>
> >           <xs:element minOccurs="0" name="return" type="xs:string" />
> >         </xs:sequence>
> >       </xs:complexType>
> >     </xs:schema>
> >   </wsdl:types>
> >   <wsdl:message name="sayHelloResponse">
> >     <wsdl:part element="tns:sayHelloResponse" name="parameters">
> >     </wsdl:part>
> >   </wsdl:message>
> >   <wsdl:message name="sayHello">
> >     <wsdl:part element="tns:sayHello" name="parameters">
> >     </wsdl:part>
> >   </wsdl:message>
> >   <wsdl:portType name="Library">
> >     <wsdl:operation name="sayHello">
> >       <wsdl:input message="tns:sayHello" name="sayHello">
> >       </wsdl:input>
> >       <wsdl:output message="tns:sayHelloResponse" name="sayHelloResponse">
> >       </wsdl:output>
> >     </wsdl:operation>
> >   </wsdl:portType>
> >   <wsdl:binding name="CXFLibraryImplServiceSoapBinding" type="tns:Library">
> >     <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#SignEncr"/>
> >     <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
> >     <wsdl:operation name="sayHello">
> >       <soap:operation soapAction="" style="document" />
> >       <wsdl:input name="sayHello">
> >         <soap:body use="literal" />
> >       </wsdl:input>
> >       <wsdl:output name="sayHelloResponse">
> >         <soap:body use="literal" />
> >       </wsdl:output>
> >     </wsdl:operation>
> >   </wsdl:binding>
> >   <wsdl:service name="CXFLibraryImplService">
> >     <wsdl:port binding="tns:CXFLibraryImplServiceSoapBinding" name="CXFLibraryImplPort">
> >       <soap:address location="http://localhost:8080/domicilios/services/service2" />
> >     </wsdl:port>
> >   </wsdl:service>
> > </wsdl:definitions>
> >
> > The service exposed this way:
> >
> > <jaxws:endpoint id="service2"
> >     implementor="com.kprtech.service.ws.service2.CXFLibraryImpl"
> >     wsdlLocation="classpath:service2.wsdl"
> >     address="/service2">
> >   <jaxws:properties>
> >     <entry key="ws-security.signature.properties" value="server-crypto.properties"/>
> >     <entry key="ws-security.signature.username" value="serverkey"/>
> >     <!--<entry key="ws-security.encryption.username" value="useReqSigCert"/>-->
> >     <entry key="ws-security.callback-handler" value="com.kprtech.service.ws.impl.ServerCallback"/>
> >   </jaxws:properties>
> > </jaxws:endpoint>
> >
> > And the client generated using the cxf tool.
> >
> > This is working perfectly in 2.3.5 and 2.2.6. Has something changed for
> > the 2.4.1 version when the wsdl-first approach is used?
> >
> > I'm getting this error:
> >
> > 2011-07-19 09:26:23,720 [qtp32323148-24] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://service2.ws.service.kprtech.com/}CXFLibraryImplService has thrown exception, unwinding now
> > org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
> >
> >
> > On Tue, Jul 19, 2011 at 3:36 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
> > > Hi Jaime,
> > >
> > > What version of CXF are you using? There is a better way to do this
> > > than via a CXF interceptor from CXF 2.4.0 onwards. Trust validation is
> > > done by WSS4J via the SignatureTrustValidator, which is given the
> > > certificate used to verify the signature, and verifies trust via the
> > > CertPath API. You can simply plug your own Validator implementation in
> > > here instead. See this blog entry for more details:
> > >
> > > http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html
> > >
> > > Colm.
> > >
> > > On Mon, Jul 18, 2011 at 7:30 PM, Jaime Hablutzel Egoavil <hablutz...@gmail.com> wrote:
> > > > Hi, I have a web service exposed with cxf with this wsdl:
> > > >
> > > > <?xml version='1.0' encoding='UTF-8'?>
> > > > <wsdl:definitions name="CXFLibraryImplService"
> > > >     targetNamespace="http://service2.ws.service.kprtech.com/"
> > > >     xmlns:ns1="http://cxf.apache.org/bindings/xformat"
> > > >     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> > > >     xmlns:tns="http://service2.ws.service.kprtech.com/"
> > > >     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> > > >     xmlns:xsd="http://www.w3.org/2001/XMLSchema">
> > > >   <wsdl:types>
> > > >     <xs:schema elementFormDefault="unqualified"
> > > >         targetNamespace="http://service2.ws.service.kprtech.com/" version="1.0"
> > > >         xmlns:ns1="http://cxf.apache.org/bindings/xformat"
> > > >         xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> > > >         xmlns:tns="http://service2.ws.service.kprtech.com/"
> > > >         xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> > > >         xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > > >         xmlns:xsd="http://www.w3.org/2001/XMLSchema">
> > > >       <xs:element name="sayHello" type="tns:sayHello" />
> > > >       <xs:element name="sayHelloResponse" type="tns:sayHelloResponse" />
> > > >       <xs:complexType name="sayHello">
> > > >         <xs:sequence>
> > > >           <xs:element minOccurs="0" name="arg0" type="xs:string" />
> > > >         </xs:sequence>
> > > >       </xs:complexType>
> > > >       <xs:complexType name="sayHelloResponse">
> > > >         <xs:sequence>
> > > >           <xs:element minOccurs="0" name="return" type="xs:string" />
> > > >         </xs:sequence>
> > > >       </xs:complexType>
> > > >     </xs:schema>
> > > >   </wsdl:types>
> > > >   <wsdl:message name="sayHello">
> > > >     <wsdl:part element="tns:sayHello" name="parameters">
> > > >     </wsdl:part>
> > > >   </wsdl:message>
> > > >   <wsdl:message name="sayHelloResponse">
> > > >     <wsdl:part element="tns:sayHelloResponse" name="parameters">
> > > >     </wsdl:part>
> > > >   </wsdl:message>
> > > >   <wsdl:portType name="Library">
> > > >     <wsdl:operation name="sayHello">
> > > >       <wsdl:input message="tns:sayHello" name="sayHello">
> > > >       </wsdl:input>
> > > >       <wsdl:output message="tns:sayHelloResponse" name="sayHelloResponse">
> > > >       </wsdl:output>
> > > >     </wsdl:operation>
> > > >   </wsdl:portType>
> > > >   <wsdl:binding name="CXFLibraryImplServiceSoapBinding" type="tns:Library">
> > > >     <wsp:PolicyReference URI="#SignEncr" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" />
> > > >     <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
> > > >     <wsdl:operation name="sayHello">
> > > >       <soap:operation soapAction="" style="document" />
> > > >       <wsdl:input name="sayHello">
> > > >         <soap:body use="literal" />
> > > >       </wsdl:input>
> > > >       <wsdl:output name="sayHelloResponse">
> > > >         <soap:body use="literal" />
> > > >       </wsdl:output>
> > > >     </wsdl:operation>
> > > >   </wsdl:binding>
> > > >   <wsdl:service name="CXFLibraryImplService">
> > > >     <wsdl:port binding="tns:CXFLibraryImplServiceSoapBinding" name="CXFLibraryImplPort">
> > > >       <soap:address location="http://localhost:8888/domicilios/services/service2" />
> > > >     </wsdl:port>
> > > >   </wsdl:service>
> > > >   <wsp:Policy wsu:Id="SignEncr"
> > > >       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > > >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > > >     <wsp:ExactlyOne>
> > > >       <wsp:All>
> > > >         <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > > >           <wsp:Policy>
> > > >             <sp:InitiatorToken>
> > > >               <wsp:Policy>
> > > >                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > > >                   <wsp:Policy>
> > > >                     <sp:RequireThumbprintReference />
> > > >                     <sp:WssX509V1Token10 />
> > > >                   </wsp:Policy>
> > > >                 </sp:X509Token>
> > > >               </wsp:Policy>
> > > >             </sp:InitiatorToken>
> > > >             <sp:RecipientToken>
> > > >               <wsp:Policy>
> > > >                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> > > >                   <wsp:Policy>
> > > >                     <sp:RequireThumbprintReference />
> > > >                     <sp:WssX509V3Token10 />
> > > >                   </wsp:Policy>
> > > >                 </sp:X509Token>
> > > >               </wsp:Policy>
> > > >             </sp:RecipientToken>
> > > >             <sp:AlgorithmSuite>
> > > >               <wsp:Policy>
> > > >                 <sp:TripleDesRsa15 />
> > > >               </wsp:Policy>
> > > >             </sp:AlgorithmSuite>
> > > >             <sp:Layout>
> > > >               <wsp:Policy>
> > > >                 <sp:Strict />
> > > >               </wsp:Policy>
> > > >             </sp:Layout>
> > > >             <sp:IncludeTimestamp />
> > > >             <sp:OnlySignEntireHeadersAndBody />
> > > >           </wsp:Policy>
> > > >         </sp:AsymmetricBinding>
> > > >         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >           <wsp:Policy>
> > > >             <sp:MustSupportRefKeyIdentifier />
> > > >             <sp:MustSupportRefIssuerSerial />
> > > >           </wsp:Policy>
> > > >         </sp:Wss10>
> > > >         <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > > >           <sp:Body />
> > > >         </sp:SignedParts>
> > > >       </wsp:All>
> > > >     </wsp:ExactlyOne>
> > > >   </wsp:Policy>
> > > > </wsdl:definitions>
> > > >
> > > > And I want to be able to get the certificate in a custom interceptor to be
> > > > able to pass it to the Spring Security session context.
> > > > Another thing I want is to be able to override the default behaviour of cxf
> > > > trying to validate the certPath, because I want to do this on my own because
> > > > the certificates aren't in a .jks keystore but in a database.
> > > >
> > > > I have read that I need a second interceptor, but how to set an interceptor
> > > > and give it lower precedence??
> > > >
> > > > Thanks.
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > http://coheigea.blogspot.com/
> > > Talend - http://www.talend.com

--
Jaime Hablutzel - 9-9956-3299

(accents intentionally omitted)
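Colm's suggestion (plug a custom Validator in where WSS4J's SignatureTrustValidator normally runs) and Jaime's two requirements (decide trust against a database rather than a JKS truststore, and hand the signing certificate on to Spring Security) can be met in a single class. What follows is an added example written for this page; it is not code from the thread, from Apache CXF or from WSS4J, and the thread never says whether this is what was eventually done. It targets the WSS4J 1.6 / CXF 2.4 API that the thread is about. The package and class name, the SIGNING_CERT_KEY constant, the in-memory map that stands in for the poster's certificate database, and the assumption that RequestData.getMsgContext() holds the CXF Message (a java.util.Map) are all mine. The `ws-security.signature.validator` property is, to my knowledge, the CXF 2.4 SecurityConstants key for the signature validator; check it against the CXF version actually in use.

```java
package com.example.ws.security;   // hypothetical package, not one from the thread

import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.Validator;

/**
 * Custom WSS4J 1.6 Validator used in place of the default SignatureTrustValidator.
 *
 * The default validator builds a CertPath from the signing certificate to a
 * trust anchor in the truststore named by ws-security.signature.properties.
 * This one instead looks the certificate up by its SHA-1 thumbprint (the same
 * value RequireThumbprintReference puts on the wire) in a registry of enrolled
 * certificates. The ConcurrentHashMap is a stand-in for the database the
 * original poster keeps certificates in.
 *
 * Wiring (CXF 2.4.x WS-SecurityPolicy runtime), next to the properties shown
 * in the thread:
 *
 *   <jaxws:properties>
 *     <entry key="ws-security.signature.validator">
 *       <bean class="com.example.ws.security.ThumbprintRegistryValidator"/>
 *     </entry>
 *     <entry key="ws-security.signature.properties" value="server-crypto.properties"/>
 *     ...
 *   </jaxws:properties>
 *
 * ws-security.signature.properties is still needed: it supplies the server's
 * own signing key. Only the trust decision moves into this class.
 */
public class ThumbprintRegistryValidator implements Validator {

    /** Hypothetical key under which the verified certificate is stored in the CXF Message. */
    public static final String SIGNING_CERT_KEY = "com.example.ws.security.SIGNING_CERT";

    /** lower-case hex SHA-1 thumbprint -> enrolled certificate (stand-in for the database). */
    private final Map<String, X509Certificate> enrolled =
            new ConcurrentHashMap<String, X509Certificate>();

    /** Enrol a certificate, e.g. loaded from a DAO at startup or on a registration event. */
    public void enroll(X509Certificate cert) throws WSSecurityException {
        enrolled.put(thumbprint(cert), cert);
    }

    @SuppressWarnings("unchecked")
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        X509Certificate[] certs = credential.getCertificates();
        if (certs == null || certs.length == 0) {
            // Signature keyed by a bare public key or a symmetric key: nothing to enrol against.
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        X509Certificate signer = certs[0];

        // 1. Validity period. The default validator gets this from CertPath validation;
        //    once that is bypassed it has to be checked explicitly.
        try {
            signer.checkValidity();
        } catch (CertificateException expiredOrNotYetValid) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }

        // 2. Enrolment. Compare the whole certificate, not only the thumbprint, so the
        //    registry entry and the presented token must be byte-for-byte identical.
        X509Certificate expected = enrolled.get(thumbprint(signer));
        if (expected == null || !expected.equals(signer)) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }

        // 3. Hand the certificate to later interceptors (e.g. one that builds the
        //    Spring Security context). Assumption: CXF's WSS4JInInterceptor sets the
        //    CXF Message, which is a java.util.Map, as the WSS4J message context.
        Object ctx = data.getMsgContext();
        if (ctx instanceof Map) {
            ((Map<String, Object>) ctx).put(SIGNING_CERT_KEY, signer);
        }
        return credential;
    }

    /** SHA-1 over the DER encoding, lower-case hex: the WS-Security ThumbprintSHA1 value. */
    static String thumbprint(X509Certificate cert) throws WSSecurityException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (Exception e) {
            throw new WSSecurityException(WSSecurityException.FAILURE);
        }
    }
}
```

Two caveats worth keeping in mind. First, a Validator only answers "is this signing certificate trusted?"; WSS4J still verifies the XML signature itself, the timestamp and the policy assertions, so a "signature or decryption was invalid" fault that comes from the signature value not verifying is not something a Validator can make go away. Second, skipping CertPath validation means everything it used to give you for free (validity period, chain to an anchor, revocation if enabled) now has to be provided by the registry check; the example covers the validity period and exact-match enrolment, but revocation of an enrolled certificate has to be modelled in the database (remove or flag the row) because nothing here consults a CRL or OCSP.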