It should be backwards compatible.

Colm.

On Tue, Jul 26, 2011 at 5:40 PM, Jaime Hablutzel Egoavil <hablutz...@gmail.com> wrote:
> I thought the problem was because WSS4J now is expecting a different
> keystore for trusted certs and another for keys... or it should be backward
> compatible?
>
> On Tue, Jul 26, 2011 at 10:22 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>>
>> Hi,
>>
>> Could you try with this jar? I fixed a problem recently in WSS4J that
>> sounds like it could be the problem here:
>>
>> https://issues.apache.org/jira/secure/attachment/12487842/wss4j-1.6.2-SNAPSHOT.jar
>>
>> Colm.
>>
>> On Tue, Jul 19, 2011 at 3:34 PM, Jaime Hablutzel Egoavil <hablutz...@gmail.com> wrote:
>> > No, I was using 2.3.5 because with 2.4.1 my configuration is not working,
>> > a wsdl like this one:
>> >
>> > <?xml version='1.0' encoding='UTF-8'?>
>> > <wsdl:definitions name="CXFLibraryImplService"
>> >     targetNamespace="http://service2.ws.service.kprtech.com/"
>> >     xmlns:ns1="http://cxf.apache.org/bindings/xformat"
>> >     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>> >     xmlns:tns="http://service2.ws.service.kprtech.com/"
>> >     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>> >     xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>> >
>> >   <wsp:Policy wsu:Id="SignEncr"
>> >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> >       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>> >     <wsp:ExactlyOne>
>> >       <wsp:All>
>> >         <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>> >           <wsp:Policy>
>> >             <sp:InitiatorToken>
>> >               <wsp:Policy>
>> >                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>> >                   <wsp:Policy>
>> >                     <sp:RequireThumbprintReference/>
>> >                     <sp:WssX509V1Token10/>
>> >                   </wsp:Policy>
>> >                 </sp:X509Token>
>> >               </wsp:Policy>
>> >             </sp:InitiatorToken>
>> >             <sp:RecipientToken>
>> >               <wsp:Policy>
>> >                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>> >                   <wsp:Policy>
>> >                     <sp:RequireThumbprintReference/>
>> >                     <sp:WssX509V3Token10/>
>> >                   </wsp:Policy>
>> >                 </sp:X509Token>
>> >               </wsp:Policy>
>> >             </sp:RecipientToken>
>> >             <sp:AlgorithmSuite>
>> >               <wsp:Policy>
>> >                 <sp:TripleDesRsa15/>
>> >               </wsp:Policy>
>> >             </sp:AlgorithmSuite>
>> >             <sp:Layout>
>> >               <wsp:Policy>
>> >                 <sp:Strict/>
>> >               </wsp:Policy>
>> >             </sp:Layout>
>> >             <sp:IncludeTimestamp/>
>> >             <sp:OnlySignEntireHeadersAndBody/>
>> >           </wsp:Policy>
>> >         </sp:AsymmetricBinding>
>> >         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >           <wsp:Policy>
>> >             <sp:MustSupportRefKeyIdentifier/>
>> >             <sp:MustSupportRefIssuerSerial/>
>> >           </wsp:Policy>
>> >         </sp:Wss10>
>> >         <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>> >           <sp:Body/>
>> >         </sp:SignedParts>
>> >       </wsp:All>
>> >     </wsp:ExactlyOne>
>> >   </wsp:Policy>
>> >
>> >   <wsdl:types>
>> >     <xs:schema elementFormDefault="unqualified"
>> >         targetNamespace="http://service2.ws.service.kprtech.com/" version="1.0"
>> >         xmlns:tns="http://service2.ws.service.kprtech.com/"
>> >         xmlns:xs="http://www.w3.org/2001/XMLSchema">
>> >       <xs:element name="sayHello" type="tns:sayHello" />
>> >       <xs:element name="sayHelloResponse" type="tns:sayHelloResponse" />
>> >       <xs:complexType name="sayHello">
>> >         <xs:sequence>
>> >           <xs:element minOccurs="0" name="arg0" type="xs:string" />
>> >         </xs:sequence>
>> >       </xs:complexType>
>> >       <xs:complexType name="sayHelloResponse">
>> >         <xs:sequence>
>> >           <xs:element minOccurs="0" name="return" type="xs:string" />
>> >         </xs:sequence>
>> >       </xs:complexType>
>> >     </xs:schema>
>> >   </wsdl:types>
>> >   <wsdl:message name="sayHelloResponse">
>> >     <wsdl:part element="tns:sayHelloResponse" name="parameters">
>> >     </wsdl:part>
>> >   </wsdl:message>
>> >   <wsdl:message name="sayHello">
>> >     <wsdl:part element="tns:sayHello" name="parameters">
>> >     </wsdl:part>
>> >   </wsdl:message>
>> >
>> >   <wsdl:portType name="Library">
>> >     <wsdl:operation name="sayHello">
>> >       <wsdl:input message="tns:sayHello" name="sayHello">
>> >       </wsdl:input>
>> >       <wsdl:output message="tns:sayHelloResponse" name="sayHelloResponse">
>> >       </wsdl:output>
>> >     </wsdl:operation>
>> >   </wsdl:portType>
>> >   <wsdl:binding name="CXFLibraryImplServiceSoapBinding" type="tns:Library">
>> >     <wsp:PolicyReference xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" URI="#SignEncr"/>
>> >     <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
>> >     <wsdl:operation name="sayHello">
>> >       <soap:operation soapAction="" style="document" />
>> >       <wsdl:input name="sayHello">
>> >         <soap:body use="literal" />
>> >       </wsdl:input>
>> >       <wsdl:output name="sayHelloResponse">
>> >         <soap:body use="literal" />
>> >       </wsdl:output>
>> >     </wsdl:operation>
>> >   </wsdl:binding>
>> >   <wsdl:service name="CXFLibraryImplService">
>> >     <wsdl:port binding="tns:CXFLibraryImplServiceSoapBinding" name="CXFLibraryImplPort">
>> >       <soap:address location="http://localhost:8080/domicilios/services/service2" />
>> >     </wsdl:port>
>> >   </wsdl:service>
>> > </wsdl:definitions>
>> >
>> > The service exposed this way:
>> >
>> > <jaxws:endpoint id="service2"
>> >     implementor="com.kprtech.service.ws.service2.CXFLibraryImpl"
>> >     wsdlLocation="classpath:service2.wsdl"
>> >     address="/service2">
>> >   <jaxws:properties>
>> >     <entry key="ws-security.signature.properties" value="server-crypto.properties"/>
>> >     <entry key="ws-security.signature.username" value="serverkey"/>
>> >     <!--<entry key="ws-security.encryption.username" value="useReqSigCert"/>-->
>> >     <entry key="ws-security.callback-handler" value="com.kprtech.service.ws.impl.ServerCallback"/>
>> >   </jaxws:properties>
>> > </jaxws:endpoint>
>> >
>> > And the client generated using cxf tool.
>> >
>> > This is working perfectly in 2.3.5 and 2.2.6. Has something changed
>> > for the 2.4.1 version when the wsdl first approach is used?
>> > I'm getting this error:
>> >
>> > 2011-07-19 09:26:23,720 [qtp32323148-24] WARN org.apache.cxf.phase.PhaseInterceptorChain - Interceptor for {http://service2.ws.service.kprtech.com/}CXFLibraryImplService has thrown exception, unwinding now
>> > org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
>> >
>> > On Tue, Jul 19, 2011 at 3:36 AM, Colm O hEigeartaigh <cohei...@apache.org> wrote:
>> >>
>> >> Hi Jaime,
>> >>
>> >> What version of CXF are you using? There is a better way to do this
>> >> than via a CXF interceptor from CXF 2.4.0 onwards. Trust validation is
>> >> done by WSS4J via the SignatureTrustValidator, which is given the
>> >> certificate used to verify the signature, and verifies trust via the
>> >> CertPath API. You can simply plug your own Validator implementation in
>> >> here instead. See this blog entry for more details:
>> >>
>> >> http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html
>> >>
>> >> Colm.
>> >>
>> >> On Mon, Jul 18, 2011 at 7:30 PM, Jaime Hablutzel Egoavil <hablutz...@gmail.com> wrote:
>> >> > Hi, I have a web service exposed with cxf with this wsdl:
>> >> >
>> >> > <?xml version='1.0' encoding='UTF-8'?>
>> >> > <wsdl:definitions name="CXFLibraryImplService"
>> >> >     targetNamespace="http://service2.ws.service.kprtech.com/"
>> >> >     xmlns:ns1="http://cxf.apache.org/bindings/xformat"
>> >> >     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>> >> >     xmlns:tns="http://service2.ws.service.kprtech.com/"
>> >> >     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>> >> >     xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>> >> >   <wsdl:types>
>> >> >     <xs:schema elementFormDefault="unqualified"
>> >> >         targetNamespace="http://service2.ws.service.kprtech.com/" version="1.0"
>> >> >         xmlns:ns1="http://cxf.apache.org/bindings/xformat"
>> >> >         xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>> >> >         xmlns:tns="http://service2.ws.service.kprtech.com/"
>> >> >         xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>> >> >         xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> >> >         xmlns:xsd="http://www.w3.org/2001/XMLSchema">
>> >> >       <xs:element name="sayHello" type="tns:sayHello" />
>> >> >       <xs:element name="sayHelloResponse" type="tns:sayHelloResponse" />
>> >> >       <xs:complexType name="sayHello">
>> >> >         <xs:sequence>
>> >> >           <xs:element minOccurs="0" name="arg0" type="xs:string" />
>> >> >         </xs:sequence>
>> >> >       </xs:complexType>
>> >> >       <xs:complexType name="sayHelloResponse">
>> >> >         <xs:sequence>
>> >> >           <xs:element minOccurs="0" name="return" type="xs:string" />
>> >> >         </xs:sequence>
>> >> >       </xs:complexType>
>> >> >     </xs:schema>
>> >> >   </wsdl:types>
>> >> >   <wsdl:message name="sayHello">
>> >> >     <wsdl:part element="tns:sayHello" name="parameters">
>> >> >     </wsdl:part>
>> >> >   </wsdl:message>
>> >> >   <wsdl:message name="sayHelloResponse">
>> >> >     <wsdl:part element="tns:sayHelloResponse" name="parameters">
>> >> >     </wsdl:part>
>> >> >   </wsdl:message>
>> >> >   <wsdl:portType name="Library">
>> >> >     <wsdl:operation name="sayHello">
>> >> >       <wsdl:input message="tns:sayHello" name="sayHello">
>> >> >       </wsdl:input>
>> >> >       <wsdl:output message="tns:sayHelloResponse" name="sayHelloResponse">
>> >> >       </wsdl:output>
>> >> >     </wsdl:operation>
>> >> >   </wsdl:portType>
>> >> >   <wsdl:binding name="CXFLibraryImplServiceSoapBinding" type="tns:Library">
>> >> >     <wsp:PolicyReference URI="#SignEncr" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" />
>> >> >     <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
>> >> >     <wsdl:operation name="sayHello">
>> >> >       <soap:operation soapAction="" style="document" />
>> >> >       <wsdl:input name="sayHello">
>> >> >         <soap:body use="literal" />
>> >> >       </wsdl:input>
>> >> >       <wsdl:output name="sayHelloResponse">
>> >> >         <soap:body use="literal" />
>> >> >       </wsdl:output>
>> >> >     </wsdl:operation>
>> >> >   </wsdl:binding>
>> >> >   <wsdl:service name="CXFLibraryImplService">
>> >> >     <wsdl:port binding="tns:CXFLibraryImplServiceSoapBinding" name="CXFLibraryImplPort">
>> >> >       <soap:address location="http://localhost:8888/domicilios/services/service2" />
>> >> >     </wsdl:port>
>> >> >   </wsdl:service>
>> >> >   <wsp:Policy wsu:Id="SignEncr"
>> >> >       xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> >> >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>> >> >     <wsp:ExactlyOne>
>> >> >       <wsp:All>
>> >> >         <sp:AsymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>> >> >           <wsp:Policy>
>> >> >             <sp:InitiatorToken>
>> >> >               <wsp:Policy>
>> >> >                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>> >> >                   <wsp:Policy>
>> >> >                     <sp:RequireThumbprintReference />
>> >> >                     <sp:WssX509V1Token10 />
>> >> >                   </wsp:Policy>
>> >> >                 </sp:X509Token>
>> >> >               </wsp:Policy>
>> >> >             </sp:InitiatorToken>
>> >> >             <sp:RecipientToken>
>> >> >               <wsp:Policy>
>> >> >                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>> >> >                   <wsp:Policy>
>> >> >                     <sp:RequireThumbprintReference />
>> >> >                     <sp:WssX509V3Token10 />
>> >> >                   </wsp:Policy>
>> >> >                 </sp:X509Token>
>> >> >               </wsp:Policy>
>> >> >             </sp:RecipientToken>
>> >> >             <sp:AlgorithmSuite>
>> >> >               <wsp:Policy>
>> >> >                 <sp:TripleDesRsa15 />
>> >> >               </wsp:Policy>
>> >> >             </sp:AlgorithmSuite>
>> >> >             <sp:Layout>
>> >> >               <wsp:Policy>
>> >> >                 <sp:Strict />
>> >> >               </wsp:Policy>
>> >> >             </sp:Layout>
>> >> >             <sp:IncludeTimestamp />
>> >> >             <sp:OnlySignEntireHeadersAndBody />
>> >> >           </wsp:Policy>
>> >> >         </sp:AsymmetricBinding>
>> >> >         <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> >> >           <wsp:Policy>
>> >> >             <sp:MustSupportRefKeyIdentifier />
>> >> >             <sp:MustSupportRefIssuerSerial />
>> >> >           </wsp:Policy>
>> >> >         </sp:Wss10>
>> >> >         <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>> >> >           <sp:Body />
>> >> >         </sp:SignedParts>
>> >> >       </wsp:All>
>> >> >     </wsp:ExactlyOne>
>> >> >   </wsp:Policy>
>> >> > </wsdl:definitions>
>> >> >
>> >> > And I want to be able to get the certificate in a custom interceptor
>> >> > to be able to pass it to spring security session context.
>> >> > Another thing I want is to be able to override the default behaviour
>> >> > of cxf trying to validate the certPath, because I want to do this on my
>> >> > own because certificates aren't in a .jks keystore but in a database.
>> >> >
>> >> > I have read that I need a second interceptor, but how to set an
>> >> > interceptor and give it lower precedence?
>> >> >
>> >> > Thanks.
>> >> >
>> >> > --
>> >> > Jaime Hablutzel - 9-9956-3299
>> >> > (accents intentionally omitted)
>> >>
>> >> --
>> >> Colm O hEigeartaigh
>> >> http://coheigea.blogspot.com/
>> >> Talend - http://www.talend.com
>> >
>> > --
>> > Jaime Hablutzel - 9-9956-3299
>> > (accents intentionally omitted)
>>
>> --
>> Colm O hEigeartaigh
>> http://coheigea.blogspot.com/
>> Talend - http://www.talend.com
>
> --
> Jaime Hablutzel - 9-9956-3299
> (accents intentionally omitted)

--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com
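Colm's suggestion above, plugging a custom Validator into the SignatureTrustValidator slot, worked through as an added example (editor's code, not from the thread and not part of CXF or WSS4J): a validator for the database-backed trust store Jaime describes, which accepts the signing certificate only if its SHA-1 thumbprint is in a set the application supplies, instead of running the default CertPath check against a .jks truststore. The class name and the `Set<String>` of thumbprints are assumptions; `SignatureTrustValidator`, `Credential`, `RequestData` and `WSSecurityException` are the WSS4J 1.6 types Colm refers to, and in CXF 2.4 the instance is registered on the endpoint through the jaxws property that SecurityConstants names for the signature validator (`ws-security.signature.validator` as I recall it; confirm against the SecurityConstants of the version in use).

```java
// Added example, not from the thread or from CXF/WSS4J: WSS4J 1.6 trust validator keyed on thumbprints.
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SignatureTrustValidator;

public class ThumbprintTrustValidator extends SignatureTrustValidator {
    // Lower-case hex SHA-1 thumbprints of trusted certificates; in Jaime's setup this
    // set would be loaded from the database rather than from a .jks truststore.
    private final Set<String> trusted;

    public ThumbprintTrustValidator(Set<String> trusted) {
        this.trusted = trusted;
    }

    @Override
    public Credential validate(Credential credential, RequestData data)
            throws WSSecurityException {
        X509Certificate[] certs = credential.getCertificates();
        if (certs == null || certs.length == 0) {
            // No certificate verified the signature, so there is nothing to trust.
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        X509Certificate signer = certs[0];
        try {
            // Overriding validate() replaces the default checks, so keep the date check.
            signer.checkValidity();
        } catch (CertificateException e) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        // The SHA-1 thumbprint of the DER encoding is the same value the policy's
        // RequireThumbprintReference assertion uses to identify the token.
        if (!trusted.contains(sha1Hex(signer))) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        return credential; // certificates stay attached for later authorization steps
    }

    static String sha1Hex(X509Certificate cert) throws WSSecurityException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(2 * digest.length);
            for (byte b : digest) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (Exception e) { // NoSuchAlgorithmException / CertificateEncodingException
            throw new WSSecurityException(WSSecurityException.FAILURE);
        }
    }
}
```

Because this subclass bypasses the CertPath check entirely, revocation and chain constraints that the default validator would have enforced are now the application's responsibility, so the thumbprint set must be maintained as carefully as a truststore would be.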