Thank you Dennis,

I am new to those standards, so that was very enlightening. However, if you don't 
mind, from your reply I gathered the following:

1. CXF Version 3 does not mix RM and Secure conversation

2. Based on the standard we need to use UsesSequenceSTR but that is not 
supported in CXF

3. We are not configuring CXF right

From the notes above, do you recommend that I NOT use Apache CXF at all, or 
move down to version 2.7 (maybe?)

This code is going to live on a server that does not use the Oracle (Sun) JDK; 
I will have to use the IBM JDK, so it is only going to get tougher.

I appreciate your insights,


Thank you,
Ramzi

> On Jul 30, 2014, at 7:08 PM, "Dennis Sosnoski" <d...@sosnoski.com> wrote:
>
> Hi Ramzi,
>
> There are issues in combining WS-SecureConversation with WS-ReliableMessaging 
> in the 3.0.x release. I did some work to support this last year, but it was 
> not a priority for the group I was working with. Since I didn't have a 
> working endpoint to test with I didn't pursue it at that time.
>
> The correct way of handling this, according to the WS-I Reliable Secure 
> Profile 
> (http://www.ws-i.org/Profiles/ReliableSecureProfile-1.0-2010-11-09.html#sec_reliable_msg),
>  is for the WS-RM CreateSequence to include a wsrm:UsesSequenceSTR element 
> that identifies the security context token. That's currently not supported. 
> There might also be a problem in the ordering of the interceptors when using 
> WS-RM in combination with WS-SC. If you want to send me the full message 
> exchange I can take a look at where things are going wrong.
>
> Also, I see that you're configuring the WSS4JInInterceptor and 
> WSS4JOutInterceptor manually, which is something you probably don't want to 
> do if you're using WS-Policy. You should instead be configuring the security 
> properties in the JAX-WS client element - see 
> http://cxf.apache.org/docs/ws-secureconversation.html for an example.
>
>  - Dennis
>
> Dennis M. Sosnoski
> Java Web Services Consulting <http://www.sosnoski.com/consult.html>
> CXF and Web Services Security Training <http://www.sosnoski.com/training.html>
> Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
>
>> On 07/31/2014 09:15 AM, Yassine, Ramzi wrote:
>> Hey all,
>>
>> I am working with .Net web services that need to use the WS-SECURITY 
>> standards (WS-Policy, WS-SecureConversation, WS-ReliableMessaging).
>>
>> My environment
>> =======================================
>>
>> - Oracle JSDK Java 6 Update 16
>> - Apache CXF 3.0.1
>> - Maven 3.0.4
>>
>> What is happening?
>> =======================================
>>
>> - Generating the Java stubs using wsdl2java (Apache CXF).
>> - We have a working certificate (PKCS12) that I know works, as we don't 
>> have an issue using it with JAX-WS Metro with WSIT (we want to move to Apache 
>> CXF as the support is lacking in JAX-WS and we have had other issues with it)
>> - The current problem is, I believe, in the reliable messaging part (maybe)
>> - In calling the .Net service:
>>
>> We see the create token request
>>     <soap:Header>
>>         <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
>>         </Action>
>>         <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:cc07ca42-8183-4656-a073-98e91642f117
>>         </MessageID>......   This is the request to create the token
>>
>> With a successful response
>> ....
>>     <s:Body>
>>         <t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>>             <t:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</t:TokenType>
>>             <t:RequestedSecurityToken>
>>                 <c:SecurityContextToken u:Id="uuid-7aa72faa-eb08-4fdd-a2d6-8c43fbfdb5d5-5"
>>                                         xmlns:c="http://schemas.xmlsoap.org/ws/2005/02/sc">
>>                     <c:Identifier>urn:uuid:07701681-111c-41f7-8cc8-0f9b4211cb36</c:Identifier>
>>                 </c:SecurityContextToken>.... This contains the token
>>
>>
>> and then we send a create sequence
>> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>>     <soap:Header>
>>         <Action xmlns="http://www.w3.org/2005/08/addressing">
>>             http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence
>>         </Action>......
>>
>> Response: (FAIL)
>> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
>>     <s:Header>
>>         <a:Action s:mustUnderstand="1">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
>>         <a:RelatesTo>urn:uuid:4ff03c67-1b06-4b2c-8248-c0fa9ecaf6fd</a:RelatesTo>
>>     </s:Header>
>>     <s:Body>
>>         <s:Fault>
>>             <s:Code>
>>                 <s:Value>s:Sender</s:Value>
>>                 <s:Subcode>
>>                     <s:Value xmlns:a="http://schemas.xmlsoap.org/ws/2005/02/sc">a:BadContextToken</s:Value>
>>                 </s:Subcode>
>>             </s:Code>
>>             <s:Reason>
>>                 <s:Text xml:lang="en-US">The message could not be processed. 
>> This is most likely because the action
>>                     
>> 'http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence' is incorrect 
>> or because the message
>>                     contains an invalid or expired security context token or 
>> because there is a mismatch between
>>                     bindings. The security context token would be invalid if 
>> the service aborted the channel due to
>>                     inactivity. To prevent the service from aborting idle 
>> sessions prematurely increase the Receive
>>                     timeout on the service endpoint's binding.
>>                 </s:Text>
>>             </s:Reason>
>>         </s:Fault>
>>     </s:Body>
>> </s:Envelope>
>>
>>
>>
>> All SOAP requests are signed, and we are OK in getting the token; however, the 
>> second call FAILS. Any help on this is highly appreciated.
>>
>>
>>
>>
>> Here is the client code
>> =======================================
>>
>>         System.setProperty("com.sun.xml.ws.transport.http.client.HttpTransportPipe.dump", "true");
>>         SpringBusFactory bf = new SpringBusFactory();
>>         try {
>>             File file = new File(this.getClass().getResource("/cxf.xml").toURI());
>>             URI busFile = file.toURI();
>>             Bus bus = bf.createBus(busFile.toString());
>>             BusFactory.setDefaultBus(bus);
>>
>>             Authentication authentication = new Authentication();
>>             service = authentication.getAuthenticationEndpoint();
>>             ((BindingProvider) service).getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
>>                     "https://someUrl/Authentication.svc");  // removed for privacy
>>
>>         } catch (URISyntaxException e) {
>>             // TODO handle error
>>             e.printStackTrace();
>>         }
>>
>>
>> The configuration
>> =======================================
>>
>> The client properties file
>> --------------------------
>> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
>> org.apache.ws.security.crypto.merlin.keystore.file=/keys/ourpkcs12_store
>> org.apache.ws.security.crypto.merlin.keystore.password=somePasswrord
>> org.apache.ws.security.crypto.merlin.keystore.type=PKCS12
>> org.apache.ws.security.crypto.merlin.keystore.alias=someAlias
>>
>> The CXF file
>> -------------
>> <beans xmlns="http://www.springframework.org/schema/beans"
>>        xmlns:jaxws="http://cxf.apache.org/jaxws"
>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>        xmlns:http="http://cxf.apache.org/transports/http/configuration"
>>        xmlns:wsrm-policy="http://schemas.xmlsoap.org/ws/2005/02/rm/policy"
>>        xmlns:wsrm-mgr="http://cxf.apache.org/ws/rm/manager"
>>        xmlns:wsa="http://cxf.apache.org/ws/addressing"
>>        xmlns:cxf="http://cxf.apache.org/core"
>>
>>        xsi:schemaLocation="http://cxf.apache.org/core
>>             http://cxf.apache.org/schemas/core.xsd
>>             http://www.springframework.org/schema/beans
>>             http://www.springframework.org/schema/beans/spring-beans.xsd
>>             http://cxf.apache.org/jaxws
>>             http://cxf.apache.org/schemas/jaxws.xsd
>>             http://cxf.apache.org/transports/http/configuration
>>             http://cxf.apache.org/schemas/configuration/http-conf.xsd
>>             http://schemas.xmlsoap.org/ws/2005/02/rm/policy
>>             http://schemas.xmlsoap.org/ws/2005/02/rm/wsrm-policy.xsd
>>             http://cxf.apache.org/ws/rm/manager
>>             http://cxf.apache.org/schemas/configuration/wsrm-manager.xsd">
>>
>>     <bean id="logInBound" class="org.apache.cxf.interceptor.LoggingInInterceptor"/>
>>     <bean id="logOutBound" class="org.apache.cxf.interceptor.LoggingOutInterceptor"/>
>>     <jaxws:client name="{http://tempuri.org/}AuthenticationEndpoint"
>>                   createdFromAPI="true"
>>                   address="https://someWsdlUrl">
>>         <jaxws:properties>
>>             <entry key="ws-security.signature.properties" value="/client.properties"/>
>>             <entry key="ws-security.callback-handler" value="OurOwnPasswordCallBackForTheKeyStore"/>
>>         </jaxws:properties>
>>         </jaxws:properties>
>>         <jaxws:inInterceptors>
>>             <ref bean="logInBound"/>
>>             <ref bean="inbound-security"/>
>>         </jaxws:inInterceptors>
>>         <jaxws:outInterceptors>
>>             <ref bean="logOutBound"/>
>>             <ref bean="outbound-security"/>
>>         </jaxws:outInterceptors>
>>         <jaxws:features>
>>             <wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
>>             <wsrm-mgr:reliableMessaging>
>>                 <wsrm-policy:RMAssertion>
>>                     <wsrm-policy:BaseRetransmissionInterval Milliseconds="10000"/>
>>                     <wsrm-policy:AcknowledgementInterval Milliseconds="2000"/>
>>                 </wsrm-policy:RMAssertion>
>>                 <wsrm-mgr:destinationPolicy>
>>                     <wsrm-mgr:acksPolicy intraMessageThreshold="0" />
>>                 </wsrm-mgr:destinationPolicy>
>>             </wsrm-mgr:reliableMessaging>
>>         </jaxws:features>
>>     </jaxws:client>
>>     <!-- WSS4JOutInterceptor for signing outbound SOAP -->
>>     <bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor" id="outbound-security">
>>         <constructor-arg>
>>             <map>
>>                 <entry key="action" value="Timestamp Signature"/>
>>                 <entry key="user" value="someUser"/>
>>                 <entry key="signatureUser" value="someUser"/>
>>                 <entry key="signaturePropFile" value="/client.properties"/>
>>                 <entry key="signatureKeyIdentifier" value="X509KeyIdentifier"/>
>>                 <entry key="passwordCallbackClass" value="OurOwnPasswordCallBackForTheKeyStore.java"/>
>>                 <entry key="signatureParts"
>>                        value="{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body;{Element}{http://www.w3.org/2005/08/addressing}To;{Element}{http://www.w3.org/2005/08/addressing}From;;{Element}{http://www.w3.org/2005/08/addressing}FaultTo;{Element}{http://www.w3.org/2005/08/addressing}ReplyTo;{Element}{http://www.w3.org/2005/08/addressing}MessageID;{Element}{http://www.w3.org/2005/08/addressing}RelatesTo;{Element}{http://www.w3.org/2005/08/addressing}Action"/>
>>             </map>
>>         </constructor-arg>
>>     </bean>
>>
>>     <!-- WSS4JInInterceptor for validating the signature of inbound
>>         SOAP -->
>>     <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
>>           id="inbound-security">
>>         <constructor-arg>
>>             <map>
>>                 <entry key="action" value="Timestamp Signature"/>
>>                 <entry key="signaturePropFile" value="/client.properties"/>
>>                 <entry key="passwordCallbackClass" value="OurOwnPasswordCallBackForTheKeyStore.java"/>
>>             </map>
>>         </constructor-arg>
>>     </bean>
>> </beans>
>>
>>
>> Trace logs on the .NET side
>> ===========================
>> An error occurred while processing a message. The RM Destination requires 
>> the WS-SecureConversation protocol in the binding. This is likely caused by 
>> a binding mismatch.
>>
>>
>> The logs and exception
>> =======================
>>
>>
>> Jul 30, 2014 2:04:39 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor 
>> handleMessage
>> WARNING: Request does not contain Security header, but it's a fault.
>> Jul 30, 2014 2:04:39 PM org.apache.cxf.ws.rm.Proxy invoke
>> SEVERE: Failed to send RM protocol message 
>> {http://docs.oasis-open.org/ws-rx/wsrm/200702}CreateSequence.
>> org.apache.cxf.binding.soap.SoapFault: The message could not be processed. 
>> This is most likely because the action 
>> 'http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence' is incorrect 
>> or because the message contains an invalid or expired security context token 
>> or because there is a mismatch between bindings. The security context token 
>> would be invalid if the service aborted the channel due to inactivity. To 
>> prevent the service from aborting idle sessions prematurely increase the 
>> Receive timeout on the service endpoint's binding.
>> at 
>> org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.unmarshalFault(Soap12FaultInInterceptor.java:155)
>> at 
>> org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:66)
>> at 
>> org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:52)
>> at 
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>> at 
>> org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
>> at 
>> org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:140)
>> at 
>> org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:71)
>> at 
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>> at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
>> at 
>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1636)
>> ......
>> Jul 30, 2014 2:04:39 PM org.apache.cxf.phase.PhaseInterceptorChain 
>> doDefaultLogging
>> org.apache.cxf.interceptor.Fault: Failed to send RM protocol message 
>> {http://docs.oasis-open.org/ws-rx/wsrm/200702}CreateSequence.
>> at 
>> org.apache.cxf.ws.rm.AbstractRMInterceptor.handleMessage(AbstractRMInterceptor.java:104)
>> at 
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
>> .....
>> at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:65)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>> at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>> at java.lang.reflect.Method.invoke(Method.java:597)
>> at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
>> Caused by: org.apache.cxf.ws.rm.RMException: Failed to send RM protocol 
>> message {http://docs.oasis-open.org/ws-rx/wsrm/200702}CreateSequence.
>> at org.apache.cxf.ws.rm.Proxy.invoke(Proxy.java:323)
>> at org.apache.cxf.ws.rm.Proxy.createSequence(Proxy.java:199)
>> at org.apache.cxf.ws.rm.RMManager.getSequence(RMManager.java:472)
>> at 
>> org.apache.cxf.ws.rm.RMCaptureOutInterceptor.handle(RMCaptureOutInterceptor.java:156)
>> at 
>> org.apache.cxf.ws.rm.AbstractRMInterceptor.handleMessage(AbstractRMInterceptor.java:83)
>> ... 33 more
>> Caused by: org.apache.cxf.binding.soap.SoapFault: The message could not be 
>> processed. This is most likely because the action 
>> 'http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence' is incorrect 
>> or because the message contains an invalid or expired security context token 
>> or because there is a mismatch between bindings. The security context token 
>> would be invalid if the service aborted the channel due to inactivity. To 
>> prevent the service from aborting idle sessions prematurely increase the 
>> Receive timeout on the service endpoint's binding.
>> at 
>> org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.unmarshalFault(Soap12FaultInInterceptor.java:155)
>> at 
>> org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:66)
>> at 
>> org.apache.cxf.binding.soap.interceptor.Soap12FaultInInterceptor.handleMessage(Soap12FaultInInterceptor.java:52)
>> at 
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>> at 
>> org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
>> at 
>> org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:140)
>> at 
>> org.apache.cxf.jaxws.handler.soap.SOAPHandlerInterceptor.handleMessage(SOAPHandlerInterceptor.java:71)
>> at 
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>> at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
>> at 
>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1636)
>> at 
>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1525)
>> at 
>> org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1330)
>> at 
>> org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:56)
>> at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:215)
>> at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>> at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:638)
>> at 
>> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>> at 
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>> at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
>> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
>> at org.apache.cxf.ws.rm.Proxy.invoke(Proxy.java:313)
>> All information in this message is confidential and may be legally 
>> privileged. Only intended recipients are authorized to use it.
>
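Dennis's point, that under the WS-I Reliable Secure Profile the CreateSequence must identify the security context token, shown as a check (an added example, not code from the thread or from CXF): it parses a CreateSequence envelope and reports whether it carries the wsrm:UsesSequenceSTR header and the SCT in its wsse:Security header. Both sample envelopes are constructed here; the bound one reuses the SCT identifier from the RSTR in the thread and omits the XML signature a real message would carry.

```python
import xml.etree.ElementTree as ET

# Namespaces from the thread's messages: SOAP 1.2, WS-RM 1.1, WSS SecExt, WS-SC 2005/02.
NS = {
    "s": "http://www.w3.org/2003/05/soap-envelope",
    "wsrm": "http://docs.oasis-open.org/ws-rx/wsrm/200702",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsc": "http://schemas.xmlsoap.org/ws/2005/02/sc",
}

def check_create_sequence(envelope_xml):
    """Return a list of binding problems; an empty list means the CreateSequence
    is tied to a secure conversation the way the RSP requires."""
    root = ET.fromstring(envelope_xml)
    if root.find("s:Body/wsrm:CreateSequence", NS) is None:
        return ["body is not a wsrm:CreateSequence"]
    header = root.find("s:Header", NS)
    if header is None:
        return ["envelope has no s:Header"]
    problems = []
    uses_str = header.find("wsrm:UsesSequenceSTR", NS)
    if uses_str is None:
        problems.append("no wsrm:UsesSequenceSTR header: sequence not bound to a security context")
    elif uses_str.get("{%s}mustUnderstand" % NS["s"]) not in ("true", "1"):
        problems.append("wsrm:UsesSequenceSTR is not marked mustUnderstand")
    if header.find("wsse:Security/wsc:SecurityContextToken", NS) is None:
        problems.append("no wsc:SecurityContextToken in the wsse:Security header")
    return problems

# Constructed sample 1: the shape of the CreateSequence the thread shows CXF sending
# (Action header only, nothing that binds the sequence to the issued SCT).
UNBOUND = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:wsrm="http://docs.oasis-open.org/ws-rx/wsrm/200702">
  <s:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence</wsa:Action>
  </s:Header>
  <s:Body><wsrm:CreateSequence><wsrm:AcksTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsrm:AcksTo></wsrm:CreateSequence></s:Body>
</s:Envelope>"""

# Constructed sample 2: the same request bound to the SCT whose Identifier the
# thread's RSTR returned. The signature over the message is omitted here.
BOUND = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsa="http://www.w3.org/2005/08/addressing"
    xmlns:wsrm="http://docs.oasis-open.org/ws-rx/wsrm/200702"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc">
  <s:Header>
    <wsa:Action>http://docs.oasis-open.org/ws-rx/wsrm/200702/CreateSequence</wsa:Action>
    <wsrm:UsesSequenceSTR s:mustUnderstand="true"/>
    <wsse:Security s:mustUnderstand="true">
      <wsc:SecurityContextToken>
        <wsc:Identifier>urn:uuid:07701681-111c-41f7-8cc8-0f9b4211cb36</wsc:Identifier>
      </wsc:SecurityContextToken>
    </wsse:Security>
  </s:Header>
  <s:Body><wsrm:CreateSequence><wsrm:AcksTo><wsa:Address>http://www.w3.org/2005/08/addressing/anonymous</wsa:Address></wsrm:AcksTo></wsrm:CreateSequence></s:Body>
</s:Envelope>"""
```

Running the check over the unbound sample reports both the missing UsesSequenceSTR header and the missing SCT, which matches the .NET side's "RM Destination requires the WS-SecureConversation protocol in the binding" trace.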