Hi,
We are trying to get MTOM and WS-Security working together using CXF. Both
client and service are using cxf 3.0.6.

The data that needs to be sent as an attachment has the
"application/octet-stream" expectedContentTypes in the wsdl:
<xs:complexType name="StoreData">
  <xs:sequence>
    <xs:element name="storeID" type="xs:long"/>
    <xs:element minOccurs="0" name="dataFileName" type="xs:string"/>
    <xs:element minOccurs="0" name="data" type="xs:base64Binary" xmime:expectedContentTypes="application/octet-stream"/>
    <xs:element name="dataLen" type="xs:long"/>
  </xs:sequence>
</xs:complexType>

And we enable mtom for both client and service in the spring config using:
<jaxws:properties>
  <entry key="mtom-enabled" value="true"/>
  ...
</jaxws:properties>
in the jaxws:client and jaxws:endpoint respectively.

The binding policy we are using in our wsdl is:
<wsp:Policy wsu:Id="ServiceSoapBindingPolicy"
  xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
  xmlns:wsaw="http://www.w3.org/2005/08/addressing"
  xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
  xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsap10:UsingAddressing/>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireDerivedKeys/>
                  <sp:RequireThumbprintReference/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:EncryptSignature/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:EndorsingSupportingTokens>
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <sp:Issuer>
              <wsaw:Address>http://localhost:8080/DefaultSTS/DefaultSTS/DefaultSTSService</wsaw:Address>
            </sp:Issuer>
            <sp:RequestSecurityTokenTemplate>
              <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
              <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
              <t:KeySize>256</t:KeySize>
              <t:Claims xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity"
                Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
                <ic:ClaimType Uri="http://schemas.merge.com/icc/claims/storagespace" Optional="true"/>
              </t:Claims>
              <wsp:AppliesTo>
                <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
                  <Address>urn:merge:icc:services:all</Address>
                </EndpointReference>
              </wsp:AppliesTo>
            </sp:RequestSecurityTokenTemplate>
            <wsp:Policy>
              <sp:RequireDerivedKeys/>
              <sp:RequireInternalReference/>
            </wsp:Policy>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:EndorsingSupportingTokens>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
          <sp:RequireSignatureConfirmation/>
        </wsp:Policy>
      </sp:Wss11>
      <sp:Trust13>
        <wsp:Policy>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireClientEntropy/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust13>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="ServicePortBinding_Input_Policy"
  xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
  xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
  xmlns:wsaw="http://www.w3.org/2005/08/addressing"
  xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
  xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
      <sp:SignedParts>
        <sp:Body/>
        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
        <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
        <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
        <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

With these settings we get the following exception on the receiving side (in
our case the service - since we are trying to "upload" data):
WARNING: Interceptor for {http://merge.com/icc/services/test/largedatatransfer/}LargeDataTransfer#{http://merge.com/icc/services/test/largedatatransfer/}Store has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
        at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:270)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:333)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:190)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:127)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:112)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:268)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:318)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The signature or decryption was invalid
        at org.apache.wss4j.dom.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
        at org.apache.wss4j.dom.processor.SignatureProcessor.handleToken(SignatureProcessor.java:224)
        at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:428)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:278)
        ... 34 more

Some options we tried and the conclusions from these options:
1) The exact settings mentioned above work fine with cxf 3.0.5 but not for
3.0.6 - 3.0.11. We have not tried 3.1.x.

2) In cxf 3.0.6, adding <sp:Attachment/> to the <sp:SignedParts> element does not
help; we still get the same exception.

3) In cxf 3.0.6, if we remove <sp:Body/> from the <sp:SignedParts> element
then it works fine.


Any pointers on what is going on here and how to fix it will be greatly
appreciated.

Thanks.



--
View this message in context: 
http://cxf.547215.n5.nabble.com/CXF-3-0-6-MTOM-WS-Security-Exception-tp5774657.html
Sent from the cxf-user mailing list archive at Nabble.com.
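An added policy-review helper, not code from the original post or from Apache CXF, that parses a WS-SecurityPolicy document like the input policy above and reports what each SignedParts / EncryptedParts assertion covers (Body, which headers, Attachments). It embeds the post's own ServicePortBinding_Input_Policy plus a constructed variant (constructed id `Constructed_Attachment_Variant`) using the singular `<sp:Attachment/>` the poster tried; WS-SecurityPolicy 1.2, the 200702 namespace this policy uses, names the attachment part assertion `sp:Attachments`, so the lint reports the singular spelling as an unrecognised part assertion rather than as attachment coverage. Whether CXF 3.0.6 treats MTOM content as covered by a Body-only SignedParts is exactly the open question in the post; the lint only shows what the policy asserts.

```python
"""Lint WS-SecurityPolicy 1.2 (200702) part assertions.

Added review helper, not code from the original post or from Apache CXF.
For every <wsp:Policy> with a wsu:Id it reports what SignedParts and
EncryptedParts cover and flags children that are not part assertions
defined by WS-SecurityPolicy 1.2 (Body, Header, Attachments).
"""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSA = "http://www.w3.org/2005/08/addressing"
WSRM = "http://docs.oasis-open.org/ws-rx/wsrm/200702"


def q(ns, local):
    """Clark-notation tag name as ElementTree reports it."""
    return "{%s}%s" % (ns, local)


def parts_coverage(policy_xml):
    """Map wsu:Id -> {"SignedParts": cov, "EncryptedParts": cov}.

    cov = {"body": bool, "headers": [(namespace, name)], "attachments": bool,
           "unknown": [local names of children that are not part assertions]}
    """
    root = ET.fromstring(policy_xml)
    result = {}
    for pol in root.iter(q(WSP, "Policy")):
        pid = pol.get(q(WSU, "Id"))
        if pid is None:  # nested <wsp:Policy> inside an assertion: skip
            continue
        entry = {}
        for kind in ("SignedParts", "EncryptedParts"):
            for parts in pol.iter(q(SP, kind)):
                cov = entry.setdefault(kind, {"body": False, "headers": [],
                                              "attachments": False, "unknown": []})
                for child in parts:
                    if child.tag == q(SP, "Body"):
                        cov["body"] = True
                    elif child.tag == q(SP, "Header"):
                        cov["headers"].append((child.get("Namespace"), child.get("Name")))
                    elif child.tag == q(SP, "Attachments"):
                        cov["attachments"] = True
                    else:
                        cov["unknown"].append(child.tag.split("}")[-1])
        result[pid] = entry
    return result


def findings(coverage):
    """Human-readable review findings derived from parts_coverage()."""
    out = []
    for pid, entry in coverage.items():
        for kind in ("SignedParts", "EncryptedParts"):
            cov = entry.get(kind)
            if cov is None:
                out.append("%s: no %s assertion" % (pid, kind))
                continue
            if not cov["body"]:
                out.append("%s: %s does not cover the SOAP Body" % (pid, kind))
            if not cov["attachments"]:
                out.append("%s: %s has no sp:Attachments assertion" % (pid, kind))
            for name in cov["unknown"]:
                out.append("%s: %s contains sp:%s, which is not a WS-SP 1.2 part "
                           "assertion (Body, Header, Attachments)" % (pid, kind, name))
    return out


# Constructed sample document: the input policy from the post, plus a
# constructed variant carrying the singular <sp:Attachment/> the poster tried.
_ADDRESSING = ["To", "From", "FaultTo", "ReplyTo", "MessageID", "RelatesTo", "Action"]
_WSRM = ["AckRequested", "SequenceAcknowledgement", "Sequence", "CreateSequence"]
_HEADERS = "".join('<sp:Header Name="%s" Namespace="%s"/>' % (n, WSA) for n in _ADDRESSING)
_HEADERS += "".join('<sp:Header Name="%s" Namespace="%s"/>' % (n, WSRM) for n in _WSRM)

SAMPLE_POLICIES = (
    '<policies xmlns:wsp="%s" xmlns:wsu="%s" xmlns:sp="%s">' % (WSP, WSU, SP)
    + '<wsp:Policy wsu:Id="ServicePortBinding_Input_Policy"><wsp:ExactlyOne><wsp:All>'
    + "<sp:EncryptedParts><sp:Body/></sp:EncryptedParts>"
    + "<sp:SignedParts><sp:Body/>" + _HEADERS + "</sp:SignedParts>"
    + "</wsp:All></wsp:ExactlyOne></wsp:Policy>"
    + '<wsp:Policy wsu:Id="Constructed_Attachment_Variant"><wsp:ExactlyOne><wsp:All>'
    + "<sp:EncryptedParts><sp:Body/></sp:EncryptedParts>"
    + "<sp:SignedParts><sp:Body/><sp:Attachment/></sp:SignedParts>"
    + "</wsp:All></wsp:ExactlyOne></wsp:Policy>"
    + "</policies>"
)

if __name__ == "__main__":
    for line in findings(parts_coverage(SAMPLE_POLICIES)):
        print(line)
```

Run it against a real WSDL by passing the file contents to `parts_coverage()`; the `wsu:Id` of each policy keys the result, so the output maps directly to the `wsp:PolicyReference` ids used in the binding.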