Hi,
I have CXF configured server side with spring and enabled UsernameToken
authentication:
<bean id="publicWebServicePasswordInterceptor"
      class="org.apache.cxf.ws.security.wss4j.WSS4JStaxInInterceptor">
    <constructor-arg>
        <map>
            <entry key="action" value="UsernameToken" />
            <entry key="passwordType" value="PasswordText" />
            <entry key="passwordCallbackRef">
                <ref bean="publicWebServicePasswordHandler"/>
            </entry>
        </map>
    </constructor-arg>
</bean>
<jaxws:inInterceptors>
    <ref bean="publicWebServicePasswordInterceptor"/>
</jaxws:inInterceptors>
This works when the SOAP client is created with CXF. However, when I use
SoapUI to test the web service, I always get the following error in the
SOAP server:
"Security processing failed (actions mismatch)"
With some debugging I noticed that the "incomingSecurityEventList" is
empty when
From StaxActionInInterceptor:
public void handleMessage(SoapMessage soapMessage)
{
    [SNIP]
    ...
    List<SecurityEvent> incomingSecurityEventList =
        (List)soapMessage.get(SecurityEvent.class.getName() + ".in");
    ...
This is why a few lines later a SoapFault exception is thrown because
the incomingSecurityEventList should not be empty.
If I use the CXF SOAP client (which works), the
incomingSecurityEventList contains the following object:
org.apache.wss4j.stax.securityEvent.UsernameTokenSecurityEvent
It might be that the SOAP call from SoapUI is incorrect or that
something is missing but I have not figured out why this is not working.
I hope someone can tell me what's not correct with the SOAP call from
SoapUI:
SOAP call from SoapUI (from tcpdump):
POST /usersws HTTP/1.1
Content-Type: text/xml;charset=UTF-8
SOAPAction: ""
Content-Length: 829
Host: 127.0.0.1:9009
Connection: Keep-Alive
User-Agent: Apache-HttpClient/4.1.1 (java 1.5)
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws="http://ws.djigzo.application.mitm/">
<soapenv:Header><wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:UsernameToken
wsu:Id="UsernameToken-A74ECD7A71C7695F3D148438453965395"><wsse:Username>admin</wsse:Username><wsse:Password
Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">password</wsse:Password></wsse:UsernameToken></wsse:Security></soapenv:Header>
<soapenv:Body>
<ws:isUser>
<!--Optional:-->
<email>?</email>
</ws:isUser>
</soapenv:Body>
</soapenv:Envelope>
I have tested it with CXF 3.0.9 and with 3.0.12.
Any idea why this is not working?
Kind regards,
Martijn Brinkers
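
Added example (not part of the original post, and not CXF or WSS4J code): a namespace-aware check that lists which WS-Security tokens a request carries, so the SoapUI request and the CXF client request can be compared field by field. The envelope is a constructed sample modelled on the request in the post; split_tag, inspect_security_header and the result keys are names chosen for this example.

```python
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = OASIS + "wssecurity-secext-1.0.xsd"
WSU = OASIS + "wssecurity-utility-1.0.xsd"
NS = {"soap": SOAP, "wsse": WSSE, "wsu": WSU}

# Constructed sample modelled on the request in the post (not the captured bytes).
SAMPLE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP}">
 <soapenv:Header>
  <wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">
   <wsse:UsernameToken wsu:Id="UsernameToken-1">
    <wsse:Username>admin</wsse:Username>
    <wsse:Password Type="{OASIS}username-token-profile-1.0#PasswordText">password</wsse:Password>
   </wsse:UsernameToken>
  </wsse:Security>
 </soapenv:Header>
 <soapenv:Body/>
</soapenv:Envelope>"""

def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag form into (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def inspect_security_header(envelope_xml):
    """List the tokens inside soap:Header/wsse:Security without returning secrets."""
    # SOAP messages carry no DTD, so refuse one before handing the text to the parser.
    if "<!DOCTYPE" in envelope_xml:
        raise ValueError("DOCTYPE is not allowed in a SOAP message")
    root = ET.fromstring(envelope_xml)
    headers = root.findall("soap:Header/wsse:Security", NS)
    if split_tag(root.tag) != (SOAP, "Envelope") or not headers:
        return [{"problem": "no SOAP 1.1 envelope with wsse:Security in the expected namespace"}]
    findings = []
    for sec in headers:
        for child in sec:
            ns, local = split_tag(child.tag)
            entry = {"token": local, "namespace_ok": ns == WSSE,
                     "must_understand": sec.get(f"{{{SOAP}}}mustUnderstand")}
            if local == "UsernameToken":
                pw = child.find("wsse:Password", NS)
                entry["username"] = child.findtext("wsse:Username", namespaces=NS)
                entry["password_type"] = None if pw is None else pw.get("Type", "").rpartition("#")[2]
                entry["has_nonce"] = child.find("wsse:Nonce", NS) is not None
                entry["has_created"] = child.find("wsu:Created", NS) is not None
            findings.append(entry)
    return findings
```

Running it over both requests and comparing the two result lists shows any structural difference in the security header without printing the password.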