Hi Colm,

Thanks for the help. Please take a look at this XML generated by WebSphere 9 
(with the exception of the ... where I replaced information) and let me know if 
you can think of any workaround. To me it seems that CXF does not parse the 
reference list for the EncryptedKey.

Here is the error also:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <soap:Fault>
            <faultcode xmlns:ns1="http://ws.apache.org/wss4j">ns1:SecurityError</faultcode>
            <faultstring>A security error was encountered when verifying the message Caused by: EncryptedKey/EncryptedData does not contain ds:KeyInfo</faultstring>
            <detail>
                <stackTrace xmlns="http://cxf.apache.org/fault">Caused by: org.apache.wss4j.common.ext.WSSecurityException: EncryptedKey/EncryptedData does not contain ds:KeyInfo
#*#org.apache.wss4j.dom.processor.EncryptedDataProcessor!handleToken!EncryptedDataProcessor.java!75#*#org.apache.wss4j.dom.engine.WSSecurityEngine!processSecurityHeader!WSSecurityEngine.java!340#*#org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor!handleMessageInternal!WSS4JInInterceptor.java!284#*#org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor!handleMessage!WSS4JInInterceptor.java!175#*#org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor!handleMessage!WSS4JInInterceptor.java!86#*#org.apache.cxf.phase.PhaseInterceptorChain!doIntercept!PhaseInterceptorChain.java!308#*#org.apache.cxf.transport.ChainInitiationObserver!onMessage!ChainInitiationObserver.java!121#*#org.apache.cxf.transport.http.AbstractHTTPDestination!invoke!AbstractHTTPDestination.java!267#*#org.apache.cxf.transport.servlet.ServletController!invokeDestination!ServletController.java!234#*#org.apache.cxf.transport.servlet.ServletController!invoke!ServletController.java!208#*#org.apache.cxf.transport.servlet.ServletController!invoke!ServletController.java!160#*#org.apache.cxf.transport.servlet.CXFNonSpringServlet!invoke!CXFNonSpringServlet.java!191#*#org.apache.cxf.transport.servlet.AbstractHTTPServlet!handleRequest!AbstractHTTPServlet.java!301#*#org.apache..cxf.transport.servlet.AbstractHTTPServlet!doPost!AbstractHTTPServlet.java!220#*#javax.servlet.http.HttpServlet!service!HttpServlet.java!648#*#org..apache.cxf.transport.servlet.AbstractHTTPServlet!service!AbstractHTTPServlet.java!276#*#org.apache.catalina.core.ApplicationFilterChain!internalDoFilter!ApplicationFilterChain.java!291#*#org.apache.catalina.core.ApplicationFilterChain!doFilter!ApplicationFilterChain.java!206#*#org.apache.tomcat.websocket.server.WsFilter!doFilter!WsFilter.java!52#*#org.apache.catalina.core.ApplicationFilterChain!internalDoFilter!ApplicationFilterChain..java!239#*#org.apache.catalina.core.ApplicationFilterChain!doFilter!ApplicationFilterChain.java!206#*#org.apache.catalina.core.StandardWrapperValve!invoke!StandardWrapperV
alve.java!212#*#org.apache.catalina.core.StandardContextValve!invoke!StandardContextValve.java!106#*#org.apache.catalina..authenticator.AuthenticatorBase!invoke!AuthenticatorBase.java!502#*#org.apache.catalina.core.StandardHostValve!invoke!StandardHostValve.java!141#*#org.apache.catalina.valves.ErrorReportValve!invoke!ErrorReportValve.java!79#*#org.apache.catalina.valves.AbstractAccessLogValve!invoke!AbstractAccessLogValve.java!616#*#org.apache.catalina.core.StandardEngineValve!invoke!StandardEngineValve.java!88#*#org.apache.catalina.connector.CoyoteAdapter!service!CoyoteAdapter.java!521#*#org.apache.coyote.http11.AbstractHttp11Processor!process!AbstractHttp11Processor.java!1096#*#org.apache.coyote.AbstractProtocol$AbstractConnectionHandler!process!AbstractProtocol.java!674#*#org.apache.tomcat.util.net.NioEndpoint$SocketProcessor!doRun!NioEndpoint.java!1500#*#org.apache.tomcat.util.net.NioEndpoint$SocketProcessor!run!NioEndpoint.java!1456#*#java.util.concurrent.ThreadPoolExecutor!runWorker!ThreadPoolExecutor.java!1149#*#java.util.concurrent.ThreadPoolExecutor$Worker!run!ThreadPoolExecutor.java!624#*#org.apache.tomcat.util.threads.TaskThread$WrappingRunnable!run!TaskThread.java!61#*#java.lang.Thread!run!Thread.java!748#*#</stackTrace>
            </detail>
        </soap:Fault>
    </soap:Body>

Mark

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Header>
        <wsse:Security
                xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                soapenv:mustUnderstand="1">
            <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
                    Id="wssecurity_encryption_id_24"
                    Type="http://www.w3.org/2001/04/xmlenc#Element">
                <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
                <enc:CipherData>
                    <enc:CipherValue>...</enc:CipherValue>
                </enc:CipherData>
            </enc:EncryptedData>
            <wsse:BinarySecurityToken
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    wsu:Id="x509bst_22"
                    EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">...</wsse:BinarySecurityToken>
            <wsse:UsernameToken
                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                    wsu:Id="unt_20">
                <wsse:Username>...</wsse:Username>
                <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">...</wsse:Password>
            </wsse:UsernameToken>
            <enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
                <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></enc:EncryptionMethod>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <wsse:SecurityTokenReference>
                        <ds:X509Data>
                            <ds:X509IssuerSerial>
                                <ds:X509IssuerName>...</ds:X509IssuerName>
                                <ds:X509SerialNumber>...</ds:X509SerialNumber>
                            </ds:X509IssuerSerial>
                        </ds:X509Data>
                    </wsse:SecurityTokenReference>
                </ds:KeyInfo>
                <enc:CipherData>
                    <enc:CipherValue>...</enc:CipherValue>
                </enc:CipherData>
                <enc:ReferenceList>
                    <enc:DataReference URI="#wssecurity_encryption_id_24"></enc:DataReference>
                    <enc:DataReference URI="#wssecurity_encryption_id_25"></enc:DataReference>
                    <enc:DataReference URI="#wssecurity_encryption_id_26"></enc:DataReference>
                </enc:ReferenceList>
            </enc:EncryptedKey>
            <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
                    Id="wssecurity_encryption_id_25"
                    Type="http://www.w3.org/2001/04/xmlenc#Element">
                <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
                <enc:CipherData>
                    <enc:CipherValue>...</enc:CipherValue>
                </enc:CipherData>
            </enc:EncryptedData>
        </wsse:Security>
    </soapenv:Header>
    <soapenv:Body
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="wssecurity_signature_id_21">
        <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
                Id="wssecurity_encryption_id_26"
                Type="http://www.w3.org/2001/04/xmlenc#Content">
            <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
            <enc:CipherData>
                <enc:CipherValue>...</enc:CipherValue>
            </enc:CipherData>
        </enc:EncryptedData>
    </soapenv:Body>
</soapenv:Envelope>

-----Original Message-----
From: Colm O hEigeartaigh [mailto:cohei...@apache.org] 
Sent: Tuesday, October 17, 2017 5:31 AM
To: users@cxf.apache.org
Subject: Re: Websphere 9 and CXF

Can you give an example of the WebSphere request that CXF does not parse 
correctly?

Colm.

On Mon, Oct 16, 2017 at 10:14 PM, <markfu...@yahoo.com.invalid> wrote:

> Hi,
>
> I am trying to get the WebSphere 9 container's built-in security 
> engine to programmatically generate a SOAP JAX-WS secure client 
> request to a CXF web service.
>
> The problem is that WebSphere's engine is not repeating the 
> EncryptedKey under each EncryptedData element and is using a reference 
> list to minimize how many times this information is in the message.
>
> However, CXF 3.2.0 and 3.1.7 do not seem to parse the EncryptedKey info 
> from the reference list and replace them. So it reports the 
> EncryptedData has no keyInfo element.
>
> It seems to be an optimization on IBM's end that Apache CXF has not 
> implemented.
>
> Let me know if anyone has had this problem.
>
> Thanks in advance,
>
> Mark
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
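
A diagnostic for the message layout discussed in this thread, added here as an example (it is not code from CXF, WSS4J, or either poster). It lists every enc:EncryptedData, whether it carries its own ds:KeyInfo, whether an enc:EncryptedKey ReferenceList points at it, and whether it sits in the Security header ahead of that EncryptedKey. The function name, the record fields, and the assumption that a receiver handles Security header children in document order are mine; the sample message is constructed to mirror the structure of the request above.

```python
import xml.etree.ElementTree as ET

ENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"

# Constructed sample: same element layout as the request in the thread, contents elided.
SAMPLE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:wsse="{WSSE}" xmlns:enc="{ENC}" xmlns:ds="{DS}">
 <s:Header><wsse:Security>
  <enc:EncryptedData Id="wssecurity_encryption_id_24"><enc:CipherData/></enc:EncryptedData>
  <enc:EncryptedKey>
   <ds:KeyInfo><wsse:SecurityTokenReference/></ds:KeyInfo>
   <enc:ReferenceList>
    <enc:DataReference URI="#wssecurity_encryption_id_24"/>
    <enc:DataReference URI="#wssecurity_encryption_id_25"/>
    <enc:DataReference URI="#wssecurity_encryption_id_26"/>
   </enc:ReferenceList>
  </enc:EncryptedKey>
  <enc:EncryptedData Id="wssecurity_encryption_id_25"><enc:CipherData/></enc:EncryptedData>
 </wsse:Security></s:Header>
 <s:Body><enc:EncryptedData Id="wssecurity_encryption_id_26"><enc:CipherData/></enc:EncryptedData></s:Body>
</s:Envelope>"""

def audit_encrypted_data(xml_text):
    """Return one record per enc:EncryptedData, in document order."""
    root = ET.fromstring(xml_text)
    security = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security")
    header_children = list(security) if security is not None else []
    # Map each referenced Id to the header position of the EncryptedKey that lists it.
    key_pos = {}
    for pos, child in enumerate(header_children):
        if child.tag == f"{{{ENC}}}EncryptedKey":
            for ref in child.iterfind(f"{{{ENC}}}ReferenceList/{{{ENC}}}DataReference"):
                key_pos[ref.get("URI", "").lstrip("#")] = pos
    records = []
    for ed in root.iter(f"{{{ENC}}}EncryptedData"):
        ed_id = ed.get("Id")
        in_header = ed in header_children
        records.append({
            "id": ed_id,
            "has_key_info": ed.find(f"{{{DS}}}KeyInfo") is not None,
            "referenced_by_encrypted_key": ed_id in key_pos,
            # Assumption: a receiver walking the Security header top to bottom meets
            # this EncryptedData before the EncryptedKey that references it.
            "precedes_its_key": in_header and ed_id in key_pos
                                and header_children.index(ed) < key_pos[ed_id],
        })
    return records
```

On the sample, all three EncryptedData elements lack ds:KeyInfo and are referenced from the EncryptedKey, and only wssecurity_encryption_id_24 precedes its key in the header.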
