The Basic Security Profile mandates that EncryptedData structures must come
after EncryptedKey structures that reference them:

http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html#EncryptedKey_Precedes_EncryptedData

Your best bet is to re-order the header on the receiving side so that the
EncryptedKey comes before the EncryptedData, if this does not break
signature verification.

Colm.

On Tue, Oct 24, 2017 at 2:58 PM, <markfu...@yahoo.com> wrote:

> Hi Colm,
>
> The websphere support forum is telling me that the order of the security
> header should not matter and there is no way to change the order in
> websphere.
>
> Is there any workaround or facility for class implementation/overriding we
> can do with CXF to support this?
>
> Mark
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Wednesday, October 18, 2017 6:57 AM
> To: users@cxf.apache.org
> Subject: Re: Websphere 9 and CXF
>
> The problem here is that the EncryptedKey structure, which contains the
> ReferenceList pointing to the first EncryptedData structure, is below the
> EncryptedData structure. WSS4J parses the security header in order, and so
> when it hits the first EncryptedData structure it does not know how to
> decrypt it. This is a problem with websphere - the ReferenceList or
> EncryptedKey/ReferenceList must be above the EncryptedData element.
>
> Colm.
>
> On Tue, Oct 17, 2017 at 1:08 PM, <markfu...@yahoo.com.invalid> wrote:
>
> > Hi Colm,
> >
> > Thanks for the help.  Please take a look at this xml generated by
> > websphere 9 (with the exception of the ... where I replaced information)
> > and let me know if you can think of any workaround.   To me it seems that
> > CXF does not parse the reference list for the EncryptedKey.
> >
> > Here is the error also:
> >
> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> >     <soap:Body>
> >         <soap:Fault>
> >             <faultcode xmlns:ns1="http://ws.apache.org/wss4j">ns1:SecurityError</faultcode>
> >             <faultstring>A security error was encountered when
> > verifying the message Caused by: EncryptedKey/EncryptedData does not
> > contain ds:KeyInfo</faultstring>
> >             <detail>
> >                 <stackTrace xmlns="http://cxf.apache.org/fault">Caused
> > by: org.apache.wss4j.common.ext.WSSecurityException:
> > EncryptedKey/EncryptedData does not contain ds:KeyInfo
> > #*#org.apache.wss4j.dom.processor.EncryptedDataProcessor!handleToken!EncryptedDataProcessor.java!75
> > #*#org.apache.wss4j.dom.engine.WSSecurityEngine!processSecurityHeader!WSSecurityEngine.java!340
> > #*#org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor!handleMessageInternal!WSS4JInInterceptor.java!284
> > #*#org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor!handleMessage!WSS4JInInterceptor.java!175
> > #*#org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor!handleMessage!WSS4JInInterceptor.java!86
> > #*#org.apache.cxf.phase.PhaseInterceptorChain!doIntercept!PhaseInterceptorChain.java!308
> > #*#org.apache.cxf.transport.ChainInitiationObserver!onMessage!ChainInitiationObserver.java!121
> > #*#org.apache.cxf.transport.http.AbstractHTTPDestination!invoke!AbstractHTTPDestination.java!267
> > #*#org.apache.cxf.transport.servlet.ServletController!invokeDestination!ServletController.java!234
> > #*#org.apache.cxf.transport.servlet.ServletController!invoke!ServletController.java!208
> > #*#org.apache.cxf.transport.servlet.ServletController!invoke!ServletController.java!160
> > #*#org.apache.cxf.transport.servlet.CXFNonSpringServlet!invoke!CXFNonSpringServlet.java!191
> > #*#org.apache.cxf.transport.servlet.AbstractHTTPServlet!handleRequest!AbstractHTTPServlet.java!301
> > #*#org.apache.cxf.transport.servlet.AbstractHTTPServlet!doPost!AbstractHTTPServlet.java!220
> > #*#javax.servlet.http.HttpServlet!service!HttpServlet.java!648
> > #*#org.apache.cxf.transport.servlet.AbstractHTTPServlet!service!AbstractHTTPServlet.java!276
> > #*#org.apache.catalina.core.ApplicationFilterChain!internalDoFilter!ApplicationFilterChain.java!291
> > #*#org.apache.catalina.core.ApplicationFilterChain!doFilter!ApplicationFilterChain.java!206
> > #*#org.apache.tomcat.websocket.server.WsFilter!doFilter!WsFilter.java!52
> > #*#org.apache.catalina.core.ApplicationFilterChain!internalDoFilter!ApplicationFilterChain.java!239
> > #*#org.apache.catalina.core.ApplicationFilterChain!doFilter!ApplicationFilterChain.java!206
> > #*#org.apache.catalina.core.StandardWrapperValve!invoke!StandardWrapperValve.java!212
> > #*#org.apache.catalina.core.StandardContextValve!invoke!StandardContextValve.java!106
> > #*#org.apache.catalina.authenticator.AuthenticatorBase!invoke!AuthenticatorBase.java!502
> > #*#org.apache.catalina.core.StandardHostValve!invoke!StandardHostValve.java!141
> > #*#org.apache.catalina.valves.ErrorReportValve!invoke!ErrorReportValve.java!79
> > #*#org.apache.catalina.valves.AbstractAccessLogValve!invoke!AbstractAccessLogValve.java!616
> > #*#org.apache.catalina.core.StandardEngineValve!invoke!StandardEngineValve.java!88
> > #*#org.apache.catalina.connector.CoyoteAdapter!service!CoyoteAdapter.java!521
> > #*#org.apache.coyote.http11.AbstractHttp11Processor!process!AbstractHttp11Processor.java!1096
> > #*#org.apache.coyote.AbstractProtocol$AbstractConnectionHandler!process!AbstractProtocol.java!674
> > #*#org.apache.tomcat.util.net.NioEndpoint$SocketProcessor!doRun!NioEndpoint.java!1500
> > #*#org.apache.tomcat.util.net.NioEndpoint$SocketProcessor!run!NioEndpoint.java!1456
> > #*#java.util.concurrent.ThreadPoolExecutor!runWorker!ThreadPoolExecutor.java!1149
> > #*#java.util.concurrent.ThreadPoolExecutor$Worker!run!ThreadPoolExecutor.java!624
> > #*#org.apache.tomcat.util.threads.TaskThread$WrappingRunnable!run!TaskThread.java!61
> > #*#java.lang.Thread!run!Thread.java!748#*#</stackTrace>
> >             </detail>
> >         </soap:Fault>
> >     </soap:Body>
> >
> > Mark
> >
> > <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
> >     <soapenv:Header>
> >         <wsse:Security
> >             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >             soapenv:mustUnderstand="1">
> >             <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
> >                 Id="wssecurity_encryption_id_24"
> >                 Type="http://www.w3.org/2001/04/xmlenc#Element">
> >                 <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
> >                 <enc:CipherData>
> >                     <enc:CipherValue>...</enc:CipherValue>
> >                 </enc:CipherData>
> >             </enc:EncryptedData>
> >             <wsse:BinarySecurityToken
> >                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >                 wsu:Id="x509bst_22"
> >                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> >                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3">...</wsse:BinarySecurityToken>
> >             <wsse:UsernameToken
> >                 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >                 wsu:Id="unt_20">
> >                 <wsse:Username>...</wsse:Username>
> >                 <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">...</wsse:Password>
> >             </wsse:UsernameToken>
> >             <enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
> >                 <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"></enc:EncryptionMethod>
> >                 <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >                     <wsse:SecurityTokenReference>
> >                         <ds:X509Data>
> >                             <ds:X509IssuerSerial>
> >                                 <ds:X509IssuerName>...</ds:X509IssuerName>
> >                                 <ds:X509SerialNumber>...</ds:X509SerialNumber>
> >                             </ds:X509IssuerSerial>
> >                         </ds:X509Data>
> >                     </wsse:SecurityTokenReference>
> >                 </ds:KeyInfo>
> >                 <enc:CipherData>
> >                     <enc:CipherValue>...</enc:CipherValue>
> >                 </enc:CipherData>
> >                 <enc:ReferenceList>
> >                     <enc:DataReference URI="#wssecurity_encryption_id_24"></enc:DataReference>
> >                     <enc:DataReference URI="#wssecurity_encryption_id_25"></enc:DataReference>
> >                     <enc:DataReference URI="#wssecurity_encryption_id_26"></enc:DataReference>
> >                 </enc:ReferenceList>
> >             </enc:EncryptedKey>
> >             <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
> >                 Id="wssecurity_encryption_id_25"
> >                 Type="http://www.w3.org/2001/04/xmlenc#Element">
> >                 <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
> >                 <enc:CipherData>
> >                     <enc:CipherValue>...</enc:CipherValue>
> >                 </enc:CipherData>
> >             </enc:EncryptedData>
> >         </wsse:Security>
> >     </soapenv:Header>
> >     <soapenv:Body
> >         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >         wsu:Id="wssecurity_signature_id_21">
> >         <enc:EncryptedData xmlns:enc="http://www.w3.org/2001/04/xmlenc#"
> >             Id="wssecurity_encryption_id_26"
> >             Type="http://www.w3.org/2001/04/xmlenc#Content">
> >             <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"></enc:EncryptionMethod>
> >             <enc:CipherData>
> >                 <enc:CipherValue>...</enc:CipherValue>
> >             </enc:CipherData>
> >         </enc:EncryptedData>
> >     </soapenv:Body>
> > </soapenv:Envelope>
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> > Sent: Tuesday, October 17, 2017 5:31 AM
> > To: users@cxf.apache.org
> > Subject: Re: Websphere 9 and CXF
> >
> > Can you give an example of the websphere request that CXF does not
> > parse correctly?
> >
> > Colm.
> >
> > On Mon, Oct 16, 2017 at 10:14 PM, <markfu...@yahoo.com.invalid> wrote:
> >
> > > Hi,
> > >
> > > I am trying to get the websphere 9 container's built-in security
> > > engine to programmatically generate a soap JAX-WS secure client
> > > request to a CXF web service.
> > >
> > > The problem is that websphere's engine is not repeating the
> > > EncryptedKey under each EncryptedData element and is using a
> > > reference list to minimize how many times this information is in the
> > > message.
> > >
> > > However, CXF 3.2.0 and 3.1.7 do not seem to parse the EncryptedKey
> > > Info from the reference list and replace them.  So it reports the
> > > EncryptedData has no keyInfo element.
> > >
> > > It seems to be an optimization on IBM's end that Apache CXF has not
> > > implemented.
> > >
> > > Let me know if anyone has had this problem.
> > >
> > > Thanks in advance,
> > >
> > > Mark
> > >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
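The receiving-side re-ordering Colm suggests, written out as a CXF SOAP interceptor. This is an added example, not code from the thread, from CXF or from WSS4J: it runs in the PRE_PROTOCOL phase ahead of WSS4JInInterceptor, walks the children of the wsse:Security header, and moves every xenc:EncryptedKey in front of the earliest preceding xenc:EncryptedData that its ReferenceList points at, which is exactly the ordering the Basic Security Profile requires and that WSS4J's in-order parsing depends on. The class name EncryptedKeyFirstInterceptor is mine, and so is the assumption that the DOM Element behind CXF's Header object is the same tree WSS4J later processes; registering the interceptor before SAAJInInterceptor is what is meant to make that hold, and it should be checked against the CXF version in use. As Colm says, this is only viable when the Security header itself is not covered by a signature, because moving signed nodes breaks verification.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.xml.namespace.QName;

import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.headers.Header;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/**
 * Added example (hypothetical class, not part of CXF): re-orders the
 * wsse:Security header on the receiving side so that each xenc:EncryptedKey
 * precedes the xenc:EncryptedData elements its ReferenceList refers to.
 * Assumption: the Element exposed by CXF's Header is the DOM that WSS4J
 * processes, which is why this runs before SAAJInInterceptor as well.
 */
public class EncryptedKeyFirstInterceptor extends AbstractSoapInterceptor {

    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";
    private static final QName SECURITY_HEADER = new QName(WSSE_NS, "Security");

    public EncryptedKeyFirstInterceptor() {
        super(Phase.PRE_PROTOCOL);
        // Run before the SAAJ model is built and before WSS4J parses the header.
        addBefore(SAAJInInterceptor.class.getName());
        addBefore(WSS4JInInterceptor.class.getName());
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        Header header = message.getHeader(SECURITY_HEADER);
        if (header == null || !(header.getObject() instanceof Element)) {
            return; // no DOM wsse:Security header on this message; nothing to do
        }
        reorder((Element) header.getObject());
    }

    /**
     * Moves each EncryptedKey that appears after an EncryptedData it references
     * in front of that EncryptedData. Returns the number of keys moved.
     */
    static int reorder(Element security) {
        List<Element> dataSeenSoFar = new ArrayList<>();
        List<Element[]> moves = new ArrayList<>(); // pairs of {key, insertBeforeTarget}
        for (Node n = security.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() != Node.ELEMENT_NODE || !XENC_NS.equals(n.getNamespaceURI())) {
                continue; // tokens such as BinarySecurityToken/UsernameToken stay where they are
            }
            Element e = (Element) n;
            if ("EncryptedData".equals(e.getLocalName())) {
                dataSeenSoFar.add(e);
            } else if ("EncryptedKey".equals(e.getLocalName())) {
                Element target = earliestReferenced(e, dataSeenSoFar);
                if (target != null) {
                    moves.add(new Element[] {e, target}); // key is below data it decrypts
                }
            }
        }
        // Apply after the scan so the sibling walk above is not disturbed.
        // insertBefore detaches a node already in the tree, so this is a move.
        for (Element[] m : moves) {
            security.insertBefore(m[0], m[1]);
        }
        return moves.size();
    }

    /**
     * Returns the first EncryptedData among those already seen whose Id is
     * listed in the key's ReferenceList (URI="#id"), or null if none is.
     * The Id is the unqualified xenc Id attribute, as in the message above.
     */
    static Element earliestReferenced(Element key, List<Element> precedingData) {
        Set<String> referencedIds = new HashSet<>();
        NodeList refs = key.getElementsByTagNameNS(XENC_NS, "DataReference");
        for (int i = 0; i < refs.getLength(); i++) {
            String uri = ((Element) refs.item(i)).getAttribute("URI");
            if (uri.startsWith("#")) {
                referencedIds.add(uri.substring(1));
            }
        }
        for (Element data : precedingData) {
            if (referencedIds.contains(data.getAttribute("Id"))) {
                return data;
            }
        }
        return null;
    }
}
```

Register it on the service endpoint, for instance with `endpoint.getInInterceptors().add(new EncryptedKeyFirstInterceptor())` or via `<jaxws:inInterceptors>` in the Spring configuration. On the header quoted in the thread it moves the single EncryptedKey in front of the EncryptedData with Id wssecurity_encryption_id_24, while the EncryptedData with Id wssecurity_encryption_id_25 and the one in the Body are already after the key and are left alone; keys whose ReferenceList points only at later elements are not touched either.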
