All I can suggest is to add the CXF logging interceptors and enable debug logging. Then see what the "inbound" message is (and whether it is on the client or service side) that is causing the problem.

Colm.

On Fri, Nov 3, 2017 at 1:26 PM, Morein, Arnie <[email protected]> wrote:

> What about a SOAP handler? Or is something else missing or mis-configured?
>
> -----Original Message-----
> From: Morein, Arnie
> Sent: Friday, November 03, 2017 8:13 AM
> To: [email protected]; '[email protected]'
> Subject: RE: Help with configuring web service to match security from WSDL
>
> No.
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Friday, November 03, 2017 8:12 AM
> To: Morein, Arnie
> Cc: [email protected]
> Subject: Re: Help with configuring web service to match security from WSDL
>
> Do you have a test-case I can take a look at?
>
> Colm.
>
> On Fri, Nov 3, 2017 at 1:07 PM, Morein, Arnie <[email protected]> wrote:
>
> > Yes, in fact most of the CXF package is imported via Maven.
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Friday, November 03, 2017 8:03 AM
> > To: Morein, Arnie
> > Cc: [email protected]
> > Subject: Re: Help with configuring web service to match security from WSDL
> >
> > Have you got the cxf-rt-ws-policy on the classpath?
> >
> > Colm.
> >
> > On Fri, Nov 3, 2017 at 12:53 PM, Morein, Arnie <[email protected]> wrote:
> >
> > > That's what I was afraid of. I removed the registration of the
> > > interceptors and now am getting:
> > >
> > > org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood.
> > >
> > > Both without and with the following properties added to the end point:
> > >
> > > <jaxws:properties>
> > >   <entry key="security.callback-handler.sct"
> > >     value="gov.uscis.uscis.xsd.esb.authentication.AuthenticationServicePasswordCallback" />
> > >   <entry key="security.signature.properties.sct"
> > >     value="cxf/crypto.properties" />
> > >   <entry key="security.encryption.username.sct"
> > >     value="dls-vls-mock-service-client-key" />
> > > </jaxws:properties>
> > >
> > > I must say, the documentation is very vague in places. I'm assuming
> > > that "username" is the JKS alias of the key used to sign/etc. the messages.
> > >
> > > So what have I left out now?
> > >
> > > What's more confusing is that the WAR containing the mock service is
> > > running in the same VM on my machine as the client. I deploy the
> > > service first (no errors) and then the client, then it attempts to
> > > connect. The logging doesn't clearly indicate if the exception is
> > > coming from the client or the server. Could that be the case?
> > >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:[email protected]]
> > > Sent: Friday, November 03, 2017 3:17 AM
> > > To: [email protected]
> > > Subject: Re: Help with configuring web service to match security from WSDL
> > >
> > > Hi,
> > >
> > > You are mixing up the two different ways of configuring WS-Security in CXF.
> > > When there is a security policy available, then you don't manually
> > > configure the WSS4JInInterceptor or WSS4JOutInterceptors. They are
> > > used when there is no security policy and you have to manually tell
> > > CXF what WS-Security actions to perform. Instead the configuration
> > > is a lot simpler for the policy case.
> > >
> > > I'd suggest you look at the example test-case for
> > > WS-SecureConversation in the CXF source:
> > >
> > > https://github.com/apache/cxf/blob/master/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/secconv/SecureConversationTest.java
> > >
> > > In particular, the service configuration is here:
> > >
> > > https://github.com/apache/cxf/blob/master/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/server.xml
> > >
> > > Colm.
> > >
> > > On Fri, Nov 3, 2017 at 2:43 AM, Morein, Arnie <[email protected]> wrote:
> > >
> > > > I have created a mock service based on a WSDL from a vendor that
> > > > is already in use.
> > > >
> > > > One of the calls requires that the message be
> > > > timestamped/signed/encrypted before transmission.
> > > >
> > > > The real service provider issued an X.509 certificate for our use.
> > > > I have had our internal folks issue one like it with the same extensions.
> > > >
> > > > Everything is in place, but when the client app hits my mock
> > > > service, it gets an error that is neither clear nor helpful:
> > > >
> > > > org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message ...
> > > > Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
> > > >
> > > > Digging into the CXF trace log, I barely managed to find these:
> > > >
> > > > 2017-11-02 19:49:52.018 DEBUG [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor] WSS4JInInterceptor: enter handleMessage()
> > > > 2017-11-02 19:49:54.037 WARN [org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor] Security processing failed (actions mismatch)
> > > >
> > > > The messages are being generated by CXF (wsdl2java situation).
> > > >
> > > > The WSDL policy section is thus:
> > > >
> > > > <wsp:Policy wsu:Id="wsHttpEndPoint_policy">
> > > >   <wsp:ExactlyOne>
> > > >     <wsp:All>
> > > >       <sp:TransportBinding
> > > >         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <wsp:Policy>
> > > >           <sp:TransportToken>
> > > >             <wsp:Policy>
> > > >               <sp:HttpsToken RequireClientCertificate="false" />
> > > >             </wsp:Policy>
> > > >           </sp:TransportToken>
> > > >           <sp:AlgorithmSuite>
> > > >             <wsp:Policy>
> > > >               <sp:Basic256 />
> > > >             </wsp:Policy>
> > > >           </sp:AlgorithmSuite>
> > > >           <sp:Layout>
> > > >             <wsp:Policy>
> > > >               <sp:Strict />
> > > >             </wsp:Policy>
> > > >           </sp:Layout>
> > > >           <sp:IncludeTimestamp />
> > > >         </wsp:Policy>
> > > >       </sp:TransportBinding>
> > > >       <sp:EndorsingSupportingTokens
> > > >         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <wsp:Policy>
> > > >           <sp:SecureConversationToken
> > > >             sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > >             <wsp:Policy>
> > > >               <sp:BootstrapPolicy>
> > > >                 <wsp:Policy>
> > > >                   <sp:SignedParts>
> > > >                     <sp:Body />
> > > >                     <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
> > > >                     <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
> > > >                     <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > > >                     <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > > >                     <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
> > > >                     <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > > >                     <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
> > > >                   </sp:SignedParts>
> > > >                   <sp:EncryptedParts>
> > > >                     <sp:Body />
> > > >                   </sp:EncryptedParts>
> > > >                   <sp:TransportBinding>
> > > >                     <wsp:Policy>
> > > >                       <sp:TransportToken>
> > > >                         <wsp:Policy>
> > > >                           <sp:HttpsToken RequireClientCertificate="false" />
> > > >                         </wsp:Policy>
> > > >                       </sp:TransportToken>
> > > >                       <sp:AlgorithmSuite>
> > > >                         <wsp:Policy>
> > > >                           <sp:Basic256 />
> > > >                         </wsp:Policy>
> > > >                       </sp:AlgorithmSuite>
> > > >                       <sp:Layout>
> > > >                         <wsp:Policy>
> > > >                           <sp:Strict />
> > > >                         </wsp:Policy>
> > > >                       </sp:Layout>
> > > >                       <sp:IncludeTimestamp />
> > > >                     </wsp:Policy>
> > > >                   </sp:TransportBinding>
> > > >                   <sp:EndorsingSupportingTokens>
> > > >                     <wsp:Policy>
> > > >                       <sp:X509Token
> > > >                         sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > > >                         <wsp:Policy>
> > > >                           <sp:RequireThumbprintReference />
> > > >                           <sp:WssX509V3Token10 />
> > > >                         </wsp:Policy>
> > > >                       </sp:X509Token>
> > > >                       <sp:SignedParts>
> > > >                         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
> > > >                       </sp:SignedParts>
> > > >                     </wsp:Policy>
> > > >                   </sp:EndorsingSupportingTokens>
> > > >                   <sp:Wss11>
> > > >                     <wsp:Policy>
> > > >                       <sp:MustSupportRefThumbprint />
> > > >                     </wsp:Policy>
> > > >                   </sp:Wss11>
> > > >                   <sp:Trust10>
> > > >                     <wsp:Policy>
> > > >                       <sp:MustSupportIssuedTokens />
> > > >                       <sp:RequireClientEntropy />
> > > >                       <sp:RequireServerEntropy />
> > > >                     </wsp:Policy>
> > > >                   </sp:Trust10>
> > > >                 </wsp:Policy>
> > > >               </sp:BootstrapPolicy>
> > > >             </wsp:Policy>
> > > >           </sp:SecureConversationToken>
> > > >         </wsp:Policy>
> > > >       </sp:EndorsingSupportingTokens>
> > > >       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <wsp:Policy />
> > > >       </sp:Wss11>
> > > >       <sp:Trust10
> > > >         xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > > >         <wsp:Policy>
> > > >           <sp:MustSupportIssuedTokens />
> > > >           <sp:RequireClientEntropy />
> > > >           <sp:RequireServerEntropy />
> > > >         </wsp:Policy>
> > > >       </sp:Trust10>
> > > >       <wsaw:UsingAddressing />
> > > >     </wsp:All>
> > > >   </wsp:ExactlyOne>
> > > > </wsp:Policy>
> > > >
> > > > and a message being sent to my mock service looks like:
> > > >
> > > > ID: 1
> > > > Address: https://localhost:8443/mock-vls-ws/services/mockAuthenticationService
> > > > Encoding: UTF-8
> > > > Http-Method: POST
> > > > Content-Type: application/soap+xml; action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT"; charset=UTF-8
> > > > Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive], content-type=[application/soap+xml; action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT"; charset=UTF-8], host=[localhost:8443], pragma=[no-cache], transfer-encoding=[chunked], user-agent=[Apache-CXF/3.1.10]}
> > > > Payload:
> > > > <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
> > > >   <soap:Header>
> > > >     <Action xmlns="http://www.w3.org/2005/08/addressing">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
> > > >     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:d4a37685-340a-41e3-9ad5-33d21601b2b2</MessageID>
> > > >     <To xmlns="http://www.w3.org/2005/08/addressing"
> > > >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > > >       wsu:Id="_7f09a81a-706a-4d03-932e-c402c7af8d16">https://localhost:8443/mock-vls-ws/services/mockAuthenticationService</To>
> > > >     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
> > > >       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
> > > >     </ReplyTo>
> > > >     <wsse:Security
> > > >       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> > > >       xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > > >       soap:mustUnderstand="true">
> > > >       <wsse:BinarySecurityToken
> > > >         EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> > > >         ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> > > >         wsu:Id="X509-fbd22553-2805-4f67-af0c-cd552b6c4ea1">[Base64-encoded X.509 certificate]</wsse:BinarySecurityToken>
> > > >       <wsu:Timestamp wsu:Id="TS-c1511394-ae6f-4a4c-b8c4-a97df1bbd782">
> > > >         <wsu:Created>2017-11-02T22:02:30.558Z</wsu:Created>
> > > >         <wsu:Expires>2017-11-02T22:07:30.558Z</wsu:Expires>
> > > >       </wsu:Timestamp>
> > > >       <ds:Signature
> > > >         xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> > > >         Id="SIG-d17430ac-1be2-410d-b4ed-389fa2c71d9c">
> > > >         <ds:SignedInfo>
> > > >           <ds:CanonicalizationMethod
> > > >             Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> > > >             <ec:InclusiveNamespaces
> > > >               xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > >               PrefixList="soap" />
> > > >           </ds:CanonicalizationMethod>
> > > >           <ds:SignatureMethod
> > > >             Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
> > > >           <ds:Reference URI="#TS-c1511394-ae6f-4a4c-b8c4-a97df1bbd782">
> > > >             <ds:Transforms>
> > > >               <ds:Transform
> > > >                 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> > > >                 <ec:InclusiveNamespaces
> > > >                   xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > >                   PrefixList="wsse soap" />
> > > >               </ds:Transform>
> > > >             </ds:Transforms>
> > > >             <ds:DigestMethod
> > > >               Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> > > >             <ds:DigestValue>oUUE187y3bNvLUk0KvKAMQi5oS0=</ds:DigestValue>
> > > >           </ds:Reference>
> > > >           <ds:Reference URI="#_7f09a81a-706a-4d03-932e-c402c7af8d16">
> > > >             <ds:Transforms>
> > > >               <ds:Transform
> > > >                 Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> > > >                 <ec:InclusiveNamespaces
> > > >                   xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> > > >                   PrefixList="soap" />
> > > >               </ds:Transform>
> > > >             </ds:Transforms>
> > > >             <ds:DigestMethod
> > > >               Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
> > > >             <ds:DigestValue>J3b0s0Tc7Z9nwyg6ryeyXi5V7Wk=</ds:DigestValue>
> > > >           </ds:Reference>
> > > >         </ds:SignedInfo>
> > > >         <ds:SignatureValue>[Base64 signature value]</ds:SignatureValue>
> > > >         <ds:KeyInfo Id="KI-2b2d8678-1047-4bbb-a9f6-33de176b569e">
> > > >           <wsse:SecurityTokenReference
> > > >             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> > > >             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > > >             wsu:Id="STR-2e70c6dd-87f9-449e-9659-e0853efef74f">
> > > >             <wsse:KeyIdentifier
> > > >               EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> > > >               ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">y5plsGZ1ujCONeUMI+FuNgfF8LU=</wsse:KeyIdentifier>
> > > >           </wsse:SecurityTokenReference>
> > > >         </ds:KeyInfo>
> > > >       </ds:Signature>
> > > >     </wsse:Security>
> > > >   </soap:Header>
> > > >   <soap:Body>
> > > >     <wst:RequestSecurityToken xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
> > > >       <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>
> > > >       <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
> > > >         <wsa:EndpointReference
> > > >           xmlns:wsa="http://www.w3.org/2005/08/addressing">
> > > >           <wsa:Address>https://localhost:8443/mock-vls-ws/services/mockAuthenticationService</wsa:Address>
> > > >         </wsa:EndpointReference>
> > > >       </wsp:AppliesTo>
> > > >       <wst:Lifetime
> > > >         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> > > >         <wsu:Created>2017-11-02T22:02:29.214Z</wsu:Created>
> > > >         <wsu:Expires>2017-11-02T22:07:29.214Z</wsu:Expires>
> > > >       </wst:Lifetime>
> > > >       <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
> > > >       <wst:KeySize>256</wst:KeySize>
> > > >       <wst:Entropy>
> > > >         <wst:BinarySecret
> > > >           Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce">0UEx1yrKYAbPt0/m6tuSeyjFvVV4bE1bvN97D9lT0bw=</wst:BinarySecret>
> > > >       </wst:Entropy>
> > > >       <wst:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</wst:ComputedKeyAlgorithm>
> > > >       <wst:Renewing />
> > > >     </wst:RequestSecurityToken>
> > > >   </soap:Body>
> > > > </soap:Envelope>
> > > >
> > > > Here is my Spring Endpoint config:
> > > >
> > > > <bean id="Aamva_Authentication_Request" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> > > >   <constructor-arg>
> > > >     <map>
> > > >       <entry key="action" value="Timestamp Signature" />
> > > >       <entry key="user" value="dls-vls-mock-service-client-key" />
> > > >       <entry key="passwordType" value="PasswordText" />
> > > >       <entry key="passwordCallbackClass"
> > > >         value="gov.uscis.uscis.xsd.esb.authentication.AuthenticationServicePasswordCallback" />
> > > >       <entry key="decryptionPropFile" value="cxf/cxf-crypto.properties" />
> > > >       <entry key="signaturePropFile" value="cxf/cxf-crypto.properties" />
> > > >       <entry key="signatureUser" value="dls-vls-mock-service-client-key" />
> > > >       <entry key="signatureKeyIdentifier" value="X509KeyIdentifier " />
> > > >       <entry key="signatureParts"
> > > >         value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{}{http://www.w3.org/2000/09/xmldsig}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
> > > >
> > > >       <!--
> > > >       <entry key="encryptionPropFile" value="cxf/cxf-crypto.properties" />
> > > >       <entry key="encryptionParts"
> > > >         value="{Content}{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Body;" />
> > > >       -->
> > > >     </map>
> > > >   </constructor-arg>
> > > > </bean>
> > > >
> > > > <bean id="Aamva_Authentication_Response" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
> > > >   <constructor-arg>
> > > >     <map>
> > > >       <entry key="action" value="Timestamp Signature" />
> > > >       <entry key="user" value="dls-vls-mock-service-client-key" />
> > > >       <entry key="passwordType" value="PasswordText" />
> > > >       <entry key="passwordCallbackClass"
> > > >         value="gov.uscis.uscis.xsd.esb.authentication.AuthenticationServicePasswordCallback" />
> > > >       <entry key="signaturePropFile" value="cxf/cxf-crypto.properties" />
> > > >       <entry key="signatureKeyIdentifier" value="X509KeyIdentifier " />
> > > >       <entry key="signatureParts"
> > > >         value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}BinarySecurityToken;{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{}{http://www.w3.org/2000/09/xmldsig}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body;" />
> > > >       <!--
> > > >       <entry key="encryptionPropFile" value="cxf/cxf-crypto.properties" />
> > > >       <entry key="encryptionParts"
> > > >         value="{Content}{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}Body;" />
> > > >       -->
> > > >     </map>
> > > >   </constructor-arg>
> > > > </bean>
> > > >
> > > > <jaxws:endpoint id="mockAuthenticationServiceEndpoint" bus="cxf"
> > > >   address="/mockAuthenticationService"
> > > >   implementor="gov.uscis.uscis.xsd.esb.authentication.AuthenticationServiceImpl">
> > > >   <jaxws:binding>
> > > >     <soap:soapBinding mtomEnabled="true" version="1.2" />
> > > >   </jaxws:binding>
> > > >
> > > >   <jaxws:inInterceptors>
> > > >     <ref bean="Aamva_Authentication_Request" />
> > > >     <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor" />
> > > >   </jaxws:inInterceptors>
> > > >
> > > >   <jaxws:outInterceptors>
> > > >     <ref bean="Aamva_Authentication_Response" />
> > > >     <bean class="org.apache.cxf.binding.soap.saaj.SAAJOutInterceptor" />
> > > >   </jaxws:outInterceptors>
> > > >
> > > > </jaxws:endpoint>
> > > >
> > > > Since adding the signatureParts entries, now I am getting:
> > > >
> > > > 2017-11-02 21:40:11.369 WARN [org.apache.cxf.common.logging.LogUtils] Interceptor for {http://aamva.org/authentication/3.1.0}AuthenticationService has thrown exception, unwinding now
> > > > org.apache.cxf.interceptor.Fault: Message part {http://schemas.xmlsoap.org/ws/2005/02/trust}RequestSecurityToken was not recognized. (Does it exist in service WSDL?)
> > > >
> > > > I am out of my depth here. Can anyone suggest how to get the
> > > > JAX:WS markup to match up with the WSDL policy?
> > > >
> > > > Thanks.
> > > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> > >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
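
The advice at the top of this thread is to log the inbound message and look at it. The following is an added example (not code from the thread or from CXF) that summarises the `wsse:Security` header of a logged SOAP 1.2 payload: whether it is marked mustUnderstand, what it carries, and which elements the signature references actually resolve to. The sample envelope is constructed, `POLICY_PARTS` is an assumed reading of the WSDL policy quoted in the thread, and the comparison is a plain set difference that does not reproduce WSS4J's own checks.

```python
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]
MUST_UNDERSTAND = "{%s}mustUnderstand" % NS["soap"]

# Constructed sample shaped like the thread's logged RST/SCT request; values are placeholders.
SAMPLE = """\
<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}">
 <soap:Header>
  <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_to-1">https://localhost:8443/mock</To>
  <wsse:Security soap:mustUnderstand="true">
   <wsse:BinarySecurityToken wsu:Id="X509-1">PLACEHOLDER</wsse:BinarySecurityToken>
   <wsu:Timestamp wsu:Id="TS-1"/>
   <ds:Signature Id="SIG-1">
    <ds:SignedInfo>
     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <ds:Reference URI="#TS-1"/><ds:Reference URI="#_to-1"/>
    </ds:SignedInfo>
    <ds:KeyInfo><wsse:SecurityTokenReference><wsse:KeyIdentifier
      ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
      >PLACEHOLDER</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </soap:Header>
 <soap:Body/>
</soap:Envelope>
""".format(**NS)

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def summarize_security_header(payload):
    """Return what the wsse:Security header carries, or None if there is none."""
    root = ET.fromstring(payload)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        return None
    by_id = {el.get(WSU_ID): el for el in root.iter() if el.get(WSU_ID)}
    signed, dangling = [], []
    for ref in sec.iterfind("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        target = by_id.get(uri.lstrip("#"))
        if target is None:
            dangling.append(uri)  # reference that points at no wsu:Id in the message
        else:
            signed.append(local(target.tag))
    method = sec.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    key_id = sec.find("ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    return {
        "must_understand": sec.get(MUST_UNDERSTAND) in ("true", "1"),
        "children": [local(child.tag) for child in sec],
        "signed": signed,
        "dangling": dangling,
        "signature_method": None if method is None else method.get("Algorithm").rsplit("#", 1)[-1],
        "key_reference": None if key_id is None else key_id.get("ValueType").rsplit("#", 1)[-1],
    }

def not_signed(summary, expected_parts):
    """Local names in expected_parts that no ds:Reference in the message covers."""
    return sorted(set(expected_parts) - set(summary["signed"]))

# Assumption: the bootstrap policy's IncludeTimestamp plus the endorsing token's "To" header.
POLICY_PARTS = ["Timestamp", "To"]
# Local names from the signatureParts entry of the thread's hand-written interceptor map.
INTERCEPTOR_PARTS = ["BinarySecurityToken", "Timestamp", "Signature", "Body"]

if __name__ == "__main__":
    print(summarize_security_header(SAMPLE))
```

Run against a payload copied from the CXF log, the `signed` and `dangling` lists show at a glance what the sender actually signed, which is the information needed to compare the message with either the policy or a manual interceptor map.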
