++ [email protected]<mailto:[email protected]>
From: Yeikel Valdes Santana <[email protected]> Date: Friday, January 21, 2022 at 9:54 AM To: "[email protected]" <[email protected]> Subject: Re: [External] Re: Apache CXF WS-Security: "Security processing failed (actions mismatch) Thank you. I solved it myself. It turns out I was using the wrong class. I had to use WSS4JOutInterceptor Instead of WSS4JInInterceptor From: Colm O hEigeartaigh <[email protected]> Reply-To: "[email protected]" <[email protected]> Date: Friday, January 21, 2022 at 8:38 AM To: "[email protected]" <[email protected]> Subject: [External] Re: Apache CXF WS-Security: "Security processing failed (actions mismatch) Hi, Could you put together a test-case that reproduces the problem that we can run? Colm. On Tue, Jan 18, 2022 at 12:46 AM Yeikel Valdes Santana <[email protected]<mailto:[email protected]>.invalid> wrote: > > I am trying to generate a SOAP request using Apache CXF WS-Security similar > to the following request(I generated it using SoapUI) : > > <soapenv:Envelope > xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/<https://isolate.menlosecurity.com/1/3735928037/http:/schemas.xmlsoap.org/soap/envelope/>"> > <soapenv:Header> > <wsse:Security > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd<https://isolate.menlosecurity.com/1/3735928037/http:/docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd>" > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd<https://isolate.menlosecurity.com/1/3735928037/http:/docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd>"> > <ds:Signature Id="SIG-xxx" > xmlns:ds="http://www.w3.org/2000/09/xmldsig#<https://isolate.menlosecurity.com/1/3735928037/http:/www.w3.org/2000/09/xmldsig>"> > <ds:SignedInfo> > <ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#<https://isolate.menlosecurity.com/1/3735928037/http:/www.w3.org/2001/10/xml-exc-c14n>"> > <ec:InclusiveNamespaces PrefixList="soapenv" > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#<https://isolate.menlosecurity.com/1/3735928037/http:/www.w3.org/2001/10/xml-exc-c14n>"/> > </ds:CanonicalizationMethod> > <ds:SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1<https://isolate.menlosecurity.com/1/3735928037/http:/www.w3.org/2000/09/xmldsig#rsa-sha1>"/> > <ds:Reference URI="#xxxx"> > <ds:Transforms> > <ds:Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#<https://isolate.menlosecurity.com/1/3735928037/http:/www.w3.org/2001/10/xml-exc-c14n>"> > <ec:InclusiveNamespaces PrefixList="" > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#<https://isolate.menlosecurity.com/1/3735928037/http:/www.w3.org/2001/10/xml-exc-c14n>"/> > </ds:Transform> > </ds:Transforms> > <ds:DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1<https://isolate.menlosecurity.com/1/3735928037/http:/www.w3.org/2000/09/xmldsig#sha1>"/> > <ds:DigestValue>xxxx</ds:DigestValue> > </ds:Reference> > </ds:SignedInfo> > <ds:SignatureValue>xxxx > </ds:SignatureValue> > <ds:KeyInfo Id="xxxxx"> > <wsse:SecurityTokenReference wsu:Id="xxxxx"> > <wsse:KeyIdentifier > EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary<https://isolate.menlosecurity.com/1/3735928037/http:/docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary>" > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3<https://isolate.menlosecurity.com/1/3735928037/http:/docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3>"> > xxxx > </wsse:KeyIdentifier> > </wsse:SecurityTokenReference> > </ds:KeyInfo> > </ds:Signature> > </wsse:Security> > > </soapenv:Header> > <soapenv:Body wsu:Id="id-xxx" > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd<https://isolate.menlosecurity.com/1/3735928037/http:/docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd>"> > <v3:AccountRequest > xmlns:v3="http://services.mysiste.com/V3<https://isolate.menlosecurity.com/1/3735928037/http:/services.mysiste.com/V3>"> > <Request> > <SearchParametersBlock> > <MktCd> > <MktCdData> > <MktCd>US</MktCd> > </MktCdData> > </MktCd> > </SearchParametersBlock> > </Request> > </v3:AccountRequest> > </soapenv:Body> > </soapenv:Envelope> > > > I am using the following code to generate my Java request : > > > Properties signatureProperties = new Properties(); > signatureProperties.put("org.apache.ws<https://isolate.menlosecurity.com/1/3735928037/http:/org.apache.ws>.security.crypto.provider", > "org.apache.ws<https://isolate.menlosecurity.com/1/3735928037/http:/org.apache.ws>.security.components.crypto.Merlin"); > signatureProperties.put("org.apache.ws<https://isolate.menlosecurity.com/1/3735928037/http:/org.apache.ws>.security.crypto.merlin.keystore.type", > "jks"); > signatureProperties.put("org.apache.ws<https://isolate.menlosecurity.com/1/3735928037/http:/org.apache.ws>.security.crypto.merlin.keystore.file", > "server.jks"); > signatureProperties.put("org.apache.ws<https://isolate.menlosecurity.com/1/3735928037/http:/org.apache.ws>.security.crypto.merlin.keystore.password", > "password"); > signatureProperties.put("org.apache.ws<https://isolate.menlosecurity.com/1/3735928037/http:/org.apache.ws>.security.crypto.merlin.keystore.alias", > "myAlias"); > > signatureProperties.put("org.apache.ws<https://isolate.menlosecurity.com/1/3735928037/http:/org.apache.ws>.security.crypto.merlin.keystore.private.password", > "password"); > > Map<String,Object> outProps = new HashMap<>(); > outProps.put(WSHandlerConstants.USER, "myAlias"); > outProps.put(WSHandlerConstants.SIG_KEY_ID, "X509KeyIdentifier"); > outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE); > > outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS, > ServiceKeystorePasswordCallback.class.getName()); > outProps.put(WSHandlerConstants.SIG_ALGO, > "http://www.w3.org/2000/09/xmldsig#sha1<https://isolate.menlosecurity.com/1/3735928037/http:/www.w3.org/2000/09/xmldsig#sha1>"); > outProps.put(WSHandlerConstants.SIG_C14N_ALGO, > "http://www.w3.org/2001/10/xml-exc-c14n#<https://isolate.menlosecurity.com/1/3735928037/http:/www.w3.org/2001/10/xml-exc-c14n>"); > outProps.put(WSHandlerConstants.SIG_PROP_REF_ID, "signatureProperties"); > outProps.put("signatureProperties", signatureProperties); > > > org.apache.cxf.endpoint.Client client = ClientProxy.getClient(this.service); > org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint(); > > WSS4JInInterceptor wssIn = new WSS4JInInterceptor(outProps); > cxfEndpoint.getOutInterceptors().add(wssIn); > > But I am experiencing the following error : "Security processing failed > (actions mismatch)" > > I traced the exception and it boils down to the following snippet > > > if (!checkReceiverResultsAnyOrder(wsResult, actions)) { > LOG.warning("Security processing failed (actions mismatch)"); > throw new WSSecurityException(WSSecurityException.ErrorCode.INVALID_SECURITY); > } > > Where actions != wsResult(it is empty) > > I am not sure how to populate wsResult in this case. Any help would be > greatly appreciated > > > > American Express made the following annotations > > "This message and any attachments are solely for the intended recipient and > may contain confidential or privileged information. If you are not the > intended recipient, any disclosure, copying, use, or distribution of the > information included in this message and any attachments is prohibited. If > you have received this communication in error, please notify us by reply > e-mail and immediately and permanently delete this message and any > attachments. Thank you." > American Express a ajouté le commentaire suivant > Ce courrier et toute pièce jointe qu'il contient sont réservés au seul > destinataire indiqué et peuvent contenir des renseignements confidentiels et > privilégiés. Si vous n'êtes pas le destinataire prévu, toute divulgation, > duplication, utilisation ou distribution du courrier ou de toute pièce jointe > est interdite. Si vous avez reçu cette communication par erreur, veuillez > nous en aviser par courrier et détruire immédiatement le courrier et les > pièces jointes. Merci. > American Express made the following annotations "This message and any attachments are solely for the intended recipient and may contain confidential or privileged information. If you are not the intended recipient, any disclosure, copying, use, or distribution of the information included in this message and any attachments is prohibited. If you have received this communication in error, please notify us by reply e-mail and immediately and permanently delete this message and any attachments. Thank you." American Express a ajouté le commentaire suivant Ce courrier et toute pièce jointe qu'il contient sont réservés au seul destinataire indiqué et peuvent contenir des renseignements confidentiels et privilégiés. Si vous n'êtes pas le destinataire prévu, toute divulgation, duplication, utilisation ou distribution du courrier ou de toute pièce jointe est interdite. Si vous avez reçu cette communication par erreur, veuillez nous en aviser par courrier et détruire immédiatement le courrier et les pièces jointes. Merci.
