Channel: Apache Timeline

Unable to configure WSS4J for security in Apache CXF.

Hi All,

I am migrating from Axis2 Web Services to Apache CXF. In Axis2, I had
configured security using Rampart with the following policy settings:

<wsp:Policy wsu:Id="SigEncr"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:RequireKeyIdentifierReference />
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireKeyIdentifierReference />
                  <sp:WssX509V3Token10 />
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:TripleDesRsa15 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
        </wsp:Policy>
      </sp:Wss10>
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body />
      </sp:SignedParts>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <sp:Body />
      </sp:EncryptedParts>

      <ramp:RampartConfig xmlns:ramp="http://ws.apache.org/rampart/policy">
        <ramp:user>service</ramp:user>
        <ramp:encryptionUser>client</ramp:encryptionUser>
        <ramp:passwordCallbackClass>com.test.webservice.PWCBHandler</ramp:passwordCallbackClass>
        <ramp:signatureCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
          </ramp:crypto>
        </ramp:signatureCrypto>
        <ramp:encryptionCrypto>
          <ramp:crypto provider="org.apache.ws.security.components.crypto.Merlin">
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.file">service.jks</ramp:property>
            <ramp:property name="org.apache.ws.security.crypto.merlin.keystore.password">password</ramp:property>
          </ramp:crypto>
        </ramp:encryptionCrypto>
      </ramp:RampartConfig>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

In Apache CXF, I am trying to configure security following the steps below:

1. I have created a ws-policy.xml file and placed it under the WEB-INF/classes
folder. I am providing this policy file to the service class using the @Policies
annotation. Ex:

import javax.jws.WebService;
import org.apache.cxf.annotations.Policy;

@Policy(uri = "ws-policy.xml")
@WebService(targetNamespace = "http://webservice.test.com", name = "WSServicePortType")
public class WSService {
    // Service method goes here.
}

Contents of ws-policy.xml is as follows:

<wsp:Policy
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

  <sp:AsymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
      <sp:InitiatorToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:RequireIssuerSerialReference />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:RequireIssuerSerialReference />
            </wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:RecipientToken>
      <sp:AlgorithmSuite>
        <wsp:Policy>
          <sp:TripleDesRsa15 />
        </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
        <wsp:Policy>
          <sp:Strict />
        </wsp:Policy>
      </sp:Layout>
    </wsp:Policy>
  </sp:AsymmetricBinding>

  <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <wsp:Policy>
      <sp:MustSupportRefKeyIdentifier />
      <sp:MustSupportRefIssuerSerial />
    </wsp:Policy>
  </sp:Wss10>
  <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body />
  </sp:SignedParts>
  <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
    <sp:Body />
  </sp:EncryptedParts>
</wsp:Policy>

2. To configure WSS4J, I am using the following snippet in cxf-servlet.xml:

<jaxws:endpoint address="/WSService">
  <jaxws:implementor>
    <bean id="WSService" class="com.test.webservice.WSService" />
  </jaxws:implementor>
  <jaxws:inInterceptors>
    <ref bean="wss4jInConfiguration" />
    <bean class="com.test.webservice.AuthHandler" />
  </jaxws:inInterceptors>
  <jaxws:outInterceptors>
    <ref bean="wss4jOutConfiguration" />
    <bean class="com.test.webservice.LogHandler" />
  </jaxws:outInterceptors>
  <jaxws:properties>
    <entry key="ws-security.is-bsp-compliant" value="false" />
  </jaxws:properties>
</jaxws:endpoint>

<bean id="wss4jInConfiguration" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
  <constructor-arg>
    <map>
      <entry key="action" value="Signature Encrypt Timestamp" />
      <entry key="signaturePropFile" value="service.properties" />
      <entry key="decryptionPropFile" value="service.properties" />
      <entry key="encryptionPropFile" value="service.properties" />
      <entry key="passwordCallbackClass" value="com.test.webservice.PWCBHandler" />
    </map>
  </constructor-arg>
</bean>

<bean id="wss4jOutConfiguration" class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor">
  <constructor-arg>
    <map>
      <entry key="action" value="Timestamp Signature Encrypt" />
      <entry key="passwordCallbackClass" value="com.test.webservice.PWCBHandler" />
      <entry key="signaturePropFile" value="service.properties" />
      <entry key="encryptionPropFile" value="service.properties" />
      <entry key="decryptionPropFile" value="service.properties" />
    </map>
  </constructor-arg>
</bean>

service.properties is also present in the WEB-INF/classes folder. Its contents
are as below:

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.file=service.jks

Using the above configuration, I am getting the exception below when I try to
access the web service through a client configured with the same security
settings I used with Axis2:

20:49:21,744 WARN [ws.security.wss4j.WSS4JInInterceptor ] - org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
20:49:21,745 WARN [apache.cxf.phase.PhaseInterceptorChain ] - Interceptor for {http://webservice.test.com}WSAmandaSecurityServiceService#{http://webservice.test.com}authenticateUser has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:850)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:327)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:936)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1004)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
    at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:450)
    at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:231)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270)
    ... 28 more

Can anyone help me identify whether I am missing anything while configuring
WSS4J in Apache CXF, so that I can use the same client to access the CXF web
service?

Thanks for your time and help.

Regards, Puneet.
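Editor's note, with an added example that is not part of the post above and not CXF or WSS4J project code. Before looking at keys and certificates, the first thing to rule out when two WS-Security peers reject each other's messages is that their WS-SecurityPolicy documents do not actually agree. The two policies quoted in the post differ in several assertions that change what goes on the wire (which token reference the X.509 token uses, whether the recipient token is included, whether a Timestamp is required and signed). The class below parses two policies with the JDK's DOM parser (DTDs disabled, since a policy may be pulled from a peer's WSDL) and lists every sp:* assertion that one side has and the other lacks. The two embedded policies are constructed excerpts of the ones in the post, trimmed to the AsymmetricBinding and the signed/encrypted parts; class and method names are the example's own.

```java
import java.io.StringReader;
import java.util.Set;
import java.util.TreeSet;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Lists the WS-SecurityPolicy assertions one policy has and the other lacks (added example). */
public class PolicyDiff {
    static final String SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";
    static final String NS = " xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\" xmlns:sp=\"" + SP + "\"";
    static final String INC = SP + "/IncludeToken/";

    /** Constructed excerpt of the post's Rampart (Axis2) policy. */
    static final String RAMPART_POLICY = "<wsp:Policy" + NS + "><wsp:ExactlyOne><wsp:All>"
        + "<sp:AsymmetricBinding><wsp:Policy>"
        + "<sp:InitiatorToken><wsp:Policy><sp:X509Token sp:IncludeToken=\"" + INC + "AlwaysToRecipient\">"
        + "<wsp:Policy><sp:RequireKeyIdentifierReference/><sp:WssX509V3Token10/></wsp:Policy>"
        + "</sp:X509Token></wsp:Policy></sp:InitiatorToken>"
        + "<sp:RecipientToken><wsp:Policy><sp:X509Token sp:IncludeToken=\"" + INC + "Never\">"
        + "<wsp:Policy><sp:RequireKeyIdentifierReference/><sp:WssX509V3Token10/></wsp:Policy>"
        + "</sp:X509Token></wsp:Policy></sp:RecipientToken>"
        + "<sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>"
        + "<sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>"
        + "<sp:IncludeTimestamp/><sp:OnlySignEntireHeadersAndBody/>"
        + "</wsp:Policy></sp:AsymmetricBinding>"
        + "<sp:SignedParts><sp:Body/></sp:SignedParts><sp:EncryptedParts><sp:Body/></sp:EncryptedParts>"
        + "</wsp:All></wsp:ExactlyOne></wsp:Policy>";

    /** Constructed excerpt of the post's CXF ws-policy.xml. */
    static final String CXF_POLICY = "<wsp:Policy" + NS + ">"
        + "<sp:AsymmetricBinding><wsp:Policy>"
        + "<sp:InitiatorToken><wsp:Policy><sp:X509Token sp:IncludeToken=\"" + INC + "AlwaysToRecipient\">"
        + "<wsp:Policy><sp:RequireIssuerSerialReference/></wsp:Policy>"
        + "</sp:X509Token></wsp:Policy></sp:InitiatorToken>"
        + "<sp:RecipientToken><wsp:Policy><sp:X509Token sp:IncludeToken=\"" + INC + "AlwaysToRecipient\">"
        + "<wsp:Policy><sp:RequireIssuerSerialReference/></wsp:Policy>"
        + "</sp:X509Token></wsp:Policy></sp:RecipientToken>"
        + "<sp:AlgorithmSuite><wsp:Policy><sp:TripleDesRsa15/></wsp:Policy></sp:AlgorithmSuite>"
        + "<sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>"
        + "</wsp:Policy></sp:AsymmetricBinding>"
        + "<sp:SignedParts><sp:Body/></sp:SignedParts><sp:EncryptedParts><sp:Body/></sp:EncryptedParts>"
        + "</wsp:Policy>";

    /** Every sp:* assertion as a path such as /AsymmetricBinding/RecipientToken/X509Token[Never]. */
    static Set<String> assertions(String policyXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // A policy may come from a remote WSDL: refuse DTDs so no external entities are resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(policyXml)));
        Set<String> out = new TreeSet<String>();
        walk(doc.getDocumentElement(), "", out);
        return out;
    }

    private static void walk(Element el, String path, Set<String> out) {
        String here = path;
        if (SP.equals(el.getNamespaceURI())) {
            // wsp:Policy/ExactlyOne/All wrappers are skipped; only sp:* elements build the path.
            here = path + "/" + el.getLocalName();
            String inc = el.getAttributeNS(SP, "IncludeToken");
            if (inc.length() > 0) {
                here += "[" + inc.substring(inc.lastIndexOf('/') + 1) + "]";
            }
            out.add(here);
        }
        NodeList kids = el.getChildNodes();
        for (int i = 0; i < kids.getLength(); i++) {
            if (kids.item(i) instanceof Element) {
                walk((Element) kids.item(i), here, out);
            }
        }
    }

    /** Assertions present in a but absent from b. */
    static Set<String> onlyIn(Set<String> a, Set<String> b) {
        Set<String> diff = new TreeSet<String>(a);
        diff.removeAll(b);
        return diff;
    }

    public static void main(String[] args) throws Exception {
        Set<String> rampart = assertions(RAMPART_POLICY);
        Set<String> cxf = assertions(CXF_POLICY);
        System.out.println("Only in the Rampart policy:");
        for (String s : onlyIn(rampart, cxf)) System.out.println("  " + s);
        System.out.println("Only in the CXF policy:");
        for (String s : onlyIn(cxf, rampart)) System.out.println("  " + s);
    }
}
```

Run against the two excerpts, the Rampart side is the only one with IncludeTimestamp, OnlySignEntireHeadersAndBody, the WssX509V3Token10 and RequireKeyIdentifierReference assertions, and a RecipientToken with IncludeToken Never; the CXF side is the only one with RequireIssuerSerialReference and a RecipientToken with IncludeToken AlwaysToRecipient. Each of those is a difference in what the client signs, encrypts or references, so a client built from the Rampart policy and a server built from the CXF policy are not running the same contract, whatever the keystores contain. The check is generic: point it at any two policies (for example the sp:* assertions pulled out of a peer's WSDL and your own) to get the same list.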
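Editor's note, with a second added example that is not part of the post and not CXF or WSS4J project code. CXF offers two separate ways to configure WS-Security: attach a WS-SecurityPolicy (as the @Policy annotation in the post does) and supply keys and callbacks through the ws-security.* endpoint properties, or wire WSS4JInInterceptor and WSS4JOutInterceptor by hand with an action list and no policy. The cxf-servlet.xml in the post does both at once. The class below keeps only the policy-driven path: it publishes the post's @Policy-annotated WSService programmatically, registers no WSS4J interceptors, and sets the properties that the policy-based interceptors CXF installs will read. The private-key alias "service", the address, the key password fallback and the class names are the example's assumptions; the callback handler targets WSS4J 1.x (org.apache.ws.security.WSPasswordCallback, the package in the post's stack trace) and stands in for the PWCBHandler the post names but does not show. One further caveat, not a change the example makes because the existing client must keep working: TripleDesRsa15 is 3DES with RSA PKCS#1 v1.5 key transport, and the latter is the padding-oracle-prone mechanism; once both sides are under your control, a suite such as Basic256Sha256 (AES with RSA-OAEP) is the better choice.

```java
package com.test.webservice;

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.endpoint.Server;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.ws.security.WSPasswordCallback;

/**
 * Publishes the @Policy-annotated WSService with CXF's policy-driven WS-Security
 * configuration (added example). No WSS4JIn/OutInterceptor is registered: the
 * ws-policy.xml attached via @Policy makes CXF add its own policy-based WSS4J
 * interceptors, which read the ws-security.* properties set below.
 */
public class SecureWSServicePublisher {

    /** Alias of the service's private key in service.jks (assumed; the post does not state it). */
    static final String SERVICE_ALIAS = "service";

    /** Hypothetical stand-in for the post's PWCBHandler, for WSS4J 1.x. */
    public static class KeyPasswordHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb, "only WSPasswordCallback is supported");
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                // Answer only for the alias this service owns. Any other identifier gets no
                // password, so the engine fails closed instead of using a key we did not intend.
                if (SERVICE_ALIAS.equals(pc.getIdentifier())) {
                    // Assumed: key password from a system property, "password" only as a dev fallback.
                    pc.setPassword(System.getProperty("service.key.password", "password"));
                }
            }
        }
    }

    public static Server publish(String address) {
        JaxWsServerFactoryBean factory = new JaxWsServerFactoryBean();
        factory.setServiceClass(WSService.class);
        factory.setServiceBean(new WSService());
        factory.setAddress(address);

        Map<String, Object> props = new HashMap<String, Object>();
        // Who supplies the private-key password.
        props.put(SecurityConstants.CALLBACK_HANDLER, new KeyPasswordHandler());
        // The same Merlin properties file the post already keeps on the classpath.
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, "service.properties");
        props.put(SecurityConstants.ENCRYPT_PROPERTIES, "service.properties");
        // Sign responses with the service key ...
        props.put(SecurityConstants.SIGNATURE_USERNAME, SERVICE_ALIAS);
        // ... and encrypt them to whichever certificate signed the request. "useReqSigCert"
        // is CXF's built-in alias for that, so the server does not hard-code the client's
        // alias the way the Rampart encryptionUser=client setting did.
        props.put(SecurityConstants.ENCRYPT_USERNAME, "useReqSigCert");
        factory.setProperties(props);

        return factory.create();
    }

    public static void main(String[] args) {
        Server server = publish("http://localhost:9000/WSService");
        System.out.println("Published at " + server.getEndpoint().getEndpointInfo().getAddress());
    }
}
```

The same five properties can be set in cxf-servlet.xml as jaxws:properties entries on the endpoint in place of the jaxws:inInterceptors and jaxws:outInterceptors blocks; the point is that a single mechanism owns the Security header, and that the policy the server enforces is the same one the client was built against.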
