CXF-Metro WS-SecureConversation interop issue (CXF client to Metro service)

classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

CXF-Metro WS-SecureConversation interop issue (CXF client to Metro service)

Cyril Dangerville-2
Hello,
After running the Metro WS-SecureConversation sample (in samples/wssc folder) successfully, I tried to replace the Metro client with a CXF client, and got the error down below on the service side.I have attached the debug logs from Metro with the requests/responses. I have also attached the service war deployed in Tomcat (generated/deployed from the sample's ant task) for convenience. I can also send the CXF client part (maven project) if necessary.
The issue is apparently related to the verification of the signature on the timestamp, but I would need some help finding the root cause. Has anybody tried this use case before?

Thanks for your help.

Regards,
Cyril

--EXCEPTION ON METRO SERVICE--
Using configured PlainTextPasswordValidator................
context.isExpired >>> false
Dec 19, 2013 2:24:47 AM com.sun.xml.ws.security.opt.impl.incoming.Signature process
SEVERE: WSS1710: Signature Verification for Signature with ID SIG-4 failed
Dec 19, 2013 2:24:47 AM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
        at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:159)
        at com.sun.xml.ws.security.opt.impl.incoming.Signature.process(Signature.java:351)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(Security
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipien
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecip
        at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:45
        at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1063)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:979)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:950)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:825)
        at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:380)
        at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:651)
        at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:264)
        at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:218)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194
        at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)

metro_wsp_with_cxf_wsc.log (13K) Download Attachment
jaxws-sc.war (27K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: CXF-Metro WS-SecureConversation interop issue (CXF client to Metro service)

Cyril Dangerville-2
I forgot to mention I am using Metro 2.2.1 (and CXF 2.7.6).


On Thu, Dec 19, 2013 at 2:53 AM, Cyril Dangerville <[hidden email]> wrote:
Hello,
After running the Metro WS-SecureConversation sample (in samples/wssc folder) successfully, I tried to replace the Metro client with a CXF client, and got the error down below on the service side.I have attached the debug logs from Metro with the requests/responses. I have also attached the service war deployed in Tomcat (generated/deployed from the sample's ant task) for convenience. I can also send the CXF client part (maven project) if necessary.
The issue is apparently related to the verification of the signature on the timestamp, but I would need some help finding the root cause. Has anybody tried this use case before?

Thanks for your help.

Regards,
Cyril

--EXCEPTION ON METRO SERVICE--
Using configured PlainTextPasswordValidator................
context.isExpired >>> false
Dec 19, 2013 2:24:47 AM com.sun.xml.ws.security.opt.impl.incoming.Signature process
SEVERE: WSS1710: Signature Verification for Signature with ID SIG-4 failed
Dec 19, 2013 2:24:47 AM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
        at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:159)
        at com.sun.xml.ws.security.opt.impl.incoming.Signature.process(Signature.java:351)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(Security
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipien
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecip
        at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:45
        at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1063)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:979)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:950)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:825)
        at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:380)
        at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:651)
        at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:264)
        at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:218)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194
        at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: CXF-Metro WS-SecureConversation interop issue (CXF client to Metro service)

Cyril Dangerville-2
Hello,
I added HTTP message dumping to the metro debug logs in attachment, to make troubleshooting easier. I have also changed Basic256 assertions to Basic128 in the WSDL (and CXF upgraded to 2.7.8). Same error.

I hope it helps.

Regards,
Cyril


On Thu, Dec 19, 2013 at 2:56 AM, Cyril Dangerville <[hidden email]> wrote:
I forgot to mention I am using Metro 2.2.1 (and CXF 2.7.6).


On Thu, Dec 19, 2013 at 2:53 AM, Cyril Dangerville <[hidden email]> wrote:
Hello,
After running the Metro WS-SecureConversation sample (in samples/wssc folder) successfully, I tried to replace the Metro client with a CXF client, and got the error down below on the service side.I have attached the debug logs from Metro with the requests/responses. I have also attached the service war deployed in Tomcat (generated/deployed from the sample's ant task) for convenience. I can also send the CXF client part (maven project) if necessary.
The issue is apparently related to the verification of the signature on the timestamp, but I would need some help finding the root cause. Has anybody tried this use case before?

Thanks for your help.

Regards,
Cyril

--EXCEPTION ON METRO SERVICE--
Using configured PlainTextPasswordValidator................
context.isExpired >>> false
Dec 19, 2013 2:24:47 AM com.sun.xml.ws.security.opt.impl.incoming.Signature process
SEVERE: WSS1710: Signature Verification for Signature with ID SIG-4 failed
Dec 19, 2013 2:24:47 AM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
        at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:159)
        at com.sun.xml.ws.security.opt.impl.incoming.Signature.process(Signature.java:351)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(Security
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipien
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecip
        at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:45
        at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1063)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:979)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:950)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:825)
        at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:380)
        at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:651)
        at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:264)
        at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:218)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194
        at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)



metro_wsp_requested by_cxf_wsc.log (33K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: CXF-Metro WS-SecureConversation interop issue (CXF client to Metro service)

Cyril Dangerville-2


On Tue, Jan 7, 2014 at 5:13 PM, Cyril <[hidden email]> wrote:
Hello,
I added HTTP message dumping to the metro debug logs in attachment, to make troubleshooting easier. I have also changed Basic256 assertions to Basic128 in the WSDL (and CXF upgraded to 2.7.8). Same error.

I hope it helps.

Regards,
Cyril


On Thu, Dec 19, 2013 at 2:56 AM, Cyril Dangerville <[hidden email]> wrote:
I forgot to mention I am using Metro 2.2.1 (and CXF 2.7.6).


On Thu, Dec 19, 2013 at 2:53 AM, Cyril Dangerville <[hidden email]> wrote:
Hello,
After running the Metro WS-SecureConversation sample (in samples/wssc folder) successfully, I tried to replace the Metro client with a CXF client, and got the error down below on the service side.I have attached the debug logs from Metro with the requests/responses. I have also attached the service war deployed in Tomcat (generated/deployed from the sample's ant task) for convenience. I can also send the CXF client part (maven project) if necessary.
The issue is apparently related to the verification of the signature on the timestamp, but I would need some help finding the root cause. Has anybody tried this use case before?

Thanks for your help.

Regards,
Cyril

--EXCEPTION ON METRO SERVICE--
Using configured PlainTextPasswordValidator................
context.isExpired >>> false
Dec 19, 2013 2:24:47 AM com.sun.xml.ws.security.opt.impl.incoming.Signature process
SEVERE: WSS1710: Signature Verification for Signature with ID SIG-4 failed
Dec 19, 2013 2:24:47 AM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
        at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:159)
        at com.sun.xml.ws.security.opt.impl.incoming.Signature.process(Signature.java:351)
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(Security
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipien
        at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecip
        at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:45
        at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
        at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1063)
        at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:979)
        at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:950)
        at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:825)
        at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:380)
        at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:651)
        at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:264)
        at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:218)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)
        at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194
        at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)



Loading...