WSS1925: No CipherValue found in CipherData

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

WSS1925: No CipherValue found in CipherData

PeterParker
This post has NOT been accepted by the mailing list yet.
Hi.
I try to implement the "Example: Username Authentication with Symmetric Key (UA)" from the metro guide (https://metro.java.net/guide/ch12.html#ahiej) and get the error "SEVERE:   WSS1925: No CipherValue found in CipherData". The example works properly without the security stuff.

OS: Windows 7 Pro (x64)

What I have done:
- installed JDK7 (had the same error with JDK8 before)
- installed Netbeans 8.0 + GlassFish Server 4.0
- installed UnlimitedJCEPolicy
- manually updated the Keystores and Truststores (https://metro.java.net/guide/ch12.html#ahidm)
- added the user "wsitUser" to GlassFish
- created service + client like in the example and added security with development defaults

CalculatorWS.xml (Service)
<?xml version="1.0" encoding="UTF-8"?> 
 <definitions 
 xmlns="http://schemas.xmlsoap.org/wsdl/" 
 xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" 
 xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="CalculatorWS" targetNamespace="http://service.de/" xmlns:tns="http://service.de/" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:fi="http://java.sun.com/xml/ns/wsit/2006/09/policy/fastinfoset/service" xmlns:tcp="http://java.sun.com/xml/ns/wsit/2006/09/policy/soaptcp/service" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:sc="http://schemas.sun.com/2006/03/wss/server" xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy" 
 >
    <message name="hello"/>
    <message name="helloResponse"/>
    <message name="add"/>
    <message name="addResponse"/>
    <portType name="CalculatorWS">
        <operation name="hello">
            <input message="tns:hello"/>
            <output message="tns:helloResponse"/>
        </operation>
        <operation name="add">
            <input message="tns:add"/>
            <output message="tns:addResponse"/>
        </operation>
    </portType>
    <binding name="CalculatorWSPortBinding" type="tns:CalculatorWS">
        <wsp:PolicyReference URI="#CalculatorWSPortBindingPolicy"/>
        <operation name="hello">
            <input>
                <wsp:PolicyReference URI="#CalculatorWSPortBinding_hello_Input_Policy"/>
            </input>
            <output>
                <wsp:PolicyReference URI="#CalculatorWSPortBinding_hello_Output_Policy"/>
            </output>
        </operation>
        <operation name="add">
            <input>
                <wsp:PolicyReference URI="#CalculatorWSPortBinding_hello_Input_Policy"/>
            </input>
            <output>
                <wsp:PolicyReference URI="#CalculatorWSPortBinding_hello_Output_Policy"/>
            </output>
        </operation>
    </binding>
    <service name="CalculatorWS">
        <port name="CalculatorWSPort" binding="tns:CalculatorWSPortBinding"/>
    </service>
    <wsp:Policy wsu:Id="CalculatorWSPortBindingPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <wsam:Addressing wsp:Optional="false"/>
                <sp:SymmetricBinding>
                    <wsp:Policy>
                        <sp:ProtectionToken>
                            <wsp:Policy>
                                <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10/>
                                        <sp:RequireIssuerSerialReference/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:Policy>
                        </sp:ProtectionToken>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                        <sp:OnlySignEntireHeadersAndBody/>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic128/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                    </wsp:Policy>
                </sp:SymmetricBinding>
                <sp:Wss11>
                    <wsp:Policy>
                        <sp:MustSupportRefIssuerSerial/>
                        <sp:MustSupportRefThumbprint/>
                        <sp:MustSupportRefEncryptedKey/>
                    </wsp:Policy>
                </sp:Wss11>
                <sp:SignedEncryptedSupportingTokens>
                    <wsp:Policy>
                        <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <sp:WssUsernameToken10/>
                            </wsp:Policy>
                        </sp:UsernameToken>
                    </wsp:Policy>
                </sp:SignedEncryptedSupportingTokens>
                <sc:KeyStore wspp:visibility="private" location="C:\glassfish-4.0\glassfish\domains\domain1\config\keystore.jks" type="JKS" storepass="changeit" alias="xws-security-server"/>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="CalculatorWSPortBinding_hello_Input_Policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:EncryptedParts>
                    <sp:Body/>
                </sp:EncryptedParts>
                <sp:SignedParts>
                    <sp:Body/>
                    <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
                    <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
                    <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
                    <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
                </sp:SignedParts>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
    <wsp:Policy wsu:Id="CalculatorWSPortBinding_hello_Output_Policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:EncryptedParts>
                    <sp:Body/>
                </sp:EncryptedParts>
                <sp:SignedParts>
                    <sp:Body/>
                    <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
                    <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
                    <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
                    <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
                    <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
                </sp:SignedParts>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</definitions>

CalculatorWS.xml (Client)
<?xml version='1.0' encoding='UTF-8'?><!-- Published by JAX-WS RI at http://jax-ws.dev.java.net. RI's version is Metro/2.3 (tags/2.3-7528; 2013-04-29T19:34:10+0000) JAXWS-RI/2.2.8 JAXWS/2.2 svn-revision#unknown. --><!-- Generated by JAX-WS RI at http://jax-ws.dev.java.net. RI's version is Metro/2.3 (tags/2.3-7528; 2013-04-29T19:34:10+0000) JAXWS-RI/2.2.8 JAXWS/2.2 svn-revision#unknown. --><definitions xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsp1_2="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://service.de/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.xmlsoap.org/wsdl/" targetNamespace="http://service.de/" name="CalculatorWS" xmlns:sc="http://schemas.sun.com/2006/03/wss/client" xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy">
<types>
<xsd:schema>
<xsd:import namespace="http://service.de/" schemaLocation="http://localhost:8080/CalculatorServer/CalculatorWS?xsd=1"/>
</xsd:schema>
</types>
<message name="add">
<part name="parameters" element="tns:add"/>
</message>
<message name="addResponse">
<part name="parameters" element="tns:addResponse"/>
</message>
<message name="hello">
<part name="parameters" element="tns:hello"/>
</message>
<message name="helloResponse">
<part name="parameters" element="tns:helloResponse"/>
</message>
<portType name="CalculatorWS">
<operation name="add">
<input wsam:Action="http://service.de/CalculatorWS/addRequest" message="tns:add"/>
<output wsam:Action="http://service.de/CalculatorWS/addResponse" message="tns:addResponse"/>
</operation>
<operation name="hello">
<input wsam:Action="http://service.de/CalculatorWS/helloRequest" message="tns:hello"/>
<output wsam:Action="http://service.de/CalculatorWS/helloResponse" message="tns:helloResponse"/>
</operation>
</portType>
<binding name="CalculatorWSPortBinding" type="tns:CalculatorWS">
    <wsp:PolicyReference URI="#CalculatorWSPortBindingPolicy"/>
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
<operation name="add">
<soap:operation soapAction=""/>
<input>
<soap:body use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
<operation name="hello">
<soap:operation soapAction=""/>
<input>
<soap:body use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
</binding>
<service name="CalculatorWS">
<port name="CalculatorWSPort" binding="tns:CalculatorWSPortBinding">
<soap:address location="http://localhost:8080/CalculatorServer/CalculatorWS"/>
</port>
</service>
    <wsp:Policy wsu:Id="CalculatorWSPortBindingPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sc:CallbackHandlerConfiguration wspp:visibility="private">
                    <sc:CallbackHandler default="wsitUser" name="usernameHandler"/>
                    <sc:CallbackHandler default="changeit" name="passwordHandler"/>
                </sc:CallbackHandlerConfiguration>
                <sc:TrustStore wspp:visibility="private" location="C:\glassfish-4.0\glassfish\domains\domain1\config\cacerts.jks" type="JKS" storepass="changeit" peeralias="xws-security-server"/>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</definitions>

GlassFish Server 4 Log (running the client)
SEVERE:   WSS1925: No CipherValue found in CipherData
WARNING:   StandardWrapperValve[ClientServlet]: Servlet.service() for servlet ClientServlet threw exception
javax.xml.ws.WebServiceException: Cannot validate response for {http://service.de/}CalculatorWSPort
	at com.sun.enterprise.security.webservices.ClientSecurityPipe.processSecureRequest(ClientSecurityPipe.java:218)
	at com.sun.enterprise.security.webservices.ClientSecurityPipe.process(ClientSecurityPipe.java:187)
	at com.sun.xml.ws.api.pipe.helper.PipeAdapter.processRequest(PipeAdapter.java:119)
	at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1136)
	at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:1050)
	at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:1019)
	at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:877)
	at com.sun.xml.ws.client.Stub.process(Stub.java:464)
	at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:174)
	at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108)
	at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:91)
	at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:154)
	at com.sun.proxy.$Proxy380.add(Unknown Source)
	at de.client.servlet.ClientServlet.add(ClientServlet.java:100)
	at de.client.servlet.ClientServlet.processRequest(ClientServlet.java:50)
	at de.client.servlet.ClientServlet.doGet(ClientServlet.java:69)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:687)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
	at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1682)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:318)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
	at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
	at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
	at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
	at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
	at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
	at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
	at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
	at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
	at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
	at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
	at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
	at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
	at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
	at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
	at java.lang.Thread.run(Thread.java:745)
Caused by: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
	at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:159)
	at com.sun.xml.ws.security.opt.impl.incoming.processor.CipherDataProcessor.readAsStream(CipherDataProcessor.java:188)
	at com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.getCipherInputStream(EncryptedData.java:224)
	at com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.getDecryptedData(EncryptedData.java:240)
	at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handlePayLoadED(SecurityRecipient.java:1354)
	at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.createMessage(SecurityRecipient.java:844)
	at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecipient.java:252)
	at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.verifyInboundMessage(WSITClientAuthContext.java:596)
	at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.validateResponse(WSITClientAuthContext.java:476)
	at com.sun.xml.wss.provider.wsit.WSITClientAuthContext.validateResponse(WSITClientAuthContext.java:415)
	at com.sun.enterprise.security.webservices.ClientSecurityPipe.processSecureRequest(ClientSecurityPipe.java:214)
	... 44 more

What did I do wrong? Do you need more information?
Thank you in advance.

Kind regards
Peter
Loading...