3 Replies Latest reply on Jul 24, 2012 12:55 AM by pratik.pai

    JBossWS Service that calls a client

    dannyhoult

      JBoss 4.2.2 AS (JBossWS Native 3.0.3)  Seam 2.0.1GA

       

      I have a web service configured to use Mutual Certificate authentication using keystore files. All is well and good until one of my exposed web methods does a WS Client call to another service (also secured with mutual certificate keystores).

      The client call is secured and returns fine, then when the original method that was called on the service tries to return, it doesn't know how to encrypt it. The client WS call has somehow interfered with the original encryption alias.

      Error:

       

      org.jboss.ws.extensions.security.exception.WSSecurityException: Cannot get the certificate for message encryption! Verify the keystore contents, considering the certificate is obtained through the alias specified in the encrypt configuration element or (server side only) through a single key used to sign the incoming message.
      at org.jboss.ws.extensions.security.operation.EncryptionOperation.getCertificate(EncryptionOperation.java:206)
      at org.jboss.ws.extensions.security.operation.EncryptionOperation.process(EncryptionOperation.java:175)
      at org.jboss.ws.extensions.security.SecurityEncoder.encode(SecurityEncoder.java:72)
      at org.jboss.ws.extensions.security.WSSecurityDispatcher.encodeMessage(WSSecurityDispatcher.java:182)
      at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleOutboundSecurity(WSSecurityHandler.java:104)
      at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleOutbound(WSSecurityHandlerServer.java:44)
      at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:53)
      at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:293)
      at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:138)
      at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callResponseHandlerChain(HandlerDelegateJAXWS.java:105)
      at org.jboss.ws.core.server.ServiceEndpointInvoker.callResponseHandlerChain(ServiceEndpointInvoker.java:130)
      at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:265)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:476)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:295)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:205)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:131)
      at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:81)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
      at java.lang.Thread.run(Thread.java:595)
      2010-07-27 16:53:21,969 ERROR [org.jboss.ws.core.jaxws.handler.HandlerChainExecutor] Exception during handler processing
      org.jboss.ws.core.CommonSOAPFaultException: An internal WS-Security error occurred. See log for details
      at org.jboss.ws.extensions.security.WSSecurityDispatcher.convertToFault(WSSecurityDispatcher.java:228)
      at org.jboss.ws.extensions.security.WSSecurityDispatcher.encodeMessage(WSSecurityDispatcher.java:190)
      at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleOutboundSecurity(WSSecurityHandler.java:104)
      at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleOutbound(WSSecurityHandlerServer.java:44)
      at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:53)
      at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:293)
      at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:138)
      at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callResponseHandlerChain(HandlerDelegateJAXWS.java:105)
      at org.jboss.ws.core.server.ServiceEndpointInvoker.callResponseHandlerChain(ServiceEndpointInvoker.java:130)
      at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:265)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:476)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:295)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:205)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:131)
      at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:81)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
      at java.lang.Thread.run(Thread.java:595)
      2010-07-27 16:53:22,003 ERROR [org.jboss.ws.core.jaxws.SOAPFaultHelperJAXWS] SOAP request exception
      javax.xml.ws.WebServiceException: org.jboss.ws.core.CommonSOAPFaultException: An internal WS-Security error occurred. See log for details
      at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.processHandlerFailure(HandlerChainExecutor.java:274)
      at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:153)
      at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callResponseHandlerChain(HandlerDelegateJAXWS.java:105)
      at org.jboss.ws.core.server.ServiceEndpointInvoker.callResponseHandlerChain(ServiceEndpointInvoker.java:130)
      at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:265)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:476)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:295)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:205)
      at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:131)
      at org.jboss.wsf.stack.jbws.EndpointServlet.service(EndpointServlet.java:81)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
      at java.lang.Thread.run(Thread.java:595)
      Caused by: org.jboss.ws.core.CommonSOAPFaultException: An internal WS-Security error occurred. See log for details
      at org.jboss.ws.extensions.security.WSSecurityDispatcher.convertToFault(WSSecurityDispatcher.java:228)
      at org.jboss.ws.extensions.security.WSSecurityDispatcher.encodeMessage(WSSecurityDispatcher.java:190)
      at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleOutboundSecurity(WSSecurityHandler.java:104)
      at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleOutbound(WSSecurityHandlerServer.java:44)
      at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:53)
      at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:293)
      at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:138)
      ... 27 more

       

      It works absolutely fine when we don't make the additional client call...

        • 1. Re: JBossWS Service that calls a client
          dannyhoult

          An additional note:

           

          We can temporarily solve this issue by specifying the encryption alias in the jboss-wsse-server.xml, but doing this means other clients (using other aliases) can't interact with the service...

           

          <config>
            <timestamp ttl="300" />
            <sign type="x509v3" alias="server" includeTimestamp="true" />

            <!-- doesn't work -->
            <encrypt type="x509v3" algorithm="aes-128" keyWrapAlgorithm="rsa_oaep"
                     tokenReference="keyIdentifier" />
            <!-- does work but disables other clients -->
            <encrypt type="x509v3" algorithm="aes-128" keyWrapAlgorithm="rsa_oaep"
                     tokenReference="keyIdentifier" alias="specific_client_to_encrypt_to" />
            <requires>
              <signature />
              <encryption />
            </requires>
            <authenticate>
              <signatureCertAuth certificatePrincipal="org.jboss.security.auth.certs.SubjectCNMapping" />
            </authenticate>
          </config>

          • 2. Re: JBossWS Service that calls a client
            dannyhoult

            Any ideas anyone?

            • 3. Re: JBossWS Service that calls a client
              pratik.pai

              Hi Daniel,

               

                   Even I am facing a similar issue... Did you overcome this anyhow?

                   Specifying an alias would not work in my case, as I have multiple clients that would hit my service, so I want dynamic encryption to work.

               

                   Any help would be highly appreciated.

               

                   Thanks in advance!

               

              Regards,

              Pratik Pai