6 Replies Latest reply: Oct 3, 2012 3:43 AM by Alessio Soldano RSS

Problem implementing ws-security service (and client) in AS7.1.1

varkon Newbie

Hello,

 

I have been trying to migrate a secure web service deployed in JBoss AS 5.1 to AS7.1. Having realized that the process is quite different now, I decided to start small and follow the WS-Security for AS7.1 documentation.Unfortunately, I did not manage to get the service working as expected (sign & encrypt). I keep getting errors like this:

 

WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding" was evaluated as "UNKNOWN".
WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10" was evaluated as "UNKNOWN".
WARNING: WSP0019: Suboptimal policy alternative selected on the client side with fitness "UNKNOWN".
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
    at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
    at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:111)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:129)
    at $Proxy22.sayHello(Unknown Source)
    at Test.main(Test.java:22)

 

or this (with a slightly altered WSDL):

 

WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding" was evaluated as "UNKNOWN".
WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10" was evaluated as "UNKNOWN".
WARNING: WSP0019: Suboptimal policy alternative selected on the client side with fitness "UNKNOWN".
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
    at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
    at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:111)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:129)
    at $Proxy22.sayHello(Unknown Source)
    at Test.main(Test.java:22)

 

 

I have tried changing the ws-securitypolicy configuration in my WSDL - as described in the WS-SecurityPolicy standard - but to no avail.

Are the sample web services described in the above WS-Security link located anywhere? I would very much like to download them, and try to deploy them as they are. Perhaps I might get a better idea of what I might be doing wrong.

 

Regards,

 

Dimitris

  • 1. Re: Problem implementing ws-security service (and client) in AS7.1.1
    Alessio Soldano Master

    You can download jbossws-cxf-4.0.2.GA from http://www.jboss.org/jbossws/downloads

    Then have a look at the testcases in /jbossws-cxf-bin-dist/tests/java/org/jboss/test/ws/jaxws/samples/wsse/policy/ folder.

  • 2. Re: Problem implementing ws-security service (and client) in AS7.1.1
    varkon Newbie

    Thanks, will look into it!

  • 3. Re: Problem implementing ws-security service (and client) in AS7.1.1
    varkon Newbie

    I've found the relevant resources in the archive/path you mentioned, and attempted to incorporate the sample service in my deployment.

    I'm still getting the following error:

     

     

    12:40:05,397 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http--0.0.0.0-8080-3) Interceptor for {http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy}SecurityService#{http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy}sayHello has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied: 
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
        at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)
        at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)
        at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)
        at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
        at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
        at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.GA.jar:2.0.3.GA]
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
        at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
        at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
        at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_04]
    Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: 
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
    {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
        at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:162)
        at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:99)
        at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
        ... 26 more

     

     

    I should mention that I'm packaging the services as WAR inside an EAR. All relevant service resources (wsdls, keystores, etc) are include like this: EAR -> WAR -> WEB-INF. Furthermore, I'm trying to test the "sign and encrypt" case.

  • 4. Re: Problem implementing ws-security service (and client) in AS7.1.1
    Juan Sepulveda Newbie

    I have the same problem, Signing and Encrypting Example won work, I already installed JCE 6 ober JDK 6.23 for JBoss and BouncyCastle provider (editing java.security) and made the dynamic call for the provider in the client.

  • 5. Re: Problem implementing ws-security service (and client) in AS7.1.1
    Alessio Soldano Master

    The client side exception shows that the JAXWS RI is being used, not the jbossws-cxf jaxws implementation. Are you properly enabling ws-security policy support in your client? The exception on server side basically means that the received message does not satifsy the ws-security policy in the endpoint wsdl contract.