Problem WS-Security Standard implementation difference --> i
lall2 Jul 3, 2008 8:50 AMHi all,
I built a JBoss 4.2.2 JBossWS Native 2.0.4/3.0.1 WS Client with the following jboss-wsse-client.xml security configuration:
<?xml version="1.0" encoding="UTF-8"?> <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <config> <timestamp ttl="30"/> <sign type="x509v3" alias="SimpleClientCertPrivateKey" includeTimestamp="true"/> <encrypt type="x509v3" alias="SimpleClientCert"/> <requires> <signature/> <encryption/> </requires> </config> <timestamp-verification createdTolerance="500" warnCreated="true" expiresTolerance="100" warnExpires="true"/> </jboss-ws-security>
All certificates and KeyStores have been installed properly on both sides.
The resulting SOAP message trace looks as follows:
(Listing 1)
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"> <env:Header> <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsu:Timestamp wsu:Id="timestamp"> <wsu:Created>2008-06-13T12:45:10.976Z</wsu:Created> <wsu:Expires>2008-06-13T12:45:40.976Z</wsu:Expires> </wsu:Timestamp> <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-2-1213361111663-11328770"> <!-- ... lot of base64 encoding ... --> </wsse:BinarySecurityToken> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference wsu:Id="reference-5-1213361112194-30222347"> <wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">lg6tOjzqKs26HX6KFk1nLA5YF5W5fQZ6dh2mzM9/V3r5Pg80vLz4x0EJ10Y1KdhXH08ijZxRZWjf v1dqulorSnIyV7X0uk25y/OMDmkVYQ/VlQF7bxZr/5Q+UB6YwLy74N1jpx7lo4BZXUM9kEZmgFAo o8SW8P3AcSgBAUoOpOc=</xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:DataReference URI="#encrypted-4-1213361112116-6044039" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/> </xenc:ReferenceList> </xenc:EncryptedKey> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:Reference URI="#element-1-1213361110976-31952022" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">l2LG3Bc2Rk+LgAjU2OP2vrVwYBM=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#timestamp" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">GNamS8F3tDSDlfUzNxIzfYZpXdc=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <!-- ... lot of base64 encoding ... --> </ds:SignatureValue> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference wsu:Id="reference-3-1213361111663-15774883"> <wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </env:Header> <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-1-1213361110976-31952022"> <xenc:EncryptedData Id="encrypted-4-1213361112116-6044039" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/> <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <!-- ... lot of base64 encoding ... --> </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </env:Body> </env:Envelope>
Due to researching, I know that the WebService system expects a reqeuest that looks as follows
(Listing 2)
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP:mustUnderstand="1"> <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sap-9" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"> <!-- ... lot of base64 encoding ... --> </wsse:BinarySecurityToken> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsu-targetID-1f10b320-0181-11dd-aebd-00144f2515b0"> <wsu:Created ValueType="xsd:dateTime">2008-04-03T13:23:17Z</wsu:Created> <wsu:Expires ValueType="xsd:dateTime">2008-04-03T13:25:17Z</wsu:Expires> </wsu:Timestamp> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK52789332"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference> <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">yk+Civrkf+wQdj30aJid9VGnjtY=</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue> <!-- ... lot of base64 encoding ... --> </xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI="#ED13608949"/> </xenc:ReferenceList> </xenc:EncryptedKey> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#wsuid-body-1f108c10-0181-11dd-838e-00144f2515b0"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>UaW58GCrg/nrA/EfW+OyHP2DCio=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#wsu-targetID-1f10b320-0181-11dd-aebd-00144f2515b0"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>LFuszgJ412Fe8PRtK3W69RTXndY=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue> <!-- ... lot of base64 encoding ... --> </ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#sap-9"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </SOAP:Header> <SOAP:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsuid-body-1f108c10-0181-11dd-838e-00144f2515b0"> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="ED13608949"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <xenc:CipherData> <xenc:CipherValue> <!-- ... lot of base64 encoding ... --> </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </SOAP:Body> </SOAP:Envelope>
There is a significant difference of the Envelope/Header/Security/EncryptedKey/KeyInfo element (printed in bold). This difference causes
an error message:
"No SecurityTokenReference was found in the <xenc:EncryptedKey>/// element.",
showing the reason for the failure of the WS Client request processing by the system implementing the WebService.
JBoss Native's
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference wsu:Id="reference-5-1213361112194-30222347"> <wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo>
vs.
system implementing the WebService
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference> <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">yk+Civrkf+wQdj30aJid9VGnjtY= </wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo>
It looks to me that there is a difference in the implementation of WS-Security between JBossWS Native and the one of the
system on which the WebService runs.
I am wondering if JBossWS Metro 3.0.2 behaves like JBossWS Native, differently or even the same like in the second listing.
Does anyone know that? I am about to build a test case to find out, but it would time saving to know that beforehands ;-)
Obviously, when looking at http://support.microsoft.com/?scid=kb%3Ben-us%3B922779&x=8&y=13, the MS Web Services Enhancements 3.0 for Microsoft .NET implement the WS-Security like in Listing 2 with a <ds:KeyInfo>/<wsse:SecurityTokenReference>/<wsse:KeyIdentifier>
instead of
<ds:KeyInfo>/<wsse:SecurityTokenReference>/<wsse:Reference>
Why does JBoss Native implement WS-Security in this way?
Greets Andy