Error SAP WS-Security client calling JBoss Security WS
lall2 Jul 29, 2008 5:48 AMHi,
I get the following exception when the SAP system invokes a JBossWS WS-Security WS:
ERROR [WSSecurityDispatcher] Internal error occured handling inbound message: org.jboss.ws.extensions.security.exception.WSSecurityException: Inavliad message, Reference element is missing a ValueType at org.jboss.ws.extensions.security.element.DirectReference.<init>(DirectReference.java:78) at org.jboss.ws.extensions.security.element.Reference.getReference(Reference.java:39) at org.jboss.ws.extensions.security.element.SecurityTokenReference.<init>(SecurityTokenReference.java:61) at org.jboss.ws.extensions.security.KeyResolver.extractSecurityTokenReference(KeyResolver.java:70) at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:161) at org.jboss.ws.extensions.security.element.Signature.<init>(Signature.java:56) at org.jboss.ws.extensions.security.element.SecurityHeader.<init>(SecurityHeader.java:87) at org.jboss.ws.extensions.security.SecurityDecoder.decode(SecurityDecoder.java:175) at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:219) at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:83) at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:41)
It looks to me that this occurs when the SAP's request
Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference
element is checked. If so, can this check in org.jboss.ws.extensions.security.element.DirectReference be skipped, since the ValueType attribute of
Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference
does not contain specific information? Additionally, the same value type is also contained in Envelope/Header/Security/BinarySecurityToken
element with a wsu:Id="token-2-1215429956710-11328770" attribute referencing/referenced in the URI attribute of
Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference
I have outlined the important sections in bold of the two following SOAP trace listings.
a) The request from the SAP system looks as follows:
<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/"> <SOAP:Header> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP:mustUnderstand="1"> <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sap-17" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"> <!-- ... cipher data ... --> </wsse:BinarySecurityToken> <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsu-targetID-4f51c3d1-4c31-11dd-c804-52325dc89402"> <wsu:Created ValueType="xsd:dateTime">2008-07-07T14:30:55Z</wsu:Created> <wsu:Expires ValueType="xsd:dateTime">2008-07-07T14:31:55Z</wsu:Expires> </wsu:Timestamp> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK7176284"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference> <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">tZwIZ4EyuXCscFmLexbBSDw4pXc=</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData> <xenc:CipherValue>dN7Jdu9ZrqKdO4gmMhVVqEraDWATPkXyfaOwqTJ9iiNBGslSZxS9wDPaMms+1AVIsEj+zPxOP1m9 iGzNZgUj36ytFnfMPEYy79LZhjlsrRcuNNIYdIosI1aR55Cg8LWhmExp8xfPwcaero2ku6mnHqZT PCoAWq859YRnQsmxoF8=</xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList> <xenc:DataReference URI="#ED52721394"/> </xenc:ReferenceList> </xenc:EncryptedKey> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> <ds:Reference URI="#wsuid-body-4f51c3d0-4c31-11dd-962a-52325dc89402"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>uPX1GhMMPxAyFhdKOyOWTSXoaFg=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#wsu-targetID-4f51c3d1-4c31-11dd-c804-52325dc89402"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> <ds:DigestValue>720bTnzpOnIall0ooGeyk32Syqs=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>AzlqPk9OCrqetQVS2BPZ6u3ZwMHGtPGgYQwMTBLnREKPhNEI/Cb8o3EJAgIfB73kKgKFmw0Dj3WN c+MesXZ1LEOqvT2YDq6Jxpz4I/cYWbY+79tKKmuOfstfoQzBGn8uo4+wwR8Vn3l0Ns/DuYHwvnNR 34RzPbLDllZUW4qdXmE=</ds:SignatureValue> <ds:KeyInfo> <wsse:SecurityTokenReference> <wsse:Reference URI="#sap-17"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sap-17" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"> <!-- ... cipher data ... --> </wsse:BinarySecurityToken> <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... cipher data ... --></wsse:BinarySecurityToken> <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sap-17" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... cipher data ... --></wsse:BinarySecurityToken> </wsse:Security> </SOAP:Header> <SOAP:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsuid-body-4f51c3d0-4c31-11dd-962a-52325dc89402"> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="ED52721394"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/> <xenc:CipherData> <xenc:CipherValue><!-- ... cipher data ... --></xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </SOAP:Body> </SOAP:Envelope>
The SAP request only has the ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" attribute within the
Envelope/Header/Security/BinarySecurityToken
element. The JBoss request ValueType attribute is contained in
Envelope/Header/Security/BinarySecurityToken
and
Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference.
Is the second ValueType attribute required by JBossWS internal processing?
b) When a JBossWS WS-Security client calls an SAP WS-Security WS, there are no problems. The request looks as follows:
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"> <env:Header> <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"> <wsu:Timestamp wsu:Id="timestamp"> <wsu:Created>2008-07-07T11:25:56.523Z</wsu:Created> <wsu:Expires>2008-07-07T11:26:26.523Z</wsu:Expires> </wsu:Timestamp> <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-2-1215429956710-11328770"> <!-- ... cipher data ... --> </wsse:BinarySecurityToken> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference wsu:Id="reference-5-1215429957054-30222347"> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">NS0xdPUqf/9XQw4/YZ+lMnTguf8=</wsse:KeyIdentifier> </wsse:SecurityTokenReference> </ds:KeyInfo> <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">dqWVJQ08cTvj6O/lbEC+e6giBMlU5msZsGS5fShB1bdkkGUh1Fc0Kk38FNYfUW/EZZu0H3/YDInN W7HcQle5KL0LpD1vGCNlXElGlOfRYdX96stIL8e6r386lglQdYxdL78RaPlI6OF4fnD6XCS3QfM9 XhODTHWQf8LIw2xQVyI=</xenc:CipherValue> </xenc:CipherData> <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:DataReference URI="#encrypted-4-1215429956976-6044039" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/> </xenc:ReferenceList> </xenc:EncryptedKey> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:Reference URI="#element-1-1215429956523-31952022" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">ZmQ7YZUv5swk3OnUn5X3w2JyenE=</ds:DigestValue> </ds:Reference> <ds:Reference URI="#timestamp" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/> <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">OyIUQGrnwhkJoimoqv07+ML45IE=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <!-- ... cipher data ... --> </ds:SignatureValue> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <wsse:SecurityTokenReference wsu:Id="reference-3-1215429956710-15774883"> <wsse:Reference URI="#token-2-1215429956710-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> </wsse:SecurityTokenReference> </ds:KeyInfo> </ds:Signature> </wsse:Security> </env:Header> <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-1-1215429956523-31952022"> <xenc:EncryptedData Id="encrypted-4-1215429956976-6044039" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/> <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"> <!-- ... cipher data ... --> </xenc:CipherValue> </xenc:CipherData> </xenc:EncryptedData> </env:Body> </env:Envelope>
I use version: JBoss 4.2.2 - JBossWS 3.0.1.