3 Replies Latest reply on Sep 3, 2008 3:36 PM by lall2

    Error SAP WS-Security client calling JBoss Security WS

      Hi,

      I get the following exception when the SAP system invokes a JBossWS WS-Security WS:

      ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
      org.jboss.ws.extensions.security.exception.WSSecurityException: Inavliad message, Reference element is missing a ValueType
       at org.jboss.ws.extensions.security.element.DirectReference.<init>(DirectReference.java:78)
       at org.jboss.ws.extensions.security.element.Reference.getReference(Reference.java:39)
       at org.jboss.ws.extensions.security.element.SecurityTokenReference.<init>(SecurityTokenReference.java:61)
       at org.jboss.ws.extensions.security.KeyResolver.extractSecurityTokenReference(KeyResolver.java:70)
       at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:161)
       at org.jboss.ws.extensions.security.element.Signature.<init>(Signature.java:56)
       at org.jboss.ws.extensions.security.element.SecurityHeader.<init>(SecurityHeader.java:87)
       at org.jboss.ws.extensions.security.SecurityDecoder.decode(SecurityDecoder.java:175)
       at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:219)
       at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:83)
       at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:41)

      It looks to me that this occurs when SAP's request

      Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference

      element is checked. If so, can this check in org.jboss.ws.extensions.security.element.DirectReference be skipped, since the ValueType attribute of

      Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference

      does not contain specific information? Additionally, the same value type is also contained in the Envelope/Header/Security/BinarySecurityToken
      element, whose wsu:Id="token-2-1215429956710-11328770" attribute is referenced by the URI attribute of

      Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference

      I have outlined the important sections of the two following SOAP trace listings in bold.

      a) The request from the SAP system looks as follows:

      <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
       <SOAP:Header>
       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP:mustUnderstand="1">
       <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      wsu:Id="sap-17" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
       <!-- ... cipher data ... -->
       </wsse:BinarySecurityToken>
       <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsu-targetID-4f51c3d1-4c31-11dd-c804-52325dc89402">
       <wsu:Created ValueType="xsd:dateTime">2008-07-07T14:30:55Z</wsu:Created>
       <wsu:Expires ValueType="xsd:dateTime">2008-07-07T14:31:55Z</wsu:Expires>
       </wsu:Timestamp>
       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK7176284">
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <wsse:SecurityTokenReference>
       <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">tZwIZ4EyuXCscFmLexbBSDw4pXc=</wsse:KeyIdentifier>
       </wsse:SecurityTokenReference>
       </ds:KeyInfo>
       <xenc:CipherData>
       <xenc:CipherValue>dN7Jdu9ZrqKdO4gmMhVVqEraDWATPkXyfaOwqTJ9iiNBGslSZxS9wDPaMms+1AVIsEj+zPxOP1m9
      iGzNZgUj36ytFnfMPEYy79LZhjlsrRcuNNIYdIosI1aR55Cg8LWhmExp8xfPwcaero2ku6mnHqZT
      PCoAWq859YRnQsmxoF8=</xenc:CipherValue>
       </xenc:CipherData>
       <xenc:ReferenceList>
       <xenc:DataReference URI="#ED52721394"/>
       </xenc:ReferenceList>
       </xenc:EncryptedKey>
       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:SignedInfo>
       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
       <ds:Reference URI="#wsuid-body-4f51c3d0-4c31-11dd-962a-52325dc89402">
       <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
       </ds:Transforms>
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
       <ds:DigestValue>uPX1GhMMPxAyFhdKOyOWTSXoaFg=</ds:DigestValue>
       </ds:Reference>
       <ds:Reference URI="#wsu-targetID-4f51c3d1-4c31-11dd-c804-52325dc89402">
       <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
       </ds:Transforms>
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
       <ds:DigestValue>720bTnzpOnIall0ooGeyk32Syqs=</ds:DigestValue>
       </ds:Reference>
       </ds:SignedInfo>
       <ds:SignatureValue>AzlqPk9OCrqetQVS2BPZ6u3ZwMHGtPGgYQwMTBLnREKPhNEI/Cb8o3EJAgIfB73kKgKFmw0Dj3WN
      c+MesXZ1LEOqvT2YDq6Jxpz4I/cYWbY+79tKKmuOfstfoQzBGn8uo4+wwR8Vn3l0Ns/DuYHwvnNR
      34RzPbLDllZUW4qdXmE=</ds:SignatureValue>
       <ds:KeyInfo>
       <wsse:SecurityTokenReference>
       <wsse:Reference URI="#sap-17"/>
       </wsse:SecurityTokenReference>
       </ds:KeyInfo>
       </ds:Signature>
       <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sap-17" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
       <!-- ... cipher data ... -->
       </wsse:BinarySecurityToken>
       <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... cipher data ... --></wsse:BinarySecurityToken>
       <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sap-17" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... cipher data ... --></wsse:BinarySecurityToken>
       </wsse:Security>
       </SOAP:Header>
       <SOAP:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsuid-body-4f51c3d0-4c31-11dd-962a-52325dc89402">
       <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="ED52721394">
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
       <xenc:CipherData>
       <xenc:CipherValue><!-- ... cipher data ... --></xenc:CipherValue>
       </xenc:CipherData>
       </xenc:EncryptedData>
       </SOAP:Body>
      </SOAP:Envelope>

      The SAP request only has the ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" attribute within the

      Envelope/Header/Security/BinarySecurityToken

      element. In the JBoss request, the ValueType attribute is contained in both

      Envelope/Header/Security/BinarySecurityToken

      and

      Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference.

      Is the second ValueType attribute required by JBossWS internal processing?

      b) When a JBossWS WS-Security client calls an SAP WS-Security WS, there are no problems. The request looks as follows:

      <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
       <env:Header>
       <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
       <wsu:Timestamp wsu:Id="timestamp">
       <wsu:Created>2008-07-07T11:25:56.523Z</wsu:Created>
       <wsu:Expires>2008-07-07T11:26:26.523Z</wsu:Expires>
       </wsu:Timestamp>
       <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-2-1215429956710-11328770">
       <!-- ... cipher data ... -->
       </wsse:BinarySecurityToken>
       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <wsse:SecurityTokenReference wsu:Id="reference-5-1215429957054-30222347">
       <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">NS0xdPUqf/9XQw4/YZ+lMnTguf8=</wsse:KeyIdentifier>
       </wsse:SecurityTokenReference>
       </ds:KeyInfo>
       <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">dqWVJQ08cTvj6O/lbEC+e6giBMlU5msZsGS5fShB1bdkkGUh1Fc0Kk38FNYfUW/EZZu0H3/YDInN
      W7HcQle5KL0LpD1vGCNlXElGlOfRYdX96stIL8e6r386lglQdYxdL78RaPlI6OF4fnD6XCS3QfM9
      XhODTHWQf8LIw2xQVyI=</xenc:CipherValue>
       </xenc:CipherData>
       <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <xenc:DataReference URI="#encrypted-4-1215429956976-6044039" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
       </xenc:ReferenceList>
       </xenc:EncryptedKey>
       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       <ds:Reference URI="#element-1-1215429956523-31952022" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       </ds:Transforms>
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">ZmQ7YZUv5swk3OnUn5X3w2JyenE=</ds:DigestValue>
       </ds:Reference>
       <ds:Reference URI="#timestamp" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       </ds:Transforms>
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">OyIUQGrnwhkJoimoqv07+ML45IE=</ds:DigestValue>
       </ds:Reference>
       </ds:SignedInfo>
       <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <!-- ... cipher data ... -->
       </ds:SignatureValue>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <wsse:SecurityTokenReference wsu:Id="reference-3-1215429956710-15774883">
       <wsse:Reference URI="#token-2-1215429956710-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
       </wsse:SecurityTokenReference>
       </ds:KeyInfo>
       </ds:Signature>
       </wsse:Security>
       </env:Header>
       <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-1-1215429956523-31952022">
       <xenc:EncryptedData Id="encrypted-4-1215429956976-6044039" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
       <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <!-- ... cipher data ... -->
      </xenc:CipherValue>
       </xenc:CipherData>
       </xenc:EncryptedData>
       </env:Body>
      </env:Envelope>

      I use JBoss 4.2.2 with JBossWS 3.0.1.

        • 1. Re: Error SAP WS-Security client calling JBoss Security WS

          Hi,

          I found a similar case with a Microsoft WCF client calling an Oracle WS:
          http://weblogs.asp.net/gsusx/archive/2006/10/20/WCF-Oracle-Application-Server-WS_2D00_Security-interoperability-Part1_3A00_-from-WCF-to-Oracle.aspx

          The last code listing contains a WS-Security request trace with a KeyInfo element without the ValueType attribute:

          ...
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
           <o:SecurityTokenReference>
           <o:Reference URI="#_1"/>
           </o:SecurityTokenReference>
          </KeyInfo>
          ...

          • 2. Re: Error SAP WS-Security client calling JBoss Security WS
            enpasos

            Requiring "ValueType to be set" breaks the wsse standard 1.0 and 1.1!!!
            (tested in jbossws-3.0.1-native-204.GA)
            Please change. Thanks a lot.

            See ...
            http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf

            page 22, lines 702 - 708

            702 /wsse:SecurityTokenReference/wsse:Reference/@ValueType
            703 This optional attribute specifies a URI that is used to identify the type of token being
            704 referenced. This specification does not define any processing rules around the usage of
            705 this attribute, however, specifications for individual token types MAY define specific
            706 processing rules and semantics around the value of the URI and how it SHALL be
            707 interpreted. If this attribute is not present, the URI MUST be processed as a normal URI.
            708 The usage of ValueType is RECOMMENDED for references with local URIs.

            • 3. Re: Error SAP WS-Security client calling JBoss Security WS

              Hi enpasos,

              Thanks for your reply. I did a further test. Taking the request from the SAP system (see a) of my first post), I manually added
              ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'
              to the <wsse:Reference> element of

              ...
               <ds:KeyInfo>
               <wsse:SecurityTokenReference>
               <wsse:Reference URI="#sap-17"/>
               </wsse:SecurityTokenReference>
               </ds:KeyInfo>
              ...
              
              ----->
              
              ...
               <ds:KeyInfo>
               <wsse:SecurityTokenReference>
               <wsse:Reference URI="#sap-17" ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'/>
               </wsse:SecurityTokenReference>
               </ds:KeyInfo>
              ...
              


              Using my sniffer tool, I resubmitted this modified request to JBoss, and the

              WSSecurityException("Inavliad message, Reference element is missing a ValueType") of
              org.jboss.ws.extensions.security.element.DirectReference

              was gone. But unfortunately, I faced the next exception:

              WSSecurityException("Invalid message, BinarySecurityToken is missing an id") of org.jboss.ws.extensions.security.element.X509Token

              So I modified and resent the same request again by adding

              xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd' wsu:Id='sap-18'

              to the line

              ...
              <wsse:BinarySecurityToken
               ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
               EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
              ...
              
              ----->
              
              ...
              <wsse:BinarySecurityToken
               xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'
               wsu:Id='sap-18'
               ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
               EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
              ...

              Again, after resubmitting the modified request to JBoss, the exception did not occur any more.
              However, using this resubmitting method resulted in an expired message error/exception. I am running out of ideas.

              The only two things that remain are trying out the latest releases of JBoss and JBossWS native 3.0.3, or rebuilding JBossWS 3.0.x
              from source after commenting out the "Reference element is missing a ValueType" check of org.jboss.ws.extensions.security.element.DirectReference
              and the "Invalid message, BinarySecurityToken is missing an id" check of org.jboss.ws.extensions.security.element.X509Token to see what happens then.

              Unfortunately, I have no time to do that at the moment :-(
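The Reference/ValueType resolution the first post asks about, together with the timestamp check that tripped the resubmitted message in reply 3, as an added example in Python (not JBossWS code and not from the thread): it resolves the Reference URI to the BinarySecurityToken by wsu:Id, treats ValueType on the Reference as optional per the WSS 1.0 lines enpasos quotes (falling back to the token's own ValueType), and rejects a message whose wsu:Timestamp has expired. The sample header is constructed after the SAP request in a); `resolve_signing_token` and `timestamp_is_fresh` are names chosen here.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed sample header shaped like the SAP request in a): the Reference
# carries only a local URI, the BinarySecurityToken carries the ValueType.
SAMPLE = f"""<Security xmlns="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">
  <BinarySecurityToken wsu:Id="sap-17" ValueType="{X509V3}">MIIB...</BinarySecurityToken>
  <wsu:Timestamp><wsu:Created>2008-07-07T14:30:55Z</wsu:Created>
    <wsu:Expires>2008-07-07T14:31:55Z</wsu:Expires></wsu:Timestamp>
  <ds:Signature><ds:KeyInfo><SecurityTokenReference>
    <Reference URI="#sap-17"/>
  </SecurityTokenReference></ds:KeyInfo></ds:Signature>
</Security>"""


def resolve_signing_token(security_xml):
    """Return (token_id, value_type) for the signature's direct Reference.

    Raises ValueError only for what the spec forbids: a Reference without a
    local URI, or a URI resolving to no token with a wsu:Id (the 'missing an
    id' case). A missing ValueType on the Reference is not a defect (WSS 1.0
    lines 702-708 make it optional): fall back to the referenced token's own.
    """
    root = ET.fromstring(security_xml)
    ref = root.find(f".//{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")
    if ref is None or not ref.get("URI", "").startswith("#"):
        raise ValueError("Reference element is missing a local URI")
    token_id = ref.get("URI")[1:]
    # Index the tokens by wsu:Id; a token without one can never be resolved.
    tokens = {t.get(f"{{{WSU}}}Id"): t
              for t in root.findall(f"{{{WSSE}}}BinarySecurityToken")}
    token = tokens.get(token_id)
    if token is None:
        raise ValueError(f"no BinarySecurityToken with wsu:Id={token_id!r}")
    value_type = ref.get("ValueType") or token.get("ValueType")
    if value_type != X509V3:
        raise ValueError(f"unexpected token ValueType {value_type!r}")
    return token_id, value_type


def timestamp_is_fresh(security_xml, now_iso):
    """True if wsu:Expires lies after now_iso (xsd:dateTime in UTC, 'Z').

    A captured message resubmitted after that instant is rejected; this is
    the replay protection behind the 'expired message' error in reply 3.
    """
    root = ET.fromstring(security_xml)
    expires = root.findtext(f"{{{WSU}}}Timestamp/{{{WSU}}}Expires")
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(now_iso, fmt) < datetime.strptime(expires, fmt)
```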