7 Replies Latest reply on Jun 17, 2013 1:27 PM by pbalachandran

    JBoss AS7.1.1-Final & WS-Security

    pbalachandran

      I have been trying to get JBoss AS7 & WS-Security to work, but have had no luck.  I followed the link https://docs.jboss.org/author/display/JBWS/WS-Security as a guide to try and get encryption & signing working (on a different example), but I run into one error after another.  The latest one being "the signature or decryption was invalid".

       

      Server Side (CentOS):

       

      * Keystore and properties file inside src/main/resources directory and jaxws-endpoint-config.xml (uses the same settings as in the JBoss article above) under WEB-INF

      * Keystore contains public + private key for server, along with public key for client

      * Service Implementation from a contract first WS (attached)

      * WSDL with policies (attached)

       

       

      Client Side (Windows):

       

      * Keystore and properties file inside src/main/resources directory

      * Keystore contains public + private key for client, along with public key for server

      * WSDL file used to generate client stub (attached)

       

       

      Keystores:

       

      * Both keystores were generated on the Linux side - not sure if there can be an incompatibility (since the server and client are on different OS).

      * See keystore listings (attached)

       

      Output:

       

      * Turned on logging inside JBoss and the client's encrypted and signed request makes it across to the server

      * Server however does not know how to decrypt and verify signature, resulting in - org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid

      * Please see incoming request (on the server side).

       

      Any help is greatly appreciated.

       

      Thank you.

       

      ..pradeep balachandran

        • 1. Re: JBoss AS7.1.1-Final & WS-Security
          asoldano

          Caused by: java.lang.ClassCastException: org.apache.ws.security.WSPasswordCallback cannot be cast to org.apache.ws.security.WSPasswordCallback
               at com.corelogic.ws.service.KeystorePasswordCallback.handle(KeystorePasswordCallback.java:24) [classes:]
               at org.apache.ws.security.components.crypto.Merlin.getPassword(Merlin.java:1377) [wss4j-1.6.10.jar:1.6.10]
               at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:653) [wss4j-1.6.10.jar:1.6.10]
               at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:106) [wss4j-1.6.10.jar:1.6.10]
               ... 30 more

           

          My gut feeling is that you have some classloading issues, given the exception above. Perhaps you have the wss4j jar (or other libraries) in your deployment?

          • 2. Re: JBoss AS7.1.1-Final & WS-Security
            erasmomarciano

            Hi

             

            Perhaps, this tool http://www.jboss.org/tattletale/ could help you

            • 3. Re: JBoss AS7.1.1-Final & WS-Security
              pbalachandran

              I reduced the pom.xml to contain the essential dependencies - please see attached.  I still get the class cast exception.  Not sure where wss4j.jar is getting included (must be transitive).

               

              Do I need to put in an exclusion for it and, if so, within which dependency?

               

              Thank you.

              • 4. Re: JBoss AS7.1.1-Final & WS-Security
                asoldano

                Simply have a look at the notaryWS.war contents. I assume it will have multiple cxf jars (as well as the wss4j jar) in it. You need to remove them all.

                • 5. Re: JBoss AS7.1.1-Final & WS-Security
                  pbalachandran

                  Thank you so much for the pointers - I got a good deal further by making the JARs scope "provided".  I did not realize that the examples that I based my project on were for Tomcat (which required all these JARs to be packaged), but since JBoss is bundled with CXF, these were not required.  However I get another weird error now - it complains it can't find WSPasswordCallback which is in the wss4j.jar.  Not sure why JBoss would not be able to find this class.

                   

                   

                  root cause

                  java.lang.NoClassDefFoundError: org/apache/ws/security/WSPasswordCallback
                      com.corelogic.ws.service.KeystorePasswordCallback.handle(KeystorePasswordCallback.java:24)
                      org.apache.ws.security.components.crypto.Merlin.getPassword(Merlin.java:1377)
                      org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:653)
                      org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:106)
                      org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:397)
                      org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:249)
                      org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:85)
                      org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
                      org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
                      org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)
                      org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)
                      org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)
                      org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
                      org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)
                      org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)
                      javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
                      org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
                      org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
                      javax.servlet.http.HttpServlet.service(HttpServlet.java:847)

                  • 6. Re: JBoss AS7.1.1-Final & WS-Security
                    asoldano

                    You're most likely missing a module dependency to org.apache.ws.security module. Have a look at the doc at https://docs.jboss.org/author/display/JBWS/WS-Security

                    In a few words, you most likely need to have a "Dependencies: org.apache.ws.security" line in your app MANIFEST.MF
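
The two fixes given in replies 4 and 6 (no cxf or wss4j jars packaged inside the WAR, and a `Dependencies: org.apache.ws.security` entry in MANIFEST.MF) can be checked on the built archive before it is deployed. The following is an added example, not code from this thread or from JBoss; the jar-name prefixes it flags and the in-memory sample archives produced by `build_war` are assumptions.

```python
import io
import re
import zipfile

# Assumption: jars with these name prefixes duplicate libraries the container ships.
CONTAINER_PROVIDED = re.compile(r"^(cxf-|wss4j-)", re.IGNORECASE)
REQUIRED_MODULE = "org.apache.ws.security"  # module named in the thread


def parse_manifest(text):
    """Return the main-section attributes, joining wrapped continuation lines."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:  # a blank line ends the main section
            break
        if line.startswith(" ") and key:
            attrs[key] += line[1:]  # continuation: drop the single leading space
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs[key] = value.lstrip()
    return attrs


def audit_war(war_bytes):
    """List bundled container jars and a missing module dependency in a WAR."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        for name in names:
            jar = name.rsplit("/", 1)[-1]
            if name.startswith("WEB-INF/lib/") and CONTAINER_PROVIDED.match(jar):
                findings.append(("bundled-jar", jar))
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = war.read("META-INF/MANIFEST.MF").decode("utf-8")
        deps = parse_manifest(manifest).get("Dependencies", "")
        # Each comma-separated entry is a module name optionally followed by flags.
        modules = [e.split()[0] for e in deps.split(",") if e.strip()]
        if REQUIRED_MODULE not in modules:
            findings.append(("missing-dependency", REQUIRED_MODULE))
    return findings


def build_war(jars, manifest):
    """Build a constructed in-memory WAR (sample input, not a real deployment)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for jar in jars:
            war.writestr("WEB-INF/lib/" + jar, b"")
        war.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()
```

For a real build, pass the bytes of the WAR file to `audit_war`; an empty list means neither problem from this thread is present.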

                    • 7. Re: JBoss AS7.1.1-Final & WS-Security
                      pbalachandran

                      That was it!  I added the manifest and I am able to get responses back.  Thank you so much for all the help.