Securing endpoints deployed in FUSE ESB with WSS
rcracel Aug 28, 2009 2:08 PM
I have been trying to implement WSS on an endpoint I deployed to FUSE ESB 4 as an OSGi bundle and seem to be running into various problems during the process.
First, I should state that the endpoint works well without WSS; it is only when I attempt to add WSS that I run into the problems I will describe next.
I will try to cover what I had modified in my project to support WSS...
- I added cxf-rt-ws-security 2.2.3 as a dependency to my project
- I added org.apache.ws.security.* to the dynamic import on my pom file
- I created a password callback and added it to my spring context
- I added WSS4JInInterceptor to my spring context as follows:
    <bean id="authenticationInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
        <constructor-arg>
            <map>
                <entry key="action" value="UsernameToken"></entry>
                <entry key="passwordType" value="PasswordText"></entry>
                <entry key="passwordCallbackRef" value-ref="myPasswordCallback"></entry>
            </map>
        </constructor-arg>
    </bean>
- I added the interceptor above to my list of inInterceptors as follows:
    <jaxws:inInterceptors>
        <ref bean="authenticationInterceptor"></ref>
        <ref bean="loggingServiceCallInterceptor"></ref>
    </jaxws:inInterceptors>
When I try to invoke the service using SoapUI, adding the security headers for the username token, I get two sets of errors. First, on the ServiceMix console I get the following class not found exceptions:
    smx@root:> java.lang.NoClassDefFoundError: org/opensaml/SAMLException
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:169)
        at org.apache.ws.security.WSSConfig.class$(WSSConfig.java:55)
        at org.apache.ws.security.WSSConfig.<clinit>(WSSConfig.java:98)
        at org.apache.ws.security.handler.WSHandler.doReceiverAction(WSHandler.java:248)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:185)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:83)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invokeDestination(OsgiServlet.java:291)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:184)
        at org.apache.servicemix.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.doPost(OsgiServlet.java:71)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:363)
        at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
        at org.ops4j.pax.web.service.internal.HttpServiceContext.handle(HttpServiceContext.java:108)
        at org.ops4j.pax.web.service.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:64)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:324)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:534)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:879)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:741)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:213)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:403)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
        at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)
    Caused by: java.lang.ClassNotFoundException: org.opensaml.SAMLException
        at org.apache.felix.framework.searchpolicy.ModuleImpl.findClassOrResourceByDelegation(ModuleImpl.java:558)
        at org.apache.felix.framework.searchpolicy.ModuleImpl.access$100(ModuleImpl.java:59)
        at org.apache.felix.framework.searchpolicy.ModuleImpl$ModuleClassLoader.loadClass(ModuleImpl.java:1427)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:254)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:402)
        ... 32 more
    java.lang.ClassNotFoundException: org.apache.ws.security.transform.STRTransform
        at org.apache.felix.framework.searchpolicy.ModuleImpl.findClassOrResourceByDelegation(ModuleImpl.java:558)
        at org.apache.felix.framework.searchpolicy.ModuleImpl.access$100(ModuleImpl.java:59)
        at org.apache.felix.framework.searchpolicy.ModuleImpl$ModuleClassLoader.loadClass(ModuleImpl.java:1427)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:254)
        at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:402)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:169)
        at org.apache.xml.security.transforms.Transform.register(Unknown Source)
        at org.apache.ws.security.WSSConfig.staticInit(WSSConfig.java:246)
        at org.apache.ws.security.WSSConfig.<init>(WSSConfig.java:256)
        at org.apache.ws.security.WSSConfig.getNewInstance(WSSConfig.java:265)
        at org.apache.ws.security.handler.WSHandler.doReceiverAction(WSHandler.java:248)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:185)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:83)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invokeDestination(OsgiServlet.java:291)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:184)
        at org.apache.servicemix.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.doPost(OsgiServlet.java:71)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:363)
        at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
        at org.ops4j.pax.web.service.internal.HttpServiceContext.handle(HttpServiceContext.java:108)
        at org.ops4j.pax.web.service.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:64)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:324)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:534)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:879)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:741)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:213)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:403)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
        at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)
and in my logs I get an exception stating that the security processing failed because of an actions mismatch:
    11:35:43,240 | WARN | 346559206@qtp0-0 | WSS4JInInterceptor | .cxf.phase.PhaseInterceptorChain 236 | Security processing failed (actions mismatch)
    11:35:43,241 | WARN | 346559206@qtp0-0 | WSS4JInInterceptor | .cxf.phase.PhaseInterceptorChain 236 | org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:271)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:83)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invokeDestination(OsgiServlet.java:291)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:184)
        at org.apache.servicemix.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
        at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.doPost(OsgiServlet.java:71)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:363)
        at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
        ...
I am guessing the last error is a consequence of the previous one, since I have sniffed my headers and know that I am only sending the username token action and nothing else, as per the definition of my service in the spring configuration file.
I have also tried to create a simple Java client to invoke the services, but I still get the same error (actions mismatch)... unfortunately I can't debug the WSS4JInInterceptor since it is repackaged and deployed inside FUSE ESB.
Any help on this will be very welcome.
Thank you
Edited by: rcracel on Aug 28, 2009 6:05 PM (removed note about exception during build since it was caused by dependency conflict between imported packages)
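
An added example, not rcracel's code: a password callback of the kind the `myPasswordCallback` bean reference in the post points to, written against the WSS4J 1.5.x `WSPasswordCallback` API (assumed here to be the WSS4J line in use). With `passwordType` set to `PasswordText`, WSS4J 1.5.x passes the received password to the callback and leaves the comparison to it, so a handler that only calls `setPassword` would accept any password. The class name `MyPasswordCallback` and the in-memory credentials are hypothetical.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/** Hypothetical handler for the bean the post calls "myPasswordCallback". */
public class MyPasswordCallback implements CallbackHandler {

    // Constructed sample credentials; a real service would query its user store.
    private final Map<String, String> users = new HashMap<String, String>();

    public MyPasswordCallback() {
        users.put("alice", "constructed-sample-password");
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unexpected callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // getIdentifer() is the accessor's actual (misspelled) name in WSS4J 1.5.x.
            String expected = users.get(pc.getIdentifer());
            if (expected == null) {
                throw new IOException("Authentication failed");
            }
            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                // PasswordText: the received password is in the callback and
                // WSS4J 1.5.x does no comparison itself, so reject mismatches here.
                String received = pc.getPassword();
                if (received == null || !MessageDigest.isEqual(
                        received.getBytes("UTF-8"), expected.getBytes("UTF-8"))) {
                    throw new IOException("Authentication failed");
                }
            } else if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                // PasswordDigest: supply the stored password; WSS4J checks the digest.
                pc.setPassword(expected);
            } else {
                throw new UnsupportedCallbackException(cb, "Unsupported usage");
            }
        }
    }
}
```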