11 Replies Latest reply on Mar 31, 2011 9:01 PM by ffang

    Securing endpoints deployed in FUSE ESB with WSS

    rcracel

      I have been trying to implement WSS on an endpoint I deployed to FUSE ESB 4 as an OSGi bundle and seem to be running into various problems during the process.

       

      First I should state the endpoint works well without WSS, just when I attempt to add WSS I run into the problems I will describe next;

       

      I will try to cover what I had modified in my project to support WSS...

       

      - I added cxf-rt-ws-security 2.2.3 as a dependency to my project

      - I added org.apache.ws.security.* to the dynamic import on my pom file

      - I created a password callback and added to my spring context

      - I added WSS4JInInterceptor to my spring context as follows:

           <bean id="authenticationInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                     <map>
                          <entry key="action" value="UsernameToken"></entry>
                          <entry key="passwordType" value="PasswordText"></entry>
                          <entry key="passwordCallbackRef" value-ref="myPasswordCallback"></entry>
                     </map>
                </constructor-arg>
           </bean>
      

       

      - I added the interceptor above to my list of inInterceptor as follows:

              <jaxws:inInterceptors>
                   <ref bean="authenticationInterceptor"></ref>
                   <ref bean="loggingServiceCallInterceptor"></ref>
              </jaxws:inInterceptors>
      

       

      When I try to invoke the service using SoapUI, adding the security headers for the username token, I get two set of errors. First, on the Servicemix console I get the following class not found exceptions:

       

      smx@root:> java.lang.NoClassDefFoundError: org/opensaml/SAMLException
           at java.lang.Class.forName0(Native Method)
           at java.lang.Class.forName(Class.java:169)
           at org.apache.ws.security.WSSConfig.class$(WSSConfig.java:55)
           at org.apache.ws.security.WSSConfig.<clinit>(WSSConfig.java:98)
           at org.apache.ws.security.handler.WSHandler.doReceiverAction(WSHandler.java:248)
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:185)
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
           at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
           at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:83)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invokeDestination(OsgiServlet.java:291)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:184)
           at org.apache.servicemix.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.doPost(OsgiServlet.java:71)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
           at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
           at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:363)
           at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
           at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
           at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
           at org.ops4j.pax.web.service.internal.HttpServiceContext.handle(HttpServiceContext.java:108)
           at org.ops4j.pax.web.service.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:64)
           at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
           at org.mortbay.jetty.Server.handle(Server.java:324)
           at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:534)
           at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:879)
           at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:741)
           at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:213)
           at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:403)
           at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
           at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)
      Caused by: java.lang.ClassNotFoundException: org.opensaml.SAMLException
           at org.apache.felix.framework.searchpolicy.ModuleImpl.findClassOrResourceByDelegation(ModuleImpl.java:558)
           at org.apache.felix.framework.searchpolicy.ModuleImpl.access$100(ModuleImpl.java:59)
           at org.apache.felix.framework.searchpolicy.ModuleImpl$ModuleClassLoader.loadClass(ModuleImpl.java:1427)
           at java.lang.ClassLoader.loadClass(ClassLoader.java:254)
           at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:402)
           ... 32 more
      java.lang.ClassNotFoundException: org.apache.ws.security.transform.STRTransform
           at org.apache.felix.framework.searchpolicy.ModuleImpl.findClassOrResourceByDelegation(ModuleImpl.java:558)
           at org.apache.felix.framework.searchpolicy.ModuleImpl.access$100(ModuleImpl.java:59)
           at org.apache.felix.framework.searchpolicy.ModuleImpl$ModuleClassLoader.loadClass(ModuleImpl.java:1427)
           at java.lang.ClassLoader.loadClass(ClassLoader.java:254)
           at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:402)
           at java.lang.Class.forName0(Native Method)
           at java.lang.Class.forName(Class.java:169)
           at org.apache.xml.security.transforms.Transform.register(Unknown Source)
           at org.apache.ws.security.WSSConfig.staticInit(WSSConfig.java:246)
           at org.apache.ws.security.WSSConfig.<init>(WSSConfig.java:256)
           at org.apache.ws.security.WSSConfig.getNewInstance(WSSConfig.java:265)
           at org.apache.ws.security.handler.WSHandler.doReceiverAction(WSHandler.java:248)
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:185)
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
           at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
           at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:83)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invokeDestination(OsgiServlet.java:291)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:184)
           at org.apache.servicemix.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.doPost(OsgiServlet.java:71)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
           at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
           at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:363)
           at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
           at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
           at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
           at org.ops4j.pax.web.service.internal.HttpServiceContext.handle(HttpServiceContext.java:108)
           at org.ops4j.pax.web.service.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:64)
           at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
           at org.mortbay.jetty.Server.handle(Server.java:324)
           at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:534)
           at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:879)
           at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:741)
           at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:213)
           at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:403)
           at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
           at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)
      

       

      and on my logs I get an exception stating that the security processing failed because actions mismatch:

       

      11:35:43,240 | WARN  | 346559206@qtp0-0 | WSS4JInInterceptor               | .cxf.phase.PhaseInterceptorChain  236 | Security processing failed (actions mismatch)
      11:35:43,241 | WARN  | 346559206@qtp0-0 | WSS4JInInterceptor               | .cxf.phase.PhaseInterceptorChain  236 | 
      org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:271)
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
           at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
           at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:83)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invokeDestination(OsgiServlet.java:291)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:184)
           at org.apache.servicemix.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.doPost(OsgiServlet.java:71)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
           at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
           at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:363)
           at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
      ...
      

       

      I am guessing the last error is a consequence of the previous one, since I have sniffed my headers and know that I am only sending the username token action and nothing else, as per the definition of my service in the spring configuration file.

       

      I have also tried to create a simple java client to invoke the services, but I still get the same error (actions mismatch)... unfortunately I can't debug the WSS4JInInterceptor since it is repackaged and deployed inside FUSE ESB.

       

      Any help on this will be very welcome.

       

      thank you

       

      Edited by: rcracel on Aug 28, 2009 6:05 PM (removed note about exception during build since it was caused by dependency conflict between imported packages)
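The post wires a password callback in as `myPasswordCallback` but does not show it. The following is an added example, not the poster's code, of what such a handler has to do for `passwordType` `PasswordText`. It assumes the WSS4J 1.5.x callback contract (usage `USERNAME_TOKEN_UNKNOWN` for plain-text passwords, and the `getIdentifer()` spelling of that release line); the class name `ServerPasswordCallback` and the injected user map are hypothetical.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;

/** Hypothetical handler for the "myPasswordCallback" bean (WSS4J 1.5.x API assumed). */
public class ServerPasswordCallback implements CallbackHandler {

    // user name -> password; assumed to be injected from the Spring context
    private final Map<String, String> passwords;

    public ServerPasswordCallback(Map<String, String> passwords) {
        this.passwords = passwords;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb);
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            String expected = passwords.get(pc.getIdentifer()); // sic: 1.5.x method name
            switch (pc.getUsage()) {
            case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                // PasswordText: the received password is handed to the handler,
                // which must reject bad credentials itself by throwing.
                if (expected == null || !sameBytes(expected, pc.getPassword())) {
                    throw new IOException("UsernameToken authentication failed");
                }
                break;
            case WSPasswordCallback.USERNAME_TOKEN:
                // PasswordDigest: supply the stored password; WSS4J recomputes
                // the digest and does the comparison.
                if (expected == null) {
                    throw new IOException("UsernameToken authentication failed");
                }
                pc.setPassword(expected);
                break;
            default:
                // Fail closed on any usage this endpoint was not configured for.
                throw new UnsupportedCallbackException(cb, "unexpected usage " + pc.getUsage());
            }
        }
    }

    // Constant-time comparison so the check does not leak how many characters matched.
    private static boolean sameBytes(String a, String b) throws IOException {
        if (b == null) {
            return false;
        }
        return MessageDigest.isEqual(a.getBytes("UTF-8"), b.getBytes("UTF-8"));
    }
}
```

A handler that returns normally for `USERNAME_TOKEN_UNKNOWN` without comparing anything accepts every plain-text password, so the throw on mismatch is the actual authentication decision.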

        • 1. Re: Securing endpoints deployed in FUSE ESB with WSS
          rcracel

          I have checked and STRTransform should be accessible through

           

          Apache ServiceMix Bundles: wss4j-1.5.4 (1.5.4.1)

           

          since it does export org.apache.ws.security.transform

           

          I can't find anyone exporting org.opensaml.SAMLException though.

          • 2. Re: Securing endpoints deployed in FUSE ESB with WSS
            mielket

            Could you attach a testcase that we can investigate here?

            Also, do you really need to add the authenticationInterceptor interceptor manually to your CXF endpoint configuration?

            • 3. Re: Securing endpoints deployed in FUSE ESB with WSS
              rcracel

              Thank you for your response,

               

              I will put together a small test case so that I can attach it here.

               

              Additionally, I am not sure I understand what you mean by manually adding the interceptor... is there a better way to accomplish this than through spring configuration? I would much rather have the interceptor configured in a more global way thus avoiding the extra dependencies.

               

              thank you,

               

              Roger

              • 4. Re: Securing endpoints deployed in FUSE ESB with WSS
                pchandler

                To resolve org.opensaml.SAMLException

                1. Start bundle:  OASIS Open Security Assertion Markup Language (OpenSAML) (1.1.0) - com.springsource.org.opensaml-1.1.0.jar

                2. Add <Import-Package> ...,org.opensaml,... </Import-Package>

                3. Rebuild and Deploy.

                For "org.apache.ws.security.transform" I am having the same issue.

                One thing I noticed is the Transform.register and Class.forName, not sure how STRTransform gets loaded at runtime? If you get this resolved, please let me know.

                 

                Peter.

                 

                     at java.lang.ClassLoader.loadClass(ClassLoader.java:254)
                     at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:402)
                     at java.lang.Class.forName0(Native Method)
                     at java.lang.Class.forName(Class.java:169)
                     at org.apache.xml.security.transforms.Transform.register(Unknown Source)

                 

                • 5. Re: Securing endpoints deployed in FUSE ESB with WSS
                  rcracel

                  Thanks for the tip, I installed the OASIS bundle from https://m2proxy.atlassian.com/repository/public/org/opensaml/com.springsource.org.opensaml/1.1.0/com.springsource.org.opensaml-1.1.0.jar, it however fails to start due to an unresolved dependency

                   

                  I installed the Commons Codec 1.3.0 as required by the OpenSAML bundle, and got further along. I too however still get the ClassNotFoundException on STRTransform.... what am I missing here?

                   

                  Edited by: rcracel on Sep 1, 2009 3:06 PM

                  • 6. Re: Securing endpoints deployed in FUSE ESB with WSS
                    pchandler

                    Sorry, looks like a known "Blocker" bug: http://fusesource.com/issues/browse/ESB-838

                     

                    For the record I am not using CXF and calling the org.apache.ws.security directly.

                     

                    Also,  org.apache.ws.security.transform is in my bundle import and the bundle starts.

                     

                    Also note, Works fine using: mvn camel:run

                     

                    Java Code:

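                    import org.apache.ws.security.WSSConfig;
                    import org.apache.ws.security.WSSecurityEngine;
                    // ...
                    // Get an instance of security engine
                    WSSecurityEngine securityEngine = WSSecurityEngine.getInstance();
                    try {
                        /*
                         * Verify WSS Headers. This method will automatically call our
                         * CallbackHandler to check the credentials found, like username and
                         * password.
                         */
                        // Creating the default WSSConfig is where the trace below starts
                        WSSConfig config = securityEngine.getWssConfig();
                        // ... (the rest of the snippet was not included in the post)
                    } catch (Exception e) {
                        // Error handling was not shown in the post; rethrow so a failure is not swallowed
                        throw new RuntimeException(e);
                    }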

                     

                    Exception:

                     

                    smx@root:osgi> java.lang.ClassNotFoundException: org.apache.ws.security.transform.STRTransform
                            at org.apache.felix.framework.searchpolicy.ModuleImpl.findClassOrResourceByDelegation(ModuleImpl.java:558)
                            at org.apache.felix.framework.searchpolicy.ModuleImpl.access$100(ModuleImpl.java:59)
                            at org.apache.felix.framework.searchpolicy.ModuleImpl$ModuleClassLoader.loadClass(ModuleImpl.java:1427)
                            at java.lang.ClassLoader.loadClass(ClassLoader.java:252)
                            at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:320)
                            at java.lang.Class.forName0(Native Method)
                            at java.lang.Class.forName(Class.java:169)
                            at org.apache.xml.security.transforms.Transform.register(Unknown Source)
                            at org.apache.ws.security.WSSConfig.staticInit(WSSConfig.java:246)
                            at org.apache.ws.security.WSSConfig.<init>(WSSConfig.java:256)
                            at org.apache.ws.security.WSSConfig.getNewInstance(WSSConfig.java:265)
                            at org.apache.ws.security.WSSConfig.getDefaultWSConfig(WSSConfig.java:275)
                            at org.apache.ws.security.WSSecurityEngine.getWssConfig(WSSecurityEngine.java:141)
                    

                     

                    Help, any workaround?

                    • 7. Re: Securing endpoints deployed in FUSE ESB with WSS
                      pchandler

                      Question?

                       

                      Does:

                       

                      Patch: https://issues.apache.org/activemq/browse/SMX4-352

                       

                      Fix: java.lang.ClassNotFoundException: org.apache.ws.security.transform.STRTransform

                       

                      Peter.

                      • 8. Re: Securing endpoints deployed in FUSE ESB with WSS
                        kenster213

                        We're experiencing the same problem with exactly the same stack trace coming from WSS4JInInterceptor line 271 as in the original message. 

                         

                        Was there any resolution to this?

                        • 9. Re: Securing endpoints deployed in FUSE ESB with WSS
                          hablutzel1

                          Hi, I'm experiencing the same problem

                           

                          java.lang.ClassNotFoundException: org.apache.ws.security.transform.STRTransform

                           

                          Did anyone find a solution for this?

                          • 10. Re: Securing endpoints deployed in FUSE ESB with WSS
                            guest

                            Has the java.lang.ClassNotFoundException: org.apache.ws.security.transform.STRTransform

                            issue been resolved yet? This is a serious show stopper.

                             

                            Edited by: guest on Mar 31, 2011 4:23 PM

                            • 11. Re: Securing endpoints deployed in FUSE ESB with WSS
                              ffang

                              Hi,

                              Yes, it has been resolved. If you still encounter this problem, which exact Fuse ESB version are you using? Do you already Import-Package org.apache.ws.security.transform for your customer bundle?

                               

                              Freeman
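One way to answer the Import-Package question for a built bundle is to read its manifest and check the two packages named in this thread against both `Import-Package` and `DynamicImport-Package`. This is an added example, not code from any poster or from Fuse ESB; the manifest text and the bundle name `example.secured.endpoint` are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.Manifest;

public class ImportPackageCheck {

    // Packages named in this thread as needed by the bundle that calls WSS4J.
    static final String[] REQUIRED = {
        "org.opensaml", "org.apache.ws.security.transform" };

    /** Extracts package names from an Import-Package style header value. */
    static Set<String> packages(String header) {
        Set<String> names = new LinkedHashSet<String>();
        if (header == null) return names;
        StringBuilder clause = new StringBuilder();
        boolean quoted = false;
        for (char c : (header + ",").toCharArray()) {
            if (c == '"') quoted = !quoted;
            if (c != ',' || quoted) { clause.append(c); continue; }
            // A clause is pkg[;pkg...][;attribute=value...]; commas inside a
            // quoted version range such as "[1.5,2)" do not end the clause.
            for (String part : clause.toString().split(";")) {
                String p = part.trim();
                if (p.contains("=")) break;       // attributes and directives follow
                if (!p.isEmpty()) names.add(p);
            }
            clause.setLength(0);
        }
        return names;
    }

    /** True if pkg is imported by name or matched by a dynamic-import wildcard. */
    static boolean covered(Set<String> imports, String pkg) {
        for (String i : imports) {
            if (i.equals(pkg) || i.equals("*")) return true;
            if (i.endsWith(".*") && pkg.startsWith(i.substring(0, i.length() - 1))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed manifest; java.util.jar.Manifest joins the continuation
        // line (the one starting with a space) back onto the header.
        String mf = "Manifest-Version: 1.0\n"
            + "Bundle-SymbolicName: example.secured.endpoint\n"
            + "Import-Package: javax.jws,org.apache.cxf.ws.security.wss4j;version=\"[2.\n"
            + " 2,3)\",org.apache.ws.security.transform\n"
            + "DynamicImport-Package: org.apache.ws.security.*\n";
        Attributes main = new Manifest(
            new ByteArrayInputStream(mf.getBytes("UTF-8"))).getMainAttributes();
        Set<String> imports = packages(main.getValue("Import-Package"));
        imports.addAll(packages(main.getValue("DynamicImport-Package")));
        for (String pkg : REQUIRED) {
            System.out.println(pkg + (covered(imports, pkg) ? ": imported" : ": NOT imported"));
        }
    }
}
```

With the constructed manifest, the `org.apache.ws.security.*` dynamic import covers `org.apache.ws.security.transform` but not `org.opensaml`, which is why the explicit `org.opensaml` import from reply 4 is a separate step.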