1 Reply Latest reply on Jul 3, 2008 9:02 AM by Alessio Soldano

    Problem WS-Security Standard implementation difference --> i

    lall lall Newbie

      Hi all,

      I built a JBoss 4.2.2 JBossWS Native 2.0.4/3.0.1 WS Client with the following jboss-wsse-client.xml security configuration:

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
       <config>
       <timestamp ttl="30"/>
       <sign type="x509v3" alias="SimpleClientCertPrivateKey" includeTimestamp="true"/>
       <encrypt type="x509v3" alias="SimpleClientCert"/>
       <requires>
       <signature/>
       <encryption/>
       </requires>
       </config>
       <timestamp-verification createdTolerance="500" warnCreated="true" expiresTolerance="100" warnExpires="true"/>
      </jboss-ws-security>
      


      All certificates and KeyStores have been installed properly on both sides.
      The resulting SOAP message trace looks as follows:

      (Listing 1)

      <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
       <env:Header>
       <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
       <wsu:Timestamp wsu:Id="timestamp">
       <wsu:Created>2008-06-13T12:45:10.976Z</wsu:Created>
       <wsu:Expires>2008-06-13T12:45:40.976Z</wsu:Expires>
       </wsu:Timestamp>
       <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-2-1213361111663-11328770">
      
       <!-- ... lot of base64 encoding ... -->
      
       </wsse:BinarySecurityToken>
       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
      
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <wsse:SecurityTokenReference wsu:Id="reference-5-1213361112194-30222347">
       <wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
       </wsse:SecurityTokenReference>
       </ds:KeyInfo>
      
       <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">lg6tOjzqKs26HX6KFk1nLA5YF5W5fQZ6dh2mzM9/V3r5Pg80vLz4x0EJ10Y1KdhXH08ijZxRZWjf
      v1dqulorSnIyV7X0uk25y/OMDmkVYQ/VlQF7bxZr/5Q+UB6YwLy74N1jpx7lo4BZXUM9kEZmgFAo
      o8SW8P3AcSgBAUoOpOc=</xenc:CipherValue>
       </xenc:CipherData>
       <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <xenc:DataReference URI="#encrypted-4-1213361112116-6044039" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
       </xenc:ReferenceList>
       </xenc:EncryptedKey>
       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       <ds:Reference URI="#element-1-1213361110976-31952022" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       </ds:Transforms>
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">l2LG3Bc2Rk+LgAjU2OP2vrVwYBM=</ds:DigestValue>
       </ds:Reference>
       <ds:Reference URI="#timestamp" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       </ds:Transforms>
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
       <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">GNamS8F3tDSDlfUzNxIzfYZpXdc=</ds:DigestValue>
       </ds:Reference>
       </ds:SignedInfo>
       <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <!-- ... lot of base64 encoding ... -->
       </ds:SignatureValue>
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <wsse:SecurityTokenReference wsu:Id="reference-3-1213361111663-15774883">
       <wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
       </wsse:SecurityTokenReference>
       </ds:KeyInfo>
       </ds:Signature>
       </wsse:Security>
       </env:Header>
       <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-1-1213361110976-31952022">
       <xenc:EncryptedData Id="encrypted-4-1213361112116-6044039" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
       <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
       <!-- ... lot of base64 encoding ... -->
       </xenc:CipherValue>
       </xenc:CipherData>
       </xenc:EncryptedData>
       </env:Body>
      </env:Envelope>
      
      

      Due to researching, I know that the WebService system expects a reqeuest that looks as follows

      (Listing 2)

      <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
       <SOAP:Header>
       <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP:mustUnderstand="1">
       <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sap-9" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
      
       <!-- ... lot of base64 encoding ... -->
      
       </wsse:BinarySecurityToken>
       <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsu-targetID-1f10b320-0181-11dd-aebd-00144f2515b0">
       <wsu:Created ValueType="xsd:dateTime">2008-04-03T13:23:17Z</wsu:Created>
       <wsu:Expires ValueType="xsd:dateTime">2008-04-03T13:25:17Z</wsu:Expires>
       </wsu:Timestamp>
       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK52789332">
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
      
       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <wsse:SecurityTokenReference>
       <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">yk+Civrkf+wQdj30aJid9VGnjtY=</wsse:KeyIdentifier>
       </wsse:SecurityTokenReference>
       </ds:KeyInfo>
      
       <xenc:CipherData>
       <xenc:CipherValue>
      
       <!-- ... lot of base64 encoding ... -->
      
       </xenc:CipherValue>
       </xenc:CipherData>
       <xenc:ReferenceList>
       <xenc:DataReference URI="#ED13608949"/>
       </xenc:ReferenceList>
       </xenc:EncryptedKey>
       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:SignedInfo>
       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
       <ds:Reference URI="#wsuid-body-1f108c10-0181-11dd-838e-00144f2515b0">
       <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
       </ds:Transforms>
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
       <ds:DigestValue>UaW58GCrg/nrA/EfW+OyHP2DCio=</ds:DigestValue>
       </ds:Reference>
       <ds:Reference URI="#wsu-targetID-1f10b320-0181-11dd-aebd-00144f2515b0">
       <ds:Transforms>
       <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
       </ds:Transforms>
       <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
       <ds:DigestValue>LFuszgJ412Fe8PRtK3W69RTXndY=</ds:DigestValue>
       </ds:Reference>
       </ds:SignedInfo>
       <ds:SignatureValue>
      
       <!-- ... lot of base64 encoding ... -->
      
       </ds:SignatureValue>
       <ds:KeyInfo>
       <wsse:SecurityTokenReference>
       <wsse:Reference URI="#sap-9"/>
       </wsse:SecurityTokenReference>
       </ds:KeyInfo>
       </ds:Signature>
       </wsse:Security>
       </SOAP:Header>
       <SOAP:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsuid-body-1f108c10-0181-11dd-838e-00144f2515b0">
       <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="ED13608949">
       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
       <xenc:CipherData>
       <xenc:CipherValue>
      
       <!-- ... lot of base64 encoding ... -->
      
       </xenc:CipherValue>
       </xenc:CipherData>
       </xenc:EncryptedData>
       </SOAP:Body>
      </SOAP:Envelope>
      



      There is a significant difference of the Envelope/Header/Security/EncryptedKey/KeyInfo element (printed in bold). This difference causes
      an error message:

      "No SecurityTokenReference was found in the <xenc:EncryptedKey>/// element.",

      showing the reason for the failure of the WS Client request processing by the system implementing the WebService.

      JBoss Native's
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <wsse:SecurityTokenReference wsu:Id="reference-5-1213361112194-30222347">
       <wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
       </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      


      vs.

      system implementing the WebService

      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <wsse:SecurityTokenReference>
       <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">yk+Civrkf+wQdj30aJid9VGnjtY=
       </wsse:KeyIdentifier>
       </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      



      It looks to me that there is a difference in the implementation of WS-Security between JBossWS Native and the one of the
      system on which the WebService runs.
      I am wondering if JBossWS Metro 3.0.2 behaves like JBossWS Native, differently or even the same like in the second listing.
      Does anyone know that? I am about to build a test case to find out, but it would time saving to know that beforehands ;-)

      Obviously, when looking at http://support.microsoft.com/?scid=kb%3Ben-us%3B922779&x=8&y=13, the MS Web Services Enhancements 3.0 for Microsoft .NET implement the WS-Security like in Listing 2 with a <ds:KeyInfo>/<wsse:SecurityTokenReference>/<wsse:KeyIdentifier>

      instead of
      <ds:KeyInfo>/<wsse:SecurityTokenReference>/<wsse:Reference>

      Why does JBoss Native implement WS-Security in this way?

      Greets Andy