6 Replies Latest reply: Oct 3, 2012 3:43 AM by Alessio Soldano

    Problem implementing ws-security service (and client) in AS7.1.1

    varkon Newbie

      Hello,

       

      I have been trying to migrate a secure web service deployed in JBoss AS 5.1 to AS7.1. Having realized that the process is quite different now, I decided to start small and follow the WS-Security for AS7.1 documentation. Unfortunately, I did not manage to get the service working as expected (sign & encrypt). I keep getting errors like this:

       

      WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding" was evaluated as "UNKNOWN".
      WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10" was evaluated as "UNKNOWN".
      WARNING: WSP0019: Suboptimal policy alternative selected on the client side with fitness "UNKNOWN".
      Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied: 
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
          at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
          at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:111)
          at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108)
          at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
          at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:129)
          at $Proxy22.sayHello(Unknown Source)
          at Test.main(Test.java:22)

       

      or this (with a slightly altered WSDL):

       

      WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding" was evaluated as "UNKNOWN".
      WARNING: WSP0075: Policy assertion "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Wss10" was evaluated as "UNKNOWN".
      WARNING: WSP0019: Suboptimal policy alternative selected on the client side with fitness "UNKNOWN".
      Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: These policy alternatives can not be satisfied: 
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
          at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
          at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:111)
          at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:108)
          at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:78)
          at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:129)
          at $Proxy22.sayHello(Unknown Source)
          at Test.main(Test.java:22)
      

       

       

      I have tried changing the ws-securitypolicy configuration in my WSDL - as described in the WS-SecurityPolicy standard - but to no avail.

      Are the sample web services described in the above WS-Security link located anywhere? I would very much like to download them, and try to deploy them as they are. Perhaps I might get a better idea of what I might be doing wrong.

       

      Regards,

       

      Dimitris

        • 1. Re: Problem implementing ws-security service (and client) in AS7.1.1
          Alessio Soldano Master

          You can download jbossws-cxf-4.0.2.GA from http://www.jboss.org/jbossws/downloads

          Then have a look at the testcases in /jbossws-cxf-bin-dist/tests/java/org/jboss/test/ws/jaxws/samples/wsse/policy/ folder.

          • 3. Re: Problem implementing ws-security service (and client) in AS7.1.1
            varkon Newbie

            I've found the relevant resources in the archive/path you mentioned, and attempted to incorporate the sample service in my deployment.

            I'm still getting the following error:

             

             

            12:40:05,397 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http--0.0.0.0-8080-3) Interceptor for {http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy}SecurityService#{http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy}sayHello has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied: 
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
                at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
                at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
                at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
                at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)
                at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)
                at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)
                at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
                at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)
                at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
                at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)
                at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) [jbossws-spi-2.0.3.GA.jar:2.0.3.GA]
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
                at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.1.1.Final.jar:7.1.1.Final]
                at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
                at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_04]
            Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied: 
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: Received Timestamp does not match the requirements
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token: The received token does not match the token inclusion requirement
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
            {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
                at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:162)
                at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:99)
                at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
                ... 26 more

             

             

            I should mention that I'm packaging the services as WAR inside an EAR. All relevant service resources (wsdls, keystores, etc.) are included like this: EAR -> WAR -> WEB-INF. Furthermore, I'm trying to test the "sign and encrypt" case.

            • 4. Re: Problem implementing ws-security service (and client) in AS7.1.1
              Juan Sepulveda Newbie

              I have the same problem: the Signing and Encrypting example won't work. I already installed JCE 6 over JDK 6.23 for JBoss and the BouncyCastle provider (editing java.security) and made the dynamic call for the provider in the client.

              • 5. Re: Problem implementing ws-security service (and client) in AS7.1.1
                Alessio Soldano Master

                The client-side exception shows that the JAXWS RI is being used, not the jbossws-cxf jaxws implementation. Are you properly enabling ws-security policy support in your client? The exception on the server side basically means that the received message does not satisfy the ws-security policy in the endpoint wsdl contract.
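
The check described in the last reply, as an added example that is not part of the original thread or of JBossWS: a small client-side diagnostic that reports which JAX-WS implementation the client JVM actually resolves, and whether Apache CXF's WS-Security classes are visible to it. The class name `JaxwsStackCheck` is hypothetical; the code assumes the JAX-WS API is available (bundled with JDK 6 to 8) and probes for `org.apache.cxf.ws.security.SecurityConstants`, a class shipped with CXF's WS-Security module.

```java
import javax.xml.ws.spi.Provider;

public class JaxwsStackCheck {

    // Package of the JAX-WS RI bundled with the JDK, as seen in the client
    // stack trace in the first post (com.sun.xml.internal.ws.client.sei.SEIStub).
    static final String JDK_RI_PREFIX = "com.sun.xml.internal.ws.";

    // Maps a class or stack-frame name to the web services stack it belongs to.
    static String classify(String className) {
        if (className.startsWith(JDK_RI_PREFIX)) return "JDK-bundled JAX-WS RI";
        if (className.startsWith("org.jboss.wsf.stack.cxf.")) return "JBossWS-CXF";
        if (className.startsWith("org.apache.cxf.")) return "Apache CXF";
        return "unknown (" + className + ")";
    }

    // True if the named class can be loaded from this client's classpath.
    static boolean present(String className) {
        try {
            Class.forName(className, false, JaxwsStackCheck.class.getClassLoader());
            return true;
        } catch (ClassNotFoundException e) {
            return false;
        } catch (LinkageError e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Frame copied from the client-side trace quoted in the thread.
        String frame = "com.sun.xml.internal.ws.client.sei.SEIStub";
        System.out.println("Frame from trace: " + classify(frame));

        // The provider the JAX-WS API resolves in this JVM right now.
        String provider = Provider.provider().getClass().getName();
        System.out.println("Active provider:  " + classify(provider) + " [" + provider + "]");

        // Without CXF's WS-Security module the client cannot apply the policy.
        boolean wsse = present("org.apache.cxf.ws.security.SecurityConstants");
        System.out.println("CXF WS-Security classes visible: " + wsse);

        if (provider.startsWith(JDK_RI_PREFIX) || !wsse) {
            // Matches the WSP0075 warnings: the assertions are evaluated as
            // UNKNOWN, so the request goes out unsigned and unencrypted.
            System.out.println("This client will not apply the WSDL's WS-SecurityPolicy.");
        }
    }
}
```

Run it with exactly the classpath used to launch the failing client (`Test.main` in the trace); the result is only meaningful for that classpath.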