7 Replies Latest reply on Jun 17, 2013 1:27 PM by Pradeep Balachandran

    JBoss AS7.1.1-Final & WS-Security

    Pradeep Balachandran Newbie

      I have been trying to get JBoss AS7 & WS-Security work, but have had no luck.  I followed the link https://docs.jboss.org/author/display/JBWS/WS-Security as a guide to try and encryption & signing working (on a different example), but I run into one error after another.  The latest one being "the signature or decryption was invalid".

       

      Server Side (CentOS):

       

      * Keystore and properties file inside src/main/resources directory and jaxws-endpoint-config.xml (uses the same settings as in the JBoss article above) under WEB-INF

      * Keystore contains public + private key for server, along with public key for client

      * Service Implementation from a contract first WS (attached)

      * WSDL with policies (attached)

       

       

      Client Side (Windows):

       

      * Keystore and properties file inside src/main/resources directory

      * Keystore contains public + private key for client, along with public key for server

      * WSDL file used to generate client stub (attached)

       

       

      Keystores:

       

      * Both keystores were generated on the linux side - not sure if there can be an incompatibility (since the server and client are on different OS).

      * See keystore listings (attached)

       

      Output:

       

      * Turned on logging inside JBoss and the client's encrypted and signed request makes it across to the server

      * Server however does not know how to decrypt and verify signature, resulting in - org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid

      * Please see incoming request (on the server side).

       

      Any help is greatly appreciated.

       

      Thank you.

       

      ..pradeep balachandran

        • 1. Re: JBoss AS7.1.1-Final & WS-Security
          Alessio Soldano Master

          Caused by: java.lang.ClassCastException: org.apache.ws.security.WSPasswordCallback cannot be cast to org.apache.ws.security.WSPasswordCallback
               at com.corelogic.ws.service.KeystorePasswordCallback.handle(KeystorePasswordCallback.java:24) [classes:]
               at org.apache.ws.security.components.crypto.Merlin.getPassword(Merlin.java:1377) [wss4j-1.6.10.jar:1.6.10]
               at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:653) [wss4j-1.6.10.jar:1.6.10]
               at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:106) [wss4j-1.6.10.jar:1.6.10]
               ... 30 more

           

          My gut feeling is that you have some classloading issues, given the exception above. Perhaps you have the wss4j jar (or other libraries) in your deployment?

          • 3. Re: JBoss AS7.1.1-Final & WS-Security
            Pradeep Balachandran Newbie

            I reduced the pom.xml to contain the essential dependencies - please see attached.  I still get the class cast exception.  Not sure where wss4j.jar is getting included (must be transitive).

             

            Do I need to put in an exclusion for it and if so within which dependency.

             

            Thank you.

            • 4. Re: JBoss AS7.1.1-Final & WS-Security
              Alessio Soldano Master

              Simply have a look at the notaryWS.war contents. I assume it will have multiple cxf jars (as well as the wss4j jar) in it. You need to remove them all.

              • 5. Re: JBoss AS7.1.1-Final & WS-Security
                Pradeep Balachandran Newbie

                Thank you so much for the pointers - I got a good deal further by making the JARs scope "provided".  I did not realize that the examples that I based my project on were for Tomcat (which required all these JARs to be packaged), but since JBoss is bundled with CXF, these were not required.  However I get another weird error now - it complians it can't find WSPasswordCallback which is in the wss4j.jar.  Not sure why JBoss would not be able to find this class.

                 

                 

                </pre></p><p><b>root cause</b> <pre>java.lang.NoClassDefFoundError: org/apache/ws/security/WSPasswordCallback

                    com.corelogic.ws.service.KeystorePasswordCallback.handle(KeystorePasswordCallback.java:24)

                    org.apache.ws.security.components.crypto.Merlin.getPassword(Merlin.java:1377)

                    org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:653)

                    org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:106)

                    org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:397)

                    org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:249)

                    org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:85)

                    org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)

                    org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)

                    org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)

                    org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)

                    org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)

                    org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)

                    org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)

                    org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)

                    javax.servlet.http.HttpServlet.service(HttpServlet.java:754)

                    org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:135)

                    org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)

                    javax.servlet.http.HttpServlet.service(HttpServlet.java:847)

                • 6. Re: JBoss AS7.1.1-Final & WS-Security
                  Alessio Soldano Master

                  You're most likely missing a module dependency to org.apache.ws.security module. Have a look at the doc at https://docs.jboss.org/author/display/JBWS/WS-Security

                  In few words, you most likely need to have a "Dependencies: org.apache.ws.security" line in your app MANIFEST.MF

                  • 7. Re: JBoss AS7.1.1-Final & WS-Security
                    Pradeep Balachandran Newbie

                    That was it!  I added the manifest and I am able to get responses back.  Thank you so much for all the help.