7 Replies Latest reply on Jun 17, 2013 1:27 PM by Pradeep Balachandran

    JBoss AS7.1.1-Final & WS-Security

    Pradeep Balachandran Newbie

      I have been trying to get JBoss AS7 & WS-Security to work, but have had no luck.  I followed the link https://docs.jboss.org/author/display/JBWS/WS-Security as a guide to try and get encryption & signing working (on a different example), but I run into one error after another.  The latest one being "the signature or decryption was invalid".


      Server Side (CentOS):


      * Keystore and properties file inside src/main/resources directory and jaxws-endpoint-config.xml (uses the same settings as in the JBoss article above) under WEB-INF

      * Keystore contains public + private key for server, along with public key for client

      * Service Implementation from a contract first WS (attached)

      * WSDL with policies (attached)



      Client Side (Windows):


      * Keystore and properties file inside src/main/resources directory

      * Keystore contains public + private key for client, along with public key for server

      * WSDL file used to generate client stub (attached)





      * Both keystores were generated on the Linux side - not sure if there can be an incompatibility (since the server and client are on different OS).

      * See keystore listings (attached)




      * Turned on logging inside JBoss and the client's encrypted and signed request makes it across to the server

      * Server however does not know how to decrypt and verify signature, resulting in - org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid

      * Please see incoming request (on the server side).


      Any help is greatly appreciated.


      Thank you.


      ..pradeep balachandran

        • 1. Re: JBoss AS7.1.1-Final & WS-Security
          Alessio Soldano Master

          Caused by: java.lang.ClassCastException: org.apache.ws.security.WSPasswordCallback cannot be cast to org.apache.ws.security.WSPasswordCallback
               at com.corelogic.ws.service.KeystorePasswordCallback.handle(KeystorePasswordCallback.java:24) [classes:]
               at org.apache.ws.security.components.crypto.Merlin.getPassword(Merlin.java:1377) [wss4j-1.6.10.jar:1.6.10]
               at org.apache.ws.security.components.crypto.Merlin.getPrivateKey(Merlin.java:653) [wss4j-1.6.10.jar:1.6.10]
               at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:106) [wss4j-1.6.10.jar:1.6.10]
               ... 30 more


          My gut feeling is that you have some classloading issues, given the exception above. Perhaps you have the wss4j jar (or other libraries) in your deployment?

          • 3. Re: JBoss AS7.1.1-Final & WS-Security
            Pradeep Balachandran Newbie

            I reduced the pom.xml to contain the essential dependencies - please see attached.  I still get the class cast exception.  Not sure where wss4j.jar is getting included (must be transitive).


            Do I need to put in an exclusion for it and if so within which dependency.


            Thank you.

            • 4. Re: JBoss AS7.1.1-Final & WS-Security
              Alessio Soldano Master

              Simply have a look at the notaryWS.war contents. I assume it will have multiple cxf jars (as well as the wss4j jar) in it. You need to remove them all.

              • 5. Re: JBoss AS7.1.1-Final & WS-Security
                Pradeep Balachandran Newbie

                Thank you so much for the pointers - I got a good deal further by making the JARs scope "provided".  I did not realize that the examples that I based my project on were for Tomcat (which required all these JARs to be packaged), but since JBoss is bundled with CXF, these were not required.  However I get another weird error now - it complains it can't find WSPasswordCallback which is in the wss4j.jar.  Not sure why JBoss would not be able to find this class.



                root cause

                java.lang.NoClassDefFoundError: org/apache/ws/security/WSPasswordCallback

                • 6. Re: JBoss AS7.1.1-Final & WS-Security
                  Alessio Soldano Master

                  You're most likely missing a module dependency to org.apache.ws.security module. Have a look at the doc at https://docs.jboss.org/author/display/JBWS/WS-Security

                  In a few words, you most likely need to have a "Dependencies: org.apache.ws.security" line in your app MANIFEST.MF

                  • 7. Re: JBoss AS7.1.1-Final & WS-Security
                    Pradeep Balachandran Newbie

                    That was it!  I added the manifest and I am able to get responses back.  Thank you so much for all the help.
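
The two fixes reached in this thread (no CXF or wss4j JARs packaged in the WAR, and a "Dependencies: org.apache.ws.security" line in MANIFEST.MF) can be checked on a built archive before deployment. The script below is an added example, not part of the original thread or of JBoss; the function names, the `cxf-`/`wss4j-` prefix match and the sample WAR contents are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed jar-name prefixes for the libraries the thread says JBoss already provides
BUNDLED_PREFIXES = ("cxf-", "wss4j-")
REQUIRED_MODULE = "org.apache.ws.security"

def manifest_dependencies(manifest_text):
    """Return module names listed in the 'Dependencies:' header of a MANIFEST.MF."""
    # Long manifest lines are folded: a continuation starts with a single space
    unfolded = re.sub(r"\r?\n ", "", manifest_text)
    for line in unfolded.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "dependencies":
            # Entries are comma separated; each may carry flags such as 'export'
            return [e.split()[0] for e in value.split(",") if e.strip()]
    return []

def check_war(war_bytes):
    """Return (bundled_jars, has_module_dependency) for a WAR given as bytes."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        names = war.namelist()
        bundled = sorted(
            n for n in names
            if n.startswith("WEB-INF/lib/")
            and n.rsplit("/", 1)[-1].startswith(BUNDLED_PREFIXES)
        )
        deps = []
        if "META-INF/MANIFEST.MF" in names:
            deps = manifest_dependencies(war.read("META-INF/MANIFEST.MF").decode("utf-8"))
    return bundled, REQUIRED_MODULE in deps

def build_sample_war(jars, manifest):
    """Build a constructed in-memory WAR so the check can be run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("META-INF/MANIFEST.MF", manifest)
        for jar in jars:
            war.writestr("WEB-INF/lib/" + jar, b"")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed samples: the packaging that failed in the thread, then the working one
    broken = build_sample_war(["wss4j-1.6.10.jar", "cxf-rt-ws-security-X.Y.jar"],
                              "Manifest-Version: 1.0\n")
    fixed = build_sample_war([], "Manifest-Version: 1.0\nDependencies: org.apache.ws.security\n")
    print("broken:", check_war(broken))
    print("fixed: ", check_war(fixed))
```

For a real archive, pass the file's bytes, for example `check_war(open("notaryWS.war", "rb").read())`; a non-empty jar list or a `False` flag corresponds to the ClassCastException and NoClassDefFoundError cases above.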