11 Replies Latest reply on Mar 31, 2011 9:01 PM by Freeman(Yue) Fang

    Securing endpoints deployed in FUSE ESB with WSS

    Roger Cracel Newbie

      I have been trying to implement WSS on an endpoint I deployed to FUSE ESB 4 as an OSGi bundle and seem to be running into various problems during the process.

      First I should state the endpoint works well without WSS; it is only when I attempt to add WSS that I run into the problems I will describe next.

      I will try to cover what I had modified in my project to support WSS...

      - I added cxf-rt-ws-security 2.2.3 as a dependency to my project

      - I added org.apache.ws.security.* to the dynamic import on my pom file

      - I created a password callback and added to my spring context

      - I added WSS4JInInterceptor to my spring context as follows:

           <bean id="authenticationInterceptor" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                     <map>
                          <entry key="action" value="UsernameToken"></entry>
                          <entry key="passwordType" value="PasswordText"></entry>
                          <entry key="passwordCallbackRef" value-ref="myPasswordCallback"></entry>
                     </map>
                </constructor-arg>
           </bean>
      

       

      - I added the interceptor above to my list of inInterceptor as follows:

              <jaxws:inInterceptors>
                   <ref bean="authenticationInterceptor"></ref>
                   <ref bean="loggingServiceCallInterceptor"></ref>
              </jaxws:inInterceptors>
      

       

      When I try to invoke the service using SoapUI, adding the security headers for the username token, I get two sets of errors. First, on the Servicemix console I get the following class not found exceptions:

      smx@root:> java.lang.NoClassDefFoundError: org/opensaml/SAMLException
           at java.lang.Class.forName0(Native Method)
           at java.lang.Class.forName(Class.java:169)
           at org.apache.ws.security.WSSConfig.class$(WSSConfig.java:55)
           at org.apache.ws.security.WSSConfig.<clinit>(WSSConfig.java:98)
           at org.apache.ws.security.handler.WSHandler.doReceiverAction(WSHandler.java:248)
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:185)
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
           at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
           at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:83)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invokeDestination(OsgiServlet.java:291)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:184)
           at org.apache.servicemix.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.doPost(OsgiServlet.java:71)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
           at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
           at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:363)
           at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
           at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
           at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
           at org.ops4j.pax.web.service.internal.HttpServiceContext.handle(HttpServiceContext.java:108)
           at org.ops4j.pax.web.service.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:64)
           at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
           at org.mortbay.jetty.Server.handle(Server.java:324)
           at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:534)
           at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:879)
           at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:741)
           at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:213)
           at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:403)
           at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
           at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)
      Caused by: java.lang.ClassNotFoundException: org.opensaml.SAMLException
           at org.apache.felix.framework.searchpolicy.ModuleImpl.findClassOrResourceByDelegation(ModuleImpl.java:558)
           at org.apache.felix.framework.searchpolicy.ModuleImpl.access$100(ModuleImpl.java:59)
           at org.apache.felix.framework.searchpolicy.ModuleImpl$ModuleClassLoader.loadClass(ModuleImpl.java:1427)
           at java.lang.ClassLoader.loadClass(ClassLoader.java:254)
           at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:402)
           ... 32 more
      java.lang.ClassNotFoundException: org.apache.ws.security.transform.STRTransform
           at org.apache.felix.framework.searchpolicy.ModuleImpl.findClassOrResourceByDelegation(ModuleImpl.java:558)
           at org.apache.felix.framework.searchpolicy.ModuleImpl.access$100(ModuleImpl.java:59)
           at org.apache.felix.framework.searchpolicy.ModuleImpl$ModuleClassLoader.loadClass(ModuleImpl.java:1427)
           at java.lang.ClassLoader.loadClass(ClassLoader.java:254)
           at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:402)
           at java.lang.Class.forName0(Native Method)
           at java.lang.Class.forName(Class.java:169)
           at org.apache.xml.security.transforms.Transform.register(Unknown Source)
           at org.apache.ws.security.WSSConfig.staticInit(WSSConfig.java:246)
           at org.apache.ws.security.WSSConfig.<init>(WSSConfig.java:256)
           at org.apache.ws.security.WSSConfig.getNewInstance(WSSConfig.java:265)
           at org.apache.ws.security.handler.WSHandler.doReceiverAction(WSHandler.java:248)
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:185)
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
           at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
           at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:83)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invokeDestination(OsgiServlet.java:291)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:184)
           at org.apache.servicemix.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.doPost(OsgiServlet.java:71)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
           at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
           at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:363)
           at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
           at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
           at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
           at org.ops4j.pax.web.service.internal.HttpServiceContext.handle(HttpServiceContext.java:108)
           at org.ops4j.pax.web.service.internal.JettyServerHandlerCollection.handle(JettyServerHandlerCollection.java:64)
           at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
           at org.mortbay.jetty.Server.handle(Server.java:324)
           at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:534)
           at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:879)
           at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:741)
           at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:213)
           at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:403)
           at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:409)
           at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:522)
      

       

      and in my logs I get an exception stating that the security processing failed because of an actions mismatch:

      11:35:43,240 | WARN  | 346559206@qtp0-0 | WSS4JInInterceptor               | .cxf.phase.PhaseInterceptorChain  236 | Security processing failed (actions mismatch)
      11:35:43,241 | WARN  | 346559206@qtp0-0 | WSS4JInInterceptor               | .cxf.phase.PhaseInterceptorChain  236 | 
      org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:271)
           at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:77)
           at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
           at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:89)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiDestination.doMessage(OsgiDestination.java:83)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invokeDestination(OsgiServlet.java:291)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.invoke(OsgiServlet.java:184)
           at org.apache.servicemix.cxf.transport.http_osgi.SpringOsgiServlet.invoke(SpringOsgiServlet.java:48)
           at org.apache.servicemix.cxf.transport.http_osgi.OsgiServlet.doPost(OsgiServlet.java:71)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:713)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
           at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:502)
           at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:363)
           at org.ops4j.pax.web.service.internal.HttpServiceServletHandler.handle(HttpServiceServletHandler.java:64)
      ...
      

       

      I am guessing the last error is a consequence of the previous one, since I have sniffed my headers and know that I am only sending the username token action and nothing else, as per the definition of my service in the spring configuration file.

      I have also tried to create a simple Java client to invoke the services, but I still get the same error (actions mismatch)... unfortunately I can't debug the WSS4JInInterceptor since it is repackaged and deployed inside FUSE ESB.

      Any help on this will be very welcome.

      Thank you

      Edited by: rcracel on Aug 28, 2009 6:05 PM (removed note about exception during build since it was caused by dependency conflict between imported packages)