6 Replies Latest reply on Jan 27, 2013 7:56 PM by ffang

oasis-200

milanmilas Jan 22, 2013 12:35 PM

I am trying to secure my CXF endpoint in the simplest possible way

<camelcxf:cxfEndpoint id="serviceEndpoint"

address="https://localhost:443/cxf/pocesb/webservices/helloService"

wsdlURL="META-INF/wsdl/say_hi.wsdl"

serviceClass="com.pocesb.SayHiEndpoint">

</camelcxf:cxfEndpoint>

<httpj:engine-factory bus="cxf">

<httpj:engine port="443">

<httpj:tlsServerParameters>

<sec:keyManagers keyPassword="passwo">

<sec:keyStore type="PKCS12" password="passwo"

file="C:\Fuse\Programs\FuseESB\etc\keysto.pfx"/>

</sec:keyManagers>

<sec:trustManagers>

<sec:keyStore type="PKCS12" password="passwo"

file="C:\Fuse\Programs\FuseESB\etc\keysto.pfx"/>

</sec:trustManagers>

<sec:cipherSuitesFilter>

<sec:include>.WITH3DES_.</sec:include>

<sec:include>.WITHDES_.</sec:include>

<sec:exclude>.WITHNULL_.</sec:exclude>

<sec:exclude>.DHanon_.</sec:exclude>

</sec:cipherSuitesFilter>

<sec:clientAuthentication want="true" required="false"/>

</httpj:tlsServerParameters>

</httpj:engine>

</httpj:engine-factory>

I am calling this service from WCF C# application, it used to work with http.

And I am getting this exception:

org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security are

not understood.

at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)[167:org.apache.cxf.bundle:2.5.0.fuse-70-097]

org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)[167:org.apache.cxf.bundle:2.5.0.fuse-70-097]

org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)[167:org.apache.cxf.bundle:2.5.0.fuse-70-097]

org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)[167:org.apache.cxf.bundle:2.5.0.fuse-70-097]

Is there example of securing CXF in Fuse blueprint or am I missing something in this code?

I have tried to use <import resource=cxf-extension-http-jetty.xml

but import statement is not receognised, not sure if this is possible only in sprint not

blueprint?

1. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200

ffang Jan 22, 2013 9:03 PM (in response to milanmilas)

Hi,

Your incoming soap message has ws-security soap headers, so your camel-cxf endpoint need add WSS4JInInterceptor to handle those ws-security related headers.

Btw, the import stuff only works for Spring, for Blueprint, all xml files in OSGI-INF/blueprint folder could be loaded automatically.

Freeman
Actions
2. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200

milanmilas Jan 23, 2013 9:10 AM (in response to ffang)
I am not really sure what do I need to add.
From WCF I want to use MutualCertificate, but even if I change it to the
UserNameOverTransport I am getting same error message.
This is my code, I know its not correct as myPasswordCallback does not exist, but I would
at least expect different error message.

I just want to use certificates from both side, client server, no usernames, passwords.

I have changed org.ops4j.pax.web.cfg:

org.osgi.service.http.secure.enabled=true
org.osgi.service.http.enabled=false
org.ops4j.pax.web.ssl.keystore=etc/keystore.jks
org.ops4j.pax.web.ssl.password=password
org.ops4j.pax.web.ssl.keypassword=password
org.osgi.service.http.port.secure=8443
log4j.category.org.apache.cxf=DEBUG
#org.ops4j.pax.web.config.file=etc/jetty.xml

-

This is sample of message when MutualCertificate is used

HTTPS.jpg 147.3 KB
Actions
3. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200

milanmilas Jan 23, 2013 1:03 PM (in response to milanmilas)

Hi,

I did make some progress thanks to the:
http://grepcode.com/file/repo1.maven.org/maven2/org.apache.cxf/cxf-systests/2.2.3/org/apache/cxf/systest/ws/security/server.xml?av=f

                                         <entry key="signatureParts" value="Timestamp;Body"/>
                                         
                                         <entry key="encryptionParts" value="Signature;Body"/>

-

Now I am getting this error message (not sure why as I do have ):
-
Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption)
        at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:67)[153:org.apache.ws.security.wss4j:1.6.6]
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)[153:org.apache.ws.security.wss4j:1.6.6]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:288)[167:org.apache.cxf.bundle:2.5.0.fuse-70-097]
-
key.properties file:
org.apache.ws.security.crypto.merlin.file=C:/Fuse/Programs/FuseESB/etc/keystore.jks
org.apache.ws.security.crypto.merlin.keystore.alia=esb
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin

Edited by: milanmilas on Jan 23, 2013 6:03 PM
Actions
4. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200

ffang Jan 23, 2013 8:18 PM (in response to milanmilas)

Hi,

Good question.

Because in OSGi container you shouldn't pass resource files between bundles, so your shouldn't use

We actually have a example[1] to demonstrate how to specify signaturePropRefId in OSGi container, more specifically, the configuration[2] of that example

https://svn.apache.org/repos/asf/servicemix/smx4/features/trunk/examples/cxf/cxf-ws-security-signature/
https://svn.apache.org/repos/asf/servicemix/smx4/features/trunk/examples/cxf/cxf-ws-security-signature/src/main/resources/META-INF/spring/beans.xml

Freeman
Actions
5. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200

milanmilas Jan 25, 2013 12:54 PM (in response to ffang)

I finally got it, the only way to do this is to download cxf-bundle-2.5.0.fuse-70-097-sources
as well as wss4j-1.6.6-sources in my case.

This is the final code:

                                      <entry key="signatureParts" value="Timestamp;Body"/>


key.properties file
org.apache.ws.security.crypto.merlin.file=C:/Fuse/Programs/FuseESB/etc/keystore.jks
org.apache.ws.security.crypto.merlin.keystore.alias=selfsigned
org.apache.ws.security.crypto.merlin.keystore.password=password
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin

-
ServerPasswordCallback.java
public class   ServerPasswordCallback implements CallbackHandler {
    public void   handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
        if (pc.getIdentifier().equals("selfsigned")) {
            pc.setPassword("password");
        }
    }
}
-
WCF client side:


I had to add
ProtectionLevel = ProtectionLevel.Sign
in Reference.cs generated by Visual Studio when adding reference to service

System.ServiceModel.ServiceContractAttribute(Namespace="http://pocesb.com", ConfigurationName="EsbProxyPerson.SayHiEndpoint", ProtectionLevel = ProtectionLevel.Sign )
    public interface SayHiEndpoint {

In the c# client code:
client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =
System.ServiceModel.Security.X509CertificateValidationMode.None;

Thanks freeman :):):)

Edited by: milanmilas on Jan 25, 2013 5:53 PM
Actions
6. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200

ffang Jan 27, 2013 7:56 PM (in response to milanmilas)

Thanks for sharing your solution here!
Actions

Go to original post