6 Replies Latest reply on Jan 27, 2013 7:56 PM by Freeman(Yue) Fang

    Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200

    Milan Milas Newbie

      I am trying to secure my CXF endpoint in the simplest possible way

       

      <camelcxf:cxfEndpoint id="serviceEndpoint"

                           address="https://localhost:443/cxf/pocesb/webservices/helloService"

                           wsdlURL="META-INF/wsdl/say_hi.wsdl"

                           serviceClass="com.pocesb.SayHiEndpoint">

        </camelcxf:cxfEndpoint>

         

                 <httpj:engine-factory bus="cxf">

                      <httpj:engine port="443">

                        <httpj:tlsServerParameters>

                          <sec:keyManagers keyPassword="passwo">

                            <sec:keyStore type="PKCS12" password="passwo"

                                file="C:\Fuse\Programs\FuseESB\etc\keysto.pfx"/>

                          </sec:keyManagers>

                          <sec:trustManagers>

                            <sec:keyStore type="PKCS12" password="passwo"

                               file="C:\Fuse\Programs\FuseESB\etc\keysto.pfx"/>

                          </sec:trustManagers>

                          <sec:cipherSuitesFilter>

                            <sec:include>.WITH3DES_.</sec:include>

                            <sec:include>.WITHDES_.</sec:include>

                            <sec:exclude>.WITHNULL_.</sec:exclude>

                            <sec:exclude>.DHanon_.</sec:exclude>

                          </sec:cipherSuitesFilter>

                          <sec:clientAuthentication want="true" required="false"/>

                        </httpj:tlsServerParameters>

                      </httpj:engine>

                    </httpj:engine-factory>

       

      I am calling this service from WCF C# application, it used to work with http.

      And I am getting this exception:

       

      org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security are

      not understood.

      at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)[167:org.apache.cxf.bundle:2.5.0.fuse-70-097]

      at

      org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)[167:org.apache.cxf.bundle:2.5.0.fuse-70-097]

      at

      org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)[167:org.apache.cxf.bundle:2.5.0.fuse-70-097]

      at

      org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)[167:org.apache.cxf.bundle:2.5.0.fuse-70-097]

       

      Is there example  of securing CXF in Fuse blueprint or am I missing something in this code?

      I have tried to use <import resource=cxf-extension-http-jetty.xml

      but import statement is not receognised, not sure if this is possible only in sprint not

      blueprint?

        • 1. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200
          Freeman(Yue) Fang Master

          Hi,

           

          Your incoming soap message has ws-security soap headers, so your camel-cxf endpoint need add WSS4JInInterceptor to handle those ws-security related headers.

           

          Btw, the import  stuff only works for Spring, for Blueprint, all xml files in OSGI-INF/blueprint folder could be loaded automatically.

           

          Freeman

          • 2. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200
            Milan Milas Newbie

            I am not really sure what do I need to add.

            From WCF I want to use MutualCertificate, but even if I change it to the

            UserNameOverTransport I am getting same error message.

            This is my code, I know its not correct as myPasswordCallback does not exist, but I would

            at least expect different error message.

             

            I just want to use certificates from both side, client server, no usernames, passwords.

             

            I have changed org.ops4j.pax.web.cfg:

             

            org.osgi.service.http.secure.enabled=true

            org.osgi.service.http.enabled=false

            org.ops4j.pax.web.ssl.keystore=etc/keystore.jks

            org.ops4j.pax.web.ssl.password=password

            org.ops4j.pax.web.ssl.keypassword=password

            org.osgi.service.http.port.secure=8443

            log4j.category.org.apache.cxf=DEBUG

            #org.ops4j.pax.web.config.file=etc/jetty.xml

             

            -


             

             

             

            This is sample of message when MutualCertificate is used

            • 3. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200
              Milan Milas Newbie

              Hi,

               

              I did make some progress thanks to the:

              http://grepcode.com/file/repo1.maven.org/maven2/org.apache.cxf/cxf-systests/2.2.3/org/apache/cxf/systest/ws/security/server.xml?av=f

               

               

               

                                                       <entry key="signatureParts" value="Timestamp;Body"/>

                                                       <!--   

                                                            Recommendation: signatures should be encrypted   

                                                       -->

                                                       <entry key="encryptionParts" value="Signature;Body"/>

                                                        

              -


               

              Now I am getting this error message (not sure why as I do have  ):

              -


              Caused by: org.apache.ws.security.WSSecurityException: General security error (WSSecurityEngine: No crypto property file supplied for decryption)

                      at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:67)[153:org.apache.ws.security.wss4j:1.6.6]

                      at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)[153:org.apache.ws.security.wss4j:1.6.6]

                      at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:288)[167:org.apache.cxf.bundle:2.5.0.fuse-70-097]

              -


              key.properties file:

              org.apache.ws.security.crypto.merlin.file=C:/Fuse/Programs/FuseESB/etc/keystore.jks

              org.apache.ws.security.crypto.merlin.keystore.alia=esb

              org.apache.ws.security.crypto.merlin.keystore.password=password

              org.apache.ws.security.crypto.merlin.keystore.type=jks

              org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin

               

              Edited by: milanmilas on Jan 23, 2013 6:03 PM

              • 4. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200
                Freeman(Yue) Fang Master

                Hi,

                 

                Good question.

                 

                Because in OSGi container you shouldn't pass resource files between bundles, so your shouldn't use

                 

                 

                We actually have a example[1] to demonstrate how to specify signaturePropRefId in OSGi container, more specifically, the configuration[2] of that example

                 

                https://svn.apache.org/repos/asf/servicemix/smx4/features/trunk/examples/cxf/cxf-ws-security-signature/

                https://svn.apache.org/repos/asf/servicemix/smx4/features/trunk/examples/cxf/cxf-ws-security-signature/src/main/resources/META-INF/spring/beans.xml

                 

                Freeman

                • 5. Re: Camel CXF-Http to Https => http://docs.oasis-open.org/wss/2004/01/oasis-200
                  Milan Milas Newbie

                  I finally got it, the only way to do this is to download cxf-bundle-2.5.0.fuse-70-097-sources

                  as well as wss4j-1.6.6-sources in my case.

                   

                  This is the final code:

                                          

                                                        <entry key="signatureParts" value="Timestamp;Body"/>

                                                        

                   

                  key.properties file

                  org.apache.ws.security.crypto.merlin.file=C:/Fuse/Programs/FuseESB/etc/keystore.jks

                  org.apache.ws.security.crypto.merlin.keystore.alias=selfsigned

                  org.apache.ws.security.crypto.merlin.keystore.password=password

                  org.apache.ws.security.crypto.merlin.keystore.type=jks

                  org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin

                   

                  -


                  ServerPasswordCallback.java

                  public class   ServerPasswordCallback implements CallbackHandler {

                      public void   handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {

                          WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];

                          if (pc.getIdentifier().equals("selfsigned")) {

                              pc.setPassword("password");

                          }

                      }

                  }

                  -


                  WCF client side:

                           

                   

                  I had to add

                  ProtectionLevel = ProtectionLevel.Sign

                  in Reference.cs generated by Visual Studio when adding reference to service

                   

                  System.ServiceModel.ServiceContractAttribute(Namespace="http://pocesb.com", ConfigurationName="EsbProxyPerson.SayHiEndpoint", ProtectionLevel = ProtectionLevel.Sign )

                      public interface SayHiEndpoint {

                   

                  In the c# client code:

                  client.ClientCredentials.ServiceCertificate.Authentication.CertificateValidationMode =

                  System.ServiceModel.Security.X509CertificateValidationMode.None;

                   

                   

                  Thanks freeman :):):)

                   

                  Edited by: milanmilas on Jan 25, 2013 5:53 PM