Anonymous
9 years ago
BSP:R5424: Any ENC_KEY_INFO MUST have exactly one child element in WS-Security
This is my WS-Security configuration with SoapUI
Server Keystore - contains server's private key + server's public key + Client's public key
Client Keystore - contains client's private key + client's public key + server's public key
2. WS-Security Configuration – Keystore
Source - path to client keystore
Password - client keystore password
and
Source - path to server keystore
Password - server keystore password
3. Outgoing WS-Security Configuration
*Encryption
Keystore - server keystore
Alias - alias of server's public key
Password - Empty (no password required for public key)
Key Identifier Type - Binary Security Token
Parts - Name: Body, Namespace: http://schemas.xmlsoap.org/soap/envelope/, Encode: Content
*Signature
Keystore - client keystore
Alias - alias of client's private key
Password - password of client's private key
Key Identifier Type - Binary Security Token
Parts - Name: Body, Namespace: http://schemas.xmlsoap.org/soap/envelope/, Encode: Element
4. Incoming WS-Security Configuration
Decrypt Keystore - client keystore
Signature Keystore - server keystore
Password - password of client's private key
5. Applying the WS-Security
6. But the following exception is thrown:
Request
POST http://localhost:8080/SOAPSecurityWeb/HelloWorld HTTP/1.1 Accept-Encoding: gzip,deflate Content-Type: text/xml;charset=UTF-8 SOAPAction: "" Content-Length: 4663 Host: localhost:8080 Connection: Keep-Alive User-Agent: Apache-HttpClient/4.1.1 (java 1.5) <soapenv:Envelope xmlns:soap="http://soap.aaa.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"> <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="X509-A2A1C3A106D6937E8A146750003784510">MIIDbzCCA2swggJToAMCAQICBCWoh40wDQYJKoZIhvcNAQELBQAwZjELMAkGA1UEBhMCS1IxEjAQBgNVBAgTCUt5b3VuZ05hbTEOMAwGA1UEBxMFUHVzYW4xEjAQBgNVBAoTCU15IGZhbWlseTEMMAoGA1UECxMDREVQMREwDwYDVQQDEwhKaW5hIEtpbTAeFw0xNjA1MTUwNzEyMjlaFw0xNjA4MTMwNzEyMjlaMGYxCzAJBgNVBAYTAktSMRIwEAYDVQQIEwlLeW91bmdOYW0xDjAMBgNVBAcTBVB1c2FuMRIwEAYDVQQKEwlNeSBmYW1pbHkxDDAKBgNVBAsTA0RFUDERMA8GA1UEAxMISmluYSBLaW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCG+63JTaskUiQ7igWDajviOdC3+wCv3HGYF3jxrA1QgOUFZopkID3b1vXyC3Sdd6zRsgtOgXsQwupRqX4ROgbtwK8+RJMnUCig1rGt4XGPxLsgCtm5a/QQHzh8/cAWlrXN66Nad4GQWlQT5AOqvQxyYxSB1Xio28ytJvIqRol6WHC+AfzXsWnO1utJ+nVTyuYaGue+vWSO6Kjf59gyTcPBxsW2TAIwb6noL7QJMd6hlz23TZqRKEvCXe9k4NCipW5sVKBtqeaJfrq0mygHsquOfpaCDTdbiI3FRh7yX1Qst6UEpH2ku3l8G0XhWtqJOxjMsMBsWpk9R+sUyGHRwnSrAgMBAAGjITAfMB0GA1UdDgQWBBS5KhzGgj/BF22U5Ggcs4fWx/bzBTANBgkqhkiG9w0BAQsFAAOCAQEAY9S6L7I/wBoq8Q3enAak0duXPZQxgfLwZZHx8brC/y/wFWJIjSiUe9hqytzz/sNHm5ZnwahmF2jngSL1viqjjlFoliGkrDkFKczlFKr7yL5ncmvLPD4QHCPJ2A+dEnUQo1KvUl2ksWUkPYWfOzhQUOYnF4R0uAgo2fCYeOq2b6wS+7WWyg4Vc+S8ArRoAJIKt/63H9luoChWFOINfihAfuPuexwbj7RpG40sGo+aBb7+/rE8ib3cb0Qb04dlBBBCtULQjLUFCxmI2+IpjsB0G0jP1CrUYE
VRXDp1c8d+D74m9Oj19GjbltgFhLvhvyCeLEuSmLy7ozPsMa2sR9QHdQ==</wsse:BinarySecurityToken><ds:Signature Id="SIG-A2A1C3A106D6937E8A146750003784614" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="soap soapenv" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-A2A1C3A106D6937E8A146750003784613"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces PrefixList="soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>R6Q+97igZbt9ztKD3RRvyOQGK+A=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>VTLyXuTtsLMwDc0w/+FrHmDRexTo689O6Ua9wFb1AdY5ofF3wiD945ucv3YegXZiMf49r9XsxYaH 6H7UwcZppmvjtgBS/SN+aoRQc5+3cDJkXCb8tMYD6GVuwRb605gUDIpzVg+LM6liT8BBzzB3f5Xy flpSKMYmg97UfoQmjueyQog/JSBqBgPeugWvKP8rRCreuw9rLP353+dafnYw/h4wOpIjBeIp2tF6 ky1Z0HLWhM6YVYajT3nNHZi91nVDH3TpTktAty4OILC1tXLw+Gg2vSfF/ei4l9BcSQvvMlRxPcj5 vf+nIRS8FxOS6OMqkWzUfnM8NwOHYuWxUkNDTA==</ds:SignatureValue><ds:KeyInfo Id="KI-A2A1C3A106D6937E8A146750003784511"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1" wsu:Id="STR-A2A1C3A106D6937E8A146750003784512" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#X509-A2A1C3A106D6937E8A146750003784510" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509PKIPathv1"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature><xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:DataReference 
URI="#ED-A2A1C3A106D6937E8A14675000378439"/></xenc:ReferenceList></wsse:Security></soapenv:Header> <soapenv:Body wsu:Id="id-A2A1C3A106D6937E8A146750003784613" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedData Id="ED-A2A1C3A106D6937E8A14675000378439" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/><xenc:CipherData><xenc:CipherValue>/gx2WJrv8YY4v56EbgT9LP/RB+wrxOcS1TqZSY9Q1bcgYpbrPl8PIhEE21lwtabOqHqvC2oDGUH0+V0/3mUrnhjTsmcus9/vSTywiFrIqGDZmyb5kO48yNfjC3MLSuI5mCodndiou8TPdqqTpYHoZL4hvkSJDkfxIMJqEqpa63uJPtN8T+VwaXc02wT3jwtkXLvS1SsL78d8LErX7q6wafiEvSJ2cw8hxVG0Xu6XjyjkmDeoMwRRiFXNmyqA40G6EMsqm+7e5vtnWu/rTNSICZdbIFuH8pdin2H5NbolUU8=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body> </soapenv:Envelope>
Response
HTTP/1.1 500 Internal Server Error Connection: keep-alive X-Powered-By: Undertow/1 Server: WildFly/10 Content-Type: text/xml;charset=UTF-8 Content-Length: 299 Date: Sat, 02 Jul 2016 22:53:57 GMT <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode xmlns:ns1="http://ws.apache.org/wss4j">ns1:SecurityError</faultcode><faultstring>A security error was encountered when verifying the message</faultstring></soap:Fault></soap:Body></soap:Envelope>
These are the exceptions from WS-Security:
08:12:49,193 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-5) Interceptor for {http://soap.aaa.com/}HelloWorldService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:216) at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329) at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184) at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:79) at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251) at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108) at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134) at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212) at javax.servlet.http.HttpServlet.service(HttpServlet.java:707) at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136) at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at 
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at 
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) Caused by: org.apache.wss4j.common.ext.WSSecurityException: BSP:R5424: Any ENC_KEY_INFO MUST have exactly one child element at org.apache.wss4j.common.bsp.BSPEnforcer.handleBSPRule(BSPEnforcer.java:56) at org.apache.wss4j.dom.processor.ReferenceListProcessor.checkBSPCompliance(ReferenceListProcessor.java:231) at org.apache.wss4j.dom.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:151) at org.apache.wss4j.dom.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:103) at org.apache.wss4j.dom.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:67) at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344) at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:280) ... 42 more
Is there anything I missed?
Your advice will be deeply appreciated! And this is my reference site.
https://docs.jboss.org/author/display/JBWS/WS-Security?_sscc=t
Best Regards!
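An added example, not code from the original post or from SoapUI/WSS4J: a Python pre-flight checker that applies WS-I BSP rule R5424 to a WS-Security envelope the way WSS4J's ReferenceListProcessor does, so the empty ds:KeyInfo inside the EncryptedData above (the xenc:ReferenceList sits directly under wsse:Security with no EncryptedKey, the embedded-key path in the trace, so that KeyInfo must identify the decryption key) is caught before the message leaves the client. The two sample envelopes are constructed, with placeholder ids and ciphertext.

```python
import xml.etree.ElementTree as ET

NS = {
    "soapenv": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
WSU_ID = "{%s}Id" % NS["wsu"]

def check_bsp_r5424(envelope_xml):
    """Apply BSP R5424 to every EncryptedData that a top-level ReferenceList in the
    wsse:Security header points at. Returns a list of violations; [] means compliant."""
    root = ET.fromstring(envelope_xml)
    by_id = {}  # resolve DataReference URIs against wsu:Id / Id attributes
    for el in root.iter():
        for attr in (WSU_ID, "Id"):
            if attr in el.attrib:
                by_id[el.attrib[attr]] = el
    problems = []
    for sec in root.findall("soapenv:Header/wsse:Security", NS):
        for ref in sec.findall("xenc:ReferenceList/xenc:DataReference", NS):
            uri = ref.get("URI", "")
            target = by_id.get(uri.lstrip("#"))
            if target is None:
                problems.append("DataReference %s does not resolve" % uri)
                continue
            key_info = target.find("ds:KeyInfo", NS)  # an empty element is falsy: test for None
            n = len(key_info) if key_info is not None else 0
            if n != 1:
                problems.append("BSP:R5424: KeyInfo of %s has %d child elements, expected 1" % (uri, n))
    return problems

# Constructed envelopes modelled on the failing request; ids and ciphertext are placeholders.
_TEMPLATE = (
    '<soapenv:Envelope xmlns:soapenv="%(soapenv)s"><soapenv:Header>'
    '<wsse:Security xmlns:wsse="%(wsse)s"><xenc:ReferenceList xmlns:xenc="%(xenc)s">'
    '<xenc:DataReference URI="#ED-1"/></xenc:ReferenceList></wsse:Security></soapenv:Header>'
    '<soapenv:Body xmlns:wsu="%(wsu)s" wsu:Id="id-1"><xenc:EncryptedData Id="ED-1" '
    'Type="%(xenc)sContent" xmlns:xenc="%(xenc)s"><xenc:EncryptionMethod Algorithm="%(xenc)saes128-cbc"/>'
    '<ds:KeyInfo xmlns:ds="%(ds)s">KEYINFO</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>AAAA'
    '</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>'
) % NS
FAILING = _TEMPLATE.replace("KEYINFO", "")  # what SoapUI sent: an empty KeyInfo
COMPLIANT = _TEMPLATE.replace("KEYINFO", '<wsse:SecurityTokenReference xmlns:wsse="%s">'
                              '<wsse:Reference URI="#EK-1"/></wsse:SecurityTokenReference>' % NS["wsse"])

if __name__ == "__main__":
    print(check_bsp_r5424(FAILING), check_bsp_r5424(COMPLIANT))
```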