Forum Discussion

Anonymous's avatar
Anonymous
9 years ago

Simple ws-security encryption service with soapui

This is my ws-security encryption service. It's definitely working successfully in wildfly. First only one secure key is generated with keytool

 

keytool -genkey -keyalg RSA -alias servicekey -keypass password123  -storepass password123 -keystore serviceKeystore.jks –dname "cn=joseph“

In service side ws-security configuration is set with these files(jaxws-endpoint-config.xml,MANIFEST.MF and server.properties).

 

jaxws-endpoint-config.xml :

<?xml version="1.0" encoding="UTF-8"?>
<jaxws-config xmlns="urn:jboss:jbossws-jaxws-config:4.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"  
            xmlns:javaee="http://java.sun.com/xml/ns/javaee" 
            xsi:schemaLocation="urn:jboss:jbossws-jaxws-config:4.0 schema/jbossws-jaxws-config_4_0.xsd">   
   <endpoint-config>     
      <config-name>Custom WS-Security Endpoint</config-name>     
      <property>       
         <property-name>ws-security.signature.properties</property-name>       
         <property-value>META-INF/server.properties</property-value>     
      </property>     
      <property>       
         <property-name>ws-security.encryption.properties</property-name>      
         <property-value>META-INF/server.properties</property-value>     
      </property>     
      <property>       
         <property-name>ws-security.signature.username</property-name>       
         <property-value>servicekey</property-value>     
      </property>     
      <property>       
         <property-name>ws-security.callback-handler</property-name>       
         <property-value>
         com.aaa.soap.KeystorePasswordCallback
         </property-value>         
      </property>   
   </endpoint-config> 
</jaxws-config>

server.properties :

 

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password123
org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
org.apache.ws.security.crypto.merlin.keystore.file=META-INF/serviceKeystore.jks

MANIFEST.MF :

 

Manifest-Version: 1.0
Dependencies: org.apache.cxf.impl, org.apache.ws.security services
Class-Path:

Client jsp file contains another configuration file (client.properties)

 

JSP file :

 

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=EUC-KR">
<title>WildFly SOAP Security test</title>
</head>
<body>
<% 
String SERVICE_URL = "http://localhost:8080/WSSEncryptWeb/HelloWorld";

try {
    QName serviceName = new QName("http://soap.aaa.com/", "HelloWorldService");

    URL wsdlURL;
    wsdlURL = new URL(SERVICE_URL + "?wsdl");
    Service service = Service.create(wsdlURL, serviceName);

    IHelloWorld port = (IHelloWorld) service.getPort(IHelloWorld.class); 

    ((BindingProvider) port).getRequestContext().put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
    ((BindingProvider) port).getRequestContext().put(SecurityConstants.ENCRYPT_PROPERTIES, 
            Thread.currentThread().getContextClassLoader().getResource("META-INF/client.properties"));
    ((BindingProvider) port).getRequestContext().put(SecurityConstants.ENCRYPT_USERNAME, "servicekey");

    out.println(port.sayHello("jina"));
} catch (Exception e) {
    // TODO Auto-generated catch block
    e.printStackTrace();
}
%>
</body>
</html>

client.properties :

 

org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=password123
org.apache.ws.security.crypto.merlin.keystore.alias=servicekey
org.apache.ws.security.crypto.merlin.keystore.file=META-INF/serviceKeystore.jks

The point is the number of encryption key is the only one serviceKeystore.jks file. However I am still stuck with this point. For your information the following images show the soapui configuration.

 

Keystore configuration

 

Encryption configuration :

 

SOAP Request configuration :

 

 

But this soapui configuration returns the soap fault

 

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:InvalidSecurity</faultcode>
         <faultstring>An error was discovered processing the &lt;wsse:Security> header</faultstring>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

And these exception is thrown from sei

20:57:51,004 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (default task-63) Interceptor for {http://soap.aaa.com/}HelloWorldService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header
    at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:216)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:79)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
    at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:108)
    at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:134)
    at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:88)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:293)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:212)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)
    at org.jboss.wsf.stack.cxf.CXFServletExt.service(CXFServletExt.java:136)
    at org.jboss.wsf.spi.deployment.WSFServlet.service(WSFServlet.java:140)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: An error was discovered processing the <wsse:Security> header
    at org.apache.wss4j.common.crypto.AlgorithmSuiteValidator.checkSymmetricEncryptionAlgorithm(AlgorithmSuiteValidator.java:149)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRef(EncryptedKeyProcessor.java:550)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.decryptDataRefs(EncryptedKeyProcessor.java:481)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:199)
    at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:76)
    at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:280)
    ... 42 more

I need your help sincerely. Pls, do not hesitate posting your reply. Thanks in advance.

  • Anonymous's avatar
    Anonymous
    9 years ago

    UPDATE

     

    Below is the modified ws-security configuration in soapui of my project.  First I'd like to show you the input soap message sample.

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soap="http://soap.aaa.com/">
   <soapenv:Header/>
   <soapenv:Body>
      <soap:sayHello>
         <!--Optional:-->
         <arg0>?</arg0>
      </soap:sayHello>
   </soapenv:Body>
</soapenv:Envelope>

    And Both modified Username and Encryption configuration of soapui :

     

     

    The exception and soap fault are thrown,

    Caused by: javax.xml.bind.UnmarshalException: Unexpected Element (URI: "http://www.w3.org/2001/04/xmlenc#", local: "EncryptedData"). needed element is  (none).

    The following encrypted soap message is shown like this,

    <soapenv:Envelope xmlns:soap="http://soap.aaa.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><xenc:EncryptedKey Id="EK-45F443F2E8A873A23714704707693412" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference><ds:X509Data><ds:X509IssuerSerial><ds:X509IssuerName>CN=joseph</ds:X509IssuerName><ds:X509SerialNumber>1602876047</ds:X509SerialNumber></ds:X509IssuerSerial></ds:X509Data></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>gOq6T+xnGCV7DGSBCxIKfH+YFuTslWumgfHIzgg1nTrryr9uRxkQ/Bn8J08wX4mjwamyrG+l9bd4LDmodeuVxKGqrrwd3lBnAQv8fytn20ds6L6PF5L3LZhagX8fumdEmCNT37SaMdZGwOqu/LCw8phBizuPRemIAsZ4+9LBpcsFncfJ9PBp0pG2lMM6JUKWHerMNM/GBhU5ytWyMG6MhkITFG3v3D1wJl8vW9L6m5iTEwek8TobcIYPJ12HWYqvQ4NGNhM/ppRD8NBTpUcFEqvute+bNlsXR3oRxrrhwbIkaKyxPUY277Vyqa1DyQF6+AonmJlLZnJIZsw3PPpqCA==</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#ED-45F443F2E8A873A23714704707693523"/></xenc:ReferenceList></xenc:EncryptedKey><wsse:UsernameToken wsu:Id="UsernameToken-45F443F2E8A873A23714704707693261"><wsse:Username>servicekey</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest">y+6Ka5uzvrJwZv7ufIojMXObVhM=</wsse:Password><wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">sIewqYgHFO9P8qMHSIP9KQ==</wsse:Nonce><wsu:Created>2016-08-06T08:06:09.324Z</wsu:Created></wsse:UsernameToken></wsse:Security></soapenv:Header>
   <soapenv:Body>
      <soap:sayHello>
         <!--Optional:-->
         <arg0><xenc:EncryptedData Id="ED-45F443F2E8A873A23714704707693523" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-45F443F2E8A873A23714704707693412"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>mI1uKSc1Vz0BLZWzVKT/nM3Q0wjUxOpgAWtYzzOl/qk=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></arg0>
      </soap:sayHello>
   </soapenv:Body>
</soapenv:Envelope>

    I think service side of soap webservice can not recognize the element EncryptedData of input soap message . Any suggestion, pls?

    • Anonymous's avatar
      Anonymous
      9 years ago

      This is the modified SoapUI Encryption configuration. Pls, have a look at it.

       

      And the returned SOAP message is almost correct except one thing. The encrypted element is not decrypted. Pls, have a look at these request and response soap messages,

       

      == request soap

      <soapenv:Envelope xmlns:soap="http://soap.aaa.com/" xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
   <soapenv:Header>.......</soapenv:Header>
   <soapenv:Body>
      <soap:sayHello>
         <!--Optional:-->
         <xenc:EncryptedData Id="ED-5F86AA7F44351E460314705512463574" Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><wsse:Reference URI="#EK-5F86AA7F44351E460314705512463472"/></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>fSA8Yk9FKQe4RoAegZesV7qMqeHrgC22Lgfss4FEkrrSMRtlcjqrkKK0AO8PkEsM8PTqvpp+DC53GmdN89Ij5vzUsdEdMxgdXzFEsYFmlR6GRSx8WpJwDQGET6BesYFmTSLDyvpksBJX4g1e0IGtTQxFjamC8gSr</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>
      </soap:sayHello>
   </soapenv:Body>
</soapenv:Envelope>

      == response soap

      HTTP/1.1 200 OK
Connection: keep-alive
X-Powered-By: Undertow/1
Server: WildFly/10
Content-Type: text/xml;charset=UTF-8
Content-Length: 229
Date: Sun, 07 Aug 2016 06:27:26 GMT

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <ns2:sayHelloResponse xmlns:ns2="http://soap.aaa.com/">
         <return>Hello null</return>
      </ns2:sayHelloResponse>
   </soap:Body>
</soap:Envelope>

      I have no idea how to decrypt and display the encrypted arg0 element in soapui.

      How about your advice, pls. Thanks in advance.