Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Wss4jSecurityInterceptor decryption problem [SWS-701] #797

Closed
gregturn opened this issue Mar 31, 2011 · 4 comments
Closed

Wss4jSecurityInterceptor decryption problem [SWS-701] #797

gregturn opened this issue Mar 31, 2011 · 4 comments
Assignees
Labels

Comments

@gregturn
Copy link
Member

@gregturn gregturn commented Mar 31, 2011

Arnaud BARRE opened SWS-701 and commented

I would like to implement a web service that receive encrypted signed messages (XML-encryption and XML-Signature). Here's my interceptor part in spring-ws-servlet.xml :

<bean id="crypto"
		class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
		<property name="keyStorePassword" value="${deltabank.security.server.keystore.password}" />
		<property name="keyStoreLocation" value="file:${deltabank.security.server.keystore}" />
	</bean>
<sws:interceptors>
        <bean id="encryptInterceptor"
			class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
			<property name="securementActions" value="Signature Encrypt"/>
			<property name="securementUsername" value="${deltabank.security.server.signature.keystore.alias}"/>
			<property name="securementPassword" value="${deltabank.security.server.signature.keystore.alias.password}"/>
			<property name="securementEncryptionUser" value="${deltabank.security.server.encryption.keystore.alias}" />
			<property name="securementEncryptionCrypto">
				<ref bean="crypto"/>
			</property>
			<property name="securementSignatureCrypto">
				<ref bean="crypto"/>
			</property>
			
			<property name="validationActions" value="Signature Encrypt"/>
			<property name="validationDecryptionCrypto">
				<ref bean="crypto"/>
			</property>
			<property name="validationSignatureCrypto">
				<ref bean="crypto"/>
			</property>
			<property name="validationCallbackHandler">
				<bean class="org.springframework.ws.soap.security.wss4j.callback.KeyStoreCallbackHandler">
					<property name="privateKeyPassword" value="${deltabank.security.server.encryption.keystore.alias.password}"/>
				</bean>
			</property>
		</bean>
</sws:interceptors>

Here's the part of the code of my client where the interceptor is created:

Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
		
		CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
		cryptoFactoryBean.setKeyStoreLocation(new FileSystemResource("C:/Documents and Settings/a.barre/.keystore"));
		cryptoFactoryBean.setKeyStorePassword("deltabank");		
		cryptoFactoryBean.afterPropertiesSet();
		Crypto crypto = cryptoFactoryBean.getObject();
		
		interceptor.setValidationActions("Signature Encrypt");		
		interceptor.setValidationDecryptionCrypto(crypto);
		KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();
		callbackHandler.setPrivateKeyPassword("deltabank");
		interceptor.setValidationCallbackHandler(callbackHandler);		
		interceptor.setValidationSignatureCrypto(crypto);
		
		interceptor.setSecurementActions("Signature Encrypt");
		interceptor.setSecurementUsername("tomcat");
		interceptor.setSecurementPassword("deltabank");
		interceptor.setSecurementEncryptionUser("tomcat");
		interceptor.setSecurementEncryptionCrypto(crypto);
		interceptor.setSecurementSignatureCrypto(crypto);
		
		setInterceptors(new ClientInterceptor[] {interceptor});

Here's the logs for the web service:

10:40:02.456 [http-8080-1] DEBUG o.s.w.t.h.WebServiceMessageReceiverHandlerAdapter - Accepting incoming [org.springframework.ws.transport.http.HttpServletConnection@11cf5b3] at [http://localhost:8080/funds-transfer]
10:40:02.456 [http-8080-1] DEBUG o.s.w.server.MessageTracing.received - Received request [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData]
10:40:02.456 [http-8080-1] DEBUG o.s.w.s.e.m.PayloadRootAnnotationMethodEndpointMapping - Looking up endpoint for [{http://www.w3.org/2001/04/xmlenc#}EncryptedData]
10:40:02.456 [http-8080-1] DEBUG o.s.w.s.server.SoapMessageDispatcher - Endpoint mapping [org.springframework.ws.server.endpoint.mapping.PayloadRootAnnotationMethodEndpointMapping@140df03] has no mapping for request
10:40:02.456 [http-8080-1] DEBUG o.s.w.s.s.e.m.SoapActionAnnotationMethodEndpointMapping - Looking up endpoint for []
10:40:02.456 [http-8080-1] DEBUG o.s.w.s.server.SoapMessageDispatcher - Endpoint mapping [org.springframework.ws.soap.server.endpoint.mapping.SoapActionAnnotationMethodEndpointMapping@1f13e99] has no mapping for request
10:40:02.456 [http-8080-1] WARN  o.s.ws.server.EndpointNotFound - No endpoint mapping found for [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData]
10:40:02.456 [http-8080-1] DEBUG o.s.w.t.h.MessageDispatcherServlet - Successfully completed request

Here is the request sent by the client:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                   xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <SOAP-ENV:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   SOAP-ENV:mustUnderstand="1">
      <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                         Id="EncKeyId-D8F835AB8EC535FF8813015608023945">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=Arnaud BARRE,OU=Delta WS,O=Delta Informatique,L=Tours,ST=37,C=FR</ds:X509IssuerName>
                <ds:X509SerialNumber>1301067314</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>AG+v+wtJHbZnhFB/sZ27g8fzRuFfUdh04uF7YlZ0EZxw28d5BsFT3ekCaXiYmmGHG2yiv2cyr5khze+p6lrN6I6okVtoiKxNTljM0dRv+B1eRsglIBfiWEzH3a1LRje5XD3NWVKmF8O2uEmt1/CjIUHnGcu2svUiPpKisIgJ4Zg=</xenc:CipherValue>
        </xenc:CipherData>
        <xenc:ReferenceList>
          <xenc:DataReference URI="#EncDataId-3" />
        </xenc:ReferenceList>
      </xenc:EncryptedKey>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                    Id="Signature-1">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
          <ds:Reference URI="#id-2">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <ds:DigestValue>oVw2xDtXKZMxmmqbJj1vVhuMmyk=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>
hZy5vlcHb/Z7qD8lBJTnYj73lKGuWJnC/gDi6krQIbjGnnDn0+dfOOch7dJ9wlgubBluyf+KtHkL
XeZT662tgfXrSvuPMVKJa0arDfwtwUI45VCmFFkTySzk41M6Iysv2K84Av4HKgCF4r0KzSceFaLr
9AH4C2yQ2uuPUF3Rlu8=
</ds:SignatureValue>
        <ds:KeyInfo Id="KeyId-D8F835AB8EC535FF8813015608017382">
          <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                       wsu:Id="STRId-D8F835AB8EC535FF8813015608017533">
            <ds:X509Data>
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=Arnaud BARRE,OU=Delta WS,O=Delta Informatique,L=Tours,ST=37,C=FR</ds:X509IssuerName>
                <ds:X509SerialNumber>1301067314</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                 wsu:Id="id-2">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                        Id="EncDataId-3"
                        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                          URI="#EncKeyId-D8F835AB8EC535FF8813015608023945" />
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>FDFo13ZDhmMbQ72D4ho/sEVmAD5xVdaMmFaI7tarhPq9ykWpmWF97IvgiGs1VUNW5DH0xS9SbukY
UUF2KazElMmPdAmSsW8C2p25xzHdX4Ub658pXWeJRYvRv0Akl0gk1vKsH+Ho48LDNd2gpdE9Oweq
jlYy5CcRSN39E7ntXcXf6PBpTzY8uoEC6mqNFMzB2ZRnONNN1uNOip9VKNk2l4l/NrQ2hxFt06Df
JWRIBGFwUeOIkTtxmZYzjEX4QnCG1Ai13NmkMnDWU3PJarq/r6KrHKtEZM85Iq9UucM73VEJF7q4
HUSVQrMjgbz2ThRyjBKYwIYeQhb3fRQj91ADK8H2tueOVRat/44BqtWCqaNNkGazAsTxhQT0xL4K
VinxpucsvbeKmyjgL0ImyedgAP06ecTvcK7k2N9Tweea4iTM8KaDBvIET5NTaTERPLUK0bQBIF9F
OIdEAYJgjWgxmPLCkaJh+3xUuwaTDFrFTWU=</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

I don't see why the request is not decrypted by the security interceptor. Did I do something's wrong?

Thanks,

Arnaud


Affects: 2.0.1

Attachments:

@gregturn
Copy link
Member Author

@gregturn gregturn commented Apr 1, 2011

Arnaud BARRE commented

Here's my spring-ws-servlet.xml and the client code

@gregturn
Copy link
Member Author

@gregturn gregturn commented Apr 6, 2011

Arnaud BARRE commented

Any news about this subject ? It is very important for me to have this POC working because we're currently investigating on Web service frameworks and we need to make our choice very soon. And I would like to introduce Spring-WS in my company as we're already working with other spring components and I don't want to add a new framework but this will be the case if this case is not supported...

@gregturn
Copy link
Member Author

@gregturn gregturn commented Apr 6, 2011

Arjen Poutsma commented

It seems that the server cannot map the request to any endpoint. Apparently there is no mapping for the payload root of the message (EncrypedData), and since you are not setting any SOAP action in the client, there is no SOAP Action mapping either. All of this is the logs:

10:40:02.456 [http-8080-1] DEBUG o.s.w.s.e.m.PayloadRootAnnotationMethodEndpointMapping - Looking up endpoint for [{http://www.w3.org/2001/04/xmlenc#}EncryptedData]
10:40:02.456 [http-8080-1] DEBUG o.s.w.s.server.SoapMessageDispatcher - Endpoint mapping [org.springframework.ws.server.endpoint.mapping.PayloadRootAnnotationMethodEndpointMapping@140df03] has no mapping for request
10:40:02.456 [http-8080-1] DEBUG o.s.w.s.s.e.m.SoapActionAnnotationMethodEndpointMapping - Looking up endpoint for []
10:40:02.456 [http-8080-1] DEBUG o.s.w.s.server.SoapMessageDispatcher - Endpoint mapping [org.springframework.ws.soap.server.endpoint.mapping.SoapActionAnnotationMethodEndpointMapping@1f13e99] has no mapping for request
10:40:02.456 [http-8080-1] WARN  o.s.ws.server.EndpointNotFound - No endpoint mapping found for [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData]

The solution to your problem would be to either create a mapping for Encrypted Data (which I would not recommend), or set the SOAP Action in the client (which is probably a better idea). Read this section in the reference docs to find out how you can set the soap action.

At any rate, this is not a bug, as Spring-WS is doing its job fine. A post in the forums would have been a better idea.

Closing as invalid.

@gregturn
Copy link
Member Author

@gregturn gregturn commented May 4, 2012

Arjen Poutsma commented

Closing old issues

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.