DEVHIDE
Login Or Sign up

Migrating to CXF 3.2.7 -> How to solve the password related security error during SOAP RQ processing?

1.8k Views Asked by At

Context : I am trying to migrate a webservice from CXF 2.2.2 to CXF 3.2.7

Problem : Post migration whenever i try to fire the below HTTP-POST SOAP based request against my webservice through a software like SOAP UI :

<SOAP-ENV:Header>
      <wsse:Security SOAP-ENV:mustUnderstand="1">
        <wsse:UsernameToken wsu:Id="">
        <wsse:Username>sampleUser</wsse:Username>
        <wsse:Password>12345</wsse:Password>
        <wsse:PartnerID>samplePartner</wsse:PartnerID>
</wsse:UsernameToken>
</wsse:Security>
    <wsa:To>http://localhost:8080/sampleWs</wsa:To>
    <wsa:Action>http://localhost:8080/sampleWs/sampleAction</wsa:Action>
      <wsa:From>
      <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
</wsa:From>
</SOAP-ENV:Header>

I receive the following security exception from CXF security module :

18:11:29,250 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-127.0.0.1:8080-1) Interceptor for {http://ws.sampleWs.varun/}SampleWebService has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
        at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:234) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:341) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:176) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:87) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308) [cxf-core-3.2.7.jar:3.2.7]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-core-3.2.7.jar:3.2.7]
        .
        .
        .
Caused by: org.apache.wss4j.common.ext.WSSecurityException: BSP:R4201: Any PASSWORD MUST specify a Type attribute
        at org.apache.wss4j.common.bsp.BSPEnforcer.handleBSPRule(BSPEnforcer.java:57) [wss4j-ws-security-common-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.message.token.UsernameToken.checkBSPCompliance(UsernameToken.java:834) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.message.token.UsernameToken.<init>(UsernameToken.java:143) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:137) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:62) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340) [wss4j-ws-security-dom-2.2.2.jar:2.2.2]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:285) [cxf-rt-ws-security-3.2.7.jar:3.2.7]
        ... 28 more

The root cause appears to be a missing attribute in wsse:password tag.

I checked the security WS specs : http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd

There i could not find a mandatory type attribute for wsse:passwordas expected by latest CXF.

Note : The same request is processed fine by CXF version 2.2.2

Question : Is there a way for preventing CXF from dropping the above request and allow it go through. I looked around a lot but couldnt find any answers ? Any suggestions ? OR modfifying the SOAP request is the only solution ?

java soap cxf ws-security wss4j
Original Q&A
2

There are 2 best solutions below

0
On BEST ANSWER

Above request is being dropped because as stated earlier by @GPI, CXF tries to enforce R4201 of the Basic security specs (http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html).

To prevent CXF from enforcing this we can use configuration constants provided by ws-security and wss4j that would instruct CXF to stop the enforcement.

Solution #1 (Using WSS4J interceptor)

In your spring config file, you can set isBspCompliant to false :

    <jaxws:inInterceptors>
        <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
            <constructor-arg>
                <map>
                    <entry key="action" value="UsernameToken" />
                    <entry key="passwordType" value="PasswordText" />
                    <entry key="passwordCallbackRef">
                        <ref bean="passwordCallback" />
                    </entry>
                    <entry key="isBSPCompliant" value="false"/>
                </map>
            </constructor-arg>
        </bean>
    </jaxws:inInterceptors>

Solution #2 (Using JAX-WS)

In your spring config file, you can set ws-security.is-bsp-compliant to false :

    <jaxws:endpoint id="sample" implementor="sample.ws.SampleWebService" address="/SampleWebService">
    <jaxws:properties> 
    <entry key="ws-security.is-bsp-compliant" value="false"/> 
    </jaxws:properties> 
</jaxws:endpoint>

For additional configuration options, you can refer these pages :

http://ws.apache.org/wss4j/config.html

http://cxf.apache.org/docs/ws-securitypolicy.html

0
On

I was facing the same problem and found out that there was an issue in the soap request.

I was able to resolve it by adding :

  • the following attribute in the soap:Envelope xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
  • the following attribute in wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

The header of my request looked like this

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tic="http://ticket.degroupage.atos.ma/"  xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <soapenv:Header>
      <wsse:Security soapenv:mustUnderstand="1">
         <wsse:UsernameToken><wsse:Username>XXXX</wsse:Username>
         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXX</wsse:Password>
         </wsse:UsernameToken>
     </wsse:Security></soapenv:Header>
   <soapenv:Body>
...

Related Questions in JAVA

Related Questions in SOAP

Related Questions in CXF

Related Questions in WS-SECURITY

Related Questions in WSS4J

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.