[jboss-user] [JBossWS] - Error SAP WS-Security client calling JBoss Security WS
lall2
do-not-reply at jboss.com
Tue Jul 29 05:48:35 EDT 2008
Hi,
I get the following exception when the SAP system invokes a JBossWS WS-Security WS:
| ERROR [WSSecurityDispatcher] Internal error occured handling inbound message:
| org.jboss.ws.extensions.security.exception.WSSecurityException: Inavliad message, Reference element is missing a ValueType
| at org.jboss.ws.extensions.security.element.DirectReference.<init>(DirectReference.java:78)
| at org.jboss.ws.extensions.security.element.Reference.getReference(Reference.java:39)
| at org.jboss.ws.extensions.security.element.SecurityTokenReference.<init>(SecurityTokenReference.java:61)
| at org.jboss.ws.extensions.security.KeyResolver.extractSecurityTokenReference(KeyResolver.java:70)
| at org.jboss.ws.extensions.security.KeyResolver.resolvePublicKey(KeyResolver.java:161)
| at org.jboss.ws.extensions.security.element.Signature.<init>(Signature.java:56)
| at org.jboss.ws.extensions.security.element.SecurityHeader.<init>(SecurityHeader.java:87)
| at org.jboss.ws.extensions.security.SecurityDecoder.decode(SecurityDecoder.java:175)
| at org.jboss.ws.extensions.security.WSSecurityDispatcher.decodeMessage(WSSecurityDispatcher.java:219)
| at org.jboss.ws.extensions.security.jaxws.WSSecurityHandler.handleInboundSecurity(WSSecurityHandler.java:83)
| at org.jboss.ws.extensions.security.jaxws.WSSecurityHandlerServer.handleInbound(WSSecurityHandlerServer.java:41)
|
It looks to me that this occurs when the SAP's request
Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference
element is checked. If so, can this check in org.jboss.ws.extensions.security.element.DirectReference be skipped, since the ValueType attribute of
Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference
does not contain specific information? Additionally, the same value type is also contained in Envelope/Header/Security/BinarySecurityToken
element with a wsu:Id="token-2-1215429956710-11328770" attribute referencing/referenced in the URI attribute of
Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference.
I have outlined in bold the important sections of the two following SOAP trace listings.
a) The request from the SAP system looks as follows:
| <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
| <SOAP:Header>
| <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP:mustUnderstand="1">
| <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
| wsu:Id="sap-17" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
| <!-- ... cipher data ... -->
| </wsse:BinarySecurityToken>
| <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsu-targetID-4f51c3d1-4c31-11dd-c804-52325dc89402">
| <wsu:Created ValueType="xsd:dateTime">2008-07-07T14:30:55Z</wsu:Created>
| <wsu:Expires ValueType="xsd:dateTime">2008-07-07T14:31:55Z</wsu:Expires>
| </wsu:Timestamp>
| <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK7176284">
| <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <wsse:SecurityTokenReference>
| <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">tZwIZ4EyuXCscFmLexbBSDw4pXc=</wsse:KeyIdentifier>
| </wsse:SecurityTokenReference>
| </ds:KeyInfo>
| <xenc:CipherData>
| <xenc:CipherValue>dN7Jdu9ZrqKdO4gmMhVVqEraDWATPkXyfaOwqTJ9iiNBGslSZxS9wDPaMms+1AVIsEj+zPxOP1m9
| iGzNZgUj36ytFnfMPEYy79LZhjlsrRcuNNIYdIosI1aR55Cg8LWhmExp8xfPwcaero2ku6mnHqZT
| PCoAWq859YRnQsmxoF8=</xenc:CipherValue>
| </xenc:CipherData>
| <xenc:ReferenceList>
| <xenc:DataReference URI="#ED52721394"/>
| </xenc:ReferenceList>
| </xenc:EncryptedKey>
| <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <ds:SignedInfo>
| <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
| <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
| <ds:Reference URI="#wsuid-body-4f51c3d0-4c31-11dd-962a-52325dc89402">
| <ds:Transforms>
| <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
| </ds:Transforms>
| <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
| <ds:DigestValue>uPX1GhMMPxAyFhdKOyOWTSXoaFg=</ds:DigestValue>
| </ds:Reference>
| <ds:Reference URI="#wsu-targetID-4f51c3d1-4c31-11dd-c804-52325dc89402">
| <ds:Transforms>
| <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
| </ds:Transforms>
| <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
| <ds:DigestValue>720bTnzpOnIall0ooGeyk32Syqs=</ds:DigestValue>
| </ds:Reference>
| </ds:SignedInfo>
| <ds:SignatureValue>AzlqPk9OCrqetQVS2BPZ6u3ZwMHGtPGgYQwMTBLnREKPhNEI/Cb8o3EJAgIfB73kKgKFmw0Dj3WN
| c+MesXZ1LEOqvT2YDq6Jxpz4I/cYWbY+79tKKmuOfstfoQzBGn8uo4+wwR8Vn3l0Ns/DuYHwvnNR
| 34RzPbLDllZUW4qdXmE=</ds:SignatureValue>
| <ds:KeyInfo>
| <wsse:SecurityTokenReference>
| <wsse:Reference URI="#sap-17"/>
| </wsse:SecurityTokenReference>
| </ds:KeyInfo>
| </ds:Signature>
| <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sap-17" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
|
| <!-- ... cipher data ... -->
|
| </wsse:BinarySecurityToken>
| <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... cipher data ... --></wsse:BinarySecurityToken>
| <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sap-17" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"><!-- ... cipher data ... --></wsse:BinarySecurityToken>
| </wsse:Security>
| </SOAP:Header>
| <SOAP:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsuid-body-4f51c3d0-4c31-11dd-962a-52325dc89402">
| <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="ED52721394">
| <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
| <xenc:CipherData>
| <xenc:CipherValue><!-- ... cipher data ... --></xenc:CipherValue>
| </xenc:CipherData>
| </xenc:EncryptedData>
| </SOAP:Body>
| </SOAP:Envelope>
|
The SAP request only has the ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" attribute within the
Envelope/Header/Security/BinarySecurityToken
element. In the JBoss request, the ValueType attribute is contained in
Envelope/Header/Security/BinarySecurityToken
and
Envelope/Header/Security/Signature/KeyInfo/SecurityTokenReference/Reference.
Is the second ValueType attribute required by JBossWS internal processing?
b) When a JBossWS WS-Security client calls an SAP WS-Security WS, there are no problems. The request looks as follows:
| <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
| <env:Header>
| <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
| <wsu:Timestamp wsu:Id="timestamp">
| <wsu:Created>2008-07-07T11:25:56.523Z</wsu:Created>
| <wsu:Expires>2008-07-07T11:26:26.523Z</wsu:Expires>
| </wsu:Timestamp>
| <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-2-1215429956710-11328770">
|
| <!-- ... cipher data ... -->
| </wsse:BinarySecurityToken>
| <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
| <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <wsse:SecurityTokenReference wsu:Id="reference-5-1215429957054-30222347">
| <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">NS0xdPUqf/9XQw4/YZ+lMnTguf8=</wsse:KeyIdentifier>
| </wsse:SecurityTokenReference>
| </ds:KeyInfo>
| <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
| <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">dqWVJQ08cTvj6O/lbEC+e6giBMlU5msZsGS5fShB1bdkkGUh1Fc0Kk38FNYfUW/EZZu0H3/YDInN
| W7HcQle5KL0LpD1vGCNlXElGlOfRYdX96stIL8e6r386lglQdYxdL78RaPlI6OF4fnD6XCS3QfM9
| XhODTHWQf8LIw2xQVyI=</xenc:CipherValue>
| </xenc:CipherData>
| <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
| <xenc:DataReference URI="#encrypted-4-1215429956976-6044039" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
| </xenc:ReferenceList>
| </xenc:EncryptedKey>
| <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
| <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
| <ds:Reference URI="#element-1-1215429956523-31952022" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
| </ds:Transforms>
| <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
| <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">ZmQ7YZUv5swk3OnUn5X3w2JyenE=</ds:DigestValue>
| </ds:Reference>
| <ds:Reference URI="#timestamp" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
| </ds:Transforms>
| <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
| <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">OyIUQGrnwhkJoimoqv07+ML45IE=</ds:DigestValue>
| </ds:Reference>
| </ds:SignedInfo>
| <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <!-- ... cipher data ... -->
| </ds:SignatureValue>
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
| <wsse:SecurityTokenReference wsu:Id="reference-3-1215429956710-15774883">
| <wsse:Reference URI="#token-2-1215429956710-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
| </wsse:SecurityTokenReference>
| </ds:KeyInfo>
| </ds:Signature>
| </wsse:Security>
| </env:Header>
| <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-1-1215429956523-31952022">
| <xenc:EncryptedData Id="encrypted-4-1215429956976-6044039" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
| <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
| <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
| <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
| <!-- ... cipher data ... -->
| </xenc:CipherValue>
| </xenc:CipherData>
| </xenc:EncryptedData>
| </env:Body>
| </env:Envelope>
|
I use version: JBoss 4.2.2 - JBossWS 3.0.1.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4167271#4167271
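The relationship the post describes between the signature's wsse:Reference and the BinarySecurityToken it points at, as an added example that is not part of the original post and not JBossWS code. It assumes a receiver that takes the token type from the referenced token when the Reference carries no ValueType, and that refuses a URI matching no token or more than one; `resolve_signing_token` and `build_envelope` are hypothetical names, and the envelope is constructed sample input.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
REF_PATH = (f".//{{{DS}}}Signature/{{{DS}}}KeyInfo/"
            f"{{{WSSE}}}SecurityTokenReference/{{{WSSE}}}Reference")


def resolve_signing_token(envelope_xml):
    """Return (token_id, value_type) of the token the signature's Reference points at."""
    root = ET.fromstring(envelope_xml)
    ref = root.find(REF_PATH)
    if ref is None:
        raise ValueError("no wsse:Reference under Signature/KeyInfo")
    uri = ref.get("URI", "")
    if len(uri) < 2 or not uri.startswith("#"):
        raise ValueError("Reference URI is not a same-document fragment")
    token_id = uri[1:]
    tokens = [t for t in root.iter(f"{{{WSSE}}}BinarySecurityToken")
              if t.get(f"{{{WSU}}}Id") == token_id]
    if len(tokens) != 1:  # unresolved or ambiguous reference: refuse to guess
        raise ValueError(f"{len(tokens)} tokens carry wsu:Id={token_id!r}")
    token_type = tokens[0].get("ValueType")
    if token_type is None:
        raise ValueError("referenced token has no ValueType")
    ref_type = ref.get("ValueType")  # absent in the SAP request, present in the JBossWS one
    if ref_type is not None and ref_type != token_type:
        raise ValueError("Reference and token disagree on ValueType")
    return token_id, token_type


def build_envelope(reference_attrs, token_ids=("sap-17",)):
    """Constructed, trimmed envelope modelled on the listings; 'AAAA' is a dummy token body."""
    tokens = "".join(
        f'<wsse:BinarySecurityToken wsu:Id="{i}" ValueType="{X509V3}">AAAA'
        f'</wsse:BinarySecurityToken>' for i in token_ids)
    return (f'<SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/" '
            f'xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:ds="{DS}">'
            f'<SOAP:Header><wsse:Security>{tokens}<ds:Signature><ds:KeyInfo>'
            f'<wsse:SecurityTokenReference><wsse:Reference {reference_attrs}/>'
            f'</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>'
            f'</wsse:Security></SOAP:Header><SOAP:Body/></SOAP:Envelope>')


if __name__ == "__main__":
    print(resolve_signing_token(build_envelope('URI="#sap-17"')))
```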