Hi all,
I built a JBoss 4.2.2 JBossWS Native 2.0.4/3.0.1 WS Client with the following
jboss-wsse-client.xml security configuration:
| <?xml version="1.0" encoding="UTF-8"?>
| <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
|   <config>
|     <timestamp ttl="30"/>
|     <sign type="x509v3" alias="SimpleClientCertPrivateKey" includeTimestamp="true"/>
|     <encrypt type="x509v3" alias="SimpleClientCert"/>
|     <requires>
|       <signature/>
|       <encryption/>
|     </requires>
|   </config>
|   <timestamp-verification createdTolerance="500" warnCreated="true" expiresTolerance="100" warnExpires="true"/>
| </jboss-ws-security>
|
All certificates and KeyStores have been installed properly on both sides.
The resulting SOAP message trace looks as follows:
(Listing 1)
| <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
|   <env:Header>
|     <wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-... xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w...
|       <wsu:Timestamp wsu:Id="timestamp">
|         <wsu:Created>2008-06-13T12:45:10.976Z</wsu:Created>
|         <wsu:Expires>2008-06-13T12:45:40.976Z</wsu:Expires>
|       </wsu:Timestamp>
|       <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-ws... ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x... wsu:Id="token-2-1213361111663-11328770">
|         <!-- ... lot of base64 encoding ... -->
|       </wsse:BinarySecurityToken>
|       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
|         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
|         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|           <wsse:SecurityTokenReference wsu:Id="reference-5-1213361112194-30222347">
|             <wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x...
|           </wsse:SecurityTokenReference>
|         </ds:KeyInfo>
|         <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
|           <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">lg6tOjzqKs26H...
|             v1dqulorSnIyV7X0uk25y/OMDmkVYQ/VlQF7bxZr/5Q+UB6YwLy74N1jpx7lo4BZXUM9kEZmgFAo
|             o8SW8P3AcSgBAUoOpOc=</xenc:CipherValue>
|         </xenc:CipherData>
|         <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
|           <xenc:DataReference URI="#encrypted-4-1213361112116-6044039" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
|         </xenc:ReferenceList>
|       </xenc:EncryptedKey>
|       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|         <ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
|           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
|           <ds:Reference URI="#element-1-1213361110976-31952022" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|             <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
|             </ds:Transforms>
|             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
|             <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">l2LG3Bc2Rk+LgA...
|           </ds:Reference>
|           <ds:Reference URI="#timestamp" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|             <ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
|             </ds:Transforms>
|             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
|             <ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">GNamS8F3tDSDlf...
|           </ds:Reference>
|         </ds:SignedInfo>
|         <ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|           <!-- ... lot of base64 encoding ... -->
|         </ds:SignatureValue>
|         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|           <wsse:SecurityTokenReference wsu:Id="reference-3-1213361111663-15774883">
|             <wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x...
|           </wsse:SecurityTokenReference>
|         </ds:KeyInfo>
|       </ds:Signature>
|     </wsse:Security>
|   </env:Header>
|   <env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w... wsu:Id="element-1-1213361110976-31952022">
|     <xenc:EncryptedData Id="encrypted-4-1213361112116-6044039" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
|       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
|       <xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
|         <xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
|           <!-- ... lot of base64 encoding ... -->
|         </xenc:CipherValue>
|       </xenc:CipherData>
|     </xenc:EncryptedData>
|   </env:Body>
| </env:Envelope>
|
After some research, I know that the WebService system expects a request that looks as
follows
(Listing 2)
| <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
|   <SOAP:Header>
|     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-... SOAP:mustUnderstand="1">
|       <wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w... wsu:Id="sap-9" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x... EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-ws...
|         <!-- ... lot of base64 encoding ... -->
|       </wsse:BinarySecurityToken>
|       <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w... wsu:Id="wsu-targetID-1f10b320-0181-11dd-aebd-00144f2515b0">
|         <wsu:Created ValueType="xsd:dateTime">2008-04-03T13:23:17Z</wsu:Created>
|         <wsu:Expires ValueType="xsd:dateTime">2008-04-03T13:25:17Z</wsu:Expires>
|       </wsu:Timestamp>
|       <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK52789332">
|         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
|         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|           <wsse:SecurityTokenReference>
|             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x... EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-ws...
|           </wsse:SecurityTokenReference>
|         </ds:KeyInfo>
|         <xenc:CipherData>
|           <xenc:CipherValue>
|             <!-- ... lot of base64 encoding ... -->
|           </xenc:CipherValue>
|         </xenc:CipherData>
|         <xenc:ReferenceList>
|           <xenc:DataReference URI="#ED13608949"/>
|         </xenc:ReferenceList>
|       </xenc:EncryptedKey>
|       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|         <ds:SignedInfo>
|           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
|           <ds:Reference URI="#wsuid-body-1f108c10-0181-11dd-838e-00144f2515b0">
|             <ds:Transforms>
|               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|             </ds:Transforms>
|             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
|             <ds:DigestValue>UaW58GCrg/nrA/EfW+OyHP2DCio=</ds:DigestValue>
|           </ds:Reference>
|           <ds:Reference URI="#wsu-targetID-1f10b320-0181-11dd-aebd-00144f2515b0">
|             <ds:Transforms>
|               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
|             </ds:Transforms>
|             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
|             <ds:DigestValue>LFuszgJ412Fe8PRtK3W69RTXndY=</ds:DigestValue>
|           </ds:Reference>
|         </ds:SignedInfo>
|         <ds:SignatureValue>
|           <!-- ... lot of base64 encoding ... -->
|         </ds:SignatureValue>
|         <ds:KeyInfo>
|           <wsse:SecurityTokenReference>
|             <wsse:Reference URI="#sap-9"/>
|           </wsse:SecurityTokenReference>
|         </ds:KeyInfo>
|       </ds:Signature>
|     </wsse:Security>
|   </SOAP:Header>
|   <SOAP:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-w... wsu:Id="wsuid-body-1f108c10-0181-11dd-838e-00144f2515b0">
|     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="ED13608949">
|       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
|       <xenc:CipherData>
|         <xenc:CipherValue>
|           <!-- ... lot of base64 encoding ... -->
|         </xenc:CipherValue>
|       </xenc:CipherData>
|     </xenc:EncryptedData>
|   </SOAP:Body>
| </SOAP:Envelope>
|
There is a significant difference in the Envelope/Header/Security/EncryptedKey/KeyInfo
element (printed in bold). This difference causes the error message
"No SecurityTokenReference was found in the <xenc:EncryptedKey>/// element.",
showing the reason for the failure of the WS Client request processing by the system
implementing the WebService.
JBoss Native's
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|   <wsse:SecurityTokenReference wsu:Id="reference-5-1213361112194-30222347">
|     <wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x...
|   </wsse:SecurityTokenReference>
| </ds:KeyInfo>
|
vs.
system implementing the WebService
| <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
|   <wsse:SecurityTokenReference>
|     <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x... EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-ws...
|     </wsse:KeyIdentifier>
|   </wsse:SecurityTokenReference>
| </ds:KeyInfo>
|
It looks to me like there is a difference in the implementation of WS-Security between
JBossWS Native and the one of the system on which the WebService runs.
I am wondering if JBossWS Metro 3.0.2 behaves like JBossWS Native, differently, or even the
same as in the second listing.
Does anyone know that? I am about to build a test case to find out, but it would be time
saving to know that beforehand ;-)
Obviously, when looking at
http://support.microsoft.com/?scid=kb%3Ben-us%3B922779&x=8&y=13, the MS Web
Services Enhancements 3.0 for Microsoft .NET implements WS-Security as in Listing 2,
with a <ds:KeyInfo>/<wsse:SecurityTokenReference>/<wsse:KeyIdentifier>
instead of
<ds:KeyInfo>/<wsse:SecurityTokenReference>/<wsse:Reference>.
Why does JBoss Native implement WS-Security in this way?
Greets Andy
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4162315#...
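An added check, not part of Andy's post or of JBossWS, that parses a WS-Security header and reports which SecurityTokenReference form the EncryptedKey carries (wsse:Reference to a BinarySecurityToken as in Listing 1, or wsse:KeyIdentifier as in Listing 2) and whether the token and data references resolve, which is the kind of pre-flight a client-side interceptor can run before sending. The full WS-Security 1.0 namespace URIs (truncated in the post's trace) and the minimal sample envelopes are assumptions constructed here.

```python
import xml.etree.ElementTree as ET

# Full WS-Security 1.0, XML-Enc and XML-DSig namespace URIs (the post's trace truncates them).
ENV = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"

def check_encrypted_key_str(envelope_xml):
    """Classify the STR under EncryptedKey/KeyInfo as 'Reference' (JBossWS Native style) or
    'KeyIdentifier' (the style the receiving system expects); return (form, problems)."""
    root = ET.fromstring(envelope_xml)
    sec = root.find(f"{{{ENV}}}Header/{{{WSSE}}}Security")
    ek = sec.find(f"{{{XENC}}}EncryptedKey")
    str_el = ek.find(f"{{{DS}}}KeyInfo/{{{WSSE}}}SecurityTokenReference")
    ref = str_el.find(f"{{{WSSE}}}Reference") if str_el is not None else None
    kid = str_el.find(f"{{{WSSE}}}KeyIdentifier") if str_el is not None else None
    form, problems = "unknown", []
    if ref is not None:
        form = "Reference"
        # A direct reference must resolve to a BinarySecurityToken in the same header.
        token_ids = {t.get(f"{{{WSU}}}Id") for t in sec.findall(f"{{{WSSE}}}BinarySecurityToken")}
        uri = ref.get("URI", "")
        if not uri.startswith("#") or uri[1:] not in token_ids:
            problems.append(f"Reference URI {uri!r} does not resolve to a BinarySecurityToken")
    elif kid is not None:
        form = "KeyIdentifier"
        if not (kid.text or "").strip():
            problems.append("KeyIdentifier carries no identifier value")
    else:
        problems.append("no SecurityTokenReference with Reference or KeyIdentifier in EncryptedKey")
    # Every DataReference must point at an EncryptedData element somewhere in the envelope.
    enc_ids = {e.get("Id") for e in root.iter(f"{{{XENC}}}EncryptedData")}
    for dr in ek.iter(f"{{{XENC}}}DataReference"):
        if dr.get("URI", "")[1:] not in enc_ids:
            problems.append(f"DataReference {dr.get('URI')!r} has no matching EncryptedData")
    return form, problems

def sample_envelope(str_child):
    # Constructed minimal envelope for testing, not the post's trace; str_child is the STR content.
    return (f'<env:Envelope xmlns:env="{ENV}" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:xenc="{XENC}" '
            f'xmlns:ds="{DS}"><env:Header><wsse:Security><wsse:BinarySecurityToken wsu:Id="token-1">QUJD'
            f'</wsse:BinarySecurityToken><xenc:EncryptedKey><ds:KeyInfo><wsse:SecurityTokenReference>'
            f'{str_child}</wsse:SecurityTokenReference></ds:KeyInfo><xenc:ReferenceList><xenc:DataReference '
            'URI="#enc-1"/></xenc:ReferenceList></xenc:EncryptedKey></wsse:Security></env:Header>'
            '<env:Body><xenc:EncryptedData Id="enc-1"/></env:Body></env:Envelope>')

JBOSS_NATIVE_STYLE = sample_envelope('<wsse:Reference URI="#token-1"/>')
KEY_IDENTIFIER_STYLE = sample_envelope('<wsse:KeyIdentifier>c2tp</wsse:KeyIdentifier>')
```

Running `check_encrypted_key_str` over a real trace tells you which of the two forms a client emits and flags dangling Ids before the peer rejects the message.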