[jboss-user] [JBossWS] - Problem WS-Security Standard implementation difference --> i

lall2 do-not-reply at jboss.com
Thu Jul 3 08:50:52 EDT 2008


Hi all,

I built a JBoss 4.2.2 JBossWS Native 2.0.4/3.0.1 WS Client with the following jboss-wsse-client.xml security configuration:


  | <?xml version="1.0" encoding="UTF-8"?>
  | <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  |   <config>
  |     <timestamp ttl="30"/>
  |     <sign type="x509v3" alias="SimpleClientCertPrivateKey" includeTimestamp="true"/>
  |     <encrypt type="x509v3" alias="SimpleClientCert"/>
  |     <requires>
  |       <signature/>
  |       <encryption/>
  |     </requires>
  |   </config>
  |   <timestamp-verification createdTolerance="500" warnCreated="true" expiresTolerance="100" warnExpires="true"/>
  | </jboss-ws-security>
  | 

All certificates and KeyStores have been installed properly on both sides.
The resulting SOAP message trace looks as follows:

(Listing 1)


  | <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
  | 	<env:Header>
  | 		<wsse:Security env:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  | 			<wsu:Timestamp wsu:Id="timestamp">
  | 				<wsu:Created>2008-06-13T12:45:10.976Z</wsu:Created>
  | 				<wsu:Expires>2008-06-13T12:45:40.976Z</wsu:Expires>
  | 			</wsu:Timestamp>
  | 			<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="token-2-1213361111663-11328770">
  | 
  | 			<!-- ... lot of base64 encoding ... -->
  | 			
  | 			</wsse:BinarySecurityToken>
  | 			<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  | 				<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  | 
  | 				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 					<wsse:SecurityTokenReference wsu:Id="reference-5-1213361112194-30222347">
  | 						<wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  | 					</wsse:SecurityTokenReference>
  | 				</ds:KeyInfo>
  | 
  | 				<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  | 					<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">lg6tOjzqKs26HX6KFk1nLA5YF5W5fQZ6dh2mzM9/V3r5Pg80vLz4x0EJ10Y1KdhXH08ijZxRZWjf
  | v1dqulorSnIyV7X0uk25y/OMDmkVYQ/VlQF7bxZr/5Q+UB6YwLy74N1jpx7lo4BZXUM9kEZmgFAo
  | o8SW8P3AcSgBAUoOpOc=</xenc:CipherValue>
  | 				</xenc:CipherData>
  | 				<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  | 					<xenc:DataReference URI="#encrypted-4-1213361112116-6044039" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  | 				</xenc:ReferenceList>
  | 			</xenc:EncryptedKey>
  | 			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 				<ds:SignedInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  | 					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  | 					<ds:Reference URI="#element-1-1213361110976-31952022" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 						<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  | 						</ds:Transforms>
  | 						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  | 						<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">l2LG3Bc2Rk+LgAjU2OP2vrVwYBM=</ds:DigestValue>
  | 					</ds:Reference>
  | 					<ds:Reference URI="#timestamp" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 						<ds:Transforms xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  | 						</ds:Transforms>
  | 						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>
  | 						<ds:DigestValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">GNamS8F3tDSDlfUzNxIzfYZpXdc=</ds:DigestValue>
  | 					</ds:Reference>
  | 				</ds:SignedInfo>
  | 				<ds:SignatureValue xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 				<!-- ... lot of base64 encoding ... -->
  | 				</ds:SignatureValue>
  | 				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 					<wsse:SecurityTokenReference wsu:Id="reference-3-1213361111663-15774883">
  | 						<wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  | 					</wsse:SecurityTokenReference>
  | 				</ds:KeyInfo>
  | 			</ds:Signature>
  | 		</wsse:Security>
  | 	</env:Header>
  | 	<env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="element-1-1213361110976-31952022">
  | 		<xenc:EncryptedData Id="encrypted-4-1213361112116-6044039" Type="http://www.w3.org/2001/04/xmlenc#Content" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  | 			<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/>
  | 			<xenc:CipherData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  | 				<xenc:CipherValue xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  | 				<!-- ... lot of base64 encoding ... -->
  | 				</xenc:CipherValue>
  | 			</xenc:CipherData>
  | 		</xenc:EncryptedData>
  | 	</env:Body>
  | </env:Envelope>
  | 
  | 
From my research, I know that the WebService system expects a request that looks as follows:

(Listing 2)


  | <SOAP:Envelope xmlns:SOAP="http://schemas.xmlsoap.org/soap/envelope/">
  | 	<SOAP:Header>
  | 		<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" SOAP:mustUnderstand="1">
  | 			<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="sap-9" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">
  | 
  | 			<!-- ... lot of base64 encoding ... -->
  | 
  | 			</wsse:BinarySecurityToken>
  | 			<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsu-targetID-1f10b320-0181-11dd-aebd-00144f2515b0">
  | 				<wsu:Created ValueType="xsd:dateTime">2008-04-03T13:23:17Z</wsu:Created>
  | 				<wsu:Expires ValueType="xsd:dateTime">2008-04-03T13:25:17Z</wsu:Expires>
  | 			</wsu:Timestamp>
  | 			<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="EK52789332">
  | 				<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
  | 
  | 				<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 					<wsse:SecurityTokenReference>
  | 						<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">yk+Civrkf+wQdj30aJid9VGnjtY=</wsse:KeyIdentifier>
  | 					</wsse:SecurityTokenReference>
  | 				</ds:KeyInfo>
  | 
  | 				<xenc:CipherData>
  | 					<xenc:CipherValue>
  | 
  | 					<!-- ... lot of base64 encoding ... -->
  | 
  | 					</xenc:CipherValue>
  | 				</xenc:CipherData>
  | 				<xenc:ReferenceList>
  | 					<xenc:DataReference URI="#ED13608949"/>
  | 				</xenc:ReferenceList>
  | 			</xenc:EncryptedKey>
  | 			<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  | 				<ds:SignedInfo>
  | 					<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  | 					<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  | 					<ds:Reference URI="#wsuid-body-1f108c10-0181-11dd-838e-00144f2515b0">
  | 						<ds:Transforms>
  | 							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  | 						</ds:Transforms>
  | 						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  | 						<ds:DigestValue>UaW58GCrg/nrA/EfW+OyHP2DCio=</ds:DigestValue>
  | 					</ds:Reference>
  | 					<ds:Reference URI="#wsu-targetID-1f10b320-0181-11dd-aebd-00144f2515b0">
  | 						<ds:Transforms>
  | 							<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
  | 						</ds:Transforms>
  | 						<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
  | 						<ds:DigestValue>LFuszgJ412Fe8PRtK3W69RTXndY=</ds:DigestValue>
  | 					</ds:Reference>
  | 				</ds:SignedInfo>
  | 				<ds:SignatureValue>
  | 
  | 				<!-- ... lot of base64 encoding ... -->
  | 
  | 				</ds:SignatureValue>
  | 				<ds:KeyInfo>
  | 					<wsse:SecurityTokenReference>
  | 						<wsse:Reference URI="#sap-9"/>
  | 					</wsse:SecurityTokenReference>
  | 				</ds:KeyInfo>
  | 			</ds:Signature>
  | 		</wsse:Security>
  | 	</SOAP:Header>
  | 	<SOAP:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="wsuid-body-1f108c10-0181-11dd-838e-00144f2515b0">
  | 		<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="ED13608949">
  | 			<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
  | 			<xenc:CipherData>
  | 				<xenc:CipherValue>
  | 
  | 				<!-- ... lot of base64 encoding ... -->
  | 
  | 				</xenc:CipherValue>
  | 			</xenc:CipherData>
  | 		</xenc:EncryptedData>
  | 	</SOAP:Body>
  | </SOAP:Envelope>
  | 


There is a significant difference in the Envelope/Header/Security/EncryptedKey/KeyInfo element (printed in bold). This difference causes
an error message:

"No SecurityTokenReference was found in the <xenc:EncryptedKey>/// element.",

showing the reason for the failure of the WS Client request processing by the system implementing the WebService. 

JBoss Native's

  | <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  |   <wsse:SecurityTokenReference wsu:Id="reference-5-1213361112194-30222347">
  |     <wsse:Reference URI="#token-2-1213361111663-11328770" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
  |   </wsse:SecurityTokenReference>
  | </ds:KeyInfo>
  | 

vs.

system implementing the WebService


  | <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  |   <wsse:SecurityTokenReference>
  |     <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">yk+Civrkf+wQdj30aJid9VGnjtY=
  |     </wsse:KeyIdentifier>
  |   </wsse:SecurityTokenReference>
  | </ds:KeyInfo>
  | 


It looks to me as if there is a difference in the implementation of WS-Security between JBossWS Native and the one of the
system on which the WebService runs.
I am wondering whether JBossWS Metro 3.0.2 behaves like JBossWS Native, differently, or even the same as in the second listing.
Does anyone know that? I am about to build a test case to find out, but it would be time-saving to know that beforehand ;-)

Obviously, when looking at http://support.microsoft.com/?scid=kb%3Ben-us%3B922779&x=8&y=13, the MS Web Services Enhancements 3.0 for Microsoft .NET implement WS-Security as in Listing 2, with a <ds:KeyInfo>/<wsse:SecurityTokenReference>/<wsse:KeyIdentifier>

instead of 
<ds:KeyInfo>/<wsse:SecurityTokenReference>/<wsse:Reference>

Why does JBoss Native implement WS-Security in this way?

Greets Andy
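As an added example (not part of Andy's post, nor JBossWS or Metro code), the following Python helper parses a captured WS-Security header and reports which SecurityTokenReference form the EncryptedKey uses, so the two variants compared in the thread can be told apart in a trace before the server rejects the request. The envelopes are constructed, minimal stand-ins for Listing 1 and Listing 2 (certificate and ciphertext elided); classify_encrypted_key_str and _envelope are names chosen here, not JBossWS API.

```python
import xml.etree.ElementTree as ET
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509_SKI = ("http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier")

def classify_encrypted_key_str(envelope_xml: str) -> dict:
    """Report how xenc:EncryptedKey/ds:KeyInfo names the recipient's key.
    'direct'         wsse:Reference URI (JBossWS Native, Listing 1); 'resolves' tells
                     whether the URI points at a BinarySecurityToken in the same header
    'key-identifier' wsse:KeyIdentifier (what the target system expects, Listing 2)
    'missing'        no wsse:SecurityTokenReference at all, the situation behind a
                     "No SecurityTokenReference was found" fault
    """
    root = ET.fromstring(envelope_xml)
    str_el = root.find(".//xenc:EncryptedKey/ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        return {"style": "missing"}
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None:
        uri = ref.get("URI", "")
        token_ids = {t.get("{%s}Id" % NS["wsu"])
                     for t in root.iter("{%s}BinarySecurityToken" % NS["wsse"])}
        return {"style": "direct", "uri": uri,
                "resolves": uri.startswith("#") and uri[1:] in token_ids}
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None:
        return {"style": "key-identifier", "value_type": kid.get("ValueType", "")}
    return {"style": "missing"}

def _envelope(key_info: str) -> str:
    # Constructed minimal header; certificate body and ciphertext are elided.
    return f"""<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" xmlns:xenc="{NS['xenc']}" xmlns:ds="{NS['ds']}">
 <env:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="token-1">MIIB...</wsse:BinarySecurityToken>
  <xenc:EncryptedKey><ds:KeyInfo>{key_info}</ds:KeyInfo></xenc:EncryptedKey>
 </wsse:Security></env:Header><env:Body/></env:Envelope>"""

STR = "<wsse:SecurityTokenReference>%s</wsse:SecurityTokenReference>"
JBOSS_STYLE = _envelope(STR % '<wsse:Reference URI="#token-1"/>')      # Listing 1 form
SKI_STYLE = _envelope(STR % ('<wsse:KeyIdentifier ValueType="%s">yk+Civrkf+wQdj30aJid9VGnjtY='
                             '</wsse:KeyIdentifier>' % X509_SKI))       # Listing 2 form
DANGLING = _envelope(STR % '<wsse:Reference URI="#token-9"/>')         # URI resolves to nothing
NO_STR = _envelope("<ds:X509Data/>")                                    # no STR in KeyInfo
```

A direct wsse:Reference is only usable by the receiver if the token it points at travels in the same header, which is what the 'dangling' sample exercises.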


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4162315#4162315