CXF-Metro WS-SecureConversation Interop issue (CXF client to Metro service)

cdangerv

Hello,
After running the Metro (v2.2.1) WS-SecureConversation sample (in the samples/wssc folder) successfully, I tried to replace the Metro client with a CXF (v2.7.8) client, and got the error below on the service side. Please find the following attached:
- debug logs from Metro with the requests/responses.
- the Metro service war to be deployed in Glassfish/Tomcat with Metro libraries (generated/deployed from the sample's ant task) for convenience. I changed the Basic256 assertions to Basic128 in the WSDL (compared to the original sample).
I can also send the CXF client part as a Maven project if necessary.

The first phase (over SSL) for bootstrapping the secure conversation goes fine, the SCT is successfully issued by the Metro service to the client after usernameToken authentication. The issue occurs when Metro receives the service request from CXF with the SCT previously established, apparently related to the verification of the signature on the timestamp. From the logs, the computed digest seems correct. So the issue may be related to something else like the key derivation or other difference in algorithm implementation between client and service. I would need some help finding the root cause.
Has anybody tried this use case before?

Thanks for your help.

Regards,
Cyril

--EXCEPTION ON METRO SERVICE--
Using configured PlainTextPasswordValidator................
context.isExpired >>> false
Dec 19, 2013 2:24:47 AM com.sun.xml.ws.security.opt.impl.incoming.Signature process
SEVERE: WSS1710: Signature Verification for Signature with ID SIG-4 failed
Dec 19, 2013 2:24:47 AM com.sun.xml.wss.jaxws.impl.SecurityServerTube processRequest
SEVERE: WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
at com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:159)
at com.sun.xml.ws.security.opt.impl.incoming.Signature.process(Signature.java:351)
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.handleSecurityHeader(Security
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.cacheHeaders(SecurityRecipien
at com.sun.xml.ws.security.opt.impl.incoming.SecurityRecipient.validateMessage(SecurityRecip
at com.sun.xml.wss.jaxws.impl.SecurityTubeBase.verifyInboundMessage(SecurityTubeBase.java:45
at com.sun.xml.wss.jaxws.impl.SecurityServerTube.processRequest(SecurityServerTube.java:295)
at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:1063)
at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:979)
at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:950)
at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:825)
at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:380)
at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:651)
at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:264)
at com.sun.xml.ws.transport.http.servlet.ServletAdapter.invokeAsync(ServletAdapter.java:218)
at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:159)
at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:194
at com.sun.xml.ws.transport.http.servlet.WSServlet.doPost(WSServlet.java:80)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.jav
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:722)

Attachment: cxf-client-metro-wssc-test.zip (40.19 KB)
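
An added example, not part of the original post or of the Metro/CXF code: it shows how a WS-SecureConversation derived-key signature can have a matching reference digest and still fail verification, because the digest is unkeyed while the SignatureValue is an HMAC-SHA1 under a key taken from P_SHA-1(secret, Label + Nonce). The secret, nonce, timestamp, key lengths and the simplified SignedInfo bytes are constructed assumptions; canonicalization is assumed already done.

```python
import base64
import hashlib
import hmac

DEFAULT_LABEL = b"WS-SecureConversationWS-SecureConversation"  # WS-SC default Label

def p_sha1(secret, seed, length):
    """P_SHA-1 (RFC 2246, section 5), the key stream behind wsc:DerivedKeyToken."""
    out, a = b"", seed                                   # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()   # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]

def derive_key(secret, nonce, length=32, offset=0, label=DEFAULT_LABEL):
    """Bytes [offset, offset+length) of P_SHA-1(secret, Label + Nonce)."""
    return p_sha1(secret, label + nonce, offset + length)[offset:]

def sign(key, element):
    """Sender: digest the element, embed it in SignedInfo, HMAC-SHA1 the SignedInfo."""
    digest = base64.b64encode(hashlib.sha1(element).digest())
    signed_info = b"<ds:SignedInfo><ds:DigestValue>" + digest + b"</ds:DigestValue></ds:SignedInfo>"
    return signed_info, hmac.new(key, signed_info, hashlib.sha1).digest()

def verify(key, element, signed_info, signature):
    """Receiver: returns (digest_ok, signature_ok) so the two checks can be told apart."""
    digest_ok = base64.b64encode(hashlib.sha1(element).digest()) in signed_info
    expected = hmac.new(key, signed_info, hashlib.sha1).digest()
    return digest_ok, hmac.compare_digest(expected, signature)

# Constructed sample values, not taken from the attached logs.
SECRET = bytes(range(32))            # stands in for the SCT's shared secret
NONCE = bytes(range(100, 116))       # stands in for wsc:Nonce of the DerivedKeyToken
TIMESTAMP = b'<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2013-12-19T01:24:47Z</wsu:Created></wsu:Timestamp>'

def run_case(sender, receiver):
    """Sign with the sender's derivation parameters, verify with the receiver's."""
    signed_info, sig = sign(derive_key(SECRET, NONCE, **sender), TIMESTAMP)
    return verify(derive_key(SECRET, NONCE, **receiver), TIMESTAMP, signed_info, sig)

if __name__ == "__main__":
    print("same parameters  ", run_case({"length": 16}, {"length": 16}))
    print("length 16 vs 24  ", run_case({"length": 16}, {"length": 24}))
    print("offset 0 vs 16   ", run_case({"length": 16}, {"length": 16, "offset": 16}))
    print("label differs    ", run_case({"length": 16}, {"length": 16, "label": b"other"}))
```

Comparing the Label, Nonce, Offset/Generation and Length that each stack applies to the DerivedKeyToken narrows a "digest matches, signature fails" report to the key rather than the signed content.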

cdangerv

One of my statements was wrong, sorry. It is actually Basic256 which is used in the service WSDL (like in the original Metro sample), not Basic128. But the error remains the same. Thanks for your help.
