Uploaded image for project: 'Spring Web Services'
  1. Spring Web Services
  2. SWS-701

Wss4jSecurityInterceptor decryption problem

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 2.0.1
    • Fix Version/s: None
    • Component/s: Security
    • Labels:
      None

      Description

      I would like to implement a web service that receive encrypted signed messages (XML-encryption and XML-Signature). Here's my interceptor part in spring-ws-servlet.xml :

      <bean id="crypto"
      		class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
      		<property name="keyStorePassword" value="${deltabank.security.server.keystore.password}" />
      		<property name="keyStoreLocation" value="file:${deltabank.security.server.keystore}" />
      	</bean>
      <sws:interceptors>
              <bean id="encryptInterceptor"
      			class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
      			<property name="securementActions" value="Signature Encrypt"/>
      			<property name="securementUsername" value="${deltabank.security.server.signature.keystore.alias}"/>
      			<property name="securementPassword" value="${deltabank.security.server.signature.keystore.alias.password}"/>
      			<property name="securementEncryptionUser" value="${deltabank.security.server.encryption.keystore.alias}" />
      			<property name="securementEncryptionCrypto">
      				<ref bean="crypto"/>
      			</property>
      			<property name="securementSignatureCrypto">
      				<ref bean="crypto"/>
      			</property>
      			
      			<property name="validationActions" value="Signature Encrypt"/>
      			<property name="validationDecryptionCrypto">
      				<ref bean="crypto"/>
      			</property>
      			<property name="validationSignatureCrypto">
      				<ref bean="crypto"/>
      			</property>
      			<property name="validationCallbackHandler">
      				<bean class="org.springframework.ws.soap.security.wss4j.callback.KeyStoreCallbackHandler">
      					<property name="privateKeyPassword" value="${deltabank.security.server.encryption.keystore.alias.password}"/>
      				</bean>
      			</property>
      		</bean>
      </sws:interceptors>
      

      Here's the part of the code of my client where the interceptor is created:

      Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
      		
      		CryptoFactoryBean cryptoFactoryBean = new CryptoFactoryBean();
      		cryptoFactoryBean.setKeyStoreLocation(new FileSystemResource("C:/Documents and Settings/a.barre/.keystore"));
      		cryptoFactoryBean.setKeyStorePassword("deltabank");		
      		cryptoFactoryBean.afterPropertiesSet();
      		Crypto crypto = cryptoFactoryBean.getObject();
      		
      		interceptor.setValidationActions("Signature Encrypt");		
      		interceptor.setValidationDecryptionCrypto(crypto);
      		KeyStoreCallbackHandler callbackHandler = new KeyStoreCallbackHandler();
      		callbackHandler.setPrivateKeyPassword("deltabank");
      		interceptor.setValidationCallbackHandler(callbackHandler);		
      		interceptor.setValidationSignatureCrypto(crypto);
      		
      		interceptor.setSecurementActions("Signature Encrypt");
      		interceptor.setSecurementUsername("tomcat");
      		interceptor.setSecurementPassword("deltabank");
      		interceptor.setSecurementEncryptionUser("tomcat");
      		interceptor.setSecurementEncryptionCrypto(crypto);
      		interceptor.setSecurementSignatureCrypto(crypto);
      		
      		setInterceptors(new ClientInterceptor[] {interceptor});
      

      Here's the logs for the web service:

      10:40:02.456 [http-8080-1] DEBUG o.s.w.t.h.WebServiceMessageReceiverHandlerAdapter - Accepting incoming [org.springframework.ws.transport.http.HttpServletConnection@11cf5b3] at [http://localhost:8080/funds-transfer]
      10:40:02.456 [http-8080-1] DEBUG o.s.w.server.MessageTracing.received - Received request [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData]
      10:40:02.456 [http-8080-1] DEBUG o.s.w.s.e.m.PayloadRootAnnotationMethodEndpointMapping - Looking up endpoint for [{http://www.w3.org/2001/04/xmlenc#}EncryptedData]
      10:40:02.456 [http-8080-1] DEBUG o.s.w.s.server.SoapMessageDispatcher - Endpoint mapping [org.springframework.ws.server.endpoint.mapping.PayloadRootAnnotationMethodEndpointMapping@140df03] has no mapping for request
      10:40:02.456 [http-8080-1] DEBUG o.s.w.s.s.e.m.SoapActionAnnotationMethodEndpointMapping - Looking up endpoint for []
      10:40:02.456 [http-8080-1] DEBUG o.s.w.s.server.SoapMessageDispatcher - Endpoint mapping [org.springframework.ws.soap.server.endpoint.mapping.SoapActionAnnotationMethodEndpointMapping@1f13e99] has no mapping for request
      10:40:02.456 [http-8080-1] WARN  o.s.ws.server.EndpointNotFound - No endpoint mapping found for [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData]
      10:40:02.456 [http-8080-1] DEBUG o.s.w.t.h.MessageDispatcherServlet - Successfully completed request
      

      Here is the request sent by the client:

      <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <SOAP-ENV:Header>
          <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                         SOAP-ENV:mustUnderstand="1">
            <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                               Id="EncKeyId-D8F835AB8EC535FF8813015608023945">
              <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
              <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                  <ds:X509Data>
                    <ds:X509IssuerSerial>
                      <ds:X509IssuerName>CN=Arnaud BARRE,OU=Delta WS,O=Delta Informatique,L=Tours,ST=37,C=FR</ds:X509IssuerName>
                      <ds:X509SerialNumber>1301067314</ds:X509SerialNumber>
                    </ds:X509IssuerSerial>
                  </ds:X509Data>
                </wsse:SecurityTokenReference>
              </ds:KeyInfo>
              <xenc:CipherData>
                <xenc:CipherValue>AG+v+wtJHbZnhFB/sZ27g8fzRuFfUdh04uF7YlZ0EZxw28d5BsFT3ekCaXiYmmGHG2yiv2cyr5khze+p6lrN6I6okVtoiKxNTljM0dRv+B1eRsglIBfiWEzH3a1LRje5XD3NWVKmF8O2uEmt1/CjIUHnGcu2svUiPpKisIgJ4Zg=</xenc:CipherValue>
              </xenc:CipherData>
              <xenc:ReferenceList>
                <xenc:DataReference URI="#EncDataId-3" />
              </xenc:ReferenceList>
            </xenc:EncryptedKey>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                          Id="Signature-1">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                <ds:Reference URI="#id-2">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                  <ds:DigestValue>oVw2xDtXKZMxmmqbJj1vVhuMmyk=</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>
      hZy5vlcHb/Z7qD8lBJTnYj73lKGuWJnC/gDi6krQIbjGnnDn0+dfOOch7dJ9wlgubBluyf+KtHkL
      XeZT662tgfXrSvuPMVKJa0arDfwtwUI45VCmFFkTySzk41M6Iysv2K84Av4HKgCF4r0KzSceFaLr
      9AH4C2yQ2uuPUF3Rlu8=
      </ds:SignatureValue>
              <ds:KeyInfo Id="KeyId-D8F835AB8EC535FF8813015608017382">
                <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                                             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                             wsu:Id="STRId-D8F835AB8EC535FF8813015608017533">
                  <ds:X509Data>
                    <ds:X509IssuerSerial>
                      <ds:X509IssuerName>CN=Arnaud BARRE,OU=Delta WS,O=Delta Informatique,L=Tours,ST=37,C=FR</ds:X509IssuerName>
                      <ds:X509SerialNumber>1301067314</ds:X509SerialNumber>
                    </ds:X509IssuerSerial>
                  </ds:X509Data>
                </wsse:SecurityTokenReference>
              </ds:KeyInfo>
            </ds:Signature>
          </wsse:Security>
        </SOAP-ENV:Header>
        <SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                       wsu:Id="id-2">
          <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                              Id="EncDataId-3"
                              Type="http://www.w3.org/2001/04/xmlenc#Content">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" />
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <wsse:Reference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                URI="#EncKeyId-D8F835AB8EC535FF8813015608023945" />
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
              <xenc:CipherValue>FDFo13ZDhmMbQ72D4ho/sEVmAD5xVdaMmFaI7tarhPq9ykWpmWF97IvgiGs1VUNW5DH0xS9SbukY
      UUF2KazElMmPdAmSsW8C2p25xzHdX4Ub658pXWeJRYvRv0Akl0gk1vKsH+Ho48LDNd2gpdE9Oweq
      jlYy5CcRSN39E7ntXcXf6PBpTzY8uoEC6mqNFMzB2ZRnONNN1uNOip9VKNk2l4l/NrQ2hxFt06Df
      JWRIBGFwUeOIkTtxmZYzjEX4QnCG1Ai13NmkMnDWU3PJarq/r6KrHKtEZM85Iq9UucM73VEJF7q4
      HUSVQrMjgbz2ThRyjBKYwIYeQhb3fRQj91ADK8H2tueOVRat/44BqtWCqaNNkGazAsTxhQT0xL4K
      VinxpucsvbeKmyjgL0ImyedgAP06ecTvcK7k2N9Tweea4iTM8KaDBvIET5NTaTERPLUK0bQBIF9F
      OIdEAYJgjWgxmPLCkaJh+3xUuwaTDFrFTWU=</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedData>
        </SOAP-ENV:Body>
      </SOAP-ENV:Envelope>
      

      I don't see why the request is not decrypted by the security interceptor. Did I do something's wrong?

      Thanks,

      Arnaud

        Attachments

          Activity

            People

            • Assignee:
              arjen.poutsma Arjen Poutsma
              Reporter:
              abarre Arnaud BARRE
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: