List: xmlrpc-user
Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later
From: detelinyordanov () gmail ! com
Date: 2014-07-11 10:51:01
Message-ID: CAEu2FROFgVyKeMUTt+j_BY14LozcRCzeAUD3tpHqWXrd1xyNZQ () mail ! gmail ! com
Hi again,
I opened a request in Rampart JIRA to upgrade to wss4j 1.6.16:
RAMPART-415 <https://issues.apache.org/jira/browse/RAMPART-415>. I provided
the patch there and also mentioned another issue which I discovered
after applying the workaround for the empty Ids.
Regards,
Detelin
On Fri, Jul 11, 2014 at 2:21 AM, <detelinyordanov@gmail.com> wrote:
> Hi Martin,
> What about this one - it would log empty ids at debug level:
>
> Index:
> modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
> ===================================================================
> ---
> modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
> (revision 1609336)
> +++
> modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
> (working copy)
> @@ -1472,7 +1472,12 @@
>
> String encrKeyId = (String)
> wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
> if (actInt == WSConstants.ENCR &&
> encrKeyId != null) {
> - return encrKeyId;
> + if (encrKeyId.length() > 0) {
> + return encrKeyId;
> + }
> + else if (log.isDebugEnabled()) {
> + log.debug("Found encryption security processing
> result with empty id, skipping it: " + wsSecEngineResult);
> + }
> }
> }
> }
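Review bot: the added `log.debug("Found encryption security processing result with empty id, skipping it: " + wsSecEngineResult)` concatenates the whole result map into the log line; the code quoted later in this thread reads TAG_SECRET and TAG_ENCRYPTED_EPHEMERAL_KEY out of the same kind of result, so it is safer to log only the action and the result's key set (for example `wsSecEngineResult.keySet()`) than the map itself. The hunk also does not show what the method returns once every ENCR result has been skipped, so the caller (AsymmetricBindingBuilder.setupEncryptedKey per the thread) should treat a missing id as an error rather than building a reference from it.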
>
> Regards,
> Detelin
>
>
> On Thu, Jul 10, 2014 at 2:30 AM, Martin Gainty <mgainty@hotmail.com> wrote:
>
> >
> > ------------------------------
> > Date: Wed, 9 Jul 2014 22:48:36 +0300
> >
> > Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later
> > From: detelinyordanov@gmail.com
> > To: mgainty@hotmail.com
> > CC: dev@ws.apache.org
> >
> > Hi Martin,
> > I think that the code you are referring to is in
> > SymmetricBindingBuilder and it indeed checks if the Id is empty. However,
> > the one in RampartUtil.getRequestEncryptedKeyId() does not do so. The fix
> > is to add a check for empty Id there as well:
> >
> > Index:
> > modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
> > ===================================================================
> > ---
> > modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
> > (revision 1608682)
> > +++
> > modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java
> > (working copy)
> > @@ -1471,7 +1471,7 @@
> > Integer actInt = (Integer)
> > wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);
> > String encrKeyId = (String)
> > wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
> > if (actInt == WSConstants.ENCR &&
> > - encrKeyId != null) {
> > + encrKeyId != null && encrKeyId.length() > 0) {
> > return encrKeyId;
> > }
> > }
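Review bot: `encrKeyId != null && encrKeyId.length() > 0` fixes the selection, but the skip is silent, so an operator who hits the WSS4J 1.6.5+ empty-id result gets no hint why the EncryptedKey was not found; a debug log of the skipped result's action and id when the condition fails would help the next person. On the unchanged context line `if (actInt == WSConstants.ENCR &&`, `actInt` is an `Integer` that is unboxed for the comparison, so a result without a TAG_ACTION entry would throw a NullPointerException here; guarding with `actInt != null &&` keeps the loop robust.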
> >
> > MG>good that you are not using a null Id ..BETTER if you tell the op they
> > have a NULL ID
> > MG>wsu spec is here
> > MG>
> > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> >
> > This fix would be needed if/when Rampart upgrades to wss4j version higher
> > than 1.6.4. Once wss4j 1.6.17 is released, the fix will no longer be
> > needed, but it still does not hurt to have it there. Would you like me to
> > open a jira issue about this in Rampart? I was planning to file a request
> > for wss4j upgrade in Rampart and I could mention this issue there and
> > attach the above patch.
> > MG>good idea *if* you log the error; otherwise the next guy that
> > implements Rampart will run into the same problem
> >
> > Regards,
> > Detelin
> > MG>Regards
> > MG>Martin
> >
> >
> > On Wed, Jul 9, 2014 at 5:05 PM, Martin Gainty <mgainty@hotmail.com> wrote:
> >
> >
> >
> > ------------------------------
> > Date: Wed, 9 Jul 2014 14:23:47 +0100
> > Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and later
> > From: coheigea@apache.org
> > To: detelinyordanov@gmail.com
> > CC: dev@ws.apache.org
> >
> >
> > Well the thing is that WSS4J 1.6.16 was just released, and so the next
> > release won't happen for a couple of months probably. So if you want to see
> > a Rampart release before then, you could just submit a patch to check that
> > the Id isn't empty.
> >
> > Colm.
> >
> >
> > On Wed, Jul 9, 2014 at 1:32 PM, <detelinyordanov@gmail.com> wrote:
> >
> > I can open a defect in Rampart, but I'm not sure what the proposed change
> > there should be - I was thinking that it can check for an empty id tag
> > and skip the result, but if wss4j does not generate results with an empty id
> > anymore, this will not be required. Rampart uses the following code to
> > identify the encryption key id from the request, for which a response is
> > generated:
> >
> > for (WSSecurityEngineResult wsSecEngineResult : wsSecEngineResults) {
> >     Integer actInt = (Integer) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);
> >     String encrKeyId = (String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
> >     if (actInt == WSConstants.ENCR && encrKeyId != null) {
> >         return encrKeyId;
> >     }
> > }
> >
> > If you think the above is improper or can be improved, just let me know
> > and I will follow up with Rampart devs.
> >
> > Detelin
> >
> > MG>the rampart distro that accompanies Axis2-1.6.2 detected the missing
> > tag 'id'
> >
> > for (WSSecurityEngineResult wsSecEngineResult : wsSecEngineResults) {
> >     Integer actInt = (Integer) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);
> >     if (actInt == WSConstants.ENCR) {
> >         if (wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID) != null &&
> >             ((String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID)).length() != 0) {
> >             try {
> >                 String encryptedKeyID = (String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);
> >
> >                 Date created = new Date();
> >                 Date expires = new Date();
> >                 expires.setTime(System.currentTimeMillis() + 300000);
> >                 EncryptedKeyToken tempTok = new EncryptedKeyToken(encryptedKeyID, created, expires);
> >                 tempTok.setSecret((byte[]) wsSecEngineResult.get(WSSecurityEngineResult.TAG_SECRET));
> >                 tempTok.setSHA1(getSHA1((byte[]) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));
> >                 rmd.getTokenStorage().add(tempTok);
> >
> >                 return encryptedKeyID;
> >
> >             } catch (TrustException e) {
> >                 throw new RampartException("errorInAddingTokenIntoStore");
> >             }
> > MG>i would add an else condition to toss a message to the op
> >         } else {
> >             throw new RampartException("security_engine_result_missing_id");
> >         }
> > MG>end else
> > MG>errors.properties would contain new entry:
> > security_engine_result_missing_id=Rampart Security Engine Result is missing 'id' token element
> > MG>if you make the suggestion for correction I will follow thru and make
> > sure it gets implemented
> > MG>https://issues.apache.org/jira/browse
> > MG>Thanks Detelin,
> > MG>Martin
> >
> >
> > On Wed, Jul 9, 2014 at 12:45 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> >
> >
> > Thanks for the investigation. It turns out Maven 3.0.x is required to
> > build Rampart.
> >
> > I've merged a "fix" for this issue in WSS4J, where we don't store the
> > token Id if it is an empty String. IMO Rampart should also be fixed.
> >
> > Colm.
> >
> >
> > On Tue, Jul 8, 2014 at 6:03 PM, <detelinyordanov@gmail.com> wrote:
> >
> > I have not seen these; probably it is the "copy-mars" execution in the
> > integration module that is causing them. It could be some dependency
> > resolution problem for "mar" artifacts; I'm using Maven 3.0.4 and did not
> > experience such issues.
> >
> > I have some more input on the problem - I think that the introduction of
> > an "id" tag for reference list results is confusing Rampart, specifically
> > the first change here:
> >
> >
> > http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws/security/processor/ReferenceListProcessor.java?r1=1294114&r2=1294113&pathrev=1294114
> >
> > In the example request that I attached, there is a ReferenceList element
> > that looks like this:
> >
> > <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> >   <xenc:DataReference URI="#ED-5"/>
> > </xenc:ReferenceList>
> > When processing this, the ReferenceListProcessor with the mentioned
> > change now creates a result instance, but with an empty "id" tag, since the
> > ReferenceList element does not have "Id" attribute. The result object looks
> > like this:
> >
> > {id=, data-ref-uris=[org.apache.ws.security.WSDataRef@3e9c6879],
> > action=4, validated-token=false}
> >
> > When generating the response, Rampart's AsymmetricBindingBuilder searches
> > for the encrypted key by iterating over the results list and checking for a
> > result with action=4 (ENCR) and a non-empty id tag, see the
> > AsymmetricBindingBuilder.setupEncryptedKey and
> > RampartUtil.getRequestEncryptedKeyId methods:
> >
> >
> > http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modules/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java?view=markup#l868
> >
> > http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?view=markup#l1442
> >
> > Apparently, it now picks up the result of the ReferenceListProcessor
> > since it has an "id" tag, but since it has an empty value, the
> > "AsymmetricBindingBuilder.encryptedKeyId" field is also left empty and
> > this leads to a missing token in the response...
> > Commenting out the line in the ReferenceListProcessor that adds the "id"
> > tag fixes the issue - Rampart then properly finds the result of the
> > DerivedKeyTokenProcessor and not the one of the ReferenceListProcessor.
> >
> > Now the question is whether this has to be fixed in Rampart or in WSS4J?
> >
> > Regards,
> > Detelin
> >
> > On Tue, Jul 8, 2014 at 6:39 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> >
> > I keep getting these "Could not find file
> > .../target/artifacts/addressing-1.6.3-SNAPSHOT.mar to copy" type errors on
> > the 1.6.x branch. How do I work around this?
> >
> > Colm.
> >
> >
> > On Tue, Jul 8, 2014 at 4:21 PM, <detelinyordanov@gmail.com> wrote:
> >
> > Hi Colm,
> > What I did so far is to checkout Rampart (I have tried both trunk and
> > 1.6 branches), increase the wss4j dependency to 1.6.5 and run "mvn clean
> > package -Dtest=RampartTest". This fails on the "Testing WS-Sec: custom
> > scenario 7" with the error I described. Switching the dependency back to
> > 1.6.4 fixes this issue, but still there is one additional scenario (28)
> > which is failing, however I presume it is not related with wss4j but
> > probably with Axiom.
> >
> > I have checked out the wss4j 1.6.x branch and built it locally, then switched
> > Rampart to this version and re-executed the tests. The tests succeeded up
> > until the point I switched to wss4j revision 1294114. With the previous 1294094
> > revision, this scenario is working fine.
> >
> > I was thinking it might be related with changes of other dependencies,
> > but I doubt this is the case, since this revision does not introduce
> > dependency changes.
> >
> > I will continue with the investigation and let you know once I have more
> > information.
> >
> > Thanks,
> > Detelin
> >
> >
> > On Tue, Jul 8, 2014 at 4:51 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
> >
> >
> > Are you sure that the commit you referenced above is causing the problem?
> > Rampart trunk fails on that test for me with WSS4J 1.6.4. Rampart 1.6.x
> > branch fails on something else...
> >
> > If you have time to look into it, you could try checking out that
> > SNAPSHOT version of WSS4J (before the commit) + check that it works + then
> > apply each change and see what change causes the failure. Ultimately, it
> > looks like Rampart might be at fault, as the response message is not
> > composed properly.
> >
> > Colm.
> >
> >
> > On Tue, Jul 8, 2014 at 12:55 PM, <detelinyordanov@gmail.com> wrote:
> >
> > Hi everyone,
> > Our team worked on new functionality that is to be released with
> > upcoming wss4j 1.6.16 (WSS-500
> > <https://issues.apache.org/jira/browse/WSS-500> & WSS-501
> > <https://issues.apache.org/jira/browse/WSS-501>). We have managed to
> > integrate this functionality within Apache Rampart 1.6.2 and are willing to
> > contribute the necessary pieces there as well. However, so far we have been
> > using wss4j 1.6.4 + the corresponding patches and they seem to work fine
> > with Rampart 1.6.2.
> > Once I saw the vote for releasing wss4j 1.6.16, I decided to try to build
> > Rampart 1.6.2 against it, just to make sure it can adopt this new version
> > in near future.
> > However, I stumbled upon a test failure in the Rampart integration module,
> > which I managed to track down to a specific commit in wss4j. The commit is
> > quite old; it was released in wss4j 1.6.5 (latest Rampart uses 1.6.4). The
> > change that causes trouble is the following:
> >
> > http://svn.apache.org/viewvc?view=revision&revision=1294114
> >
> > Log message says "Only decrypt a Data Reference in the
> > ReferenceListProcessor, if it hasn't already been decrypted by the
> > EncryptedDataProcessor".
> >
> > The specific Rampart test that fails is
> > "org.apache.rampart.RampartTest#testWithPolicy()" using the following
> > security policy:
> >
> >
> > http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/7.xml
> >
> > I'm attaching the SOAP request and response (request.xml and
> > response.xml), the actual error message is on the client side, when
> > processing the response from the service:
> > java.lang.StringIndexOutOfBoundsException: String index out of range: 0
> >   at java.lang.String.charAt(String.java:658)
> >   at org.apache.ws.security.WSDocInfo.getResult(WSDocInfo.java:225)
> >   at org.apache.ws.security.str.DerivedKeyTokenSTRParser.parseSecurityTokenReference(DerivedKeyTokenSTRParser.java:90)
> >   at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:53)
> >   at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:398)
> >   at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)
> >   at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
> >   at org.apache.rampart.RampartEngine.process(RampartEngine.java:147)
> >
> > The stack trace is generated using wss4j revision 1294114.
> >
> > It can be seen that the response contains invalid references (URI not
> > correctly set):
> >
> > <wsse:SecurityTokenReference ... wsu:Id="STR-AA4ACE8415228CCC8E140481886870110">
> >   <wsse:Reference URI="#" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
> > </wsse:SecurityTokenReference>
> >
> > I'm now trying to figure out what is the root cause of this and whether
> > the problem is on the wss4j side or on Rampart's side, but I would be glad
> > if anyone more experienced takes a look into this and provides some
> > feedback.
> >
> > Thanks!
> >
> > Detelin
> >
> >
> >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>
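As an added illustration, not code from the thread or from Rampart/wss4j, here is a Python model of the lookup discussed above: the result list is constructed to mirror the empty-id ReferenceListProcessor result Detelin printed, the unpatched and patched selection loops are shown side by side, and a small receiver-side check reports the resulting URI="#" reference cleanly instead of failing with the index error from the stack trace. Namespace URIs are the standard WSS ones; all identifiers and the dict-based result shape are assumptions of this example.

```python
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger("rampart.model")

# Action code of an encryption result; matches the "action=4" printed in the thread.
WS_ENCR = 4

# Constructed WSS4J-style result list (dicts standing in for WSSecurityEngineResult).
# Entry 0 mirrors the ReferenceListProcessor result quoted in the thread, with an
# empty "id"; entry 1 stands for the EncryptedKey result Rampart actually needs.
# All identifiers are made up for this example.
RESULTS = [
    {"action": WS_ENCR, "id": "", "data-ref-uris": ["#ED-5"], "validated-token": False},
    {"action": WS_ENCR, "id": "EK-EXAMPLE-1", "secret": b"\x00" * 16},
    {"action": 16, "id": "DK-EXAMPLE-1"},  # a different action; must never be chosen
]


def get_request_encrypted_key_id_unpatched(results):
    """Rampart's lookup before the fix: any non-None id is accepted, so the empty
    ReferenceList id wins and later surfaces as URI="#" in the response."""
    for result in results:
        if result.get("action") == WS_ENCR and result.get("id") is not None:
            return result["id"]
    return None


def get_request_encrypted_key_id(results):
    """Lookup with the empty-id check from the thread's patch, plus a guard for
    results that carry no action at all (an addition of this example)."""
    for result in results:
        if result.get("action") != WS_ENCR:
            continue
        key_id = result.get("id")
        if key_id:
            return key_id
        # Log the skip without dumping the whole result: an ENCR result can carry
        # the decrypted secret, which does not belong in a log file.
        log.debug("skipping ENCR result with empty id; keys=%s", sorted(result))
    return None


WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
XENC = "http://www.w3.org/2001/04/xmlenc#"


def build_security_header(encrypted_key_id):
    """Minimal wsse:Security header in the shape Rampart emits for the response
    (constructed): an EncryptedKey plus an STR pointing at it. An empty id yields
    exactly the URI="#" reference the thread reports."""
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}" xmlns:xenc="{XENC}">'
        '<xenc:EncryptedKey wsu:Id="EK-EXAMPLE-1"/>'
        '<wsse:SecurityTokenReference wsu:Id="STR-1">'
        f'<wsse:Reference URI="#{encrypted_key_id}" '
        'ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>'
        "</wsse:SecurityTokenReference></wsse:Security>"
    )


def find_bad_references(security_header_xml):
    """Return the URIs of wsse:Reference elements that are empty or whose local
    fragment does not resolve to a wsu:Id in the header. Run on the receiving side,
    this reports the malformed response cleanly instead of failing with a string
    index error deep inside the WSS4J processor chain."""
    root = ET.fromstring(security_header_xml)
    wsu_id = f"{{{WSU}}}Id"
    known_ids = {el.get(wsu_id) for el in root.iter() if el.get(wsu_id)}
    bad = []
    for ref in root.iter(f"{{{WSSE}}}Reference"):
        uri = ref.get("URI", "")
        if not uri or (uri.startswith("#") and uri[1:] not in known_ids):
            bad.append(uri)
    return bad


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    for lookup in (get_request_encrypted_key_id_unpatched, get_request_encrypted_key_id):
        key_id = lookup(RESULTS)
        header = build_security_header(key_id or "")
        print(f"{lookup.__name__}: id={key_id!r} bad references={find_bad_references(header)}")
```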
[Attachment #3 (text/html)]
<div dir="ltr"><div><div>Hi again,<br> I opened a request in Rampart JIRA to \
upgrade to wss4j 1.6.16: <a \
href="https://issues.apache.org/jira/browse/RAMPART-415">RAMPART-415</a>. I provided \
the patch there, also mentioned about another issue which I discovered after applying \
the workaround for the empty Ids.<br> <br></div>Regards,<br></div> \
Detelin<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, \
Jul 11, 2014 at 2:21 AM, <span dir="ltr"><<a \
href="mailto:detelinyordanov@gmail.com" \
target="_blank">detelinyordanov@gmail.com</a>></span> wrote:<br> <blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div dir="ltr"><div><div>Hi Martin,<br></div> What about \
this one - it would log empty ids with debug level:<br><br>Index: \
modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java<br> \
===================================================================<br>
--- modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java \
(revision 1609336)<br>+++ \
modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java \
(working copy)<br>@@ -1472,7 +1472,12 @@<div class=""> <br>
String encrKeyId = (String) \
wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);<br> \
if (actInt == WSConstants.ENCR &&<br> \
encrKeyId != null) {<br></div>- return \
encrKeyId;<br>
+ if (encrKeyId.length() > 0) {<br>+ \
return encrKeyId;<br>+ }<br>+ \
else if (log.isDebugEnabled()) {<br>+ \
log.debug("Found encryption security processing result with empty id, skipping \
it: " + wsSecEngineResult);<br>
+ }<br> }<br> \
}<br> }<br><br></div><div>Regards,<br></div><div> \
Detelin<br></div><div><div class="h5"><div><div><div><div><div><div><div \
class="gmail_extra"><br><br> <div class="gmail_quote">
On Thu, Jul 10, 2014 at 2:30 AM, Martin Gainty <span dir="ltr"><<a \
href="mailto:mgainty@hotmail.com" target="_blank">mgainty@hotmail.com</a>></span> \
wrote:<br> <blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><div dir="ltr"><br><div><hr>Date: Wed, 9 Jul 2014 22:48:36 \
+0300<div><br>Subject: Re: Apache Rampart test failure with wss4j 1.6.5 and \
later<br></div>From: <a href="mailto:detelinyordanov@gmail.com" \
target="_blank">detelinyordanov@gmail.com</a><br>
To: <a href="mailto:mgainty@hotmail.com" \
target="_blank">mgainty@hotmail.com</a><br>CC: <a href="mailto:dev@ws.apache.org" \
target="_blank">dev@ws.apache.org</a><br><br><div \
dir="ltr"><div><div><div><div><div>Hi Martin,<br>
</div> I think that the code you are referring to is in SymmetricBindingBuilder \
and it indeed checks if the Id is empty. However, the one in \
RampartUtil.getRequestEncryptedKeyId() does not do so. The fix is to add a check for \
empty Id there as well:<br>
<br>Index: modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java<br>===================================================================<br>--- \
modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java \
(revision 1608682)<br>
+++ modules/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java \
(working copy)<br>@@ -1471,7 +1471,7 @@<br> Integer \
actInt = (Integer) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);<br>
String encrKeyId = (String) \
wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);<br> \
if (actInt == WSConstants.ENCR &&<br>- \
encrKeyId != null) {<br>+ encrKeyId != \
null && encrKeyId.length() > 0) {<br>
return encrKeyId;<br> \
}<br> }<br><br></div>MG>good that you are not using a null \
Id ..BETTER if you tell the op they have a NULL ID<br>MG>wsu spec is \
here<br>MG><a href="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" \
target="_blank">http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd</a><br>
<br></div><div>This fix would be needed if/when Rampart upgrades to wss4j version \
higher than 1.6.4. Once wss4j 1.6.17 is released, the fix will no longer be needed, \
but it still does not hurt to have it there. Would you like me to open a jira issue \
about this in Rampart? I was planning to file a request for wss4j upgrade in Rampart \
and I could mention this issue there and attach the above patch.<br>
</div>MG>good idea *if* you log the error otherwise the next guy that implements \
Rampart will run into the same problem<br> <br></div>Regards,<br></div> \
Detelin<br>MG>Regards<br>MG>Martin<br></div><div><div><div><br><br><div>On Wed, \
Jul 9, 2014 at 5:05 PM, Martin Gainty <span dir="ltr"><<a \
href="mailto:mgainty@hotmail.com" target="_blank">mgainty@hotmail.com</a>></span> \
wrote:<br>
<blockquote style="border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><div dir="ltr"><br><br><div><hr>Date: Wed, 9 Jul 2014 14:23:47 +0100<br>Subject: \
Re: Apache Rampart test failure with wss4j 1.6.5 and later<br>From: <a \
href="mailto:coheigea@apache.org" target="_blank">coheigea@apache.org</a><br>
To: <a href="mailto:detelinyordanov@gmail.com" \
target="_blank">detelinyordanov@gmail.com</a><br>CC: <a \
href="mailto:dev@ws.apache.org" \
target="_blank">dev@ws.apache.org</a><div><br><br><div dir="ltr">Well the thing is \
that WSS4J 1.6.16 was just released, and so the next release won't happen for a \
couple of months probably. So if you want to see a Rampart release before then, you \
could just submit a patch to check that the Id isn't empty.<br>
<br>Colm.<br></div></div><div><br><br><div><div>On Wed, Jul 9, 2014 at 1:32 PM, \
<span dir="ltr"><<a href="mailto:detelinyordanov@gmail.com" \
target="_blank">detelinyordanov@gmail.com</a>></span> wrote:<br>
</div><blockquote style="border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div>I can open a defect \
in Rampart, but I'm not sure what should be the proposed change there - I was \
thinking that it can check for empty id tag and skip the result, but if wss4j does \
not generate results with empty id anymore, this will not be required. Rampart uses \
the following code to identify the encryption key id from the request, for which a \
response in generated:<br>
<br>for (WSSecurityEngineResult wsSecEngineResult : wsSecEngineResults) {<br> \
Integer actInt = (Integer) \
wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);<br> String encrKeyId \
= (String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);<br>
if (actInt == WSConstants.ENCR && encrKeyId != null) {<br> \
return encrKeyId;<br> }<br>}<br><br></div>If you think the above is improper or \
can be improved, just let me know and I will follow up with Rampart devs.<br>
<br></div>Detelin<br><br></div>MG>the rampart distro that accompanies Axis2-1.6.2 \
detected the missing tag 'id'<div><br> for \
(WSSecurityEngineResult wsSecEngineResult : wsSecEngineResults) {<br> Integer actInt \
= (Integer) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ACTION);<br></div> \
if (actInt == WSConstants.ENCR) {<br> if \
(wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID) != null &&<br>
((String) \
wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID)).length() != 0) {<br> \
try {<br> String encryptedKeyID \
= (String) wsSecEngineResult.get(WSSecurityEngineResult.TAG_ID);<br>
<br> Date created = new \
Date();<br> Date expires = new \
Date();<br> \
expires.setTime(System.currentTimeMillis() + 300000);<br> \
EncryptedKeyToken tempTok = new EncryptedKeyToken(encryptedKeyID, created, \
expires);<br>
tempTok.setSecret((byte[]) \
wsSecEngineResult.get(WSSecurityEngineResult.TAG_SECRET));<br> \
tempTok.setSHA1(getSHA1((byte[]) wsSecEngineResult.<br> \
get(WSSecurityEngineResult.TAG_ENCRYPTED_EPHEMERAL_KEY)));<br>
\
rmd.getTokenStorage().add(tempTok);<br><br> \
return encryptedKeyID;<br><br> } catch \
(TrustException e) {<br> throw \
new RampartException("errorInAddingTokenIntoStore");<br>
}<br>MG>i would add a else \
condition to toss a message to the op<br> \
else<br> {<br> \
throw new RampartException("security_engine_result_missing_id");<br>
}<br>MG>end \
else<br>MG>errors.properties would contain new entry:<br> \
security_engine_result_missing_id=Rampart Security Engine Result is missing \
'id' token element<br>
MG>if you make the suggestion for correction I will follow thru and make sure it \
gets implemented<br>MG><a href="https://issues.apache.org/jira/browse" \
target="_blank">https://issues.apache.org/jira/browse</a><br>MG>Thanks \
Detelin,<br>
MG>Martin<br></div><div><div><div><br><br><div>On Wed, Jul 9, 2014 at 12:45 PM, \
Colm O hEigeartaigh <span dir="ltr"><<a href="mailto:coheigea@apache.org" \
target="_blank">coheigea@apache.org</a>></span> wrote:<br>
<blockquote style="border-left:1px solid rgb(204,204,204);padding-left:1ex"><div \
dir="ltr"><div><div><div><br></div>Thanks for the investigation. It turns out Maven \
3.0.x is required to build Rampart. <br>
<br></div>I've merged a "fix" for this issue in WSS4J, where we \
don't store the token Id if it is an empty String. IMO Rampart should also be \
fixed.<span><font color="#888888"><br> <br></font></span></div><span><font \
color="#888888">Colm.<br></font></span></div><div><div><div><br><br><div>On Tue, Jul \
8, 2014 at 6:03 PM, <span dir="ltr"><<a href="mailto:detelinyordanov@gmail.com" \
target="_blank">detelinyordanov@gmail.com</a>></span> wrote:<br>
<blockquote style="border-left:1px solid rgb(204,204,204);padding-left:1ex"><div \
dir="ltr"><div><div><div><div><div><div><div><div><div>I have not seen these, \
probably it is the "copy-mars" execution in the integration module that is \
causing them. It could be some dependency resolution problem for "mar" \
artifacts, I'm using Maven 3.0.4 and did not experience such issues.<br>
<br></div>I have some more input on the problem - I think that the introduction of an \
"id" tag for reference list results is confusing Rampart, specifically the \
first change here:<br><br><a \
href="http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org/apache/ws \
/security/processor/ReferenceListProcessor.java?r1=1294114&r2=1294113&pathrev=1294114" \
target="_blank">http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/main/java/org \
/apache/ws/security/processor/ReferenceListProcessor.java?r1=1294114&r2=1294113&pathrev=1294114</a><br>
<br></div>In the example request that I attached, there is a ReferenceList element \
that looks like this:<br><br><xenc:ReferenceList xmlns:xenc="<a \
href="http://www.w3.org/2001/04/xmlenc#" \
target="_blank">http://www.w3.org/2001/04/xmlenc#</a>"><xenc:DataReference \
URI="#ED-5"/></xenc:ReferenceList><br>
<br></div>When processing this, the ReferenceListProcessor with the mentioned change \
now creates a result instance, but with an empty "id" tag, since the \
ReferenceList element does not have "Id" attribute. The result object looks \
like this:<br>
<br>{id=, data-ref-uris=[org.apache.ws.security.WSDataRef@3e9c6879], action=4, \
validated-token=false}<br><br></div>When generating the response, Rampart's \
AssymetricBindingBuilder searches for the encrypted key by iterating over the results \
list and checking for a result with action=4 (ENCR) and a non-empty id tag, see \
AsymmetricBindingBuilder.setupEncryptedKey and RampartUtil.getRequestEncryptedKeyId \
methods:<br>
<br><a href="http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modules \
/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java?view=markup#l868" \
target="_blank">http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modu \
les/rampart-core/src/main/java/org/apache/rampart/builder/AsymmetricBindingBuilder.java?view=markup#l868</a><br>
<a href="http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modules/ram \
part-core/src/main/java/org/apache/rampart/util/RampartUtil.java?view=markup#l1442" \
target="_blank">http://svn.apache.org/viewvc/axis/axis2/java/rampart/branches/1_6/modu \
les/rampart-core/src/main/java/org/apache/rampart/util/RampartUtil.java?view=markup#l1442</a><br>
<br></div>Apparently, it now picks up the result of the ReferenceListProcessor since \
it has an "id" tag, but since it has empty value, the \
"AssymetricBindingBuilder.encryptedKeyId" field is also left out empty and \
this leads to missing token in response... <br>
</div>Commenting out the line in the ReferenceListProcessor that adds the \
"id" tag fixes the issue - Rampart then properly finds the result of the \
DerivedKeyTokenProcessor and not the one of the ReferenceListProcessor.<br>
<br></div>Now the question is whether this has to be fixed in Rampart or in \
WSS4J?<br><br></div>Regards,<br></div> \
Detelin<br><div><div><div><div><br><br><div><div><br><div><div><div><div><div><div><div><br><br></div></div>
</div></div></div></div></div></div></div></div></div></div></div></div><div><br><br><div>On \
Tue, Jul 8, 2014 at 6:39 PM, Colm O hEigeartaigh <span dir="ltr"><<a \
href="mailto:coheigea@apache.org" target="_blank">coheigea@apache.org</a>></span> \
wrote:<br>
<blockquote style="border-left:1px solid rgb(204,204,204);padding-left:1ex"><div \
dir="ltr">I keep getting these "Could not find file \
.../target/artifacts/addressing-1.6.3-SNAPSHOT.mar to copy" type errors on the \
1.6.x branch. How do I work around this?<span><font color="#888888"><br>
<br>Colm.<br></font></span></div><div><div><div>
<br><br><div>On Tue, Jul 8, 2014 at 4:21 PM, <span dir="ltr"><<a \
href="mailto:detelinyordanov@gmail.com" \
target="_blank">detelinyordanov@gmail.com</a>></span> wrote:<br><blockquote \
style="border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><div><div><div><div><div>Hi Colm,<br></div> What I did so far is to \
checkout Rampart (I have tried both trunk and 1.6 branches), increase the wss4j \
dependency to 1.6.5 and run "mvn clean package -Dtest=RampartTest". This \
fails on the "Testing WS-Sec: custom scenario 7" with the error I \
described. Switching the dependency back to 1.6.4 fixes this issue, but still there \
is one additional scenario (28) which is failing, however I presume it is not related \
with wss4j but probably with Axiom.<br>
<br></div>I have checked out wss4j 1.6.x branch and build it locally, then switched \
Rampart to this version and re-executed the tests. The tests succeeded up until the \
point I switched to wss4j revision 1294114. With previous 1294094 revision, this \
scenario is working fine.<br>
<br></div>I was thinking it might be related with changes of other dependencies, but \
I doubt this is the case, since this revision does not introduce dependency \
changes.<br><br></div>I will continue with the investigation and let you know once I \
have more information.<br>
<br>Thanks,<br></div> Detelin<br><div><div><div><div><div><br><br><div>On Tue, \
Jul 8, 2014 at 4:51 PM, Colm O hEigeartaigh <span dir="ltr"><<a \
href="mailto:coheigea@apache.org" target="_blank">coheigea@apache.org</a>></span> \
wrote:<br>
<blockquote style="border-left:1px solid rgb(204,204,204);padding-left:1ex"><div \
dir="ltr"><div><div><br></div>Are you sure that the commit you referenced above is \
causing the problem? Rampart trunk fails on that test for me with WSS4J 1.6.4. \
Rampart 1.6.x branch fails on something else...<br>
<br>
</div>If you have time to look into it, you could try checking out that SNAPSHOT \
version of WSS4J (Before the commit) + check that it works + then apply each change \
and see what change causes the failure. Ultimately, it looks like Rampart might be at \
fault, as the response message is not composed properly <br>
<br>Colm.<br></div><div><br><br><div><div><div>On Tue, Jul 8, 2014 at 12:55 PM, \
<span dir="ltr"><<a href="mailto:detelinyordanov@gmail.com" \
target="_blank">detelinyordanov@gmail.com</a>></span> wrote:<br>
</div></div><blockquote style="border-left:1px solid \
rgb(204,204,204);padding-left:1ex"><div><div><div \
dir="ltr"><div><div><div><div><div><div><div><div>Hi everyone,<br></div> Our team \
worked on new functionality that is to be released with the upcoming wss4j 1.6.16 (<a \
href="https://issues.apache.org/jira/browse/WSS-500" target="_blank">WSS-500</a> \
& <a href="https://issues.apache.org/jira/browse/WSS-501" \
target="_blank">WSS-501</a>). We have managed to integrate this functionality within \
Apache Rampart 1.6.2 and are willing to contribute the necessary pieces there as \
well. However, so far we have been using wss4j 1.6.4 plus the corresponding patches, and \
they seem to work fine with Rampart 1.6.2.<br>
</div>Once I saw the vote for releasing wss4j 1.6.16, I decided to try to build \
Rampart 1.6.2 against it, just to make sure it can adopt this new version in the near \
future.<br></div>However, I stumbled upon a test failure in the Rampart integration \
module, which I managed to track down to a specific commit in wss4j. The commit is \
quite old; it was released in wss4j 1.6.5 (the latest Rampart uses 1.6.4). The change that \
causes trouble is the following:<br>
<br><a href="http://svn.apache.org/viewvc?view=revision&revision=1294114" \
target="_blank">http://svn.apache.org/viewvc?view=revision&revision=1294114</a><br><br></div>Log \
message says "Only decrypt a Data Reference in the ReferenceListProcessor, if it \
hasn't already been decrypted by the EncryptedDataProcessor".<br>
<br></div>The specific Rampart test that fails is \
"org.apache.rampart.RampartTest#testWithPolicy()" using the following \
security policy:<br><br><a \
href="http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/7.xml" \
target="_blank">http://svn.apache.org/repos/asf/axis/axis2/java/rampart/trunk/modules/rampart-integration/src/test/resources/rampart/policy/7.xml</a><br>
</div><br>I'm attaching the SOAP request and response (request.xml and \
response.xml); the actual error message is on the client side, when processing the \
response from the service:<br>
java.lang.StringIndexOutOfBoundsException: String index out of range: 0<br>
at java.lang.String.charAt(String.java:658)<br>
at org.apache.ws.security.WSDocInfo.getResult(WSDocInfo.java:225)<br>
at org.apache.ws.security.str.DerivedKeyTokenSTRParser.parseSecurityTokenReference(DerivedKeyTokenSTRParser.java:90)<br>
at org.apache.ws.security.processor.DerivedKeyTokenProcessor.handleToken(DerivedKeyTokenProcessor.java:53)<br>
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:398)<br>
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:304)<br>
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)<br>
at org.apache.rampart.RampartEngine.process(RampartEngine.java:147)<br><br></div>The \
stack trace is generated using wss4j revision 1294114. <br>
<br></div>It can be seen that the response contains invalid references (the URI is not \
correctly set):<br><br><wsse:SecurityTokenReference ... \
wsu:Id="STR-AA4ACE8415228CCC8E140481886870110"><br> \
<wsse:Reference URI="#" \
ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey" \
/><br>
</wsse:SecurityTokenReference><br><div><div><div><br></div><div>I'm now \
trying to figure out what the root cause of this is and whether the problem is on the \
wss4j side or on Rampart's side, but I would be glad if anyone more experienced \
takes a look at this and provides some feedback.<br>
<br></div><div>Thanks!<br><br></div><div> Detelin<br></div></div></div></div>
<br><br></div></div>
---------------------------------------------------------------------<br>
To unsubscribe, e-mail: <a href="mailto:dev-unsubscribe@ws.apache.org" \
target="_blank">dev-unsubscribe@ws.apache.org</a><br> For additional commands, \
e-mail: <a href="mailto:dev-help@ws.apache.org" \
target="_blank">dev-help@ws.apache.org</a><span><font \
color="#888888"><br></font></span></blockquote></div><span><font color="#888888"><br> \
</font></span></div><span><font color="#888888"><br clear="all"><span><font \
color="#888888"><span><font color="#888888"><br>-- <br>Colm O \
hEigeartaigh<br><br>Talend Community Coder<br><a href="http://coders.talend.com" \
target="_blank">http://coders.talend.com</a><br>
</font></span></font></span></font></span></blockquote></div><span><font \
color="#888888"><br></font></span></div></div></div></div></div></div><span><font \
color="#888888"> </font></span></blockquote></div><span><font color="#888888"><br><br \
clear="all"><span><font color="#888888"></font></span></font></span></div><span><font color="#888888">
</font></span></div></div></blockquote></div><span><font \
color="#888888"><br></font></span></div><span><font color="#888888"> \
</font></span></blockquote></div><span><font color="#888888"><br><br \
clear="all"></font></span></div>
</div></div></blockquote></div><br></div>
</div></div></blockquote></div><div><div><br><br clear="all"></div></div></div></div> \
</div></div> </blockquote></div><br></div></div></div></div> </div></div>
</blockquote></div><br></div></div></div></div></div></div></div></div></div></div>
</blockquote></div><br></div>
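The failure in the thread comes down to a wsse:Reference whose URI is "#" with nothing after it: stripping the leading "#" leaves an empty id, and the trace shows String.charAt being called on that empty string from WSDocInfo.getResult, which raises StringIndexOutOfBoundsException. The following Java class is an added example, not WSS4J or Rampart code, of how a result lookup can reject such a reference with a clear error instead of crashing. The class ReferenceResolver, its methods, the in-memory result store and the sample id "EK-4F2A1C" are all hypothetical and constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not WSS4J or Rampart code): resolving a wsse:Reference URI
 * against already-processed security header results, guarding the empty-id
 * case seen in the thread. Class, method and id names are hypothetical.
 */
public class ReferenceResolver {

    /** Processed security results keyed by their wsu:Id (constructed sample store). */
    private final Map<String, String> resultsById = new LinkedHashMap<>();

    /** Registers a processed result; a result without a usable id is refused outright. */
    public void addResult(String id, String description) {
        if (id == null || id.isEmpty()) {
            // A result stored under "" could only ever be matched by an equally
            // broken reference, so it is better to fail at registration time.
            throw new IllegalArgumentException("security result has no usable id: " + description);
        }
        resultsById.put(id, description);
    }

    /**
     * Turns a wsse:Reference/@URI into the id it points at. A same-document
     * reference is "#" followed by the wsu:Id; any other form is rejected here.
     */
    static String idFromReferenceUri(String uri) {
        if (uri == null || !uri.startsWith("#")) {
            throw new IllegalArgumentException("unsupported reference URI: " + uri);
        }
        // A URI of exactly "#" yields "", which is the failing case from the thread.
        return uri.substring(1);
    }

    /**
     * Looks up the result a reference points at. The empty-id check runs before
     * any charAt() or map access, which is what turns the
     * StringIndexOutOfBoundsException into a descriptive error.
     */
    public String resolve(String referenceUri) {
        String id = idFromReferenceUri(referenceUri);
        if (id.isEmpty()) {
            throw new IllegalArgumentException(
                "reference URI \"" + referenceUri
                + "\" has an empty fragment; the sender did not set the token id");
        }
        String result = resultsById.get(id);
        if (result == null) {
            throw new IllegalStateException("no security result with id " + id);
        }
        return result;
    }

    public static void main(String[] args) {
        ReferenceResolver resolver = new ReferenceResolver();
        // Constructed id, modelled on the shapes that appear in the thread.
        resolver.addResult("EK-4F2A1C", "EncryptedKey result");

        // A well-formed same-document reference resolves normally.
        System.out.println(resolver.resolve("#EK-4F2A1C"));

        // The broken reference from the response is rejected with a clear message.
        try {
            resolver.resolve("#");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check belongs on the consumer side regardless of where the empty id originates: even if the sender is fixed to emit a proper URI, a receiver that indexes results by id should never let an empty fragment reach a character or map lookup.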