java - WSO2 ESB - WS-Security throws exception, AxisFault, Invalid Security


I need to call a web service that implements WS-Security with Rampart, using UsernameToken and Timestamp authentication over SSL. When I try to call the service, the following SOAP message ends up as the response in the ESB log, preceding the exception.

Response SOAP message

    <?xml version="1.0" encoding="UTF-8"?>
    <soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope">
      <soapenv:Header>
        <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true">
          <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-18784">
            <wsu:Created>2016-04-19T04:30:20.850Z</wsu:Created>
            <wsu:Expires>2016-04-19T04:35:20.850Z</wsu:Expires>
          </wsu:Timestamp>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <soapenv:Fault xmlns:axis2ns72="http://www.w3.org/2003/05/soap-envelope">
          <soapenv:Code>
            <soapenv:Value>axis2ns72:Sender</soapenv:Value>
            <soapenv:Subcode>
              <soapenv:Value xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">wsse:InvalidSecurity</soapenv:Value>
            </soapenv:Subcode>
          </soapenv:Code>
          <soapenv:Reason>
            <soapenv:Text xml:lang="en-US">General security error (WSSecurityEngine: No crypto property file supplied for decryption)
            </soapenv:Text>
          </soapenv:Reason>
          <soapenv:Detail></soapenv:Detail>
        </soapenv:Fault>
      </soapenv:Body>
    </soapenv:Envelope>

Exception

    [2016-04-19 09:59:52,730] ERROR - AxisEngine InvalidSecurity
    org.apache.axis2.AxisFault: InvalidSecurity
        at org.apache.rampart.handler.PostDispatchVerificationHandler.invoke(PostDispatchVerificationHandler.java:164)
        at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
        at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:247)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)
    [2016-04-19 09:59:52,733] ERROR - ClientWorker Fault processing response message through Axis2
    org.apache.axis2.AxisFault: InvalidSecurity
        tDispatchVerificationHandler.java:164)
        at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
        at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
        at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:247)
        at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:745)

Proxy service

    <?xml version="1.0" encoding="UTF-8"?>
    <proxy name="edi_proxy" startOnLoad="true" trace="disable"
           transports="http https" xmlns="http://ws.apache.org/ns/synapse">
      <target>
        <inSequence>
          <log description="log" level="custom">
            <property name="msg" value="initiating mcash"/>
          </log>
          <payloadFactory description="pf_mcash" media-type="xml">
            <format>
              <flw:purchacefrommmr xmlns:flw="http://flw.mwt.mobitel.com/">
                <!--Optional:-->
                <bankpurchaserequest xmlns="">
                  <amount>1</amount>
                  <!--Optional:-->
                  <bankcode>00</bankcode>
                  <!--Optional:-->
                  <date>07042016</date>
                  <!--Optional:-->
                  <mobile>0711231234</mobile>
                  <!--Optional:-->
                  <time>120000</time>
                  <!--Optional:-->
                  <transactionid>sdc12345</transactionid>
                </bankpurchaserequest>
              </flw:purchacefrommmr>
            </format>
            <args/>
          </payloadFactory>
          <log description="log" level="custom">
            <property name="msg" value="payload created.."/>
          </log>
          <property expression="fn:concat('Basic ', base64Encode('aaa:bbb'))"
                    name="Authorization" scope="operation" type="STRING"
                    xmlns:ns="http://org.apache.synapse/xsd"/>
          <call>
            <endpoint>
              <address trace="disable" uri="https://mywssecendpoint.com/testservices/testpurchaseservice?wsdl">
                <enableSec policy="gov:ws-policy/sample_policy.xml"/>
              </address>
            </endpoint>
          </call>
          <log description="log" level="custom">
            <property name="msg" value="after calling address endpoint"/>
          </log>
        </inSequence>
        <outSequence>
          <log description="log" level="full"/>
        </outSequence>
        <faultSequence/>
      </target>
      <parameter name="engagedModules">rampart,rahas</parameter>
    </proxy>

Policy file

    <wsp:Policy wsu:Id="sgnencrusername"
        xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
        xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SymmetricBinding>
            <wsp:Policy>
              <sp:ProtectionToken>
                <wsp:Policy>
                  <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                    <wsp:Policy>
                      <sp:RequireThumbprintReference/>
                      <sp:WssX509V3Token10/>
                    </wsp:Policy>
                  </sp:X509Token>
                </wsp:Policy>
              </sp:ProtectionToken>
              <sp:AlgorithmSuite>
                <wsp:Policy>
                  <sp:Basic256/>
                </wsp:Policy>
              </sp:AlgorithmSuite>
              <sp:Layout>
                <wsp:Policy>
                  <sp:Lax/>
                </wsp:Policy>
              </sp:Layout>
              <sp:IncludeTimestamp/>
              <sp:OnlySignEntireHeadersAndBody/>
            </wsp:Policy>
          </sp:SymmetricBinding>
          <sp:SignedParts>
            <sp:Body/>
          </sp:SignedParts>
          <sp:EncryptedParts>
            <sp:Body/>
          </sp:EncryptedParts>
          <sp:SignedSupportingTokens>
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssUsernameToken10/>
                </wsp:Policy>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:SignedSupportingTokens>
          <sp:Wss11>
            <wsp:Policy>
              <sp:MustSupportRefKeyIdentifier/>
              <sp:MustSupportRefIssuerSerial/>
              <sp:MustSupportRefThumbprint/>
              <sp:MustSupportRefEncryptedKey/>
              <sp:RequireSignatureConfirmation/>
            </wsp:Policy>
          </sp:Wss11>
          <sp:Trust10>
            <wsp:Policy>
              <sp:MustSupportIssuedTokens/>
              <sp:RequireClientEntropy/>
              <sp:RequireServerEntropy/>
            </wsp:Policy>
          </sp:Trust10>
        </wsp:All>
      </wsp:ExactlyOne>
      <rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
        <rampart:passwordCallbackClass>com.wssec.pwcallbackhandler</rampart:passwordCallbackClass>
        <rampart:user>testuser</rampart:user>
        <rampart:encryptionUser>wso2carbon</rampart:encryptionUser>
        <rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
        <rampart:timestampTTL>300</rampart:timestampTTL>
        <rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
        <rampart:timestampStrict>true</rampart:timestampStrict>
        <rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
        <rampart:nonceLifeTime>300</rampart:nonceLifeTime>
        <rampart:encryptionCrypto>
          <rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
            <rampart:property name="org.wso2.carbon.security.crypto.alias">mcash.cer</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
            <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks</rampart:property>
            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
          </rampart:crypto>
        </rampart:encryptionCrypto>
        <rampart:signatureCrypto>
          <rampart:crypto cryptoKey="org.wso2.carbon.security.crypto.privatestore" provider="org.wso2.carbon.security.util.ServerCrypto">
            <rampart:property name="org.wso2.carbon.security.crypto.alias">mcash.cer</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
            <rampart:property name="org.wso2.stratos.tenant.id">-1234</rampart:property>
            <rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks</rampart:property>
            <rampart:property name="rampart.config.user">wso2carbon</rampart:property>
          </rampart:crypto>
        </rampart:signatureCrypto>
      </rampart:RampartConfig>
      <sec:CarbonSecConfig xmlns:sec="http://www.wso2.org/products/carbon/security">
        <sec:Authorization>
          <sec:property name="org.wso2.carbon.security.allowedroles">admin</sec:property>
        </sec:Authorization>
      </sec:CarbonSecConfig>
    </wsp:Policy>

I have engaged the Rampart module as said in the question. I have written a password callback handler class and added it to <esb_home>/repository/components/lib, and it is being called. I have written the policy file as a registry resource and done the necessary configuration (password callback handling, keystore).

I will be pleased if anyone can help, or point out what I'm missing, looking at the response and the exception.

Thanks in advance.

--Edit-- Request on the wire

    "POST /testservices/bankpurchaseservice?wsdl HTTP/1.1[\r][\n]" {org.apache.synapse.transport.http.wire}
    "Cookie: region3_registry_menu=visible; menupanel=visible; menupaneltype=main; JSESSIONID=95cae85de74f34bbab10163e36087b12; requestedURI="../../carbon/service-mgt/index.jsp?region=region1&item=services_list_menu"; region1_configure_menu=none; region4_monitor_menu=none; region5_tools_menu=none; current-breadcrumb=manage_menu%2cservices_menu%2cservices_list_menu%23[\r][\n]" {org.apache.synapse.transport.http.wire}
    "Content-Type: application/soap+xml; charset=UTF-8; action="urn:mediate"[\r][\n]" {org.apache.synapse.transport.http.wire}
    "Transfer-Encoding: chunked[\r][\n]" {org.apache.synapse.transport.http.wire}
    "Host: mobextintvpn.mobitel.lk:443[\r][\n]" {org.apache.synapse.transport.http.wire}
    "Connection: Keep-Alive[\r][\n]" {org.apache.synapse.transport.http.wire}
    "User-Agent: Synapse-PT-HttpComponents-NIO[\r][\n]" {org.apache.synapse.transport.http.wire}
    "[\r][\n]" {org.apache.synapse.transport.http.wire}
    "1287[\r][\n]" {org.apache.synapse.transport.http.wire}
    "<?xml version='1.0' encoding='UTF-8'?><soapenv:Envelope xmlns:soapenv="http://www.w3.org/2003/05/soap-envelope" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><soapenv:Header><wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soapenv:mustUnderstand="true"><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Timestamp-1"><wsu:Created>2016-04-19T10:18:22.520Z</wsu:Created><wsu:Expires>2016-04-19T10:23:22.520Z</wsu:Expires></wsu:Timestamp><xenc:EncryptedKey Id="EncKeyId-95f8ba9fa0125de2c814610611030642"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">[\n]" {org.apache.synapse.transport.http.wire}
    "<wsse:SecurityTokenReference><wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">a/jhnus21kvuofx65lmkw2o/l10=</wsse:KeyIdentifier></wsse:SecurityTokenReference>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>oabkdbmwv8icjf+y9u34aiqi79g1qwya8femy/vdad0oscw8kvglq7spfkuevvfz7qnzuhaboeqh3oppea/o7/0wewylzbdxj1cutl1viwobdjr1uawh2iuwqvpojfsh88/5ljwdddhrpgirpmvyuu7/dl6d/djjfdcofznjtpm=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey><xenc:ReferenceList><xenc:DataReference URI="#EncDataId-4"/></xenc:ReferenceList><wsse:UsernameToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="UsernameToken-2"><wsse:Username>hnbmwtuser</wsse:Username><wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">hnbmwtuser</wsse:Password></wsse:UsernameToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-3">[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:SignedInfo>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:Reference URI="#id-1995499025">[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:DigestValue>zogehbxkice+35najzjhev+lxfo=</ds:DigestValue>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:Reference>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:Reference URI="#Timestamp-1">[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:DigestValue>mvyayqaqt/h9kmttu1wp4qsto1a=</ds:DigestValue>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:Reference>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:Reference URI="#UsernameToken-2">[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:Transforms>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:DigestValue>ftaivrunngvon1mpq4l08ubdwhs=</ds:DigestValue>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:Reference>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:SignedInfo>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:SignatureValue>b4hfiv89mqbvah0e5pqm70k0hoc=</ds:SignatureValue>[\n]" {org.apache.synapse.transport.http.wire}
    "<ds:KeyInfo Id="KeyId-95f8ba9fa0125de2c814610611031013">[\n]" {org.apache.synapse.transport.http.wire}
    "<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-95f8ba9fa0125de2c814610611031014"><wsse:Reference URI="#EncKeyId-95f8ba9fa0125de2c814610611030642" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/></wsse:SecurityTokenReference>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:KeyInfo>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:Signature></wsse:Security></soapenv:Header><soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="id-1995499025"><xenc:EncryptedData Id="EncDataId-4" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">[\n]" {org.apache.synapse.transport.http.wire}
    "<wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference URI="#EncKeyId-95f8ba9fa0125de2c814610611030642"/></wsse:SecurityTokenReference>[\n]" {org.apache.synapse.transport.http.wire}
    "</ds:KeyInfo><xenc:CipherData><xenc:CipherValue>wil1a9udg+jfiitcm++vj0ia+oyahkzzutq3xlpk/2ethg8bonsrt+omzbq+aqscumxqv9ofgei/[\n]" {org.apache.synapse.transport.http.wire}
    "vlj1evric21e82d5r9oixe35s5nyr7m1ij23bfspo5wctg2qtxwg3ijdae9assxbgshhsxyecbkv[\n]" {org.apache.synapse.transport.http.wire}
    "07cglyzjooqrpww5b/pg4cbcctjevtwtgku8yw6wlqptjlqgg9olrw598jibvgx6/od/dlmtrea4[\n]" {org.apache.synapse.transport.http.wire}
    "ctsjzrimeqig3u8obwzdav9zdyinv2pyhr+m8juiex4jlkcnf3xbs/k4rdajbobaiu3rbnkbwkjt[\n]" {org.apache.synapse.transport.http.wire}
    "8bss7gxlw8yvgemb6uzozhlfes+sism7iinnskl0adzmlhn8na9iajs94cw6925/eulaklaos0dj[\n]" {org.apache.synapse.transport.http.wire}
    "hf7lisscnrzxhecd84q9pbk6/xgn/qye5q0gyntfu2aslq3w9+ymozai7x+z6qprotssoe6vltaw[\n]" {org.apache.synapse.transport.http.wire}
    "vpbczn/xmbzsdt40y7dfq/ykqjscfanf5lsj7tp9vf5qc+76qcnnzyrwotdeuqnr0sle9aq717yh[\n]" {org.apache.synapse.transport.http.wire}
    "yw==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soapenv:Body></soapenv:Envelope>[\r][\n]"
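To make the two messages in this question easier to read, here is a small inspector, added as an example and not part of the original post or of any WSO2/Rampart code: it pulls the Code, Subcode and Reason out of the SOAP 1.2 fault the ESB got back, and summarises what the request's wsse:Security header claims (timestamp window, UsernameToken password type, which parts are signed, whether the Body is encrypted and with what). The two sample envelopes are constructed from the values shown above, with the ciphertext, digests and password replaced by placeholders; the function names and the report keys are this example's own.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces of SOAP 1.2, WSS 1.0 (wsse/wsu), XML-DSig and XML-Enc.
NS = {
    "soapenv": "http://www.w3.org/2003/05/soap-envelope",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

# Constructed sample: the fault the ESB received, reduced to the relevant elements.
FAULT_XML = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s">
 <soapenv:Header><wsse:Security soapenv:mustUnderstand="true">
  <wsu:Timestamp wsu:Id="Timestamp-18784"><wsu:Created>2016-04-19T04:30:20.850Z</wsu:Created><wsu:Expires>2016-04-19T04:35:20.850Z</wsu:Expires></wsu:Timestamp>
 </wsse:Security></soapenv:Header>
 <soapenv:Body><soapenv:Fault xmlns:axis2ns72="%(soapenv)s">
  <soapenv:Code><soapenv:Value>axis2ns72:Sender</soapenv:Value>
   <soapenv:Subcode><soapenv:Value>wsse:InvalidSecurity</soapenv:Value></soapenv:Subcode></soapenv:Code>
  <soapenv:Reason><soapenv:Text xml:lang="en-US">General security error (WSSecurityEngine: No crypto property file supplied for decryption)
  </soapenv:Text></soapenv:Reason><soapenv:Detail/>
 </soapenv:Fault></soapenv:Body>
</soapenv:Envelope>""" % NS

# Constructed sample: the request from the wire dump, with placeholders for the
# wrapped key, signature, password and body ciphertext.
REQUEST_XML = """<soapenv:Envelope xmlns:soapenv="%(soapenv)s" xmlns:xenc="%(xenc)s"
  xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">
 <soapenv:Header><wsse:Security soapenv:mustUnderstand="true">
  <wsu:Timestamp wsu:Id="Timestamp-1"><wsu:Created>2016-04-19T10:18:22.520Z</wsu:Created><wsu:Expires>2016-04-19T10:23:22.520Z</wsu:Expires></wsu:Timestamp>
  <xenc:EncryptedKey Id="EncKeyId-1"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:CipherData><xenc:CipherValue>CONSTRUCTED-WRAPPED-KEY</xenc:CipherValue></xenc:CipherData>
   <xenc:ReferenceList><xenc:DataReference URI="#EncDataId-4"/></xenc:ReferenceList></xenc:EncryptedKey>
  <wsse:UsernameToken wsu:Id="UsernameToken-2"><wsse:Username>hnbmwtuser</wsse:Username>
   <wsse:Password Type="%(pwtext)s">CONSTRUCTED-PASSWORD</wsse:Password></wsse:UsernameToken>
  <ds:Signature Id="Signature-3"><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
    <ds:Reference URI="#id-1995499025"/><ds:Reference URI="#Timestamp-1"/><ds:Reference URI="#UsernameToken-2"/>
   </ds:SignedInfo><ds:SignatureValue>CONSTRUCTED-SIGNATURE</ds:SignatureValue></ds:Signature>
 </wsse:Security></soapenv:Header>
 <soapenv:Body wsu:Id="id-1995499025">
  <xenc:EncryptedData Id="EncDataId-4" Type="http://www.w3.org/2001/04/xmlenc#Content">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <xenc:CipherData><xenc:CipherValue>CONSTRUCTED-BODY-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soapenv:Body>
</soapenv:Envelope>""" % dict(NS, pwtext=PASSWORD_TEXT)


def parse_utc(value):
    """Parse a wsu:Created / wsu:Expires value (xsd:dateTime in UTC, millis optional)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported timestamp: " + value)


def _get(elem, path, attr=None):
    """Find `path` below `elem`; return its `attr` value or its stripped text, or None."""
    node = elem.find(path, NS) if elem is not None else None
    if node is None:
        return None
    return node.get(attr) if attr else (node.text or "").strip() or None


def parse_fault(envelope_xml):
    """Return Code/Subcode/Reason of a SOAP 1.2 Fault, or None if the Body carries no Fault."""
    fault = ET.fromstring(envelope_xml).find("soapenv:Body/soapenv:Fault", NS)
    if fault is None:
        return None
    return {"code": _get(fault, "soapenv:Code/soapenv:Value"),
            "subcode": _get(fault, "soapenv:Code/soapenv:Subcode/soapenv:Value"),
            "reason": _get(fault, "soapenv:Reason/soapenv:Text")}


def inspect_security_header(envelope_xml, now):
    """Summarise what the wsse:Security header claims, judged at the UTC-aware datetime `now`.
    Returns None when the message has no Security header at all."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soapenv:Header/wsse:Security", NS)
    if sec is None:
        return None
    created = _get(sec, "wsu:Timestamp/wsu:Created")
    expires = _get(sec, "wsu:Timestamp/wsu:Expires")
    body = root.find("soapenv:Body", NS)
    body_id = body.get("{%s}Id" % NS["wsu"]) if body is not None else None
    enc_data = body.find("xenc:EncryptedData", NS) if body is not None else None
    signed = [r.get("URI") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)]
    return {
        # Rampart rejects a Timestamp whose Created..Expires window does not cover `now`.
        "timestamp_valid": bool(created and expires and parse_utc(created) <= now < parse_utc(expires)),
        "username": _get(sec, "wsse:UsernameToken/wsse:Username"),
        # PasswordText carries the password in clear inside the envelope; only TLS covers it.
        "password_in_clear": _get(sec, "wsse:UsernameToken/wsse:Password", "Type") == PASSWORD_TEXT,
        "signature_method": _get(sec, "ds:Signature/ds:SignedInfo/ds:SignatureMethod", "Algorithm"),
        "signed_uris": signed,
        "body_signed": body_id is not None and "#" + body_id in signed,
        "key_transport": _get(sec, "xenc:EncryptedKey/xenc:EncryptionMethod", "Algorithm"),
        "body_encrypted": enc_data is not None,
        "data_cipher": _get(enc_data, "xenc:EncryptionMethod", "Algorithm"),
    }
```

Run against the wire dump above (for example `inspect_security_header(REQUEST_XML, parse_utc("2016-04-19T10:20:00Z"))`), the report shows the request is well formed on the ESB side: timestamp in window, Body, Timestamp and UsernameToken all covered by the HMAC-SHA1 signature, Body encrypted with AES-256-CBC under an RSA-OAEP-wrapped key. The `wsse:InvalidSecurity` fault with reason "No crypto property file supplied for decryption" is therefore the far end being unable to load a keystore to unwrap that key, not a malformed request. The report also flags that PasswordText sends the password in clear inside the envelope, so the SSL transport is the only thing protecting it.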

The error message is quite clear: "WSSecurityEngine: No crypto property file supplied for decryption". It looks like you are using WSS4J on the server side. You should configure the Wss4jSecurityInterceptor to use the right crypto properties; otherwise it cannot verify the signed content in the request. If you're using XML config you should add this:

    <bean class="org.springframework.ws.soap.security.wss4j.Wss4jSecurityInterceptor">
      <property name="validationActions" value="Signature"/>
      <property name="validationSignatureCrypto">
        <bean class="org.springframework.ws.soap.security.wss4j.support.CryptoFactoryBean">
          <property name="keyStorePassword" value="<your_keystore_pwd>"/>
          <property name="keyStoreLocation" value="<your_keystore>"/>
        </bean>
      </property>
    </bean>

If you are using plain Java, the methods are quite similar.

