  1. Red Hat Fuse
  2. ENTESB-5166

"org.apache.ws.security.WSSecurityException: The signature or decryption was invalid." when soap reference returns a SOAPFault


Details


      The workaround is to add the namespace manually in the switchyard project in a bean so that the client can handle the response.

      From the attachments, `cxfClient.zip`, check `testSYBean_PreserveExceptionNSFix()` in the test class `SwitchyardSOAPTest`:

          @Test
          public void testSYBean_PreserveExceptionNSFix() throws Exception {
              // 'EXCEPTION' triggers the SOAPFault, 'PRESERVE' returns the original
              // fault, 'NSFIX' applies the namespace prefix workaround.
              String command = "CMD-42-EXCEPTION-PRESERVE-NSFIX";
              setEndpointURL(WORK_SERVICE_ENDPOINT_URL);

              try {
                  port.doWork(generateWork(command));
                  fail("Want exception!");
              } catch (SOAPFaultException sfe) {
                  // The client must see the service's own fault, not a WS-Security failure.
                  assertThat(sfe.getFault().getFaultCode(), not(containsString("FailedCheck")));
                  assertThat(sfe.getFault().getFaultCode(), is("soap:Server"));
                  assertThat(sfe.getFault().getFaultString(), is("java.lang.RuntimeException: Throwing wanted Exception!"));
              }
          }

      • jboss-eap-6.4.6 with fuse 6.2.1 and java 1.8.
      • Start JBoss EAP with port offset 300: ./standalone.sh -Djboss.socket.binding.port-offset=300
      • The switchyard projects are modified quickstart projects (originating from policy-security-wss-signencrypt).

      policy-security-wss-signencrypt_nosecurity_soapfault:
      • removed security policies and added the ability to produce a soapfault when the command contains the string 'EXCEPTION'
      • Security removed because of the missing ability to configure security for composite-soap-reference-bindings.

      policy-security-wss-signencrypt_proxy:
      • extended with proxy functionality to proxy the request to switchyard project policy-security-wss-signencrypt_nosecurity_soapfault
      • two composite-services/paths, one with Bean-implementation and one with Camel (XML) implementation
      • the bean-implementation has some flags to control behavior:
        • when the command contains 'PRESERVE' we return the original soapfault from the proxy webservice. I think that the fact that switchyard wraps and hides the original exception is also not always the wanted behavior...
        • when the command contains 'NSFIX' a workaround where we set the namespace prefix is applied.

      To demonstrate the issue, I modified a CXF sample project to call the webservice.
      ws_security_sign_enc_policy contains a unit test which calls the switchyard webservices that policy-security-wss-signencrypt_proxy provides.
      The two tests that fail show the issue; the test 'testSYBean_Exception' shows the wrapped exception.
      This sample client uses the same CXF version shipped with JBoss Fuse 6.2.1.


    Description

      When calling a switchyard soap endpoint which calls a soap proxy webservice, and this proxy call results in a SOAPFault, the client produces the error "org.apache.ws.security.WSSecurityException: The signature or decryption was invalid.".

      When turning on xmlsec debug logging, it is discovered that the "Pre-digested input" of the body element is different on the client and on the server side.
      It seems that the namespace prefix switchyard uses for the soapfault (SOAP-ENV:Fault) is missing a namespace definition; this definition is removed or is not used when generating the signature.

      The clients are self-coded Java clients and SoapUI, which both produce the error "org.apache.ws.security.WSSecurityException: The signature or decryption was invalid.".
      When adding the namespace manually in the switchyard project in a bean, the client can handle the response.

      To isolate and clarify the issue I have created some sample projects.

      The projects policy-security-wss-signencrypt_proxy and ws_security_sign_enc_policy assume that the fuse eap is started with a port offset of 300.
      The projects should all build with 'mvn clean package' except, of course, the test client, which fails with test failures.

      • You should be able to see this test failure with the method `testSYBean_PreserveException()`:
      Caused by: org.apache.xml.security.encryption.XMLEncryptionException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 212; The prefix "SOAP-ENV" for element "SOAP-ENV:Fault" is not bound.
      Original Exception was javax.xml.transform.TransformerException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 212; The prefix "SOAP-ENV" for element "SOAP-ENV:Fault" is not bound.
      	at org.apache.xml.security.encryption.TransformSerializer.deserialize(TransformSerializer.java:110)
      	at org.apache.xml.security.encryption.TransformSerializer.deserialize(TransformSerializer.java:51)
      	at org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1750)
      	at org.apache.xml.security.encryption.XMLCipher.decryptElementContent(XMLCipher.java:1781)
      	at org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:1031)
      	at org.apache.wss4j.dom.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:438)
      	... 52 more
      Caused by: javax.xml.transform.TransformerException: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 212; The prefix "SOAP-ENV" for element "SOAP-ENV:Fault" is not bound.
      	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:749)
      	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:351)
      	at org.apache.xml.security.encryption.TransformSerializer.deserialize(TransformSerializer.java:91)
      	... 57 more
      Caused by: org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 212; The prefix "SOAP-ENV" for element "SOAP-ENV:Fault" is not bound.
      	at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1239)
      	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transformIdentity(TransformerImpl.java:641)
      	at com.sun.org.apache.xalan.internal.xsltc.trax.TransformerImpl.transform(TransformerImpl.java:737)
      	... 59 more
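
Added example (not from the issue or its attachments): a JDK-only reproduction of the parser error in the stack trace above, showing that a serialized Fault fragment whose SOAP-ENV prefix has no declaration in scope is rejected, while the same element with the declaration attached to Fault itself parses. The class name, the fragment contents and the use of a DOM attribute to attach the declaration are assumptions for illustration; the reporter's NSFIX code lives in the attachments and is not reproduced here.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.*;
import javax.xml.transform.*;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.*;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical demo class; not part of the attached projects.
public class FaultPrefixDemo {
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";

    static DocumentBuilder builder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true); // prefixes must resolve, as in the decrypting client
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder();
    }

    // Parse a fragment on its own; return the root's namespace URI or the parser error.
    static String parseAlone(String xml) throws Exception {
        try {
            Document d = builder().parse(new InputSource(new StringReader(xml)));
            return "parsed, namespace=" + d.getDocumentElement().getNamespaceURI();
        } catch (SAXParseException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed fragment: the prefix is used but never declared.
        String body = "<faultcode>SOAP-ENV:Server</faultcode><faultstring>constructed</faultstring>";
        System.out.println(parseAlone("<SOAP-ENV:Fault>" + body + "</SOAP-ENV:Fault>"));

        // Same element built in a DOM, with the declaration attached to Fault itself.
        Document doc = builder().newDocument();
        Element fault = doc.createElementNS(SOAP_NS, "SOAP-ENV:Fault");
        fault.setAttributeNS(XMLNS_NS, "xmlns:SOAP-ENV", SOAP_NS);
        fault.appendChild(doc.createElementNS(null, "faultcode")).setTextContent("SOAP-ENV:Server");
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(fault), new StreamResult(out));
        System.out.println(out + " -> " + parseAlone(out.toString()));
    }
}
```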
      

          People

            toigaras@redhat.com tomohisa igarashi
            rhn-support-vgohel Viral Gohel
            Martin Basovnik Martin Basovnik (Inactive)