wso2 / product-ei

An open source, a high-performance hybrid integration platform that allows developers quick integration with any application, data, or system.
https://wso2.com/integration/
Apache License 2.0

Rampart exception when response from secured backend service returns HTTP 500 #4155

Closed sachithKay closed 1 week ago

sachithKay commented 5 years ago

Description:

When trying a security scenario (like scenario number 100) in which the backend service is secured by signing the body, but we want the client not to use security, if the backend service returns an HTTP 500 without any SOAP message, Rampart produces an exception that returns the process neither to the out-sequence nor to the fault-sequence, so the client waits for the response until a time-out occurs.

[2016-08-09 12:00:17,486] ERROR - AxisEngine Missing wsse:Security header in request
org.apache.axis2.AxisFault: Missing wsse:Security header in request
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:247)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.rampart.RampartException: Missing wsse:Security header in request
at org.apache.rampart.RampartEngine.process(RampartEngine.java:146)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
... 9 more
[2016-08-09 12:00:17,488] ERROR - ClientWorker Fault processing response message through Axis2
org.apache.axis2.AxisFault: Missing wsse:Security header in request
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:180)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:99)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:247)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.rampart.RampartException: Missing wsse:Security header in request
at org.apache.rampart.RampartEngine.process(RampartEngine.java:146)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:92)
... 9 more

<?xml version='1.0' encoding='utf-8'?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode><faultstring>Call to a member function load() on null</faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>

The policy indicates that a security header is required in the response (at least a timestamp), so the RampartEngine.process method produces a RampartException with "missingSecurityHeader".

The problem is that the exception is not propagated to the proxy service's out-sequence, nor to the fault-sequence, so it is not possible to notify the client with any message.

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues: https://wso2.org/jira/browse/ESBJAVA-4836
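The failure mode described in this report, modelled as an added Python example (this is not Rampart or Synapse code): a response-side policy check that requires a wsse:Security header with a wsu:Timestamp, written so that every outcome is an explicit route to either the out-sequence or the fault-sequence, and a missing header on an HTTP 500 ends up as a fault message rather than an unanswered client. The fault body is the one quoted above; the secured responses, the fixed clock NOW and the element ids are constructed for the example.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Fixed clock (constructed) so the Timestamp checks are reproducible.
NOW = datetime(2019, 6, 13, 14, 53, 10, tzinfo=timezone.utc)

# The backend fault quoted in the report: HTTP 500, no wsse:Security header at all.
RESPONSE_NO_HEADER = (
    "<?xml version='1.0' encoding='utf-8'?>"
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    "<SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>SOAP-ENV:Server</faultcode>"
    "<faultstring>Call to a member function load() on null</faultstring>"
    "</SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>"
)


def secured_response(created, expires):
    """Constructed response carrying the wsu:Timestamp the policy asks for (no signature)."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP11}"><soapenv:Header>'
        f'<wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
        f'<wsu:Timestamp wsu:Id="ts-1"><wsu:Created>{created}</wsu:Created>'
        f"<wsu:Expires>{expires}</wsu:Expires></wsu:Timestamp></wsse:Security>"
        '</soapenv:Header><soapenv:Body><ns:echoResponse xmlns:ns="urn:example">ok'
        "</ns:echoResponse></soapenv:Body></soapenv:Envelope>"
    )


RESPONSE_OK = secured_response("2019-06-13T14:53:09.459632660Z", "2019-06-13T14:58:09.459Z")
RESPONSE_EXPIRED = secured_response("2019-06-13T14:40:00Z", "2019-06-13T14:45:00Z")


def parse_utc(value):
    """Parse the xsd:dateTime forms seen on the wire (optional fraction, trailing Z)."""
    if not value:
        return None
    if value.endswith("Z"):
        value = value[:-1]
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6]}"  # fromisoformat accepts at most microseconds
    try:
        return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def check_response_policy(http_status, body_xml, now=None):
    """Apply a response policy that requires wsse:Security with a valid wsu:Timestamp.

    Returns ("out", None) when the policy holds and the body is a normal response,
    otherwise ("fault", reason): every path yields a message for the client.
    """
    now = now or datetime.now(timezone.utc)
    data = body_xml.encode("utf-8") if isinstance(body_xml, str) else body_xml
    try:
        env = ET.fromstring(data)
    except ET.ParseError as exc:
        return "fault", f"HTTP {http_status}: response is not well-formed XML ({exc})"
    if env.tag != f"{{{SOAP11}}}Envelope":
        return "fault", f"HTTP {http_status}: response is not a SOAP 1.1 envelope"
    security = env.find(f"{{{SOAP11}}}Header/{{{WSSE}}}Security")
    if security is None:
        return "fault", f"HTTP {http_status}: Missing wsse:Security header in response"
    timestamp = security.find(f"{{{WSU}}}Timestamp")
    if timestamp is None:
        return "fault", f"HTTP {http_status}: wsse:Security header has no wsu:Timestamp"
    created = parse_utc(timestamp.findtext(f"{{{WSU}}}Created", ""))
    expires = parse_utc(timestamp.findtext(f"{{{WSU}}}Expires", ""))
    if created is None or expires is None:
        return "fault", f"HTTP {http_status}: wsu:Timestamp has an unparseable Created/Expires"
    if not created <= now < expires:
        return "fault", (f"HTTP {http_status}: wsu:Timestamp outside its validity window "
                         f"({created.isoformat()} .. {expires.isoformat()})")
    fault = env.find(f"{{{SOAP11}}}Body/{{{SOAP11}}}Fault")
    if fault is not None:
        return "fault", f"HTTP {http_status}: backend fault: {fault.findtext('faultstring', '')}"
    return "out", None


if __name__ == "__main__":
    for status, body in [(500, RESPONSE_NO_HEADER), (200, RESPONSE_OK), (200, RESPONSE_EXPIRED)]:
        print(status, *check_response_policy(status, body, now=NOW))
```

The point of the shape is that the check never raises out of the mediation path: the missing-header case from this report, a malformed body, an expired timestamp and a properly secured backend fault all come back as a ("fault", reason) pair the caller can turn into a SOAP fault for the waiting client.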

ghost commented 5 years ago

I think this is a related issue, using EI-6.4.0: We are using WSSecurity (body message signed) for communications between our EI-640 and an external app service provider. We have installed their certificate in our client-truststore, and things are working well when the app service provider responds with HTTP code 200. The body signature is well verified, all is fine.

But when the application server responds with error code 500, the body signature is not recognized and we get the "The signature or decryption was invalid" message in our logs.

[2019-06-13 16:53:09,475] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "HTTP/1.1 500 Internal Server Error[\r][\n]"
[2019-06-13 16:53:09,475] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "Server: Apache-Coyote/1.1[\r][\n]"
[2019-06-13 16:53:09,475] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "Connection: close[\r][\n]"
[2019-06-13 16:53:09,475] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "Content-Type: text/xml;charset=UTF-8[\r][\n]"
[2019-06-13 16:53:09,476] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "Content-Length: 5851[\r][\n]"
[2019-06-13 16:53:09,476] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "Date: Thu, 13 Jun 2019 14:53:09 GMT[\r][\n]"
[2019-06-13 16:53:09,476] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "Connection: close[\r][\n]"
[2019-06-13 16:53:09,476] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "[\r][\n]"
[2019-06-13 16:53:09,476] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "<?xml version="1.0" encoding="UTF-8"?>[\n]"
[2019-06-13 16:53:09,476] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">[\n]"
[2019-06-13 16:53:09,476] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Timestamp wsu:Id="id-2-7a530ab84f8184cc4f95e57538d5ff85"><wsu:Created>2019-06-13T14:53:09.459632660Z</wsu:Created><wsu:Expires>2019-06-13T14:58:09.459Z</wsu:Expires></wsu:Timestamp><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="id-0-7937ccba21fb5ad8209751343079ede5" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">MIIG2TCCBcGgAwIBAgIMZH/SkX5UDyxmqrurMA0GCSqGSIb3DQEBCwUAMGYxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTwwOgYDVQQDEzNHbG9iYWxTaWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBIC0gU0hBMjU2IC0gRzIwHhcNMTgwMzIwMTMxMTA0WhcNMjAwMzIwMTMxMTA0WjB/MQswCQYDVQQGEwJCRTERMA8GA1UECBMIQnJ1c3NlbHMxEzARBgNVBAcTClNjaGFlcmJlZWsxFTATBgNVBAsTDEV4cGxvaXRhdGlvbjEOMAwGA1UEChMFRVROSUMxITAfBgNVBAMTGHNlcnZpY2VzLXdlYi50cS5ldG5pYy5iZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKw1NNEUS4KJb5QlK92eHo+H3dKUNobA3YFWe0If7waqG2vv+Pq+4nZbzEdOxbOJKJgwclXUjMTyqYVagxsucVIPjkwZbTzAyzOgAfx5dsKFoOMVYy3SXvyWh48833Ch45+2LHYb69QC2habtFuwoshBDmHWFVH1sZYs6CK9tu0H+wgAmVEzWr7FT7ZyqobROpde29Pd6NxtwnhAH7ykIDdYzVeRZ4fR1sx8XixwEtE3rauQqs2YfGYM/HqyAH3juX8aX/17N1hQuOd1VozFmDU9QMo/YcmwTDEqRB8IG8kqRtD4tCiEwl3xgYjr9xsJTrFfgZCfIG+vqAjBTEvL/+cCAwEAAaOCA2wwggNoMA4GA1UdDwEB/wQEAwIFoDCBoAYIKwYBBQUHAQEEgZMwgZAwTQYIKwYBBQUHMAKGQWh0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5jb20vY2FjZXJ0L2dzb3JnYW5pemF0aW9udmFsc2hhMmcycjEuY3J0MD8GCCsGAQUFBzABhjNodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vZ3Nvcmdhbml6YXRpb252YWxzaGEyZzIwVgYDVR0gBE8wTTBBBgkrBgEEAaAyARQwNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQICMAkGA1UdEwQCMAAwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5nbG9iYWxzaWduLmNvbS9ncy9nc29yZ2FuaXphdGlvbnZhbHNoYTJnMi5jcmwwIwYDVR0RBBwwGoIYc2VydmljZXMtd2ViLnRxLmV0bmljLmJlMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUW4uJNGD503Y0C69aBUOmtz6Ji54wHwYDVR0jBBgwFoAUlt5h8b0cFilTHMDMfTuDAEDmGnwwggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB3AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kTAAABYkOI3zEAAAQDAEgwRgIhANKxUibpRRdjs4BqppHjoD34qmqDbTdj6CcH9oXc2cYXAiEAkZPMrYAEk6KBW26yvg3nVgEOqlcfyBxvJkZ/Qkhy6FsAdgCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDBtOr/XqCDDwAAAWJDiOAFAAAEAwBHMEUCIFVEpvasSpBeBkt+/rZDzb5teLGH6McU2N4atTfyWnT3AiEA5KjRFXA++fOI0FJu0D/Cz3tHoZypUDzioZghThdbKvMAdgCkuQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWJDiN/GAAAEAwBHMEUCIFbqAP3xGj3SkOTBVBbiQSLstbwFGSsfvRNc9IdyHSaLAiEApBfgzREMxxOribvLbcPhAHkxNLPM4hWdcALEWONwAXwwDQYJKoZIhvcNAQELBQADggEBADvOcBLnIQFJqV5GfHd3PaM7/AX0X7EV+nEAy4n3iv9CN/PYDl7p13u6KSZSMxVD61WfYBOstpTkPMxaDIJ4lQMy2Lzenqu3Y7bTbbFWrTN5+uQTN1VuwU6u1tQwPp0Ttqixw4PNNlvpbI1E5TCqR1ZriLy0D/XVjD8Z7uocLjWVtlUfeUumvERX6m092SSab1tcXrWUdQYuX3egsG/Cnny0xE2UjZ2/26hFeXVWYMQtiINwxdiKRVn40NmZlrVgNjyiZYWVl3WMldfm/Su2g+s9TSBzTDRoWexTFXl8+iX+NW0lJqS6sqlsyRtTPqwV9GhxHLatp1HDn/SENoR9ChQ=</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#id-1-87045dbb3d166a01c6c17fcb69a5cb43"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>FW3Om+i2ksFqO1gyE3MzH2dD3gU=</ds:DigestValue></ds:Reference><ds:Reference URI="#id-2-7a530ab84f8184cc4f95e57538d5ff85"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>mkBEHPkrKYXVTH7JkbEzwIX0RA4=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>DhhiOxqYWvKAZsGukFvvm7Zx+2EXQxRZbdTg0/n8uexnitaXvH97FGJDUxmMvO+YmxlkyQ3ssD/IVXsRwUgkabax8GvItsiIthsIp7SatYdz+BEelobLKmsK02xALq1EE9HM3Roa3yXMCsC8mhj61lAYkyBlX/lxH2F9kQeJTr/jI2kM43q7chUaHXRwHKOlx+Hxvly8uSr8w2aptfjzV+faH/YocpajNHL83TxjTnrheLvsXMqmoN4Q2gdIl8W+M4/L4Nz72n8Un2tF7PJ63/QnESRT6n4njbe4k5akngQRInHPAXPGVPQuDJ8Lpnt+4w3CapczuMLYFx9uWyB/AQ==</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><wsse:Reference URI="#id-0-7937ccba21fb5ad8209751343079ede5" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soapenv:Header>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <soapenv:Body wsu:Id="id-1-87045dbb3d166a01c6c17fcb69a5cb43" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <soapenv:Fault>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <faultcode>soapenv:Client</faultcode>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <faultstring>Message 2b008dff-eeac-4245-acb1-1469ddc8a743 failed : SECU-0104 - WSS X509 Authentication failed against LDAP</faultstring>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <faultactor>services-web.server.com</faultactor>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <detail>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <messageId xmlns="http://services.etnic.be/message">2b008dff-eeac-4245-acb1-1469ddc8a743</messageId>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <code>SECU-0104</code>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <description lang="fr">L'authentification via la technique 'WSS X509' a [0xc3][0xa9]chou[0xc3][0xa9] aupr[0xc3][0xa8]s du LDAP</description>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " <description lang="en">WSS X509 Authentication failed against LDAP</description>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " </detail>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " </soapenv:Fault>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> " </soapenv:Body>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "</soapenv:Envelope>"
[2019-06-13 16:53:09,484] [EI-Core] ERROR - AxisEngine The signature or decryption was invalid
org.apache.axis2.AxisFault: The signature or decryption was invalid
at org.apache.rampart.handler.RampartReceiver.setFaultCodeAndThrowAxisFault(RampartReceiver.java:194)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:96)
at org.apache.axis2.engine.Phase.invokeHandler(Phase.java:340)
at org.apache.axis2.engine.Phase.invoke(Phase.java:313)
at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:261)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:167)
at org.apache.synapse.transport.passthru.ClientWorker.run(ClientWorker.java:263)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:703)
at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:124)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
at org.apache.rampart.RampartEngine.process(RampartEngine.java:221)
at org.apache.rampart.handler.RampartReceiver.invoke(RampartReceiver.java:93)
... 9 more
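As an added example (not EI, Axis2 or Rampart code), the following Python reassembles an HTTPS-Sender wire trace of the shape shown in the comment above into the HTTP response it represents and reports what a signature verifier looks at before it can validate anything: the status code, whether a wsse:Security header is present, the SignatureMethod algorithm, and whether every ds:Reference URI resolves to an element carrying a matching wsu:Id. The trace in WIRE_LOG is constructed to mirror the one above; its ids, digests and SignatureValue are placeholders and the BinarySecurityToken is left out.

```python
import re
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed trace in the shape of the one in the comment: ids, digests and the
# SignatureValue are placeholders and the BinarySecurityToken is left out.
WIRE_LOG = r'''
[2019-06-13 16:53:09,475] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "HTTP/1.1 500 Internal Server Error[\r][\n]"
[2019-06-13 16:53:09,475] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "Content-Type: text/xml;charset=UTF-8[\r][\n]"
[2019-06-13 16:53:09,475] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "Connection: close[\r][\n]"
[2019-06-13 16:53:09,476] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "[\r][\n]"
[2019-06-13 16:53:09,476] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">[\n]"
[2019-06-13 16:53:09,476] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "<soapenv:Header><wsse:Security soapenv:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2019-06-13T14:53:09Z</wsu:Created><wsu:Expires>2019-06-13T14:58:09Z</wsu:Expires></wsu:Timestamp><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#body-1"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference><ds:Reference URI="#ts-1"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue></ds:Signature></wsse:Security></soapenv:Header>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "<soapenv:Body wsu:Id="body-1" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><soapenv:Fault><faultcode>soapenv:Client</faultcode>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "<faultstring>SECU-0104 - WSS X509 Authentication failed against LDAP</faultstring>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "<detail><description lang="fr">L'authentification a [0xc3][0xa9]chou[0xc3][0xa9]</description></detail>[\n]"
[2019-06-13 16:53:09,478] [EI-Core] DEBUG - wire HTTPS-Sender I/O dispatcher-2 >> "</soapenv:Fault></soapenv:Body></soapenv:Envelope>"
'''

WIRE_LINE = re.compile(r'^\[[^\]]*\] \[EI-Core\] DEBUG - wire (\S+) I/O dispatcher-\d+ (<<|>>) "(.*)"$')
# The trace prints CR/LF as [\r]/[\n] and every non-ASCII byte as [0xHH].
ESCAPE = re.compile(r"\[\\r\]|\[\\n\]|\[0x([0-9a-fA-F]{2})\]")


def reassemble(wire_log, direction=">>"):
    """Join the quoted fragments flowing in one direction back into raw wire bytes."""
    raw = bytearray()
    for line in wire_log.splitlines():
        m = WIRE_LINE.match(line)
        if not m or m.group(2) != direction:
            continue
        fragment, pos = m.group(3), 0
        for esc in ESCAPE.finditer(fragment):
            raw += fragment[pos:esc.start()].encode("utf-8")
            token = esc.group(0)
            if token == r"[\r]":
                raw += b"\r"
            elif token == r"[\n]":
                raw += b"\n"
            else:
                raw.append(int(esc.group(1), 16))
            pos = esc.end()
        raw += fragment[pos:].encode("utf-8")
    return bytes(raw)


def parse_http(raw):
    """Split raw response bytes into (status code, header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def triage(wire_log):
    """Report the facts a verifier needs before it can even attempt signature validation."""
    status, headers, body = parse_http(reassemble(wire_log))
    env = ET.fromstring(body)
    fault = f"{{{SOAP11}}}Body/{{{SOAP11}}}Fault"
    security = env.find(f"{{{SOAP11}}}Header/{{{WSSE}}}Security")
    report = {
        "status": status,
        "content_type": headers.get("content-type"),
        "has_security_header": security is not None,
        "signature_method": None,
        "unresolved_references": [],
        "faultstring": env.findtext(f"{fault}/faultstring"),
        "fault_detail_text": env.findtext(f"{fault}/detail/description"),
    }
    if security is not None:
        # Every ds:Reference must point at an element carrying a matching wsu:Id;
        # a dangling URI cannot be digested, let alone verified.
        ids = {el.get(f"{{{WSU}}}Id") for el in env.iter() if el.get(f"{{{WSU}}}Id")}
        sig = security.find(f"{{{DS}}}Signature")
        if sig is not None:
            method = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}SignatureMethod")
            report["signature_method"] = None if method is None else method.get("Algorithm")
            for ref in sig.iterfind(f"{{{DS}}}SignedInfo/{{{DS}}}Reference"):
                uri = ref.get("URI", "")
                if not uri.startswith("#") or uri[1:] not in ids:
                    report["unresolved_references"].append(uri)
    return report


if __name__ == "__main__":
    for key, value in triage(WIRE_LOG).items():
        print(f"{key}: {value}")
```

Only the inbound (">>") fragments are stitched together, so the same function can be pointed at an outbound ("<<") request by changing the direction argument. A non-empty unresolved_references list is one thing to rule out before looking at the truststore when Rampart reports "The signature or decryption was invalid", and the reported SignatureMethod makes it easy to notice, as in the trace above, when a partner still signs with rsa-sha1.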