Currently I am using Spring WS (spring-ws-core:2.1.0.RELEASE)
I have setup global method security:
<security:global-method-security pre-post-annotations="enabled" secured-annotations="enabled"/>
I have an endpoint that throws an AccessDeniedException which I handle with SoapFaultMappingExceptionResolver like this:
<bean id="exceptionResolver"
class="org.springframework.ws.soap.server.endpoint.SoapFaultMappingExceptionResolver">
<property name="defaultFault" value="SERVER"/>
<property name="exceptionMappings">
<value>
org.springframework.security.access.AccessDeniedException=SENDER, 403 Forbidden
</value>
</property>
</bean>
I get the following response
<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope">
<env:Header/>
<env:Body>
<env:Fault>
<env:Code>
<env:Value>env:Sender</env:Value>
</env:Code>
<env:Reason>
<env:Text xml:lang="en">403 Forbidden</env:Text>
</env:Reason>
</env:Fault>
</env:Body>
</env:Envelope>
with an HTTP response code 500.
According to the spec soap 1.2 spec
it should return 400.
Is there a mistake on my part or ist just the way Spring WS handles it?
Related
I am getting 'Caused by: org.opensaml.xml.security.SecurityException: SAML message intended destination endpoint did not match recipient endpoint' exception while SSO between my app SP and client IdP.
Server log show the difference in schemas, see below:
Checking SAML message intended destination endpoint against receiver endpoint
2019-03-05 15:02:44.599 DEBUG [204 default task-41][BaseSAMLMessageDecoder] Intended message destination endpoint: https://my.app.com/app-gateway/saml/SSO
2019-03-05 15:02:44.599 DEBUG [204 default task-41][BaseSAMLMessageDecoder] Actual message receiver endpoint: http://my.app.com/app-gateway/saml/SSO
2019-03-05 15:02:44.600 ERROR [204 default task-41][BaseSAMLMessageDecoder] SAML message intended destination endpoint 'https://my.app.com/app-gateway/saml/SSO' did not match the recipient endpoint 'http://my.app.com/app-gateway/saml/SSO'
My application is running on STG on 2 instances with the LB in front, therefore I use SAMLContextProviderLB context provider instead of SAMLContextProviderImpl:
<bean id="contextProvider" class="org.springframework.security.saml.context.SAMLContextProviderLB">
<property name="scheme" value="https"/>
<property name="serverName" value="my.app.com"/>
<property name="serverPort" value="443"/>
<property name="includeServerPortInRequestURL" value="false"/>
<property name="contextPath" value="/app-gateway"/>
</bean>
<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
<constructor-arg>
<bean class="org.springframework.security.saml.metadata.MetadataGenerator">
<property name="entityBaseURL" value="https://my.app.com/app-gateway1"/>
<property name="entityId" value="${cas.sso.entityId}"/>
<property name="includeDiscoveryExtension" value="false"/>
<property name="extendedMetadata" ref="extendedMetadata"/>
<property name="keyManager" ref="keyManager"/>
</bean>
</constructor-arg>
</bean>
In the source code of getActualReceiverEndpointURI the receiver endpoint URL is being taken from request httpRequest obj. Thus, I am trying to understand at which step that wrong URL http://my.app.com/app-gateway/saml/SSO was set to it. Can anyone explain me it?
protected String getActualReceiverEndpointURI(SAMLMessageContext messageContext) throws MessageDecodingException {
InTransport inTransport = messageContext.getInboundMessageTransport();
if (! (inTransport instanceof HttpServletRequestAdapter)) {
log.error("Message context InTransport instance was an unsupported type: {}",
inTransport.getClass().getName());
throw new MessageDecodingException("Message context InTransport instance was an unsupported type");
}
HttpServletRequest httpRequest = ((HttpServletRequestAdapter)inTransport).getWrappedRequest();
StringBuffer urlBuilder = httpRequest.getRequestURL();
return urlBuilder.toString();
}
You might want to check the following page :
https://developer.jboss.org/thread/240113
I had a similar issue, even with X-Forwarded-Proto properly set on the LB, the request was still interpreted in http only.
The backend must be aware of the header.
add proxy-address-forwarding="true" on the http listener and two filter-ref
<http-listener name="default" socket-binding="http" proxy-address-forwarding="true"/>
<filter-ref name="server-header"/>
<filter-ref name="x-powered-by-header"/>
Hope this help,
For Apache Tomcat server, which is running behind AWS Application load balancer, need to enable the RemoteIPValue so that based on the x-forwarded-proto header, Tomcat will overwrite scheme(https) & port(443) accordingly.
In server.xml
<Valve className="org.apache.catalina.valves.RemoteIpValve" protocolHeader="X-Forwarded-Proto" internalProxies="10\.\d+\.\d+\.\d+|192\.168\.\d+\.\d+|169\.254\.\d+\.\d+|127\.\d+\.\d+\.\d+|172\.(1[6-9]|2[0-9]|3[0-1])\.\d+\.\d+" />
My case is as follows:
I wrote SOAP service using CXF
I wrote two SOAP clients - one using CXF and another using Spring-WS
I set up WSSecurity : "Timestamp Signature Encrypt" action on both sides (client / server)
CXF client works like charm, but Spring-WS cant decrypt response.
Server side is OK while interacting with CXF-client and Spring-client (it is properely decrypting, verifing signature, processing requests, sign, encrypt and finnaly send response).
Code:
CXF client:
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:jaxws="http://cxf.apache.org/jaxws" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd">
<bean id="inbound-logging" class="org.apache.cxf.interceptor.LoggingInInterceptor" />
<bean id="outbound-logging" class="org.apache.cxf.interceptor.LoggingOutInterceptor" />
<jaxws:client id="helloClient" serviceClass="com.example.HelloWorld"
address="http://localhost:8282/HelloWorld">
<jaxws:inInterceptors>
<ref bean="inbound-logging" />
<ref bean="inbound-security" />
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref bean="outbound-logging" />
<ref bean="outbound-security" />
</jaxws:outInterceptors>
</jaxws:client>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor" id="outbound-security">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="user" value="client"/>
<entry key="signaturePropFile" value="config/client-crypto.properties"/>
<entry key="encryptionPropFile" value="config/client-crypto.properties"/>
<entry key="signatureKeyIdentifier" value="DirectReference"/>
<entry key="encryptionUser" value="server"/>
<entry key="passwordCallbackClass" value="org.mydomain.ClientPasswordCallback"/>
<entry key="signatureParts" value="{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
<entry key="encryptionParts" value="{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"/>
<entry key="encryptionSymAlgorithm" value="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/>
</map>
</constructor-arg>
</bean>
<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor" id="inbound-security">
<constructor-arg>
<map>
<entry key="action" value="Timestamp Signature Encrypt"/>
<entry key="signaturePropFile" value="config/client-crypto.properties"/>
<entry key="decryptionPropFile" value="config/client-crypto.properties"/>
<entry key="passwordCallbackClass" value="org.mydomain.CustomPasswordCallback"/>
</map>
</constructor-arg>
</bean>
Spring-WS client - wss-interceptor :
#Bean
public Wss4jSecurityInterceptor wssInterceptor(
#Qualifier("cryptoFactoryBean") CryptoFactoryBean cryptoFactoryBean,
#Qualifier("signValidCryptoFactoryBean") CryptoFactoryBean signValidCryptoFactoryBean) throws Exception {
Wss4jSecurityInterceptor interceptor = new Wss4jSecurityInterceptor();
// outgoing securement
interceptor.setSecurementUsername("client");
interceptor.setSecurementPassword("123456");
interceptor.setSecurementSignatureKeyIdentifier("DirectReference");
interceptor.setSecurementActions("Timestamp Signature Encrypt");
interceptor.setSecurementSignatureCrypto(cryptoFactoryBean.getObject());
interceptor.setSecurementSignatureParts(
"{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;" +
"{Element}{http://schemas.xmlsoap.org/soap/envelope/}Body"
);
interceptor.setSecurementEncryptionCrypto(cryptoFactoryBean.getObject());
interceptor.setSecurementEncryptionUser("server");
interceptor.setSecurementEncryptionSymAlgorithm("http://www.w3.org/2001/04/xmlenc#tripledes-cbc");
interceptor.setSecurementEncryptionParts(
"{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;" +
"{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body"
);
// incoming validation:
interceptor.setValidationActions("Timestamp Signature Encrypt");
interceptor.setValidationDecryptionCrypto(cryptoFactoryBean.getObject());
interceptor.setValidationSignatureCrypto(signValidCryptoFactoryBean.getObject());
return interceptor;
}
Logging level is set to debug. Here is the result:
(... - logs related with encrypting data befrore send )
2015-08-09 19:09:45.181 DEBUG WSSecEncrypt:258 - Encryption complete.
2015-08-09 19:09:45.182 DEBUG sent:620 - Sent request [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData]
2015-08-09 19:09:45.223 DEBUG received:678 - Received response [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData] for request [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData]
2015-08-09 19:09:45.224 DEBUG Wss4jSecurityInterceptor:562 - Validating message [SaajSoapMessage {http://www.w3.org/2001/04/xmlenc#}EncryptedData] with actions [Timestamp Signature Encrypt]
2015-08-09 19:09:45.225 DEBUG WSSecurityEngine:236 - enter processSecurityHeader()
2015-08-09 19:09:45.229 WARN Wss4jSecurityInterceptor:281 - Could not validate request: No WS-Security header found
2015-08-09 19:09:45.229 DEBUG Wss4jSecurityInterceptor:288 - No exception resolver present, creating basic soap fault
Exception in thread "main" org.springframework.oxm.UnmarshallingFailureException: JAXB unmarshalling exception; nested exception is javax.xml.bind.UnmarshalException: unexpected element (uri:"http://schemas.xmlsoap.org/soap/envelope/", local:"Fault"). Expected elements are <{}helloRequest>,<{http://example.com}helloResponse>
at org.springframework.oxm.jaxb.Jaxb2Marshaller.convertJaxbException(Jaxb2Marshaller.java:809)
at org.springframework.oxm.jaxb.Jaxb2Marshaller.unmarshal(Jaxb2Marshaller.java:730)
at org.springframework.ws.support.MarshallingUtils.unmarshal(MarshallingUtils.java:62)
at org.springframework.ws.client.core.WebServiceTemplate$3.extractData(WebServiceTemplate.java:407)
at org.springframework.ws.client.core.WebServiceTemplate.doSendAndReceive(WebServiceTemplate.java:596)
at org.springframework.ws.client.core.WebServiceTemplate.sendAndReceive(WebServiceTemplate.java:537)
at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:384)
at org.springframework.ws.client.core.WebServiceTemplate.marshalSendAndReceive(WebServiceTemplate.java:374)
at client.Main.main(Main.java:39)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
Caused by: javax.xml.bind.UnmarshalException: unexpected element (uri:"http://schemas.xmlsoap.org/soap/envelope/", local:"Fault"). Expected elements are <{}helloRequest>,<{http://example.com}helloResponse>
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext.handleEvent(UnmarshallingContext.java:726)
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Loader.reportError(Loader.java:247)
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Loader.reportError(Loader.java:242)
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.Loader.reportUnexpectedChildElement(Loader.java:109)
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext$DefaultRootLoader.childElement(UnmarshallingContext.java:1131)
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext._startElement(UnmarshallingContext.java:556)
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallingContext.startElement(UnmarshallingContext.java:538)
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.InterningXmlVisitor.startElement(InterningXmlVisitor.java:60)
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.SAXConnector.startElement(SAXConnector.java:153)
at com.sun.xml.internal.bind.unmarshaller.DOMScanner.visit(DOMScanner.java:229)
at com.sun.xml.internal.bind.unmarshaller.DOMScanner.scan(DOMScanner.java:112)
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal0(UnmarshallerImpl.java:354)
at com.sun.xml.internal.bind.v2.runtime.unmarshaller.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:337)
at javax.xml.bind.helpers.AbstractUnmarshallerImpl.unmarshal(AbstractUnmarshallerImpl.java:127)
at org.springframework.oxm.jaxb.Jaxb2Marshaller.unmarshal(Jaxb2Marshaller.java:726)
... 12 more
It looks like Spring is trying to process response without decrypting it earlier.
I've found solution to the problem. I didn't set password callback, so wss4j-interceptor couldn't decrypt response. Here is code that fix the issue:
KeyStoreCallbackHandler keyStoreCallbackHandler = new KeyStoreCallbackHandler();
keyStoreCallbackHandler.setPrivateKeyPassword("123456");
interceptor.setValidationCallbackHandler(keyStoreCallbackHandler);
You are receiving a soap fault from the other party. Soap fault messages are not encrypted this is why Wss4jSecurityInterceptor is complaining about the ws-security header.
2015-08-09 19:09:45.229 WARN Wss4jSecurityInterceptor:281 -
**Could not validate request: No WS-Security header found**
It seems also that the processing of the message continue while it should normaly stops. The JAXB marshaller complains that (uri:"http://schemas.xmlsoap.org/soap/envelope/", local:"Fault") is not from the context.
2015-08-09 19:09:45.229 DEBUG Wss4jSecurityInterceptor:288 -
No exception resolver present, creating basic soap fault
Exception in thread "main"
org.springframework.oxm.UnmarshallingFailureException:
JAXB unmarshalling exception; nested exception is
javax.xml.bind.UnmarshalException: unexpected element
(uri:"http://schemas.xmlsoap.org/soap/envelope/", local:"Fault").
Expected elements are <{}helloRequest>,<{http://example.com}helloResponse>
I would recommend the following:
Log the soap fault to determine what the other party needs
Whenever you receive a soap fault, you should stop processing the request
KeyStoreCallbackHandler wasn't defined for the interceptor - that was the case. Appropriate code in the initial post.
This question already has answers here:
Why does Spring MVC respond with a 404 and report "No mapping found for HTTP request with URI [...] in DispatcherServlet"?
(13 answers)
Closed 6 years ago.
I'm aware that there are loads of questions on the topic but none of the solutions i found here worked for me.
I'm using Spring with Jetty 6 so i don't have a web.xml file. The mapping for the spring dispatcher servlet is set to "/" in jetty's config
dispatcher:
<bean class="org.mortbay.jetty.servlet.ServletHolder">
<property name="name" value="spring" />
<property name="servlet">
<bean class="org.springframework.web.servlet.DispatcherServlet" />
</property>
<property name="initParameters">
<map>
<entry key="contextConfigLocation" value="classpath:com/project/config/spring-servlet.xml" />
</map>
</property>
</bean>
... mapping:
<bean class="org.mortbay.jetty.servlet.ServletMapping">
<property name="servletName" value="spring"></property>
<property name="pathSpec" value="/"></property>
</bean>
The spring-servlet.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="..." ...>
<context:component-scan base-package="com.project.web" />
<mvc:annotation-driven />
<bean
class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="prefix">
<value>/WEB-INF/pages/</value>
</property>
<property name="suffix">
<value>.jsp</value>
</property>
</bean>
</beans>
And i have a simple controller called HelloController:
#Controller
public class HelloController {
#RequestMapping(method = RequestMethod.GET, value="/welcome")
public String sayHello(ModelMap model){
model.addAttribute("message", "Spring 3 MVC Hello World");
return "hello";
}
}
Reading the logs it seem to work but i get the following error:
No mapping found for HTTP request with URI [/WEB-INF/pages/hello.jsp] in DispatcherServlet with name 'spring'
which i don't understand. it maps the "/welcome" to /WEB-INF/pages/hello.jsp but it still says page cannot be found, which is just there where it seems to look for it. I added the WEB-INF folder to the classpath but it's still the same. Do you have any idea why's that?
Are you sure the package name is correct in this?
<context:component-scan base-package="com.project.web" />
The request mapping path in the controller is relative to your http://your-domain/your-app/. If your app name is welcome use url http://localhost:25001/welcome/welcome or change the requestmapping to #RequestMapping(method = RequestMethod.GET, value="/") so you can use url http://localhost:25001/welcome
Is your hello.jsp directly under WEB-INF/pages?
Can you change the Dispatcher Servlet mapping to this and try
<property name="pathSpec" value="*.html"></property>
Iam wrote simple spring mvc apps.But I unable to redirect one page to another page. I mentioned code snippet below
Claims-servlet.xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.5.xsd">
<bean id="urlMapping" class="org.springframework.web.servlet.handler.SimpleUrlHandlerMapping">
<property name="mappings">
<props><prop key="/loginpage.htm">loginFormController</prop></props>
</property>
</bean>
<bean id="loginFormController" class="com.aims.controller.LoginFormController">
<property name="sessionForm"><value>true</value></property>
<property name="commandName"><value>LoginFormCommand</value></property>
<property name="commandClass"><value>com.aims.commands.LoginFormCommand</value></property>
<property name="validator"><ref bean="loginformValidator"/></property>
<property name="formView"><value>loginpage</value></property>
<property name="successView"><value>body</value></property>
</bean>
<bean id="loginformValidator" class="com.aims.validator.LoginFormValidator"/>
<bean id="viewResolver" class="org.springframework.web.servlet.view.InternalResourceViewResolver">
<property name="viewClass"><value>org.springframework.web.servlet.view.JstlView</value></property>
<property name="suffix"><value>.jsp</value></property>
</bean>
</beans>
Controller:
public class LoginFormController extends SimpleFormController {
public ModelAndView onSubmit(Object command, BindException bindException) throws Exception {
System.out.println("LoginFormController:onSubmit============");
LoginFormCommand loginform = (LoginFormCommand) command;
System.out.println("username" + loginform.getUsername() + "Password"
+ loginform.getPassword());
return new ModelAndView(new RedirectView("/WEB-INF/view/jsp/"
+ getSuccessView()));
}}
I have two jsp one is
Webroot>loginpage.jsp
view->jsp>body.jsp
When the browser opens its automatically called loginpage.jsp(web.xml>welecome-file) and after success iam trying to call view->jsp>body.jsp.But it doesn't move to body.jsp.Please need help.
With a redirect view, you must specify the actual URL of the target, not a path to an internal jsp. Instead of rendering a jsp, Spring MVC will redirect the user to this URL.
Example: new ModelAndView(new RedirectView("/example/helloworld.html")).
Of course, the target has to exist.
I am using a spring-ws client to invoke a web service in two way ssl mode. I need to make sure that I don't end up creating a new connection everytime - instead I re-use connections.
I did some re-search and found that by default HTTP 1.1 always makes persistent http(s) connections. Is that true?
Do I need any piece of code in my client to ensure connections are persistent? How can I check if the connections are persistent or if a new connection is being created vereytime I send a new request ?
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oxm="http://www.springframework.org/schema/oxm"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd http://www.springframework.org/schema/oxm http://www.springframework.org/schema/oxm/spring-oxm-3.0.xsd">
<bean id="messageFactory" class="org.springframework.ws.soap.saaj.SaajSoapMessageFactory"/>
<bean id="webServiceTemplate" class="org.springframework.ws.client.core.WebServiceTemplate">
<constructor-arg ref="messageFactory"/>
<property name="marshaller" ref="jaxb2Marshaller" />
<property name="unmarshaller" ref="jaxb2Marshaller" />
<property name="messageSender" ref="httpSender" />
</bean>
<bean id="httpSender" class="org.springframework.ws.transport.http.CommonsHttpMessageSender">
</bean>
<oxm:jaxb2-marshaller id="jaxb2Marshaller" contextPath="com.nordstrom.direct.oms.webservices.addressval" />
<bean id="Client" class="test.ClientStub">
<property name="webServiceTemplate" ref="webServiceTemplate" />
</bean>
</beans>
HTTP/1.1 has connection keep-alive but the server can decide to close it after a number of requests or does not support keep-alive
The easiest way to check is to use tcpdump or wireshark and check for SYN [S] flags. Thats new connections.
I am using the following and on J2SE 1.6 jdk it did not create any new sockets across multiple requests. The server did not send the Connection: Keep-Alive header but connections were kept alive anyway.
Bean configuration:
<bean id="wsHttpClient" factory-bean="customHttpClient"
factory-method="getHttpClient" />
<bean id="messageSender"
class="org.springframework.ws.transport.http.CommonsHttpMessageSender"
p:httpClient-ref="wsHttpClient" />
Java Code:
import org.apache.commons.httpclient.*;
import org.springframework.stereotype.*;
#Component public class CustomHttpClient {
private final HttpClient httpClient;
public CustomHttpClient() {
httpClient = new HttpClient(new MultiThreadedHttpConnectionManager());
httpClient.getParams().setParameter("http.protocol.content-charset",
"UTF-8");
httpClient.getHttpConnectionManager().getParams()
.setConnectionTimeout(60000);
httpClient.getHttpConnectionManager().getParams().setSoTimeout(60000);
httpClient.setHostConfiguration(new HostConfiguration());
}
public HttpClient getHttpClient() {
return httpClient;
}
}