Hi,
I'm trying to use the library from https://github.com/DinoChiesa/ApigeeEdge-Java-WsSec-Signature to verify incoming requests signed with Ws Security signing. I have installed the example-bundle with the importAndDeploy tool.
I keep on getting the "Could not initialize class org.apache.wss4j.dom.engine.WSSConfig" error while performing the /verify use cases, while all jars are installed in the resource folder through the tool.
Any hints on how to resolve this?
Thanks,
Eelco
Between the time I posted the original Ws-Security callout and now, something has changed in the MP to prevent the initialization of the WSS4J library within a Java Callout. This is preventing the callout from working correctly. At the moment the runtime error is not "handle-able" or "catchable" by your own Java code.
I don't have a good suggestion for a solution at this time.
I could suggest using a Hosted Target with nodejs code, but there are no good, proven WS-Sec libraries for nodejs, that I have been able to find. Also, the Hosted Target does not allow the use of non-JavaScript runtimes at the moment, so... no Java, no .NET. Either of those would be able to handle WS-Security, but you cannot use them in a Hosted Target, for now anyway.
I suggest opening a ticket with Apigee Support and requesting
Sorry I don't have a better answer!
Update
As of October 2019, there is now a new, different callout that will work for this purpose.
https://github.com/DinoChiesa/ApigeeEdge-Java-WsSec-Signature-2
Hi, I wrote that callout jar. Maybe I can help you.
It's hard to know why you're experiencing the problem, without further details.
Most often, the problem is the WSS4J configuration cannot be read properly. This could be because the crypto.properties file is not included in the expected location, or because it has incorrect information, or the key is missing. The second common cause of problems is a Java security permissions error.
Some questions to help diagnose.
Thanks @Dino-at-Google, actually, I just deployed the example-bundle as described in the readme documentation, without any further changes. In that bundle, I don't see any crypto.properties either.
Can you point me to any documentation how to fill that one?
Thanks,
Eelco
While looking further in the Trace, I see the following:
Properties | |
---|---|
error | Could not initialize class org.apache.wss4j.dom.engine.WSSConfig |
type | ErrorPoint |
state | PROXY_REQ_FLOW |
error.class | java.lang.NoClassDefFoundError |
Identifier | fault |
So it appears the correct jar cannot be loaded?
Either the jar containing WSSConfig is missing, or a different jar containing a dependency required by that class.
You need to check the contents of the resources/java directory in your proxy to make sure all the required jars are present there. The list of jars is:
commons-lang3-3.7.jar
edge-wssec-sign-x509-1.0.4.jar
wss4j-bindings-2.2.1.jar
wss4j-ws-security-common-2.2.1.jar
wss4j-ws-security-dom-2.2.1.jar
wss4j-ws-security-stax-2.2.1.jar
xmlsec-2.1.1.jar
Do you have all of those?
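An added Java example (not part of the thread and not the callout's own code) showing how the JVM produces the "Could not initialize class" form of NoClassDefFoundError seen in the trace: the class was located, but its static initializer failed on an earlier use, and only that first failure carries the real cause. The class names and the simulated SecurityException are hypothetical.

```java
// Added illustration; class names and the simulated failure are hypothetical.
public class InitFailureDemo {

    // Stands in for a library class whose static initializer needs something
    // the runtime refuses (a permission, or a dependency that is not loadable).
    static class FragileConfig {
        // Not a compile-time constant, so reading it triggers class initialization.
        static final String VALUE = load();

        private static String load() {
            // Simulated failure during static initialization.
            throw new SecurityException("access denied (simulated)");
        }
    }

    // Touches the class and reports what the JVM throws for this attempt.
    static String touch() {
        try {
            return "ok: " + FragileConfig.VALUE;
        } catch (ExceptionInInitializerError e) {
            // First use: the underlying cause is still attached.
            return "ExceptionInInitializerError, cause=" + e.getCause();
        } catch (NoClassDefFoundError e) {
            // Later uses: the class is marked unusable and the JVM reports
            // "Could not initialize class ..." even though the class file exists.
            return "NoClassDefFoundError: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("1st use -> " + touch());
        System.out.println("2nd use -> " + touch());
    }
}
```

When a trace shows only the second form, the earliest failure in the runtime's logs is the one that names the cause.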
Yes, they're all there. They were installed through your importAndDeploy tool from the repo.
Can you "git pull" from the repo, and then show your policy configuration please?
Yes, one of the policies is below. It is completely untouched from your example-bundle. The error appears on all the different signing and verifying policies by the way.
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JavaCallout name="Java-VerifySignature-BYOJKS">
  <Properties>
    <Property name="alias">my-key-alias</Property>
    <Property name="password">Secret123</Property>
    <Property name="jks-base64">...</Property>
  </Properties>
  <ClassName>com.google.apigee.callout.wssec.SOAPVerifier</ClassName>
  <ResourceURL>java://edge-wssec-sign-x509-1.0.4.jar</ResourceURL>
</JavaCallout>
```
@Dino-at-Google: any more hints for this one would be much appreciated.
Hi @Dino-at-Google, I just tried the same. I just downloaded and deployed the example-bundle in a demo org. It shows the same behavior as Eelco explained.
I've been away. Let me look again.
Hi @dchiesa1, good day! Many thanks for your active support to these query items and thanks to all involved on this post!
I was wondering if the bugs cited for https://github.com/DinoChiesa/ApigeeEdge-Java-WsSec-Signature-2 are updated? I've been following community posts related to this thread and looking for a solution that offers verification of an xml digital signature with SHA-256.
Appreciate all the help!
Thank you!
Hi Pauljosh - I don't know what you mean by "bugs cited". I guess you are talking about the discussion in the thread. But what specifically are you asking about? Right now I know of no bugs in the callout that prevent its use for signing and validating.
The callout you cited can sign or validate, using RSA keys. The README states:
Signing or validating with RSA-SHA1 (http://www.w3.org/2000/09/xmldsig#rsa-sha1) or RSA-SHA256 (http://www.w3.org/2001/04/xmldsig-more#rsa-sha256). The latter is highly recommended.
using a digest method of sha1 (http://www.w3.org/2000/09/xmldsig#sha1) or sha256 (http://www.w3.org/2001/04/xmlenc#sha256). The latter is highly recommended.
So I think that may cover your case. Let me know if not. (Please open a NEW THREAD)
Hi Dchiesa1, good day! I have created another post for my concern item.
Kindly refer to this link: https://www.googlecloudcommunity.com/gc/Apigee/Ws-Security-signature-verification-follow-up-question...
Many thanks!