I’m developing a REST/SOAP backend in SpringBoot 2.3.12, Spring Security, JWT and cxf-rt-ws-security.
Services cosumed by REST have JWT Security and SOAP services consume Rest services thru the core use cases (hexagonal architecture).
SOAP services have an Interceptor that makes the security with certificates only.
The thing is that i’m controlling the token authentication of SOAP services to acces to REST’s manually thus i don’t want spring security to interfiere in the soap security. But still the problem persists:
0748 --- [io-8080-exec-41] org.ehcache.core.EhcacheManager : Cache 'org.apache.cxf.ws.security.tokenstore.TokenStore-117706598' created in EhcacheManager.
2024-04-23 10:39:42.285 WARN TraceId:no_request 20748 --- [io-8080-exec-41] o.a.cxf.phase.PhaseInterceptorChain : Interceptor for {http://a.b.net/}AServiceImplService#{http://a.b.b.net/}Service has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:238) ~[cxf-rt-ws-security-3.6.2.jar:3.6.2]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:382) ~[cxf-rt-ws-security-3.6.2.jar:3.6.2]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:213) ~[cxf-rt-ws-security-3.6.2.jar:3.6.2]
.....
Caused by: org.apache.wss4j.common.ext.WSSecurityException: The security token could not be authenticated or authorized
at org.apache.wss4j.dom.validate.UsernameTokenValidator.verifyDigestPassword(UsernameTokenValidator.java:182) ~[wss4j-ws-security-dom-2.4.2.jar:2.4.2]
at org.apache.wss4j.dom.validate.UsernameTokenValidator.validate(UsernameTokenValidator.java:89) ~[wss4j-ws-security-dom-2.4.2.jar:2.4.2]
at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleUsernameToken(UsernameTokenProcessor.java:172) ~[wss4j-ws-security-dom-2.4.2.jar:2.4.2]
at org.apache.wss4j.dom.processor.UsernameTokenProcessor.handleToken(UsernameTokenProcessor.java:63) ~[wss4j-ws-security-dom-2.4.2.jar:2.4.2]
at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340) ~[wss4j-ws-security-dom-2.4.2.jar:2.4.2]
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:326) ~[cxf-rt-ws-security-3.6.2.jar:3.6.2]
I tried to solve the problem working on the security config rest class, telling spring security to avoid checking SOAP Interceptor by excluding the SOAP urls to have security but the error is always the same. This is my SecurityConfig:
@Override
protected void configure(HttpSecurity http) throws Exception {
http.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.authorizeRequests()
.antMatchers("/swagger-ui/**", "/v3/api-docs/**", "/swagger-ui.html", "/webjars/**").permitAll()
.antMatchers(ApiPaths.LOGIN).permitAll()
.antMatchers("/services/**").permitAll()
.anyRequest().authenticated();
}
I also tried with this but nothing:
@Override
public void configure(WebSecurity webSecurity) {
webSecurity.ignoring().antMatchers(IGNORED_PATHS);
}
I also don’t understand why the filter is always called at register, login and everytime there’s a call to those urls even tho i tell spring to not do it.
New contributor
bellaLi is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.