Bug 796991

Summary: Add support for other types of security certificates to BinarySecurityToken
Product: [JBoss] JBoss Enterprise SOA Platform 5
Reporter: Jason Shepherd <jshepherd>
Component: JBossESB
Assignee: Kevin Conner <kevin.conner>
Status: CLOSED UPSTREAM
QA Contact: Gui Jospin <gjospin>
Severity: high
Priority: high
Version: unspecified
CC: jpechane, ldimaggi, mmusaji, soa-p-jira, tcunning
Target Milestone: ER1
Target Release: 5.3.0 GA
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
The org.jboss.soa.esb.services.security.auth.ws.BinarySecurityToken class has been made abstract, allowing users to implement Kerberos Token Profiles. The BinarySecurityToken has been made into an interface and is pluggable. To use, add a property to the security section of the jbossesb-properties.xml file containing your implementation class name.
Last Closed: 2025-02-10 03:19:08 UTC
Type: Feature Request
Bug Blocks: 801872    

Description Jason Shepherd 2012-02-24 00:59:19 UTC
Created attachment 565439: example project

Description of problem:
Implement a fix for this ESB problem in SOA-P 5

Version-Release number of selected component (if applicable):
ESB 4.10

How reproducible:
Use the attached example project.

Steps to Reproduce:
1. Deploy HttpGtwySec ESB Project to SOA-P 5.2 Standalone instance
2. Run the HttpGtwySecClient project with ant
3. Run the HttpGtwySecClient project with ant target 'test-v3' to see expected result
  
Actual results:
0:53:26,310 ERROR [[soap]] Servlet.service() for servlet soap threw exception
java.lang.IllegalStateException: Could not create certificate: 
	at org.jboss.soa.esb.services.security.auth.ws.BinarySecurityToken.setKey(BinarySecurityToken.java:89)
	at org.jboss.soa.esb.services.security.auth.ws.BinarySecurityTokenExtractor.extractBinarySecurityToken(BinarySecurityTokenExtractor.java:148)
	at org.jboss.soa.esb.services.security.auth.ws.BinarySecurityTokenExtractor.extractSecurityInfo(BinarySecurityTokenExtractor.java:105)
	at org.jboss.soa.esb.services.security.auth.ws.BinarySecurityTokenExtractor.extractSecurityInfo(BinarySecurityTokenExtractor.java:54)
	at org.jboss.soa.esb.services.security.auth.ExtractorUtil.extract(ExtractorUtil.java:59)
	at org.jboss.soa.esb.listeners.gateway.http.HttpMessageComposer.populateMessage(HttpMessageComposer.java:165)
	at org.jboss.soa.esb.listeners.gateway.http.HttpMessageComposer.populateMessage(HttpMessageComposer.java:79)
	at org.jboss.soa.esb.listeners.message.AbstractMessageComposer.compose(AbstractMessageComposer.java:76)
	at org.jboss.soa.esb.listeners.gateway.http.HttpGatewayServlet.processServiceRequest(HttpGatewayServlet.java:216)
	at org.jboss.soa.esb.listeners.gateway.http.HttpGatewayServlet.service(HttpGatewayServlet.java:195)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:183)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
	at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
	at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:182)
	at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:90)
	at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
	at org.jboss.soa.esb.services.security.auth.ws.BinarySecurityToken.setKey(BinarySecurityToken.java:85)
	... 30 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
	at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
	at sun.security.util.DerValue.<init>(DerValue.java:235)
	at sun.security.util.DerInputStream.getDerValue(DerInputStream.java:400)
	at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1708)
	at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:179)
	... 33 more

Expected results:
The request is printed in the server log

Additional info:
See https://issues.jboss.org/browse/JBESB-2460 for possible solution.

This case was raised by a Red Hat engineer via GSS in this support case:
https://c.na7.visual.force.com/apex/Case_View?id=500A00000091ml3

Comment 4 JBoss JIRA Server 2012-03-12 19:21:56 UTC
Tom Cunningham <tcunning> updated the status of jira JBESB-2460 to Resolved

Comment 5 JBoss JIRA Server 2012-03-12 19:21:56 UTC
Tom Cunningham <tcunning> made a comment on jira JBESB-2460

Make BinarySecurityToken an interface and make the implementation pluggable.
Adding a property to the security section of the jbossesb-properties.xml
containing your implementation class name makes it pluggable:

example:
        <property name="org.jboss.soa.esb.services.security.auth.ws.binarysecuritytoken.implementationClass" value="org.jboss.soa.esb.services.security.auth.ws.BinarySecurityTokenImpl" />
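
Added example, not the ESB's code or the JBESB-2460 patch: the stack trace in the description shows setKey passing the token bytes to the X.509 CertificateFactory, which rejects them, and the sketch below shows the kind of ValueType dispatch a pluggable implementation could perform instead. The class TokenDispatchExample and its decode method are hypothetical names; the ValueType URIs are those of the OASIS WSS X.509 and Kerberos token profiles, and Java 8 or later is assumed.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Base64;

public class TokenDispatchExample { // hypothetical class, not part of JBossESB
    // ValueType URIs from the OASIS WSS X.509 and Kerberos token profiles.
    static final String X509V3 =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
    static final String KRB5_AP_REQ =
        "http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";

    /** Returns an X509Certificate for X509v3 tokens, or the raw byte[] for Kerberos tokens. */
    static Object decode(String valueType, String base64Value) throws CertificateException {
        // The MIME decoder tolerates line breaks inside the XML text node.
        byte[] raw = Base64.getMimeDecoder().decode(base64Value);
        if (X509V3.equals(valueType)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return cf.generateCertificate(new ByteArrayInputStream(raw));
        }
        if (KRB5_AP_REQ.equals(valueType)) {
            // Keep the ticket opaque here; it still has to be validated
            // through GSS-API before any identity taken from it is trusted.
            return raw;
        }
        // Fail closed on unrecognised types instead of guessing a format.
        throw new CertificateException("Unsupported BinarySecurityToken ValueType: " + valueType);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: arbitrary non-certificate bytes standing in for a Kerberos token.
        String sample = Base64.getEncoder()
            .encodeToString(new byte[] {0x60, (byte) 0xff, 0x01, 0x02});

        Object krb = decode(KRB5_AP_REQ, sample);
        System.out.println("Kerberos token kept as " + ((byte[]) krb).length + " opaque bytes");

        try {
            decode(X509V3, sample); // same bytes forced through the X.509 parser
        } catch (CertificateException e) {
            System.out.println("X.509 parser rejected the token: " + e.getMessage());
        }
    }
}
```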

Comment 6 JBoss JIRA Server 2012-03-12 19:22:05 UTC
Tom Cunningham <tcunning> updated the status of jira JBESB-2460 to Closed

Comment 7 Rick Wagner 2012-03-19 21:33:11 UTC
Customer facing, so high priority please.

Comment 8 tcunning 2012-04-05 15:46:16 UTC
Should be in ER1, see JBESB-2460 for details.

Comment 9 Rick Wagner 2012-04-16 13:40:54 UTC
See JBESB-3780, addressed in svn commit r38019 on https://svn.jboss.org/repos/labs/labs/jbossesb/branches/JBESB_4_10_CP.

Comment 10 Filip Elias 2012-06-11 12:47:43 UTC
Verified in SOA-P 5.3 ER3

Comment 11 David Le Sage 2012-06-13 00:27:58 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The org.jboss.soa.esb.services.security.auth.ws.BinarySecurityToken class has been made abstract, allowing users to implement Kerberos Token Profiles. 
The BinarySecurityToken has been made into an interface and is pluggable. To use, add a property to the security section of the jbossesb-properties.xml file 
containing your implementation class name.

Comment 12 PnT Account Manager 2017-12-07 23:54:37 UTC
Employee 'felias' has left the company.

Comment 14 Red Hat Bugzilla 2025-02-10 03:19:08 UTC
This product has been discontinued or is no longer tracked in Red Hat Bugzilla.