Bug 796991 - Add support for other types of security certificates to BinarySecurityToken
Status: VERIFIED
Product: JBoss Enterprise SOA Platform 5
Classification: JBoss
Component: JBossESB
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ER1
Target Release: 5.3.0 GA
Assigned To: Kevin Conner
QA Contact: Filip Elias
Blocks: 801872
Reported: 2012-02-23 19:59 EST by Jason Shepherd
Modified: 2012-06-12 23:37 EDT
Doc Type: Bug Fix
Doc Text:
The org.jboss.soa.esb.services.security.auth.ws.BinarySecurityToken class has been made abstract, allowing users to implement Kerberos Token Profiles. The BinarySecurityToken has been made into an interface and is pluggable. To use, add a property to the security section of the jbossesb-properties.xml file containing your implementation class name.
Type: Feature Request
External Trackers
Tracker: JBoss Issue Tracker
ID: JBESB-2460
Priority: Major
Status: Closed
Summary: BinarySecurityToken class hardwired to X.509 certificates
Last Updated: 2014-04-02 13:43:03 EDT

Description Jason Shepherd 2012-02-23 19:59:19 EST
Created attachment 565439: example project

Description of problem:
Implement a fix for this ESB problem in SOA-P 5

Version-Release number of selected component (if applicable):
ESB 4.10

How reproducible:
Use the attached example project.

Steps to Reproduce:
1. Deploy HttpGtwySec ESB Project to SOA-P 5.2 Standalone instance
2. Run the HttpGtwySecClient project with ant
3. Run the HttpGtwySecClient project with ant target 'test-v3' to see expected result
  
Actual results:
0:53:26,310 ERROR [[soap]] Servlet.service() for servlet soap threw exception
java.lang.IllegalStateException: Could not create certificate: 
	at org.jboss.soa.esb.services.security.auth.ws.BinarySecurityToken.setKey(BinarySecurityToken.java:89)
	at org.jboss.soa.esb.services.security.auth.ws.BinarySecurityTokenExtractor.extractBinarySecurityToken(BinarySecurityTokenExtractor.java:148)
	at org.jboss.soa.esb.services.security.auth.ws.BinarySecurityTokenExtractor.extractSecurityInfo(BinarySecurityTokenExtractor.java:105)
	at org.jboss.soa.esb.services.security.auth.ws.BinarySecurityTokenExtractor.extractSecurityInfo(BinarySecurityTokenExtractor.java:54)
	at org.jboss.soa.esb.services.security.auth.ExtractorUtil.extract(ExtractorUtil.java:59)
	at org.jboss.soa.esb.listeners.gateway.http.HttpMessageComposer.populateMessage(HttpMessageComposer.java:165)
	at org.jboss.soa.esb.listeners.gateway.http.HttpMessageComposer.populateMessage(HttpMessageComposer.java:79)
	at org.jboss.soa.esb.listeners.message.AbstractMessageComposer.compose(AbstractMessageComposer.java:76)
	at org.jboss.soa.esb.listeners.gateway.http.HttpGatewayServlet.processServiceRequest(HttpGatewayServlet.java:216)
	at org.jboss.soa.esb.listeners.gateway.http.HttpGatewayServlet.service(HttpGatewayServlet.java:195)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:183)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:95)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
	at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:599)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:451)
	at java.lang.Thread.run(Thread.java:662)
Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
	at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:182)
	at sun.security.provider.X509Factory.engineGenerateCertificate(X509Factory.java:90)
	at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:305)
	at org.jboss.soa.esb.services.security.auth.ws.BinarySecurityToken.setKey(BinarySecurityToken.java:85)
	... 30 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
	at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
	at sun.security.util.DerValue.<init>(DerValue.java:235)
	at sun.security.util.DerInputStream.getDerValue(DerInputStream.java:400)
	at sun.security.x509.X509CertImpl.parse(X509CertImpl.java:1708)
	at sun.security.x509.X509CertImpl.<init>(X509CertImpl.java:179)
	... 33 more

Expected results:
The request is printed in the server log

Additional info:
See https://issues.jboss.org/browse/JBESB-2460 for possible solution.

This case was raised by a Red Hat engineer via GSS in this support case:
https://c.na7.visual.force.com/apex/Case_View?id=500A00000091ml3
Comment 4 JBoss JIRA Server 2012-03-12 15:21:56 EDT
Tom Cunningham <tcunning@redhat.com> updated the status of jira JBESB-2460 to Resolved
Comment 5 JBoss JIRA Server 2012-03-12 15:21:56 EDT
Tom Cunningham <tcunning@redhat.com> made a comment on jira JBESB-2460

Make BinarySecurityToken an interface and make the implementation pluggable.
Adding a property to the security section of the jbossesb-properties.xml
containing your implementation class name makes it pluggable:

Example:
        <property name="org.jboss.soa.esb.services.security.auth.ws.binarysecuritytoken.implementationClass" value="org.jboss.soa.esb.services.security.auth.ws.BinarySecurityTokenImpl" />
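
The failure in the stack trace and the pluggable fix described in Comment 5, as an added Java example that is not the ESB's own code: an X.509-only parser rejects a non-certificate token, and a class named in the property is loaded only after it is checked against the expected contract. `PluggableTokenDemo`, `TokenParser`, `X509Parser` and `OpaqueParser` are hypothetical names, and a `java.util.Properties` object stands in for jbossesb-properties.xml.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Properties;

public class PluggableTokenDemo {
    // Property name from the comment above; Properties stands in for jbossesb-properties.xml.
    static final String IMPL_PROPERTY =
        "org.jboss.soa.esb.services.security.auth.ws.binarysecuritytoken.implementationClass";

    /** Hypothetical contract for this demo; not the ESB's BinarySecurityToken interface. */
    public interface TokenParser {
        String describe(byte[] decodedToken) throws Exception;
    }
    /** X.509-only handling: every token is handed to the X.509 certificate factory. */
    public static class X509Parser implements TokenParser {
        public String describe(byte[] der) throws CertificateException {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return cf.generateCertificate(new ByteArrayInputStream(der)).getType();
        }
    }
    /** Hypothetical non-X.509 handler that keeps the token as opaque bytes. */
    public static class OpaqueParser implements TokenParser {
        public String describe(byte[] raw) {
            return "opaque token of " + raw.length + " bytes";
        }
    }

    /** Loads the configured class uninitialised and rejects anything that is not a TokenParser. */
    static TokenParser load(Properties props) throws ReflectiveOperationException {
        String name = props.getProperty(IMPL_PROPERTY, X509Parser.class.getName());
        Class<?> cls = Class.forName(name, false, PluggableTokenDemo.class.getClassLoader());
        if (!TokenParser.class.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(name + " does not implement TokenParser");
        }
        return cls.asSubclass(TokenParser.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        byte[] token = {0x01, 0x02, 0x03, 0x04};   // constructed bytes, not a DER certificate
        Properties props = new Properties();
        try {
            load(props).describe(token);            // default implementation: X.509 only
        } catch (CertificateException e) {
            System.out.println("X.509 parser rejected token: " + e.getMessage());
        }
        props.setProperty(IMPL_PROPERTY, OpaqueParser.class.getName());
        System.out.println(load(props).describe(token));
    }
}
```

Passing `false` to `Class.forName` defers static initialisation, so a misconfigured class name fails the type check before any of its code runs.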
Comment 6 JBoss JIRA Server 2012-03-12 15:22:05 EDT
Tom Cunningham <tcunning@redhat.com> updated the status of jira JBESB-2460 to Closed
Comment 7 Rick Wagner 2012-03-19 17:33:11 EDT
Customer facing, so high priority please.
Comment 8 tcunning 2012-04-05 11:46:16 EDT
Should be in ER1, see JBESB-2460 for details.
Comment 9 Rick Wagner 2012-04-16 09:40:54 EDT
See JBESB-3780, addressed in svn commit r38019 on https://svn.jboss.org/repos/labs/labs/jbossesb/branches/JBESB_4_10_CP.
Comment 10 Filip Elias 2012-06-11 08:47:43 EDT
Verified in SOA-P 5.3 ER3
Comment 11 David Le Sage 2012-06-12 20:27:58 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The org.jboss.soa.esb.services.security.auth.ws.BinarySecurityToken class has been made abstract, allowing users to implement Kerberos Token Profiles. 
The BinarySecurityToken has been made into an interface and is pluggable. To use, add a property to the security section of the jbossesb-properties.xml file 
containing your implementation class name.
