Web service client using WS-Security fails when calling an EAP 6 endpoint with "WSSecurityException: An invalid security token was provided". Calling a WCF endpoint returns "An item with the same key has already been added"

Solution Verified - Updated -

Issue

  • My web service client is using WS-Security to contact an endpoint running on JBoss EAP 6. When a request is sent, this exception is thrown on the server:
13:00:39,038 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] (http-xxx.xxx.example.com/135.153.58.72:8280-1) Interceptor for {http://xxx.example.com/soapheader/inband}InBandSoapHeaderService has thrown exception, unwinding now: org.apache.cxf.interceptor.Fault: An invalid security token was provided (An error happened processing a Username Token "{0}")
        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.processUsernameToken(UsernameTokenInterceptor.java:163) [cxf-rt-ws-security-2.4.6-redhat-1.jar:2.4.6-redhat-1]
        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.handleMessage(UsernameTokenInterceptor.java:118) [cxf-rt-ws-security-2.4.6-redhat-1.jar:2.4.6-redhat-1]
        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.handleMessage(UsernameTokenInterceptor.java:76) [cxf-rt-ws-security-2.4.6-redhat-1.jar:2.4.6-redhat-1]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263) [cxf-api-2.4.6-redhat-1.jar:2.4.6-redhat-1]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-rt-core-2.4.6-redhat-1.jar:2.4.6-redhat-1]
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207) [cxf-rt-transports-http-2.4.6-redhat-1.jar:2.4.6-redhat-1]
        at org.jboss.wsf.stack.cxf.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:91)
        at org.jboss.wsf.stack.cxf.transport.ServletHelper.callRequestHandler(ServletHelper.java:169)
        at org.jboss.wsf.stack.cxf.CXFServletExt.invoke(CXFServletExt.java:87)
Caused by: org.apache.ws.security.WSSecurityException: An invalid security token was provided (An error happened processing a Username Token "{0}")
        at org.apache.ws.security.message.token.UsernameToken.checkBSPCompliance(UsernameToken.java:1078) [wss4j-1.6.5-redhat-1.jar:]
        at org.apache.ws.security.message.token.UsernameToken.<init>(UsernameToken.java:154) [wss4j-1.6.5-redhat-1.jar:]
        at org.apache.ws.security.message.token.UsernameToken.<init>(UsernameToken.java:95) [wss4j-1.6.5-redhat-1.jar:]
        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.parseTokenAndCreatePrincipal(UsernameTokenInterceptor.java:204) [cxf-rt-ws-security-2.4.6-redhat-1.jar:2.4.6-redhat-1]
        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.getPrincipal(UsernameTokenInterceptor.java:196) [cxf-rt-ws-security-2.4.6-redhat-1.jar:2.4.6-redhat-1]
        at org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor.processUsernameToken(UsernameTokenInterceptor.java:133) [cxf-rt-ws-security-2.4.6-redhat-1.jar:2.4.6-redhat-1]
        ... 27 more
  • Here is a sample SOAP message:
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <ns2:Security xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xs" xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:ns3="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:ns4="http://www.w3.org/2000/09/xmldsig#" xmlns:ns5="http://schemas.iona.com/saml" xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns7="http://www.w3.org/2001/04/xmlenc#" xmlns:ns8="http://schemas.iona.com/saml2">
      <ns2:UsernameToken>
        <ns2:Username>jbosswsse</ns2:Username>
        <ns2:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">klape</ns2:Password>
        <ns2:Nonce>/sAPV6kz/NKJamcFKMvWFw==</ns2:Nonce>
        <ns1:Created>2012-09-21T18:00:36Z</ns1:Created>
      </ns2:UsernameToken>
    </ns2:Security>
  </soap:Header>
  <soap:Body>
    <ns2:FooRequest xmlns="http://jboss.org/" xmlns:ns2="http://jboss.org">
      <ns2:Body>the Foo request body</ns2:Body>
    </ns2:FooRequest>
  </soap:Body>
</soap:Envelope>
  • Calling a WCF endpoint from JBoss I get the error returned "ArgumentException: An item with the same key has already been added.". There is no further information from the server and we don't have access to the payload or stack trace from the server side.

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.x
  • JBossWS-CXF

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content