JAVA - CXF WS-security “A security error was encountered when verifying the message”

Question

Sorry for this question, it can appear recurrent by I'm completely blocked. I'm trying to implement a Web Service Server on top of CXF framework. Jax-ws is very helpful to handle a web service, it's easy to implement it. But, the problem come when you want to introduce security.

To handle security in implement the following source code :

EndpointImpl jaxWsEndpoint = (EndpointImpl) Endpoint.publish(endPointAddress, httpWebService);
inProps.put("action", "UsernameToken Timestamp");
inProps.put("passwordType", "PasswordText");
inProps.put("passwordCallbackClass", "com.company.webService.PasswordListener");
jaxWsEndpoint.getInInterceptors().add(new WSS4JInInterceptor(inProps));

I push to this Web Service the following SOAP request :

...
<soapenv:Header>
   <wsse:Security soapenv:mustunderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:Usernametoken wsu:id="UsernameToken-27777511" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsse:Username>admin</wsse:Username>
        <wsse:Password type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pass</wsse:Password>
     </wsse:Usernametoken>
   </wsse:Security>
</soapenv:Header>
...

The CXF framework received my request try to handle the security part and throw me the following exception:

Jun 08, 2016 10:48:24 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor checkActions
WARNING: Security processing failed (actions mismatch)
Jun 08, 2016 10:48:24 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://httpAbstractHandlerImplementation.webService.company.co /}HttpWebServiceService has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:218)
at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:316)

If somebody have an idea where i have done an error.

Thanks

Answer 1

You have inProps.put("action", "UsernameToken Timestamp"); but no Timestamp in your security header. Either remove "Timestamp" from your actions or add the matching security header.

EDIT The message is quite clear "Security processing failed (actions mismatch)" So looking at your request reveals another mistake: It should be wsse:UsernameToken instead of wsse:Usernametoken as of the official spec.