1
votes

I'm trying to build a web service using ESB from WSO2. My service uses a data service to get data from a database, so I need to connect the ESB with the DSS. When the proxy and the data service aren't secured they work ok, but when they are secured I get the following error

  <soapenv:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
     <faultcode>wsse:InvalidSecurity</faultcode>
     <faultstring>Nonce value : 8/BKMsFNs2gTJ58FXyV43Q==, already seen before for user name : UsuarioPrueba1. Possibly this could be a replay attack.</faultstring>
     <detail/>
  </soapenv:Fault>

Securing the data service but not the proxy works ok. I send the UsernameToken with the user and password created in Users and Roles on the ESB and the DSS.


1 Answer

1
votes

One possible scenario where we could get this error is if we are using the header mediator to send a custom SOAP security header.

For example, I created a proxy as in [1], and you may notice that I have put the following element in the soap message security header.

<wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">95euUDNp5wT7nT3BadS9Tw==</wsse:Nonce> 

Since I'm sending the same nonce every time to the backend, it is detected as a possible replay attack by the backend.

To get rid of this error, I removed the above 'Nonce' element. Then the backend stopped giving the error

"Nonce value : 95euUDNp5wT7nT3BadS9Tw==, already seen before for user name : admin. Possibly this could be a replay attack."

Only if we send the 'Nonce' element in the SOAP security header will the backend check for possible replay attacks. So removing that element is one way of getting rid of the error.

This also means that this is a solution only if you don't want the backend to evaluate the Nonce value for detecting replay attacks.

I know this question is one year-old; but thought to add an answer as a reference.

[1]

<?xml version="1.0" encoding="UTF-8"?>
<proxy xmlns="http://ws.apache.org/ns/synapse"
       name="InsuranceServiceProxy2"
       transports="https,http"
       statistics="disable"
       trace="disable"
       startOnLoad="true">
   <target>
      <inSequence>
         <header scope="default">
            <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                           xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                           soapenv:mustUnderstand="1">
               <wsu:Timestamp wsu:Id="TS-23">
                  <wsu:Created>2015-06-13T03:07:55Z</wsu:Created>
               </wsu:Timestamp>
               <wsse:UsernameToken wsu:Id="UsernameToken-22">
                  <wsse:Username>admin</wsse:Username>
                  <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
                  <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">95euUDNp5wT7nT3BadS9Tw==</wsse:Nonce>
                  <wsu:Created>2015-06-13T03:07:55.091Z</wsu:Created>
               </wsse:UsernameToken>
            </wsse:Security>
         </header>
         <property name="Authorization"
                   value="Basic YWRtaW46YWRtaW4="
                   scope="transport"
                   type="STRING"/>
      </inSequence>
      <outSequence>
         <send/>
      </outSequence>
      <endpoint>
         <address uri="https://localhost:8243/services/InsuranceServiceBEProxy2"/>
      </endpoint>
   </target>
   <description/>
</proxy>
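The answer above removes the Nonce, which also removes the replay protection. The alternative is to keep the Nonce but make it fresh for every message, which is what the backend's check is designed around. The following is an added example, not code from the question, the answer or WSO2: it builds a wsse:UsernameToken with a random nonce and a current wsu:Created (the same namespaces and URIs as the proxy configuration above), and models the backend's nonce cache so you can see why a pinned nonce in a header mediator is rejected on the second message while a per-message nonce is accepted. The 300-second cache window and the cache implementation are assumptions for illustration; the real backend's cache and window size are not described on this page.

```python
import base64
import os
import time
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces and URIs exactly as they appear in the proxy configuration in the answer.
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"
NONCE_B64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"


def fresh_nonce(size=16):
    """Random nonce: `size` bytes from the OS CSPRNG, base64-encoded (16 bytes -> 24 chars)."""
    return base64.b64encode(os.urandom(size)).decode("ascii")


def iso_utc(ts):
    """wsu:Created value in the UTC format used in the answer's configuration."""
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


def username_token(username, password, nonce=None, created=None):
    """Build a wsse:UsernameToken (PasswordText, as in the answer).
    Unless the caller pins them (which is what a static header mediator does),
    nonce and Created are generated fresh on every call."""
    nonce = nonce if nonce is not None else fresh_nonce()
    created = created if created is not None else iso_utc(time.time())
    return (
        f'<wsse:UsernameToken xmlns:wsse="{WSSE_NS}" xmlns:wsu="{WSU_NS}">'
        f"<wsse:Username>{escape(username)}</wsse:Username>"
        f'<wsse:Password Type="{PASSWORD_TEXT}">{escape(password)}</wsse:Password>'
        f'<wsse:Nonce EncodingType="{NONCE_B64}">{nonce}</wsse:Nonce>'
        f"<wsu:Created>{created}</wsu:Created>"
        "</wsse:UsernameToken>"
    )


def parse_token(token_xml):
    """Backend side: extract (username, nonce) from a UsernameToken element."""
    root = ET.fromstring(token_xml)
    user = root.find(f"{{{WSSE_NS}}}Username").text
    nonce = root.find(f"{{{WSSE_NS}}}Nonce").text
    return user, nonce


class NonceCache:
    """Assumed model of the backend's replay check: a (username, nonce) pair is
    accepted once and remembered for `ttl` seconds; a second arrival inside that
    window is reported as a replay, with the fault text quoted in the question."""

    def __init__(self, ttl=300):
        self.ttl = ttl
        self._seen = {}  # (username, nonce) -> expiry timestamp

    def accept(self, token_xml, now):
        # Evict expired entries so the cache stays bounded.
        for key in [k for k, exp in self._seen.items() if exp <= now]:
            del self._seen[key]
        user, nonce = parse_token(token_xml)
        key = (user, nonce)
        if key in self._seen:
            return False, (f"Nonce value : {nonce}, already seen before for user name : {user}. "
                           "Possibly this could be a replay attack.")
        self._seen[key] = now + self.ttl
        return True, "accepted"


def send_twice(backend, now, pinned_nonce=None):
    """Send two messages for the same user one second apart; return the two verdicts.
    With pinned_nonce set this reproduces the header-mediator setup from the answer."""
    verdicts = []
    for i in range(2):
        token = username_token("admin", "admin", nonce=pinned_nonce)
        ok, _ = backend.accept(token, now + i)
        verdicts.append(ok)
    return verdicts


if __name__ == "__main__":
    cache = NonceCache()
    # Pinned nonce, as in the answer's proxy: second message is flagged as a replay.
    print(send_twice(cache, 1000.0, pinned_nonce="95euUDNp5wT7nT3BadS9Tw=="))  # [True, False]
    # Fresh nonce per message: both accepted, and replay detection stays on.
    print(send_twice(cache, 2000.0))  # [True, True]
```

The point of the model is the key: the backend remembers the pair (user name, nonce), so a header mediator that injects a literal Nonce can only ever be accepted once per cache window, no matter how often Created is updated. Generating the nonce and Created per message (on the ESB side, wherever the security header is built) keeps the backend's check meaningful. Note also that the token above, like the one in the answer, carries the password in clear (PasswordText); the transport should be TLS, as the https endpoint in the answer's configuration already is.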