[ https://issues.apache.org/jira/browse/CXF-8967?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17803347#comment-17803347 ]

Peter Palaga commented on CXF-8967:
-----------------------------------

Thanks a lot [~ffang] for the explanation and fix in 
https://github.com/ppalaga/quarkus-cxf/pull/2 !

I rebased and reworded the PR here: 
https://github.com/quarkiverse/quarkus-cxf/pull/1170

My original issue is thus solved.

I wonder whether we should not introduce some measures so that policies with 
multiple security bindings (such as TransportBinding, AsymmetricBinding and 
SymmetricBinding) would not be accepted at all given that CXF does not honor 
them anyway?

> Body and elements not signed with security.enable.streaming = true
> ------------------------------------------------------------------
>
>                 Key: CXF-8967
>                 URL: https://issues.apache.org/jira/browse/CXF-8967
>             Project: CXF
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Peter Palaga
>            Assignee: Freeman Yue Fang
>            Priority: Major
>
> This might have a similar cause to CXF-8940.
> I am unfortunately not sure at all how to reproduce this with plain CXF. If a 
> test is required to demonstrate the issue, I'd be thankful for pointing me to 
> an existing test I could adapt.
> I am able to reproduce this with quarkus-cxf - here are the steps to 
> reproduce:
> {code}
> git clone g...@github.com:ppalaga/quarkus-cxf.git -o ppalaga
> cd quarkus-cxf
> git checkout CXF-8967
> mvn clean install -DskipTests -Dquarkus.build.skip
> cd integration-tests/ws-security-policy
> mvn clean test -Dtest=UsernameTokenSecurityPolicyStaxTest#helloSaml1
> ...
> 2023-12-25 12:46:31,093 INFO  [org.apa.cxf.ser.Sam.REQ_OUT] 
> (executor-thread-1) REQ_OUT
>     Address: https://localhost:8444/services/helloSaml1
>     HttpMethod: POST
>     Content-Type: text/xml
>     ExchangeId: 1e62cc69-2a90-413d-97a4-b88bbd61d7b8
>     ServiceName: Saml1PolicyHelloService
>     PortName: Saml1PolicyHelloServicePort
>     PortTypeName: Saml1PolicyHelloService
>     Headers: {SOAPAction="", Accept=*/*, Connection=Keep-Alive}
>     Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
>       <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>         <wsu:Created>2023-12-25T11:46:31.087Z</wsu:Created>
>         <wsu:Expires>2023-12-25T11:51:31.087Z</wsu:Expires>
>       </wsu:Timestamp>
>       <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_307cbcf8-4a7d-45a6-a4dc-b46929693b35" IssueInstant="2023-12-25T11:46:31.068Z" Issuer="sts" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
>         <saml1:Conditions NotBefore="2023-12-25T11:46:31.070Z" NotOnOrAfter="2023-12-25T11:51:31.070Z"/>
>         <saml1:AttributeStatement>
>           <saml1:Subject>
>             <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.mock-sts.com">uid=sts-client,o=mock-sts.com</saml1:NameIdentifier>
>             <saml1:SubjectConfirmation>
>               <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
>             </saml1:SubjectConfirmation>
>           </saml1:Subject>
>           <saml1:Attribute AttributeName="subject-role" AttributeNamespace="http://custom-ns">
>             <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">system-user</saml1:AttributeValue>
>           </saml1:Attribute>
>         </saml1:AttributeStatement>
>       </saml1:Assertion>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/">
>       <arg0>random saml person</arg0>
>     </ns2:hello>
>   </soap:Body>
> </soap:Envelope>
> 2023-12-25 12:46:31,300 INFO  [org.ehc.cor.EhcacheManager] 
> (executor-thread-2) Cache 'ws-security.timestamp.cache.instance-1259045699' 
> created in EhcacheManager.
> 2023-12-25 12:46:31,311 INFO  [org.ehc.cor.EhcacheManager] 
> (executor-thread-2) Cache 'ws-security.saml.cache.instance-1259045699' 
> created in EhcacheManager.
> 2023-12-25 12:46:31,393 INFO  [org.ehc.cor.EhcacheManager] 
> (executor-thread-2) Cache 
> 'org.apache.cxf.ws.security.tokenstore.TokenStore-1259045699' created in 
> EhcacheManager.
> 2023-12-25 12:46:31,414 WARN  [org.apa.cxf.pha.PhaseInterceptorChain] 
> (executor-thread-2) Interceptor for 
> {http://policy.security.it.cxf.quarkiverse.io/}Saml1PolicyHelloServiceImpl 
> has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: 
> Error reading XMLStreamReader: 
> org.apache.wss4j.common.ext.WSSecurityException: SAML proof-of-possession of 
> the private/secret key failed
>         at 
> org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:67)
>         at 
> org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:38)
>         at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>         at 
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>         at 
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
>         at 
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:233)
>         at 
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:207)
>         at 
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:159)
>         at 
> io.quarkiverse.cxf.transport.CxfHandler.process(CxfHandler.java:241)
>         at io.quarkiverse.cxf.transport.CxfHandler.handle(CxfHandler.java:178)
>         at io.quarkiverse.cxf.transport.CxfHandler.handle(CxfHandler.java:47)
>         at 
> io.vertx.ext.web.impl.BlockingHandlerDecorator.lambda$handle$0(BlockingHandlerDecorator.java:48)
>         at 
> io.vertx.core.impl.ContextBase.lambda$executeBlocking$1(ContextBase.java:180)
>         at 
> io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:277)
>         at 
> io.vertx.core.impl.ContextBase.lambda$internalExecuteBlocking$2(ContextBase.java:199)
>         at 
> io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
>         at 
> org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
>         at 
> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1512)
>         at 
> org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
>         at 
> org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
>         at 
> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>         at java.base/java.lang.Thread.run(Thread.java:840)
> Caused by: javax.xml.stream.XMLStreamException: 
> org.apache.wss4j.common.ext.WSSecurityException: SAML proof-of-possession of 
> the private/secret key failed
>         at 
> org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:99)
>         at 
> org.apache.wss4j.stax.impl.WSSecurityStreamReader.next(WSSecurityStreamReader.java:45)
>         at 
> org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:60)
>         ... 21 more
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: SAML 
> proof-of-possession of the private/secret key failed
>         at 
> org.apache.wss4j.stax.impl.processor.input.SAMLTokenInputHandler$SAMLTokenVerifierInputProcessor.checkPossessionOfKey(SAMLTokenInputHandler.java:724)
>         at 
> org.apache.wss4j.stax.impl.processor.input.SAMLTokenInputHandler$SAMLTokenVerifierInputProcessor.processEvent(SAMLTokenInputHandler.java:603)
>         at 
> org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:192)
>         at 
> org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor.processEvent(PolicyInputProcessor.java:104)
>         at 
> org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:192)
>         at 
> org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:81)
>         ... 23 more
> {code}
> Expected: the {{REQ_OUT}} message shown above should have a signature and some 
> other security related elements. It should work the same as with the DOM 
> stack:
> {code}
> mvn clean test -Dtest=UsernameTokenSecurityPolicyTest#helloSaml1
> ...
> 2023-12-25 12:47:52,678 INFO  [org.apa.cxf.ser.Sam.REQ_OUT] 
> (executor-thread-1) REQ_OUT
>     Address: https://localhost:8444/services/helloSaml1
>     HttpMethod: POST
>     Content-Type: text/xml
>     ExchangeId: daf2cdf0-ec9b-4e81-8c0c-d0eb30b64a13
>     ServiceName: Saml1PolicyHelloService
>     PortName: Saml1PolicyHelloServicePort
>     PortTypeName: Saml1PolicyHelloService
>     Headers: {SOAPAction="", Accept=*/*, Connection=Keep-Alive}
>     Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
>       <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-74c1bd0a-0411-4ae9-822f-8aed0411be08">...</wsse:BinarySecurityToken>
>       <wsu:Timestamp wsu:Id="TS-a7888ebf-0a03-485d-a4e0-67b7e26d4379">
>         <wsu:Created>2023-12-25T11:47:52.312Z</wsu:Created>
>         <wsu:Expires>2023-12-25T11:52:52.312Z</wsu:Expires>
>       </wsu:Timestamp>
>       <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_9115cf6b-f4b6-4728-a85d-04de8f1489e4" IssueInstant="2023-12-25T11:47:52.525Z" Issuer="sts" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
>         <saml1:Conditions NotBefore="2023-12-25T11:47:52.526Z" NotOnOrAfter="2023-12-25T11:52:52.526Z"/>
>         <saml1:AttributeStatement>
>           <saml1:Subject>
>             <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.mock-sts.com">uid=sts-client,o=mock-sts.com</saml1:NameIdentifier>
>             <saml1:SubjectConfirmation>
>               <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
>             </saml1:SubjectConfirmation>
>           </saml1:Subject>
>           <saml1:Attribute AttributeName="subject-role" AttributeNamespace="http://custom-ns">
>             <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">system-user</saml1:AttributeValue>
>           </saml1:Attribute>
>         </saml1:AttributeStatement>
>       </saml1:Assertion>
>       <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-d2b2c0e9-b7b6-411f-994a-7096afeaea0a">
>         <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_9115cf6b-f4b6-4728-a85d-04de8f1489e4</wsse:KeyIdentifier>
>       </wsse:SecurityTokenReference>
>       <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-8a8dc10a-f244-4b77-a679-d41fa68c971e">
>         <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_9115cf6b-f4b6-4728-a85d-04de8f1489e4</wsse:KeyIdentifier>
>       </wsse:SecurityTokenReference>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-d124a707-3ad6-4e4a-900d-0bf5ebd35dee">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>           <ds:Reference URI="#TS-a7888ebf-0a03-485d-a4e0-67b7e26d4379">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>qbZmn6wMr917PmaAx7f1po3OEpw=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#_94b5f1aa-3ea2-4742-8a03-6455612918b7">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>ghlTlxu8FaGQq7x1YMGhPmXPsoc=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#STR-8a8dc10a-f244-4b77-a679-d41fa68c971e">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>                 <wsse:TransformationParameters>
>                   <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 </wsse:TransformationParameters>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>eXP+srJSSN3KcEZWYzArD87w12c=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#X509-74c1bd0a-0411-4ae9-822f-8aed0411be08">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>28TAIWWt6j4zw7YFbcJLfxS36kQ=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>NjkNaCptM1jjYRKZycvYoIyeZolGwOaNg1z52y/vx1oz5eG+Yas/Qz1BLzcLRkCCttupoYFjlpHeiYmf7AsRnoJFgQPsp6lvWIOj0yCCypmJ+dqhtOdo8gz/VvY/0SM+G7z2LG45HQnN+7wyPyhbZ89DOGpNNj1yFiqMgQJsN2pmuSXzE6HEu94lrAgy0gExZeeRfNA9ETLwB0QW9PNjKQbfQtThIWJObjdJE0bhrxMqVThSD3Ccw8P6QVtU/F6rw8QoUf7cpFVPJ/lDE+hqBIQLkFudbeqg3R/PzubU7Bksn0ihVIKVuXzbkYNq1d9XgLaESMRvmc6aRtiZBFQEkg==</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-facbfb94-d9d1-41ad-97c0-07570607f954">
>           <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-71d5c38d-3711-440e-84f8-f500ae8fb025">
>             <wsse:Reference URI="#X509-74c1bd0a-0411-4ae9-822f-8aed0411be08" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_94b5f1aa-3ea2-4742-8a03-6455612918b7">
>     <ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/">
>       <arg0>random saml person</arg0>
>     </ns2:hello>
>   </soap:Body>
> </soap:Envelope>
> {code}
> It fails in the same way with {{Version.SAML_20}}:
> {code}
> mvn clean test -Dtest=UsernameTokenSecurityPolicyStaxTest#helloSaml2
> ...
> 2023-12-25 12:54:29,644 INFO  [org.apa.cxf.ser.Sam.REQ_OUT] 
> (executor-thread-1) REQ_OUT
>     Address: https://localhost:8444/services/helloSaml2
>     HttpMethod: POST
>     Content-Type: text/xml
>     ExchangeId: f2e41731-6a37-4f1a-be78-64cefc393d2e
>     ServiceName: Saml2PolicyHelloService
>     PortName: Saml2PolicyHelloServicePort
>     PortTypeName: Saml2PolicyHelloService
>     Headers: {SOAPAction="", Accept=*/*, Connection=Keep-Alive}
>     Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
>       <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>         <wsu:Created>2023-12-25T11:54:29.638Z</wsu:Created>
>         <wsu:Expires>2023-12-25T11:59:29.638Z</wsu:Expires>
>       </wsu:Timestamp>
>       <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_47ac5044-c17b-4603-b657-8836fc34fa5d" IssueInstant="2023-12-25T11:54:29.621Z" Version="2.0" xsi:type="saml2:AssertionType">
>         <saml2:Issuer>sts</saml2:Issuer>
>         <saml2:Subject>
>           <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.mock-sts.com">uid=sts-client,o=mock-sts.com</saml2:NameID>
>           <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
>         </saml2:Subject>
>         <saml2:Conditions NotBefore="2023-12-25T11:54:29.623Z" NotOnOrAfter="2023-12-25T11:59:29.623Z"/>
>         <saml2:AttributeStatement>
>           <saml2:Attribute Name="subject-role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
>             <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">system-user</saml2:AttributeValue>
>           </saml2:Attribute>
>         </saml2:AttributeStatement>
>       </saml2:Assertion>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/">
>       <arg0>random saml person</arg0>
>     </ns2:hello>
>   </soap:Body>
> </soap:Envelope>
> 2023-12-25 12:54:29,843 INFO  [org.ehc.cor.EhcacheManager] 
> (executor-thread-2) Cache 'ws-security.timestamp.cache.instance-1791157116' 
> created in EhcacheManager.
> 2023-12-25 12:54:29,854 INFO  [org.ehc.cor.EhcacheManager] 
> (executor-thread-2) Cache 'ws-security.saml.cache.instance-1791157116' 
> created in EhcacheManager.
> 2023-12-25 12:54:29,937 INFO  [org.ehc.cor.EhcacheManager] 
> (executor-thread-2) Cache 
> 'org.apache.cxf.ws.security.tokenstore.TokenStore-1791157116' created in 
> EhcacheManager.
> 2023-12-25 12:54:29,959 WARN  [org.apa.cxf.pha.PhaseInterceptorChain] 
> (executor-thread-2) Interceptor for 
> {http://policy.security.it.cxf.quarkiverse.io/}Saml2PolicyHelloServiceImpl 
> has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: 
> Error reading XMLStreamReader: 
> org.apache.wss4j.common.ext.WSSecurityException: SAML proof-of-possession of 
> the private/secret key failed
>         at 
> org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:67)
>         at 
> org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:38)
>         at 
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
>         at 
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>         at 
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
>         at 
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:233)
>         at 
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:207)
>         at 
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:159)
>         at 
> io.quarkiverse.cxf.transport.CxfHandler.process(CxfHandler.java:241)
>         at io.quarkiverse.cxf.transport.CxfHandler.handle(CxfHandler.java:178)
>         at io.quarkiverse.cxf.transport.CxfHandler.handle(CxfHandler.java:47)
>         at 
> io.vertx.ext.web.impl.BlockingHandlerDecorator.lambda$handle$0(BlockingHandlerDecorator.java:48)
>         at 
> io.vertx.core.impl.ContextBase.lambda$executeBlocking$1(ContextBase.java:180)
>         at 
> io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:277)
>         at 
> io.vertx.core.impl.ContextBase.lambda$internalExecuteBlocking$2(ContextBase.java:199)
>         at 
> io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
>         at 
> org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
>         at 
> org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1512)
>         at 
> org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
>         at 
> org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
>         at 
> io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
>         at java.base/java.lang.Thread.run(Thread.java:840)
> Caused by: javax.xml.stream.XMLStreamException: 
> org.apache.wss4j.common.ext.WSSecurityException: SAML proof-of-possession of 
> the private/secret key failed
>         at 
> org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:99)
>         at 
> org.apache.wss4j.stax.impl.WSSecurityStreamReader.next(WSSecurityStreamReader.java:45)
>         at 
> org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:60)
>         ... 21 more
> Caused by: org.apache.wss4j.common.ext.WSSecurityException: SAML 
> proof-of-possession of the private/secret key failed
>         at 
> org.apache.wss4j.stax.impl.processor.input.SAMLTokenInputHandler$SAMLTokenVerifierInputProcessor.checkPossessionOfKey(SAMLTokenInputHandler.java:724)
>         at 
> org.apache.wss4j.stax.impl.processor.input.SAMLTokenInputHandler$SAMLTokenVerifierInputProcessor.processEvent(SAMLTokenInputHandler.java:603)
>         at 
> org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:192)
>         at 
> org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor.processEvent(PolicyInputProcessor.java:104)
>         at 
> org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:192)
>         at 
> org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:81)
>         ... 23 more
> {code}
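Two test-side checks that follow from this thread, as an added example (not code from CXF, WSS4J or quarkus-cxf): one flags a WS-SecurityPolicy that declares more than one security binding, the situation the comment above suggests CXF should refuse outright; the other inspects a captured REQ_OUT for a ds:Signature whose references cover the soap:Body, which distinguishes the DOM-stack message from the unsigned streaming-stack one in the report. The namespace URIs are the standard WS-Security, XML-DSig and WS-SecurityPolicy 1.2 ones; all sample documents are constructed, abbreviated versions of the payloads quoted in the issue, and only reference coverage is checked, not the signature value itself.

```python
"""Added example, not code from CXF, WSS4J or quarkus-cxf: two test-side checks for CXF-8967.
- security_bindings(): lists the sp:*Binding assertions a WS-SecurityPolicy declares, so a
  policy mixing TransportBinding / AsymmetricBinding / SymmetricBinding can be rejected early.
- signature_report(): checks a captured SOAP request for a ds:Signature whose ds:Reference
  URIs cover the soap:Body wsu:Id. Reference coverage only; the signature value itself is
  not verified here. All sample XML below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",  # WS-SecurityPolicy 1.2
}
BINDINGS = {"TransportBinding", "AsymmetricBinding", "SymmetricBinding"}

def security_bindings(policy_xml: str) -> list:
    """Local names of every security binding assertion in the policy, in document order."""
    pfx = "{%s}" % NS["sp"]
    return [el.tag[len(pfx):] for el in ET.fromstring(policy_xml).iter()
            if el.tag.startswith(pfx) and el.tag[len(pfx):] in BINDINGS]

def policy_is_ambiguous(policy_xml: str) -> bool:
    """True when more than one binding is declared; such a policy should be rejected."""
    return len(security_bindings(policy_xml)) > 1

def signature_report(envelope_xml: str) -> dict:
    """Which wsu:Id values the header ds:Signature references, and whether the Body is one."""
    root = ET.fromstring(envelope_xml)
    sig = root.find("soap:Header/wsse:Security/ds:Signature", NS)
    refs = [] if sig is None else sig.iterfind("ds:SignedInfo/ds:Reference", NS)
    signed_ids = sorted(r.get("URI")[1:] for r in refs if r.get("URI", "").startswith("#"))
    body = root.find("soap:Body", NS)
    body_id = None if body is None else body.get("{%s}Id" % NS["wsu"])
    return {"has_signature": sig is not None, "signed_ids": signed_ids,
            "body_signed": body_id is not None and body_id in signed_ids}

# Constructed policy mixing two bindings, the case the comment above asks CXF to reject.
MIXED_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:sp="{sp}">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy/></sp:TransportBinding>
    <sp:AsymmetricBinding><wsp:Policy/></sp:AsymmetricBinding>
    <sp:SignedParts><sp:Body/></sp:SignedParts>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>""".format(**NS)

# Constructed, abbreviated REQ_OUT of the streaming stack: a Timestamp and no ds:Signature.
STREAMING_REQ_OUT = """<soap:Envelope xmlns:soap="{soap}">
  <soap:Header><wsse:Security xmlns:wsse="{wsse}" soap:mustUnderstand="1">
    <wsu:Timestamp xmlns:wsu="{wsu}"><wsu:Created>2023-12-25T11:46:31.087Z</wsu:Created></wsu:Timestamp>
  </wsse:Security></soap:Header>
  <soap:Body><ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/"><arg0>hi</arg0></ns2:hello></soap:Body>
</soap:Envelope>""".format(**NS)

# Constructed, abbreviated REQ_OUT of the DOM stack: the signature references Timestamp and Body.
DOM_REQ_OUT = """<soap:Envelope xmlns:soap="{soap}">
  <soap:Header><wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2023-12-25T11:47:52.312Z</wsu:Created></wsu:Timestamp>
    <ds:Signature xmlns:ds="{ds}"><ds:SignedInfo>
      <ds:Reference URI="#TS-1"><ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue></ds:Reference>
      <ds:Reference URI="#BODY-1"><ds:DigestValue>Y29uc3RydWN0ZWQ=</ds:DigestValue></ds:Reference>
    </ds:SignedInfo><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue></ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body xmlns:wsu="{wsu}" wsu:Id="BODY-1"><ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/"><arg0>hi</arg0></ns2:hello></soap:Body>
</soap:Envelope>""".format(**NS)

if __name__ == "__main__":
    print("bindings:", security_bindings(MIXED_POLICY), "ambiguous:", policy_is_ambiguous(MIXED_POLICY))
    print("streaming:", signature_report(STREAMING_REQ_OUT), "\nDOM:", signature_report(DOM_REQ_OUT))
```

Run against a real REQ_OUT capture, the second check turns the "Expected" paragraph of the report into a failing assertion instead of something noticed by eye in the log.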



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
