It should be related to the fact that no name identifier is in the
Subject in the AttributeStatement in the ActAs SAML assertion.
Can you modify the ActiveSTSAttributeProvider so that the last line
adds a check for whether the name is null or not:
String idName = isActAs ? "ActAs" : NAME_IDENTIFIER;
List<String> nameIds = new ArrayList<String>();
if (name != null) {
    nameIds.add(name);
}
attrs.put(new QName(nameNS, idName), nameIds);
Thanks!
Jiandong
Pablo Cibraro wrote:
Cool, that fixed the issue. Now I am getting a different exception :(. It looks
like a problem in the classes that parse the SAML token.
Caused by: com.sun.xml.ws.api.security.trust.WSTrustException: java.lang.NullPointerException
    at com.sun.xml.ws.security.trust.util.WSTrustUtil.addSamlAttributes(WSTrustUtil.java:452)
    at com.sun.xml.ws.security.trust.impl.DefaultSAMLTokenProvider.createSAML11Assertion(DefaultSAMLTokenProvider.java:328)
    at com.sun.xml.ws.security.trust.impl.DefaultSAMLTokenProvider.generateToken(DefaultSAMLTokenProvider.java:137)
    at com.sun.xml.ws.security.trust.impl.WSTrustContractImpl.issue(WSTrustContractImpl.java:468)
    at com.sun.xml.ws.security.trust.impl.WSTrustContractImpl.issue(WSTrustContractImpl.java:119)
    at com.sun.xml.ws.security.trust.sts.BaseSTSImpl.issue(BaseSTSImpl.java:323)
    at com.sun.xml.ws.security.trust.sts.BaseSTSImpl.invoke(BaseSTSImpl.java:186)
This is the message I am sending,
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action
s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
<a:MessageID>urn:uuid:da07e494-db6b-4bcc-9b6d-33da8e4260a7</a:MessageID>
<ActivityId CorrelationId="60d4ee43-dffd-4819-ac32-8ec3178055f2"
xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">d0345bad-835f-4113-bd1f-53cd83bb4ae6</ActivityId>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
</s:Header>
<s:Body>
<trust:RequestSecurityToken
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference
xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://localhost:9000/tradebusinessserviceSTS</Address>
<Identity
xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
<Dns>OPS.Com</Dns>
</Identity>
</EndpointReference>
</wsp:AppliesTo>
<trust:Entropy>
<trust:BinarySecret u:Id="uuid-4ccc7bdf-36c4-45d6-ba4a-bcd4908ff63d-4"
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">/79WCRSK74FVVUaBwXAIY41i91HIiANhnTrOTWK4LrM=</trust:BinarySecret>
</trust:Entropy>
<trust:KeySize>256</trust:KeySize>
<trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
<tr:ActAs
xmlns:tr="http://docs.oasis-open.org/ws-sx/ws-trust/200802">
<saml:Assertion MajorVersion="1" MinorVersion="1"
AssertionID="_bb3684bb-3c3e-47ef-8aac-aad57b9f8097" Issuer="PassiveSTS" IssueInstant="2009-11-05T21:01:48.142Z"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2009-11-05T21:01:48.073Z"
NotOnOrAfter="2009-11-06T07:01:48.073Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>http://localhost/trade/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="privatepersonalidentifier"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>uid:0</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference
URI="#_bb3684bb-3c3e-47ef-8aac-aad57b9f8097">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>hgbn0uuZPJcwqBpu3lGrPmJKHtg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>rSHPlFsllQ2XunkjLu2nzXTAj4LnrknKSFsJ4ukNiID9wXV7FodFpAd+WH+5TDtMtKKCJwmrKDEpD8nTbTSLdKHqAHCgayLwT5hYV6yfjKXw0Zz13WaawweEZl9YNNXklENIBo8dWmSotHHbdI3RrQykjh+HT010t9nFlIHkgEA=</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>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</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</tr:ActAs>
<trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm>
</trust:RequestSecurityToken>
</s:Body>
</s:Envelope>
-----Original Message-----
From: jiandong....@sun.com [mailto:jiandong....@sun.com]
Sent: Thursday, November 05, 2009 5:57 PM
To: stonehenge-dev@incubator.apache.org
Subject: Re: Fourth interop test between .NET and Metro
Ok. That is the problem: <a:Action
s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
You use the old version of WS-Trust 1.2
(http://schemas.xmlsoap.org/ws/2005/02).
We have set up Metro ActiveSTS to use WS-Trust 1.3/WS-Trust 1.4 with
namespace http://docs.oasis-open.org/ws-sx/ws-trust/200512
(ActAs is only introduced in WS-Trust 1.4; looks like Geneva also
back-supports it with the old version).
This is also the reason for some of the issues you experienced with your
Third interop test between .NET and Metro.
Thanks!
Jiandong
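The two failure modes discussed in this thread, an RST/Issue sent under the WS-Trust 1.2 namespace to an STS set up for 1.3, and an ActAs SAML 1.1 assertion whose Subject has no NameIdentifier (the NullPointerException in addSamlAttributes), can both be caught before the request ever reaches the STS. The following pre-flight checker is an added example and is not Metro or Stonehenge code: the function names (`check_rst`, `act_as_attributes`, `sample_rst`), the sample messages and the `CN=trader` name are constructed here; the namespace URIs and the Action/RequestType/ActAs shape are taken from the messages posted above, and `act_as_attributes` mirrors the null check proposed for the attribute provider.

```python
"""Pre-flight checks for a WS-Trust RequestSecurityToken carrying an ActAs
SAML 1.1 assertion. Added example, not Metro/Stonehenge code; the sample
messages are constructed to match the shape of the thread's requests."""
import xml.etree.ElementTree as ET

NS_SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
NS_WSA = "http://www.w3.org/2005/08/addressing"
NS_TRUST_12 = "http://schemas.xmlsoap.org/ws/2005/02/trust"
NS_TRUST_13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NS_TRUST_14 = "http://docs.oasis-open.org/ws-sx/ws-trust/200802"  # ActAs lives here
NS_SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS_CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"
TRUST_VERSIONS = {NS_TRUST_12: "1.2", NS_TRUST_13: "1.3"}


def saml11_name_identifier(assertion):
    """Text of Subject/NameIdentifier, or None when the Subject carries none."""
    subject = assertion.find(f".//{{{NS_SAML11}}}Subject")
    if subject is None:
        return None
    nid = subject.find(f"{{{NS_SAML11}}}NameIdentifier")
    return nid.text.strip() if nid is not None and nid.text else None


def saml11_attributes(assertion):
    """AttributeStatement contents as {(AttributeNamespace, AttributeName): [values]}."""
    attrs = {}
    for attr in assertion.iter(f"{{{NS_SAML11}}}Attribute"):
        key = (attr.get("AttributeNamespace", ""), attr.get("AttributeName", ""))
        values = [v.text.strip() for v in attr.findall(f"{{{NS_SAML11}}}AttributeValue")
                  if v.text and v.text.strip()]
        attrs.setdefault(key, []).extend(values)
    return attrs


def act_as_attributes(name_id, attrs, name_ns=NS_CLAIMS):
    """Null-safe form of the provider logic discussed in the thread: the ActAs
    entry is an empty list, never [None], when the delegated subject has no name."""
    merged = dict(attrs)
    merged[(name_ns, "ActAs")] = [] if name_id is None else [name_id]
    return merged


def check_rst(envelope_xml, sts_version="1.3"):
    """Parse a SOAP 1.2 envelope and report what an STS expecting `sts_version`
    would see: WS-Trust version, Action/body consistency, ActAs subject shape."""
    root = ET.fromstring(envelope_xml)
    body = root.find(f"{{{NS_SOAP12}}}Body")
    if body is None or len(body) == 0:
        raise ValueError("SOAP Body missing or empty")
    rst = body[0]
    trust_ns, local = rst.tag[1:].split("}", 1) if rst.tag.startswith("{") else ("", rst.tag)
    if local != "RequestSecurityToken":
        raise ValueError(f"unexpected Body child {rst.tag}")

    problems = []
    version = TRUST_VERSIONS.get(trust_ns)
    if version is None:
        problems.append(f"unknown WS-Trust namespace {trust_ns}")
    elif version != sts_version:
        problems.append(f"RST uses WS-Trust {version} ({trust_ns}); STS expects {sts_version}")

    # The wsa:Action header was the first thing spotted in the thread; it must agree
    # with the namespace of the RequestSecurityToken in the body.
    action = root.find(f".//{{{NS_WSA}}}Action")
    if action is not None and (action.text or "").strip() != f"{trust_ns}/RST/Issue":
        problems.append(f"wsa:Action {action.text} does not match body namespace")

    act_as = rst.find(f"{{{NS_TRUST_14}}}ActAs")
    assertion = None if act_as is None else act_as.find(f"{{{NS_SAML11}}}Assertion")
    name_id, attrs = None, {}
    if assertion is not None:
        name_id = saml11_name_identifier(assertion)
        attrs = saml11_attributes(assertion)
        if name_id is None:
            problems.append("ActAs assertion Subject has no NameIdentifier")
    return {"trust_version": version, "has_act_as": act_as is not None,
            "name_id": name_id, "attributes": attrs, "problems": problems}


def sample_rst(trust_ns, with_name_id):
    """Constructed RST/Issue shaped like the thread's messages (signature omitted)."""
    nid = "<saml:NameIdentifier>CN=trader</saml:NameIdentifier>" if with_name_id else ""
    return f"""<s:Envelope xmlns:s="{NS_SOAP12}" xmlns:a="{NS_WSA}">
<s:Header><a:Action s:mustUnderstand="1">{trust_ns}/RST/Issue</a:Action></s:Header>
<s:Body><t:RequestSecurityToken xmlns:t="{trust_ns}">
<t:RequestType>{trust_ns}/Issue</t:RequestType>
<tr:ActAs xmlns:tr="{NS_TRUST_14}">
<saml:Assertion xmlns:saml="{NS_SAML11}" MajorVersion="1" MinorVersion="1"
 AssertionID="_constructed" Issuer="PassiveSTS">
<saml:AttributeStatement><saml:Subject>{nid}<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation></saml:Subject>
<saml:Attribute AttributeName="privatepersonalidentifier" AttributeNamespace="{NS_CLAIMS}">
<saml:AttributeValue>uid:0</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></tr:ActAs>
</t:RequestSecurityToken></s:Body></s:Envelope>"""


if __name__ == "__main__":
    for ns, named in ((NS_TRUST_13, True), (NS_TRUST_12, False)):
        report = check_rst(sample_rst(ns, named))
        print(report["trust_version"], report["problems"])
```

Run as a script it prints an empty problem list for the 1.3 request with a named subject and two findings for the 1.2 request without one; passing `sts_version="1.2"` shows that the version finding disappears while the missing NameIdentifier remains, which is the situation the later messages in this thread hit.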
Pablo Cibraro wrote:
Yes, sure. This is the message.
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action
s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action>
<a:MessageID>urn:uuid:5c95445c-8f57-49b7-9030-23af6d989f0a</a:MessageID>
<ActivityId CorrelationId="a2f6cc3b-bf91-4f90-ad06-ef751ca1b269"
xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">19c20fa7-c861-4128-8e8d-766b9926ff90</ActivityId>
</s:Header>
<s:Body>
<t:RequestSecurityToken
xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
<t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
<wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
<EndpointReference
xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://localhost:9000/tradebusinessserviceSTS</Address>
<Identity
xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
<Dns>OPS.Com</Dns>
</Identity>
</EndpointReference>
</wsp:AppliesTo>
<t:Entropy>
<!--Removed-->
</t:Entropy>
<t:KeySize>256</t:KeySize>
<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
<t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
<tr:ActAs
xmlns:tr="http://docs.oasis-open.org/ws-sx/ws-trust/200802">
<saml:Assertion MajorVersion="1" MinorVersion="1"
AssertionID="_a762551d-f167-4bcd-bd82-18cb650d084c" Issuer="PassiveSTS" IssueInstant="2009-11-05T20:31:03.293Z"
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2009-11-05T20:31:03.181Z"
NotOnOrAfter="2009-11-06T06:31:03.181Z">
<saml:AudienceRestrictionCondition>
<saml:Audience>http://localhost/trade/</saml:Audience>
</saml:AudienceRestrictionCondition>
</saml:Conditions>
<saml:AttributeStatement>
<saml:Subject>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:bearer</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="privatepersonalidentifier"
AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>
<!--Removed-->
</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></ds:SignatureMethod>
<ds:Reference
URI="#_a762551d-f167-4bcd-bd82-18cb650d084c">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
<ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
</ds:Transforms>
<ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></ds:DigestMethod>
<ds:DigestValue>nWnrqj91iQyZxA27R06YBcFNaEI=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>LP886alP3p3DpSrLmSHsgXer+cXVhUylHwTyG0F/iRF3KPJoBcO2/TGogGgxBmn1P9g67nQJGuAKil/et6B5Xq+EbLyssrQQgfS4SVb7lhXku1mn47dhozq7npKi9O4IgEp+Zi5Npp3D6MZyBV3EfVslie9VfUIquAZszHg+zqE=</ds:SignatureValue>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data>
<X509Certificate>MIIBsTCCAV+gAwIBAgIQFa2WQ+HN8J1Oqb/k/DTGczAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTA4MDMyNzA2MDg1NVoXDTM5MTIzMTIzNTk1OVowFDESMBAGA1UEAxMJVHJhZGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/eioYq7dcZ85yaKsjnzrajDrh+NPjmaBYxscAf0+vsN+dR7eKDKph4bMycnHGMzdZrE6KoQYZ8GFYuria7muLV3I3ESnbNZpeVFV35XeP5aMIYw1LkmLslqRvO7HnVrcotSmCUkjT64k0PVmtm2SCOOAxr2UH1BjbUKoJHwDxmwIDAQABo0swSTBHBgNVHQEEQDA+gBAS5AktBh0dTwCNYSHcFmRjoRgwFjEUMBIGA1UEAxMLUm9vdCBBZ2VuY3mCEAY3bACqAGSKEc+41KpcNfQwCQYFKw4DAh0FAANBACkuJgzyXvNAGjtJzrwteHxgo6ojzs4twc/XhLEG0NB4PKZOMiBJK75v0IATeUsf6Xxg0qG6QTmRuCPFdiXj1LM=</X509Certificate>
</X509Data>
</KeyInfo>
</ds:Signature>
</saml:Assertion>
</tr:ActAs>
<t:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKeyAlgorithm>
</t:RequestSecurityToken>
</s:Body>
</s:Envelope>
Thanks
Pablo.
-----Original Message-----
From: jiandong....@sun.com [mailto:jiandong....@sun.com]
Sent: Thursday, November 05, 2009 4:56 PM
To: stonehenge-dev@incubator.apache.org
Subject: Re: Fourth interop test between .NET and Metro
Pablo,
That means there is no policy spotted in the sts wsdl for the request
message.
Can you send me the request message to STS?
Thanks!
Jiandong
Pablo Cibraro wrote:
Jiandong,
I am getting the following exception when the .NET trader client implementation
tries to negotiate a SAML token with the metro Active STS.
[#|2009-11-05T15:21:58.904-0400|SEVERE|sun-appserver9.1|javax.enterprise.resource.xml.webservices.security|_ThreadID=13;_ThreadName=httpSSLWorkerThread-1316-1;_RequestID=78bbc6ca-ee7d-40ec-b727-f709265e7636;|Policy is null|#]
ERROR: Policy for the service could not be obtained
I am using the following configuration,
Configuration Service: .NET
Business Service: .NET
Passive STS: .NET
Active STS: Metro
Trader client: .NET
Have you seen this error before? Do you know how to fix it?
Thanks
Pablo.