I was using stax-ex because it was required by xwss, which I use to build my 
SAML Token. I switched to woodstox on the client side and it serializes the 
request properly now. 

I also figured out my Token ID problem. I wasn't including a 
RequestedAttachedReference which was necessary since SAML tokens don't have a 
wsu:Id attribute.

Thanks,
John

-----Original Message-----
From: Daniel Kulp [mailto:[email protected]] 
Sent: Monday, March 01, 2010 10:20 PM
To: [email protected]
Cc: John Hite
Subject: Re: STSClient in CXF 2.2.6 not binding wst prefix.


Do you know what stax parser you are picking up?   Can you check to make sure 
woodstox is there?

That said, I see what is going on and am testing a fix now.

Dan


On Mon March 1 2010 2:19:14 pm John Hite wrote:
> Hi, I am trying to create an STS using CXF. Right now I have a very basic
> STS implementation that just returns a hard coded SAML 2.0 token. Right
> now I am just creating the STS client and calling requestSecurityToken().
> I was using CXF 2.2.5 and I was able to send the request and get my hard
> coded saml token back but the STSClient was throwing an exception saying
> that it could not determine a Token ID from RequestSecurityToken Response.
> I tried using CXF 2.2.6 but the message that the STS client sends is not
> valid.
> 
> CXF 2.2.5 message
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Header>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:011b65c5-dffd-4ddb-9ab5-56ec9dd357fe</MessageID>
>     <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost/services/sts</To>
>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>     </ReplyTo>
>   </soap:Header>
>   <soap:Body>
>     <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
>       <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType>
>       <wst:KeySize>256</wst:KeySize>
>       <wst:Entropy>
>         <wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">7ZKTA8MENMk=</wst:BinarySecret>
>       </wst:Entropy>
>       <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
>     </wst:RequestSecurityToken>
>   </soap:Body>
> </soap:Envelope>
> 
> CXF 2.2.6 message
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Header>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:5a5d50d4-f6f4-4d92-a6e7-2a98dbd2f1a5</MessageID>
>     <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost/services/sts</To>
>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>     </ReplyTo>
>   </soap:Header>
>   <soap:Body>
>     <wst:RequestSecurityToken>
>       <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
>       <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType>
>       <wst:KeySize>256</wst:KeySize>
>       <wst:Entropy>
>         <wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">cLzr27D8kZs=</wst:BinarySecret>
>       </wst:Entropy>
>       <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
>     </wst:RequestSecurityToken>
>   </soap:Body>
> </soap:Envelope>
> 
> Notice the missing wst namespace binding on <wst:RequestSecurityToken>.
> Anyone know what is causing this?
> 
> 
> Here's the response I send from the STS's Issue method.
> 
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Header>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:4f9fed96-7d08-40f2-b6fb-3f59361dfd69</MessageID>
>     <To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
>     <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:bf2877a6-effc-488e-9e43-6592c6146263</RelatesTo>
>   </soap:Header>
>   <soap:Body>
>     <ns2:RequestSecurityTokenResponse xmlns="http://service.example.com" xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <ns2:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns2:TokenType>
>       <ns2:RequestedSecurityToken>
>         <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="12345" IssueInstant="2010-03-01T14:12:17.649-05:00" Version="2.0">
>           <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="nycapt35k.com">http://service.example.com</saml2:Issuer>
>           <ds:Signature>
>             <ds:SignedInfo>
>               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>               <ds:Reference URI="#12345">
>                 <ds:Transforms>
>                   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                 <ds:DigestValue>YjV9NMHmUX/6uMK23I0e/ZsQyWk=</ds:DigestValue>
>               </ds:Reference>
>             </ds:SignedInfo>
>             <ds:SignatureValue>K9OkRkOrCTWWq0GsDqsdiz7ZO6Do0/hcrJ3sXo80H9wERrCZnOl6ruSWZHAOCpm+1oaieDIDWyR8FzZnjuE60aSQWXCZfgDQDs/ldEEg7B1KR4nzYnRl0PlFMeFZzlTT2CLIOnexwMrfPBihNktz4JcBrRt0VwNAABCsPen9oSU=</ds:SignatureValue>
>             <ds:KeyInfo>
>               <ds:KeyValue>
>                 <ds:RSAKeyValue>
>                   <ds:Modulus>hP+W377YbK5AkrcEINzfaTR/YNk2lDgRia8FVeoOr8guwxKwsuvQ+9Nq7F74i53Y7my2fV+8WwWNR/5ewSbSTpzYYVH1SAxp+EcZNkedP6f6x+W6uVIkm2W3jg2k+h9yV3l2e9iJXbQ61nGNbMetKwgrWmy0vFNaq5DhLPQi8D8=</ds:Modulus>
>                   <ds:Exponent>AQAB</ds:Exponent>
>                 </ds:RSAKeyValue>
>               </ds:KeyValue>
>             </ds:KeyInfo>
>           </ds:Signature>
>           <saml2:Subject>
>             <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName" NameQualifier="example.com">jdoe</saml2:NameID>
>           </saml2:Subject>
>           <saml2:AuthnStatement AuthnInstant="2010-03-01T14:12:17.649-05:00">
>             <saml2:AuthnContext>
>               <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>               <saml2:AuthenticatingAuthority/>
>             </saml2:AuthnContext>
>           </saml2:AuthnStatement>
>         </saml2:Assertion>
>       </ns2:RequestedSecurityToken>
>     </ns2:RequestSecurityTokenResponse>
>   </soap:Body>
> </soap:Envelope>

-- 
Daniel Kulp
[email protected]
http://www.dankulp.com/blog
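Both failure modes in this thread, the wst prefix that the 2.2.6 client never binds on <wst:RequestSecurityToken> and the response from which the client could not determine a token ID, can be reproduced and checked outside CXF. The script below is an added example, not code from the thread or from Apache CXF: it parses constructed WS-Trust envelopes with Python's standard library, reports the unbound-prefix request as not well-formed (a namespace parser rejects the whole document rather than handing the application a prefix to sort out later), and resolves the issued token's ID the way the thread describes, first from wst:RequestedAttachedReference and otherwise from a wsu:Id on the token, so a bare SAML assertion that carries only its own ID= attribute is reported as unresolvable. All sample messages are constructed inline; the wsse and wsu namespace URIs and the SAML Token Profile 1.1 "#SAMLID" KeyIdentifier ValueType come from the WS-Security specifications and are not on the page.

```python
# Added example (not from the CXF thread or from Apache CXF): checks for the
# two WS-Trust problems discussed above, using only the standard library.
import xml.etree.ElementTree as ET

# soap/wst/saml2 appear in the thread; wsse/wsu are the WS-Security 1.0
# namespaces (assumed here, not taken from the page).
NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
# KeyIdentifier ValueType for referencing a SAML assertion by its ID
# (SAML Token Profile 1.1; assumed, not from the thread).
SAML_ID_VALUE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"


def envelope(body):
    """Wrap a Body fragment in a minimal SOAP 1.2 envelope."""
    return ('<soap:Envelope xmlns:soap="%s"><soap:Body>%s</soap:Body></soap:Envelope>'
            % (NS["soap"], body))


# Constructed requests: RST_BOUND declares the wst prefix on the RST element
# (as the 2.2.5 message did); RST_UNBOUND never declares it (the 2.2.6 symptom).
RST_BOUND = envelope(
    '<wst:RequestSecurityToken xmlns:wst="%s"><wst:RequestType>%s/Issue'
    '</wst:RequestType></wst:RequestSecurityToken>' % (NS["wst"], NS["wst"]))
RST_UNBOUND = envelope(
    '<wst:RequestSecurityToken><wst:RequestType>%s/Issue'
    '</wst:RequestType></wst:RequestSecurityToken>' % NS["wst"])


def check_rst(xml_text):
    """Return (True, RequestType) for a usable RST, or (False, reason)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as err:  # e.g. "unbound prefix: line 1, column N"
        return False, "not well-formed: %s" % err
    rst = root.find("soap:Body/wst:RequestSecurityToken", NS)
    if rst is None:
        return False, "no wst:RequestSecurityToken in the Body"
    return True, rst.findtext("wst:RequestType", namespaces=NS)


# Constructed tokens: a SAML 2.0 assertion (ID= but no wsu:Id) and a
# BinarySecurityToken that carries its own wsu:Id.
SAML_ASSERTION = (
    '<saml2:Assertion xmlns:saml2="%s" ID="12345" Version="2.0">'
    '<saml2:Issuer>http://service.example.com</saml2:Issuer></saml2:Assertion>' % NS["saml2"])
BST_WITH_WSU_ID = (
    '<wsse:BinarySecurityToken xmlns:wsse="%s" xmlns:wsu="%s" wsu:Id="bst-1">AQAB'
    '</wsse:BinarySecurityToken>' % (NS["wsse"], NS["wsu"]))


def rstr(token, attached_ref_id=None):
    """Build an RSTR carrying `token`, optionally with a RequestedAttachedReference."""
    ref = ""
    if attached_ref_id is not None:
        ref = ('<wst:RequestedAttachedReference><wsse:SecurityTokenReference xmlns:wsse="%s">'
               '<wsse:KeyIdentifier ValueType="%s">%s</wsse:KeyIdentifier>'
               '</wsse:SecurityTokenReference></wst:RequestedAttachedReference>'
               % (NS["wsse"], SAML_ID_VALUE_TYPE, attached_ref_id))
    return envelope(
        '<wst:RequestSecurityTokenResponse xmlns:wst="%s">'
        '<wst:RequestedSecurityToken>%s</wst:RequestedSecurityToken>%s'
        '</wst:RequestSecurityTokenResponse>' % (NS["wst"], token, ref))


RSTR_SAML_NO_REF = rstr(SAML_ASSERTION)             # shape of the original STS response
RSTR_SAML_WITH_REF = rstr(SAML_ASSERTION, "12345")  # the fix described in the thread
RSTR_BST = rstr(BST_WITH_WSU_ID)                    # token that carries its own wsu:Id


def resolve_token_id(xml_text):
    """Find the issued token's ID: attached reference first, then wsu:Id on the token.

    A SAML assertion has ID= but no wsu:Id, so without the attached reference
    it is reported as unresolvable, which is the error the thread describes.
    """
    root = ET.fromstring(xml_text)
    resp = root.find("soap:Body/wst:RequestSecurityTokenResponse", NS)
    if resp is None:
        raise ValueError("no wst:RequestSecurityTokenResponse in the Body")
    kid = resp.find("wst:RequestedAttachedReference/wsse:SecurityTokenReference/"
                    "wsse:KeyIdentifier", NS)
    if kid is not None and kid.text and kid.text.strip():
        return kid.text.strip()
    token = resp.find("wst:RequestedSecurityToken/*", NS)
    if token is None:
        raise ValueError("no token inside wst:RequestedSecurityToken")
    wsu_id = token.get("{%s}Id" % NS["wsu"])
    if wsu_id:
        return wsu_id
    raise ValueError("could not determine a token ID for <%s>: no wsu:Id and "
                     "no RequestedAttachedReference" % token.tag)


if __name__ == "__main__":
    print(check_rst(RST_BOUND))
    print(check_rst(RST_UNBOUND))
    print(resolve_token_id(RSTR_SAML_WITH_REF), resolve_token_id(RSTR_BST))
    try:
        resolve_token_id(RSTR_SAML_NO_REF)
    except ValueError as err:
        print(err)
```

The unbound-prefix case is deliberately handled as a parse failure rather than a lookup miss: a conforming namespace-aware parser (expat here, as the thread's stax parser did on the receiving side) refuses the document outright, so the place to catch this is the serializer on the sending side, which is what switching to woodstox fixed.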
