Hi Colm,
Your fix passed ADFS2.0. Setting "sendRenewing" to "false" seems the better
option since this does not limit STS capabilities.
I got back RSTR from ADFS2.0 and client generated SOAP request to Web
service, but web service failed during token validation.
I am not sure if it is something to do with X509Data from ADFS2.0.
<KeyInfo>
  <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <X509Data>
      <X509IssuerSerial>
        <X509IssuerName>CN=servicecn, OU=SCT, O=SDL, L=wakefield, S=massachusetts, C=US</X509IssuerName>
        <X509SerialNumber>14822468329318157300</X509SerialNumber>
      </X509IssuerSerial>
    </X509Data>
  </o:SecurityTokenReference>
</KeyInfo>
At the beginning I had an email address in the service certificate issuer
field like below.
Alias name: myservicekey
Creation date: Apr 10, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: [email protected], CN=servicecn, OU=SCT, O=SDL,
L=wakefield, ST=massachusetts, C=US
Issuer: [email protected], CN=servicecn, OU=SCT, O=SDL,
L=wakefield, ST=massachusetts, C=US
Serial number: c8eea90bc902c540
Valid from: Tue Apr 10 10:40:33 EDT 2012 until: Fri Apr 08 10:40:33 EDT 2022
Certificate fingerprints:
MD5: B2:76:5C:F9:41:52:45:FE:6D:EC:54:FC:5E:A5:EF:6C
SHA1: 8F:1B:17:A0:AB:6F:8B:C6:02:65:7F:7E:E5:15:9C:79:AE:AE:01:D5
Signature algorithm name: SHA1withRSA
Version: 3
With that I was getting following exceptions.
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException:
improperly specified input name: [email protected], CN=servicecn, OU=SCT,
O=SDL, L=wakefield, S=massachusetts, C=US
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
    at $Proxy26.doubleIt(Unknown Source)
I thought that this is because ADFS changes "EMAILADDRESS" to "E" and "ST"
to "T". So, I regenerated a service certificate without entering an email
address, but I couldn't eliminate the state field "ST". I updated the other
keystores accordingly. Now I am getting the following error. One thing that
might be a problem is the serial number. ADFS2.0 sends the decimal value of the
serial number while the service keystore has the hex value. I am not sure if
this is a bug, but I needed a placeholder to attach all logs and files, so I
opened CXF-4367 (https://issues.apache.org/jira/browse/CXF-4367) and added
detailed info (client log, service log etc.) there. Please let me know if you
need further information.
org.apache.ws.security.WSSecurityException: The security token could not be
authenticated or authorized
    at org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:83)
    at org.apache.ws.security.validate.SamlAssertionValidator.verifySignedAssertion(SamlAssertionValidator.java:121)
    at org.apache.ws.security.validate.SamlAssertionValidator.validate(SamlAssertionValidator.java:100)
    at org.apache.ws.security.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:118)
    at org.apache.ws.security.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:53)
    at org.apache.ws.security.processor.EncryptedDataProcessor.handleToken(EncryptedDataProcessor.java:175)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
Thanks.
Gina
> On Thu, Jun 7, 2012 at 6:29 AM, Colm O hEigeartaigh
> <[email protected]>wrote:
>
>>
>> I've merged a fix to trunk to allow the user to not send the
>> <wst:Renewing/> tag at all. You can do this by setting the property
>> "sendRenewing" to "false" on the STSClient. Setting "allowRenewing" to
>> "false" means that you are instructing the STS not to issue a token that
>> can be renewed, so they have different meanings. Let me know if this fixes
>> the problem.
>>
>> Colm.
>
>
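Added example, not part of this thread and not CXF or WSS4J code: a small standalone Java diagnostic that checks whether the X509IssuerSerial reference quoted in the message above resolves against a local keystore, making the same two comparisons a signature validator has to make (issuer DN, then serial number). The issuer string and the decimal serial are copied from the KeyInfo in the message; the keystore path and password are placeholders for the reader's own service keystore, and the JKS type is an assumption.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.security.auth.x500.X500Principal;

/**
 * Diagnostic for an <X509IssuerSerial> reference that a validator cannot
 * resolve: does any keystore entry match both the issuer DN and the serial?
 */
public class IssuerSerialCheck {

    // Copied from the X509IssuerSerial element in the thread.
    static final String REF_ISSUER =
        "CN=servicecn, OU=SCT, O=SDL, L=wakefield, S=massachusetts, C=US";
    static final String REF_SERIAL_DECIMAL = "14822468329318157300";

    // Placeholders: point these at the service keystore being validated against.
    static final String KEYSTORE_PATH = "/path/to/service-keystore.jks";
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();

    public static void main(String[] args) throws Exception {
        // X509SerialNumber is a decimal integer while keytool prints the serial
        // in hex. This value is larger than Long.MAX_VALUE, so a long would
        // overflow; BigInteger handles both radices without loss.
        BigInteger refSerial = new BigInteger(REF_SERIAL_DECIMAL);
        System.out.println("Reference serial, decimal: " + refSerial);
        System.out.println("Reference serial, hex (keytool style): " + refSerial.toString(16));

        // Parse the issuer string the way the JDK does. A DN keyword the
        // parser does not accept raises IllegalArgumentException with the
        // message "improperly specified input name: ...".
        X500Principal refIssuer;
        try {
            refIssuer = new X500Principal(REF_ISSUER);
        } catch (IllegalArgumentException e) {
            System.out.println("Issuer DN in the reference does not parse: " + e.getMessage());
            return;
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
            ks.load(in, KEYSTORE_PASSWORD);
        }

        boolean resolved = false;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) c;

            // getSerialNumber() is already a BigInteger, so no manual hex
            // conversion is needed on the keystore side.
            boolean serialMatch = cert.getSerialNumber().equals(refSerial);

            // X500Principal.equals() compares canonical forms, so two DNs
            // match only if every attribute keyword mapped to the same OID.
            boolean issuerMatch = cert.getIssuerX500Principal().equals(refIssuer);

            System.out.printf("%s: serial %s (%s), issuer %s (%s)%n",
                alias,
                cert.getSerialNumber().toString(16),
                serialMatch ? "match" : "differs",
                cert.getIssuerX500Principal().getName(),
                issuerMatch ? "match" : "differs");

            resolved |= serialMatch && issuerMatch;
        }

        System.out.println(resolved
            ? "Reference resolves to a keystore entry."
            : "No keystore entry matches both issuer and serial.");
    }
}
```

Run it against the keystore the service validates with; the per-alias lines show separately whether the serial or the issuer is the part that differs, which is the distinction the WSSecurityException above does not make. If the reference DN itself fails to parse, that failure carries the same "improperly specified input name" text as the first exception in the message, so the DN keywords are the first thing to compare before looking at the serial.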