Hi Colm,

<<<<
I've just committed a potential fix for this problem to WSS4J. Could you
add a dependency in your client pom to WSS4J 1.6.7-SNAPSHOT and let me know
if it works?
>>>>
Thanks for the quick fix. I got past the previous NPE issue with WSS4J
1.6.7-SNAPSHOT (I only applied it to the client). Now I am getting a
WSSecurityException. I have copied the WSP response and the error message at the
bottom of this email for your reference.
The exception is thrown at line 217 of
org.apache.ws.security.str.SignatureSTRParser.java (wss4j-1.6.7-SNAPSHOT.jar):

AssertionWrapper assertion = SAMLUtil.getAssertionFromKeyIdentifier(secRef,
strElement, data, wsDocInfo);

Further, it failed at line 105 of the following code, inside
org.apache.ws.security.saml.SAMLUtil.java (wss4j-1.6.7-SNAPSHOT.jar), lines 82
to 132. It expects the local name of the token (xenc:EncryptedData) to equal
"Assertion", but the local name is "EncryptedData".


    public static AssertionWrapper getAssertionFromKeyIdentifier(
        SecurityTokenReference secRef,
        Element strElement,
        RequestData request,
        WSDocInfo wsDocInfo
    ) throws WSSecurityException {
        String keyIdentifierValue = secRef.getKeyIdentifierValue();
        String type = secRef.getKeyIdentifierValueType();
        // An assertion already processed in this message: reuse the stored result.
        WSSecurityEngineResult result = wsDocInfo.getResult(keyIdentifierValue);
        AssertionWrapper assertion = null;
        Element token = null;
        if (result != null) {
            assertion =
                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            return assertion;
        } else {
            // Otherwise resolve the KeyIdentifier to a processed token element.
            token =
                secRef.findProcessedTokenElement(
                    strElement.getOwnerDocument(), wsDocInfo,
                    request.getCallbackHandler(),
                    keyIdentifierValue, type
                );
            if (token != null) {
                // Only a SAML Assertion may be referenced by a SAMLAssertionID.
                if (!"Assertion".equals(token.getLocalName())) {
                    throw new WSSecurityException(
                        WSSecurityException.FAILURE, "invalidSAMLsecurity"
                    );
                }
                return new AssertionWrapper(token);
            }
            // Not processed yet: look the element up in the document and process it now.
            token =
                secRef.findUnprocessedTokenElement(
                    strElement.getOwnerDocument(), wsDocInfo,
                    request.getCallbackHandler(), keyIdentifierValue, type
                );

            if (token == null || !"Assertion".equals(token.getLocalName())) {
                throw new WSSecurityException(
                    WSSecurityException.FAILURE, "invalidSAMLsecurity"
                );
            }
            Processor proc =
                request.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
            List<WSSecurityEngineResult> samlResult =
                proc.handleToken(token, request, wsDocInfo);
            return
                (AssertionWrapper)samlResult.get(0).get(
                    WSSecurityEngineResult.TAG_SAML_ASSERTION
                );
        }
    }




-----------------------Part of client side log -------------------

Jun 12, 2012 2:20:21 PM org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType
INFO: Inbound Message
----------------------------
ID: 2
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {Content-Length=[5284], content-type=[text/xml;charset=UTF-8], Date=[Tue, 12 Jun 2012 18:20:21 GMT], Server=[Apache-Coyote/1.1]}
Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<Action xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-21392541">http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse</Action>
<MessageID xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-27404023">urn:uuid:14a7ee50-a80b-4e8e-8a24-501a1f27c37f</MessageID>
<To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-6617884">http://www.w3.org/2005/08/addressing/anonymous</To>
<RelatesTo xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-11283244">urn:uuid:c3b2508b-3b8a-4e3b-a3ce-d146073a3fc5</RelatesTo>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
<wsu:Timestamp wsu:Id="TS-52"><wsu:Created>2012-06-12T18:20:21.062Z</wsu:Created><wsu:Expires>2012-06-12T18:25:21.062Z</wsu:Expires></wsu:Timestamp>
<xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:DataReference URI="#ED-54"/></xenc:ReferenceList>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-53">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<ds:Reference URI="#Id-13175005"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>1qaC4/pteNP1OxZYGlIaeO9JnNg=</ds:DigestValue></ds:Reference>
<ds:Reference URI="#Id-6617884"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>AgU1e6t+Kz/maMvdm+LjtMSOT88=</ds:DigestValue></ds:Reference>
<ds:Reference URI="#Id-27404023"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>sn+kmoST3NluP8jcFrre1Z3dLKE=</ds:DigestValue></ds:Reference>
<ds:Reference URI="#Id-11283244"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>WmIxk6sQRlvmi0mlXbm1Emm+zg4=</ds:DigestValue></ds:Reference>
<ds:Reference URI="#Id-21392541"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>aOhKo4T8h5RibX7oHoA716O0x/4=</ds:DigestValue></ds:Reference>
<ds:Reference URI="#TS-52"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>yRbx7ao7zPuxMcVZCHJ07F/seGc=</ds:DigestValue></ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>phUYBjMU8fePqv+08yIBdfS3Gys=</ds:SignatureValue>
<ds:KeyInfo Id="KI-36455561753DCD790C133952522106235">
<wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-36455561753DCD790C133952522106236">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-13175005">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-54" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData><xenc:CipherValue>6WkAa0DPtBlT7HPhOof9rz2mAD1d4rC+3ArAav06B2UwZohawM/8ydSrhalqGmkolyFydGLJUah3zo57zZSjt5m+VoctQ9QIbdzdz02ERE34aJe9vF3pmn083obo1ouAOFLlBbkViShYtJi6eO2ir8+N+OBQ8TsJHYf07LUwyHtvjhxh30htbUEyoAWlY1NZfurAGqLmL/4FSWaqyDArYQ==</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>

--------------------------------------

Jun 12, 2012 3:18:39 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
WARNING:
org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
        at org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:107)
        at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217)
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:164)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
        at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
        at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        at $Proxy26.doubleIt(Unknown Source)
        at client.WSClient.doubleIt(WSClient.java:18)
        at client.WSClient.main(WSClient.java:11)
