Hi Colm,

<<<<<
I merged another fix for this issue to WSS4J (
https://issues.apache.org/jira/browse/WSS-392). Please try again with the
latest WSS4J 1.6.7-SNAPSHOT jar.
>>>>>

I have good news for you. Your fix for WSS-392 worked. Nice work! My
client ran successfully. Thank you very much.
Now I have the passive profile (Fediz WS-Federation) and the active profile (Apache
CXF) working with ADFS 2.0 (STS). Next, I am going to pipe them together to
test ActAs with ADFS 2.0.

Thanks again for your dedicated effort.

Gina
On Wed, Jun 13, 2012 at 8:56 AM, Colm O hEigeartaigh <[email protected]> wrote:

> Hi Gina,
>
> I merged another fix for this issue to WSS4J (
> https://issues.apache.org/jira/browse/WSS-392). Please try again with the
> latest WSS4J 1.6.7-SNAPSHOT jar.
>
> Colm.
>
> On Tue, Jun 12, 2012 at 9:05 PM, Gina Choi <[email protected]> wrote:
>
> > Hi Colm,
> >
> > <<<<
> > I've just committed a potential fix for this problem to WSS4J. Could you
> > add a dependency in your client pom to WSS4J 1.6.7-SNAPSHOT and let me know
> > if it works?
> > >>>>
> > Thanks for the quick fix. I passed the previous NPE issue with WSS4J
> > 1.6.7-SNAPSHOT (I only applied it to the client). Now I am getting a
> > WSSecurityException. I have copied the WSP response and error message at the
> > bottom of this email for your reference.
> > The exception is thrown at line 217 of the
> > org.apache.ws.security.str.SignatureSTRParser.java (wss4j-1.6.7-SNAPSHOT.jar)
> > class.
> >
> > AssertionWrapper assertion = SAMLUtil.getAssertionFromKeyIdentifier(secRef, strElement, data, wsDocInfo);
> >
> > Further, it failed at line 105 of the following code, inside
> > org.apache.ws.security.saml.SAMLUtil.java (wss4j-1.6.7-SNAPSHOT.jar), from
> > line 82 to line 132. It expects the local name of the
> > token (xenc:EncryptedData) to equal "Assertion", but the local name is
> > "EncryptedData".
> >
> >
> >    public static AssertionWrapper getAssertionFromKeyIdentifier(
> >        SecurityTokenReference secRef,
> >        Element strElement,
> >        RequestData request,
> >        WSDocInfo wsDocInfo
> >    ) throws WSSecurityException {
> >        String keyIdentifierValue = secRef.getKeyIdentifierValue();
> >        String type = secRef.getKeyIdentifierValueType();
> >        WSSecurityEngineResult result = wsDocInfo.getResult(keyIdentifierValue);
> >        AssertionWrapper assertion = null;
> >        Element token = null;
> >        if (result != null) {
> >            assertion =
> >                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
> >            return assertion;
> >        } else {
> >            token =
> >                secRef.findProcessedTokenElement(
> >                    strElement.getOwnerDocument(), wsDocInfo,
> >                    request.getCallbackHandler(),
> >                    keyIdentifierValue, type
> >                );
> >            if (token != null) {
> >                if (!"Assertion".equals(token.getLocalName())) {
> >                    throw new WSSecurityException(
> >                        WSSecurityException.FAILURE, "invalidSAMLsecurity"
> >                    );
> >                }
> >                return new AssertionWrapper(token);
> >            }
> >            token =
> >                secRef.findUnprocessedTokenElement(
> >                    strElement.getOwnerDocument(), wsDocInfo,
> >                    request.getCallbackHandler(), keyIdentifierValue, type
> >                );
> >
> >            if (token == null || !"Assertion".equals(token.getLocalName())) {
> >                throw new WSSecurityException(
> >                    WSSecurityException.FAILURE, "invalidSAMLsecurity"
> >                );
> >            }
> >            Processor proc = request.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
> >            List<WSSecurityEngineResult> samlResult =
> >                proc.handleToken(token, request, wsDocInfo);
> >            return
> >                (AssertionWrapper)samlResult.get(0).get(
> >                    WSSecurityEngineResult.TAG_SAML_ASSERTION
> >                );
> >        }
> >    }
> >
> >
> >
> >
> >  -----------------------Part of client side log -------------------
> >
> >
> >
> > Jun 12, 2012 2:20:21 PM org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType
> > INFO: Inbound Message
> > ----------------------------
> > ID: 2
> > Response-Code: 200
> > Encoding: UTF-8
> > Content-Type: text/xml;charset=UTF-8
> > Headers: {Content-Length=[5284], content-type=[text/xml;charset=UTF-8], Date=[Tue, 12 Jun 2012 18:20:21 GMT], Server=[Apache-Coyote/1.1]}
> > Payload:
> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> >   <soap:Header>
> >     <Action xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-21392541">http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse</Action>
> >     <MessageID xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-27404023">urn:uuid:14a7ee50-a80b-4e8e-8a24-501a1f27c37f</MessageID>
> >     <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-6617884">http://www.w3.org/2005/08/addressing/anonymous</To>
> >     <RelatesTo xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-11283244">urn:uuid:c3b2508b-3b8a-4e3b-a3ce-d146073a3fc5</RelatesTo>
> >     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
> >       <wsu:Timestamp wsu:Id="TS-52">
> >         <wsu:Created>2012-06-12T18:20:21.062Z</wsu:Created>
> >         <wsu:Expires>2012-06-12T18:25:21.062Z</wsu:Expires>
> >       </wsu:Timestamp>
> >       <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> >         <xenc:DataReference URI="#ED-54"/>
> >       </xenc:ReferenceList>
> >       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-53">
> >         <ds:SignedInfo>
> >           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
> >           <ds:Reference URI="#Id-13175005">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>1qaC4/pteNP1OxZYGlIaeO9JnNg=</ds:DigestValue>
> >           </ds:Reference>
> >           <ds:Reference URI="#Id-6617884">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>AgU1e6t+Kz/maMvdm+LjtMSOT88=</ds:DigestValue>
> >           </ds:Reference>
> >           <ds:Reference URI="#Id-27404023">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>sn+kmoST3NluP8jcFrre1Z3dLKE=</ds:DigestValue>
> >           </ds:Reference>
> >           <ds:Reference URI="#Id-11283244">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>WmIxk6sQRlvmi0mlXbm1Emm+zg4=</ds:DigestValue>
> >           </ds:Reference>
> >           <ds:Reference URI="#Id-21392541">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>aOhKo4T8h5RibX7oHoA716O0x/4=</ds:DigestValue>
> >           </ds:Reference>
> >           <ds:Reference URI="#TS-52">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>yRbx7ao7zPuxMcVZCHJ07F/seGc=</ds:DigestValue>
> >           </ds:Reference>
> >         </ds:SignedInfo>
> >         <ds:SignatureValue>phUYBjMU8fePqv+08yIBdfS3Gys=</ds:SignatureValue>
> >         <ds:KeyInfo Id="KI-36455561753DCD790C133952522106235">
> >           <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-36455561753DCD790C133952522106236">
> >             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier>
> >           </wsse:SecurityTokenReference>
> >         </ds:KeyInfo>
> >       </ds:Signature>
> >     </wsse:Security>
> >   </soap:Header>
> >   <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-13175005">
> >     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-54" Type="http://www.w3.org/2001/04/xmlenc#Content">
> >       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
> >       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
> >           <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier>
> >         </wsse:SecurityTokenReference>
> >       </ds:KeyInfo>
> >       <xenc:CipherData>
> >         <xenc:CipherValue>6WkAa0DPtBlT7HPhOof9rz2mAD1d4rC+3ArAav06B2UwZohawM/8ydSrhalqGmkolyFydGLJUah3zo57zZSjt5m+VoctQ9QIbdzdz02ERE34aJe9vF3pmn083obo1ouAOFLlBbkViShYtJi6eO2ir8+N+OBQ8TsJHYf07LUwyHtvjhxh30htbUEyoAWlY1NZfurAGqLmL/4FSWaqyDArYQ==</xenc:CipherValue>
> >       </xenc:CipherData>
> >     </xenc:EncryptedData>
> >   </soap:Body>
> > </soap:Envelope>
> >
> > --------------------------------------
> >
> > Jun 12, 2012 3:18:39 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> > WARNING:
> > org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
> >       at org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:107)
> >       at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217)
> >       at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:164)
> >       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
> >       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
> >       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
> >       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
> >       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
> >       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
> >       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
> >       at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
> >       at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
> >       at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
> >       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
> >       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> >       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
> >       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
> >       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
> >       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
> >       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
> >       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> >       at $Proxy26.doubleIt(Unknown Source)
> >       at client.WSClient.doubleIt(WSClient.java:18)
> >       at client.WSClient.main(WSClient.java:11)
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
