Hi Andreas,

This will be fixed for WSS4J 1.6.8:

https://issues.apache.org/jira/browse/WSS-411

The problem is really that WSS4J is not catering for a somewhat unusual request that Weblogic is generating. Namely, Weblogic should be adding a SAML ValueType attribute to the Reference inside the SecurityTokenReference, and also it should be adding the SAML Token above the Signature. Either of those two things would have solved the problem.

Colm.

On Thu, Nov 15, 2012 at 9:25 AM, andreas_triebel <[email protected]> wrote:

> An interop scenario with Weblogic as service consumer and Apache CXF (on
> JBoss) as service provider fails with a "Referenced security token could
> not be retrieved" error.
> The referenced security token (SAML assertion) is in place (Reference
> "#_0x1f0b85b073c1b3ef9ff63f003b319270"), but CXF cannot resolve it.
>
> Stacktrace:
> 09:00:25,035 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] Interceptor for SAML2TestService#doit has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:804) [jbossweb-7.0.13.Final.jar:]
>     ...
> Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:407) [wss4j.jar:1.6.7]
>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:197) [wss4j.jar:1.6.7]
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) [wss4j.jar:1.6.7]
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
>     ... 26 more
> Caused by: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: org.apache.ws.security.WSSecurityException: Referenced security token could not be retrieved (Reference "#_0x1f0b85b073c1b3ef9ff63f003b319270")
>     at org.apache.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:543) [xmlsec.jar:1.5.2]
>     at org.apache.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:384) [xmlsec.jar:1.5.2]
>     at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:267) [xmlsec.jar:1.5.2]
>     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:380) [wss4j.jar:1.6.7]
>     ... 29 more
> Caused by: javax.xml.crypto.dsig.TransformException: org.apache.ws.security.WSSecurityException: Referenced security token could not be retrieved (Reference "#_0x1f0b85b073c1b3ef9ff63f003b319270")
>     at org.apache.ws.security.transform.STRTransform.transformIt(STRTransform.java:274) [wss4j.jar:1.6.7]
>     at org.apache.ws.security.transform.STRTransform.transform(STRTransform.java:127) [wss4j.jar:1.6.7]
>     at org.apache.jcp.xml.dsig.internal.dom.DOMTransform.transform(DOMTransform.java:166) [xmlsec.jar:1.5.2]
>     at org.apache.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:458) [xmlsec.jar:1.5.2]
>     ... 32 more
> Caused by: org.apache.ws.security.WSSecurityException: Referenced security token could not be retrieved (Reference "#_0x1f0b85b073c1b3ef9ff63f003b319270")
>     at org.apache.ws.security.message.token.SecurityTokenReference.getTokenElement(SecurityTokenReference.java:235) [wss4j.jar:1.6.7]
>     at org.apache.ws.security.transform.STRTransformUtil.dereferenceSTR(STRTransformUtil.java:69) [wss4j.jar:1.6.7]
>     at org.apache.ws.security.transform.STRTransform.transformIt(STRTransform.java:200) [wss4j.jar:1.6.7]
>     ... 35 more
>
> SOAP message:
> <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
>   <S:Header>
>     ...
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
>       ...
>       <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>         <dsig:SignedInfo>
>           <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>           <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>           <dsig:Reference URI="#str_rF7CzO4LdKFt5zs6">
>             <dsig:Transforms>
>               <dsig:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>                 <wsse:TransformationParameters>
>                   <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>                 </wsse:TransformationParameters>
>               </dsig:Transform>
>             </dsig:Transforms>
>             <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>             <dsig:DigestValue>iRkzoWPRp+m7x3v9JqX3Q/HdqYU=</dsig:DigestValue>
>           </dsig:Reference>
>           ...
>         </dsig:SignedInfo>
>         <dsig:SignatureValue>...</dsig:SignatureValue>
>         <dsig:KeyInfo>...</dsig:KeyInfo>
>       </dsig:Signature>
>       <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_0x1f0b85b073c1b3ef9ff63f003b319270" IssueInstant="2012-11-15T08:00:24.879Z" Version="2.0">
>         ...
>       </saml:Assertion>
>       <wsse:SecurityTokenReference TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" wsu:Id="str_rF7CzO4LdKFt5zs6">
>         <wsse:Reference URI="#_0x1f0b85b073c1b3ef9ff63f003b319270" />
>       </wsse:SecurityTokenReference>
>       <wsu:Timestamp>
>         ...
>       </wsu:Timestamp>
>     </wsse:Security>
>   </S:Header>
>   <S:Body>
>     ...
>   </S:Body>
> </S:Envelope>
>
> What I see is a difference between Weblogic and CXF generated
> SecurityTokenReference referencing the SAML assertion.
> Is this the issue and how could it be resolved? Any suggestions
> appreciated.
>
> Weblogic:
> <wsse:SecurityTokenReference TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" wsu:Id="str_rF7CzO4LdKFt5zs6">
>   <wsse:Reference URI="#_0x1f0b85b073c1b3ef9ff63f003b319270" />
> </wsse:SecurityTokenReference>
>
> CXF:
> <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0" wsu:Id="STR-C4F98A4E3E98FE682A135290662529414">
>   <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_C4F98A4E3E98FE682A135290662529213</wsse:KeyIdentifier>
> </wsse:SecurityTokenReference>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Signature-Interop-Issue-Weblogic-Apache-CXF-tp5718487.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
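As an added illustration (not code from this thread, WSS4J or CXF), a small Python check that reads a wsse:Security header and reports the two conditions Colm names: a wsse:Reference inside a SecurityTokenReference with no ValueType, and the referenced SAML token sitting after the Signature in the header. The trimmed envelope, the wsu namespace URI and the ValueType value used for the corrected variant are assumptions.

```python
import xml.etree.ElementTree as ET

# Namespace URIs: wsse, dsig and saml are the ones in the posted message;
# the wsu URI is assumed (the post never declares it).
NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
WSU_ID = "{%s}Id" % NS["wsu"]
SAML_VT = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"  # assumed value

def lint_security_header(xml_text):
    """Report the two STR-Transform interop pitfalls from the thread, in document order."""
    sec = ET.fromstring(xml_text).find(".//wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    children = list(sec)  # direct children of wsse:Security, in document order
    sig_pos = [i for i, c in enumerate(children) if c.tag == "{%s}Signature" % NS["dsig"]]
    findings = []
    for str_el in sec.iter("{%s}SecurityTokenReference" % NS["wsse"]):
        for ref in str_el.findall("wsse:Reference", NS):
            uri = ref.get("URI", "")
            if not ref.get("ValueType"):
                findings.append("Reference %s has no ValueType" % uri)
            tok_pos = [i for i, c in enumerate(children)
                       if uri.lstrip("#") in (c.get("ID"), c.get(WSU_ID))]
            if tok_pos and sig_pos and tok_pos[0] > sig_pos[0]:
                findings.append("token %s appears after the Signature" % uri)
    return findings

def envelope(token_first, value_type):
    """Constructed, heavily trimmed envelope in the shape of the posted one."""
    vt = ' ValueType="%s"' % SAML_VT if value_type else ""
    assertion = '<saml:Assertion xmlns:saml="%s" ID="_0x1f" Version="2.0"/>' % NS["saml"]
    sig = '<dsig:Signature xmlns:dsig="%s"><dsig:SignedInfo/></dsig:Signature>' % NS["dsig"]
    str_el = ('<wsse:SecurityTokenReference wsu:Id="str_1">'
              '<wsse:Reference URI="#_0x1f"%s/></wsse:SecurityTokenReference>') % vt
    parts = [assertion, sig] if token_first else [sig, assertion]
    return ('<S:Envelope xmlns:S="%s"><S:Header><wsse:Security xmlns:wsse="%s" xmlns:wsu="%s">'
            '%s</wsse:Security></S:Header><S:Body/></S:Envelope>'
            % (NS["S"], NS["wsse"], NS["wsu"], "".join(parts + [str_el])))

if __name__ == "__main__":
    for finding in lint_security_header(envelope(False, False)):  # the Weblogic shape
        print(finding)
```

Either finding on its own is enough to reproduce the "Referenced security token could not be retrieved" failure against WSS4J 1.6.7 as described above, so a clean run is what to look for when checking a consumer's messages before the 1.6.8 fix is in place.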
