That warning shows that the content of the message was modified
somehow; that failure is independent of the keystore.
 
"Verification failed" is a message from the xml-sec library, which recomputes
the digest of the message part that the id identifies, in this case the
part with the id "#STRSAMLId-136". Somehow this part of the message
was modified, thus the message digests do not match.
 
 
Regards,
Werner



From: Montebove Luciano [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 11 July 2006 16:35
To: [email protected]
Subject: Problem with SAML token with "sender vouches" option

I'm trying to use a SAML token with WSS4J with the "sender vouches" option.
I followed the configuration tips in the interop files, but while the client generates the assertion and signs both the assertion and the body of the message, on the server side I can verify only the body signature, while I always get an error for the assertion signature:
 
16:08:51,515 WARN  [Reference] Verification failed for URI "#STRSAMLId-136"
16:08:51,515 INFO  [Reference] Verification successful for URI "#id-137"
16:08:51,531 INFO  [STDOUT] org.apache.ws.security.WSSecurityException: The signature verification failed
16:08:51,531 INFO  [STDOUT]     at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:327)
 
My Axis configuration client side is:
   <requestFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllSender">
     <parameter name="action" value="Timestamp SAMLTokenSigned"/>
     <parameter name="samlPropFile" value="saml3.properties"/>
     <parameter name="signatureKeyIdentifier" value="DirectReference"/>
    </handler>
   </requestFlow>
 
and server side is:
   <requestFlow>
    <handler type="java:org.apache.ws.axis.security.WSDoAllReceiver">
     <parameter name="action" value="Timestamp Signature SAMLTokenUnsigned"/>
     <parameter name="signaturePropFile" value="pa-crypto.properties"/>
    </handler>
   </requestFlow>
 
Quite strangely, if I use the "keyHolder" option (with small changes to the Axis configuration as described in the interop files), everything works fine with the same keystore.
 
Thanks
 
Luciano Montebove
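
The per-reference digest comparison described in the reply above, as an added example that is not part of the original thread and is not WSS4J or xml-sec code. It shows why one reference can fail while another in the same message verifies, and that re-serializing a signed part with new whitespace is enough to change its digest. Assumptions: Python's standard-library C14N 2.0 stands in for the canonicalization xml-sec applies, no transforms are processed, and the message content is constructed; only the two Id values come from the log.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

def part_digest(elem):
    """Base64 SHA-1 over the canonical form of one element (without its tail)."""
    part = copy.copy(elem)
    part.tail = None  # text after the end tag is not part of the referenced element
    canonical = ET.canonicalize(ET.tostring(part, encoding="unicode"))
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode()

def parts_by_id(xml_text):
    """Map each Id attribute value to its element."""
    return {e.get("Id"): e for e in ET.fromstring(xml_text).iter() if e.get("Id")}

def sign_references(xml_text, uris):
    """Sender side: record the digest of each referenced part."""
    parts = parts_by_id(xml_text)
    return {uri: part_digest(parts[uri[1:]]) for uri in uris}

def verify_references(xml_text, expected):
    """Receiver side: recompute each digest and compare, one result per URI."""
    parts = parts_by_id(xml_text)
    return {uri: uri[1:] in parts and part_digest(parts[uri[1:]]) == want
            for uri, want in expected.items()}

# Constructed messages; element names and content are hypothetical.
SENT = ('<Envelope><Token Id="STRSAMLId-136" Issuer="example-issuer">'
        '<Subject>alice</Subject></Token><Body Id="id-137">order 42</Body></Envelope>')
# Attribute order is normalized by canonicalization, so this still verifies.
REORDERED = SENT.replace('Id="STRSAMLId-136" Issuer="example-issuer"',
                         'Issuer="example-issuer" Id="STRSAMLId-136"')
# Whitespace added inside the signed part is content, so its digest changes.
REINDENTED = SENT.replace('<Subject>', '\n  <Subject>').replace('</Subject>', '</Subject>\n')

if __name__ == "__main__":
    refs = sign_references(SENT, ["#STRSAMLId-136", "#id-137"])
    for name, msg in [("sent", SENT), ("reordered", REORDERED), ("reindented", REINDENTED)]:
        print(name, verify_references(msg, refs))
```

Comparing the bytes of the referenced part as sent and as received, after canonicalization, is the quickest way to find what changed between the two handlers.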


 
