Hi Oliver, WSS4J does not seem to support processing custom Statement types as per:
    <Statement xsi:type="ns3:AssertionMetadataType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <ns3:SessionDuration>0</ns3:SessionDuration>
    </Statement>

Opensaml seems to expect you to register custom types via a call to:

    org.opensaml.SAMLStatement.regFactory(QName, String)

where it attempts to load a class corresponding to the String, which must accept a DOM element in the constructor. WSS4J currently has no way to allow you to call this method, although you could always write custom code using the WSS4J APIs, I guess.

Colm.

-----Original Message-----
From: Oliver Wulff [mailto:[email protected]]
Sent: 15 October 2009 10:29
To: [email protected]
Subject: SAML processing, unable to locate an implementation of specified statement type

Hi there

I use CXF version 2.2, which uses WSS4J 1.5.8, which itself depends on opensaml 1.1. I've sent the following soap request to a CXF endpoint where the WS-SecurityPolicy enforces an issued token. Unfortunately, I get an error that the specified statement type is not supported.

Example request:

    <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                      xmlns:typ="http://apache.org/hello_world_soap_http/types">
      <soapenv:Header>
        <wsse:Security soapenv:mustUnderstand="1"
                       xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
          <Assertion MinorVersion="1" MajorVersion="1" Issuer="Security Token Service"
                     IssueInstant="2009-10-15T08:18:43.832Z"
                     AssertionID="id-f95c6d2d-7586-47d4-8884-f9cc14a52a34"
                     xmlns:ns8="http://schemas.iona.com/saml2"
                     xmlns:ns7="http://www.w3.org/2001/04/xmlenc#"
                     xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion"
                     xmlns:ns5="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                     xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                     xmlns:ns3="http://schemas.iona.com/saml"
                     xmlns:ns2="http://www.w3.org/2000/09/xmldsig#"
                     xmlns="urn:oasis:names:tc:SAML:1.0:assertion">
            <Statement xsi:type="ns3:AssertionMetadataType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              <ns3:SessionDuration>0</ns3:SessionDuration>
            </Statement>
            <AttributeStatement>
              <Subject>
                <NameIdentifier>alice</NameIdentifier>
                <SubjectConfirmation>
                  <ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod>
                </SubjectConfirmation>
              </Subject>
              <Attribute AttributeNamespace="http://schemas.iona.com/soa/security/saml-assertion-ext.xsd"
                         AttributeName="realms">
                <AttributeValue xsi:type="ns3:RealmAttributeValueType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                  <ns3:Realm name="IONAGlobalRealm" desc="">
                    <ns3:Role name="guest" desc=""/>
                  </ns3:Realm>
                  <ns3:Realm name="corporate" desc="">
                    <ns3:Role name="president" desc=""/>
                  </ns3:Realm>
                </AttributeValue>
              </Attribute>
            </AttributeStatement>
            <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#id-f95c6d2d-7586-47d4-8884-f9cc14a52a34">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                  <ds:DigestValue>Km83fx/zBg07cVq6Ef8seyXanu0=</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>S1ZZn10KLokaJ8GvgeUotlPyfxvMWBumQAQyAAaVb1BigZHY7qVHwP9XepWTqKZ9g9TQKwEwN4tB
    TFwAYLNApt4KQcmXazn5NEntxa7RSUwf3ovYcGeAn1bH0Uh35qkVJAPAvuEEefAbMHWVSIxVE9dw
    8ANENnH+hxdpprQX/Is=</ds:SignatureValue>
              <KeyInfo xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                       xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                       xmlns="http://www.w3.org/2000/09/xmldsig#">
                <ns3:SecurityTokenReference>
                  <X509Data>
                    <X509IssuerSerial>
                      <X509IssuerName>CN=sts-ca, OU=eng, O=iona.com</X509IssuerName>
                      <X509SerialNumber>1230254082</X509SerialNumber>
                    </X509IssuerSerial>
                  </X509Data>
                </ns3:SecurityTokenReference>
              </KeyInfo>
            </ds:Signature>
          </Assertion>
        </wsse:Security>
      </soapenv:Header>
      <soapenv:Body>
        <typ:greetMe>
          <typ:requestType>dddd</typ:requestType>
        </typ:greetMe>
      </soapenv:Body>
    </soapenv:Envelope>

Log:

    [INFO] Caused by: org.apache.ws.security.WSSecurityException: General security error (SAML token security failure); nested exception is:
    [INFO]   org.opensaml.UnsupportedExtensionException: SAMLStatement.getInstance() unable to locate an implementation of specified statement type
    [INFO]   at org.apache.ws.security.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:74)
    [INFO]   at org.apache.ws.security.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:53)
    [INFO]   at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:326)
    [INFO]   at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:243)
    [INFO]   at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:198)
    [INFO]   ... 18 more
    [INFO] Caused by: org.opensaml.UnsupportedExtensionException: SAMLStatement.getInstance() unable to locate an implementation of specified statement type
    [INFO]   at org.opensaml.SAMLStatement.getInstance(Unknown Source)
    [INFO]   at org.opensaml.SAMLAssertion.fromDOM(Unknown Source)
    [INFO]   at org.opensaml.SAMLAssertion.<init>(Unknown Source)
    [INFO]   at org.apache.ws.security.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:68)
    [INFO]   ... 22 more

There are only two statements there:

    <Statement xsi:type="ns3:AssertionMetadataType" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      ...
    </Statement>
    <AttributeStatement>
      ...
    </AttributeStatement>

Thanks
Oli

******************* PLEASE NOTE *******************
This message (including any attachments) may contain confidential or legally protected data or information. It is intended exclusively for the named recipient(s). If you have received this message in error, you are kindly asked to destroy it without making any copies and to notify the sender immediately. Thank you for your help.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
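For anyone who ends up writing the "custom code" Colm mentions: the following is an added example of what the registration step looks like. It is not WSS4J or OpenSAML code and is not from either poster. It assumes only what the thread shows, namely that OpenSAML 1.1 keys its statement factory on the xsi:type QName via the static org.opensaml.SAMLStatement.regFactory(QName, String), instantiates the named class through an (Element) constructor from SAMLStatement.getInstance(Element), and that a subclass overrides fromDOM(Element) and toDOM(Document, boolean) with the signatures of OpenSAML 1.1's SAMLObject. The class name AssertionMetadataStatement, the register() and main() methods, and the strict parsing rules are mine; check the exact set of abstract methods against the OpenSAML 1.1 sources you compile against before relying on it. The sample statement element in main() is constructed from the request in the thread.

```java
// Added example, not WSS4J/OpenSAML code: a SAML 1.x statement class for
// xsi:type="ns3:AssertionMetadataType", registered with OpenSAML 1.1's static
// SAMLStatement factory so that SAMLAssertion.fromDOM -> SAMLStatement.getInstance
// (the path in the stack trace above) can resolve it.
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import java.io.ByteArrayInputStream;

import org.opensaml.SAMLException;
import org.opensaml.SAMLStatement;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

public class AssertionMetadataStatement extends SAMLStatement {

    // Namespace and type name taken from the request in the thread.
    public static final String META_NS = "http://schemas.iona.com/saml";
    public static final QName TYPE = new QName(META_NS, "AssertionMetadataType");
    private static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String XSI_NS = "http://www.w3.org/2001/XMLSchema-instance";
    private static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";

    private long sessionDuration;

    // regFactory writes a JVM-wide static map keyed by the xsi:type QName. Call this
    // once at startup (a static initializer or servlet context listener), before the
    // first inbound SAML token is processed; WSS4J 1.5.8 has no config hook for it,
    // and the registration is visible to every OpenSAML 1.1 user in the process.
    public static void register() {
        SAMLStatement.regFactory(TYPE, AssertionMetadataStatement.class.getName());
    }

    public AssertionMetadataStatement() {
    }

    // getInstance() instantiates the registered class reflectively through this
    // (Element) constructor, so it must exist and must do the parsing.
    public AssertionMetadataStatement(Element e) throws SAMLException {
        fromDOM(e);
    }

    public void fromDOM(Element e) throws SAMLException {
        super.fromDOM(e);   // assumption: base-class bookkeeping, as in other SAMLStatement subclasses

        // The trace shows this running inside the SAMLAssertion constructor, i.e. on
        // wire input. Parse strictly rather than assuming anything about the token:
        // exactly one SessionDuration in the expected namespace, a non-negative integer.
        NodeList durations = e.getElementsByTagNameNS(META_NS, "SessionDuration");
        if (durations.getLength() != 1) {
            throw new SAMLException("AssertionMetadataType: expected one SessionDuration, found " + durations.getLength());
        }
        String text = durations.item(0).getTextContent().trim();
        try {
            sessionDuration = Long.parseLong(text);
        } catch (NumberFormatException nfe) {
            throw new SAMLException("AssertionMetadataType: SessionDuration is not an integer: " + text);
        }
        if (sessionDuration < 0) {
            throw new SAMLException("AssertionMetadataType: SessionDuration must be >= 0");
        }
    }

    public long getSessionDuration() {
        return sessionDuration;
    }

    // Re-serialise as <Statement xsi:type="ns3:AssertionMetadataType"> so the object
    // round-trips; for inbound-only validation in WSS4J this path is never exercised.
    public Node toDOM(Document doc, boolean xmlns) throws SAMLException {
        Element s = doc.createElementNS(SAML_NS, "Statement");
        if (xmlns) {
            s.setAttributeNS(XMLNS_NS, "xmlns", SAML_NS);
        }
        s.setAttributeNS(XMLNS_NS, "xmlns:ns3", META_NS);
        s.setAttributeNS(XSI_NS, "xsi:type", "ns3:AssertionMetadataType");
        Element d = doc.createElementNS(META_NS, "ns3:SessionDuration");
        d.appendChild(doc.createTextNode(Long.toString(sessionDuration)));
        s.appendChild(d);
        return s;
    }

    // Self-check: after register(), the factory must resolve the statement from the
    // thread instead of throwing UnsupportedExtensionException. Constructed sample input.
    public static void main(String[] args) throws Exception {
        register();
        String xml = "<Statement xmlns='" + SAML_NS + "' xmlns:ns3='" + META_NS + "'"
                + " xmlns:xsi='" + XSI_NS + "' xsi:type='ns3:AssertionMetadataType'>"
                + "<ns3:SessionDuration>0</ns3:SessionDuration></Statement>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs from the wire
        Element el = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8"))).getDocumentElement();
        SAMLStatement st = SAMLStatement.getInstance(el);
        System.out.println(st.getClass().getName() + " sessionDuration="
                + ((AssertionMetadataStatement) st).getSessionDuration());
    }
}
```

Two points worth keeping in mind if you go this route. First, because the registry is static and process-wide, whichever component calls register() first wins for that QName, so do it in one well-defined startup path rather than lazily from request handling. Second, registering a type widens what the token processor will accept: the new class is parsing untrusted XML, so it should reject anything it does not understand, and the endpoint should still verify that the Statement was covered by the assertion signature (it is inside the signed Reference in the request above) before acting on SessionDuration.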
