Hi Amitesh;

The attached policy uses an IssuedToken [SAML] for signing.

You may develop the policy there to cater to your requirement.

Thanks & regards.
-Prabath

amiteshksingh wrote:
Does anybody know whether it is supported by AXIS2/Rampart or not?

Thanks,
Amitesh


amiteshksingh wrote:
Hi,
I am not finding any sample which describes the use of a signed supporting
token that uses an issued token and requests SAML.
I would appreciate it if anybody can provide one.

I am using the below policy:

<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
        <Address xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8090/axis2/services/STS</Address>
        <Metadata xmlns="http://www.w3.org/2005/08/addressing">
          <mex:Metadata xmlns:mex="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <mex:MetadataSection Dialect="http://schemas.xmlsoap.org/ws/2004/09/mex">
              <mex:MetadataReference>
                <Address xmlns="http://www.w3.org/2005/08/addressing">http://localhost:8090/axis2/services/mex</Address>
              </mex:MetadataReference>
            </mex:MetadataSection>
          </mex:Metadata>
        </Metadata>
      </Issuer>
      <sp:RequestSecurityTokenTemplate>
        <t:TokenType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
        <t:KeyType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey</t:KeyType>
        <t:KeySize xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">256</t:KeySize>
        <t:CanonicalizationAlgorithm xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</t:CanonicalizationAlgorithm>
        <t:EncryptionAlgorithm xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:EncryptionAlgorithm>
        <t:EncryptWith xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</t:EncryptWith>
        <t:SignWith xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</t:SignWith>
      </sp:RequestSecurityTokenTemplate>
      <wsp:Policy>
        <sp:RequireDerivedKeys/>
        <sp:RequireInternalReference/>
      </wsp:Policy>
    </sp:IssuedToken>
  </wsp:Policy>
</sp:SignedSupportingTokens>

but I am not able to get the SAML assertion. I am getting the below error:

Exception in thread "main" org.apache.axis2.AxisFault: Error in signature with a custom token
        at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:70)
        at org.apache.axis2.engine.Phase.invoke(Phase.java:317)
        at org.apache.axis2.engine.AxisEngine.invoke(AxisEngine.java:264)
        at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:429)
        at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:401)
        at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
        at org.apache.axis2.client.OperationClient.execute(OperationClient.java:163)
        at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:548)
        at org.apache.axis2.client.ServiceClient.sendReceive(ServiceClient.java:528)
        at com.accenture.apsp.security.Client.main(Client.java:82)
Caused by: org.apache.rampart.RampartException: Error in signature with a custom token
        at org.apache.rampart.builder.BindingBuilder.doSymmSignature(BindingBuilder.java:683)
        at org.apache.rampart.builder.SymmetricBindingBuilder.doSignBeforeEncrypt(SymmetricBindingBuilder.java:504)
        at org.apache.rampart.builder.SymmetricBindingBuilder.build(SymmetricBindingBuilder.java:90)
        at org.apache.rampart.MessageBuilder.build(MessageBuilder.java:144)
        at org.apache.rampart.handler.RampartSender.invoke(RampartSender.java:64)
        ... 9 more
Caused by: org.apache.ws.security.WSSecurityException: Signature creation failed; nested exception is: org.apache.xml.security.signature.XMLSignatureException: Id not found
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Id not found
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Id not found
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Id not found
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Id not found
        at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:683)
        at org.apache.rampart.builder.BindingBuilder.doSymmSignature(BindingBuilder.java:665)
        ... 13 more
Caused by: org.apache.xml.security.signature.XMLSignatureException: Id not found
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Id not found
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Id not found
Original Exception was org.apache.xml.security.signature.ReferenceNotInitializedException: Id not found
Original Exception was org.apache.xml.security.utils.resolver.ResourceResolverException: Id not found
        at org.apache.xml.security.signature.XMLSignature.sign(Unknown Source)
        at org.apache.ws.security.message.WSSecSignature.computeSignature(WSSecSignature.java:677)
        ... 14 more



<wsp:Policy wsu:Id="SigEncr2"
	xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
	xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl">
	<wsp:ExactlyOne>
		<wsp:All>
			<sp:SymmetricBinding
				xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<sp:ProtectionToken>
						<wsp:Policy>
							<sp:IssuedToken
								sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
								<Issuer xmlns="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
									<Address xmlns="http://www.w3.org/2005/08/addressing">https://localhost:9443/services/wso2carbon-sts</Address>
								</Issuer>
								<sp:RequestSecurityTokenTemplate
									xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
									<t:TokenType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
									<t:KeyType xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
									<t:KeySize>256</t:KeySize>
									<t:Claims Dialect="http://wso2.org/claims"
										xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
										<ic:ClaimType Uri="http://wso2.org/claims/UserSecurityTicket" />
										<ic:ClaimType Uri="http://wso2.org/claims/UserUniqueId" />
									</t:Claims>
								</sp:RequestSecurityTokenTemplate>
							</sp:IssuedToken>
						</wsp:Policy>
					</sp:ProtectionToken>
					<sp:AlgorithmSuite>
						<wsp:Policy>
							<sp:Basic256 />
						</wsp:Policy>
					</sp:AlgorithmSuite>
					<sp:Layout>
						<wsp:Policy>
							<sp:Strict />
						</wsp:Policy>
					</sp:Layout>
					<sp:IncludeTimestamp />
					<sp:EncryptSignature />
					<sp:OnlySignEntireHeadersAndBody />
				</wsp:Policy>
			</sp:SymmetricBinding>
			<sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<sp:MustSupportRefKeyIdentifier />
					<sp:MustSupportRefIssuerSerial />
					<sp:MustSupportRefThumbprint />
					<sp:MustSupportRefEncryptedKey />
				</wsp:Policy>
			</sp:Wss11>
			<sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<wsp:Policy>
					<sp:MustSupportIssuedTokens />
					<sp:RequireClientEntropy />
					<sp:RequireServerEntropy />
				</wsp:Policy>
			</sp:Trust10>
			<wsaw:UsingAddressing />
			<sp:SignedParts
				xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<sp:Body />
				<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
				<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
				<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
				<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
				<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
				<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
				<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
			</sp:SignedParts>
			<sp:EncryptedParts
				xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
				<sp:Body />
			</sp:EncryptedParts>
			<rampart:RampartConfig xmlns:rampart="http://ws.apache.org/rampart/policy">
				<rampart:user>wso2carbon</rampart:user>
				<rampart:encryptionUser>useReqSigCert</rampart:encryptionUser>
				<rampart:timestampPrecisionInMilliseconds>true</rampart:timestampPrecisionInMilliseconds>
				<rampart:timestampTTL>300</rampart:timestampTTL>
				<rampart:timestampMaxSkew>300</rampart:timestampMaxSkew>
				<rampart:tokenStoreClass>org.wso2.carbon.security.util.SecurityTokenStore</rampart:tokenStoreClass>
				<rampart:encryptionCrypto>
					<rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto">
						<rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
						<rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
						<rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
						<rampart:property name="rampart.config.user">wso2carbon</rampart:property>
					</rampart:crypto>
				</rampart:encryptionCrypto>
				<rampart:signatureCrypto>
					<rampart:crypto provider="org.wso2.carbon.security.util.ServerCrypto">
						<rampart:property name="org.wso2.carbon.security.crypto.alias">wso2carbon</rampart:property>
						<rampart:property name="org.wso2.carbon.security.crypto.privatestore">wso2carbon.jks</rampart:property>
						<rampart:property name="org.wso2.carbon.security.crypto.truststores">wso2carbon.jks,</rampart:property>
						<rampart:property name="rampart.config.user">wso2carbon</rampart:property>
					</rampart:crypto>
				</rampart:signatureCrypto>
			</rampart:RampartConfig>
		</wsp:All>
	</wsp:ExactlyOne>
</wsp:Policy>
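The two policies in this thread differ in a way that is easy to miss when reading raw WS-SecurityPolicy: the quoted SignedSupportingTokens template mixes elements from the WS-Trust 1.0 namespace (http://schemas.xmlsoap.org/ws/2005/02/trust, the version sp:Trust10 asserts) with elements from the WS-Trust 1.3 namespace (http://docs.oasis-open.org/ws-sx/ws-trust/200512), and requests a PublicKey, while the attached policy uses one namespace throughout and requests a SymmetricKey for a SymmetricBinding protection token. The script below is an added example, not part of this thread and not Rampart code; it does not diagnose the "Id not found" signature error, it only parses a policy document and reports such inconsistencies in sp:IssuedToken assertions so they can be ruled out first. The two embedded policy documents are constructed, cut-down versions of the ones quoted above.

```python
"""Consistency checks for sp:IssuedToken assertions in a WS-SecurityPolicy document.

Added example: standalone, stdlib-only, not Rampart code. It reports policy
inconsistencies (mixed WS-Trust namespaces, a WS-Trust 1.3 template next to an
sp:Trust10 assertion, a non-symmetric key requested for a SymmetricBinding
protection token, missing or whitespace-padded issuer address).
"""
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WST10 = "http://schemas.xmlsoap.org/ws/2005/02/trust"       # WS-Trust 1.0, the version sp:Trust10 asserts
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3


def _namespace(tag):
    """Namespace URI of an ElementTree tag in Clark notation ('{uri}local'), '' if unqualified."""
    return tag[1:].split("}", 1)[0] if tag.startswith("{") else ""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "") if elem is not None else ""


def lint_issued_tokens(policy_xml):
    """Return a list of human-readable findings for every sp:IssuedToken in the policy."""
    root = ET.fromstring(policy_xml)
    findings = []
    asserts_trust10 = root.find(f".//{{{SP}}}Trust10") is not None

    for tok in root.iter(f"{{{SP}}}IssuedToken"):
        # The client resolves the STS from Issuer/Address; padding whitespace is a classic gotcha.
        addr = tok.find(f"{{{SP}}}Issuer/{{{WSA}}}Address")
        if addr is None or not _text(addr).strip():
            findings.append("IssuedToken: Issuer/Address is missing or empty")
        elif _text(addr) != _text(addr).strip():
            findings.append("IssuedToken: Issuer/Address has surrounding whitespace")

        tmpl = tok.find(f"{{{SP}}}RequestSecurityTokenTemplate")
        if tmpl is None:
            findings.append("IssuedToken: RequestSecurityTokenTemplate is missing")
            continue

        # Every child of the template should come from one WS-Trust version.
        trust_ns = {_namespace(child.tag) for child in tmpl} & {WST10, WST13}
        if len(trust_ns) > 1:
            findings.append("RequestSecurityTokenTemplate: mixes WS-Trust 1.0 and 1.3 element namespaces")
        if asserts_trust10 and WST13 in trust_ns:
            findings.append("RequestSecurityTokenTemplate: uses WS-Trust 1.3 elements but the policy asserts sp:Trust10")

        local_names = {_local(child.tag) for child in tmpl}
        for required in ("TokenType", "KeyType"):
            if required not in local_names:
                findings.append(f"RequestSecurityTokenTemplate: no {required} element")

    # A SymmetricBinding derives its protection key from the token, so the token must carry a symmetric key.
    for binding in root.iter(f"{{{SP}}}SymmetricBinding"):
        for tok in binding.iter(f"{{{SP}}}IssuedToken"):
            for kt in tok.iter():
                if _local(kt.tag) == "KeyType" and not _text(kt).strip().endswith("/SymmetricKey"):
                    findings.append(
                        f"SymmetricBinding token requests KeyType {_text(kt).strip()}, expected .../SymmetricKey")
    return findings


# Constructed sample 1: cut-down version of the SignedSupportingTokens policy quoted above.
# TokenType/KeyType are WS-Trust 1.0 elements, SignWith is a WS-Trust 1.3 element.
MIXED_TEMPLATE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:Trust10><wsp:Policy><sp:MustSupportIssuedTokens/></wsp:Policy></sp:Trust10>
  <sp:SignedSupportingTokens>
    <wsp:Policy>
      <sp:IssuedToken sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
        <sp:Issuer><Address xmlns="{WSA}">http://localhost:8090/axis2/services/STS</Address></sp:Issuer>
        <sp:RequestSecurityTokenTemplate>
          <t:TokenType xmlns:t="{WST10}">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
          <t:KeyType xmlns:t="{WST10}">{WST10}/PublicKey</t:KeyType>
          <t:SignWith xmlns:t="{WST13}">http://www.w3.org/2000/09/xmldsig#hmac-sha1</t:SignWith>
        </sp:RequestSecurityTokenTemplate>
      </sp:IssuedToken>
    </wsp:Policy>
  </sp:SignedSupportingTokens>
</wsp:Policy>
"""

# Constructed sample 2: cut-down version of the attached SymmetricBinding policy (consistent).
SYMMETRIC_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:SymmetricBinding>
    <wsp:Policy>
      <sp:ProtectionToken>
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
            <sp:Issuer><Address xmlns="{WSA}">https://localhost:9443/services/wso2carbon-sts</Address></sp:Issuer>
            <sp:RequestSecurityTokenTemplate xmlns:t="{WST10}">
              <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
              <t:KeyType>{WST10}/SymmetricKey</t:KeyType>
              <t:KeySize>256</t:KeySize>
            </sp:RequestSecurityTokenTemplate>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:ProtectionToken>
    </wsp:Policy>
  </sp:SymmetricBinding>
  <sp:Trust10><wsp:Policy><sp:MustSupportIssuedTokens/></wsp:Policy></sp:Trust10>
</wsp:Policy>
"""

if __name__ == "__main__":
    for name, doc in (("mixed template", MIXED_TEMPLATE_POLICY), ("symmetric binding", SYMMETRIC_POLICY)):
        print(name, "->", lint_issued_tokens(doc) or ["no findings"])
```

Run against the first sample it reports the mixed namespaces and the WS-Trust 1.3 elements under an sp:Trust10 policy; against the second it reports nothing. Swapping the second sample's KeyType to PublicKey triggers the SymmetricBinding check, which is the shape of mismatch the attached policy avoids by requesting a SymmetricKey.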
