You need to set SecurityConstants.SELF_SIGN_SAML_ASSERTION to "true" in your configuration (and define the appropriate CallbackHandler and crypto property tags). In the message you pasted under c), the ds:Signature in the Security header only references #TS-1 (the Timestamp) and #Id-26930486 (the Body), and the saml1:Assertion itself contains no ds:Signature at all, which is exactly what the OWSM "Assertion must be signed" error is pointing at; with self-signing enabled the assertion carries its own issuer signature, which is what a holder-of-key recipient needs before it can trust the key in the SubjectConfirmation:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup Colm. On Wed, Apr 11, 2012 at 2:40 PM, Shwetank <[email protected]> wrote: > Hi > > Pardon me if i break a rule or two of mailing-list directives. > I seek help on how to sign SAML 1.1 assertion with CXF 2.5.2 for > holder-of-key confirmation method: > > a) an OWSM policy > wss10_saml_hok_token_with_message_protection_service_policy is applied to a > test service > b) the policy and wsdl look like following > > <?xml version="1.0"?> > <definitions xmlns="http://schemas.xmlsoap.org/wsdl/" > xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" > xmlns:tns="http://owsm.test.wsa.bf.hs.com/" > xmlns:xsd="http://www.w3.org/2001/XMLSchema" > xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="POManagerService" > targetNamespace="http://owsm.test.wsa.bf.hs.com/"> > <wsp:Policy > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" > wsu:Id="POManagerPort_Fault_Policy"/> > <wsp:Policy > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" > wsu:Id="POManagerPort_Input_Policy"> > <sp:SignedParts > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> > <sp:Body/> > <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/> > <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/> > <sp:Header Name="fmw-context" > Namespace="http://xmlns.oracle.com/fmw/context/1.0"/> > </sp:SignedParts> > <sp:EncryptedParts > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> > <sp:Body/> > <sp:Header Name="fmw-context" > Namespace="http://xmlns.oracle.com/fmw/context/1.0"/> > </sp:EncryptedParts> > </wsp:Policy> > <wsp:Policy > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" > wsu:Id="POManagerPort_Output_Policy"> > <sp:SignedParts > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> > <sp:Body/> > </sp:SignedParts> > <sp:EncryptedParts > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> > <sp:Body/> > </sp:EncryptedParts> > </wsp:Policy> > <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" > xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy" > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" > xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" > wsu:Id="wss10_saml_hok_token_with_message_protection_service_policy"> > <sp:AsymmetricBinding > xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> > <wsp:Policy> > <sp:InitiatorToken> > <wsp:Policy> > <sp:SamlToken > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"> > <wsp:Policy> > <sp:WssSamlV11Token10/> > </wsp:Policy> > </sp:SamlToken> > </wsp:Policy> > </sp:InitiatorToken> > <sp:RecipientToken> > <wsp:Policy> > <sp:X509Token > sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always"> > <wsp:Policy> > <sp:WssX509V3Token10/> > </wsp:Policy> > </sp:X509Token> > </wsp:Policy> > </sp:RecipientToken> > <sp:AlgorithmSuite> > <wsp:Policy> > <sp:Basic128/> > </wsp:Policy> > </sp:AlgorithmSuite> > <sp:Layout> > <wsp:Policy> > <sp:Lax/> > </wsp:Policy> > </sp:Layout> > <sp:IncludeTimestamp/> > <sp:OnlySignEntireHeadersAndBody/> > </wsp:Policy> > </sp:AsymmetricBinding> > <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"> > <wsp:Policy/> > </sp:Wss10> > </wsp:Policy> > <types> > <xsd:schema> > <xsd:import namespace="http://owsm.test.wsa.bf.hs.com/" > schemaLocation="http://server:7001/testwebservice/POManagerPort?xsd=1"/> > </xsd:schema> > 
</types> > <message name="createOrder"> > <part name="parameters" element="tns:createOrder"/> > </message> > <message name="createOrderResponse"> > <part name="parameters" element="tns:createOrderResponse"/> > </message> > <portType name="POManager"> > <operation name="createOrder"> > <input message="tns:createOrder"/> > <output message="tns:createOrderResponse"/> > </operation> > </portType> > <binding name="POManagerPortBinding" type="tns:POManager"> > <soap:binding style="document" > transport="http://schemas.xmlsoap.org/soap/http"/> > <wsp:PolicyReference > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" > URI="#wss10_saml_hok_token_with_message_protection_service_policy" > wsdl:required="false"/> > <operation name="createOrder"> > <soap:operation soapAction=""/> > <input> > <soap:body use="literal"/> > <wsp:PolicyReference > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" > URI="#POManagerPort_Input_Policy" wsdl:required="false"/> > </input> > <output> > <soap:body use="literal"/> > <wsp:PolicyReference > xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" > URI="#POManagerPort_Output_Policy" wsdl:required="false"/> > </output> > </operation> > </binding> > <service name="POManagerService"> > <port name="POManagerPort" binding="tns:POManagerPortBinding"> > <soap:address location="http://server:7001/testwebservice/POManagerPort"/> > <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"> > <wsa:Address xmlns:wsa="http://www.w3.org/2005/08/addressing"> > http://server:7001/testwebservice/POManagerPort > </wsa:Address> > <wsid:Identity > xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"> > <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"> > <dsig:X509Data> > <dsig:X509Certificate> > ................ > </dsig:X509Certificate> > <dsig:X509IssuerSerial> > <dsig:X509IssuerName> > ......... 
> </dsig:X509IssuerName> > <dsig:X509SerialNumber>-....</dsig:X509SerialNumber> > </dsig:X509IssuerSerial> > <dsig:X509SubjectName> > ....... > </dsig:X509SubjectName> > </dsig:X509Data> > </dsig:KeyInfo> > </wsid:Identity> > </wsa:EndpointReference> > </port> > </service> > </definitions> > > > > c) following is message generated by cxf2.5.2 for this policy > > <?xml version="1.0"?> > <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"> > <soap:Header> > <wsse:Security > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > soap:mustUnderstand="1"> > <wsse:BinarySecurityToken > EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" > wsu:Id="BC59F58138560D687613341497540725">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</wsse:BinarySecurityToken> > <wsu:Timestamp wsu:Id="TS-1"> > <wsu:Created>2012-04-11T13:06:42.679Z</wsu:Created> > <wsu:Expires>2012-04-11T13:11:42.679Z</wsu:Expires> > </wsu:Timestamp> > <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" > Id="EK-BC59F58138560D687613341497540724"> > <xenc:EncryptionMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/> > <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> > <wsse:SecurityTokenReference> > <wsse:Reference URI="#BC59F58138560D687613341497540725" > ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/> > </wsse:SecurityTokenReference> > </ds:KeyInfo> > <xenc:CipherData> > <xenc:CipherValue>tUjFXfI6BPNO78XzWGThNnCvXloGK001IPwzMiEdz4XAuz86gaCCTJ5+KBVKTsMhGxXOVNaOWTeLo3VzMKYWPA==</xenc:CipherValue> > </xenc:CipherData> > <xenc:ReferenceList> > <xenc:DataReference URI="#ED-3"/> > </xenc:ReferenceList> > 
</xenc:EncryptedKey> > <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > AssertionID="_BC59F58138560D687613341496647771" > IssueInstant="2012-04-11T13:07:44.551Z" Issuer="www.oracle.com" > MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType"> > <saml1:Conditions NotBefore="2012-04-11T13:07:44.838Z" > NotOnOrAfter="2012-04-11T13:12:44.838Z"/> > <saml1:AttributeStatement> > <saml1:Subject> > <saml1:NameIdentifier > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" > NameQualifier="www.oracle.com">weblogic</saml1:NameIdentifier> > <saml1:SubjectConfirmation> > <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod> > <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> > <ds:X509Data> > <ds:X509Certificate>........................</ds:X509Certificate> > </ds:X509Data> > </ds:KeyInfo> > </saml1:SubjectConfirmation> > </saml1:Subject> > <saml1:Attribute AttributeName="subject-role" > AttributeNamespace="http://custom-ns"> > <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" > xsi:type="xs:string">system-user</saml1:AttributeValue> > </saml1:Attribute> > </saml1:AttributeStatement> > </saml1:Assertion> > <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2"> > <ds:SignedInfo> > <ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> > <ds:Reference URI="#TS-1"> > <ds:Transforms> > <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > </ds:Transforms> > <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > <ds:DigestValue>/LPHR8sX+ptPaN8+iZYQxYwffG8=</ds:DigestValue> > </ds:Reference> > <ds:Reference URI="#Id-26930486"> > <ds:Transforms> > <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > </ds:Transforms> > <ds:DigestMethod 
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> > <ds:DigestValue>ej9eQZSJOyVu6TgV8MO/exfxCeA=</ds:DigestValue> > </ds:Reference> > </ds:SignedInfo> > <ds:SignatureValue>uBvdcZ7jkAty14s0tdMKGvI4z1lCbWDo2RQEWjJ9t6z9vASoB98l4NeshQz96JWDqpGFgb4wd93/f9ra0Y68xA==</ds:SignatureValue> > <ds:KeyInfo Id="KI-BC59F58138560D687613341497504882"> > <wsse:SecurityTokenReference > xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" > wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" > wsu:Id="STR-BC59F58138560D687613341497504923"> > <wsse:KeyIdentifier > ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BC59F58138560D687613341496647771</wsse:KeyIdentifier> > </wsse:SecurityTokenReference> > </ds:KeyInfo> > </ds:Signature> > </wsse:Security> > </soap:Header> > <soap:Body > xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" > wsu:Id="Id-26930486"> > <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-3" > Type="http://www.w3.org/2001/04/xmlenc#Content"> > <xenc:EncryptionMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/> > <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> > <wsse:SecurityTokenReference > xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" > xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" > wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"> > <wsse:Reference URI="#EK-BC59F58138560D687613341497540724"/> > </wsse:SecurityTokenReference> > </ds:KeyInfo> > <xenc:CipherData> > <xenc:CipherValue>.............................</xenc:CipherValue> > </xenc:CipherData> > </xenc:EncryptedData> > </soap:Body> > </soap:Envelope> > > > d) and i receive following error from OWSM (oracle web services manager) > > Policy compliance failure: 
Header/Element > NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must be signed > [WSM_PolicyName: > oracle/wss10_saml_hok_token_with_message_protection_service_policy] The > signed message elements or parts do not comply with the policy. > > > I seek help to understand which part of the message is not being signed, and > why, or how I could sign it. > I am using the SamlCallbackHandler (supplied with tests) to add attributes. > > Following is the callback handler code, in case it helps: > > /////////////////////////////////////////////////////////////////////////////// > public void handle(Callback[] callbacks) throws IOException, > UnsupportedCallbackException { > for (int i = 0; i < callbacks.length; i++) > if ((callbacks[i] instanceof SAMLCallback)) { > SAMLCallback callback = (SAMLCallback)callbacks[i]; > if (this.saml2) { > callback.setSamlVersion(SAMLVersion.VERSION_20); > } > callback.setIssuer("www.oracle.com"); > String subjectName = "weblogic"; > String subjectQualifier = "www.oracle.com"; > > SubjectBean subjectBean = new SubjectBean(subjectName, > subjectQualifier, this.confirmationMethod); > > if > (("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key".equals(this.confirmationMethod)) > || > ("urn:oasis:names:tc:SAML:1.0:cm:holder-of-key".equals(this.confirmationMethod))) > { > try > { > KeyInfoBean keyInfo = createKeyInfo(); > subjectBean.setKeyInfo(keyInfo); > } catch (Exception ex) { > throw new IOException("Problem creating KeyInfo: " + > ex.getMessage()); > } > } > > callback.setSubject(subjectBean); > > AttributeStatementBean attrBean = new AttributeStatementBean(); > attrBean.setSubject(subjectBean); > > AttributeBean attributeBean = new AttributeBean(); > if (this.saml2) { > attributeBean.setQualifiedName("subject-role"); > } else { > attributeBean.setSimpleName("subject-role"); > attributeBean.setQualifiedName("http://custom-ns"); > } > > attributeBean.setAttributeValues(Collections.singletonList("system-user")); > 
attrBean.setSamlAttributes(Collections.singletonList(attributeBean)); > > callback.setAttributeStatementData(Collections.singletonList(attrBean)); > } > } > > protected KeyInfoBean createKeyInfo() throws Exception > { > Crypto crypto = CryptoFactory.getInstance("signature.properties"); > > CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS); > cryptoType.setAlias("myprivate"); > X509Certificate[] certs = crypto.getX509Certificates(cryptoType); > > KeyInfoBean keyInfo = new KeyInfoBean(); > keyInfo.setCertificate(certs[0]); > keyInfo.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.X509_CERT); > > return keyInfo; > } > > ////////////////////////////////////////////////////////////////////////////// > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
