The problem is that the "ws-security.signature.validator" configuration tag controls the Validator instance for a standalone Signature Element in the security header, and not the trust validation for a signed SAML Token, which has an internal (embedded) Signature.

What you need to do is to set either "ws-security.saml1.validator" or "ws-security.saml2.validator" (see here: http://cxf.apache.org/docs/ws-securitypolicy.html) to a custom SAML Token Validator that is based on the default SamlAssertionValidator, but wraps your custom Signature Validator for trust verification.

Colm.

On Thu, Dec 20, 2012 at 8:05 PM, [email protected] <[email protected]> wrote:

> I got this spun up but CXF doesn't seem to be acknowledging that I have
> provided a custom interceptor. I use Spring to provision endpoints, here is
> an excerpt of my service definition:
>
> <jaxws:properties>
>   <entry key="ws-security.callback-handler"
>          value="gov.hhs.fha.nhinc.callback.cxf.CXFSAMLCallbackHandler" />
>   <entry key="ws-security.signature.properties" value="keystore.properties" />
>   <entry key="ws-security.encryption.properties" value="truststore.properties" />
>   <entry key="ws-security.signature.validator">
>     <bean class="gov.hhs.fha.nhinc.callback.cxf.CONNECTSignatureTrustValidator" />
>   </entry>
> </jaxws:properties>
>
> However when I receive a web service message, I get the following
> stacktrace:
>
> [#|2012-12-20T14:49:02.901-0500|WARNING|glassfish3.1.2|org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor|_ThreadID=106;_ThreadName=Thread-2;|org.apache.ws.security.WSSecurityException:
> The security token could not be authenticated or authorized
>         at org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:86)
>         at org.apache.ws.security.validate.SamlAssertionValidator.verifySignedAssertion(SamlAssertionValidator.java:121)
>         at org.apache.ws.security.validate.SamlAssertionValidator.validate(SamlAssertionValidator.java:100)
>         at org.apache.ws.security.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:188)
>         at org.apache.ws.security.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:78)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:273)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>
> It doesn't appear that my custom validator is being invoked. Any thoughts?
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-WSS4J-signature-validation-problem-tp5719033p5720609.html
> Sent from the cxf-dev mailing list archive at Nabble.com.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
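The following is an added illustration of the approach Colm describes, not code from the thread or from CXF/WSS4J: a SAML token validator that extends the default SamlAssertionValidator and delegates the trust check on the assertion's embedded signature to a wrapped signature Validator (the user's CONNECTSignatureTrustValidator from the quoted mail, assumed here to implement org.apache.ws.security.validate.Validator). The class name TrustWrappingSamlValidator is hypothetical, and the method and type names assume the WSS4J 1.6 API visible in the stack trace above.

```java
package example; // hypothetical package

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SamlAssertionValidator;
import org.apache.ws.security.validate.Validator;

/*
 * Spring wiring (hypothetical): register this class under the SAML validator
 * key instead of "ws-security.signature.validator", which only covers a
 * standalone Signature element in the security header.
 *
 *   <entry key="ws-security.saml2.validator">
 *     <bean class="example.TrustWrappingSamlValidator">
 *       <constructor-arg>
 *         <bean class="gov.hhs.fha.nhinc.callback.cxf.CONNECTSignatureTrustValidator" />
 *       </constructor-arg>
 *     </bean>
 *   </entry>
 */
public class TrustWrappingSamlValidator extends SamlAssertionValidator {

    // The custom trust validator that decides whether the signing
    // certificate of the assertion is trusted (e.g. against the truststore).
    private final Validator signatureTrustValidator;

    public TrustWrappingSamlValidator(Validator signatureTrustValidator) {
        this.signatureTrustValidator = signatureTrustValidator;
    }

    // Called by SamlAssertionValidator.validate() only for signed assertions,
    // after the XML signature itself has been cryptographically verified.
    // The default implementation calls SignatureTrustValidator.validate()
    // directly (the frame at SamlAssertionValidator.java:121 in the trace);
    // this override routes the same Credential to the wrapped validator.
    @Override
    protected void verifySignedAssertion(AssertionWrapper assertion, RequestData data)
            throws WSSecurityException {
        SAMLKeyInfo keyInfo = assertion.getSignatureKeyInfo();
        if (keyInfo == null) {
            // No signing key available: refuse rather than silently trust.
            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
        }
        Credential trustCredential = new Credential();
        trustCredential.setPublicKey(keyInfo.getPublicKey());
        trustCredential.setCertificates(keyInfo.getCerts());
        // Throws WSSecurityException if the signing key is not trusted.
        signatureTrustValidator.validate(trustCredential, data);
    }
}
```

The other checks done by SamlAssertionValidator (assertion structure, conditions, and the holder-of-key or sender-vouches confirmation method) still run unchanged, since only the trust step is overridden.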
