What security configuration do you have? And what version of CXF?

Colm.

On Wed, Dec 2, 2015 at 11:09 PM, dthomas <[email protected]> wrote:

> I have 2 codebases. They are identical except that one uses the reference
> JAX-WS implementation. The other uses CXF + Wss4j.
>
> I'm seeing a difference in the security header created by each codebase.
> The JAX-WS RI creates a <security> element with 2 <signature> elements
> within it.
>
> The codebase that uses CXF+wss4j only adds a single <signature> element.
> Based on what I found by googling, I think the 2nd signature element is
> supposed to be the signature confirmation.
>
> The server expects the signature confirmation and hence rejects the request
> in the case of CXF + Wss4j.
>
> Is this expected?
>
> JAX-WS reference implementation
> ========================
>
> <ns3:Security xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" > xmlns:ns2=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > " > xmlns:ns3=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd > " > xmlns:ns4="http://www.w3.org/2005/08/addressing" > xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice" > xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" > xmlns:ns7="http://www.w3.org/2000/09/xmldsig#" > xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" > > xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation"><ns2:Timestamp > xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" > xmlns:ns2=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > " > xmlns:ns3=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd > " > xmlns:ns4="http://www.w3.org/2005/08/addressing" > xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice" > xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" > xmlns:ns7="http://www.w3.org/2000/09/xmldsig#" > xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" >
xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation" > > ns2:Id="_a199e922-5238-46ca-a93a-f73db181e918"><ns2:Created>2015-11-29T19:40:02.949Z</ns2:Created><ns2:Expires>2015-11-29T19:50:02.949Z</ns2:Expires></ns2:Timestamp><saml2:Assertion > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > xmlns:xs="http://www.w3.org/2001/XMLSchema" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > ID="_a5ccb73a-7337-407a-b4c3-a66f2baeacb2" > IssueInstant="2015-11-29T19:39:58.983Z" Version="2.0"><saml2:Issuer > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> > https://funk.rtp.netapp.com/websso/SAML2/Metadata/vsphere.local > </saml2:Issuer><ds:Signature > xmlns:ds="http://www.w3.org/2000/09/xmldsig# > "><ds:SignedInfo><ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# > "></ds:CanonicalizationMethod><ds:SignatureMethod > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 > "></ds:SignatureMethod><ds:Reference > URI="#_a5ccb73a-7337-407a-b4c3-a66f2baeacb2"><ds:Transforms><ds:Transform > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature > "></ds:Transform><ds:Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# > "><ec:InclusiveNamespaces > xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs > > xsi"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#sha256 > "></ds:DigestMethod><ds:DigestValue>6562VNOEAQW4Q7giAAQDaMvsJE31Tr0dKHI8EIOP6Jo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>irRr1jA1PsMefSifkBw5K8UvBWiqpEbTJGFcOtU/sPHrSp2xLvgv8Qrnv5RuFMDbq9u4e1s1bII1 > > INjkTbK8XDhjvO32YDrpK9ywH5lWi6NYWCUOc31ZJe41s+ooikCrdWDnUAjNesxaqVaovO4aYexS > > S7hitB/ms6KuizkwwdocYt2tSBNNwa9Xjw0dsHzSdmMLaUXauOR3dDC/EwLODTd4uvQqVkRPOKYG > > oMDXndOC1QFeFphvnZvEgpITF4TPSWQUI7B9nAPDWeZIOUhJovJ2MxWNfGF+XrfBwnMxnGee3gp8 > > 
vrwhCDI3wLcs+ndX3Z92F5ga8Xl3uWI4z66KBQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDcjCCAlqgAwIBAgIJANBWyluWaMVFMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw > > FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV > > UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjcxNDUzNDZaFw0yNTEwMjEx > > NTAzMjlaMBgxFjAUBgNVBAMMDXNzb3NlcnZlclNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw > > ggEKAoIBAQDB6FmNgUCZiPKXwFtMwGPFdFxy1eBKNQLVqiwJPEk/TBImWLkXRgMdwApPOaPjWPj3 > > 9nc8zeKfYheGpel9cyqWAjniCo1mTj5r3ko4KlbvDip1MM/o2DwXK1jO1bGX0K1Jj/MEVizfNz4F > > 6G7wowY9Drxyg8+aCUY+SQsfkv1tEnjdxl3ybKXL7+yuDnFKBZt4qV68YdN+Zu6T3wURZKhBpCp4 > > vzSQwn56PEOE2sDb6HQ7R1aJO8JOeHZpXi78iQGHjyZUllm24+645axTs2DhbbJKiFOjoA95liC2 > > PANhFMjZu0TPMyvdyCYdLJokguDYC/s1D7hdhCQn0a34ZHqTAgMBAAGjbzBtMAsGA1UdDwQEAwIF > > 4DAeBgNVHREEFzAVghNmdW5rLnJ0cC5uZXRhcHAuY29tMB0GA1UdDgQWBBSpCGQYYTuwgR5kcNtX > > kC8nAjmGezAfBgNVHSMEGDAWgBQzkY4vNOatLsyiR9IEc2qO/SxuYDANBgkqhkiG9w0BAQsFAAOC > > AQEAVBw89jzGKzu0Fjd29o5tiTMEhIY2VlHnxiwdxNqFb7P4ADGEHye8OMfJiQb+24NjSV630yWc > > 3VNurEpRaT3SIEPqG10iFjnB/Fsxfgb1QlcCSdh3UwoCsmPMaagUlNijWb/eGhLzU2u/joSjPSmS > > uGxKCNgEPiCa1uBr0NZuHIll1mPg5TRH1aP05efa/XPb59RQdRbpDdkp2/n/0/gfeKL4F8htjPxS > > 6ayPk2ptJAWkDgPWCv8py2MwkzCa8la+aq8v/YZqOlRxnqp/Mh3ingJEmx/6uYbYbi4FJM1tstMv > > VROhlUh85fZePM9h1SVnjh+tMOca6Xf5g0FOx8nPpQ==</ds:X509Certificate><ds:X509Certificate>MIIDmDCCAoCgAwIBAgIJANl71jMO0URHMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw > > FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV > > UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjQxNTAzMjlaFw0yNTEwMjEx > > NTAzMjlaMGgxCzAJBgNVBAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT > > 8ixkARkWBWxvY2FsMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTCC > > ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTq9IGaJfEUwWW+rO/9DO8F4wg+lnRGVUNk > > pV4YILwfLiAnGF9A/rjumXiMCtc//soxJmI024A5k7PeVPUrkafSjRt7KioM5WzNtOU1OdesLsLA > > 
cHaZTU9XaNJ1+0k0SpQT/i7KzVFXPe54tM3SLhsdnjOeQfbCVYwBP+rARvoqz8vD2Ao+1VOLYqmp > > YPnsJimkgqmgNG93wybJWdyr5EXDeMcMw6V6sJOjfvGfTd+HOI3Sq7iw3jIUFE3JvnPve6dltNw+ > > +2kSZtjIOcHE4fbuRoRUxUMgWnbJn/tvpgnkINf67+RQQRgEsE5CtWMICEO74hyC41K2IL3BbHwP > > jsUCAwEAAaNFMEMwHQYDVR0OBBYEFDORji805q0uzKJH0gRzao79LG5gMA4GA1UdDwEB/wQEAwIB > > BjASBgNVHRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQAYmkUedlcvX0+lGWYXCUXL > > qocza0ZEpY/UV5Z7j6NVAToOV1pENtHKPjfCAe1aJKu+QpG1mltpMK5GBwLkkAqQPqBhQZfu84zS > > gcCEKhWNu0oCr1feZu8SOiddQdxQWIYLuwoB+Zvov0DOEB1ItETlRmMmuf1GRn29h+3UQfF83RrI > > ua73AXxJgozXI4qBfdGe/cUKT5NsBPOJeDJDZW5apv8mUj/35Z1Y8+8Qx7RIwEZnqjU3B1Zqs+ZQ > > KCuzjM31yPkJEby/a5aoPLaHHXVGIL6GN/erko3KxpJxar9TkmeULa2CBwh0hU4cQ4IFXExiNyRH > > dtL/iT0sE0nXET7g</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID > Format="http://schemas.xmlsoap.org/claims/UPN">[email protected] > </saml2:NameID><saml2:SubjectConfirmation > > Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:SubjectConfirmationData > xsi:type="saml2:KeyInfoConfirmationDataType"><ds:KeyInfo > xmlns:ds="http://www.w3.org/2000/09/xmldsig# > "><ds:X509Data><ds:X509Certificate>MIIChTCCAe6gAwIBAgIIOZzLxyu+aoIwDQYJKoZIhvcNAQEFBQAwgYQxCzAJBgNVBAYTAlVTMRMw > > EQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlQYWxvIEFsdG8xFTATBgNVBAoTDFZNd2FyZSwg > > SW5jLjEeMBwGA1UECxMVRWNvc3lzdGVtIEVuZ2luZWVyaW5nMRUwEwYDVQQDDAwqLnZtd2FyZS5j > > b20wHhcNMTUxMTI5MTkzOTU3WhcNMTYxMTI4MTkzOTU3WjCBhDELMAkGA1UEBhMCVVMxEzARBgNV > > BAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVBhbG8gQWx0bzEVMBMGA1UEChMMVk13YXJlLCBJbmMu > > MR4wHAYDVQQLExVFY29zeXN0ZW0gRW5naW5lZXJpbmcxFTATBgNVBAMMDCoudm13YXJlLmNvbTCB > > nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjHCywBzRtcTz0071B2zocMoN9D7A2Ham4YfITN43 > > cGTZtAcCOC7OKBkS8bfg04hqnUo59Roxr+jhIToxIMT4O1IxsAjiPXS68WdKh3h6pdfIdYrBTDFG > > Fe5UOhJwdG3cas5QJcKUMpWOfnNujIw8UaII8bu6ZvwZnR8kE2spFsUCAwEAATANBgkqhkiG9w0B > > AQUFAAOBgQB/PpOlU0yALiXFlIQGj6LW0VScBaOxOzMENKlk0VPt4bBT/3n8YKhri3Yfd/7WQMxJ > > 
Py1PyJvB8cCXEKfGlgQA9jRXbJf+8llVk1OyjCTjpnrPlEynLVxfNdmIn5HT7rXy27PTMC9e/By8 > > kdNUdcTHWYOVHPNd2akVemA1khaqhA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions > NotBefore="2015-11-29T19:39:57.916Z" > NotOnOrAfter="2015-11-29T20:09:57.916Z"><saml2:ProxyRestriction > Count="10"></saml2:ProxyRestriction><saml2:Condition > xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" Count="10" > > xsi:type="rsa:RenewRestrictionType"></saml2:Condition></saml2:Conditions><saml2:AuthnStatement > > AuthnInstant="2015-11-29T19:39:58.981Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute > FriendlyName="surname" > Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue > > xsi:type="xs:string">vsphere.local</saml2:AttributeValue></saml2:Attribute><saml2:Attribute > FriendlyName="givenName" > Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue > > xsi:type="xs:string">Administrator</saml2:AttributeValue></saml2:Attribute><saml2:Attribute > FriendlyName="Subject Type" > Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue > > xsi:type="xs:string">false</saml2:AttributeValue></saml2:Attribute><saml2:Attribute > FriendlyName="Groups" > Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue > > xsi:type="xs:string">vsphere.local\Users</saml2:AttributeValue><saml2:AttributeValue > > 
xsi:type="xs:string">vsphere.local\Administrators</saml2:AttributeValue><saml2:AttributeValue > > xsi:type="xs:string">vsphere.local\CAAdmins</saml2:AttributeValue><saml2:AttributeValue > > xsi:type="xs:string">vsphere.local\ComponentManager.Administrators</saml2:AttributeValue><saml2:AttributeValue > > xsi:type="xs:string">vsphere.local\SystemConfiguration.Administrators</saml2:AttributeValue><saml2:AttributeValue > > xsi:type="xs:string">vsphere.local\LicenseService.Administrators</saml2:AttributeValue><saml2:AttributeValue > > xsi:type="xs:string">vsphere.local\Everyone</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion> > > > ####see below 2nd signature element ############# > <ds:Signature > xmlns:ds="http://www.w3.org/2000/09/xmldsig# > "><ds:SignedInfo><ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# > "></ds:CanonicalizationMethod><ds:SignatureMethod > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512 > "></ds:SignatureMethod><ds:Reference > URI="#_60b8ff8d-e1b7-48f0-a3ea-43a5b2fd537e"><ds:Transforms><ds:Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# > "></ds:Transform></ds:Transforms><ds:DigestMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#sha512 > "></ds:DigestMethod><ds:DigestValue>V7sztgOZVF5LUSkR4aJJ7cX9X4UzAUpF3661NCKOs4puRIMiNIXJlrLVQIeS5YXPpme3sf89Xk8B > aAJD7kt+zA==</ds:DigestValue></ds:Reference><ds:Reference > URI="#_a199e922-5238-46ca-a93a-f73db181e918"><ds:Transforms><ds:Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n# > "></ds:Transform></ds:Transforms><ds:DigestMethod > Algorithm="http://www.w3.org/2001/04/xmlenc#sha512 > "></ds:DigestMethod><ds:DigestValue>QNGwQjyLO3jjAUlcok7jnlVN/IV7Kxrh17rs/7yRxuCsJpkydeBEfEDoXDXLG6/2rK09HDibWnCO > > lNKwJ8x5KQ==</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>AkBK81uTZXlCWkiKFTcGygLLI1WgaFv88zzfd0q/fUxy7arwg1HAehEaJASFOzRXbQj+H6JZ+3IY > > 
QJ4W1jG5A20ARuydx7uOh/pOSoT13pKk0loImSWAcBu3wpvUIFDUHFhVYbXtahHwtK7/NYyUfSnv > > rBLJghFdfyzaudckLR0=</ds:SignatureValue><ds:KeyInfo><ns3:SecurityTokenReference > xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" > xmlns:ns2=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > " > xmlns:ns3=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd > " > xmlns:ns4="http://www.w3.org/2005/08/addressing" > xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice" > xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" > xmlns:ns7="http://www.w3.org/2000/09/xmldsig#" > xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" > xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation" > xmlns:wsse11=" > http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" > wsse11:TokenType=" > http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 > "><ns3:KeyIdentifier > ValueType=" > http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID > ">_a5ccb73a-7337-407a-b4c3-a66f2baeacb2</ns3:KeyIdentifier></ns3:SecurityTokenReference></ds:KeyInfo></ds:Signature> > > </ns3:Security> > > > CXF + WSS4j > ========== > > <ns3:Security > xmlns:ns3=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd > " > xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" > xmlns:ns2=" > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd > " > xmlns:ns4="http://www.w3.org/2005/08/addressing" > xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice" > xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion" > xmlns:ns7="http://www.w3.org/2000/09/xmldsig#" > xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" > xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation"> > <ns2:Timestamp ns2:Id="fsfdsfsfs"> > <ns2:Created>2015-12-01T18:57:08.814Z</ns2:Created> > 
<ns2:Expires>2015-12-01T19:07:08.814Z</ns2:Expires> > </ns2:Timestamp> > <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > xmlns:xs="http://www.w3.org/2001/XMLSchema" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > ID="_50e38388-dbda-4843-9cd1-23730bd65502" > IssueInstant="2015-12-01T18:56:52.609Z" Version="2.0"> > <saml2:Issuer > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"> > https://funk.rtp.netapp.com/websso/SAML2/Metadata/vsphere.local > </saml2:Issuer> > <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> > <ds:SignedInfo> > <ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> > <ds:SignatureMethod > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> > <ds:Reference URI="#_50e38388-dbda-4843-9cd1-23730bd65502"> > <ds:Transforms> > <ds:Transform > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> > <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"> > <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" > PrefixList="xs xsi"/> > </ds:Transform> > </ds:Transforms> > <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> > > <ds:DigestValue>6IQ6ekeoHmJQHNdnaKYFEgw2UBthqumyFYGG49ltvVg=</ds:DigestValue> > </ds:Reference> > </ds:SignedInfo> > > <ds:SignatureValue>pTU4jM27A6HIIm8tFa/kXRn7jIaQDjUE6Z9yjAatr5FuCQRpZYm9IhvvptGp2jKRrdfV3/MoNpAR > > aigFdz5t/uf5fBapHhdTYgqqKGg7BFtWQghruWKYmL0OLxCb3AMDHslqbQwckFQnFFygkUQfi7t5 > > XF/LHM94gJiNsXuaUi3AZ11o7PDXPqAKwMVTS93DKGIrsK7WSw/Iok+F9yIYPUJ/ejFkcbnkg91e > > pw7MhP+EH2hjQkpYk0Alx20n5NVV1zXT7LG4niONwwNzBP98W3BE0cV93ZLdLhph7zACKdhlEvjD > rDSvSF95Ty01bSKrZxFXXTwJoRIimi+Ns0M4RA==</ds:SignatureValue> > <ds:KeyInfo> > <ds:X509Data> > > <ds:X509Certificate>MIIDcjCCAlqgAwIBAgIJANBWyluWaMVFMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw > > FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV > > 
UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjcxNDUzNDZaFw0yNTEwMjEx > > NTAzMjlaMBgxFjAUBgNVBAMMDXNzb3NlcnZlclNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw > > ggEKAoIBAQDB6FmNgUCZiPKXwFtMwGPFdFxy1eBKNQLVqiwJPEk/TBImWLkXRgMdwApPOaPjWPj3 > > 9nc8zeKfYheGpel9cyqWAjniCo1mTj5r3ko4KlbvDip1MM/o2DwXK1jO1bGX0K1Jj/MEVizfNz4F > > 6G7wowY9Drxyg8+aCUY+SQsfkv1tEnjdxl3ybKXL7+yuDnFKBZt4qV68YdN+Zu6T3wURZKhBpCp4 > > vzSQwn56PEOE2sDb6HQ7R1aJO8JOeHZpXi78iQGHjyZUllm24+645axTs2DhbbJKiFOjoA95liC2 > > PANhFMjZu0TPMyvdyCYdLJokguDYC/s1D7hdhCQn0a34ZHqTAgMBAAGjbzBtMAsGA1UdDwQEAwIF > > 4DAeBgNVHREEFzAVghNmdW5rLnJ0cC5uZXRhcHAuY29tMB0GA1UdDgQWBBSpCGQYYTuwgR5kcNtX > > kC8nAjmGezAfBgNVHSMEGDAWgBQzkY4vNOatLsyiR9IEc2qO/SxuYDANBgkqhkiG9w0BAQsFAAOC > > AQEAVBw89jzGKzu0Fjd29o5tiTMEhIY2VlHnxiwdxNqFb7P4ADGEHye8OMfJiQb+24NjSV630yWc > > 3VNurEpRaT3SIEPqG10iFjnB/Fsxfgb1QlcCSdh3UwoCsmPMaagUlNijWb/eGhLzU2u/joSjPSmS > > uGxKCNgEPiCa1uBr0NZuHIll1mPg5TRH1aP05efa/XPb59RQdRbpDdkp2/n/0/gfeKL4F8htjPxS > > 6ayPk2ptJAWkDgPWCv8py2MwkzCa8la+aq8v/YZqOlRxnqp/Mh3ingJEmx/6uYbYbi4FJM1tstMv > VROhlUh85fZePM9h1SVnjh+tMOca6Xf5g0FOx8nPpQ==</ds:X509Certificate> > > <ds:X509Certificate>MIIDmDCCAoCgAwIBAgIJANl71jMO0URHMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw > > FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV > > UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjQxNTAzMjlaFw0yNTEwMjEx > > NTAzMjlaMGgxCzAJBgNVBAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT > > 8ixkARkWBWxvY2FsMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTCC > > ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTq9IGaJfEUwWW+rO/9DO8F4wg+lnRGVUNk > > pV4YILwfLiAnGF9A/rjumXiMCtc//soxJmI024A5k7PeVPUrkafSjRt7KioM5WzNtOU1OdesLsLA > > cHaZTU9XaNJ1+0k0SpQT/i7KzVFXPe54tM3SLhsdnjOeQfbCVYwBP+rARvoqz8vD2Ao+1VOLYqmp > > YPnsJimkgqmgNG93wybJWdyr5EXDeMcMw6V6sJOjfvGfTd+HOI3Sq7iw3jIUFE3JvnPve6dltNw+ > > +2kSZtjIOcHE4fbuRoRUxUMgWnbJn/tvpgnkINf67+RQQRgEsE5CtWMICEO74hyC41K2IL3BbHwP > > 
jsUCAwEAAaNFMEMwHQYDVR0OBBYEFDORji805q0uzKJH0gRzao79LG5gMA4GA1UdDwEB/wQEAwIB > > BjASBgNVHRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQAYmkUedlcvX0+lGWYXCUXL > > qocza0ZEpY/UV5Z7j6NVAToOV1pENtHKPjfCAe1aJKu+QpG1mltpMK5GBwLkkAqQPqBhQZfu84zS > > gcCEKhWNu0oCr1feZu8SOiddQdxQWIYLuwoB+Zvov0DOEB1ItETlRmMmuf1GRn29h+3UQfF83RrI > > ua73AXxJgozXI4qBfdGe/cUKT5NsBPOJeDJDZW5apv8mUj/35Z1Y8+8Qx7RIwEZnqjU3B1Zqs+ZQ > > KCuzjM31yPkJEby/a5aoPLaHHXVGIL6GN/erko3KxpJxar9TkmeULa2CBwh0hU4cQ4IFXExiNyRH > dtL/iT0sE0nXET7g</ds:X509Certificate> > </ds:X509Data> > </ds:KeyInfo> > </ds:Signature> > <saml2:Subject> > <saml2:NameID > Format="http://schemas.xmlsoap.org/claims/UPN">[email protected] > </saml2:NameID> > <saml2:SubjectConfirmation > Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"> > <saml2:SubjectConfirmationData > xsi:type="saml2:KeyInfoConfirmationDataType"> > <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> > <ds:X509Data> > > <ds:X509Certificate>MIIChjCCAe+gAwIBAgIJAOpdwhw5314wMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYDVQQGEwJVUzET > > MBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJUGFsbyBBbHRvMRUwEwYDVQQKEwxWTXdhcmUs > > IEluYy4xHjAcBgNVBAsTFUVjb3N5c3RlbSBFbmdpbmVlcmluZzEVMBMGA1UEAwwMKi52bXdhcmUu > > Y29tMB4XDTE1MTIwMTE4NTY0OFoXDTE2MTEzMDE4NTY0OFowgYQxCzAJBgNVBAYTAlVTMRMwEQYD > > VQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlQYWxvIEFsdG8xFTATBgNVBAoTDFZNd2FyZSwgSW5j > > LjEeMBwGA1UECxMVRWNvc3lzdGVtIEVuZ2luZWVyaW5nMRUwEwYDVQQDDAwqLnZtd2FyZS5jb20w > > gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANs52Y9fJz5M8VeGARSPFjcnUEowoptJTygVqbNh > > SnE2oBIV0/WEr6xozmWa1XscvcjfOm2QVfIZwrZc+F5tAQ6yI7CqyDpafEIajX7hgFaLgbpuk+q9 > > FJlRx6uqIiIYt8GXoM4+W1G/ICfUiAfCq3M2b5ItmAoRc6E2LMJXFY0LAgMBAAEwDQYJKoZIhvcN > > AQEFBQADgYEAv9HpjvO3/F7ZbJkDH7eujnGRHw1gSjSMp4TMlveICwoToNn+9svP8LkoT7u8YGxx > > nJSklky/d2cpA7zthj+DlYZF5icB/UY0eSRDSr3+MUiIxZt4LqRmW9mGBWxSJ1Dnq3kr821ATTMN > 8XbO6iyrpnJDv3a/HwBJF7k+Ypk+opY=</ds:X509Certificate> > </ds:X509Data> > </ds:KeyInfo> > </saml2:SubjectConfirmationData> > 
</saml2:SubjectConfirmation> > </saml2:Subject> > <saml2:Conditions NotBefore="2015-12-01T18:56:50.144Z" > NotOnOrAfter="2015-12-01T19:26:50.144Z"> > <saml2:ProxyRestriction Count="10"/> > <saml2:Condition > xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" Count="10" > xsi:type="rsa:RenewRestrictionType"/> > </saml2:Conditions> > <saml2:AuthnStatement AuthnInstant="2015-12-01T18:56:52.607Z"> > <saml2:AuthnContext> > > <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef> > </saml2:AuthnContext> > </saml2:AuthnStatement> > <saml2:AttributeStatement> > <saml2:Attribute FriendlyName="surname" > Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> > <saml2:AttributeValue > xsi:type="xs:string">vsphere.local</saml2:AttributeValue> > </saml2:Attribute> > <saml2:Attribute FriendlyName="givenName" > Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> > <saml2:AttributeValue > xsi:type="xs:string">Administrator</saml2:AttributeValue> > </saml2:Attribute> > <saml2:Attribute FriendlyName="Subject Type" > Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> > <saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue> > </saml2:Attribute> > <saml2:Attribute FriendlyName="Groups" > Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> > <saml2:AttributeValue > xsi:type="xs:string">vsphere.local\Users</saml2:AttributeValue> > <saml2:AttributeValue > xsi:type="xs:string">vsphere.local\Administrators</saml2:AttributeValue> > <saml2:AttributeValue > xsi:type="xs:string">vsphere.local\CAAdmins</saml2:AttributeValue> > <saml2:AttributeValue > > 
xsi:type="xs:string">vsphere.local\ComponentManager.Administrators</saml2:AttributeValue> > <saml2:AttributeValue > > xsi:type="xs:string">vsphere.local\SystemConfiguration.Administrators</saml2:AttributeValue> > <saml2:AttributeValue > > xsi:type="xs:string">vsphere.local\LicenseService.Administrators</saml2:AttributeValue> > <saml2:AttributeValue > xsi:type="xs:string">vsphere.local\Everyone</saml2:AttributeValue> > </saml2:Attribute> > </saml2:AttributeStatement> > </saml2:Assertion>
>
> #### 2nd signature element is missing <------
>
> </ns3:Security>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Question-on-signature-confirmation-in-the-security-header-tp5763524.html
> Sent from the cxf-dev mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
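
Added example (not part of the thread, and not CXF, WSS4J or JAX-WS RI code): a Python diagnostic for the header comparison described in the quoted message. It lists each `ds:Signature` in a `wsse:Security` header, whether it is a direct child of the header or enveloped in a token, and what its references and `KeyInfo` point to. The two sample headers are constructed with placeholder Ids, and `summarize_signatures` is a name chosen here.

```python
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/"
            "oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample input: same element layout as the headers quoted in the
# thread, with placeholder Ids and no real digests, signatures or certificates.
MESSAGE_SIGNATURE = """
  <ds:Signature><ds:SignedInfo>
      <ds:Reference URI="#body-1"/><ds:Reference URI="#ts-1"/>
    </ds:SignedInfo>
    <ds:KeyInfo><wsse:SecurityTokenReference/></ds:KeyInfo>
  </ds:Signature>"""
HEADER = """<wsse:Security xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
    xmlns:ds="{ds}" xmlns:saml2="{saml2}">
  <wsu:Timestamp wsu:Id="ts-1"/>
  <saml2:Assertion ID="assert-1">
    <ds:Signature><ds:SignedInfo>
        <ds:Reference URI="#assert-1"/>
      </ds:SignedInfo>
      <ds:KeyInfo><ds:X509Data/></ds:KeyInfo>
    </ds:Signature>
  </saml2:Assertion>{message_signature}
</wsse:Security>"""
WITH_MESSAGE_SIG = HEADER.format(message_signature=MESSAGE_SIGNATURE, **NS)
WITHOUT_MESSAGE_SIG = HEADER.format(message_signature="", **NS)


def local(tag):
    """Strip the '{namespace}' part of an ElementTree tag name."""
    return tag.rsplit("}", 1)[-1]


def summarize_signatures(security_xml):
    """Describe every ds:Signature under a wsse:Security element."""
    root = ET.fromstring(security_xml)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    # Index elements by the Id attributes that signature references resolve to.
    by_id = {}
    for el in root.iter():
        for attr in ("{%s}Id" % NS["wsu"], "ID", "Id"):
            if el.get(attr):
                by_id[el.get(attr)] = el
    summary = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        refs = []
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            target = by_id.get(uri[1:] if uri.startswith("#") else uri)
            # Ids not found in the header point elsewhere in the envelope.
            refs.append((uri, local(target.tag) if target is not None
                         else "outside header"))
        key_info = sig.find("ds:KeyInfo", NS)
        has_key = key_info is not None and len(key_info) > 0
        summary.append({
            "parent": local(parent_of[sig].tag),
            "message_level": parent_of[sig] is root,  # direct child of Security
            "references": refs,
            "key_info": local(key_info[0].tag) if has_key else None,
        })
    return summary


if __name__ == "__main__":
    for name, doc in (("with", WITH_MESSAGE_SIG), ("without", WITHOUT_MESSAGE_SIG)):
        for entry in summarize_signatures(doc):
            print(name, entry)
```

Run against two captured headers, the output shows which signature is the token issuer's enveloped signature and which one, if any, is a message-level signature over the timestamp and other parts.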
