[ https://issues.apache.org/jira/browse/WSS-238?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12933504#action_12933504 ]

Glen Mazza commented on WSS-238:
--------------------------------

OK, changing the Metro WSP to Always results in neither the Metro nor the CXF 
client working.  I'm attaching the SOAP calls and responses for Metro and CXF.
Just to make sure I did nothing screwy in the interim, switching back to 
AlwaysToRecipient results in the Metro client working again and the CXF failing 
as it did yesterday.

The two stacks' error messages are as follows:

CXF error message:

[INFO] Nov 18, 2010 12:10:11 PM 
org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
[INFO] INFO: Creating Service 
{http://www.example.org/contract/DoubleIt}DoubleItService from WSDL: 
file:/media/NewDriveExt3/workspace/DoubleItMetroWSTrust/client-cxf/src/main/resources/DoubleItService.wsdl
[INFO] Nov 18, 2010 12:10:11 PM 
org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl build
[INFO] WARNING: No assertion builder for type 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RequireInternalReference
 registered.
[INFO] Nov 18, 2010 12:10:13 PM 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
[INFO] WARNING: 
[INFO] org.apache.ws.security.WSSecurityException: The signature or decryption 
was invalid (<Reference> token could not be retrieved)
[INFO]  at 
org.apache.ws.security.processor.ReferenceListProcessor.getKeyFromSecurityTokenReference(ReferenceListProcessor.java:393)
[INFO]  at 
org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:162)
[INFO]  at 
org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:113)
[INFO]  at 
org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:76)
[INFO]  at 
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:328)
[INFO]  at 
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
[INFO]  at 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:215)
[INFO]  at 
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:81)
[INFO]  at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:247)
[INFO]  at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:733)
[INFO]  at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2304)
[INFO]  at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2166)
[INFO]  at 
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:2019)
[INFO]  at 
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
[INFO]  at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:712)
[INFO]  at 
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
[INFO]  at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:247)
[INFO]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:516)
[INFO]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
[INFO]  at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
[INFO]  at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
[INFO]  at 
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
[INFO]  at $Proxy24.doubleIt(Unknown Source)
[INFO]  at client.WSClient.doubleIt(WSClient.java:17)
[INFO]  at client.WSClient.main(WSClient.java:11)
[INFO] Nov 18, 2010 12:10:13 PM org.apache.cxf.phase.PhaseInterceptorChain 
doDefaultLogging
[INFO] WARNING: Interceptor for 
{http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt
 has thrown exception, unwinding now

Metro error message:
[INFO] INFO: WSP5018: Loaded WSIT configuration from file: 
file:/media/NewDriveExt3/workspace/DoubleItMetroWSTrust/client-metro/target/classes/wsit-client.xml.
[INFO] Nov 18, 2010 12:15:50 PM 
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData getCipherInputStream
[INFO] SEVERE: WSS1926: Key not set for EncryptedData
[INFO] Exception in thread "main" javax.xml.ws.WebServiceException: 
com.sun.xml.wss.impl.WssSoapFaultException: WSS1926: Key not set for 
EncryptedData
[INFO]  at 
com.sun.xml.wss.jaxws.impl.SecurityClientTube.processResponse(SecurityClientTube.java:348)
...
[INFO]  at com.sun.xml.ws.client.Stub.process(Stub.java:319)
[INFO]  at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:157)
[INFO]  at 
com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:109)
[INFO]  at 
com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:89)
[INFO]  at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:140)
[INFO]  at $Proxy43.doubleIt(Unknown Source)
[INFO]  at client.WSClient.doubleIt(WSClient.java:18)
[INFO]  at client.WSClient.main(WSClient.java:11)
[INFO] Caused by: com.sun.xml.wss.impl.WssSoapFaultException: WSS1926: Key not 
set for EncryptedData
[INFO]  at 
com.sun.xml.ws.security.opt.impl.util.SOAPUtil.newSOAPFaultException(SOAPUtil.java:133)
[INFO]  at 
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.getCipherInputStream(EncryptedData.java:216)
[INFO]  at 
com.sun.xml.ws.security.opt.impl.incoming.EncryptedData.getDecryptedData(EncryptedData.java:236)
[INFO]  ... 12 more

I'll mention to the Metro JIRA the items we discussed earlier.

> Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references 
> within SOAP:body EncryptedData elements.
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: WSS-238
>                 URL: https://issues.apache.org/jira/browse/WSS-238
>             Project: WSS4J
>          Issue Type: Improvement
>          Components: WSS4J Core
>    Affects Versions: 1.5.9
>            Reporter: Glen Mazza
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.5.10, 1.6
>
>         Attachments: EncryptedDataPatch.txt, patch238.txt, 
> TestWSSecuritySAMLKeyIdentifier.java, wss-238-revised.patch, 
> WSS-238Results.txt
>
>
> Per CXF bug CXF-2894: http://tinyurl.com/23jx6cx
> Within the soap:body/EncryptedData/SecurityTokenReference element, Glassfish 
> Metro is requiring wsse:KeyIdentifiers instead of wsse:Reference elements 
> when referring to SAML Assertions.  Metro appears correct because the SAML 
> Token Profile does not define usage of wsse:Reference for SAML Assertions, 
> only KeyIdentifier or EmbeddedReference. (Section 3.3 of SAML Token Profile 
> of 1 Dec. 2004 pdf lines 250-272.)
> The attached patch will switch SecurityTokenReference from wsse:Reference to 
> wsse:KeyIdentifier when handling SAML Assertions.  I've confirmed Metro web 
> service providers will now work with this patch.  However, backwards 
> compatibility issues with systems expecting the current wsse:Reference may 
> need to be taken into account.
> WSS4J has another problem with not being able to decrypt SOAP responses that 
> use wsse:KeyIdentifier instead of wsse:Reference for SAML Assertions.  
> Namely, org.apache.ws.security.processor.ReferenceListProcessor's 
> getKeyFromSecurityTokenReference() method will need changing to be able to 
> work with SAML Assertions coming from a wsse:KeyIdentifier element instead of 
> wsse:Reference.  I was not immediately successful in getting this second part 
> to work because I could not see how a SAMLTokenProcessor can be initialized 
> from a KeyIdentifier instead of the Reference element within this method.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
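The quoted issue description above contrasts the two SecurityTokenReference forms for a SAML assertion inside soap:Body/EncryptedData: a wsse:Reference with URI="#id" (what WSS4J 1.5.9 emitted, and what Metro rejects) versus a wsse:KeyIdentifier carrying the SAML Token Profile 1.0 SAMLAssertionID ValueType. The script below is an added illustration, not code from WSS4J, Metro, CXF or the reporter's patches. It builds a constructed SOAP envelope (the assertion ID, element IDs and CipherValue are made up), resolves an STR to its assertion whichever form it uses, which is the second half of the issue (getKeyFromSecurityTokenReference), and rewrites wsse:Reference to wsse:KeyIdentifier in every EncryptedData that names a SAML assertion, leaving non-SAML references untouched. It uses only the Python standard library and assumes a SAML 1.x assertion identified by AssertionID, as in the 1 Dec. 2004 profile the issue cites.

```python
"""Resolve and rewrite SecurityTokenReferences to SAML assertions in EncryptedData.

Added example (not WSS4J/Metro/CXF code). Namespaces are the real WS-Security,
XML Encryption, XML Signature and SAML 1.x URIs; the sample message is constructed.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)

# ValueType defined by the SAML Token Profile 1.0 for a KeyIdentifier that names
# an assertion by its AssertionID.
SAML_ASSERTION_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"

# Constructed message: a SAML 1.1 assertion in the Security header and an
# EncryptedData in the body whose STR uses the wsse:Reference form Metro rejects.
SAMPLE = """<soap:Envelope xmlns:soap="%(soap)s" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s"
    xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s" xmlns:saml="%(saml)s">
  <soap:Header>
    <wsse:Security>
      <saml:Assertion AssertionID="_a1b2c3" MajorVersion="1" MinorVersion="1"
          Issuer="sts.example" IssueInstant="2010-11-18T12:00:00Z"/>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <xenc:EncryptedData Id="ED-1" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
      <ds:KeyInfo>
        <wsse:SecurityTokenReference>
          <wsse:Reference URI="#_a1b2c3"/>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>""" % NS


def q(prefix, local):
    """Clark-notation tag for a prefixed name."""
    return "{%s}%s" % (NS[prefix], local)


def str_style(str_el):
    """How the STR points at its token: 'Reference', 'KeyIdentifier', 'Embedded' or 'unknown'."""
    for child in str_el:
        local = child.tag.rsplit("}", 1)[-1]
        if local in ("Reference", "KeyIdentifier", "Embedded"):
            return local
    return "unknown"


def find_saml_assertion(root, assertion_id):
    """Locate a SAML 1.x assertion anywhere in the envelope by its AssertionID."""
    for a in root.iter(q("saml", "Assertion")):
        if a.get("AssertionID") == assertion_id:
            return a
    return None


def resolve_str(root, str_el):
    """Resolve an STR to the SAML assertion it names, accepting either reference form."""
    style = str_style(str_el)
    if style == "Reference":
        uri = str_el.find("wsse:Reference", NS).get("URI", "")
        return find_saml_assertion(root, uri[1:]) if uri.startswith("#") else None
    if style == "KeyIdentifier":
        ki = str_el.find("wsse:KeyIdentifier", NS)
        if ki.get("ValueType") != SAML_ASSERTION_ID:
            return None  # some other token type; not a SAML assertion ID
        return find_saml_assertion(root, (ki.text or "").strip())
    return None


def encrypted_data_str_styles(xml_text):
    """List the STR style used by each EncryptedData element, in document order."""
    root = ET.fromstring(xml_text)
    return [str_style(s) for ed in root.iter(q("xenc", "EncryptedData"))
            for s in ed.iter(q("wsse", "SecurityTokenReference"))]


def saml_refs_to_key_identifiers(xml_text):
    """Rewrite wsse:Reference -> wsse:KeyIdentifier wherever an EncryptedData STR
    names a SAML assertion. Non-SAML references are left alone.
    Returns (rewritten_xml, number_of_references_rewritten)."""
    root = ET.fromstring(xml_text)
    count = 0
    for ed in list(root.iter(q("xenc", "EncryptedData"))):
        for str_el in list(ed.iter(q("wsse", "SecurityTokenReference"))):
            ref = str_el.find("wsse:Reference", NS)
            if ref is None:
                continue
            assertion = resolve_str(root, str_el)
            if assertion is None:
                continue
            str_el.remove(ref)
            ki = ET.SubElement(str_el, q("wsse", "KeyIdentifier"))
            ki.set("ValueType", SAML_ASSERTION_ID)
            ki.text = assertion.get("AssertionID")
            count += 1
    return ET.tostring(root, encoding="unicode"), count


if __name__ == "__main__":
    print("before:", encrypted_data_str_styles(SAMPLE))
    rewritten, n = saml_refs_to_key_identifiers(SAMPLE)
    print("rewrote %d reference(s); after:" % n, encrypted_data_str_styles(rewritten))
```

Running the script rewrites the one SAML reference in the sample, and a second pass changes nothing, which is the behaviour a producer-side patch needs so that an already conformant message is not disturbed. The resolver is the receiver-side half: it accepts both forms, so a stack that switches its outbound references still decrypts responses from peers that have not. SAML Token Profile 1.1 additionally expects a wsse11:TokenType attribute on the STR (and a different ValueType for SAML 2.0 assertions); the block sticks to the 1.0 form quoted in the issue.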