Hi,
Prabath Siriwardena mentioned in his book "Advanced API" that an STSClient can
get a SAML token from the first STS (STS1) and use it to authenticate to the
second one (STS2) to get a new SAML token from STS2.

So I try to implement this scenario as follows:
1. The STSClient authenticates to STS1 with a Username token and gets a SAML
   assertion in response: OK.
2. Now I secure STS2 with "Transport Binding" and "Supporting Token". Since
   WSO2 does not have this policy, I register a custom policy for STS2 (as in
   [1]).
3. I implement a ServiceClient with the STS2 policy above and set the SAML
   assertion (received from step 1) as the "KEY_CUSTOM_ISSUED_TOKEN". All
   Rampart configurations also use the default keystore "wso2carbon".
However, STS2 logs a NullPointerException when wso2-wss4j [2] tries to fetch
the X.509 credential (in the KeyInfo of the SAML assertion) to validate the
signature:
TID: [-1234] [] [2018-10-20 21:28:45,414] DEBUG {org.apache.xml.security.utils.ElementProxy} -  setElement("ds:Signature", "")
TID: [-1234] [] [2018-10-20 21:28:45,417] DEBUG {org.apache.xml.security.utils.ElementProxy} -  setElement("ds:SignedInfo", "")
TID: [-1234] [] [2018-10-20 21:28:45,417] DEBUG {org.apache.xml.security.utils.ElementProxy} -  setElement("ds:SignatureMethod", "")
TID: [-1234] [] [2018-10-20 21:28:45,417] DEBUG {org.apache.xml.security.algorithms.SignatureAlgorithm} -  Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1"; class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
TID: [-1234] [] [2018-10-20 21:28:45,418] DEBUG {org.apache.xml.security.algorithms.JCEMapper} -  Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
TID: [-1234] [] [2018-10-20 21:28:45,418] DEBUG {org.apache.xml.security.algorithms.implementations.SignatureBaseRSA} -  Created SignatureRSA using SHA1withRSA
TID: [-1234] [] [2018-10-20 21:28:45,420] DEBUG {org.apache.xml.security.utils.ElementProxy} -  setElement("ds:KeyInfo", "")
TID: [-1234] [] [2018-10-20 21:28:45,432] DEBUG {org.apache.ws.security.processor.SAML2TokenProcessor} -  SAML2 Token was validated successfully.
TID: [-1234] [] [2018-10-20 21:28:45,437] ERROR {org.apache.axis2.transport.http.AxisServlet} -  java.lang.NullPointerException
    at org.apache.ws.security.saml.SAML2Util.validateSignature(SAML2Util.java:437)
    at org.apache.ws.security.processor.SAML2TokenProcessor.handleToken(SAML2TokenProcessor.java:66)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
and a ClassNotFoundException for JuiCEProviderOpenSSL:
TID: [-1234] [] [2018-10-20 21:28:45,243] DEBUG {org.apache.ws.security.util.Loader} -  org.apache.security.juice.provider.JuiCEProviderOpenSSL
java.lang.ClassNotFoundException: org.apache.security.juice.provider.JuiCEProviderOpenSSL
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
I have been stuck here for several days without further progress. Is my
approach correct, or do I misunderstand the concept? Please give me some hints.
I test on WSO2 Identity Provider 5.6.0.
[1] https://sourceforge.net/p/charithablogsam/code/ci/master/tree/resources/policies/axis2service.policy.xml
[2] https://github.com/wso2/wso2-wss4j/blob/release-1.5.11-wso2v17/modules/wss4j/src/org/apache/ws/security/saml/SAML2Util.java#L437
Best,
Joni
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
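An added example, not from the post, WSO2 or wss4j: before handing the assertion from STS1 to STS2, look at what the signature's ds:KeyInfo actually carries. If it only references a key (ds:KeyName, ds:X509IssuerSerial, a wsse:SecurityTokenReference) instead of embedding a ds:X509Certificate, the receiver has no credential to verify with unless it can resolve that reference against its own truststore, so this is a cheap first check when signature validation ends with a null credential. The function also flags the rsa-sha1 SignatureMethod that the log above shows being negotiated. The assertion text, key name and certificate bytes below are constructed placeholders, not a real token.

```python
"""Classify how a signed SAML 2.0 assertion identifies its verification key.

Added example; the tokens below are constructed, not real STS output.
"""
import base64
import binascii
import xml.etree.ElementTree as ET

# Namespaces of a SAML 2.0 assertion and its enveloped XML signature.
NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# KeyInfo children that only *refer* to a key the receiver must already hold,
# as opposed to ds:X509Certificate, which embeds the certificate itself.
REFERENCE_ELEMENTS = [
    ("ds", "KeyName"), ("ds", "X509SubjectName"), ("ds", "X509IssuerSerial"),
    ("ds", "X509SKI"), ("ds", "RetrievalMethod"), ("wsse", "SecurityTokenReference"),
]


def classify_keyinfo(assertion_xml: str) -> dict:
    """Return what the signature's KeyInfo carries and which algorithm it uses.

    xml.etree does not defend against entity-expansion attacks; run untrusted
    tokens through defusedxml (or an equally hardened parser) first.
    """
    root = ET.fromstring(assertion_xml)
    result = {"signed": False, "signature_method": None, "weak_digest": False,
              "has_keyinfo": False, "embedded_cert": False, "cert_der_len": 0,
              "reference_type": None}
    sig = root.find("ds:Signature", NS)
    if sig is None:
        return result
    result["signed"] = True

    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    if method is not None:
        result["signature_method"] = method.get("Algorithm")
        result["weak_digest"] = method.get("Algorithm") == RSA_SHA1  # SHA-1 is deprecated

    key_info = sig.find("ds:KeyInfo", NS)
    if key_info is None:
        return result
    result["has_keyinfo"] = True

    cert = key_info.find("ds:X509Data/ds:X509Certificate", NS)
    if cert is not None and cert.text and cert.text.strip():
        try:  # certificate base64 is usually line-wrapped; drop all whitespace first
            der = base64.b64decode("".join(cert.text.split()), validate=True)
        except binascii.Error:
            der = b""
        if der:
            result["embedded_cert"] = True
            result["cert_der_len"] = len(der)

    for prefix, local in REFERENCE_ELEMENTS:  # reference-only KeyInfo forms
        if key_info.find(f".//{prefix}:{local}", NS) is not None:
            result["reference_type"] = local
            break
    return result


def _assertion(signature: str) -> str:
    """Build a minimal constructed assertion around an optional ds:Signature."""
    return (f'<saml2:Assertion xmlns:saml2="{NS["saml2"]}" xmlns:ds="{NS["ds"]}" '
            f'ID="_c0ffee" Version="2.0" IssueInstant="2018-10-20T21:28:45Z">'
            f'<saml2:Issuer>https://sts1.example.test</saml2:Issuer>{signature}'
            f'<saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject>'
            f'</saml2:Assertion>')


def _signature(key_info_inner: str, algorithm: str) -> str:
    return (f'<ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{algorithm}"/>'
            f'</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>'
            f'<ds:KeyInfo>{key_info_inner}</ds:KeyInfo></ds:Signature>')


# Placeholder bytes standing in for a DER certificate (constructed, not a real cert).
FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 28
ASSERTION_WITH_CERT = _assertion(_signature(
    f"<ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}"
    f"</ds:X509Certificate></ds:X509Data>", RSA_SHA1))
ASSERTION_KEYNAME_ONLY = _assertion(_signature(
    "<ds:KeyName>sts1-signing-key</ds:KeyName>", RSA_SHA256))
ASSERTION_UNSIGNED = _assertion("")

if __name__ == "__main__":
    for name, token in [("embedded cert", ASSERTION_WITH_CERT),
                        ("KeyName only", ASSERTION_KEYNAME_ONLY),
                        ("unsigned", ASSERTION_UNSIGNED)]:
        print(name, classify_keyinfo(token))
```

Run it against the real assertion STS1 returns (after parsing it with a hardened parser): if embedded_cert is False and reference_type is set, STS2 has to resolve that reference from its own keystore, so make sure STS1's signing certificate is actually trusted there; if weak_digest is True, the STS is still issuing SHA-1 signatures and its signature algorithm should be raised to rsa-sha256.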