I found out that the Crypto object that contains the certificate of the STS 
Issuer is NULL.
Here are the logs of the STS configuration. It looks good. But why is "crypto" null?
[2018-10-21 19:30:49,804] DEBUG {org.wso2.carbon.security.util.SecurityConfigParamBuilder} -  Trust Config property name : org.wso2.carbon.security.crypto.truststores value : wso2carbon.jks
[2018-10-21 19:30:49,804] DEBUG {org.wso2.carbon.security.util.SecurityConfigParamBuilder} -  Trust Config property name : org.wso2.carbon.security.crypto.privatestore value : wso2carbon.jks
[2018-10-21 19:30:49,804] DEBUG {org.wso2.carbon.security.util.SecurityConfigParamBuilder} -  Trust Config property name : org.wso2.carbon.security.crypto.alias value : wso2carbon
According to Thilina's blog [3], I should configure the "cryptoProperties" in 
the param "saml-issuer-config" (of services.xml) of Rampart. But I cannot find 
how to do so in WSO2.

[3] https://thilinamb.wordpress.com/2009/10/20/saml-2-0-token-profile-support-in-rampart-1-5/

   On Sunday, October 21, 2018, 3:54:08 PM GMT+2, <[email protected]> wrote: 
 

Message: 1
Date: Sun, 21 Oct 2018 09:46:35 +0000 (UTC)
From: Joni Lee <[email protected]>
To: "[email protected]" <[email protected]>
Subject: [Dev] From the book of Prabath
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"

Hi,
Prabath Siriwardena mentioned in his book "Advanced API" that an STSClient can 
get a SAML token from the first STS (STS1) and use it to authenticate to the second 
one (STS2) to get a new SAML token from STS2.

So I try to implement this scenario as follows:
1. The STSClient authenticates to STS1 with a Username token and gets a SAML 
assertion in response: OK.
2. Now I secure STS2 with "Transport Binding" and "Supporting Token". Since WSO2 
does not have this policy, I register a custom policy for STS2 (as in [1]).
3. I implement a ServiceClient with the STS2 policy above and set the SAML 
assertion (received from step 1) as the "KEY_CUSTOM_ISSUED_TOKEN". All Rampart 
configurations also use the default keystore "wso2carbon".
However, STS2 logs a NullPointerException when wso2-wss4j [2] tries to 
fetch the X.509 credential (in the KeyInfo of the SAML assertion) to validate the 
signature:
TID: [-1234] [] [2018-10-20 21:28:45,414] DEBUG {org.apache.xml.security.utils.ElementProxy} -  setElement("ds:Signature", "")
TID: [-1234] [] [2018-10-20 21:28:45,417] DEBUG {org.apache.xml.security.utils.ElementProxy} -  setElement("ds:SignedInfo", "")
TID: [-1234] [] [2018-10-20 21:28:45,417] DEBUG {org.apache.xml.security.utils.ElementProxy} -  setElement("ds:SignatureMethod", "")
TID: [-1234] [] [2018-10-20 21:28:45,417] DEBUG {org.apache.xml.security.algorithms.SignatureAlgorithm} -  Create URI "http://www.w3.org/2000/09/xmldsig#rsa-sha1"; class "class org.apache.xml.security.algorithms.implementations.SignatureBaseRSA$SignatureRSASHA1"
TID: [-1234] [] [2018-10-20 21:28:45,418] DEBUG {org.apache.xml.security.algorithms.JCEMapper} -  Request for URI http://www.w3.org/2000/09/xmldsig#rsa-sha1
TID: [-1234] [] [2018-10-20 21:28:45,418] DEBUG {org.apache.xml.security.algorithms.implementations.SignatureBaseRSA} -  Created SignatureRSA using SHA1withRSA
TID: [-1234] [] [2018-10-20 21:28:45,420] DEBUG {org.apache.xml.security.utils.ElementProxy} -  setElement("ds:KeyInfo", "")
TID: [-1234] [] [2018-10-20 21:28:45,432] DEBUG {org.apache.ws.security.processor.SAML2TokenProcessor} -  SAML2 Token was validated successfully.
TID: [-1234] [] [2018-10-20 21:28:45,437] ERROR {org.apache.axis2.transport.http.AxisServlet} -
java.lang.NullPointerException
    at org.apache.ws.security.saml.SAML2Util.validateSignature(SAML2Util.java:437)
    at org.apache.ws.security.processor.SAML2TokenProcessor.handleToken(SAML2TokenProcessor.java:66)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:332)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:249)
and a ClassNotFoundException for JuiCEProviderOpenSSL:
TID: [-1234] [] [2018-10-20 21:28:45,243] DEBUG {org.apache.ws.security.util.Loader} -  org.apache.security.juice.provider.JuiCEProviderOpenSSL
java.lang.ClassNotFoundException: org.apache.security.juice.provider.JuiCEProviderOpenSSL
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
I am stuck here for several days without further progress. Is my approach 
correct, or do I misunderstand the concept? Please give me some hints.
I test on WSO2 Identity Provider: 5.6.0

[1] https://sourceforge.net/p/charithablogsam/code/ci/master/tree/resources/policies/axis2service.policy.xml
[2] https://github.com/wso2/wso2-wss4j/blob/release-1.5.11-wso2v17/modules/wss4j/src/org/apache/ws/security/saml/SAML2Util.java#L437

Best,
Joni

  
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
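For reference, this is what the Rampart-native form of the configuration that [3] describes looks like: a "saml-issuer-config" parameter in the STS's services.xml whose "cryptoProperties" block tells WSS4J's Merlin provider which keystore holds the issuer key, so that a Crypto instance (and with it the issuer certificate placed in KeyInfo) exists at all. This is an added example, not part of the thread or of a WSO2 product; the keystore name, alias, passwords and the trusted-service URL are placeholders, and the Merlin property names are WSS4J's, not the org.wso2.carbon.security.crypto.* names in the Trust Config log lines above.

```xml
<!-- Added example (not from this thread): Rampart STS issuer configuration in services.xml.
     Keystore file, alias, passwords and the trusted-service URL are placeholders. -->
<parameter name="saml-issuer-config">
  <saml-issuer-config>
    <issuerName>STS1</issuerName>
    <!-- Private key used to sign issued assertions; its certificate goes into KeyInfo -->
    <issuerKeyAlias>wso2carbon</issuerKeyAlias>
    <issuerKeyPassword>CHANGE_ME_KEY_PASSWORD</issuerKeyPassword>
    <!-- Builds the Crypto object; with no cryptoProperties there is nothing to resolve
         the issuer certificate from -->
    <cryptoProperties>
      <crypto provider="org.apache.ws.security.components.crypto.Merlin">
        <property name="org.apache.ws.security.crypto.merlin.keystore.type">JKS</property>
        <property name="org.apache.ws.security.crypto.merlin.file">wso2carbon.jks</property>
        <property name="org.apache.ws.security.crypto.merlin.keystore.password">CHANGE_ME_KEYSTORE_PASSWORD</property>
      </crypto>
    </cryptoProperties>
    <!-- Assertion lifetime in milliseconds -->
    <timeToLive>300000</timeToLive>
    <keyComputation>2</keyComputation>
    <proofKeyType>BinarySecret</proofKeyType>
    <!-- Relying services the STS will issue for, keyed by endpoint; alias names the
         certificate in the keystore used to encrypt the proof key for that service -->
    <trusted-services>
      <service alias="wso2carbon">https://sts2.example.test/services/wso2carbon-sts</service>
    </trusted-services>
  </saml-issuer-config>
</parameter>
```

The relying side (STS2 in the thread) must in turn have the issuer's certificate, or a CA that chains to it, in the truststore that its own Crypto is built from; otherwise the KeyInfo credential cannot be resolved even when the assertion itself is well formed.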
