Just an FYI: my fix is committed so the latest snapshots should work with the 
other parsers.   

Dan

On Tuesday 02 March 2010 11:01:53 am John Hite wrote:
> I was using stax-ex because it was required by xwss, which I use to build
> my SAML Token. I switched to woodstox on the client side and it serializes
> the request properly now.
> 
> I also figured out my Token ID problem. I wasn't including a
> RequestedAttachedReference which was necessary since SAML tokens don't
> have a wsu:Id attribute.
> 
> Thanks,
> John
> 
> -----Original Message-----
> From: Daniel Kulp [mailto:[email protected]]
> Sent: Monday, March 01, 2010 10:20 PM
> To: [email protected]
> Cc: John Hite
> Subject: Re: STSClient in CXF 2.2.6 not binding wst prefix.
> 
> 
> Do you know what stax parser you are picking up?   Can you check to make
> sure woodstox is there?
> 
> That said, I see what is going on and am testing a fix now.
> 
> Dan
> 
> On Mon March 1 2010 2:19:14 pm John Hite wrote:
> > Hi, I am trying to create an STS using CXF. Right now I have a very basic
> > STS implementation that just returns a hard coded SAML 2.0 token. Right
> > now I am just creating the STS client and calling requestSecurityToken().
> > I was using CXF 2.2.5 and I was able to send the request and get my hard
> > coded saml token back but the STSClient was throwing an exception saying
> > that it could not determine a Token ID from RequestSecurityToken
> > Response. I tried using CXF 2.2.6 but the message that the STS client
> > sends is not valid.
> > 
> > CXF 2.2.5 message
> > <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
> >   <soap:Header>
> >     <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
> >     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:011b65c5-dffd-4ddb-9ab5-56ec9dd357fe</MessageID>
> >     <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost/services/sts</To>
> >     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
> >       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
> >     </ReplyTo>
> >   </soap:Header>
> >   <soap:Body>
> >     <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> >       <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
> >       <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType>
> >       <wst:KeySize>256</wst:KeySize>
> >       <wst:Entropy>
> >         <wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">7ZKTA8MENMk=</wst:BinarySecret>
> >       </wst:Entropy>
> >       <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
> >     </wst:RequestSecurityToken>
> >   </soap:Body>
> > </soap:Envelope>
> > 
> > CXF 2.2.6 message
> > <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
> >   <soap:Header>
> >     <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
> >     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:5a5d50d4-f6f4-4d92-a6e7-2a98dbd2f1a5</MessageID>
> >     <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost/services/sts</To>
> >     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
> >       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
> >     </ReplyTo>
> >   </soap:Header>
> >   <soap:Body>
> >     <wst:RequestSecurityToken>
> >       <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
> >       <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType>
> >       <wst:KeySize>256</wst:KeySize>
> >       <wst:Entropy>
> >         <wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">cLzr27D8kZs=</wst:BinarySecret>
> >       </wst:Entropy>
> >       <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
> >     </wst:RequestSecurityToken>
> >   </soap:Body>
> > </soap:Envelope>
> > 
> > Notice the missing wst namespace binding on <wst:RequestSecurityToken>.
> > Anyone know what is causing this?
> > 
> > 
> > Here's the response I send from the STS's Issue method.
> > 
> > <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
> >   <soap:Header>
> >     <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
> >     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:4f9fed96-7d08-40f2-b6fb-3f59361dfd69</MessageID>
> >     <To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
> >     <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:bf2877a6-effc-488e-9e43-6592c6146263</RelatesTo>
> >   </soap:Header>
> >   <soap:Body>
> >     <ns2:RequestSecurityTokenResponse xmlns="http://service.example.com"
> >         xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> >       <ns2:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns2:TokenType>
> >       <ns2:RequestedSecurityToken>
> >         <saml2:Assertion
> >             xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> >             xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> >             xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"
> >             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> >             xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="12345"
> >             IssueInstant="2010-03-01T14:12:17.649-05:00" Version="2.0">
> >           <saml2:Issuer
> >               Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> >               NameQualifier="nycapt35k.com">http://service.example.com</saml2:Issuer>
> >           <ds:Signature>
> >             <ds:SignedInfo>
> >               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> >               <ds:Reference URI="#12345">
> >                 <ds:Transforms>
> >                   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> >                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >                 </ds:Transforms>
> >                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >                 <ds:DigestValue>YjV9NMHmUX/6uMK23I0e/ZsQyWk=</ds:DigestValue>
> >               </ds:Reference>
> >             </ds:SignedInfo>
> >             <ds:SignatureValue>
> > K9OkRkOrCTWWq0GsDqsdiz7ZO6Do0/hcrJ3sXo80H9wERrCZnOl6ruSWZHAOCpm+1oaieDIDWyR8
> > FzZnjuE60aSQWXCZfgDQDs/ldEEg7B1KR4nzYnRl0PlFMeFZzlTT2CLIOnexwMrfPBihNktz4JcB
> > rRt0VwNAABCsPen9oSU=
> >             </ds:SignatureValue>
> >             <ds:KeyInfo>
> >               <ds:KeyValue>
> >                 <ds:RSAKeyValue>
> >                   <ds:Modulus>
> > hP+W377YbK5AkrcEINzfaTR/YNk2lDgRia8FVeoOr8guwxKwsuvQ+9Nq7F74i53Y7my2fV+8WwWN
> > R/5ewSbSTpzYYVH1SAxp+EcZNkedP6f6x+W6uVIkm2W3jg2k+h9yV3l2e9iJXbQ61nGNbMetKwgr
> > Wmy0vFNaq5DhLPQi8D8=
> >                   </ds:Modulus>
> >                   <ds:Exponent>AQAB</ds:Exponent>
> >                 </ds:RSAKeyValue>
> >               </ds:KeyValue>
> >             </ds:KeyInfo>
> >           </ds:Signature>
> >           <saml2:Subject>
> >             <saml2:NameID
> >                 Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName"
> >                 NameQualifier="example.com">jdoe</saml2:NameID>
> >           </saml2:Subject>
> >           <saml2:AuthnStatement AuthnInstant="2010-03-01T14:12:17.649-05:00">
> >             <saml2:AuthnContext>
> >               <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
> >               <saml2:AuthenticatingAuthority/>
> >             </saml2:AuthnContext>
> >           </saml2:AuthnStatement>
> >         </saml2:Assertion>
> >       </ns2:RequestedSecurityToken>
> >     </ns2:RequestSecurityTokenResponse>
> >   </soap:Body>
> > </soap:Envelope>

-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
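
Added example, not part of the original messages and not CXF code: a stand-alone Python check for captured messages. It shows a namespace-aware parse rejecting the CXF 2.2.6 request for its unbound wst prefix, and reports whether an RSTR carries anything that can identify the token. The "wsu:Id or RequestedAttachedReference" rule is a simplification of what the thread describes, and the sample messages are constructed, cut down from the ones quoted above.

```python
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")

def parse_soap(text):
    """Namespace-aware parse; an unbound prefix such as wst: raises ParseError."""
    if "<!DOCTYPE" in text:  # SOAP messages must not carry a DTD
        raise ValueError("DTD not allowed in a SOAP message")
    return ET.fromstring(text)

def check_rst(text):
    """Return (ok, reason) for a serialized RequestSecurityToken request."""
    try:
        root = parse_soap(text)
    except (ET.ParseError, ValueError) as exc:
        return False, str(exc)
    if root.find(f"{{{SOAP}}}Body/{{{WST}}}RequestSecurityToken") is None:
        return False, "Body has no RequestSecurityToken in the WS-Trust namespace"
    return True, "ok"

def token_id_source(text):
    """Name what in an RSTR can identify the token, or None if nothing can."""
    rstr = parse_soap(text).find(f".//{{{WST}}}RequestSecurityTokenResponse")
    if rstr is None:
        return None
    token = rstr.find(f"{{{WST}}}RequestedSecurityToken/*")
    if token is not None and token.get(f"{{{WSU}}}Id"):
        return "wsu:Id"
    if rstr.find(f"{{{WST}}}RequestedAttachedReference") is not None:
        return "RequestedAttachedReference"
    return None

# Constructed samples, cut down from the messages quoted in the thread.
def _env(body):
    return (f'<soap:Envelope xmlns:soap="{SOAP}"><soap:Body>{body}'
            '</soap:Body></soap:Envelope>')

_RST_BODY = '<wst:KeySize>256</wst:KeySize></wst:RequestSecurityToken>'
RST_BOUND = _env(f'<wst:RequestSecurityToken xmlns:wst="{WST}">' + _RST_BODY)
RST_UNBOUND = _env('<wst:RequestSecurityToken>' + _RST_BODY)  # 2.2.6 shape
SAML = '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="12345"/>'
RSTR_BARE = _env(f'<t:RequestSecurityTokenResponse xmlns:t="{WST}">'
                 f'<t:RequestedSecurityToken>{SAML}</t:RequestedSecurityToken>'
                 '</t:RequestSecurityTokenResponse>')
# Empty placeholder element; a real one wraps a wsse:SecurityTokenReference.
RSTR_REF = RSTR_BARE.replace('</t:RequestSecurityTokenResponse>',
    '<t:RequestedAttachedReference/></t:RequestSecurityTokenResponse>')
```

Running check_rst on a request captured from the wire before it reaches the STS separates a serializer problem like this one from a fault in the service itself.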
