Hi Colm,
I think setting the flag to false is a workaround for now, but this should be
considered a bug. Does it make sense?

-Vinay

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]] 
Sent: Thursday, August 18, 2011 11:10 AM
To: [email protected]
Subject: Re: InitiatorSignatureToken

Yes. You can disable this by setting the SecurityConstants tag
"ws-security.is-bsp-compliant" to "false".

Colm.

On Thu, Aug 18, 2011 at 4:06 PM, Penmatsa, Vinay <[email protected]> wrote:
> It seems the BSPEnforcer rejects the signature security token reference 
> without this token type attribute:
>
>
>        if (assertion.getSaml2() != null && 
> !WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)) {
>            throw new WSSecurityException(
>                WSSecurityException.INVALID_SECURITY_TOKEN,
>                "invalidTokenType",
>                 new Object[]{tokenType}
>            );
>        }
>
>
> -Vinay
>
>
> -----Original Message-----
> From: Penmatsa, Vinay [mailto:[email protected]]
> Sent: Thursday, August 18, 2011 10:08 AM
> To: [email protected]
> Subject: RE: InitiatorSignatureToken
>
> Hi,
> Thank you very much. That seems to fix the issue with generating the 
> signature.
> But within the signature, the <SecurityTokenReference> is missing the 
> "TokenType" attribute. How can I get this?
> I think the expected attribute is 
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
>
> ---
> <ds:KeyInfo Id="KI-FD02F514C2D45C835B13136725987011">
>     <ns5:SecurityTokenReference xmlns:ns5="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>         <ns5:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">A-WS-2e366482-38f7-4aa5-b0bd-9f2363fcb5b5</ns5:KeyIdentifier>
>     </ns5:SecurityTokenReference>
> </ds:KeyInfo>
>
> ---
>
>
> -Vinay
>
> -----Original Message-----
> From: Daniel Kulp [mailto:[email protected]]
> Sent: Thursday, August 18, 2011 9:25 AM
> To: [email protected]
> Cc: Colm O hEigeartaigh
> Subject: Re: InitiatorSignatureToken
>
> On Thursday, August 18, 2011 1:43:09 PM Colm O hEigeartaigh wrote:
>> Could you try it with CXF 2.4.1? I may have fixed a bug related to this.
>>
>
> Actually, try 2.4.2 if you can.    If you are going to attempt an upgrade,
> jump to the latest.   :-)
>
> Dan
>
>
>> Colm.
>>
>> On Thu, Aug 18, 2011 at 1:31 PM, Penmatsa, Vinay <[email protected]>
> wrote:
>> > CXF 2.4.0
>> >
>> >
>> > -Vinay
>> >
>> >
>> > -----Original Message-----
>> > From: Colm O hEigeartaigh [mailto:[email protected]]
>> > Sent: Thursday, August 18, 2011 8:29 AM
>> > To: [email protected]
>> > Subject: Re: InitiatorSignatureToken
>> >
>> > What version of CXF are you using?
>> >
>> > Colm.
>> >
>> > On Thu, Aug 18, 2011 at 12:53 PM, Penmatsa, Vinay
>> >
>> > <[email protected]> wrote:
>> >> Hi Colm,
>> >> Below is my cxf config client & policy def in the wsdl. The result is
>> >> that the STS token included in the message is not signed by the
>> >> client. Am I missing some policy assertion? I'm getting the error:
>> >> "Caused by: org.apache.cxf.binding.soap.SoapFault: An error was
>> >> discovered processing the <wsse:Security> header". But when I look at
>> >> the message sent, there's no signature that the service expects. When
>> >> I do all this programmatically with action SAML_TOKEN_SIGNED, it
>> >> works fine with the message signed.
>> >>
>> >> -----------
>> >> Client config:
>> >>
>> >> <jaxws:client
>> >>     xmlns:ns1="http://webservice.sap.com"
>> >>     id="samlTokenClient"
>> >>     serviceClass="com.sap.webservice.QueryServiceInterfaceConfigGenPortType"
>> >>     serviceName="ns1:QueryServiceInterfaceConfigGen"
>> >>     endpointName="ns1:QueryServiceInterfaceConfigGenPortSoap11"
>> >>     address="http://localhost:9101/sourcing/services/QueryServiceService.Soap11Endpoint"
>> >>     wsdlLocation="C:/temp/QueryServiceService-policy.xml">
>> >>
>> >>     <jaxws:properties>
>> >>         <entry key="ws-security.signature.properties" value="wss40_client.properties" />
>> >>         <entry key="ws-security.callback-handler" value="com.sap.cxftest.client.ClientPasswordCallback"/>
>> >>
>> >>         <entry key="ws-security.sts.client">
>> >>             <bean class="org.apache.cxf.ws.security.trust.STSClient">
>> >>                 <constructor-arg ref="cxf" />
>> >>                 <property name="requiresEntropy" value="false" />
>> >>                 <property name="wsdlLocation" value="<STS Endpoint>" />
>> >>                 <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}STS" />
>> >>                 <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}UT" />
>> >>                 <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
>> >>                 <property name="keyType" value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey"/>
>> >>                 <property name="properties">
>> >>                     <map>
>> >>                         <entry key="ws-security.username" value="buyer44" />
>> >>                         <entry key="ws-security.password" value="password1" />
>> >>                         <!-- <entry key="ws-security.username" value="wsclient"/> -->
>> >>
>> >>                         <entry key="ws-security.signature.properties" value="wss40_client.properties" />
>> >>                         <entry key="ws-security.encryption.properties" value="wss40_sts.properties" />
>> >>                         <entry key="ws-security.encryption.username" value="sts" />
>> >>                         <entry key="ws-security.sts.token.properties" value="wss40_sts.properties" />
>> >>                         <entry key="ws-security.sts.token.username" value="sts" />
>> >>                     </map>
>> >>                 </property>
>> >>             </bean>
>> >>         </entry>
>> >>     </jaxws:properties>
>> >>
>> >> </jaxws:client>
>> >>
>> >> -----------
>> >> Policy in WSDL:
>> >>
>> >> <wsp:Policy wsu:Id="SAML2Token"
>> >>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> >>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> >>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>> >>     <wsp:ExactlyOne>
>> >>         <wsp:All>
>> >>             <!--wsam:Addressing wsp:Optional="false"> <wsp:Policy/> </wsam:Addressing -->
>> >>             <sp:AsymmetricBinding>
>> >>                 <wsp:Policy>
>> >>                     <sp:InitiatorToken>
>> >>                         <wsp:Policy>
>> >>                             <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>> >>                                 <sp:RequestSecurityTokenTemplate>
>> >>                                     <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
>> >>                                     <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
>> >>                                     <!--t:KeySize>256</t:KeySize-->
>> >>                                 </sp:RequestSecurityTokenTemplate>
>> >>                                 <wsp:Policy>
>> >>                                     <sp:RequireInternalReference />
>> >>                                 </wsp:Policy>
>> >>                             </sp:IssuedToken>
>> >>                         </wsp:Policy>
>> >>                     </sp:InitiatorToken>
>> >>                     <sp:RecipientToken>
>> >>                         <wsp:Policy>
>> >>                             <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>> >>                                 <wsp:Policy>
>> >>                                     <sp:WssX509V3Token10/>
>> >>                                 </wsp:Policy>
>> >>                             </sp:X509Token>
>> >>                         </wsp:Policy>
>> >>                     </sp:RecipientToken>
>> >>                     <sp:Layout>
>> >>                         <wsp:Policy>
>> >>                             <sp:Lax />
>> >>                         </wsp:Policy>
>> >>                     </sp:Layout>
>> >>                     <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>> >>                     </sp:SignedParts>
>> >>                     <sp:OnlySignEntireHeadersAndBody />
>> >>                     <sp:AlgorithmSuite>
>> >>                         <wsp:Policy>
>> >>                             <sp:Basic256 />
>> >>                             <!-- To use the export grade encryption that comes bundled in the JDK,
>> >>                                  comment out the above Basic256 algorithm and uncomment the below Basic128. -->
>> >>                             <!-- <sp:Basic128 /> -->
>> >>                         </wsp:Policy>
>> >>                     </sp:AlgorithmSuite>
>> >>                 </wsp:Policy>
>> >>             </sp:AsymmetricBinding>
>> >>         </wsp:All>
>> >>     </wsp:ExactlyOne>
>> >> </wsp:Policy>
>> >> <wsdl:types>
>> >> -----------
>> >>
>> >>
>> >> -Vinay
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: Colm O hEigeartaigh [mailto:[email protected]]
>> >> Sent: Thursday, August 18, 2011 7:17 AM
>> >> To: [email protected]
>> >> Subject: Re: InitiatorSignatureToken
>> >>
>> >> What does the full policy look like? That fragment looks ok to me.
>> >> What error are you getting? Also, what version of CXF are you using?
>> >>
>> >> Colm.
>> >>
>> >> On Wed, Aug 17, 2011 at 10:36 PM, Penmatsa, Vinay
>> >>
>> >> <[email protected]> wrote:
>> >>> Hi,
>> >>> I'm unable to define the correct policy for SAML_TOKEN_SIGNED. The
>> >>> following gets the STS token and includes it in the request, but
>> >>> now I need to sign the message.
>> >>>
>> >>> <sp:InitiatorToken>
>> >>>     <wsp:Policy>
>> >>>         <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>> >>>             <sp:RequestSecurityTokenTemplate>
>> >>>                 <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
>> >>>                 <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
>> >>>             </sp:RequestSecurityTokenTemplate>
>> >>>             <wsp:Policy>
>> >>>                 <sp:RequireInternalReference />
>> >>>             </wsp:Policy>
>> >>>         </sp:IssuedToken>
>> >>>     </wsp:Policy>
>> >>> </sp:InitiatorToken>
>> >>>
>> >>> I think I've to use InitiatorSignatureToken, but not sure how.
>> >>>
>> >>>
>> >>> Thanks,
>> >>> Vinay
>> >>
>> >> --
>> >> Colm O hEigeartaigh
>> >>
>> >> http://coheigea.blogspot.com/
>> >> Talend - http://www.talend.com
>> >
>> > --
>> > Colm O hEigeartaigh
>> >
>> > http://coheigea.blogspot.com/
>> > Talend - http://www.talend.com
> --
> Daniel Kulp
> [email protected]
> http://dankulp.com/blog
> Talend - http://www.talend.com
>



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com
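A small check for the condition this thread is about, added here as an example and not code from CXF or WSS4J: it parses the KeyInfo fragment posted above, reports a SecurityTokenReference that points at a SAML assertion (KeyIdentifier with the #SAMLID ValueType) but carries no wsse11:TokenType attribute, which is the case the quoted BSPEnforcer branch rejects as invalidTokenType, and shows the STR with the attribute that makes the check pass. Rather than turning off ws-security.is-bsp-compliant on the receiver, a check like this can be run over outbound messages so the producer is fixed instead. The SAML 1.1 branch is the analogous Basic Security Profile rule and is this example's generalization, not something the thread states; the wrapping root element that declares the ds: prefix is constructed so the fragment parses stand-alone.

```python
"""Check a WS-Security SecurityTokenReference (STR) for the wsse11:TokenType
attribute that BSP 1.1 requires when the STR references a SAML assertion.

Added example, not CXF/WSS4J code. The sample KeyInfo is the one posted in
the thread, wrapped in a constructed root element so it parses stand-alone.
"""
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1"
SAMLID_VALUE_TYPE = SAML_PROFILE + "#SAMLID"
# Assertion version -> required wsse11:TokenType value. The 1.1 entry is the
# analogous BSP rule for SAML 1.1 assertions (assumption of this example).
TOKEN_TYPE_BY_VERSION = {
    "2.0": SAML_PROFILE + "#SAMLV2.0",
    "1.1": SAML_PROFILE + "#SAMLV1.1",
}

# KeyInfo as posted in the thread (CXF 2.4.x output), inside a constructed root.
SAMPLE_KEYINFO = f"""
<root xmlns:ds="{DS}">
<ds:KeyInfo Id="KI-FD02F514C2D45C835B13136725987011">
  <ns5:SecurityTokenReference xmlns:ns5="{WSSE}">
    <ns5:KeyIdentifier ValueType="{SAMLID_VALUE_TYPE}">A-WS-2e366482-38f7-4aa5-b0bd-9f2363fcb5b5</ns5:KeyIdentifier>
  </ns5:SecurityTokenReference>
</ds:KeyInfo>
</root>
"""


def find_strs(xml_text):
    """Return every SecurityTokenReference element in the document."""
    root = ET.fromstring(xml_text)
    return root.findall(f".//{{{WSSE}}}SecurityTokenReference")


def references_saml(str_elem):
    """True when the STR uses a KeyIdentifier with the SAML assertion-ID ValueType."""
    key_id = str_elem.find(f"{{{WSSE}}}KeyIdentifier")
    return key_id is not None and key_id.get("ValueType") == SAMLID_VALUE_TYPE


def check_str(str_elem, assertion_version):
    """Return a list of findings; an empty list means the STR passes.

    Mirrors the BSPEnforcer logic quoted in the thread: an STR that references
    a SAML assertion must carry a wsse11:TokenType matching the assertion version.
    """
    if not references_saml(str_elem):
        return []  # not a SAML reference; this rule does not apply
    expected = TOKEN_TYPE_BY_VERSION.get(assertion_version)
    if expected is None:
        return [f"unknown SAML version {assertion_version!r}"]
    actual = str_elem.get(f"{{{WSSE11}}}TokenType")
    if actual is None:
        return [f"invalidTokenType: wsse11:TokenType attribute missing, expected {expected}"]
    if actual != expected:
        return [f"invalidTokenType: got {actual}, expected {expected}"]
    return []


def audit(xml_text, assertion_version="2.0"):
    """Findings per STR, in document order."""
    return [check_str(s, assertion_version) for s in find_strs(xml_text)]


def add_token_type(str_elem, assertion_version):
    """Set the wsse11:TokenType attribute the STR should have carried."""
    str_elem.set(f"{{{WSSE11}}}TokenType", TOKEN_TYPE_BY_VERSION[assertion_version])
    return str_elem


def fixed_xml(xml_text, assertion_version="2.0"):
    """Re-serialise the document with every SAML-referencing STR given the attribute."""
    ET.register_namespace("wsse11", WSSE11)
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("ds", DS)
    root = ET.fromstring(xml_text)
    for s in root.iter(f"{{{WSSE}}}SecurityTokenReference"):
        if references_saml(s):
            add_token_type(s, assertion_version)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for i, findings in enumerate(audit(SAMPLE_KEYINFO)):
        print(f"STR #{i}: {'OK' if not findings else findings}")
    print(fixed_xml(SAMPLE_KEYINFO, "2.0"))
```

Running it against the posted fragment reports the missing attribute for the single STR, then prints the same KeyInfo with wsse11:TokenType set to the SAMLV2.0 value, which is the form the receiver's BSP check accepts without the ws-security.is-bsp-compliant workaround.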
