On Friday, August 19, 2011 11:47:26 AM Penmatsa, Vinay wrote:
> Hi Colm,
> I think setting the flag to false is a work around for now, but this should
> be considered a bug. Does it make sense?

If it's generating the SecurityTokenReference without the tokenType attribute, 
then yes, that is a bug.

Throwing an exception if the incoming SecurityTokenReference doesn't have it 
is not a bug.   It's properly enforcing WSI profile compliance.

Dan


> 
> -Vinay
> 
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Thursday, August 18, 2011 11:10 AM
> To: [email protected]
> Subject: Re: InitiatorSignatureToken
> 
> Yes. You can disable this by setting the SecurityConstants tag
> "ws-security.is-bsp-compliant" to "false".
> 
> Colm.
> 
> > On Thu, Aug 18, 2011 at 4:06 PM, Penmatsa, Vinay <[email protected]> wrote:
> > It seems the BSPEnforcer rejects the signature security token reference
> > without this token type attribute:
> > 
> > 
> >        if (assertion.getSaml2() != null
> >                && !WSConstants.WSS_SAML2_TOKEN_TYPE.equals(tokenType)) {
> >            throw new WSSecurityException(
> >                WSSecurityException.INVALID_SECURITY_TOKEN,
> >                "invalidTokenType",
> >                new Object[]{tokenType}
> >            );
> >        }
> > 
> > 
> > -Vinay
> > 
> > 
> > -----Original Message-----
> > From: Penmatsa, Vinay [mailto:[email protected]]
> > Sent: Thursday, August 18, 2011 10:08 AM
> > To: [email protected]
> > Subject: RE: InitiatorSignatureToken
> > 
> > Hi,
> > Thank you very much. That seems to fix the issue with generating the
> > signature. But within the signature, the <SecurityTokenReference> is
> > missing the "TokenType" attribute. How can I get this? I think the
> > expected attribute is
> > wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
> > 
> > ---
> > <ds:KeyInfo Id="KI-FD02F514C2D45C835B13136725987011">
> >   <ns5:SecurityTokenReference
> >       xmlns:ns5="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >     <ns5:KeyIdentifier
> >         ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">A-WS-2e366482-38f7-4aa5-b0bd-9f2363fcb5b5</ns5:KeyIdentifier>
> >   </ns5:SecurityTokenReference>
> > </ds:KeyInfo>
> > 
> > ---
> > 
> > 
> > -Vinay
> > 
> > -----Original Message-----
> > From: Daniel Kulp [mailto:[email protected]]
> > Sent: Thursday, August 18, 2011 9:25 AM
> > To: [email protected]
> > Cc: Colm O hEigeartaigh
> > Subject: Re: InitiatorSignatureToken
> > 
> > On Thursday, August 18, 2011 1:43:09 PM Colm O hEigeartaigh wrote:
> >> Could you try it with CXF 2.4.1? I may have fixed a bug related to
> >> this.
> > 
> > Actually, try 2.4.2 if you can.    If you are going to attempt an
> > upgrade, jump to the latest.   :-)
> > 
> > Dan
> > 
> >> Colm.
> >> 
> >> On Thu, Aug 18, 2011 at 1:31 PM, Penmatsa, Vinay <[email protected]> wrote:
> >> > CXF 2.4.0
> >> > 
> >> > 
> >> > -Vinay
> >> > 
> >> > 
> >> > -----Original Message-----
> >> > From: Colm O hEigeartaigh [mailto:[email protected]]
> >> > Sent: Thursday, August 18, 2011 8:29 AM
> >> > To: [email protected]
> >> > Subject: Re: InitiatorSignatureToken
> >> > 
> >> > What version of CXF are you using?
> >> > 
> >> > Colm.
> >> > 
> >> > On Thu, Aug 18, 2011 at 12:53 PM, Penmatsa, Vinay <[email protected]> wrote:
> >> >> Hi Colm,
> >> >> Below is my cxf config client & policy def in the wsdl. The result is
> >> >> that the STS token is included in the message but is not signed by the
> >> >> client. Am I missing some policy assertion? I'm getting the error:
> >> >> "Caused by: org.apache.cxf.binding.soap.SoapFault: An error was
> >> >> discovered processing the <wsse:Security> header". But when I look at
> >> >> the message sent, there's no signature that the service expects. When
> >> >> I do all this programmatically with action SAML_TOKEN_SIGNED, it
> >> >> works fine with the message signed.
> >> >> 
> >> >> -----------
> >> >> Client config:
> >> >> 
> >> >> <jaxws:client xmlns:ns1="http://webservice.sap.com"
> >> >>     id="samlTokenClient"
> >> >>     serviceClass="com.sap.webservice.QueryServiceInterfaceConfigGenPortType"
> >> >>     serviceName="ns1:QueryServiceInterfaceConfigGen"
> >> >>     endpointName="ns1:QueryServiceInterfaceConfigGenPortSoap11"
> >> >>     address="http://localhost:9101/sourcing/services/QueryServiceService.Soap11Endpoint"
> >> >>     wsdlLocation="C:/temp/QueryServiceService-policy.xml">
> >> >> 
> >> >>     <jaxws:properties>
> >> >>         <entry key="ws-security.signature.properties" value="wss40_client.properties" />
> >> >>         <entry key="ws-security.callback-handler" value="com.sap.cxftest.client.ClientPasswordCallback"/>
> >> >> 
> >> >>         <entry key="ws-security.sts.client">
> >> >>             <bean class="org.apache.cxf.ws.security.trust.STSClient">
> >> >>                 <constructor-arg ref="cxf" />
> >> >>                 <property name="requiresEntropy" value="false" />
> >> >>                 <property name="wsdlLocation" value="<STS Endpoint>" />
> >> >>                 <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}STS" />
> >> >>                 <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}UT" />
> >> >>                 <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
> >> >>                 <property name="keyType" value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey"/>
> >> >>                 <property name="properties">
> >> >>                     <map>
> >> >>                         <entry key="ws-security.username" value="buyer44" />
> >> >>                         <entry key="ws-security.password" value="password1" />
> >> >>                         <!-- <entry key="ws-security.username" value="wsclient"/ -->
> >> >> 
> >> >>                         <entry key="ws-security.signature.properties" value="wss40_client.properties" />
> >> >>                         <entry key="ws-security.encryption.properties" value="wss40_sts.properties" />
> >> >>                         <entry key="ws-security.encryption.username" value="sts" />
> >> >>                         <entry key="ws-security.sts.token.properties" value="wss40_sts.properties" />
> >> >>                         <entry key="ws-security.sts.token.username" value="sts" />
> >> >>                     </map>
> >> >>                 </property>
> >> >>             </bean>
> >> >>         </entry>
> >> >>     </jaxws:properties>
> >> >> 
> >> >> </jaxws:client>
> >> >> 
> >> >> -----------
> >> >> Policy in WSDL:
> >> >> 
> >> >> <wsp:Policy wsu:Id="SAML2Token"
> >> >>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >> >>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >> >>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >> >>   <wsp:ExactlyOne>
> >> >>     <wsp:All>
> >> >>       <!--wsam:Addressing wsp:Optional="false"> <wsp:Policy/> </wsam:Addressing -->
> >> >>       <sp:AsymmetricBinding>
> >> >>         <wsp:Policy>
> >> >>           <sp:InitiatorToken>
> >> >>             <wsp:Policy>
> >> >>               <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >> >>                 <sp:RequestSecurityTokenTemplate>
> >> >>                   <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
> >> >>                   <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
> >> >>                   <!--t:KeySize>256</t:KeySize-->
> >> >>                 </sp:RequestSecurityTokenTemplate>
> >> >>                 <wsp:Policy>
> >> >>                   <sp:RequireInternalReference />
> >> >>                 </wsp:Policy>
> >> >>               </sp:IssuedToken>
> >> >>             </wsp:Policy>
> >> >>           </sp:InitiatorToken>
> >> >>           <sp:RecipientToken>
> >> >>             <wsp:Policy>
> >> >>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >> >>                 <wsp:Policy>
> >> >>                   <sp:WssX509V3Token10/>
> >> >>                 </wsp:Policy>
> >> >>               </sp:X509Token>
> >> >>             </wsp:Policy>
> >> >>           </sp:RecipientToken>
> >> >>           <sp:Layout>
> >> >>             <wsp:Policy>
> >> >>               <sp:Lax />
> >> >>             </wsp:Policy>
> >> >>           </sp:Layout>
> >> >>           <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >> >>           </sp:SignedParts>
> >> >>           <sp:OnlySignEntireHeadersAndBody />
> >> >>           <sp:AlgorithmSuite>
> >> >>             <wsp:Policy>
> >> >>               <sp:Basic256 />
> >> >>               <!-- To use the export grade encryption that comes bundled in the JDK, comment out
> >> >>                    the above Basic256 algorithm and uncomment the below Basic128. -->
> >> >>               <!-- <sp:Basic128 /> -->
> >> >>             </wsp:Policy>
> >> >>           </sp:AlgorithmSuite>
> >> >>         </wsp:Policy>
> >> >>       </sp:AsymmetricBinding>
> >> >>     </wsp:All>
> >> >>   </wsp:ExactlyOne>
> >> >> </wsp:Policy>
> >> >> <wsdl:types>
> >> >> -----------
> >> >> 
> >> >> 
> >> >> -Vinay
> >> >> 
> >> >> 
> >> >> -----Original Message-----
> >> >> From: Colm O hEigeartaigh [mailto:[email protected]]
> >> >> Sent: Thursday, August 18, 2011 7:17 AM
> >> >> To: [email protected]
> >> >> Subject: Re: InitiatorSignatureToken
> >> >> 
> >> >> What does the full policy look like? That fragment looks ok to
> >> >> me.
> >> >> What error are you getting? Also, what version of CXF are you
> >> >> using?
> >> >> 
> >> >> Colm.
> >> >> 
> >> >> On Wed, Aug 17, 2011 at 10:36 PM, Penmatsa, Vinay <[email protected]> wrote:
> >> >>> Hi,
> >> >>> I'm unable to define the correct policy for SAML_TOKEN_SIGNED. The
> >> >>> following gets the STS token and includes it in the request, but
> >> >>> now I need to sign the message.
> >> >>> 
> >> >>> <sp:InitiatorToken>
> >> >>>     <wsp:Policy>
> >> >>>         <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >> >>>             <sp:RequestSecurityTokenTemplate>
> >> >>>                 <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
> >> >>>                 <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
> >> >>>             </sp:RequestSecurityTokenTemplate>
> >> >>>             <wsp:Policy>
> >> >>>                 <sp:RequireInternalReference />
> >> >>>             </wsp:Policy>
> >> >>>         </sp:IssuedToken>
> >> >>>     </wsp:Policy>
> >> >>> </sp:InitiatorToken>
> >> >>> 
> >> >>> I think I have to use InitiatorSignatureToken, but I'm not sure how.
> >> >>> 
> >> >>> 
> >> >>> Thanks,
> >> >>> Vinay
> >> >> 
> >> >> --
> >> >> Colm O hEigeartaigh
> >> >> 
> >> >> http://coheigea.blogspot.com/
> >> >> Talend - http://www.talend.com
> >> > 
> >> > --
> >> > Colm O hEigeartaigh
> >> > 
> >> > http://coheigea.blogspot.com/
> >> > Talend - http://www.talend.com
> > 
> > --
> > Daniel Kulp
> > [email protected]
> > http://dankulp.com/blog
> > Talend - http://www.talend.com
-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
Talend - http://www.talend.com
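As an added example (not code from this thread, from CXF or from WSS4J), here is the WS-I BSP rule that the quoted BSPEnforcer check and Dan's reply are about, applied to a constructed wsse:Security header modelled on the KeyInfo Vinay posted: a SecurityTokenReference that points at a SAML 2.0 assertion must carry wsse11:TokenType set to the SAMLV2.0 URI. The header, the bare saml2:Assertion element, and the validator are constructed for illustration; the namespace URIs are the standard WS-Security and SAML ones.

```python
"""Added example (not WSS4J/CXF code): the BSP rule the BSPEnforcer snippet enforces."""
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11_NS = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_ID_VALUE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"


def check_str_token_type(security_header_xml: str) -> list:
    """Return one message per SecurityTokenReference that points at a SAML 2.0
    assertion without wsse11:TokenType = SAML2_TOKEN_TYPE (mirrors the WSS4J check:
    the requirement only applies when the referenced assertion is SAML 2.0)."""
    root = ET.fromstring(security_header_xml)
    saml2_ids = {a.get("ID") for a in root.iter(f"{{{SAML2_NS}}}Assertion")}
    problems = []
    for str_el in root.iter(f"{{{WSSE_NS}}}SecurityTokenReference"):
        key_id = str_el.find(f"{{{WSSE_NS}}}KeyIdentifier")
        if key_id is None or key_id.get("ValueType") != SAML_ID_VALUE_TYPE:
            continue  # not a SAML KeyIdentifier reference
        ref_id = (key_id.text or "").strip()
        if ref_id not in saml2_ids:
            continue  # SAML 1.1 or unresolvable reference: other rules apply
        token_type = str_el.get(f"{{{WSSE11_NS}}}TokenType")
        if token_type != SAML2_TOKEN_TYPE:
            problems.append(f"STR -> {ref_id}: wsse11:TokenType={token_type!r}, "
                            f"expected {SAML2_TOKEN_TYPE!r}")
    return problems


def sample_header(str_attrs: str) -> str:
    """Constructed wsse:Security header modelled on the KeyInfo posted in the thread;
    str_attrs is spliced into the SecurityTokenReference start tag."""
    assertion_id = "A-WS-2e366482-38f7-4aa5-b0bd-9f2363fcb5b5"  # ID from the posted output
    return f"""<wsse:Security xmlns:wsse="{WSSE_NS}" xmlns:wsse11="{WSSE11_NS}"
      xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2="{SAML2_NS}">
  <saml2:Assertion ID="{assertion_id}" Version="2.0"/>
  <ds:Signature><ds:KeyInfo Id="KI-FD02F514C2D45C835B13136725987011">
    <wsse:SecurityTokenReference {str_attrs}>
      <wsse:KeyIdentifier ValueType="{SAML_ID_VALUE_TYPE}">{assertion_id}</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </ds:KeyInfo></ds:Signature>
</wsse:Security>"""


REPORTED = sample_header("")  # what the client in the thread emitted: no TokenType
COMPLIANT = sample_header(f'wsse11:TokenType="{SAML2_TOKEN_TYPE}"')

if __name__ == "__main__":
    print("reported:", check_str_token_type(REPORTED) or "BSP compliant")
    print("fixed:   ", check_str_token_type(COMPLIANT) or "BSP compliant")
```

Setting "ws-security.is-bsp-compliant" to "false", as suggested in the thread, turns this check off on the receiving side; the header the client produces is still non-compliant until the generator adds the attribute.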
