Hi Gina,

I merged another fix for this issue to WSS4J
(https://issues.apache.org/jira/browse/WSS-392). Please try again with the
latest WSS4J 1.6.7-SNAPSHOT jar.

Colm.

On Tue, Jun 12, 2012 at 9:05 PM, Gina Choi <[email protected]> wrote:

> Hi Colm,
>
> <<<<
> I've just committed a potential fix for this problem to WSS4J. Could you
> add a dependency in your client pom to WSS4J 1.6.7-SNAPSHOT and let me know
> if it works?
> >>>>
> Thanks for the quick fix. I got past the previous NPE issue with WSS4J
> 1.6.7-SNAPSHOT (I only applied it to the client). Now I am getting a
> WSSecurityException. I have copied the WSP response and error message at
> the bottom of this email for your reference.
> The exception is thrown at line 217 of the
> org.apache.ws.security.str.SignatureSTRParser.java (wss4j-1.6.7-SNAPSHOT.jar)
> class.
>
> AssertionWrapper assertion = SAMLUtil.getAssertionFromKeyIdentifier(secRef,
> strElement, data, wsDocInfo);
>
> Further, it failed at line 105 of the following code, inside
> org.apache.ws.security.saml.SAMLUtil.java (wss4j-1.6.7-SNAPSHOT.jar), from
> line 82 to line 132. It expects the local name of the token
> (xenc:EncryptedData) to equal "Assertion", but the local name is
> "EncryptedData".
>
>
>    public static AssertionWrapper getAssertionFromKeyIdentifier(
>        SecurityTokenReference secRef,
>        Element strElement,
>        RequestData request,
>        WSDocInfo wsDocInfo
>    ) throws WSSecurityException {
>        String keyIdentifierValue = secRef.getKeyIdentifierValue();
>        String type = secRef.getKeyIdentifierValueType();
>        WSSecurityEngineResult result = wsDocInfo.getResult(keyIdentifierValue);
>        AssertionWrapper assertion = null;
>        Element token = null;
>        if (result != null) {
>            assertion =
>                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
>            return assertion;
>        } else {
>            token =
>                secRef.findProcessedTokenElement(
>                    strElement.getOwnerDocument(), wsDocInfo,
>                    request.getCallbackHandler(),
>                    keyIdentifierValue, type
>                );
>            if (token != null) {
>                if (!"Assertion".equals(token.getLocalName())) {
>                    throw new WSSecurityException(
>                        WSSecurityException.FAILURE, "invalidSAMLsecurity"
>                    );
>                }
>                return new AssertionWrapper(token);
>            }
>            token =
>                secRef.findUnprocessedTokenElement(
>                    strElement.getOwnerDocument(), wsDocInfo,
>                    request.getCallbackHandler(), keyIdentifierValue, type
>                );
>
>            if (token == null || !"Assertion".equals(token.getLocalName())) {
>                throw new WSSecurityException(
>                    WSSecurityException.FAILURE, "invalidSAMLsecurity"
>                );
>            }
>            Processor proc = request.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
>            List<WSSecurityEngineResult> samlResult =
>                proc.handleToken(token, request, wsDocInfo);
>            return
>                (AssertionWrapper)samlResult.get(0).get(
>                    WSSecurityEngineResult.TAG_SAML_ASSERTION
>                );
>        }
>    }
>
>
>
>
> ----------------------- Part of client side log -------------------
>
> Jun 12, 2012 2:20:21 PM org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType
> INFO: Inbound Message
> ----------------------------
> ID: 2
> Response-Code: 200
> Encoding: UTF-8
> Content-Type: text/xml;charset=UTF-8
> Headers: {Content-Length=[5284], content-type=[text/xml;charset=UTF-8], Date=[Tue, 12 Jun 2012 18:20:21 GMT], Server=[Apache-Coyote/1.1]}
> Payload:
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <Action xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-21392541">http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse</Action>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-27404023">urn:uuid:14a7ee50-a80b-4e8e-8a24-501a1f27c37f</MessageID>
>     <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-6617884">http://www.w3.org/2005/08/addressing/anonymous</To>
>     <RelatesTo xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-11283244">urn:uuid:c3b2508b-3b8a-4e3b-a3ce-d146073a3fc5</RelatesTo>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
>       <wsu:Timestamp wsu:Id="TS-52"><wsu:Created>2012-06-12T18:20:21.062Z</wsu:Created><wsu:Expires>2012-06-12T18:25:21.062Z</wsu:Expires></wsu:Timestamp>
>       <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:DataReference URI="#ED-54"/></xenc:ReferenceList>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-53">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>           <ds:Reference URI="#Id-13175005"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>1qaC4/pteNP1OxZYGlIaeO9JnNg=</ds:DigestValue></ds:Reference>
>           <ds:Reference URI="#Id-6617884"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>AgU1e6t+Kz/maMvdm+LjtMSOT88=</ds:DigestValue></ds:Reference>
>           <ds:Reference URI="#Id-27404023"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>sn+kmoST3NluP8jcFrre1Z3dLKE=</ds:DigestValue></ds:Reference>
>           <ds:Reference URI="#Id-11283244"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>WmIxk6sQRlvmi0mlXbm1Emm+zg4=</ds:DigestValue></ds:Reference>
>           <ds:Reference URI="#Id-21392541"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>aOhKo4T8h5RibX7oHoA716O0x/4=</ds:DigestValue></ds:Reference>
>           <ds:Reference URI="#TS-52"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>yRbx7ao7zPuxMcVZCHJ07F/seGc=</ds:DigestValue></ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>phUYBjMU8fePqv+08yIBdfS3Gys=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-36455561753DCD790C133952522106235">
>           <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-36455561753DCD790C133952522106236">
>             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-13175005">
>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-54" Type="http://www.w3.org/2001/04/xmlenc#Content">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
>           <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier>
>         </wsse:SecurityTokenReference>
>       </ds:KeyInfo>
>       <xenc:CipherData><xenc:CipherValue>6WkAa0DPtBlT7HPhOof9rz2mAD1d4rC+3ArAav06B2UwZohawM/8ydSrhalqGmkolyFydGLJUah3zo57zZSjt5m+VoctQ9QIbdzdz02ERE34aJe9vF3pmn083obo1ouAOFLlBbkViShYtJi6eO2ir8+N+OBQ8TsJHYf07LUwyHtvjhxh30htbUEyoAWlY1NZfurAGqLmL/4FSWaqyDArYQ==</xenc:CipherValue></xenc:CipherData>
>     </xenc:EncryptedData>
>   </soap:Body>
> </soap:Envelope>
>
> --------------------------------------
>
> Jun 12, 2012 3:18:39 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> WARNING:
> org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
>       at org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:107)
>       at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217)
>       at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:164)
>       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
>       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
>       at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>       at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
>       at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
>       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
>       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>       at $Proxy26.doubleIt(Unknown Source)
>       at client.WSClient.doubleIt(WSClient.java:18)
>       at client.WSClient.main(WSClient.java:11)
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
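
A diagnostic for the failure reported in the quoted message, added here as an example and not code from WSS4J or from either poster: it lists each SAMLAssertionID KeyIdentifier in a response and checks whether a SAML Assertion with that identifier is actually present in the message, matching on namespace as well as local name. The class name, the reduced sample message and the assumed KeyIdentifier/STR/KeyInfo nesting are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SamlKeyIdentifierCheck {
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String SAML_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";
    static final String SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";

    // True only for a SAML 1.1 or 2.0 Assertion (namespace checked, not just local name) with this identifier.
    static boolean isAssertion(Element e, String id) {
        String idAttr = SAML1.equals(e.getNamespaceURI()) ? "AssertionID" : SAML2.equals(e.getNamespaceURI()) ? "ID" : null;
        return idAttr != null && "Assertion".equals(e.getLocalName()) && id.equals(e.getAttribute(idAttr));
    }

    // One line per SAMLAssertionID KeyIdentifier: which element uses it, and whether its target is in the message.
    static String report(Document doc) {
        StringBuilder out = new StringBuilder();
        NodeList refs = doc.getElementsByTagNameNS(WSSE, "KeyIdentifier");
        NodeList assertions = doc.getElementsByTagNameNS("*", "Assertion");
        for (int i = 0; i < refs.getLength(); i++) {
            Element ki = (Element) refs.item(i);
            if (!SAML_ID.equals(ki.getAttribute("ValueType").trim())) continue;
            String id = ki.getTextContent().trim();
            boolean inMessage = false;
            for (int j = 0; j < assertions.getLength(); j++) inMessage |= isAssertion((Element) assertions.item(j), id);
            Node user = ki.getParentNode().getParentNode().getParentNode(); // assumed nesting: STR, KeyInfo, user
            out.append(user.getNodeName() + " -> " + id + (inMessage ? ": assertion in message\n" : ": assertion NOT in message\n"));
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the quoted response reduced to its two SecurityTokenReferences.
        String str = "<wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType='" + SAML_ID
            + "'>_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier></wsse:SecurityTokenReference>";
        String xml = "<s:Envelope xmlns:s='http://schemas.xmlsoap.org/soap/envelope/' xmlns:wsse='" + WSSE
            + "' xmlns:ds='http://www.w3.org/2000/09/xmldsig#' xmlns:xenc='http://www.w3.org/2001/04/xmlenc#'>"
            + "<s:Header><wsse:Security><ds:Signature><ds:KeyInfo>" + str + "</ds:KeyInfo></ds:Signature></wsse:Security></s:Header>"
            + "<s:Body><xenc:EncryptedData><ds:KeyInfo>" + str + "</ds:KeyInfo></xenc:EncryptedData></s:Body></s:Envelope>";
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs in untrusted XML
        Document doc = f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        System.out.print(report(doc));
    }
}
```

On the reduced sample it reports both the `ds:Signature` and the `xenc:EncryptedData` references as pointing at an assertion that is not carried in the message, which matches the logged payload, where no `Assertion` element appears.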
