Are you sure you're using the ut_encrypted port? Because the token that is
issued by the STS is encrypted for the WSP and so should appear in the WSC
-> WSP request as an "EncryptedData" structure, whereas in your test-case I
can see the SAML Assertion.

Colm.

On Wed, Jul 18, 2012 at 2:50 PM, Gina Choi <[email protected]> wrote:

> Hi Colm,
>
> <<<
> What error are you seeing? The default value is rsa-1_5 so it shouldn't
> make any difference whether it's specified or not.
> >>>
> No doubt that rsa-1_5 is the default value. When I comment out
> "encryptionProperties", the client sends the following SOAP request to the
> WSP. I abbreviated some parts of the request to save space. The other thing
> that I noticed is that the encryption algorithm for the Body is
> "aes256-cbc" (http://www.w3.org/2001/04/xmlenc#aes256-cbc); I think this is
> because I set the SymmetricKey key size to "256" in the WSP WSDL file.
>
> So, I tried the following combinations, but I am getting the same error
> message ("The signature or decryption was invalid") that I was getting at
> the beginning (the detailed error message is at the end of this email).
>
>     <bean id="encProperties"
>           class="org.apache.cxf.sts.service.EncryptionProperties">
>         <property name="encryptionAlgorithm"
>                   value="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>         <property name="keyWrapAlgorithm"
>                   value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" />
>     </bean>
>
> or
>
>     <bean id="encProperties"
>           class="org.apache.cxf.sts.service.EncryptionProperties">
>         <property name="encryptionAlgorithm"
>                   value="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>         <property name="keyWrapAlgorithm"
>                   value="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>     </bean>
>
>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <Action xmlns="http://www.w3.org/2005/08/addressing"
> ……………………………..
>       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>     </ReplyTo>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                    soap:mustUnderstand="1">
>       <wsu:Timestamp wsu:Id="TS-9">
>         <wsu:Created>2012-07-18T13:27:33.561Z</wsu:Created>
>         <wsu:Expires>2012-07-18T13:32:33.561Z</wsu:Expires>
>       </wsu:Timestamp>
>       <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
>                        xmlns:xs="http://www.w3.org/2001/XMLSchema"
>                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                        AssertionID="_8FD304F766D8EC9F4913426180531752"
>                        IssueInstant="2012-07-18T13:27:33.135Z"
>                        Issuer="DoubleItSTSIssuer" MajorVersion="1" MinorVersion="1"
>                        xsi:type="saml1:AssertionType">
>         <saml1:Conditions NotBefore="2012-07-18T13:27:33.192Z"
>                           NotOnOrAfter="2012-07-18T13:57:33.192Z">
>           <saml1:AudienceRestrictionCondition>
>             <saml1:Audience>https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit</saml1:Audience>
>           </saml1:AudienceRestrictionCondition>
>         </saml1:Conditions>
>         <saml1:AttributeStatement>
>           <saml1:Subject>
>             <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>                                   NameQualifier="http://cxf.apache.org/sts">gchoi</saml1:NameIdentifier>
>             <saml1:SubjectConfirmation>
>               <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
>               <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                 <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>                                    Id="EK-8FD304F766D8EC9F4913426180521881">
>                   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>                   <ds:KeyInfo>
>                     <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                       <ds:X509Data>
> …………………………………………..
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>              wsu:Id="Id-33117811">
>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>                         Id="ED-11" Type="http://www.w3.org/2001/04/xmlenc#Content">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ns3:SecurityTokenReference xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                                     xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>                                     wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
>           <ns3:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">#_8FD304F766D8EC9F4913426180531752</ns3:KeyIdentifier>
>         </ns3:SecurityTokenReference>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue>N2Uccex7TOVh2BpffQu1e0KSyxSp3CAWh0iVkNeQ2FjB4GClOpd56C6zk6p39j5L8n/DoOqbBMmoufG848qQUACKfikmjqfmKQXBcaLZlFYk05BBr5myToUl7FnyJpChLlAJNNdERM2R5Z2eHz1GhYEIm3uS3Xz5UFzX/M0bE9KtaLkhP4CfQWTP/hskcDmg</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </soap:Body>
> </soap:Envelope>
>
>
>
> Following is error message on WSP side.
>
>
> Jul 18, 2012 9:24:55 AM
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> WARNING:
> *org.apache.ws.security.WSSecurityException: The signature or decryption
> was invalid*
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:314)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:172)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
>         at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>         at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>         at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
>         at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
>         at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
>         at
> org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:130)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:221)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:141)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:197)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>         at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>         at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>         at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
>         at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
>         at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> *Caused by: org.apache.xml.security.encryption.XMLEncryptionException:
> Given final block not properly padded*
> Original Exception was javax.crypto.BadPaddingException: Given final block
> not properly padded
>         at
> org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1766)
>         at
> org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1612)
>         at
> org.apache.xml.security.encryption.XMLCipher.decryptElementContent(XMLCipher.java:1650)
>         at
> org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:978)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:312)
>         ... 32 more
> Caused by: javax.crypto.BadPaddingException: Given final block not
> properly padded
>         at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
>         at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
>         at com.sun.crypto.provider.AESCipher.engineDoFinal(DashoA13*..)
>         at javax.crypto.Cipher.doFinal(DashoA13*..)
>         at
> org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1762)
>         ... 36 more
> Jul 18, 2012 9:24:55 AM org.apache.cxf.phase.PhaseInterceptorChain
> doDefaultLogging
> WARNING: Interceptor for {
> http://www.example.org/contract/DoubleIt}DoubleItService has thrown
> exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
> invalid
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:780)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:357)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>         at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>         at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
>         at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
>         at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
>         at
> org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:130)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:221)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:141)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:197)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>         at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>         at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>         at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
>         at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
>         at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> Caused by: org.apache.ws.security.WSSecurityException: The signature or
> decryption was invalid
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:314)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:172)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
>         at
> org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
>         ... 27 more
> *Caused by: org.apache.xml.security.encryption.XMLEncryptionException:
> Given final block not properly padded*
> Original Exception was javax.crypto.BadPaddingException: Given final block
> not properly padded
>         at
> org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1766)
>         at
> org.apache.xml.security.encryption.XMLCipher.decryptElement(XMLCipher.java:1612)
>         at
> org.apache.xml.security.encryption.XMLCipher.decryptElementContent(XMLCipher.java:1650)
>         at
> org.apache.xml.security.encryption.XMLCipher.doFinal(XMLCipher.java:978)
>         at
> org.apache.ws.security.processor.ReferenceListProcessor.decryptEncryptedData(ReferenceListProcessor.java:312)
>         ... 32 more
> Caused by: javax.crypto.BadPaddingException: Given final block not
> properly padded
>         at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
>         at com.sun.crypto.provider.SunJCE_f.b(DashoA13*..)
>         at com.sun.crypto.provider.AESCipher.engineDoFinal(DashoA13*..)
>         at javax.crypto.Cipher.doFinal(DashoA13*..)
>         at
> org.apache.xml.security.encryption.XMLCipher.decryptToByteArray(XMLCipher.java:1762)
>         ... 36 more
> Jul 18, 2012 9:24:55 AM
> org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType
> INFO: Outbound Message
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
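A way to run Colm's check mechanically, as an added example that is not part of this thread, of CXF or of WSS4J: the script below parses a WS-Security envelope with the Python standard library and reports whether the wsse:Security header carries a readable saml1:Assertion or an xenc:EncryptedData, which key-wrap algorithm each xenc:EncryptedKey uses (flagging rsa-1_5, the PKCS#1 v1.5 key transport, where a practitioner would normally prefer rsa-oaep-mgf1p), and whether each xenc:EncryptedData's KeyInfo reference resolves to an Id actually present in the message. The two envelopes it runs on are constructed by hand to mirror the shapes discussed (Gina's plaintext holder-of-key assertion with an rsa-1_5-wrapped proof key and an aes256-cbc Body, and the encrypted-token form Colm describes); the identifiers _A1, EK-1, EK-2, ED-1, ED-token, TS-1 and ExampleSTS are fixture values, and how the encrypted-token fixture references the Body key is an assumption, not CXF's actual layout.

```python
# Added diagnostic (not CXF/WSS4J code): parse a WS-Security envelope and report
# how the STS-issued token and the Body are protected. Fixtures are constructed.
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
}
XENC = NS["xenc"]
RSA_1_5 = XENC + "rsa-1_5"          # PKCS#1 v1.5 key transport (legacy)
RSA_OAEP = XENC + "rsa-oaep-mgf1p"

def _key_reference(enc_data):
    """Id named by the EncryptedData's SecurityTokenReference (KeyIdentifier
    text or Reference/@URI), leading '#' stripped; None if there is none."""
    str_el = enc_data.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        return None
    ki = str_el.find("wsse:KeyIdentifier", NS)
    if ki is not None and ki.text:
        return ki.text.strip().lstrip("#")
    ref = str_el.find("wsse:Reference", NS)
    return ref.get("URI").lstrip("#") if ref is not None and ref.get("URI") else None

def inspect_envelope(xml_text):
    """Token form in the header, key-wrap algorithms, one record per EncryptedData."""
    root = ET.fromstring(xml_text)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:
        raise ValueError("no wsse:Security header")
    # Every Id an EncryptedData could point at: AssertionID, wsu:Id, plain Id.
    ids = {el.get(a) for el in root.iter()
           for a in ("AssertionID", "{%s}Id" % NS["wsu"], "Id") if el.get(a)}
    # Colm's check: an encrypted-token port puts xenc:EncryptedData in the
    # header, not a readable saml1:Assertion.
    if sec.find("saml1:Assertion", NS) is not None:
        token_form = "plaintext"
    elif sec.find("xenc:EncryptedData", NS) is not None:
        token_form = "encrypted"
    else:
        token_form = "absent"
    key_wrap = [ek.find("xenc:EncryptionMethod", NS).get("Algorithm")
                for ek in root.iter("{%s}EncryptedKey" % XENC)]
    enc_data = []
    for ed in root.iter("{%s}EncryptedData" % XENC):
        ref = _key_reference(ed)
        embedded = ed.find("ds:KeyInfo/xenc:EncryptedKey", NS) is not None
        enc_data.append({"id": ed.get("Id"), "key_ref": ref,
                         "algorithm": ed.find("xenc:EncryptionMethod", NS).get("Algorithm"),
                         "key_ref_resolves": embedded or ref in ids})
    return {"token_form": token_form, "key_wrap": key_wrap,
            "legacy_key_wrap": RSA_1_5 in key_wrap, "encrypted_data": enc_data}

# Constructed fixtures; namespaces declared once on the Envelope, dummy CipherValues.
ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" xmlns:xenc="%(xenc)s" xmlns:ds="%(ds)s" xmlns:saml1="%(saml1)s">
 <soap:Header><wsse:Security soap:mustUnderstand="1">
  <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-07-18T13:27:33Z</wsu:Created></wsu:Timestamp>
  {token}
 </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Id-1">
  <xenc:EncryptedData Id="ED-1" Type="%(xenc)sContent">
   <xenc:EncryptionMethod Algorithm="%(xenc)saes256-cbc"/>
   <ds:KeyInfo><wsse:SecurityTokenReference>{body_str}</wsse:SecurityTokenReference></ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </soap:Body>
</soap:Envelope>""" % NS
ENC_KEY = ('<xenc:EncryptedKey Id="{id}"><xenc:EncryptionMethod Algorithm="{alg}"/>'
           '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>')

# Shape in the thread: readable holder-of-key assertion whose proof key is wrapped
# with rsa-1_5, and a Body keyed through a SAMLAssertionID KeyIdentifier.
PLAINTEXT_TOKEN_MSG = ENVELOPE.format(
    token='<saml1:Assertion AssertionID="_A1" Issuer="ExampleSTS" MajorVersion="1" MinorVersion="1">'
          '<saml1:AttributeStatement><saml1:Subject><saml1:SubjectConfirmation>'
          '<saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>'
          '<ds:KeyInfo>' + ENC_KEY.format(id="EK-1", alg=RSA_1_5) + '</ds:KeyInfo>'
          '</saml1:SubjectConfirmation></saml1:Subject></saml1:AttributeStatement></saml1:Assertion>',
    body_str='<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/'
             'oasis-wss-saml-token-profile-1.0#SAMLAssertionID">#_A1</wsse:KeyIdentifier>')

# Shape Colm describes, schematically: the token arrives as EncryptedData for the WSP.
# Referencing the Body key via the EncryptedKey is an assumption of this fixture.
ENCRYPTED_TOKEN_MSG = ENVELOPE.format(
    token='<xenc:EncryptedData Id="ED-token" Type="%sElement">' % XENC
          + '<xenc:EncryptionMethod Algorithm="%saes128-cbc"/><ds:KeyInfo>' % XENC
          + ENC_KEY.format(id="EK-2", alg=RSA_OAEP) + '</ds:KeyInfo>'
          '<xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData>',
    body_str='<wsse:Reference URI="#EK-2"/>')

if __name__ == "__main__":
    for name, msg in (("plaintext token", PLAINTEXT_TOKEN_MSG), ("encrypted token", ENCRYPTED_TOKEN_MSG)):
        print(name, inspect_envelope(msg))
```

Point it at the captured WSC -> WSP request instead of the fixtures to see in one line whether the ut_encrypted port is really in use. It says nothing about key correctness: the "Given final block not properly padded" in the trace above is the usual symptom of AES-CBC decryption with a symmetric key other than the one the Body was encrypted with (or of corrupted ciphertext), and only the WSP's keystore and the STS's encryption target can answer that.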
