An interop scenario with Weblogic as service consumer and Apache CXF (on
JBoss) as service provider fails with a "Referenced security token could not
be retrieved" error.
The referenced security token (SAML assertion) is in place (Reference
"#_0x1f0b85b073c1b3ef9ff63f003b319270"), but CXF cannot resolve it.

Stacktrace:
09:00:25,035 WARNING [org.apache.cxf.phase.PhaseInterceptorChain] Interceptor for SAML2TestService#doit has thrown exception, unwinding now:
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was invalid
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:804) [jbossweb-7.0.13.Final.jar:]
...
Caused by: org.apache.ws.security.WSSecurityException: The signature or decryption was invalid
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:407) [wss4j.jar:1.6.7]
        at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:197) [wss4j.jar:1.6.7]
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) [wss4j.jar:1.6.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
        ... 26 more
Caused by: javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException: org.apache.ws.security.WSSecurityException: Referenced security token could not be retrieved (Reference "#_0x1f0b85b073c1b3ef9ff63f003b319270")
        at org.apache.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:543) [xmlsec.jar:1.5.2]
        at org.apache.jcp.xml.dsig.internal.dom.DOMReference.validate(DOMReference.java:384) [xmlsec.jar:1.5.2]
        at org.apache.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:267) [xmlsec.jar:1.5.2]
        at org.apache.ws.security.processor.SignatureProcessor.verifyXMLSignature(SignatureProcessor.java:380) [wss4j.jar:1.6.7]
        ... 29 more
Caused by: javax.xml.crypto.dsig.TransformException: org.apache.ws.security.WSSecurityException: Referenced security token could not be retrieved (Reference "#_0x1f0b85b073c1b3ef9ff63f003b319270")
        at org.apache.ws.security.transform.STRTransform.transformIt(STRTransform.java:274) [wss4j.jar:1.6.7]
        at org.apache.ws.security.transform.STRTransform.transform(STRTransform.java:127) [wss4j.jar:1.6.7]
        at org.apache.jcp.xml.dsig.internal.dom.DOMTransform.transform(DOMTransform.java:166) [xmlsec.jar:1.5.2]
        at org.apache.jcp.xml.dsig.internal.dom.DOMReference.transform(DOMReference.java:458) [xmlsec.jar:1.5.2]
        ... 32 more
Caused by: org.apache.ws.security.WSSecurityException: Referenced security token could not be retrieved (Reference "#_0x1f0b85b073c1b3ef9ff63f003b319270")
        at org.apache.ws.security.message.token.SecurityTokenReference.getTokenElement(SecurityTokenReference.java:235) [wss4j.jar:1.6.7]
        at org.apache.ws.security.transform.STRTransformUtil.dereferenceSTR(STRTransformUtil.java:69) [wss4j.jar:1.6.7]
        at org.apache.ws.security.transform.STRTransform.transformIt(STRTransform.java:200) [wss4j.jar:1.6.7]
        ... 35 more


SOAP message:
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
    <S:Header>
        ...
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            S:mustUnderstand="1">
            ...
            <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
                <dsig:SignedInfo>
                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                    <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
                    <dsig:Reference URI="#str_rF7CzO4LdKFt5zs6">
                        <dsig:Transforms>
                            <dsig:Transform
                                Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <wsse:TransformationParameters>
                                    <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                                </wsse:TransformationParameters>
                            </dsig:Transform>
                        </dsig:Transforms>
                        <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
                        <dsig:DigestValue>iRkzoWPRp+m7x3v9JqX3Q/HdqYU=</dsig:DigestValue>
                    </dsig:Reference>
                    ...
                </dsig:SignedInfo>
                <dsig:SignatureValue>...</dsig:SignatureValue>
                <dsig:KeyInfo>...</dsig:KeyInfo>
            </dsig:Signature>
            <saml:Assertion
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_0x1f0b85b073c1b3ef9ff63f003b319270"
                IssueInstant="2012-11-15T08:00:24.879Z"
                Version="2.0">
                ...
            </saml:Assertion>
            <wsse:SecurityTokenReference
                TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
                wsu:Id="str_rF7CzO4LdKFt5zs6">
                <wsse:Reference URI="#_0x1f0b85b073c1b3ef9ff63f003b319270" />
            </wsse:SecurityTokenReference>
            <wsu:Timestamp>
                ...
            </wsu:Timestamp>
        </wsse:Security>
    </S:Header>
    <S:Body>
        ...
    </S:Body>
</S:Envelope>


What I see is a difference between Weblogic and CXF generated
SecurityTokenReference referencing the SAML assertion.
Is this the issue and how could it be resolved? Any suggestions appreciated.

Weblogic:
<wsse:SecurityTokenReference
    TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
    wsu:Id="str_rF7CzO4LdKFt5zs6">
    <wsse:Reference URI="#_0x1f0b85b073c1b3ef9ff63f003b319270" />
</wsse:SecurityTokenReference>

CXF:
<wsse:SecurityTokenReference
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
    wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
    wsu:Id="STR-C4F98A4E3E98FE682A135290662529414">
    <wsse:KeyIdentifier
        ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_C4F98A4E3E98FE682A135290662529213</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>




--
View this message in context: 
http://cxf.547215.n5.nabble.com/Signature-Interop-Issue-Weblogic-Apache-CXF-tp5718487.html
Sent from the cxf-user mailing list archive at Nabble.com.
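A small diagnostic for the reference chain the post describes, added here as an example; it is not part of the original message, of CXF or of WSS4J. It walks dsig:Reference/@URI to the wsse:SecurityTokenReference and then to the token, accepting both STR styles shown above (wsse:Reference/@URI as WebLogic emits, and wsse:KeyIdentifier with the SAMLID ValueType as CXF emits), and reports whether each hop resolves against the IDs actually present in the header. The sample envelope is constructed from the post's message with the elided parts dropped; the wsu namespace URI and the function names are assumptions.

```python
"""Check that an STR-Transform signature reference can be dereferenced.

Added diagnostic (not CXF/WSS4J code). Chain checked:
  dsig:Reference/@URI -> wsse:SecurityTokenReference/@wsu:Id
  -> wsse:Reference/@URI  or  wsse:KeyIdentifier[SAMLID]  -> saml:Assertion/@ID
"""
import xml.etree.ElementTree as ET

NS = {
    "S": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    # wsu URI assumed (the post elides the declaration)
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "dsig": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
WSU_ID = "{%s}Id" % NS["wsu"]


def _index_ids(root):
    """Map every wsu:Id / ID / Id attribute value in the document to its element."""
    index = {}
    for el in root.iter():
        for attr in (WSU_ID, "ID", "Id"):
            if el.get(attr):
                index[el.get(attr)] = el
    return index


def str_target_id(str_el):
    """Return (token id, STR style) for the two STR styles seen in the thread."""
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None and ref.get("URI", "").startswith("#"):
        return ref.get("URI")[1:], "Reference/@URI"
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is not None and kid.get("ValueType") == SAMLID:
        return (kid.text or "").strip(), "KeyIdentifier/SAMLID"
    return None, None


def resolve_str_references(envelope_xml):
    """For each signed Reference using STR-Transform, report how far it resolves."""
    root = ET.fromstring(envelope_xml)
    ids = _index_ids(root)
    results = []
    for ref in root.iterfind(".//dsig:Signature/dsig:SignedInfo/dsig:Reference", NS):
        algs = [t.get("Algorithm") for t in ref.iterfind("dsig:Transforms/dsig:Transform", NS)]
        if STR_TRANSFORM not in algs:
            continue  # only STR-Transform references go through token dereferencing
        uri = ref.get("URI", "")
        str_el = ids.get(uri[1:]) if uri.startswith("#") else None
        result = {"reference": uri, "str_found": str_el is not None,
                  "style": None, "token_id": None, "token_found": False, "token_tag": None}
        if str_el is not None:
            token_id, style = str_target_id(str_el)
            token = ids.get(token_id) if token_id else None
            result.update(style=style, token_id=token_id,
                          token_found=token is not None,
                          token_tag=token.tag if token is not None else None)
        results.append(result)
    return results


# Constructed sample modelled on the post's message; body and KeyInfo elided.
def build_envelope(str_inner, assertion_id="_0x1f0b85b073c1b3ef9ff63f003b319270"):
    return f"""<S:Envelope xmlns:S="{NS['S']}">
 <S:Header>
  <wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}" S:mustUnderstand="1">
   <dsig:Signature xmlns:dsig="{NS['dsig']}">
    <dsig:SignedInfo>
     <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
     <dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
     <dsig:Reference URI="#str_rF7CzO4LdKFt5zs6">
      <dsig:Transforms><dsig:Transform Algorithm="{STR_TRANSFORM}"/></dsig:Transforms>
      <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <dsig:DigestValue>iRkzoWPRp+m7x3v9JqX3Q/HdqYU=</dsig:DigestValue>
     </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>elided</dsig:SignatureValue>
   </dsig:Signature>
   <saml:Assertion xmlns:saml="{NS['saml']}" ID="{assertion_id}" Version="2.0"/>
   <wsse:SecurityTokenReference wsu:Id="str_rF7CzO4LdKFt5zs6">{str_inner}</wsse:SecurityTokenReference>
  </wsse:Security>
 </S:Header>
 <S:Body/>
</S:Envelope>"""


WEBLOGIC_STR = '<wsse:Reference URI="#_0x1f0b85b073c1b3ef9ff63f003b319270"/>'
CXF_STR = f'<wsse:KeyIdentifier ValueType="{SAMLID}">_0x1f0b85b073c1b3ef9ff63f003b319270</wsse:KeyIdentifier>'

if __name__ == "__main__":
    for label, inner in (("weblogic", WEBLOGIC_STR), ("cxf", CXF_STR)):
        print(label, resolve_str_references(build_envelope(inner)))
```

If every hop resolves on the wire message yet WSS4J still raises "Referenced security token could not be retrieved", the ID wiring is not the problem and attention moves to how the receiving stack dereferences that STR style; if a hop fails here, the message itself is inconsistent and the sender's STR construction is the thing to look at.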
