Hi,
I want to offer clients the possibility to consume a service without an STSClient. In
detail, I mean that the client contacts the STS endpoint with a username token
and receives a SAML2 bearer token.
After that, the client takes the returned SAML2 bearer token and consumes
other services. I configure the STS and implement the service, so I am able to
adapt both.
Moreover, everything works fine if I test with a client that uses an STSClient.
If I test it with SOAPUI, I am able to request a SAML token from the STS.
The SAML assertion is then placed into the header of the service request. After
calling the service with the SAML assertion I receive several errors on the
server side.

org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
        at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:233)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:324)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:171)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:80)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:66)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: SAML signature validation failed
        at org.apache.wss4j.common.saml.SamlAssertionWrapper.verifySignature(SamlAssertionWrapper.java:624)
        at org.apache.wss4j.dom.processor.SAMLTokenProcessor.verifySignatureKeysAndAlgorithms(SAMLTokenProcessor.java:241)
        at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:98)
        at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:344)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:275)
        ... 51 common frames omitted
Caused by: org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful
        at org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl.validate(ApacheSantuarioSignatureValidationProviderImpl.java:79)
        at org.opensaml.xmlsec.signature.support.SignatureValidator.validate(SignatureValidator.java:54)
        at org.apache.wss4j.common.saml.SamlAssertionWrapper.verifySignature(SamlAssertionWrapper.java:622)

At the beginning I disabled pretty print, because I read that pretty print
causes problems when copying and pasting in SOAPUI. Unfortunately, disabling
pretty print did not help.
After that I read the following blog entry:
http://coheigea.blogspot.com/2011/06/custom-token-validation-in-apache-cxf.html

If I understand correctly, under point 3 I have to add a property to my
service endpoint like this:
“ws-security.saml2.validator”, stsTokenValidator()
The “stsTokenValidator” is a defined bean. But I always receive the same
error as above. I am unsure whether I am on the right track by using an STS
token validator.
Does anybody know where I am making a mistake?

I am using CXF 3.1.12 with Java 8.

Regards,
Patrick
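The check that fails in the trace above (SamlAssertionWrapper.verifySignature ending in "Signature cryptographic validation not successful") is plain XML Signature validation of the assertion's ds:Signature. The following is an added example, not code from the original post or from CXF/WSS4J: using only the JDK's javax.xml.crypto.dsig API, it signs a constructed minimal SAML2-shaped assertion the way an STS would, verifies it, then re-serialises it with indentation (as a pretty-printing tool or editor does) and verifies the re-parsed copy, showing that any reformatting between issuance and presentation breaks the signature. The class name, the demo issuer "demo-sts", the subject "alice" and the RSA key pair are all constructed for the demo.

```java
import java.io.*;
import java.security.*;
import java.util.*;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.*;
import javax.xml.crypto.dsig.spec.*;
import javax.xml.parsers.*;
import javax.xml.transform.*;
import javax.xml.transform.dom.*;
import javax.xml.transform.stream.*;
import org.w3c.dom.*;
public class SamlSignatureRoundTrip {
    // Constructed, minimal SAML2-shaped assertion; not taken from the original post.
    static final String ASSERTION = "<saml2:Assertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_demo1\" Version=\"2.0\">"
        + "<saml2:Issuer>demo-sts</saml2:Issuer><saml2:Subject><saml2:NameID>alice</saml2:NameID></saml2:Subject></saml2:Assertion>";
    static final XMLSignatureFactory FAC = XMLSignatureFactory.getInstance("DOM");
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, hence no XXE
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes("UTF-8")));
    }
    // Enveloped RSA-SHA256 signature over the whole assertion, as an STS would add it.
    static void sign(Document doc, PrivateKey key) throws Exception {
        Reference ref = FAC.newReference("", FAC.newDigestMethod(DigestMethod.SHA256, null),
            Collections.singletonList(FAC.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null)), null, null);
        SignedInfo si = FAC.newSignedInfo(FAC.newCanonicalizationMethod(CanonicalizationMethod.EXCLUSIVE,
            (C14NMethodParameterSpec) null), FAC.newSignatureMethod("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", null),
            Collections.singletonList(ref));
        FAC.newXMLSignature(si, null).sign(new DOMSignContext(key, doc.getDocumentElement()));
    }
    // Relying-party check: validate the ds:Signature with the STS public key the service trusts.
    static boolean verify(Document doc, PublicKey key) throws Exception {
        // item(0) is null for an unsigned assertion, so the context constructor rejects it with an NPE
        DOMValidateContext ctx = new DOMValidateContext(key, doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0));
        return FAC.unmarshalXMLSignature(ctx).validate(ctx); // false when a digest or the SignatureValue mismatches
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        Document signed = parse(ASSERTION);
        sign(signed, kp.getPrivate());
        System.out.println("as issued, verifies: " + verify(signed, kp.getPublic()));
        // Re-serialise with indentation, as a pretty-printing tool or editor would, then re-parse the text.
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.INDENT, "yes");
        t.setOutputProperty("{http://xml.apache.org/xslt}indent-amount", "2");
        StringWriter out = new StringWriter(); t.transform(new DOMSource(signed), new StreamResult(out));
        System.out.println("after pretty-printing, verifies: " + verify(parse(out.toString()), kp.getPublic()));
    }
}
```

The added whitespace text nodes change the canonical form of both the referenced assertion and the SignedInfo, so the second check fails exactly as the relying party's WSS4J check does; the same applies to any re-encoding or namespace-prefix change made while moving the token between tools.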