cxf-dev mailing list archives

From Shwetank <shwetan...@imaginea.com>
Subject Signing SAML assertions for OWSM policies
Date Wed, 11 Apr 2012 13:40:03 GMT
Hi

Apologies in advance if this breaks a mailing-list rule or two.
I am looking for help on how to sign a SAML 1.1 assertion with CXF 2.5.2 for the 
holder-of-key confirmation method:

a) the OWSM policy 
wss10_saml_hok_token_with_message_protection_service_policy is applied 
to a test service
b) the policy and the WSDL look like the following (host names, certificates and DNs elided):

<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/" 
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" 
xmlns:tns="http://owsm.test.wsa.bf.hs.com/" 
xmlns:xsd="http://www.w3.org/2001/XMLSchema" 
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" 
name="POManagerService" targetNamespace="http://owsm.test.wsa.bf.hs.com/">
<!-- WSDL published by the OWSM-protected test service (host name, certificate
     and DN values elided by the poster). The security policies are inlined as
     wsp:Policy elements and attached below via wsp:PolicyReference:
       * POManagerPort_Fault/Input/Output_Policy : per-message SignedParts /
         EncryptedParts
       * wss10_saml_hok_token_with_message_protection_service_policy :
         binding-level AsymmetricBinding (SAML 1.1 holder-of-key initiator
         token, X.509 recipient token, Basic128 suite, timestamp)
     NOTE(review): the WSDL itself (schemaLocation in <types>), the endpoint
     address and the WS-Addressing identity at the bottom are all plain
     http://. A client that takes the service's encryption certificate from a
     WSDL fetched over an untrusted network can be handed a substituted
     certificate; verify or pin the recipient certificate out of band rather
     than trusting this document for it. -->
<!-- Fault policy is empty: no signing or encryption requirement on SOAP
     faults, so faults travel unprotected under this attachment. -->
<wsp:Policy 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
wsu:Id="POManagerPort_Fault_Policy"/>
<!-- Request: Body plus the WS-Addressing headers (2005/08 and 2004/08
     namespaces) and Oracle's fmw-context header must be signed; Body and
     fmw-context must be encrypted. Headers that are absent from a message are
     simply not covered: the CXF request in (c) carries none of these headers,
     so of these parts only the Body ends up signed and encrypted. -->
<wsp:Policy 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
wsu:Id="POManagerPort_Input_Policy">
<sp:SignedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
<sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
<sp:Header Name="fmw-context" 
Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
</sp:SignedParts>
<sp:EncryptedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
<sp:Header Name="fmw-context" 
Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
</sp:EncryptedParts>
</wsp:Policy>
<!-- Response: Body signed and encrypted by the service. -->
<wsp:Policy 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
wsu:Id="POManagerPort_Output_Policy">
<sp:SignedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<sp:EncryptedParts 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
<!-- Binding-level policy (WS-SecurityPolicy 2005/07 vocabulary).
     NOTE(review): there is no sp:ProtectTokens here, yet OWSM rejects the
     request with "Assertion must be signed" (d). OWSM evidently expects the
     SAML token itself to be covered by the message signature, which is what
     ProtectTokens would express; CXF signs only what its effective policy
     asks for, so a local copy of this policy with ProtectTokens (or a
     SignedElements entry for the assertion) is the likely lever on the client
     side. To be confirmed against the CXF 2.5.2 asymmetric-binding handler. -->
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy" 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy" 
xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy" 
wsu:Id="wss10_saml_hok_token_with_message_protection_service_policy">
<sp:AsymmetricBinding 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<!-- Initiator token = the client's SAML 1.1 assertion. Under an
     AsymmetricBinding the initiator token is the signing token, so with a
     holder-of-key assertion the request signature must be produced with the
     key named in the assertion's SubjectConfirmation/KeyInfo (see (c)).
     AlwaysToRecipient: the assertion is carried in every request. -->
<sp:InitiatorToken>
<wsp:Policy>
<sp:SamlToken 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssSamlV11Token10/>
</wsp:Policy>
</sp:SamlToken>
</wsp:Policy>
</sp:InitiatorToken>
<!-- Recipient token = the service's X.509 certificate, to which the client
     wraps the content-encryption key. IncludeToken=Always means the service
     certificate is echoed back in the request as a BinarySecurityToken, which
     is what the BST in (c) appears to be. -->
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<!-- Basic128: AES-128-CBC content encryption, RSA-OAEP key transport, SHA-1
     digests and RSA-SHA1 signatures. The message in (c) uses exactly these.
     SHA-1 is legacy, but it is what this suite mandates; Basic128Sha256 would
     be the stronger choice if the service policy can be changed. -->
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<!-- A wsu:Timestamp is required; being a security header it is signed, which
     gives the receiver its replay window (5 minutes in (c), chosen by the
     client). OnlySignEntireHeadersAndBody: signature references must point at
     whole headers or the Body, never at sub-elements. -->
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy/>
</sp:Wss10>
</wsp:Policy>
<!-- schemaLocation is an unauthenticated http:// fetch; treat it as a hint,
     not a trusted source, when the WSDL is consumed by tooling. -->
<types>
<xsd:schema>
<xsd:import namespace="http://owsm.test.wsa.bf.hs.com/" 
schemaLocation="http://server:7001/testwebservice/POManagerPort?xsd=1"/>
</xsd:schema>
</types>
<message name="createOrder">
<part name="parameters" element="tns:createOrder"/>
</message>
<message name="createOrderResponse">
<part name="parameters" element="tns:createOrderResponse"/>
</message>
<portType name="POManager">
<operation name="createOrder">
<input message="tns:createOrder"/>
<output message="tns:createOrderResponse"/>
</operation>
</portType>
<binding name="POManagerPortBinding" type="tns:POManager">
<soap:binding style="document" 
transport="http://schemas.xmlsoap.org/soap/http"/>
<!-- wsdl:required="false": a client that does not understand the policy may
     ignore it, so enforcement rests entirely on the service side (OWSM), as
     the rejection in (d) demonstrates. -->
<wsp:PolicyReference 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
URI="#wss10_saml_hok_token_with_message_protection_service_policy" 
wsdl:required="false"/>
<operation name="createOrder">
<soap:operation soapAction=""/>
<input>
<soap:body use="literal"/>
<wsp:PolicyReference 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
URI="#POManagerPort_Input_Policy" wsdl:required="false"/>
</input>
<output>
<soap:body use="literal"/>
<wsp:PolicyReference 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" 
URI="#POManagerPort_Output_Policy" wsdl:required="false"/>
</output>
</operation>
</binding>
<service name="POManagerService">
<port name="POManagerPort" binding="tns:POManagerPortBinding">
<soap:address location="http://server:7001/testwebservice/POManagerPort"/>
<!-- WS-Addressing identity: the service's certificate (elided), which a
     client may pick up as the recipient/encryption certificate. See the
     note at the top about trusting it only after out-of-band verification. -->
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address xmlns:wsa="http://www.w3.org/2005/08/addressing">
http://server:7001/testwebservice/POManagerPort
</wsa:Address>
<wsid:Identity 
xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>
................
</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName>
.........
</dsig:X509IssuerName>
<dsig:X509SerialNumber>-....</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName>
.......
</dsig:X509SubjectName>
</dsig:X509Data>
</dsig:KeyInfo>
</wsid:Identity>
</wsa:EndpointReference>
</port>
</service>
</definitions>



c) the following is the request message generated by CXF 2.5.2 for this policy (the certificate inside the assertion and the encrypted Body content are elided; the BinarySecurityToken and the wrapped key are shown as sent):

<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<!-- Request produced by CXF 2.5.2 against the policy in (b). In header order:
       1. BinarySecurityToken : X.509 certificate of the recipient (service),
                                present because RecipientToken is
                                IncludeToken=Always
       2. Timestamp           : 5-minute validity window, signed
       3. EncryptedKey        : AES-128 content key wrapped (RSA-OAEP) to the
                                certificate in 1, used for the Body (ED-3)
       4. saml1:Assertion     : holder-of-key assertion, self-issued by the
                                client's callback handler and carrying no
                                ds:Signature of its own
       5. ds:Signature        : References #TS-1 and #Id-26930486 only, keyed
                                by the assertion (SecurityTokenReference to
                                its AssertionID), i.e. verified with the HoK
                                key in the assertion's SubjectConfirmation
     The OWSM error in (d) follows from 5: the Assertion element is used as the
     key but is not among the signed References. -->
<soap:Header>
<wsse:Security 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

soap:mustUnderstand="1">
<!-- Recipient certificate. Decoding the Base64 gives a self-signed,
     sha1WithRSA, X.509 v1 certificate (no extensions) for
     CN=soabpm-vm, O=pramati, valid 2012-04-10 to 2013-04-10, with a 512-bit
     RSA public key; the 64-byte EncryptedKey CipherValue below matches that
     modulus size, and the 64-byte SignatureValue shows the client's HoK key is
     512-bit as well.
     NOTE(review): RSA-512 is factorable with modest resources, so a content
     key wrapped to it delivers nowhere near the 128-bit strength Basic128
     suggests. Acceptable for a throw-away test VM, must not carry into a real
     deployment (use 2048-bit keys). -->
<wsse:BinarySecurityToken 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"

ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

wsu:Id="BC59F58138560D687613341497540725">MIIB+DCCAaICCQCbeQ7C1MJrOTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wHhcNMTIwNDEwMTI1OTA0WhcNMTMwNDEwMTI1OTA0WjCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1ZwvGTS5gxDgGjoHuaqY9dh26un58rF3YFpuNY6F9JROBooMmbEWAWlvN+kjrEBhoQhTMbnwp8Sa+sPxOI+b8QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAIlGPjJUTytuNsfeIy+dPFAT6XXN6sbiTTcFmhGUtP8q3XJRQCFlMKqFrWP/SVck8PPdH6fSO8EzOLLOYF5dkPQ==</wsse:BinarySecurityToken>
<!-- Signed timestamp: the receiver's replay window is Created..Expires.
     The assertion's IssueInstant (13:07:44) is later than Created (13:06:42),
     so this listing was presumably stitched from more than one run; harmless
     here, but worth knowing if OWSM ever rejects on clock skew. -->
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2012-04-11T13:06:42.679Z</wsu:Created>
<wsu:Expires>2012-04-11T13:11:42.679Z</wsu:Expires>
</wsu:Timestamp>
<!-- Content key wrapped with RSA-OAEP to the BST certificate above;
     ReferenceList ties it to the Body ciphertext (ED-3). -->
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" 
Id="EK-BC59F58138560D687613341497540724">
<xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#BC59F58138560D687613341497540725" 
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>tUjFXfI6BPNO78XzWGThNnCvXloGK001IPwzMiEdz4XAuz86gaCCTJ5+KBVKTsMhGxXOVNaOWTeLo3VzMKYWPA==</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-3"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<!-- Self-issued SAML 1.1 assertion: Issuer, the "weblogic" NameIdentifier and
     the subject-role=system-user attribute are all literals in the client's
     callback handler. Holder-of-key: the SubjectConfirmation KeyInfo carries
     the client's certificate (elided) and the message signature must be made
     with that key.
     NOTE(review): the assertion contains no ds:Signature, so nothing binds
     issuer, subject or role to an authority the service trusts; any party
     that can sign a request could assert "weblogic" with role "system-user".
     Outside a test setup the assertion should come from an STS, and the
     service must verify the issuer signature as well as match the HoK key
     against the message-signing key. CXF 2.5.x can at least self-sign the
     assertion (client property ws-security.self-sign-saml-assertion; confirm
     it is present in 2.5.2), but that only proves key possession, not the
     issuer's authority. -->
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
AssertionID="_BC59F58138560D687613341496647771" 
IssueInstant="2012-04-11T13:07:44.551Z" Issuer="www.oracle.com" 
MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
<saml1:Conditions NotBefore="2012-04-11T13:07:44.838Z" 
NotOnOrAfter="2012-04-11T13:12:44.838Z"/>
<saml1:AttributeStatement>
<saml1:Subject>
<saml1:NameIdentifier 
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" 
NameQualifier="www.oracle.com">weblogic</saml1:NameIdentifier>
<saml1:SubjectConfirmation>
<saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>........................</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</saml1:SubjectConfirmation>
</saml1:Subject>
<saml1:Attribute AttributeName="subject-role" 
AttributeNamespace="http://custom-ns">
<saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" 
xsi:type="xs:string">system-user</saml1:AttributeValue>
</saml1:Attribute>
</saml1:AttributeStatement>
</saml1:Assertion>
<!-- Message signature. Exactly two References: the Timestamp (#TS-1) and the
     Body (#Id-26930486). The assertion (_BC...771) is named in KeyInfo as the
     KEY, via a SAMLAssertionID KeyIdentifier, but is not a signed part, which
     is precisely OWSM's "Assertion must be signed" complaint. Algorithms
     (exc-c14n, rsa-sha1, sha1) follow the Basic128 suite in the policy. -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod 
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>/LPHR8sX+ptPaN8+iZYQxYwffG8=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Id-26930486">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ej9eQZSJOyVu6TgV8MO/exfxCeA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>uBvdcZ7jkAty14s0tdMKGvI4z1lCbWDo2RQEWjJ9t6z9vASoB98l4NeshQz96JWDqpGFgb4wd93/f9ra0Y68xA==</ds:SignatureValue>
<ds:KeyInfo Id="KI-BC59F58138560D687613341497504882">
<wsse:SecurityTokenReference 
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"

wsu:Id="STR-BC59F58138560D687613341497504923">
<wsse:KeyIdentifier 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BC59F58138560D687613341496647771</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<!-- Body content encrypted with AES-128-CBC under the key from EK-...724.
     The signature Reference #Id-26930486 covers this element; whether its
     digest was computed over the plaintext or the ciphertext depends on
     CXF's sign/encrypt ordering, which is not visible in the listing.
     NOTE(review): CBC ciphertext that is not itself under a signature is
     malleable (the 2011 "How to Break XML Encryption" attack). If the digest
     is over the plaintext, the receiver must verify the signature before
     acting on decrypted content and must not report decryption failures
     distinguishably. -->
<soap:Body 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

wsu:Id="Id-26930486">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" 
Id="ED-3" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod 
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference 
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" 
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-BC59F58138560D687613341497540724"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>.............................</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>


d) and I receive the following error from OWSM (Oracle Web Services Manager):

Policy compliance failure: Header/Element 
NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must be signed
[WSM_PolicyName: 
oracle/wss10_saml_hok_token_with_message_protection_service_policy] The 
signed message elements or parts do not comply with the policy.


I would like to understand which part of the message OWSM considers unsigned, why, and how I can get CXF to sign it.
Reading the message against the error: the ds:Signature (SIG-2) references only #TS-1 (the Timestamp) and #Id-26930486 (the Body), so the saml1:Assertion is used as the signing key (via the SecurityTokenReference in KeyInfo) but is not itself among the signed parts; the assertion also carries no signature of its own.
I am using the SamlCallbackHandler supplied with the CXF tests to add the attributes.

The callback handler code follows, in case it helps:

///////////////////////////////////////////////////////////////////////////////
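/**
 * Fills in the {@code SAMLCallback} that WSS4J passes when it builds the
 * client's SAML assertion. The resulting assertion is self-issued: issuer
 * {@code www.oracle.com}, subject {@code weblogic} (qualifier
 * {@code www.oracle.com}), the configured confirmation method, and a single
 * {@code subject-role = system-user} attribute (AttributeNamespace
 * {@code http://custom-ns} for SAML 1.1, a plain qualified name for SAML 2.0).
 * <p>
 * When the confirmation method is holder-of-key (SAML 1.0 or 2.0 URI) the
 * subject additionally carries the KeyInfo from {@link #createKeyInfo()},
 * i.e. the certificate whose private key must then produce the message
 * signature.
 * <p>
 * NOTE(review): nothing here signs the assertion itself, and issuer, subject
 * and role are literals chosen by the client. The token therefore proves
 * possession of the HoK key but says nothing trustworthy about who the holder
 * is; fine for a test client, not for production, where the assertion should
 * be obtained from an STS. Callbacks of other types are ignored rather than
 * rejected, exactly as in the original handler.
 *
 * @param callbacks callbacks supplied by WSS4J; a null array is treated as empty
 * @throws IOException if the HoK KeyInfo cannot be built (the cause is attached)
 * @throws UnsupportedCallbackException declared by the interface; never thrown here
 */
public void handle(Callback[] callbacks) throws IOException,
        UnsupportedCallbackException {
    if (callbacks == null) {
        return;
    }
    // NOTE(review): the SAML version flag and the confirmation-method URI are
    // configured independently; a SAML 1.1 assertion carrying the 2.0 URI (or
    // vice versa) is not detected here.
    boolean holderOfKey =
        "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key".equals(this.confirmationMethod)
        || "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key".equals(this.confirmationMethod);

    for (Callback cb : callbacks) {
        if (!(cb instanceof SAMLCallback)) {
            continue;
        }
        SAMLCallback callback = (SAMLCallback) cb;
        if (this.saml2) {
            callback.setSamlVersion(SAMLVersion.VERSION_20);
        }
        callback.setIssuer("www.oracle.com");

        SubjectBean subjectBean =
            new SubjectBean("weblogic", "www.oracle.com", this.confirmationMethod);
        if (holderOfKey) {
            try {
                subjectBean.setKeyInfo(createKeyInfo());
            } catch (Exception ex) {
                // Same message as before, but keep the original exception as
                // the cause so a keystore/alias problem stays diagnosable.
                // initCause() rather than the two-arg constructor keeps this
                // source-compatible with Java 5.
                IOException ioe =
                    new IOException("Problem creating KeyInfo: " + ex.getMessage());
                ioe.initCause(ex);
                throw ioe;
            }
        }
        callback.setSubject(subjectBean);

        AttributeBean attributeBean = new AttributeBean();
        if (this.saml2) {
            attributeBean.setQualifiedName("subject-role");
        } else {
            // SAML 1.1 attributes are (AttributeName, AttributeNamespace)
            attributeBean.setSimpleName("subject-role");
            attributeBean.setQualifiedName("http://custom-ns");
        }
        attributeBean.setAttributeValues(Collections.singletonList("system-user"));

        // The statement reuses the same subject bean (including its KeyInfo).
        AttributeStatementBean attrBean = new AttributeStatementBean();
        attrBean.setSubject(subjectBean);
        attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
        callback.setAttributeStatementData(Collections.singletonList(attrBean));
    }
}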

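   /**
    * Builds the holder-of-key KeyInfo: the X.509 certificate for alias
    * {@code myprivate} in the keystore described by {@code signature.properties},
    * embedded as a full certificate (CERT_IDENTIFIER.X509_CERT) so the receiver
    * can match the message signature against the assertion's key.
    * <p>
    * NOTE(review): this only selects the certificate; the private key used for
    * the actual signature is resolved elsewhere by CXF/WSS4J and must belong to
    * the same alias, otherwise holder-of-key verification fails at the receiver.
    *
    * @return a KeyInfoBean wrapping the first certificate found for the alias
    * @throws IllegalStateException if the alias resolves to no certificate
    *         (the original code would have failed with a NullPointerException
    *         or ArrayIndexOutOfBoundsException at {@code certs[0]})
    * @throws Exception propagated from the WSS4J Crypto lookup
    */
   protected KeyInfoBean createKeyInfo() throws Exception
   {
     Crypto crypto = CryptoFactory.getInstance("signature.properties");

     CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
     cryptoType.setAlias("myprivate");
     X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
     if (certs == null || certs.length == 0) {
       throw new IllegalStateException(
         "No certificate found for alias 'myprivate' in signature.properties");
     }

     KeyInfoBean keyInfo = new KeyInfoBean();
     keyInfo.setCertificate(certs[0]);
     // setCertIdentifer (sic) is the WSS4J API spelling.
     keyInfo.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.X509_CERT);

     return keyInfo;
   }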

//////////////////////////////////////////////////////////////////////////////


