cxf-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Signing SAML assertions for OWSM policies
Date Wed, 11 Apr 2012 14:03:34 GMT
You need to set SecurityConstants.SELF_SIGN_SAML_ASSERTION to "true"
in your configuration (and define the appropriate CallbackHandler and
crypto property tags). In the message you posted, the ds:SignedInfo only
references #TS-1 (the Timestamp) and #Id-26930486 (the Body); the
saml1:Assertion itself carries no ds:Signature from its issuer, which is
what the OWSM error is reporting. For holder-of-key the receiver relies on
the issuer's signature to trust the key bound in SubjectConfirmation, so
the assertion has to be signed before it is placed in the Security header:

http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup

Colm.

On Wed, Apr 11, 2012 at 2:40 PM, Shwetank <shwetank.s@imaginea.com> wrote:
> Hi
>
> Pardon me if I break a rule or two of the mailing-list guidelines.
> I am looking for help on how to sign a SAML 1.1 assertion with CXF 2.5.2 for
> the holder-of-key confirmation method:
>
> a) an OWSM policy
> wss10_saml_hok_token_with_message_protection_service_policy is applied to a
> test service
> b) the policy and wsdl look like following
>
> <?xml version="1.0"?>
> <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:tns="http://owsm.test.wsa.bf.hs.com/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="POManagerService"
> targetNamespace="http://owsm.test.wsa.bf.hs.com/">
> <wsp:Policy
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> wsu:Id="POManagerPort_Fault_Policy"/>
> <wsp:Policy
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> wsu:Id="POManagerPort_Input_Policy">
> <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
> <sp:Header Name="fmw-context"
> Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
> </sp:SignedParts>
> <sp:EncryptedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> <sp:Header Name="fmw-context"
> Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
> </sp:EncryptedParts>
> </wsp:Policy>
> <wsp:Policy
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> wsu:Id="POManagerPort_Output_Policy">
> <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:SignedParts>
> <sp:EncryptedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:Policy>
> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
> xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
> wsu:Id="wss10_saml_hok_token_with_message_protection_service_policy">
> <sp:AsymmetricBinding
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:SamlToken
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:WssSamlV11Token10/>
> </wsp:Policy>
> </sp:SamlToken>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
> <wsp:Policy>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy/>
> </sp:Wss10>
> </wsp:Policy>
> <types>
> <xsd:schema>
> <xsd:import namespace="http://owsm.test.wsa.bf.hs.com/"
> schemaLocation="http://server:7001/testwebservice/POManagerPort?xsd=1"/>
> </xsd:schema>
> </types>
> <message name="createOrder">
> <part name="parameters" element="tns:createOrder"/>
> </message>
> <message name="createOrderResponse">
> <part name="parameters" element="tns:createOrderResponse"/>
> </message>
> <portType name="POManager">
> <operation name="createOrder">
> <input message="tns:createOrder"/>
> <output message="tns:createOrderResponse"/>
> </operation>
> </portType>
> <binding name="POManagerPortBinding" type="tns:POManager">
> <soap:binding style="document"
> transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsp:PolicyReference
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> URI="#wss10_saml_hok_token_with_message_protection_service_policy"
> wsdl:required="false"/>
> <operation name="createOrder">
> <soap:operation soapAction=""/>
> <input>
> <soap:body use="literal"/>
> <wsp:PolicyReference
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> URI="#POManagerPort_Input_Policy" wsdl:required="false"/>
> </input>
> <output>
> <soap:body use="literal"/>
> <wsp:PolicyReference
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> URI="#POManagerPort_Output_Policy" wsdl:required="false"/>
> </output>
> </operation>
> </binding>
> <service name="POManagerService">
> <port name="POManagerPort" binding="tns:POManagerPortBinding">
> <soap:address location="http://server:7001/testwebservice/POManagerPort"/>
> <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
> <wsa:Address xmlns:wsa="http://www.w3.org/2005/08/addressing">
> http://server:7001/testwebservice/POManagerPort
> </wsa:Address>
> <wsid:Identity
> xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> <dsig:X509Data>
> <dsig:X509Certificate>
> ................
> </dsig:X509Certificate>
> <dsig:X509IssuerSerial>
> <dsig:X509IssuerName>
> .........
> </dsig:X509IssuerName>
> <dsig:X509SerialNumber>-....</dsig:X509SerialNumber>
> </dsig:X509IssuerSerial>
> <dsig:X509SubjectName>
> .......
> </dsig:X509SubjectName>
> </dsig:X509Data>
> </dsig:KeyInfo>
> </wsid:Identity>
> </wsa:EndpointReference>
> </port>
> </service>
> </definitions>
>
>
>
> c) following is message generated by cxf2.5.2 for this policy
>
> <?xml version="1.0"?>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> soap:mustUnderstand="1">
> <wsse:BinarySecurityToken
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> wsu:Id="BC59F58138560D687613341497540725">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</wsse:BinarySecurityToken>
> <wsu:Timestamp wsu:Id="TS-1">
> <wsu:Created>2012-04-11T13:06:42.679Z</wsu:Created>
> <wsu:Expires>2012-04-11T13:11:42.679Z</wsu:Expires>
> </wsu:Timestamp>
> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="EK-BC59F58138560D687613341497540724">
> <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference>
> <wsse:Reference URI="#BC59F58138560D687613341497540725"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>tUjFXfI6BPNO78XzWGThNnCvXloGK001IPwzMiEdz4XAuz86gaCCTJ5+KBVKTsMhGxXOVNaOWTeLo3VzMKYWPA==</xenc:CipherValue>
> </xenc:CipherData>
> <xenc:ReferenceList>
> <xenc:DataReference URI="#ED-3"/>
> </xenc:ReferenceList>
> </xenc:EncryptedKey>
> <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> AssertionID="_BC59F58138560D687613341496647771"
> IssueInstant="2012-04-11T13:07:44.551Z" Issuer="www.oracle.com"
> MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
> <saml1:Conditions NotBefore="2012-04-11T13:07:44.838Z"
> NotOnOrAfter="2012-04-11T13:12:44.838Z"/>
> <saml1:AttributeStatement>
> <saml1:Subject>
> <saml1:NameIdentifier
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> NameQualifier="www.oracle.com">weblogic</saml1:NameIdentifier>
> <saml1:SubjectConfirmation>
> <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509Data>
> <ds:X509Certificate>........................</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </saml1:SubjectConfirmation>
> </saml1:Subject>
> <saml1:Attribute AttributeName="subject-role"
> AttributeNamespace="http://custom-ns">
> <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xsi:type="xs:string">system-user</saml1:AttributeValue>
> </saml1:Attribute>
> </saml1:AttributeStatement>
> </saml1:Assertion>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#TS-1">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>/LPHR8sX+ptPaN8+iZYQxYwffG8=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#Id-26930486">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>ej9eQZSJOyVu6TgV8MO/exfxCeA=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>uBvdcZ7jkAty14s0tdMKGvI4z1lCbWDo2RQEWjJ9t6z9vASoB98l4NeshQz96JWDqpGFgb4wd93/f9ra0Y68xA==</ds:SignatureValue>
> <ds:KeyInfo Id="KI-BC59F58138560D687613341497504882">
> <wsse:SecurityTokenReference
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
> wsu:Id="STR-BC59F58138560D687613341497504923">
> <wsse:KeyIdentifier
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BC59F58138560D687613341496647771</wsse:KeyIdentifier>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Id-26930486">
> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-3"
> Type="http://www.w3.org/2001/04/xmlenc#Content">
> <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
> <wsse:Reference URI="#EK-BC59F58138560D687613341497540724"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>.............................</xenc:CipherValue>
> </xenc:CipherData>
> </xenc:EncryptedData>
> </soap:Body>
> </soap:Envelope>
>
>
> d) and i receive following error from OWSM (oracle web services manager)
>
> Policy compliance failure: Header/Element
> NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must be signed
> [WSM_PolicyName:
> oracle/wss10_saml_hok_token_with_message_protection_service_policy] The
> signed message elements or parts do not comply with the policy.
>
>
> I would like to understand which part of the message is not being signed,
> and why, or how I could sign it.
> I am using the SamlCallbackHandler (supplied with the tests) to add attributes.
>
> The callback handler code follows, in case it helps:
>
> ///////////////////////////////////////////////////////////////////////////////
> /**
>  * Populates each {@code SAMLCallback} with a fixed issuer, subject and
>  * attribute statement. For holder-of-key confirmation methods the subject
>  * also receives a KeyInfo built from the "myprivate" alias (see createKeyInfo).
>  *
>  * NOTE(review): this handler only fills in the assertion content; whether
>  * the assertion itself is signed is decided by the CXF configuration, not
>  * here (see the reply above regarding SELF_SIGN_SAML_ASSERTION).
>  *
>  * @param callbacks callbacks offered by the SAML token builder; only
>  *                  SAMLCallback instances are handled, others are ignored
>  * @throws IOException if createKeyInfo() fails for a holder-of-key subject
>  * @throws UnsupportedCallbackException never thrown by this implementation
>  */
> public void handle(Callback[] callbacks) throws IOException,
> UnsupportedCallbackException {
>    // NOTE(review): the loop body is a single unbraced if; brace it if more
>    // statements are ever added.
>    for (int i = 0; i < callbacks.length; i++)
>      if ((callbacks[i] instanceof SAMLCallback)) {
>        SAMLCallback callback = (SAMLCallback)callbacks[i];
>        // this.saml2 selects SAML 2.0; otherwise the builder's default
>        // version is used (the posted message shows SAML 1.1).
>        if (this.saml2) {
>          callback.setSamlVersion(SAMLVersion.VERSION_20);
>        }
>        // Issuer, subject name and qualifier are hard-coded test fixture values.
>        callback.setIssuer("www.oracle.com");
>        String subjectName = "weblogic";
>        String subjectQualifier = "www.oracle.com";
>
>        SubjectBean subjectBean = new SubjectBean(subjectName,
> subjectQualifier, this.confirmationMethod);
>
>        // Holder-of-key (SAML 1.0 or 2.0 URI): bind the holder's certificate
>        // into SubjectConfirmation so the receiver can match it against the
>        // message signature key.
>        if
> (("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key".equals(this.confirmationMethod))
> ||
> ("urn:oasis:names:tc:SAML:1.0:cm:holder-of-key".equals(this.confirmationMethod)))
> {
>          try
>          {
>            KeyInfoBean keyInfo = createKeyInfo();
>            subjectBean.setKeyInfo(keyInfo);
>          } catch (Exception ex) {
>            // NOTE(review): the cause is dropped; pass ex as the second
>            // constructor argument so the original stack trace survives.
>            throw new IOException("Problem creating KeyInfo: " +
> ex.getMessage());
>          }
>        }
>
>        callback.setSubject(subjectBean);
>
>        AttributeStatementBean attrBean = new AttributeStatementBean();
>        attrBean.setSubject(subjectBean);
>
>        // One attribute "subject-role" = "system-user"; SAML 1.1 needs the
>        // simple name plus a namespace as the qualified name, SAML 2.0 only
>        // the qualified name.
>        AttributeBean attributeBean = new AttributeBean();
>        if (this.saml2) {
>          attributeBean.setQualifiedName("subject-role");
>        } else {
>          attributeBean.setSimpleName("subject-role");
>          attributeBean.setQualifiedName("http://custom-ns");
>        }
>
>  attributeBean.setAttributeValues(Collections.singletonList("system-user"));
>        attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
>
>  callback.setAttributeStatementData(Collections.singletonList(attrBean));
>      }
>  }
>
>  /**
>   * Builds the holder-of-key KeyInfo from the certificate stored under the
>   * "myprivate" alias in the crypto described by "signature.properties".
>   * The certificate is embedded directly (X509_CERT), matching the
>   * ds:X509Certificate seen inside SubjectConfirmation in the posted message.
>   *
>   * @return a KeyInfoBean carrying the first certificate of the alias chain
>   * @throws Exception propagated from the crypto lookup
>   */
>  protected KeyInfoBean createKeyInfo() throws Exception
>  {
>    Crypto crypto = CryptoFactory.getInstance("signature.properties");
>
>    CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
>    cryptoType.setAlias("myprivate");
>    X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
>
>    // NOTE(review): certs is used unchecked; if the alias is absent the
>    // lookup may return null or an empty array and certs[0] would fail with
>    // an NPE/ArrayIndexOutOfBounds instead of a descriptive error — guard
>    // with `if (certs == null || certs.length == 0) throw new IOException(...)`.
>    KeyInfoBean keyInfo = new KeyInfoBean();
>    keyInfo.setCertificate(certs[0]);
>    keyInfo.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.X509_CERT);
>
>    return keyInfo;
>  }
>
> //////////////////////////////////////////////////////////////////////////////
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
