cxf-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: CXF WSS4J signature validation problem.
Date Fri, 21 Dec 2012 10:45:51 GMT
The problem is that the "ws-security.signature.validator" configuration tag
controls the Validator instance for a standalone Signature Element in the
security header, and not the trust validation for a signed SAML Token,
which has an internal (embedded) Signature.

What you need to do is to set either "ws-security.saml1.validator" or
"ws-security.saml2.validator" (see here:
http://cxf.apache.org/docs/ws-securitypolicy.html) to a custom SAML Token
Validator that is based on the default SamlAssertionValidator, but wraps
your custom Signature Validator for trust verification.

Colm.

On Thu, Dec 20, 2012 at 8:05 PM, mw4forums@gmail.com <mw4forums@gmail.com> wrote:

> I got this spun up but CXF doesn't seem to be acknowledging that I have
> provided a custom interceptor. I use spring to provision endpoints, here is
> an excerpt of my service definition:
>
>   <jaxws:properties>
>     <entry key="ws-security.callback-handler"
>            value="gov.hhs.fha.nhinc.callback.cxf.CXFSAMLCallbackHandler" />
>     <entry key="ws-security.signature.properties"
>            value="keystore.properties" />
>     <entry key="ws-security.encryption.properties"
>            value="truststore.properties" />
>     <entry key="ws-security.signature.validator">
>       <bean class="gov.hhs.fha.nhinc.callback.cxf.CONNECTSignatureTrustValidator" />
>     </entry>
>   </jaxws:properties>
>
> However when I receive a web service message, I get the following
> stacktrace:
>
> [#|2012-12-20T14:49:02.901-0500|WARNING|glassfish3.1.2|org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor|_ThreadID=106;_ThreadName=Thread-2;|org.apache.ws.security.WSSecurityException:
> The security token could not be authenticated or authorized
>         at org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:86)
>         at org.apache.ws.security.validate.SamlAssertionValidator.verifySignedAssertion(SamlAssertionValidator.java:121)
>         at org.apache.ws.security.validate.SamlAssertionValidator.validate(SamlAssertionValidator.java:100)
>         at org.apache.ws.security.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:188)
>         at org.apache.ws.security.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:78)
>         at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:273)
>         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>
> It doesn't appear that my custom validator is being invoked. Any thoughts?



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
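The wrapping Colm describes, written out as an added example (not code from the thread or from CXF/WSS4J): a SAML token validator that keeps the default SamlAssertionValidator behaviour but hands the trust check on the assertion's embedded Signature to the poster's own CONNECTSignatureTrustValidator, together with the Spring entry that registers it. It assumes the WSS4J 1.6 API of the time (AssertionWrapper.getSignatureKeyInfo, Credential) and that CONNECTSignatureTrustValidator implements org.apache.ws.security.validate.Validator; a SAML 1.1 deployment would register the same class under ws-security.saml1.validator instead.

```java
// Added example: SAML token validator that reuses the default assertion
// checks but delegates the signature trust decision to a custom validator.
// Assumes WSS4J 1.6-era API and that CONNECTSignatureTrustValidator
// implements org.apache.ws.security.validate.Validator.
package gov.hhs.fha.nhinc.callback.cxf;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.saml.SAMLKeyInfo;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.SamlAssertionValidator;
import org.apache.ws.security.validate.Validator;

public class CONNECTSamlAssertionValidator extends SamlAssertionValidator {

    // The custom trust validator that ws-security.signature.validator never
    // reached for a signed SAML token (it only covers a standalone Signature).
    private final Validator signatureTrustValidator = new CONNECTSignatureTrustValidator();

    @Override
    protected void verifySignedAssertion(AssertionWrapper assertion, RequestData data)
            throws WSSecurityException {
        // Key material the assertion's enveloped Signature was verified with;
        // a signed assertion with no resolvable KeyInfo is rejected outright.
        SAMLKeyInfo samlKeyInfo = assertion.getSignatureKeyInfo();
        if (samlKeyInfo == null) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
        }
        // Build the same Credential the default implementation passes to
        // SignatureTrustValidator, then let the custom validator decide trust.
        Credential trustCredential = new Credential();
        trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
        trustCredential.setCertificates(samlKeyInfo.getCerts());
        trustCredential.setAssertion(assertion);
        signatureTrustValidator.validate(trustCredential, data);
    }
}

/* Matching Spring change: replace the ws-security.signature.validator entry
   in <jaxws:properties> with the SAML token validator key.

   <entry key="ws-security.saml2.validator">
       <bean class="gov.hhs.fha.nhinc.callback.cxf.CONNECTSamlAssertionValidator" />
   </entry>
*/
```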
