cxf-dev mailing list archives

From dthomas <deepak...@gmail.com>
Subject Question on signature confirmation in the security header
Date Wed, 02 Dec 2015 23:09:53 GMT
I have 2 codebases. They are identical except that one uses the reference
JAX-WS implementation. The other uses CXF + Wss4j.

I'm seeing a difference in the security header created by each codebase. The
JAX-WS RI creates a <security> element with 2 <signature> elements within
it. 

The codebase that uses CXF+wss4j only adds a single <signature> element.
Based on what I found by googling, I think the 2nd signature element is
supposed to be the signature confirmation.

The server expects the signature confirmation and hence rejects the request
in the case of CXF + Wss4j.

Is this expected? 

JAX-WS reference implementation
========================

<ns3:Security xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns4="http://www.w3.org/2005/08/addressing"
xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"
xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"
xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation"><ns2:Timestamp
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns4="http://www.w3.org/2005/08/addressing"
xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"
xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"
xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
ns2:Id="_a199e922-5238-46ca-a93a-f73db181e918"><ns2:Created>2015-11-29T19:40:02.949Z</ns2:Created><ns2:Expires>2015-11-29T19:50:02.949Z</ns2:Expires></ns2:Timestamp><saml2:Assertion
xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_a5ccb73a-7337-407a-b4c3-a66f2baeacb2"
IssueInstant="2015-11-29T19:39:58.983Z" Version="2.0"><saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://funk.rtp.netapp.com/websso/SAML2/Metadata/vsphere.local</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod><ds:Reference
URI="#_a5ccb73a-7337-407a-b4c3-a66f2baeacb2"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs
xsi"></ec:InclusiveNamespaces></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod><ds:DigestValue>6562VNOEAQW4Q7giAAQDaMvsJE31Tr0dKHI8EIOP6Jo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>irRr1jA1PsMefSifkBw5K8UvBWiqpEbTJGFcOtU/sPHrSp2xLvgv8Qrnv5RuFMDbq9u4e1s1bII1
INjkTbK8XDhjvO32YDrpK9ywH5lWi6NYWCUOc31ZJe41s+ooikCrdWDnUAjNesxaqVaovO4aYexS
S7hitB/ms6KuizkwwdocYt2tSBNNwa9Xjw0dsHzSdmMLaUXauOR3dDC/EwLODTd4uvQqVkRPOKYG
oMDXndOC1QFeFphvnZvEgpITF4TPSWQUI7B9nAPDWeZIOUhJovJ2MxWNfGF+XrfBwnMxnGee3gp8
vrwhCDI3wLcs+ndX3Z92F5ga8Xl3uWI4z66KBQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDcjCCAlqgAwIBAgIJANBWyluWaMVFMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw...</ds:X509Certificate><ds:X509Certificate>MIIDmDCCAoCgAwIBAgIJANl71jMO0URHMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="http://schemas.xmlsoap.org/claims/UPN">Administrator@VSPHERE.LOCAL</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:SubjectConfirmationData
xsi:type="saml2:KeyInfoConfirmationDataType"><ds:KeyInfo
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data><ds:X509Certificate>MIIChTCCAe6gAwIBAgIIOZzLxyu+aoIwDQYJKoZIhvcNAQEFBQAwgYQxCzAJBgNVBAYTAlVTMRMw...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2015-11-29T19:39:57.916Z"
NotOnOrAfter="2015-11-29T20:09:57.916Z"><saml2:ProxyRestriction
Count="10"></saml2:ProxyRestriction><saml2:Condition
xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" Count="10"
xsi:type="rsa:RenewRestrictionType"></saml2:Condition></saml2:Conditions><saml2:AuthnStatement
AuthnInstant="2015-11-29T19:39:58.981Z"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute
FriendlyName="surname"
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xsi:type="xs:string">vsphere.local</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
FriendlyName="givenName"
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xsi:type="xs:string">Administrator</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
FriendlyName="Subject Type"
Name="http://vmware.com/schemas/attr-names/2011/07/isSolution"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xsi:type="xs:string">false</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
FriendlyName="Groups"
Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"><saml2:AttributeValue
xsi:type="xs:string">vsphere.local\Users</saml2:AttributeValue><saml2:AttributeValue
xsi:type="xs:string">vsphere.local\Administrators</saml2:AttributeValue><saml2:AttributeValue
xsi:type="xs:string">vsphere.local\CAAdmins</saml2:AttributeValue><saml2:AttributeValue
xsi:type="xs:string">vsphere.local\ComponentManager.Administrators</saml2:AttributeValue><saml2:AttributeValue
xsi:type="xs:string">vsphere.local\SystemConfiguration.Administrators</saml2:AttributeValue><saml2:AttributeValue
xsi:type="xs:string">vsphere.local\LicenseService.Administrators</saml2:AttributeValue><saml2:AttributeValue
xsi:type="xs:string">vsphere.local\Everyone</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>


####see below 2nd signature element #############
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod><ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"></ds:SignatureMethod><ds:Reference
URI="#_60b8ff8d-e1b7-48f0-a3ea-43a5b2fd537e"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"></ds:DigestMethod><ds:DigestValue>V7sztgOZVF5LUSkR4aJJ7cX9X4UzAUpF3661NCKOs4puRIMiNIXJlrLVQIeS5YXPpme3sf89Xk8B
aAJD7kt+zA==</ds:DigestValue></ds:Reference><ds:Reference
URI="#_a199e922-5238-46ca-a93a-f73db181e918"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"></ds:DigestMethod><ds:DigestValue>QNGwQjyLO3jjAUlcok7jnlVN/IV7Kxrh17rs/7yRxuCsJpkydeBEfEDoXDXLG6/2rK09HDibWnCO
lNKwJ8x5KQ==</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>AkBK81uTZXlCWkiKFTcGygLLI1WgaFv88zzfd0q/fUxy7arwg1HAehEaJASFOzRXbQj+H6JZ+3IY
QJ4W1jG5A20ARuydx7uOh/pOSoT13pKk0loImSWAcBu3wpvUIFDUHFhVYbXtahHwtK7/NYyUfSnv
rBLJghFdfyzaudckLR0=</ds:SignatureValue><ds:KeyInfo><ns3:SecurityTokenReference
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:ns4="http://www.w3.org/2005/08/addressing"
xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"
xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"
xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"><ns3:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_a5ccb73a-7337-407a-b4c3-a66f2baeacb2</ns3:KeyIdentifier></ns3:SecurityTokenReference></ds:KeyInfo></ds:Signature>

</ns3:Security>


CXF + WSS4j
==========

<ns3:Security
xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:ns4="http://www.w3.org/2005/08/addressing"
xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"
xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"
xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"
xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation">
<ns2:Timestamp ns2:Id="fsfdsfsfs">
<ns2:Created>2015-12-01T18:57:08.814Z</ns2:Created>
<ns2:Expires>2015-12-01T19:07:08.814Z</ns2:Expires>
</ns2:Timestamp>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
ID="_50e38388-dbda-4843-9cd1-23730bd65502"
IssueInstant="2015-12-01T18:56:52.609Z" Version="2.0">
<saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://funk.rtp.netapp.com/websso/SAML2/Metadata/vsphere.local</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod
Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#_50e38388-dbda-4843-9cd1-23730bd65502">
<ds:Transforms>
<ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs xsi"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>6IQ6ekeoHmJQHNdnaKYFEgw2UBthqumyFYGG49ltvVg=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>pTU4jM27A6HIIm8tFa/kXRn7jIaQDjUE6Z9yjAatr5FuCQRpZYm9IhvvptGp2jKRrdfV3/MoNpAR
aigFdz5t/uf5fBapHhdTYgqqKGg7BFtWQghruWKYmL0OLxCb3AMDHslqbQwckFQnFFygkUQfi7t5
XF/LHM94gJiNsXuaUi3AZ11o7PDXPqAKwMVTS93DKGIrsK7WSw/Iok+F9yIYPUJ/ejFkcbnkg91e
pw7MhP+EH2hjQkpYk0Alx20n5NVV1zXT7LG4niONwwNzBP98W3BE0cV93ZLdLhph7zACKdhlEvjD
rDSvSF95Ty01bSKrZxFXXTwJoRIimi+Ns0M4RA==</ds:SignatureValue>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>MIIDcjCCAlqgAwIBAgIJANBWyluWaMVFMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw...</ds:X509Certificate>
<ds:X509Certificate>MIIDmDCCAoCgAwIBAgIJANl71jMO0URHMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw
FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjQxNTAzMjlaFw0yNTEwMjEx
NTAzMjlaMGgxCzAJBgNVBAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT
8ixkARkWBWxvY2FsMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTq9IGaJfEUwWW+rO/9DO8F4wg+lnRGVUNk
pV4YILwfLiAnGF9A/rjumXiMCtc//soxJmI024A5k7PeVPUrkafSjRt7KioM5WzNtOU1OdesLsLA
cHaZTU9XaNJ1+0k0SpQT/i7KzVFXPe54tM3SLhsdnjOeQfbCVYwBP+rARvoqz8vD2Ao+1VOLYqmp
YPnsJimkgqmgNG93wybJWdyr5EXDeMcMw6V6sJOjfvGfTd+HOI3Sq7iw3jIUFE3JvnPve6dltNw+
+2kSZtjIOcHE4fbuRoRUxUMgWnbJn/tvpgnkINf67+RQQRgEsE5CtWMICEO74hyC41K2IL3BbHwP
jsUCAwEAAaNFMEMwHQYDVR0OBBYEFDORji805q0uzKJH0gRzao79LG5gMA4GA1UdDwEB/wQEAwIB
BjASBgNVHRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQAYmkUedlcvX0+lGWYXCUXL
qocza0ZEpY/UV5Z7j6NVAToOV1pENtHKPjfCAe1aJKu+QpG1mltpMK5GBwLkkAqQPqBhQZfu84zS
gcCEKhWNu0oCr1feZu8SOiddQdxQWIYLuwoB+Zvov0DOEB1ItETlRmMmuf1GRn29h+3UQfF83RrI
ua73AXxJgozXI4qBfdGe/cUKT5NsBPOJeDJDZW5apv8mUj/35Z1Y8+8Qx7RIwEZnqjU3B1Zqs+ZQ
KCuzjM31yPkJEby/a5aoPLaHHXVGIL6GN/erko3KxpJxar9TkmeULa2CBwh0hU4cQ4IFXExiNyRH
dtL/iT0sE0nXET7g</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</ds:Signature>
<saml2:Subject>
<saml2:NameID
Format="http://schemas.xmlsoap.org/claims/UPN">Administrator@VSPHERE.LOCAL</saml2:NameID>
<saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIChjCCAe+gAwIBAgIJAOpdwhw5314wMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYDVQQGEwJVUzET
MBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJUGFsbyBBbHRvMRUwEwYDVQQKEwxWTXdhcmUs
IEluYy4xHjAcBgNVBAsTFUVjb3N5c3RlbSBFbmdpbmVlcmluZzEVMBMGA1UEAwwMKi52bXdhcmUu
Y29tMB4XDTE1MTIwMTE4NTY0OFoXDTE2MTEzMDE4NTY0OFowgYQxCzAJBgNVBAYTAlVTMRMwEQYD
VQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlQYWxvIEFsdG8xFTATBgNVBAoTDFZNd2FyZSwgSW5j
LjEeMBwGA1UECxMVRWNvc3lzdGVtIEVuZ2luZWVyaW5nMRUwEwYDVQQDDAwqLnZtd2FyZS5jb20w
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANs52Y9fJz5M8VeGARSPFjcnUEowoptJTygVqbNh
SnE2oBIV0/WEr6xozmWa1XscvcjfOm2QVfIZwrZc+F5tAQ6yI7CqyDpafEIajX7hgFaLgbpuk+q9
FJlRx6uqIiIYt8GXoM4+W1G/ICfUiAfCq3M2b5ItmAoRc6E2LMJXFY0LAgMBAAEwDQYJKoZIhvcN
AQEFBQADgYEAv9HpjvO3/F7ZbJkDH7eujnGRHw1gSjSMp4TMlveICwoToNn+9svP8LkoT7u8YGxx
nJSklky/d2cpA7zthj+DlYZF5icB/UY0eSRDSr3+MUiIxZt4LqRmW9mGBWxSJ1Dnq3kr821ATTMN
8XbO6iyrpnJDv3a/HwBJF7k+Ypk+opY=</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:Conditions NotBefore="2015-12-01T18:56:50.144Z"
NotOnOrAfter="2015-12-01T19:26:50.144Z">
<saml2:ProxyRestriction Count="10"/>
<saml2:Condition
xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" Count="10"
xsi:type="rsa:RenewRestrictionType"/>
</saml2:Conditions>
<saml2:AuthnStatement AuthnInstant="2015-12-01T18:56:52.607Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute FriendlyName="surname"
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xsi:type="xs:string">vsphere.local</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="givenName"
Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xsi:type="xs:string">Administrator</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="Subject Type"
Name="http://vmware.com/schemas/attr-names/2011/07/isSolution"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute FriendlyName="Groups"
Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
<saml2:AttributeValue
xsi:type="xs:string">vsphere.local\Users</saml2:AttributeValue>
<saml2:AttributeValue
xsi:type="xs:string">vsphere.local\Administrators</saml2:AttributeValue>
<saml2:AttributeValue
xsi:type="xs:string">vsphere.local\CAAdmins</saml2:AttributeValue>
<saml2:AttributeValue
xsi:type="xs:string">vsphere.local\ComponentManager.Administrators</saml2:AttributeValue>
<saml2:AttributeValue
xsi:type="xs:string">vsphere.local\SystemConfiguration.Administrators</saml2:AttributeValue>
<saml2:AttributeValue
xsi:type="xs:string">vsphere.local\LicenseService.Administrators</saml2:AttributeValue>
<saml2:AttributeValue
xsi:type="xs:string">vsphere.local\Everyone</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>

#### 2nd signature element is missing <------

</ns3:Security>






--
View this message in context: http://cxf.547215.n5.nabble.com/Question-on-signature-confirmation-in-the-security-header-tp5763524.html
Sent from the cxf-dev mailing list archive at Nabble.com.
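As an added diagnostic for the comparison in the post above (example code written for this page; it is not from the post and not CXF or WSS4J code), the script below parses a wsse:Security header and inventories its ds:Signature elements: whether each sits directly under the header or inside the SAML assertion, which wsu:Id/ID values its References point at, and how its KeyInfo names the signing key. It also counts wsse11:SignatureConfirmation elements, which is the element WS-Security 1.1 uses to carry signature confirmation and is a different thing from a second ds:Signature. Applied to the quoted JAX-WS RI header, the same logic reports the second ds:Signature as a header-level signature whose References are the Timestamp's Id and one Id that does not appear in the header as quoted, keyed through a SecurityTokenReference/KeyIdentifier carrying the SAML assertion's ID; that is the detail worth comparing against what the server's policy requires. The embedded sample header is constructed: its Ids, digests, signature values and certificate are placeholders, and the "#BODY-1" reference is an assumption standing in for an element outside the header.

```python
"""Inventory the ds:Signature elements in a WS-Security header (added example,
not CXF/WSS4J code): where each sits, which Ids it covers, how KeyInfo names the
key, and whether any WS-Security 1.1 wsse11:SignatureConfirmation is present.
Matching is by namespace URI, so a prefix of ns3 or wsse makes no difference."""
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def _q(prefix, local):
    """Clark-notation name {uri}local for an element or attribute."""
    return "{%s}%s" % (NS[prefix], local)


def describe_key_info(sig):
    """Say how a ds:Signature identifies its signing key."""
    key_info = sig.find("ds:KeyInfo", NS)
    if key_info is None:
        return "none"
    str_el = key_info.find("wsse:SecurityTokenReference", NS)
    if str_el is not None:
        kid = str_el.find("wsse:KeyIdentifier", NS)
        if kid is not None:  # e.g. a SAMLID naming a holder-of-key assertion
            return "SecurityTokenReference/KeyIdentifier -> " + (kid.text or "").strip()
        return "SecurityTokenReference"
    if key_info.find("ds:X509Data/ds:X509Certificate", NS) is not None:
        return "X509Certificate (embedded)"
    return "other"


def inventory(header_xml):
    """Return {'signatures': [...], 'signature_confirmations': [Value, ...]}."""
    root = ET.fromstring(header_xml)
    security = root if root.tag == _q("wsse", "Security") else root.find(".//wsse:Security", NS)
    if security is None:
        raise ValueError("no wsse:Security element found")
    ids = {}  # "#<id>" -> local element name, used to explain Reference URIs
    for el in security.iter():
        for attr in (_q("wsu", "Id"), "ID", "Id"):
            if el.get(attr):
                ids["#" + el.get(attr)] = el.tag.split("}")[-1]
    sigs = []
    for child in security:  # document order, direct children only
        if child.tag == _q("ds", "Signature"):
            found = [(child, "Security")]
        elif child.tag == _q("saml2", "Assertion"):
            found = [(s, "saml2:Assertion") for s in child.findall("ds:Signature", NS)]
        else:
            continue
        for sig, location in found:
            refs = [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
            sigs.append({"location": location, "references": refs,
                         "covers": [ids.get(u, "not in header") for u in refs],
                         "key_info": describe_key_info(sig)})
    confirmations = [c.get("Value") for c in security.findall("wsse11:SignatureConfirmation", NS)]
    return {"signatures": sigs, "signature_confirmations": confirmations}


# Constructed sample shaped like the JAX-WS RI header quoted in the post: Timestamp,
# signed SAML holder-of-key assertion, then a header-level signature over an outside
# element and the timestamp, keyed via that assertion. All Ids, digests, signature
# values and the certificate are placeholders, not real material.
SAMPLE_HEADER = """<wsse:Security
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
<wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2015-11-29T19:40:02Z</wsu:Created>
 <wsu:Expires>2015-11-29T19:50:02Z</wsu:Expires></wsu:Timestamp>
<saml2:Assertion ID="ASSERTION-1" Version="2.0" IssueInstant="2015-11-29T19:39:58Z">
 <saml2:Issuer>https://idp.example/metadata</saml2:Issuer>
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#ASSERTION-1">
  <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
  <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
 </ds:Signature>
</saml2:Assertion>
<ds:Signature><ds:SignedInfo>
 <ds:Reference URI="#BODY-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
 <ds:Reference URI="#TS-1"><ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
 </ds:SignedInfo><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
 <ds:KeyInfo><wsse:SecurityTokenReference
  wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
  <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">ASSERTION-1</wsse:KeyIdentifier>
 </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
</wsse:Security>"""

# Same header plus the element WS-Security 1.1 actually uses to carry signature
# confirmation, so the two kinds of "second element" can be told apart.
SAMPLE_WITH_CONFIRMATION = SAMPLE_HEADER.replace(
    "</wsse:Security>",
    '<wsse11:SignatureConfirmation wsu:Id="SC-1" Value="PLACEHOLDER"/></wsse:Security>')

if __name__ == "__main__":
    for name, hdr in (("RI-shaped", SAMPLE_HEADER), ("with confirmation", SAMPLE_WITH_CONFIRMATION)):
        print("== " + name)
        for sig in inventory(hdr)["signatures"]:
            print("  %s signature covers %s; key via %s" % (sig["location"], sig["covers"], sig["key_info"]))
        print("  wsse11:SignatureConfirmation elements: %d" % len(inventory(hdr)["signature_confirmations"]))
```

To use it on a captured header, pass the serialized wsse:Security element (or the whole SOAP envelope) to inventory(); because lookups use namespace URIs rather than prefixes, the ns2/ns3 prefixes in the quoted CXF and RI output are handled the same as wsu/wsse. A Reference whose Id is reported as "not in header" is normally an element elsewhere in the envelope, which is exactly where a header-only capture stops being enough to tell what the signature protects.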
