cxf-dev mailing list archives
From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Question on signature confirmation in the security header
Date Thu, 03 Dec 2015 09:53:46 GMT
What security configuration do you have? And what version of CXF?

Colm.

On Wed, Dec 2, 2015 at 11:09 PM, dthomas <deepakzac@gmail.com> wrote:

> I have 2 codebases. They are identical except that one uses the reference
> JAX-WS implementation. The other uses CXF + Wss4j.
>
> I'm seeing a difference in the security header created by each codebase.
> The
> JAX-WS RI creates a <security> element with 2 <signature> elements within
> it.
>
> The codebase that uses CXF+wss4j only adds a single <signature> element.
> Based on what I found by googling, I think the 2nd signature element is
> supposed to be the signature confirmation.
>
> The server expects the signature confirmation and hence rejects the request
> in the case of CXF + Wss4j.
>
> Is this expected?
>
> JAX-WS reference implementation
> ========================
>
> <ns3:Security xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>   xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>   xmlns:ns4="http://www.w3.org/2005/08/addressing"
>   xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"
>   xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion"
>   xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"
>   xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"
>   xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation">
> <ns2:Timestamp xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>   xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>   xmlns:ns4="http://www.w3.org/2005/08/addressing"
>   xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"
>   xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion"
>   xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"
>   xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"
>   xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
>   ns2:Id="_a199e922-5238-46ca-a93a-f73db181e918">
> <ns2:Created>2015-11-29T19:40:02.949Z</ns2:Created>
> <ns2:Expires>2015-11-29T19:50:02.949Z</ns2:Expires>
> </ns2:Timestamp>
> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>   xmlns:xs="http://www.w3.org/2001/XMLSchema"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   ID="_a5ccb73a-7337-407a-b4c3-a66f2baeacb2"
>   IssueInstant="2015-11-29T19:39:58.983Z" Version="2.0">
> <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://funk.rtp.netapp.com/websso/SAML2/Metadata/vsphere.local</saml2:Issuer>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"></ds:SignatureMethod>
> <ds:Reference URI="#_a5ccb73a-7337-407a-b4c3-a66f2baeacb2">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></ds:Transform>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs xsi"></ec:InclusiveNamespaces>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"></ds:DigestMethod>
> <ds:DigestValue>6562VNOEAQW4Q7giAAQDaMvsJE31Tr0dKHI8EIOP6Jo=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>irRr1jA1PsMefSifkBw5K8UvBWiqpEbTJGFcOtU/sPHrSp2xLvgv8Qrnv5RuFMDbq9u4e1s1bII1
> INjkTbK8XDhjvO32YDrpK9ywH5lWi6NYWCUOc31ZJe41s+ooikCrdWDnUAjNesxaqVaovO4aYexS
> S7hitB/ms6KuizkwwdocYt2tSBNNwa9Xjw0dsHzSdmMLaUXauOR3dDC/EwLODTd4uvQqVkRPOKYG
> oMDXndOC1QFeFphvnZvEgpITF4TPSWQUI7B9nAPDWeZIOUhJovJ2MxWNfGF+XrfBwnMxnGee3gp8
> vrwhCDI3wLcs+ndX3Z92F5ga8Xl3uWI4z66KBQ==</ds:SignatureValue>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>MIIDcjCCAlqgAwIBAgIJANBWyluWaMVFMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw
> FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
> UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjcxNDUzNDZaFw0yNTEwMjEx
> NTAzMjlaMBgxFjAUBgNVBAMMDXNzb3NlcnZlclNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
> ggEKAoIBAQDB6FmNgUCZiPKXwFtMwGPFdFxy1eBKNQLVqiwJPEk/TBImWLkXRgMdwApPOaPjWPj3
> 9nc8zeKfYheGpel9cyqWAjniCo1mTj5r3ko4KlbvDip1MM/o2DwXK1jO1bGX0K1Jj/MEVizfNz4F
> 6G7wowY9Drxyg8+aCUY+SQsfkv1tEnjdxl3ybKXL7+yuDnFKBZt4qV68YdN+Zu6T3wURZKhBpCp4
> vzSQwn56PEOE2sDb6HQ7R1aJO8JOeHZpXi78iQGHjyZUllm24+645axTs2DhbbJKiFOjoA95liC2
> PANhFMjZu0TPMyvdyCYdLJokguDYC/s1D7hdhCQn0a34ZHqTAgMBAAGjbzBtMAsGA1UdDwQEAwIF
> 4DAeBgNVHREEFzAVghNmdW5rLnJ0cC5uZXRhcHAuY29tMB0GA1UdDgQWBBSpCGQYYTuwgR5kcNtX
> kC8nAjmGezAfBgNVHSMEGDAWgBQzkY4vNOatLsyiR9IEc2qO/SxuYDANBgkqhkiG9w0BAQsFAAOC
> AQEAVBw89jzGKzu0Fjd29o5tiTMEhIY2VlHnxiwdxNqFb7P4ADGEHye8OMfJiQb+24NjSV630yWc
> 3VNurEpRaT3SIEPqG10iFjnB/Fsxfgb1QlcCSdh3UwoCsmPMaagUlNijWb/eGhLzU2u/joSjPSmS
> uGxKCNgEPiCa1uBr0NZuHIll1mPg5TRH1aP05efa/XPb59RQdRbpDdkp2/n/0/gfeKL4F8htjPxS
> 6ayPk2ptJAWkDgPWCv8py2MwkzCa8la+aq8v/YZqOlRxnqp/Mh3ingJEmx/6uYbYbi4FJM1tstMv
> VROhlUh85fZePM9h1SVnjh+tMOca6Xf5g0FOx8nPpQ==</ds:X509Certificate>
> <ds:X509Certificate>MIIDmDCCAoCgAwIBAgIJANl71jMO0URHMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw
> FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
> UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjQxNTAzMjlaFw0yNTEwMjEx
> NTAzMjlaMGgxCzAJBgNVBAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT
> 8ixkARkWBWxvY2FsMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTCC
> ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTq9IGaJfEUwWW+rO/9DO8F4wg+lnRGVUNk
> pV4YILwfLiAnGF9A/rjumXiMCtc//soxJmI024A5k7PeVPUrkafSjRt7KioM5WzNtOU1OdesLsLA
> cHaZTU9XaNJ1+0k0SpQT/i7KzVFXPe54tM3SLhsdnjOeQfbCVYwBP+rARvoqz8vD2Ao+1VOLYqmp
> YPnsJimkgqmgNG93wybJWdyr5EXDeMcMw6V6sJOjfvGfTd+HOI3Sq7iw3jIUFE3JvnPve6dltNw+
> +2kSZtjIOcHE4fbuRoRUxUMgWnbJn/tvpgnkINf67+RQQRgEsE5CtWMICEO74hyC41K2IL3BbHwP
> jsUCAwEAAaNFMEMwHQYDVR0OBBYEFDORji805q0uzKJH0gRzao79LG5gMA4GA1UdDwEB/wQEAwIB
> BjASBgNVHRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQAYmkUedlcvX0+lGWYXCUXL
> qocza0ZEpY/UV5Z7j6NVAToOV1pENtHKPjfCAe1aJKu+QpG1mltpMK5GBwLkkAqQPqBhQZfu84zS
> gcCEKhWNu0oCr1feZu8SOiddQdxQWIYLuwoB+Zvov0DOEB1ItETlRmMmuf1GRn29h+3UQfF83RrI
> ua73AXxJgozXI4qBfdGe/cUKT5NsBPOJeDJDZW5apv8mUj/35Z1Y8+8Qx7RIwEZnqjU3B1Zqs+ZQ
> KCuzjM31yPkJEby/a5aoPLaHHXVGIL6GN/erko3KxpJxar9TkmeULa2CBwh0hU4cQ4IFXExiNyRH
> dtL/iT0sE0nXET7g</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </ds:Signature>
> <saml2:Subject>
> <saml2:NameID Format="http://schemas.xmlsoap.org/claims/UPN">Administrator@VSPHERE.LOCAL</saml2:NameID>
> <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
> <saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType">
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509Data>
> <ds:X509Certificate>MIIChTCCAe6gAwIBAgIIOZzLxyu+aoIwDQYJKoZIhvcNAQEFBQAwgYQxCzAJBgNVBAYTAlVTMRMw
> EQYDVQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlQYWxvIEFsdG8xFTATBgNVBAoTDFZNd2FyZSwg
> SW5jLjEeMBwGA1UECxMVRWNvc3lzdGVtIEVuZ2luZWVyaW5nMRUwEwYDVQQDDAwqLnZtd2FyZS5j
> b20wHhcNMTUxMTI5MTkzOTU3WhcNMTYxMTI4MTkzOTU3WjCBhDELMAkGA1UEBhMCVVMxEzARBgNV
> BAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVBhbG8gQWx0bzEVMBMGA1UEChMMVk13YXJlLCBJbmMu
> MR4wHAYDVQQLExVFY29zeXN0ZW0gRW5naW5lZXJpbmcxFTATBgNVBAMMDCoudm13YXJlLmNvbTCB
> nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjHCywBzRtcTz0071B2zocMoN9D7A2Ham4YfITN43
> cGTZtAcCOC7OKBkS8bfg04hqnUo59Roxr+jhIToxIMT4O1IxsAjiPXS68WdKh3h6pdfIdYrBTDFG
> Fe5UOhJwdG3cas5QJcKUMpWOfnNujIw8UaII8bu6ZvwZnR8kE2spFsUCAwEAATANBgkqhkiG9w0B
> AQUFAAOBgQB/PpOlU0yALiXFlIQGj6LW0VScBaOxOzMENKlk0VPt4bBT/3n8YKhri3Yfd/7WQMxJ
> Py1PyJvB8cCXEKfGlgQA9jRXbJf+8llVk1OyjCTjpnrPlEynLVxfNdmIn5HT7rXy27PTMC9e/By8
> kdNUdcTHWYOVHPNd2akVemA1khaqhA==</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </saml2:SubjectConfirmationData>
> </saml2:SubjectConfirmation>
> </saml2:Subject>
> <saml2:Conditions NotBefore="2015-11-29T19:39:57.916Z" NotOnOrAfter="2015-11-29T20:09:57.916Z">
> <saml2:ProxyRestriction Count="10"></saml2:ProxyRestriction>
> <saml2:Condition xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" Count="10" xsi:type="rsa:RenewRestrictionType"></saml2:Condition>
> </saml2:Conditions>
> <saml2:AuthnStatement AuthnInstant="2015-11-29T19:39:58.981Z">
> <saml2:AuthnContext>
> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
> </saml2:AuthnContext>
> </saml2:AuthnStatement>
> <saml2:AttributeStatement>
> <saml2:Attribute FriendlyName="surname"
>   Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue xsi:type="xs:string">vsphere.local</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="givenName"
>   Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue xsi:type="xs:string">Administrator</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="Subject Type"
>   Name="http://vmware.com/schemas/attr-names/2011/07/isSolution"
>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="Groups"
>   Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity"
>   NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\Users</saml2:AttributeValue>
> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\Administrators</saml2:AttributeValue>
> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\CAAdmins</saml2:AttributeValue>
> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\ComponentManager.Administrators</saml2:AttributeValue>
> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\SystemConfiguration.Administrators</saml2:AttributeValue>
> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\LicenseService.Administrators</saml2:AttributeValue>
> <saml2:AttributeValue xsi:type="xs:string">vsphere.local\Everyone</saml2:AttributeValue>
> </saml2:Attribute>
> </saml2:AttributeStatement>
> </saml2:Assertion>
>
> ####see below 2nd signature element #############
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:CanonicalizationMethod>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"></ds:SignatureMethod>
> <ds:Reference URI="#_60b8ff8d-e1b7-48f0-a3ea-43a5b2fd537e">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"></ds:DigestMethod>
> <ds:DigestValue>V7sztgOZVF5LUSkR4aJJ7cX9X4UzAUpF3661NCKOs4puRIMiNIXJlrLVQIeS5YXPpme3sf89Xk8B
> aAJD7kt+zA==</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#_a199e922-5238-46ca-a93a-f73db181e918">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"></ds:DigestMethod>
> <ds:DigestValue>QNGwQjyLO3jjAUlcok7jnlVN/IV7Kxrh17rs/7yRxuCsJpkydeBEfEDoXDXLG6/2rK09HDibWnCO
> lNKwJ8x5KQ==</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>AkBK81uTZXlCWkiKFTcGygLLI1WgaFv88zzfd0q/fUxy7arwg1HAehEaJASFOzRXbQj+H6JZ+3IY
> QJ4W1jG5A20ARuydx7uOh/pOSoT13pKk0loImSWAcBu3wpvUIFDUHFhVYbXtahHwtK7/NYyUfSnv
> rBLJghFdfyzaudckLR0=</ds:SignatureValue>
> <ds:KeyInfo>
> <ns3:SecurityTokenReference xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>   xmlns:ns2="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>   xmlns:ns4="http://www.w3.org/2005/08/addressing"
>   xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"
>   xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion"
>   xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"
>   xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"
>   xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation"
>   xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>   wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
> <ns3:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_a5ccb73a-7337-407a-b4c3-a66f2baeacb2</ns3:KeyIdentifier>
> </ns3:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
>
> </ns3:Security>
>
>
> CXF + WSS4j
> ==========
>
> <ns3:Security
> xmlns:ns3="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> "
> xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> xmlns:ns2="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
> xmlns:ns4="http://www.w3.org/2005/08/addressing"
> xmlns:ns5="http://www.rsa.com/names/2009/12/std-ext/WS-Trust1.4/advice"
> xmlns:ns6="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:ns7="http://www.w3.org/2000/09/xmldsig#"
> xmlns:ns8="http://www.rsa.com/names/2009/12/std-ext/SAML2.0"
> xmlns:ns9="urn:oasis:names:tc:SAML:2.0:conditions:delegation">
> <ns2:Timestamp ns2:Id="fsfdsfsfs">
> <ns2:Created>2015-12-01T18:57:08.814Z</ns2:Created>
> <ns2:Expires>2015-12-01T19:07:08.814Z</ns2:Expires>
> </ns2:Timestamp>
> <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> ID="_50e38388-dbda-4843-9cd1-23730bd65502"
> IssueInstant="2015-12-01T18:56:52.609Z" Version="2.0">
> <saml2:Issuer
> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">
> https://funk.rtp.netapp.com/websso/SAML2/Metadata/vsphere.local
> </saml2:Issuer>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod
> Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
> <ds:Reference URI="#_50e38388-dbda-4843-9cd1-23730bd65502">
> <ds:Transforms>
> <ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
> <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
> PrefixList="xs xsi"/>
> </ds:Transform>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
> <ds:DigestValue>6IQ6ekeoHmJQHNdnaKYFEgw2UBthqumyFYGG49ltvVg=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>pTU4jM27A6HIIm8tFa/kXRn7jIaQDjUE6Z9yjAatr5FuCQRpZYm9IhvvptGp2jKRrdfV3/MoNpAR
> aigFdz5t/uf5fBapHhdTYgqqKGg7BFtWQghruWKYmL0OLxCb3AMDHslqbQwckFQnFFygkUQfi7t5
> XF/LHM94gJiNsXuaUi3AZ11o7PDXPqAKwMVTS93DKGIrsK7WSw/Iok+F9yIYPUJ/ejFkcbnkg91e
> pw7MhP+EH2hjQkpYk0Alx20n5NVV1zXT7LG4niONwwNzBP98W3BE0cV93ZLdLhph7zACKdhlEvjD
> rDSvSF95Ty01bSKrZxFXXTwJoRIimi+Ns0M4RA==</ds:SignatureValue>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>MIIDcjCCAlqgAwIBAgIJANBWyluWaMVFMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw
> FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
> UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjcxNDUzNDZaFw0yNTEwMjEx
> NTAzMjlaMBgxFjAUBgNVBAMMDXNzb3NlcnZlclNpZ24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
> ggEKAoIBAQDB6FmNgUCZiPKXwFtMwGPFdFxy1eBKNQLVqiwJPEk/TBImWLkXRgMdwApPOaPjWPj3
> 9nc8zeKfYheGpel9cyqWAjniCo1mTj5r3ko4KlbvDip1MM/o2DwXK1jO1bGX0K1Jj/MEVizfNz4F
> 6G7wowY9Drxyg8+aCUY+SQsfkv1tEnjdxl3ybKXL7+yuDnFKBZt4qV68YdN+Zu6T3wURZKhBpCp4
> vzSQwn56PEOE2sDb6HQ7R1aJO8JOeHZpXi78iQGHjyZUllm24+645axTs2DhbbJKiFOjoA95liC2
> PANhFMjZu0TPMyvdyCYdLJokguDYC/s1D7hdhCQn0a34ZHqTAgMBAAGjbzBtMAsGA1UdDwQEAwIF
> 4DAeBgNVHREEFzAVghNmdW5rLnJ0cC5uZXRhcHAuY29tMB0GA1UdDgQWBBSpCGQYYTuwgR5kcNtX
> kC8nAjmGezAfBgNVHSMEGDAWgBQzkY4vNOatLsyiR9IEc2qO/SxuYDANBgkqhkiG9w0BAQsFAAOC
> AQEAVBw89jzGKzu0Fjd29o5tiTMEhIY2VlHnxiwdxNqFb7P4ADGEHye8OMfJiQb+24NjSV630yWc
> 3VNurEpRaT3SIEPqG10iFjnB/Fsxfgb1QlcCSdh3UwoCsmPMaagUlNijWb/eGhLzU2u/joSjPSmS
> uGxKCNgEPiCa1uBr0NZuHIll1mPg5TRH1aP05efa/XPb59RQdRbpDdkp2/n/0/gfeKL4F8htjPxS
> 6ayPk2ptJAWkDgPWCv8py2MwkzCa8la+aq8v/YZqOlRxnqp/Mh3ingJEmx/6uYbYbi4FJM1tstMv
> VROhlUh85fZePM9h1SVnjh+tMOca6Xf5g0FOx8nPpQ==</ds:X509Certificate>
> <ds:X509Certificate>MIIDmDCCAoCgAwIBAgIJANl71jMO0URHMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNVBAMMAkNBMRcw
> FQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkWBWxvY2FsMQswCQYDVQQGEwJV
> UzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTAeFw0xNTEwMjQxNTAzMjlaFw0yNTEwMjEx
> NTAzMjlaMGgxCzAJBgNVBAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT
> 8ixkARkWBWxvY2FsMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTZnVuay5ydHAubmV0YXBwLmNvbTCC
> ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKTq9IGaJfEUwWW+rO/9DO8F4wg+lnRGVUNk
> pV4YILwfLiAnGF9A/rjumXiMCtc//soxJmI024A5k7PeVPUrkafSjRt7KioM5WzNtOU1OdesLsLA
> cHaZTU9XaNJ1+0k0SpQT/i7KzVFXPe54tM3SLhsdnjOeQfbCVYwBP+rARvoqz8vD2Ao+1VOLYqmp
> YPnsJimkgqmgNG93wybJWdyr5EXDeMcMw6V6sJOjfvGfTd+HOI3Sq7iw3jIUFE3JvnPve6dltNw+
> +2kSZtjIOcHE4fbuRoRUxUMgWnbJn/tvpgnkINf67+RQQRgEsE5CtWMICEO74hyC41K2IL3BbHwP
> jsUCAwEAAaNFMEMwHQYDVR0OBBYEFDORji805q0uzKJH0gRzao79LG5gMA4GA1UdDwEB/wQEAwIB
> BjASBgNVHRMBAf8ECDAGAQH/AgEAMA0GCSqGSIb3DQEBCwUAA4IBAQAYmkUedlcvX0+lGWYXCUXL
> qocza0ZEpY/UV5Z7j6NVAToOV1pENtHKPjfCAe1aJKu+QpG1mltpMK5GBwLkkAqQPqBhQZfu84zS
> gcCEKhWNu0oCr1feZu8SOiddQdxQWIYLuwoB+Zvov0DOEB1ItETlRmMmuf1GRn29h+3UQfF83RrI
> ua73AXxJgozXI4qBfdGe/cUKT5NsBPOJeDJDZW5apv8mUj/35Z1Y8+8Qx7RIwEZnqjU3B1Zqs+ZQ
> KCuzjM31yPkJEby/a5aoPLaHHXVGIL6GN/erko3KxpJxar9TkmeULa2CBwh0hU4cQ4IFXExiNyRH
> dtL/iT0sE0nXET7g</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </ds:Signature>
> <saml2:Subject>
> <saml2:NameID
> Format="http://schemas.xmlsoap.org/claims/UPN">Administrator@VSPHERE.LOCAL
> </saml2:NameID>
> <saml2:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
> <saml2:SubjectConfirmationData
> xsi:type="saml2:KeyInfoConfirmationDataType">
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509Data>
> <ds:X509Certificate>MIIChjCCAe+gAwIBAgIJAOpdwhw5314wMA0GCSqGSIb3DQEBBQUAMIGEMQswCQYDVQQGEwJVUzET
> MBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJUGFsbyBBbHRvMRUwEwYDVQQKEwxWTXdhcmUs
> IEluYy4xHjAcBgNVBAsTFUVjb3N5c3RlbSBFbmdpbmVlcmluZzEVMBMGA1UEAwwMKi52bXdhcmUu
> Y29tMB4XDTE1MTIwMTE4NTY0OFoXDTE2MTEzMDE4NTY0OFowgYQxCzAJBgNVBAYTAlVTMRMwEQYD
> VQQIEwpDYWxpZm9ybmlhMRIwEAYDVQQHEwlQYWxvIEFsdG8xFTATBgNVBAoTDFZNd2FyZSwgSW5j
> LjEeMBwGA1UECxMVRWNvc3lzdGVtIEVuZ2luZWVyaW5nMRUwEwYDVQQDDAwqLnZtd2FyZS5jb20w
> gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANs52Y9fJz5M8VeGARSPFjcnUEowoptJTygVqbNh
> SnE2oBIV0/WEr6xozmWa1XscvcjfOm2QVfIZwrZc+F5tAQ6yI7CqyDpafEIajX7hgFaLgbpuk+q9
> FJlRx6uqIiIYt8GXoM4+W1G/ICfUiAfCq3M2b5ItmAoRc6E2LMJXFY0LAgMBAAEwDQYJKoZIhvcN
> AQEFBQADgYEAv9HpjvO3/F7ZbJkDH7eujnGRHw1gSjSMp4TMlveICwoToNn+9svP8LkoT7u8YGxx
> nJSklky/d2cpA7zthj+DlYZF5icB/UY0eSRDSr3+MUiIxZt4LqRmW9mGBWxSJ1Dnq3kr821ATTMN
> 8XbO6iyrpnJDv3a/HwBJF7k+Ypk+opY=</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </saml2:SubjectConfirmationData>
> </saml2:SubjectConfirmation>
> </saml2:Subject>
> <saml2:Conditions NotBefore="2015-12-01T18:56:50.144Z"
> NotOnOrAfter="2015-12-01T19:26:50.144Z">
> <saml2:ProxyRestriction Count="10"/>
> <saml2:Condition
> xmlns:rsa="http://www.rsa.com/names/2009/12/std-ext/SAML2.0" Count="10"
> xsi:type="rsa:RenewRestrictionType"/>
> </saml2:Conditions>
> <saml2:AuthnStatement AuthnInstant="2015-12-01T18:56:52.607Z">
> <saml2:AuthnContext>
> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
> </saml2:AuthnContext>
> </saml2:AuthnStatement>
> <saml2:AttributeStatement>
> <saml2:Attribute FriendlyName="surname"
> Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xsi:type="xs:string">vsphere.local</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="givenName"
> Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xsi:type="xs:string">Administrator</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="Subject Type"
> Name="http://vmware.com/schemas/attr-names/2011/07/isSolution"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue xsi:type="xs:string">false</saml2:AttributeValue>
> </saml2:Attribute>
> <saml2:Attribute FriendlyName="Groups"
> Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity"
> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
> <saml2:AttributeValue
> xsi:type="xs:string">vsphere.local\Users</saml2:AttributeValue>
> <saml2:AttributeValue
> xsi:type="xs:string">vsphere.local\Administrators</saml2:AttributeValue>
> <saml2:AttributeValue
> xsi:type="xs:string">vsphere.local\CAAdmins</saml2:AttributeValue>
> <saml2:AttributeValue
> xsi:type="xs:string">vsphere.local\ComponentManager.Administrators</saml2:AttributeValue>
> <saml2:AttributeValue
> xsi:type="xs:string">vsphere.local\SystemConfiguration.Administrators</saml2:AttributeValue>
> <saml2:AttributeValue
> xsi:type="xs:string">vsphere.local\LicenseService.Administrators</saml2:AttributeValue>
> <saml2:AttributeValue
> xsi:type="xs:string">vsphere.local\Everyone</saml2:AttributeValue>
> </saml2:Attribute>
> </saml2:AttributeStatement>
> </saml2:Assertion>
>
> #### 2nd signature element is missing <------
>
> </ns3:Security>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Question-on-signature-confirmation-in-the-security-header-tp5763524.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
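Added example (not code from the thread, and not CXF or WSS4J code): a small Python inventory of the ds:Signature elements in a WS-Security header, run over constructed reductions of the two dumps quoted above. For each signature it reports where it sits (enveloped inside the saml2:Assertion, or directly under the Security element), which Ids its References cover, and how its KeyInfo names the key (inline X509Data, or a SecurityTokenReference with a KeyIdentifier). It also looks for wsse11:SignatureConfirmation elements, which is what WS-Security 1.1 signature confirmation is in a response: an element carrying a Value attribute, not a second ds:Signature. In the JAX-WS RI dump the second ds:Signature is a header-level rsa-sha512 signature whose References are the Timestamp Id and one Id that is not in the header, and whose KeyInfo is a SecurityTokenReference with a SAMLID KeyIdentifier equal to the assertion ID; the inventory makes that difference between the two dumps visible at a glance. The Ids ts-1, assertion-1, body-1 and sc-1, the issuer URL, and the PLACEHOLDER digest, signature and certificate values are all constructed.

```python
"""Inventory the ds:Signature elements of a WS-Security header: where each
sits, what it references and how its KeyInfo identifies the key.

Added example for this thread, not CXF or WSS4J code.  The header fragments
below are constructed reductions of the two dumps in the thread: digests,
signature values and certificates are replaced by placeholders, and the Ids
(ts-1, assertion-1, body-1, sc-1) and the issuer URL are made up."""
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"

HEAD = ('<wsse:Security xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s" '
        'xmlns:wsse11="%(wsse11)s" xmlns:ds="%(ds)s" xmlns:saml2="%(saml2)s">' % NS)
TIMESTAMP = ('<wsu:Timestamp wsu:Id="ts-1"><wsu:Created>2015-11-29T19:40:02Z</wsu:Created>'
             '<wsu:Expires>2015-11-29T19:50:02Z</wsu:Expires></wsu:Timestamp>')
# Issuer's enveloped signature over the assertion itself; key given inline as X509Data.
ASSERTION = """<saml2:Assertion ID="assertion-1" Version="2.0" IssueInstant="2015-11-29T19:39:58Z">
<saml2:Issuer>https://sts.example.test/</saml2:Issuer>
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#assertion-1"><ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature></saml2:Assertion>"""
# Header-level signature over Body and Timestamp; key named through an STR to the assertion.
MESSAGE_SIG = """<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha512"/>
<ds:Reference URI="#body-1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference>
<ds:Reference URI="#ts-1"><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha512"/>
<ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
<wsse:KeyIdentifier ValueType="%s">assertion-1</wsse:KeyIdentifier>
</wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>""" % SAMLID
# WS-Security 1.1 signature confirmation: an element with a Value attribute, not a ds:Signature.
CONFIRMATION = '<wsse11:SignatureConfirmation wsu:Id="sc-1" Value="cGxhY2Vob2xkZXI="/>'
TAIL = "</wsse:Security>"

RI_STYLE = HEAD + TIMESTAMP + ASSERTION + MESSAGE_SIG + TAIL   # two ds:Signature elements
CXF_STYLE = HEAD + TIMESTAMP + ASSERTION + TAIL                # assertion signature only
RESPONSE_WITH_CONFIRMATION = HEAD + TIMESTAMP + CONFIRMATION + TAIL


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def inventory(header_xml):
    """One dict per ds:Signature, in document order."""
    root = ET.fromstring(header_xml)
    parent = {child: p for p in root.iter() for child in p}
    result = []
    for sig in root.iter(_tag("ds", "Signature")):
        holder = parent[sig].tag
        scope = {_tag("saml2", "Assertion"): "assertion", _tag("wsse", "Security"): "header"}.get(holder, "other")
        signed_info = sig.find("ds:SignedInfo", NS)
        refs = []
        for ref in signed_info.findall("ds:Reference", NS):
            transforms = [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)]
            refs.append({"uri": ref.get("URI", ""), "enveloped": ENVELOPED in transforms})
        key_info = sig.find("ds:KeyInfo", NS)
        key_id = key_info.find("wsse:SecurityTokenReference/wsse:KeyIdentifier", NS) if key_info is not None else None
        if key_info is None:
            key = "none"
        elif key_info.find("ds:X509Data", NS) is not None:
            key = "X509Data"                     # certificate carried inline
        elif key_id is not None:                 # STR: "STR:<ValueType fragment>:<identifier>"
            key = "STR:" + key_id.get("ValueType", "").rsplit("#", 1)[-1] + ":" + (key_id.text or "").strip()
        else:
            key = "STR"
        result.append({"scope": scope, "algorithm": signed_info.find("ds:SignatureMethod", NS).get("Algorithm"),
                       "references": refs, "key": key})
    return result


def signature_confirmations(header_xml):
    """Value attributes of any wsse11:SignatureConfirmation elements in the header."""
    root = ET.fromstring(header_xml)
    return [e.get("Value") for e in root.iter(_tag("wsse11", "SignatureConfirmation"))]


def check(header_xml, must_cover):
    """Is there a header-level signature, and does it cover every Id in must_cover?"""
    sigs = inventory(header_xml)
    covered = {r["uri"].lstrip("#") for s in sigs if s["scope"] == "header" for r in s["references"]}
    return {"signatures": len(sigs),
            "header_signatures": sum(s["scope"] == "header" for s in sigs),
            "missing": sorted(set(must_cover) - covered),
            "confirmations": signature_confirmations(header_xml)}


if __name__ == "__main__":
    for name, hdr in (("JAX-WS RI style", RI_STYLE), ("CXF style", CXF_STYLE)):
        print(name, check(hdr, ["ts-1", "body-1"]))
```

Running it against a real capture means replacing the constructed strings with the serialized wsse:Security element; the inventory never verifies a signature, it only tells you what each one claims to cover and which key it names, which is the first thing to compare when two stacks produce different headers for the same policy.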
