cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Glen Mazza (JIRA)" <>
Subject [jira] Commented: (CXF-2894) use wsse:KeyIdentifier instead of wsse:Reference for SAML token profile
Date Sat, 24 Jul 2010 03:07:51 GMT


Glen Mazza commented on CXF-2894:

This is all that is needed to fix *this* particular problem.  (The Metro web service provider
complains about another bug after this, namely:  "Encryption Policy verification error: Looking
for an Encryption Element  in Security header, but found"
 I'll look at that next.)

mvn clean install, at least from the security submodule, returns no errors with this change.
 I will go ahead and commit it so we'll know ASAP what other heartaches this change might
(or might not) create--it can be easily reverted.

--- src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
(revision 978410)
+++ src/main/java/org/apache/cxf/ws/security/wss4j/policyhandlers/
(working copy)
@@ -641,7 +641,7 @@
             } else {
                                       + WSConstants.SAML_ASSERTION_ID);
-                sig.setKeyIdentifierType(type);
+                sig.setKeyIdentifierType(WSConstants.CUSTOM_KEY_IDENTIFIER);

> use wsse:KeyIdentifier instead of wsse:Reference for SAML token profile
> -----------------------------------------------------------------------
>                 Key: CXF-2894
>                 URL:
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>            Reporter: Glen Mazza
>         Attachments:, CXF2894Example.txt
> CXF should be using the KeyIdentifier element when identifying SAML Assertions within
wsse:SecurityTokenReference elements.
> Issue and explanation in this thread:
> Attached zip contains a Metro web service and STS (intended for standalone Tomcat deployment),
a working Metro client, and a complaining CXF one, all components Mavenized for easily compilation,
deployment, and execution.
> Instructions to host sample web service and STS from attachment:
> 1.) If necessary, to allow mvn tomcat:deploy to work in next step, set up Maven tomcat
> Pale green "Maven only" section of Step #8 here has instructions:
> 2.) From root directory, type mvn clean install tomcat:deploy
> (can call tomcat:undeploy on subsequent runs)
> Once done, confirm can see Metro web service WSDL from browser:
> https://localhost:8443/doubleit/services/doubleit?wsdl
> And confirm can see Metro STS WSDL:
> http://localhost:8080/DoubleItSTS/DoubleItSTSService?wsdl
> 3.) 
> Place the 2.2 version of jaxws-api.jar ( in the JDK_HOME/jre/lib/endorsed
> Once done, navigate to Metro client folder (/client-metro) and run mvn exec:exec
> Confirm can see output of doubled number results (10 doubled is 20).
> Wireshark results of the whole STS process w/Metro is here:
> 5.) 
> Remove 2.2 JAXWS-api.jar from endorsed folder.
> Navigate to CXF client folder (/client-cxf) and run 
> mvn clean install exec:exec (need to build here, as client-cxf is not part of parent
POM due to Metro dependencies.)
> Should see this error message:
> [INFO] Jul 14, 2010 8:00:46 AM org.apache.cxf.service.factory.ReflectionServiceFactoryBean
> [INFO] INFO: Creating Service {}DoubleItService
from WSDL: file:/work/workspace/DoubleItMetroWSTrust/client-cxf/src/main/resources/DoubleItService.wsdl
> [INFO] Jul 14, 2010 8:00:48 AM handleMessage
> [INFO] WARNING: Request does not contain required Security header, but it's a fault.
> ----->[INFO] Exception in thread "main" unsupported
directreference ValueType<-----
> [INFO] 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(
> [INFO] 	at $Proxy38.doubleIt(Unknown Source)
> [INFO] 	at client.WSClient.doubleIt(
> [INFO] 	at client.WSClient.main(
> [INFO] Caused by: org.apache.cxf.binding.soap.SoapFault: unsupported directreference
> [INFO] 	at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(
> [INFO] 	at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(
> [INFO] 	at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(
> [INFO] 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
> If you can use Wireshark to trace localhost calls (always can on Linux, sometimes on
Windows), can use Wireshark's Show TCP stream capability to get more of error message:

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message