cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Glen Mazza (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-2894) use wsse:KeyIdentifier instead of wsse:Reference for SAML token profile
Date Fri, 30 Jul 2010 01:26:16 GMT

    [ https://issues.apache.org/jira/browse/CXF-2894?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12893894#action_12893894
] 

Glen Mazza commented on CXF-2894:
---------------------------------

OK, from my 24/Jul/10 12:23 PM posting above I did Part 1 already in the CXF code, and submitted
a WSS4J patch for Part II: https://issues.apache.org/jira/browse/WSS-238.  When both changes
are in production, we'll be able to make SOAP calls using SAML assertions that will be accepted
by a Metro web service provider.

This is just half the story, however.  More work is needed in WSS4J for it to be able to process
the Metro response to this call as I explained in WSS-238.


> use wsse:KeyIdentifier instead of wsse:Reference for SAML token profile
> -----------------------------------------------------------------------
>
>                 Key: CXF-2894
>                 URL: https://issues.apache.org/jira/browse/CXF-2894
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>            Reporter: Glen Mazza
>            Assignee: Glen Mazza
>         Attachments: 20100724DoubleItMetroWSTrust.zip, CXF2894Example.txt
>
>
> CXF should be using the KeyIdentifier element when identifying SAML Assertions within
wsse:SecurityTokenReference elements.
> Issue and explanation in this thread:
> http://cxf.547215.n5.nabble.com/Problem-using-SAML-token-profile-to-access-a-Metro-web-service-td1064848.html#a1064848
> Attached zip contains a Metro web service and STS (intended for standalone Tomcat deployment),
a working Metro client, and a complaining CXF one, all components Mavenized for easily compilation,
deployment, and execution.
> Instructions to host sample web service and STS from attachment:
> 1.) If necessary, to allow mvn tomcat:deploy to work in next step, set up Maven tomcat
config:
> Pale green "Maven only" section of Step #8 here has instructions:
> http://www.jroller.com/gmazza/entry/web_service_tutorial#WFstep8
> 2.) From root directory, type mvn clean install tomcat:deploy
> (can call tomcat:undeploy on subsequent runs)
> Once done, confirm can see Metro web service WSDL from browser:
> https://localhost:8443/doubleit/services/doubleit?wsdl
> And confirm can see Metro STS WSDL:
> http://localhost:8080/DoubleItSTS/DoubleItSTSService?wsdl
> 3.) 
> Place the 2.2 version of jaxws-api.jar (https://jax-ws.dev.java.net/) in the JDK_HOME/jre/lib/endorsed
folder. 
> Once done, navigate to Metro client folder (/client-metro) and run mvn exec:exec
> Confirm can see output of doubled number results (10 doubled is 20).
> Wireshark results of the whole STS process w/Metro is here:
> http://www.jroller.com/gmazza/entry/metro_wstrust_analysis
> 5.) 
> Remove 2.2 JAXWS-api.jar from endorsed folder.
> Navigate to CXF client folder (/client-cxf) and run 
> mvn clean install exec:exec (need to build here, as client-cxf is not part of parent
POM due to Metro dependencies.)
> Should see this error message:
> [INFO] Jul 14, 2010 8:00:46 AM org.apache.cxf.service.factory.ReflectionServiceFactoryBean
buildServiceFromWSDL
> [INFO] INFO: Creating Service {http://www.example.org/contract/DoubleIt}DoubleItService
from WSDL: file:/work/workspace/DoubleItMetroWSTrust/client-cxf/src/main/resources/DoubleItService.wsdl
> [INFO] Jul 14, 2010 8:00:48 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> [INFO] WARNING: Request does not contain required Security header, but it's a fault.
> ----->[INFO] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: unsupported
directreference ValueType http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID<-----
> [INFO] 	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
> [INFO] 	at $Proxy38.doubleIt(Unknown Source)
> [INFO] 	at client.WSClient.doubleIt(WSClient.java:18)
> [INFO] 	at client.WSClient.main(WSClient.java:11)
> [INFO] Caused by: org.apache.cxf.binding.soap.SoapFault: unsupported directreference
ValueType http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
> [INFO] 	at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
> [INFO] 	at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
> [INFO] 	at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
> [INFO] 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
> If you can use Wireshark to trace localhost calls (always can on Linux, sometimes on
Windows), can use Wireshark's Show TCP stream capability to get more of error message: http://www.jroller.com/gmazza/entry/soap_calls_over_wireshark

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message