From Gina Choi <ginacho...@gmail.com>
Subject Re: Problem with loading Apache CXF STS with UT authentication
Date Mon, 11 Jun 2012 16:01:51 GMT
Colm,

<<<<
You were getting the error on the service provider side no? You would have
to set it on the service provider endpoint in this case.
>>>>

You are right. I forgot that the WSP had a config file. After setting it in the WSP
config file, I got past that exception.

Cool! The WSP finally generated a response, but the client is throwing an NPE. I
will debug it and get back to you. I am getting close to the final line...
Thanks a lot for all your help.



ID: 2
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {Content-Length=[5277], content-type=[text/xml;charset=UTF-8], Date=[Mon, 11 Jun 2012 15:53:42 GMT], Server=[Apache-Coyote/1.1]}
Payload:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-12083469">http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-14292879">urn:uuid:c6db815d-2eda-4f38-b8f5-a155e11bc9fc</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-23067900">http://www.w3.org/2005/08/addressing/anonymous</To>
    <RelatesTo xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-4247180">urn:uuid:2a1f2ddc-0570-4d0b-985d-13bef961cad1</RelatesTo>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-4">
        <wsu:Created>2012-06-11T15:53:42.336Z</wsu:Created>
        <wsu:Expires>2012-06-11T15:58:42.336Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="#ED-6"/>
      </xenc:ReferenceList>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-5">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#Id-25899396">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>8U8AaCZDk7jpxiWM7rbV4qwjfxM=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Id-23067900">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>zLPoiOCsm2/WxFnuq/1NTjy2uPQ=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Id-14292879">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>UhPP+RcBZs61Ys6Xzgsp5cz1as4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Id-4247180">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Er7vUiI3Rlg9Y+M4JZkvBbiFSb8=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Id-12083469">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Gma/VRqyG0J6ctWBsG/E5TWs4jk=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-4">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>AdVhb1lPcz0NVbvtc6iMJj4Ydms=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>UrGOgYlMLnkIn1VDZLiY2HCJjBY=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-9CECF537B18A5D2E2113394300223373">
          <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-9CECF537B18A5D2E2113394300223374">
            <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_e947a1b5-68f5-49b1-bbff-aa4f98935156</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-25899396">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-6" Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
          <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_e947a1b5-68f5-49b1-bbff-aa4f98935156</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>cTsoQzby7eNZDnrXKb7yXo/G1AzGre8QeKzjOuxtq5XqdkHLoG8I7erBJZClIRX9ZSWt0Pe6hw7cvxo4o8Sctr3UWYx7cJlVwQsYQrk5L3hEKynJp9b+ILkDjQ6NqdwWQp1bFNEnVmjQNH2VoiM9hqLG695R5v2lXBzspwlAwvagZI6ySbh2UrkMRT7Q8VlWf6vok0K7FyebINs3wSrkkQ==</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

--------------------------------------

Jun 11, 2012 11:53:43 AM org.apache.ws.security.saml.ext.AssertionWrapper parseElement
SEVERE: AssertionWrapper: found unexpected type org.opensaml.xml.encryption.impl.EncryptedDataImpl
Jun 11, 2012 11:53:43 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
java.lang.NullPointerException
        at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:250)
        at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:149)
        at org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:284)
        at org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:141)
        at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
        at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
        at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
        at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
        at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        at $Proxy26.doubleIt(Unknown Source)
        at client.WSClient.doubleIt(WSClient.java:18)
        at client.WSClient.main(WSClient.java:11)
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Fault string, and possibly fault code, not set
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
        at $Proxy26.doubleIt(Unknown Source)
        at client.WSClient.doubleIt(WSClient.java:18)
        at client.WSClient.main(WSClient.java:11)
Caused by: java.lang.NullPointerException
        at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:250)
        at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:149)
        at org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:284)
        at org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:141)
        at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
        at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
        at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
        at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
        at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        ... 3 more





On Mon, Jun 11, 2012 at 11:40 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:

>
> > Does setting "ws-security.is-bsp-compliant" to "false" make the Service
> > Provider not check the wsse11:TokenType attribute?
>
> Yes.
>
>
> > I set "ws-security.is-bsp-compliant" through the client configuration file
> > like below, but it didn't change any result. I am getting the same exception.
>
> You were getting the error on the service provider side no? You would have
> to set it on the service provider endpoint in this case.
>
> Colm.
>
>
>
> On Mon, Jun 11, 2012 at 4:31 PM, Gina Choi <ginachoi88@gmail.com> wrote:
>
>> Hi Colm,
>>
>> <<<
>> You can turn this off by setting the following jax-ws property
>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>> >>>
>>
>> Does setting "ws-security.is-bsp-compliant" to "false" make the Service
>> Provider not check the wsse11:TokenType attribute? ADFS2.0 doesn't enforce
>> the wsse11:TokenType attribute, so the security token that I got from ADFS2.0
>> wouldn't contain the wsse11:TokenType attribute. I set
>> "ws-security.is-bsp-compliant" through the client configuration file like
>> below, but it didn't change any result. I am getting the same exception.
>>
>>
>>    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>                  createdFromAPI="true">
>>        <jaxws:properties>
>>        <entry key="ws-security.is-bsp-compliant" value="false"/>
>>
>>        <entry key="ws-security.sts.client">
>>                 <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>      <constructor-arg ref="cxf"/>
>>      <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>> ........
>>
>>
>> Gina
>> On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>>
>>> CXF enforces the Basic Security Profile 1.1 spec:
>>>
>>> http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>>>
>>> "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
>>> wsse11:TokenType attribute with a value of
>>> "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"."
>>>
>>> You can turn this off by setting the following jax-ws property
>>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>>>
>>> Colm.
>>>
>>> On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi <ginachoi88@gmail.com> wrote:
>>>
>>> > I did some research and looked at the OASIS specification
>>> > (https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf);
>>> > it looks like the wsse11:TokenType attribute is optional for SAML 1.1, but
>>> > should contain
>>> > http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1.
>>> >
>>> >
>>> > <<<
>>> >
>>> > Now I am getting 'An invalid security token was provided (Bad TokenType
>>> > "")'. I debugged through the code again and the following is the issue:
>>> > org.apache.ws.security.str.BSPEnforcer.java (wss4j-1.6.6.jar), lines 162-169
>>> >
>>> >        String tokenType = secRef.getTokenType();
>>> >        if (assertion.getSaml1() != null &&
>>> > !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>>> >            throw new WSSecurityException(
>>> >                WSSecurityException.INVALID_SECURITY_TOKEN,
>>> >                "invalidTokenType",
>>> >                 new Object[]{tokenType}
>>> >            );
>>> >        }
>>> > The content of the secRef object is as follows. As you can see from the
>>> > above code, it is looking for an attribute named "TokenType", whose value is
>>> > "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
>>> > but the SecurityTokenReference doesn't have it. That's why it throws the
>>> > exception. What can we do about this? I am going to update CXF-4367 with
>>> > new content.
>>> >
>>> > <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>> >   <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
>>> > </o:SecurityTokenReference>
>>> >
>>> > >>>>>>>>
>>> >
>>>
>>>
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>>>
>>
>>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
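The thread turns on two things a WS-Security consumer does with a wsse:SecurityTokenReference: the WS-I BSP 1.1 R6611 check that a reference to a SAML 1.1 token carries wsse11:TokenType (the "Bad TokenType" rejection, switched off by ws-security.is-bsp-compliant=false), and resolving the SAMLAssertionID KeyIdentifier to an assertion before the key it carries can be used. The following is an added illustration of both steps, written for this page; it is not code from the thread, from CXF or from WSS4J, and the names check_str, check_envelope and build_envelope, the bsp_compliant flag and the sample envelopes are this example's own. It goes slightly beyond the thread by also reporting, as a distinct outcome, a reference whose target assertion is not present in the Security header.

```python
"""Added example (not WSS4J/CXF code): enforce WS-I BSP 1.1 R6611 on each
wsse:SecurityTokenReference in a Security header and resolve the referenced
SAML 1.1 assertion. Function and variable names are this example's own."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsse11": "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}
# Value R6611 requires in wsse11:TokenType for a reference to a SAML 1.1 token.
SAML11_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
# KeyIdentifier ValueType used by both STRs quoted in the thread.
SAML_ASSERTION_ID_VT = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"


def check_str(str_el, security_el, bsp_compliant=True):
    """Classify one SecurityTokenReference. Returns (status, detail)."""
    kid = str_el.find("wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") != SAML_ASSERTION_ID_VT:
        return ("not-saml-assertion-ref", None)
    token_type = str_el.get("{%s}TokenType" % NS["wsse11"])
    if bsp_compliant and token_type != SAML11_TOKEN_TYPE:
        # Same condition as the "Bad TokenType" rejection discussed in the thread:
        # a SAML 1.1 reference without the R6611 TokenType is invalid while BSP
        # enforcement is on. With it off, the reference is accepted as-is.
        return ("invalid-token-type", token_type or "")
    assertion_id = (kid.text or "").strip()
    # SAML 1.x assertions carry AssertionID (SAML 2.0 would use ID).
    for assertion in security_el.iter("{%s}Assertion" % NS["saml"]):
        if assertion.get("AssertionID") == assertion_id:
            return ("resolved", assertion_id)
    # The reference points at a token that is not in this header: report it
    # explicitly instead of continuing with no assertion object.
    return ("assertion-missing", assertion_id)


def check_envelope(xml_text, bsp_compliant=True):
    """Run check_str over every STR inside soap:Header/wsse:Security."""
    root = ET.fromstring(xml_text)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return []
    return [check_str(s, security, bsp_compliant)
            for s in security.iter("{%s}SecurityTokenReference" % NS["wsse"])]


# Constructed sample envelope (not captured traffic), shaped like the thread's
# messages: a KeyIdentifier-by-AssertionID STR with or without wsse11:TokenType,
# and optionally the referenced saml:Assertion in the same header.
ENVELOPE_TEMPLATE = """<soap:Envelope xmlns:soap="{soap}"><soap:Header>
<wsse:Security xmlns:wsse="{wsse}" xmlns:wsse11="{wsse11}" xmlns:saml="{saml}">
{assertion}
<wsse:SecurityTokenReference {tt}>
<wsse:KeyIdentifier ValueType="{vt}">{aid}</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</wsse:Security></soap:Header><soap:Body/></soap:Envelope>"""


def build_envelope(assertion_id, with_token_type, embed_assertion):
    """Build one constructed test envelope (hypothetical helper for this example)."""
    assertion = ('<saml:Assertion AssertionID="%s" MajorVersion="1" MinorVersion="1"/>'
                 % assertion_id if embed_assertion else "")
    tt = 'wsse11:TokenType="%s"' % SAML11_TOKEN_TYPE if with_token_type else ""
    return ENVELOPE_TEMPLATE.format(assertion=assertion, tt=tt, vt=SAML_ASSERTION_ID_VT,
                                    aid=assertion_id, **NS)


if __name__ == "__main__":
    aid = "_e947a1b5-68f5-49b1-bbff-aa4f98935156"
    print(check_envelope(build_envelope(aid, True, True)))          # [('resolved', aid)]
    print(check_envelope(build_envelope(aid, False, True)))         # [('invalid-token-type', '')]
    print(check_envelope(build_envelope(aid, False, True), False))  # [('resolved', aid)]
    print(check_envelope(build_envelope(aid, True, False)))         # [('assertion-missing', aid)]
```

The second and third calls are the two halves of Colm's answer: the same ADFS-style reference without wsse11:TokenType is rejected with BSP enforcement on and accepted with it off. The fourth call shows why resolution is worth checking separately from R6611: a reference can be fully BSP-compliant and still point at an assertion the consumer does not hold.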
