Subject: Re: Problem with loading Apache CXF STS with UT authentication
From: Gina Choi
To: coheigea@apache.org
Cc: users@cxf.apache.org
Date: Mon, 11 Jun 2012 12:01:51 -0400

Colm,

<<<<
You were getting the error on the service provider side no? You would have to set it on the service provider endpoint in this case.
>>>>

You are right. I forgot that WSP had a config file. After setting it in the WSP config file, I got past that exception. Cool! WSP finally generated a response, but the client is throwing an NPE. I will debug it and get back to you. I am getting close to the final line... Thanks a lot for all your help.
ID: 2
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {Content-Length=[5277], content-type=[text/xml;charset=UTF-8], Date=[Mon, 11 Jun 2012 15:53:42 GMT], Server=[Apache-Coyote/1.1]}
Payload: [SOAP response, Action http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse; XML markup lost in extraction, signature digests and encrypted-key values omitted]
--------------------------------------
Jun 11, 2012 11:53:43 AM org.apache.ws.security.saml.ext.AssertionWrapper parseElement
SEVERE: AssertionWrapper: found unexpected type org.opensaml.xml.encryption.impl.EncryptedDataImpl
Jun 11, 2012 11:53:43 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
java.lang.NullPointerException
    at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:250)
    at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:149)
    at org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:284)
    at org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:141)
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
    at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
    at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
    at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
    at $Proxy26.doubleIt(Unknown Source)
    at client.WSClient.doubleIt(WSClient.java:18)
    at client.WSClient.main(WSClient.java:11)
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Fault string, and possibly fault code, not set
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
    at $Proxy26.doubleIt(Unknown Source)
    at client.WSClient.doubleIt(WSClient.java:18)
    at client.WSClient.main(WSClient.java:11)
Caused by: java.lang.NullPointerException
    at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:250)
    at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:149)
    at org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:284)
    at org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:141)
    at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
    at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
    at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
    at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
    at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
    at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
    at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
    at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
    ... 3 more

On Mon, Jun 11, 2012 at 11:40 AM, Colm O hEigeartaigh wrote:

> > Does setting "ws-security.is-bsp-compliant" to "false" make the Service
> > Provider not check the wsse11:TokenType attribute?
>
> Yes.
>
> > I set "ws-security.is-bsp-compliant" through the client configuration file
> > like below, but it didn't change any result. I am getting the same exception.
>
> You were getting the error on the service provider side no? You would have
> to set it on the service provider endpoint in this case.
>
> Colm.
>
> On Mon, Jun 11, 2012 at 4:31 PM, Gina Choi wrote:
>
>> Hi Colm,
>>
>> <<<
>> You can turn this off by setting the following jax-ws property
>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>> >>>
>>
>> Does setting "ws-security.is-bsp-compliant" to "false" make the Service
>> Provider not check the wsse11:TokenType attribute? ADFS2.0 doesn't enforce
>> the wsse11:TokenType attribute, so the security token that I got from ADFS2.0
>> wouldn't contain the wsse11:TokenType attribute. I set
>> "ws-security.is-bsp-compliant" through the client configuration file like
>> below, but it didn't change any result. I am getting the same exception.
>>
>> <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>     createdFromAPI="true">
>>     ........
>>
>> Gina
>>
>> On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh wrote:
>>
>>> CXF enforces the Basic Security Profile 1.1 spec:
>>>
>>> http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>>>
>>> "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
>>> wsse11:TokenType attribute with a value of
>>> "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"."
>>>
>>> You can turn this off by setting the following jax-ws property
>>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>>>
>>> Colm.
>>>
>>> On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi wrote:
>>>
>>> > I did some research and looked at the OASIS specification (
>>> > https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
>>> > ); it looks like the wsse11:TokenType attribute is optional for SAML 1.1, but
>>> > should contain
>>> > http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 .
>>> >
>>> > <<<
>>> >
>>> > Now I am getting 'An invalid security token was provided (Bad TokenType
>>> > "")'. I debugged through the code again and the following is the issue:
>>> > org.apache.ws.security.str.BSPEnforcer.java (wss4j-1.6.6.jar) class, lines 162 - 169
>>> >
>>> > String tokenType = secRef.getTokenType();
>>> > if (assertion.getSaml1() != null &&
>>> >     !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>>> >     throw new WSSecurityException(
>>> >         WSSecurityException.INVALID_SECURITY_TOKEN,
>>> >         "invalidTokenType",
>>> >         new Object[]{tokenType}
>>> >     );
>>> > }
>>> >
>>> > The content of the secRef object is as follows. As you can see from the above
>>> > code, it is looking for an attribute named "TokenType", whose value is
>>> > "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
>>> > but the SecurityTokenReference doesn't have it. That's why it throws the
>>> > exception. What can we do about this? I am going to update CXF-4367 with
>>> > new content.
>>> >
>>> > <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>> >   <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</wsse:KeyIdentifier>
>>> > </wsse:SecurityTokenReference>
>>> >
>>> > >>>>>>>>
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
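As an added example (not code from this thread, from CXF or from WSS4J), here is a standalone check for the R6611 condition Colm cites: it walks the wsse:SecurityTokenReference elements of a Security header, picks out those that point at a SAML assertion by KeyIdentifier, and reports whether the wsse11:TokenType attribute is present with the SAMLV1.1 value, so an operator can see whether an STS's tokens would pass a BSP-compliant service provider before deciding to relax the check. The wsse11 namespace URI is WS-Security 1.1's and is not quoted in the thread; the sample headers are constructed, one modelled on the ADFS-style reference Gina posted.

```python
"""Check WS-I BSP 1.1 rule R6611 on SecurityTokenReference elements (added example)."""
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# WS-Security 1.1 namespace that carries the TokenType attribute (not quoted in the thread).
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
SAML_ASSERTION_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
SAML_V11_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"


def check_r6611(security_header_xml):
    """Return one (assertion_id, compliant, detail) tuple per SecurityTokenReference that
    refers to a SAML assertion by KeyIdentifier; other token references are skipped."""
    root = ET.fromstring(security_header_xml)
    findings = []
    for str_el in root.iter(f"{{{WSSE}}}SecurityTokenReference"):
        key_id = str_el.find(f"{{{WSSE}}}KeyIdentifier")
        if key_id is None or key_id.get("ValueType") != SAML_ASSERTION_ID:
            continue  # R6611 only applies to references to SAML 1.1 assertions
        assertion_id = (key_id.text or "").strip()
        # ElementTree exposes namespaced attributes as "{namespace}local-name".
        token_type = str_el.get(f"{{{WSSE11}}}TokenType")
        if token_type is None:
            findings.append((assertion_id, False, "wsse11:TokenType attribute missing"))
        elif token_type != SAML_V11_TOKEN_TYPE:
            findings.append((assertion_id, False, f"unexpected TokenType {token_type}"))
        else:
            findings.append((assertion_id, True, "ok"))
    return findings


def build_header(str_attrs):
    # Constructed sample Security header; the assertion ID is the one quoted in the thread.
    return (
        f'<wsse:Security xmlns:wsse="{WSSE}" xmlns:wsse11="{WSSE11}">'
        f"<wsse:SecurityTokenReference {str_attrs}>"
        f'<wsse:KeyIdentifier ValueType="{SAML_ASSERTION_ID}">'
        "_ca94d3c5-0933-4af0-ac12-a83fd407310c</wsse:KeyIdentifier>"
        "</wsse:SecurityTokenReference></wsse:Security>"
    )


# Reference as ADFS 2.0 emitted it in the thread: no TokenType, so BSP-compliant WSS4J rejects it.
ADFS_STYLE_HEADER = build_header("")
# The same reference carrying the attribute R6611 requires.
COMPLIANT_HEADER = build_header(f'wsse11:TokenType="{SAML_V11_TOKEN_TYPE}"')

if __name__ == "__main__":
    for name, hdr in (("ADFS-style", ADFS_STYLE_HEADER), ("compliant", COMPLIANT_HEADER)):
        for assertion_id, ok, detail in check_r6611(hdr):
            print(f"{name}: assertion {assertion_id}: {'PASS' if ok else 'FAIL'} ({detail})")
```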