cxf-users mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: SAML2 RACS for signed responses
Date Wed, 27 Nov 2013 10:31:08 GMT
Hi Colm

I can see that it is a bearer assertion, which is where KeyInfo is 
optional, right ?

I'm fine with the fix not being done at WSS4J level because WSS4J is 
dedicated primarily to managing SAML (and other) assertions coming on 
the WS path where no bearer assertions exist AFAIK so no need to relax 
it there.

But we can def expect bearer SAML assertions on the RS path (the example 
in http://en.wikipedia.org/wiki/SAML_2.0#Web_Browser_SSO_Profile shows 
no KeyInfo), and the bearer is expected in case of OAuth2 SAML2 grants.

IMHO we need to get it fixed in CXF RS code, I'll be happy to poke a bit 
and offer it for the review once it is done

Thanks, Sergey

On 27/11/13 09:57, Colm O hEigeartaigh wrote:
> Hi Christian,
>
> I am not inclined to fix this issue in CXF/WSS4J, as it will involve
> changing how we use keystores for signature validation. It is quite unusual
> IMO to have a XML Signature without a KeyInfo pointing to the public key to
> use to validate the signature.
>
> For different IdPs, I have tested (successfully) against WSo2's Identity
> Server, Josso, Shibboleth, Picketlink and OpenAM.
>
> Colm.
>
>
> On Wed, Nov 27, 2013 at 8:52 AM, Christian Metzler <
> Christian.Metzler@abas.de> wrote:
>
>> Hi Sergey,
>>
>> thanks for your reply. The problem seems to be in the
>> SAMLProtocolResponseValidator class. Overriding the methods you suggested
>> would not be sufficient. Instead I would have to write my own
>> SAMLProtocolResponseValidator and instantiate it in the
>> RequestAssertionConsumerService.
>>
>> The method which fails is the private
>>      validateResponseSignature(...)
>>
>> which will do the following:
>>
>>      samlKeyInfo =
>>                  SAMLUtil.getCredentialFromKeyInfo(
>>                      keyInfo.getDOM(), requestData, docInfo,
>>                      requestData.getWssConfig().isWsiBSPCompliant()
>>                  );
>>
>>
>> Perhaps I should look for a different IDP implementation. I currently
>> tried to work with Mujina IDP for testing purposes.
>> Are there any suggestions which IDP could work? I know your example works
>> with Shibboleth, but I think Shibboleth is hard to set up and configure for
>> testing purposes. Actually an IDP mock would be really handy... But I
>> could not find anything else than Mujina.
>>
>>
>> Kind regards,
>>
>> Christian
>>
>>
>>
>> Am 26.11.2013 22:56, schrieb Sergey Beryozkin:
>>
>>> Hi
>>>
>>> Thanks for reporting the issue, appears to be a bug in CXF or at the
>>> lower level. I guess the KeyInfo is typically available on the WS path
>>> hence the issue arises when it is not included.
>>>
>>> I can suggest a workaround for now, till the problem has been resolved:
>>>
>>> RequestAssertionConsumerService validateSamlResponseProtocol and
>>> validateSamlSSOResponse methods are protected: I wonder if you can override
>>> the method where the problem occurs and do the manual validation for now or
>>> simply ignore the validation for now to get the POC done.
>>>
>>>
>>>
>>> HTH
>>> Sergey
>>>
>>> On 26/11/13 13:25, Christian Metzler wrote:
>>>
>>>> Hi,
>>>>
>>>> I am trying to implement a SAML Request Assertion Consumer Service
>>>> (RACS) with Apache CXF 2.7.7
>>>> Unfortunately the response of my Identity Provider does not include a
>>>> keyInfo (which is defined as optional in the SAML specification). This leads
>>>> to an exception when processing the response, because CXF tries to load
>>>> a DOM for the keyInfo.
>>>>
>>>> java.lang.NullPointerException
>>>>     at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:536)
>>>>
>>>> I have a valid keystore.properties file as well as the certificate on my
>>>> RACS site, but this does not change the behaviour. Is this a bug in CXF
>>>> or did I miss something to set up for my RACS?
>>>>
>>>> That's my current configuration
>>>>
>>>>       <bean id="consumerService"
>>>>             class="org.apache.cxf.rs.security.saml.sso.RequestAssertionConsumerService">
>>>>
>>>>           <property name="stateProvider" ref="stateManager" />
>>>>           <property name="enforceAssertionsSigned" value="false"/>
>>>>           <property name="signaturePropertiesFile" value="serviceKeystore.properties"/>
>>>>           <property name="supportBase64Encoding" value="true" />
>>>>       </bean>
>>>>
>>>> And the response from my IDP is:
>>>>
>>>> <saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
>>>> Destination="https://localhost:8181/CxfOAuthServer/racs/sso"
>>>> ID="9ba6bc1d-178e-4c34-82ac-c7fb4482f339"
>>>>       InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>>> IssueInstant="2013-11-26T09:46:48.020Z"
>>>>       Version="2.0">
>>>>       <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>                     Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>>>
>>>>       <saml2p:Status>
>>>>           <saml2p:StatusCode
>>>> Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
>>>>       </saml2p:Status>
>>>>       <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>>>>           ID="176247f7-0559-400c-8e5b-dafedbe5be4a"
>>>> IssueInstant="2013-11-26T09:46:48.008Z"
>>>>           Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema">
>>>>           <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">http://mock-idp</saml2:Issuer>
>>>>
>>>>           <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>>               <ds:SignedInfo>
>>>>                   <ds:CanonicalizationMethod
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
>>>>                   <ds:SignatureMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
>>>>                   <ds:Reference URI="#176247f7-0559-400c-8e5b-dafedbe5be4a">
>>>>                       <ds:Transforms>
>>>>                           <ds:Transform
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
>>>>                           <ds:Transform
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>>>>                               <ec:InclusiveNamespaces
>>>> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
>>>>                                   PrefixList="xs" />
>>>>                           </ds:Transform>
>>>>                       </ds:Transforms>
>>>>                       <ds:DigestMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
>>>> <ds:DigestValue>d2VEe93L57zXiywl0rZxlMHE3Vw=</ds:DigestValue>
>>>>                   </ds:Reference>
>>>>               </ds:SignedInfo>
>>>> <ds:SignatureValue>dFzHOV7wr1IfJoW+ZC71mXDuW4ZIj9pWyJftLfCldtCPTr
>>>> zVxnHBokmtlohxjlPf7M4Ox9wgnFXKlFUB5c6mHlRpG6cq4rcaYKGTf4eRU+
>>>> oO54bdZ2tP5HBoZRgyd1lpZLnIG05f56vZEfALWFz2HYraC6Y6VKnwLXK6sc9frII=</ds:SignatureValue>
>>>>
>>>>
>>>>           </ds:Signature>
>>>>           <saml2:Subject>
>>>>               <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
>>>>
>>>>               <saml2:SubjectConfirmation
>>>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
>>>>                   <saml2:SubjectConfirmationData
>>>>                       Address="127.0.0.1"
>>>> InResponseTo="9b2b1a98-76bb-4a66-a909-81790a02a6c8"
>>>>                       NotOnOrAfter="2013-11-26T09:48:18.007Z"
>>>> Recipient="https://localhost:8181/CxfOAuthServer/racs/sso" />
>>>>               </saml2:SubjectConfirmation>
>>>>           </saml2:Subject>
>>>>           <saml2:AuthnStatement AuthnInstant="2013-11-26T09:46:47.989Z">
>>>>               <saml2:AuthnContext>
>>>> <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>>>>
>>>> <saml2:AuthenticatingAuthority>http://mock-idp</saml2:AuthenticatingAuthority>
>>>>
>>>>
>>>>               </saml2:AuthnContext>
>>>>           </saml2:AuthnStatement>
>>>>           <saml2:AttributeStatement>
>>>>               <saml2:Attribute Name="urn:mace:dir:attribute-def:uid">
>>>>                   <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>>>               </saml2:Attribute>
>>>>               <saml2:Attribute
>>>> Name="urn:oid:1.3.6.1.4.1.1076.20.100.10.10.1">
>>>>                   <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">guest</saml2:AttributeValue>
>>>>               </saml2:Attribute>
>>>>               <saml2:Attribute Name="urn:mace:dir:attribute-def:sn">
>>>>                   <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">Doe</saml2:AttributeValue>
>>>>               </saml2:Attribute>
>>>>               <saml2:Attribute Name="urn:mace:dir:attribute-def:mail">
>>>>                   <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>>>               </saml2:Attribute>
>>>>               <saml2:Attribute
>>>> Name="urn:mace:dir:attribute-def:eduPersonPrincipalName">
>>>>                   <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">j.doe@example.com</saml2:AttributeValue>
>>>>               </saml2:Attribute>
>>>>               <saml2:Attribute
>>>> Name="urn:mace:dir:attribute-def:displayName">
>>>>                   <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">admin</saml2:AttributeValue>
>>>>               </saml2:Attribute>
>>>>               <saml2:Attribute Name="urn:mace:dir:attribute-def:givenName">
>>>>                   <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">John</saml2:AttributeValue>
>>>>               </saml2:Attribute>
>>>>               <saml2:Attribute
>>>> Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
>>>>                   <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> xsi:type="xs:string">example.com</saml2:AttributeValue>
>>>>               </saml2:Attribute>
>>>>               <saml2:Attribute Name="urn:mace:dir:attribute-def:cn">
>>>>                   <saml2:AttributeValue
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>                       xsi:type="xs:string">John Doe</saml2:AttributeValue>
>>>>               </saml2:Attribute>
>>>>           </saml2:AttributeStatement>
>>>>       </saml2:Assertion>
>>>> </saml2p:Response>
>>>>
>>>> Thanks for your help.
>>>>
>>>>
>>>
>>>
>>
>> --
>> ***********************************************************************
>> Christian Metzler * Software Developer
>> ABAS Software AG * Südendstraße 42 * 76135 Karlsruhe * GERMANY
>> Phone: +49(0)721-96723-0 * Fax: +49(0)721-96723-100
>> http://www.abas-software.com * http://www.abas.de
>> Board of Directors / Vorstand: Werner Strub, Jürgen Nöding
>> Chairman Board of Directors / Vorstandsvorsitzender: Werner Strub
>> Chairman Supervisory Board / Aufsichtsratsvorsitzender: Udo Stößer
>> Registered Office / Sitz der Gesellschaft: Karlsruhe
>> Commercial Register / Handelsregister:  HRB 107644 Amtsgericht Mannheim
>> ***********************************************************************
>>
>>
>
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
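The thread's point is that a bearer assertion may legitimately arrive signed but without a ds:KeyInfo, and that a relying party should resolve the verification key from its own trust anchors rather than fail on the missing element. The following Python is an added example (not CXF or WSS4J code): it parses a constructed response modelled on Christian's, reports the missing KeyInfo and the bearer confirmation, and looks the verification key up in a hypothetical trust store keyed by Issuer (TRUSTED_IDP_KEYS and inspect_assertion are assumptions, not a CXF API).

```python
"""Added example (not CXF or WSS4J code) for the KeyInfo-less SAML response
in the thread: parses a constructed, trimmed-down Response, reports whether
the assertion signature carries ds:KeyInfo and whether subject confirmation
is bearer, and picks the verification key from a trust store keyed by Issuer.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed sample modelled on the response in the thread: signed
# assertion, bearer confirmation, no ds:KeyInfo. SignatureValue is a dummy.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1">
    <saml2:Issuer>http://mock-idp</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
    </ds:Signature>
    <saml2:Subject>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""

# Hypothetical trust store: issuer entityID -> alias of its trusted signing cert.
TRUSTED_IDP_KEYS = {"http://mock-idp": "mock-idp-signing-cert"}


def inspect_assertion(xml_text, trusted_keys=TRUSTED_IDP_KEYS):
    """Return (issuer, has_key_info, is_bearer, verification_key).

    verification_key is the trust-store entry for the Issuer (None if unknown).
    A ds:KeyInfo, when present, may only help select among trusted keys; it is
    never the sole source of trust, so its absence should not abort validation.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml2:Assertion", NS)
    issuer = assertion.findtext("saml2:Issuer", namespaces=NS)
    sig = assertion.find("ds:Signature", NS)
    has_key_info = sig is not None and sig.find("ds:KeyInfo", NS) is not None
    confirmations = assertion.findall(".//saml2:SubjectConfirmation", NS)
    is_bearer = any(sc.get("Method") == BEARER for sc in confirmations)
    return issuer, has_key_info, is_bearer, trusted_keys.get(issuer)
```

An unknown Issuer yields no key and must be rejected outright; the actual signature check over SignedInfo is then done with the trust-store key, which is the same step CXF performs once it no longer insists on KeyInfo.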
