ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <>
Subject [jira] [Commented] (WSS-616) STRTransform TransformException when manually adding SAML Assertion via SAMLCallback.setAssertionElement()
Date Fri, 20 Oct 2017 08:55:00 GMT


Colm O hEigeartaigh commented on WSS-616:

Thanks for the test-case. The problem is that your security policy references a SAML Token
both as the InitiatorToken for the AsymmetricBinding + then again as the SignedSupportingToken.
It attempts to add the same SAML Token twice and throws an error as both tokens have the same
ID. I think for this case you don't need the SignedSupportingToken policy.

> STRTransform TransformException when manually adding SAML Assertion via SAMLCallback.setAssertionElement()
> ----------------------------------------------------------------------------------------------------------
>                 Key: WSS-616
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.1.7
>         Environment: Apache Tomcat 8.0.37
>            Reporter: Russell Orf
>            Assignee: Colm O hEigeartaigh
>              Labels: security
>         Attachments: catalina.out, service-client.war
> In Apache CXF v3.1.7, I have a JAX-WS web service client calling a service that requires
> a HolderOfKey SAML Assertion. The assertions are from a custom service that does not adhere
> to the WS-Trust SecureTokenService standard, so I am adding them manually in a SAMLCallbackHandler,
> using the callback.setAssertionElement() method.
> When invoking the client, the WSS4J framework is unable to compute the signature for
> the SecurityTokenReference header block, throwing the below error:
> {{
> javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException:
> org.apache.wss4j.common.ext.WSSecurityException: Referenced token "id-of-SAML-assertion" not
> at org.apache.wss4j.dom.str.STRParserUtil.getTokenElement(
> at org.apache.wss4j.dom.transform.STRTransformUtil.dereferenceSTR(
> at org.apache.wss4j.dom.transform.STRTransform.transformIt(}}
> It appears that the SAML assertion DOM Element that is added via the callback.setAssertionElement()
> method is not getting searched by the STRParserUtil.getTokenElement() method.
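
The policy shape described in the comment above (a SAML token referenced as the InitiatorToken and again as a SignedSupportingToken) can be checked for before deployment. The following is an added example, not code from this thread or from WSS4J; the sample policy is constructed, the function names are hypothetical, and the check is a coarse heuristic that ignores policy alternatives:

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"  # WS-SecurityPolicy 1.2

# Constructed sample (not the reporter's policy): the same kind of SamlToken
# appears under the binding's InitiatorToken and under SignedSupportingTokens.
SAMPLE_POLICY = """
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:AsymmetricBinding><wsp:Policy>
    <sp:InitiatorToken><wsp:Policy>
      <sp:SamlToken><wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy></sp:SamlToken>
    </wsp:Policy></sp:InitiatorToken>
  </wsp:Policy></sp:AsymmetricBinding>
  <sp:SignedSupportingTokens><wsp:Policy>
    <sp:SamlToken><wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy></sp:SamlToken>
  </wsp:Policy></sp:SignedSupportingTokens>
</wsp:Policy>
"""


def saml_token_holders(policy_xml):
    """Names of initiator/supporting-token assertions that contain an sp:SamlToken,
    in document order."""
    root = ET.fromstring(policy_xml)
    holders = []
    for el in root.iter():
        if not el.tag.startswith("{%s}" % SP):
            continue  # only WS-SecurityPolicy assertions are of interest
        name = el.tag.split("}", 1)[1]
        is_holder = name.startswith("Initiator") or name.endswith("SupportingTokens")
        if is_holder and el.find(".//{%s}SamlToken" % SP) is not None:
            holders.append(name)
    return holders


def duplicate_saml_reference(policy_xml):
    """True when a SamlToken is required both as an initiator token and as a
    supporting token, the combination described in the comment above."""
    holders = saml_token_holders(policy_xml)
    as_initiator = any(h.startswith("Initiator") for h in holders)
    as_supporting = any(h.endswith("SupportingTokens") for h in holders)
    return as_initiator and as_supporting


if __name__ == "__main__":
    print(saml_token_holders(SAMPLE_POLICY), duplicate_saml_reference(SAMPLE_POLICY))
```
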
