ws-dev mailing list archives

From "Russell Orf (JIRA)" <>
Subject [jira] [Commented] (WSS-616) STRTransform TransformException when manually adding SAML Assertion via SAMLCallback.setAssertionElement()
Date Mon, 23 Oct 2017 10:37:00 GMT


Russell Orf commented on WSS-616:

Omitting the SignedSupportingToken block from the policy does eliminate the error; however,
the request generated does not contain the wsse:SecurityTokenReference block as required by
the service. Specifically, I need the request header to look like the below. How can I configure
the policy to generate the SecurityTokenReference block?

    <saml:Assertion assertionID="myassertionid">
    <wsse:SecurityTokenReference wsu:Id="SAMLStringId"> 
        <dsig:Reference URI="#SAMLStringId">
              <dsig:Transform Algorithm="">
                <wsse:TransformationParameters xmlns:wsse="">
                   <dsig:CanonicalizationMethod Algorithm=""/>
            <dsig:DigestMethod Algorithm=""/>

> STRTransform TransformException when manually adding SAML Assertion via SAMLCallback.setAssertionElement()
> ----------------------------------------------------------------------------------------------------------
>                 Key: WSS-616
>                 URL:
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 2.1.7
>         Environment: Apache Tomcat 8.0.37
>            Reporter: Russell Orf
>            Assignee: Colm O hEigeartaigh
>              Labels: security
>         Attachments: catalina.out, service-client.war
> In Apache CXF v3.1.7, I have a JAX-WS web service client calling a service that requires
a HolderOfKey SAML Assertion. The assertions are from a custom service that does not adhere
to the WS-Trust SecureTokenService standard, so I am adding them manually in a SAMLCallbackHandler,
using the callback.setAssertionElement() method.
> When invoking the client, the WSS4J framework is unable to compute the signature for
the SecurityTokenReference header block, throwing the below error:
> {{
> javax.xml.crypto.dsig.XMLSignatureException: javax.xml.crypto.dsig.TransformException:
org.apache.wss4j.common.ext.WSSecurityException: Referenced token "id-of-SAML-assertion" not
> at org.apache.wss4j.dom.str.STRParserUtil.getTokenElement(
> at org.apache.wss4j.dom.transform.STRTransformUtil.dereferenceSTR(
> at org.apache.wss4j.dom.transform.STRTransform.transformIt(}}
> It appears that the SAML assertion DOM Element that is added via the callback.setAssertionElement()
method is not getting searched by the STRParserUtil.getTokenElement() method.
