<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>wss4j-dev@ws.apache.org Archives</title>
<link rel="self" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/?format=atom"/>
<link href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/"/>
<id>http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/</id>
<updated>2009-12-08T23:30:30Z</updated>
<entry>
<title>RE: Wss4j working with WebSphere?</title>
<author><name>&quot;Yang, Gang CTR USA&quot; &lt;gang.yang@us.army.mil&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200912.mbox/%3cD4B8B3555A0EBA459A2E39A1B4D78098072B2BF2@MONMBE010C85207.nae.ds.army.mil%3e"/>
<id>urn:uuid:%3cD4B8B3555A0EBA459A2E39A1B4D78098072B2BF2@MONMBE010C85207-nae-ds-army-mil%3e</id>
<updated>2009-12-07T22:21:08Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Hi, Colm,

I've just found some time in between my work to look into the failed
tests. They seem to be all related to the cases of signing the security
token using STR-Transform. Because in this case the Reference refers to
the security token indirectly via the &lt;SecurityTokenReference&gt; inside
the &lt;Signature&gt;, and my change delayed the creation of the &lt;Signature&gt;
element until the very end, the resolver failed to find the referred
element in the original SOAP message.

At this point, I don't have a generic solution, but a workaround that
works in most cases except signing the security token. I think the root
cause is still that wss4j (more accurately xml-sec) uses a set of DOM
objects to refer to and change the &lt;SignatureValue&gt; and &lt;DigestValue&gt;, but
IBM WAS changes the DOM objects dynamically.

Should I create an issue in JIRA?

Gang

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@progress.com] 
Sent: Tuesday, November 24, 2009 12:01 PM
To: Yang, Gang CTR USA; wss4j-dev@ws.apache.org
Subject: RE: Wss4j working with WebSphere?


Eclipse. I normally run tests from the command line, e.g. "mvn clean
install" or "mvn test".

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil]
Sent: 24 November 2009 16:02
To: Colm O hEigeartaigh; wss4j-dev@ws.apache.org
Subject: RE: Wss4j working with WebSphere?

Hi, Colm,

What's your dev env? I checked out the 1_5_x-fixes branch into MyEclipse 7.5
and MyEclipse hung at "Initializing Java Tools" each time I restart
MyEclipse.

Gang

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@progress.com]
Sent: Tuesday, November 24, 2009 6:33 AM
To: Yang, Gang CTR USA; wss4j-dev@ws.apache.org
Subject: RE: Wss4j working with WebSphere?


Hi Gang,

If I apply your fix it breaks 5 tests, one in TestWSSecurityNew3 and 4
in TestWSSecurityNew11. Can you take a look at these tests in
branches/1_5_x-fixes after applying your fix?

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil]
Sent: 18 November 2009 22:30
To: wss4j-dev@ws.apache.org
Subject: RE: Wss4j working with WebSphere?

Hi,

After some debugging, I think I found why wss4j isn't working with WAS
properly. The problem is caused by the way WAS's SOAP/DOM implements
Node.appendChild() and Node.insertBefore() and the timing at which wss4j
inserts the &lt;Signature&gt; element into the header. WAS's element insertion
implementation puts the appended/inserted child in a temp area
(altContent) and uses the API to hide that. When the child element is
actually accessed, it puts the child and its sub-tree into the
normal place by "copying", which causes "new" node objects to be
generated. Back to wss4j: WSSecSignature.build() calls "prependToHeader"
to insert the &lt;Signature&gt; element into the header (and doc) early and then
tries to do the signing. During the signing process, it actually
accesses the &lt;Signature&gt; element, causing WAS to copy and regenerate it.
This causes the object references to the &lt;DigestValue&gt; and
&lt;SignatureValue&gt; in the sig (XMLSignature) member to go stale. Therefore the
inserted &lt;DigestValue&gt; values and &lt;SignatureValue&gt; value are not
actually inserted into the final SOAP document.

I modified the code to call prependToHeader() last, after the
computeSignature() call. This seems to work fine with WAS now.
However, since I'm not an expert in wss4j, I would like someone, Colm
maybe?, to bless the change and pull it into the codebase if that's
fine.

Thanks,
Gang
PS: The modified WSSecSignature.build() code:

    public Document build(Document doc, Crypto cr, WSSecHeader secHeader)
        throws WSSecurityException {
        doDebug = log.isDebugEnabled();

        if (doDebug) {
            log.debug("Beginning signing...");
        }

        prepare(doc, cr, secHeader);
        SOAPConstants soapConstants =
            WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

        if (parts == null) {
            parts = new Vector();
            WSEncryptionPart encP =
                new WSEncryptionPart(
                    soapConstants.getBodyQName().getLocalPart(),
                    soapConstants.getEnvelopeURI(),
                    "Content"
                );
            parts.add(encP);
        }

        addReferencesToSign(parts, secHeader);
        // Moved to the end (after computeSignature()) so that WAS does not
        // copy the Signature subtree while xml-sec still holds references into it:
        // prependToHeader(secHeader);

        //
        // if we have a BST prepend it in front of the Signature according to
        // strict layout rules.
        //
        if (bstToken != null) {
            prependBSTElementToHeader(secHeader);
        }

        computeSignature();
        prependToHeader(secHeader);

        return doc;
    }

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil]
Sent: Tuesday, November 17, 2009 9:31 AM
To: wss4j-dev@ws.apache.org
Subject: Wss4j working with WebSphere?

Hi,

Has anyone used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSecSignature.build() call returns without any error, the security headers
are added to the SOAP message without the digest values and signature value.
Has anyone experienced similar behavior and has any insight?

Thanks,
Gang

---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



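Added example, not Gang's patch and not wss4j code: a post-build check in plain DOM that flags the symptom described in this thread (empty ds:DigestValue / ds:SignatureValue, or a ds:Reference that no longer resolves) on the serialized message before it leaves the JAX-WS handler. The SOAP envelope below is constructed to show the failing shape; the namespace URIs are the standard xmldsig and WS-Security utility ones.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Post-build sanity check for the failure described above: a ds:Signature
 * whose DigestValue/SignatureValue elements stayed empty because the
 * signer's DOM references went stale. Run it on the serialized message
 * after WSSecSignature.build().
 */
public class SignatureCompletenessCheck {

    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSU_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";

    /** Returns the problems found; an empty list means the signature looks complete. */
    public static List&lt;String&gt; check(Document doc) {
        List&lt;String&gt; problems = new ArrayList&lt;&gt;();
        NodeList sigs = doc.getElementsByTagNameNS(DS_NS, "Signature");
        if (sigs.getLength() == 0) {
            problems.add("no ds:Signature element in the document");
            return problems;
        }
        for (int s = 0; s &lt; sigs.getLength(); s++) {
            Element sig = (Element) sigs.item(s);
            // Every ds:DigestValue must carry base64 text; empty means it was never inserted.
            NodeList digests = sig.getElementsByTagNameNS(DS_NS, "DigestValue");
            for (int i = 0; i &lt; digests.getLength(); i++) {
                if (digests.item(i).getTextContent().trim().isEmpty()) {
                    problems.add("empty ds:DigestValue at index " + i);
                }
            }
            // Exactly one ds:SignatureValue, and it must be non-empty as well.
            NodeList sv = sig.getElementsByTagNameNS(DS_NS, "SignatureValue");
            if (sv.getLength() != 1 || sv.item(0).getTextContent().trim().isEmpty()) {
                problems.add("missing or empty ds:SignatureValue");
            }
            // Each same-document ds:Reference must resolve to an element carrying that Id.
            NodeList refs = sig.getElementsByTagNameNS(DS_NS, "Reference");
            for (int i = 0; i &lt; refs.getLength(); i++) {
                String uri = ((Element) refs.item(i)).getAttribute("URI");
                if (uri.startsWith("#") &amp;&amp; !idExists(doc, uri.substring(1))) {
                    problems.add("ds:Reference URI " + uri + " does not resolve");
                }
            }
        }
        return problems;
    }

    /** True if some element carries an Id or wsu:Id attribute equal to id. */
    static boolean idExists(Document doc, String id) {
        NodeList all = doc.getElementsByTagName("*");
        for (int i = 0; i &lt; all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (id.equals(e.getAttribute("Id")) || id.equals(e.getAttributeNS(WSU_NS, "Id"))) {
                return true;
            }
        }
        return false;
    }

    public static Document parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required for the *NS lookups above
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the shape of a message that came out of WAS with the values missing.
        String sample =
            "&lt;soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\""
            + " xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\""
            + " xmlns:wsu=\"" + WSU_NS + "\" xmlns:ds=\"" + DS_NS + "\"&gt;"
            + "&lt;soap:Header&gt;&lt;wsse:Security&gt;&lt;ds:Signature&gt;&lt;ds:SignedInfo&gt;"
            + "&lt;ds:Reference URI=\"#Body-1\"&gt;&lt;ds:DigestValue&gt;&lt;/ds:DigestValue&gt;&lt;/ds:Reference&gt;"
            + "&lt;/ds:SignedInfo&gt;&lt;ds:SignatureValue&gt;&lt;/ds:SignatureValue&gt;&lt;/ds:Signature&gt;"
            + "&lt;/wsse:Security&gt;&lt;/soap:Header&gt;"
            + "&lt;soap:Body wsu:Id=\"Body-1\"&gt;&lt;echo/&gt;&lt;/soap:Body&gt;&lt;/soap:Envelope&gt;";
        for (String p : check(parse(sample))) {
            System.out.println("PROBLEM: " + p);
        }
    }
}
```

On the constructed sample it reports the empty DigestValue and the empty SignatureValue while the Body reference resolves; a message that passed through the reordered build() should produce an empty list.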
</pre>
</div>
</content>
</entry>
<entry>
<title>Antwort: RE: Question about x509 certificates</title>
<author><name>Oliver Wulff &lt;oliver.wulff@zurich.ch&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200912.mbox/%3cOF36B1E764.390358CF-ONC1257682.0035AE6D-C1257682.0035D2D5@email.zurich.com%3e"/>
<id>urn:uuid:%3cOF36B1E764-390358CF-ONC1257682-0035AE6D-C1257682-0035D2D5@email-zurich-com%3e</id>
<updated>2009-12-04T09:47:52Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

Hi all

Another option might be XKMS or WS-Trust instead of a "proprietary"
protocol like LDAP (from a web services point of view).

Thanks
Oliver



From: "Dittmann, Werner (NSN - DE/Munich)" &lt;werner.dittmann@nsn.com&gt;
To: "ext Cole Ferrier" &lt;cole@coleferrier.com&gt;, &lt;wss4j-dev@ws.apache.org&gt;
Date: 04.12.2009 10:43
Subject: RE: Question about x509 certificates





Cole,

the advice given by Daniel is correct. The Merlin implementation uses a
local keystore based on JKS. Because you mention LDAP in your mail: IIRC
someone already implemented LDAP access to get certificates. I don't know
who it was but maybe you can ask here or try google :-) .

Regards,
Werner












</pre>
</div>
</content>
</entry>
<entry>
<title>RE: Question about x509 certificates</title>
<author><name>&quot;Dittmann, Werner (NSN - DE/Munich)&quot; &lt;werner.dittmann@nsn.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200912.mbox/%3cD1FA621591E24549BA3C339EC9C2BC720265321B@DEMUEXC014.nsn-intra.net%3e"/>
<id>urn:uuid:%3cD1FA621591E24549BA3C339EC9C2BC720265321B@DEMUEXC014-nsn-intra-net%3e</id>
<updated>2009-12-04T09:43:21Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Cole,

the advice given by Daniel is correct. The Merlin implementation uses a
local keystore based on JKS. Because you mention LDAP in your mail: IIRC
someone already implemented LDAP access to get certificates. I don't know
who it was but maybe you can ask here or try google :-) .

Regards,
Werner


________________________________

	From: ext Cole Ferrier [mailto:cole@coleferrier.com] 
	Sent: Thursday, December 03, 2009 11:22 PM
	To: wss4j-dev@ws.apache.org
	Subject: Fwd: Question about x509 certificates
	
	
</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Commented: (WSS-203) Move trunk to use JSR-105 APIs instead of custom XML-Security APIs  for XML digital signature functionality.</title>
<author><name>&quot;Mike Youngstrom (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200912.mbox/%3c1054422847.1259884100830.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c1054422847-1259884100830-JavaMail-jira@brutus%3e</id>
<updated>2009-12-03T23:48:20Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

    [ https://issues.apache.org/jira/browse/WSS-203?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=12785647#action_12785647
] 

Mike Youngstrom commented on WSS-203:
-------------------------------------

With this issue fixed is the xmlsec dependency now optional for those on Java 6?

&gt; Move trunk to use JSR-105 APIs instead of custom XML-Security APIs for XML digital signature functionality.
&gt; ------------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-203
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-203
&gt;             Project: WSS4J
&gt;          Issue Type: Improvement
&gt;          Components: WSS4J Core
&gt;    Affects Versions: 1.5.7
&gt;            Reporter: Colm O hEigeartaigh
&gt;            Assignee: Colm O hEigeartaigh
&gt;             Fix For: 1.6
&gt;
&gt;
&gt; Move trunk to use JSR-105 APIs instead of custom XML-Security APIs for XML digital signature functionality.
&gt; Colm.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.





</pre>
</div>
</content>
</entry>
<entry>
<title>Fwd: Question about x509 certificates</title>
<author><name>Cole Ferrier &lt;cole@coleferrier.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200912.mbox/%3c9edc26ea0912031421s4b8e5fcdqb38003e0473128ee@mail.gmail.com%3e"/>
<id>urn:uuid:%3c9edc26ea0912031421s4b8e5fcdqb38003e0473128ee@mail-gmail-com%3e</id>
<updated>2009-12-03T22:21:32Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
I was referred to this list by Daniel Kulp from the CXF list.

Here is what I'm trying to do:

I want to be able to accept a signed (not encrypted) message without having
the public key in my keystore prior to someone calling me. I have a service
available that I can go and get all the public keys for anyone, but I want
to do that on demand, so that I don't have to maintain a local key store.
How could one go about doing this?

I wouldn't mind using a local key store to cache copies of the public key
once I have looked them up once, but I don't want to have to have the key
prior to them calling me.

(Also I have a certificate revocation list that I want to validate against,
which I could do at this point or later in the process.)

He stated that I should look at implementing a

org.apache.ws.security.components.crypto.Crypto

Do you have any suggestions on where I should start?

Or is this not the right approach?

My use case is that we have a central group that manages x509 certs and
"flags" for applications for authorization purposes.
So I was going to use the x509 signature for authentication, then look up
in LDAP the flags on their account for authorization. (The authorization I
was going to do later in a CXF interceptor.)

Thanks in advance,

Cole

---------- Forwarded message ----------
From: Daniel Kulp &lt;dkulp@apache.org&gt;
Date: Thu, Dec 3, 2009 at 12:09 PM
Subject: Re: Question about x509 certificates
To: users@cxf.apache.org
Cc: Cole Ferrier &lt;cole@coleferrier.com&gt;


On Wed December 2 2009 6:36:11 pm Cole Ferrier wrote:
&gt; I've done some basic testing and setup with x509 certificates, but I have a
&gt; few requirements that I'm trying to figure out how I could implement.
&gt;
&gt; 1) I want to be able to accept a signed (not encrypted) message without
&gt; having the public key in my keystore prior to someone calling me.
&gt; I have a service available that I can go and get all the public keys for
&gt; anyone, but I want to do that on demand, so that I don't have to maintain a
&gt; local key store. How could one go about doing this?

This PROBABLY should be redirected to the WSS4J list.   I THINK the only way
to do this would be to write your own
org.apache.ws.security.components.crypto.Crypto

object that implements all the needed methods.   That's the class that WSS4J
uses to handle all the key manipulation and such.   You would set your
classname in the properties file instead of the Merlin version.


&gt; 2) Then of course I need to check a revocation list, so I'm assuming I
&gt;  could just use an interceptor to go and check that? or??

An interceptor could work here.   Alternatively, the Crypto object you create
above could just throw an exception if a revoked cert is asked for.


&gt; 3) then the question comes to authorization, (since I've already done the
&gt; above to validate that I know who they are.. ) Should this be done in a
&gt; separate interceptor? I am talking I want to authorize at the per service
&gt; layer or operation, not at the whole application..
&gt;  How early should I try to do this.. I think I was able to get what the
&gt;  user is doing on what interface
&gt; message.get(Message.WSDL_OPERATION)
&gt; message.get(Message.WSDL_INTERFACE)
&gt; and who the user is:
&gt; //ignore the ugly code
&gt;         Vector v = (Vector) message.get(WSHandlerConstants.RECV_RESULTS);
&gt;         WSSecurityEngineResult r = (WSSecurityEngineResult)
&gt; ((WSHandlerResult) v.get(0)).getResults().get(0);
&gt;         WSUsernameTokenPrincipal p = (WSUsernameTokenPrincipal)
&gt; r.get(WSSecurityEngineResult.TAG_PRINCIPAL);
&gt;
&gt; then I could take the user and what they are doing and validate that they
&gt; are authorized for that operation.
&gt;
&gt; Right now I tried this at the Phase.USER_LOGICAL and it seems to work, is
&gt; this the right place for that?

Yep.   You can simplify a bit by doing:

SecurityContext sc = msg.get(SecurityContext.class);
Principal p = sc.getUserPrincipal();



&gt; If anyone has had to do anything like this and has sample code, I'd
&gt; appreciate it.
&gt;
&gt; Cole
&gt;

--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
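As an added example, not wss4j's Crypto implementation and not code from anyone on this thread: the on-demand lookup, local-keystore cache and CRL check that Daniel and Cole discuss, written against plain JCA so that a custom org.apache.ws.security.components.crypto.Crypto could delegate its certificate lookups to it. The CertDirectory interface, the alias scheme, and the CRL plus its issuer certificate being supplied by the caller are assumptions.

```java
import java.io.IOException;
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;

/**
 * Fetches a signer's certificate on demand, caches it as a trusted-certificate
 * entry in an in-memory keystore, and refuses anything the CRL lists as revoked.
 * A custom Crypto can hand the issuer and serial number from the KeyInfo to
 * resolve() and throw (as Daniel suggests) when it fails.
 */
public class OnDemandCertResolver {

    /** Hypothetical client for the "service that has everyone's public key". */
    public interface CertDirectory {
        X509Certificate lookup(X500Principal issuer, BigInteger serial)
                throws CertificateException;
    }

    private final CertDirectory directory;
    private final KeyStore cache;   // JKS kept in memory; store it to disk if wanted
    private final X509CRL crl;      // current CRL published by the central group

    public OnDemandCertResolver(CertDirectory directory, X509CRL crl,
            X509Certificate crlIssuer) throws GeneralSecurityException, IOException {
        // Never trust a CRL that was not signed by the expected issuer or is out of date.
        crl.verify(crlIssuer.getPublicKey());
        Date nextUpdate = crl.getNextUpdate();
        if (nextUpdate != null &amp;&amp; nextUpdate.before(new Date())) {
            throw new CertificateException("CRL is stale, refusing to use it");
        }
        this.directory = directory;
        this.crl = crl;
        this.cache = KeyStore.getInstance("JKS");
        this.cache.load(null, null); // start with an empty store
    }

    /** Cache alias: issuer DN plus serial number, lower-cased because JKS ignores case. */
    static String aliasFor(X500Principal issuer, BigInteger serial) {
        return (issuer.getName(X500Principal.RFC2253) + "#" + serial.toString(16)).toLowerCase();
    }

    /**
     * Returns the certificate for (issuer, serial), fetching it at most once.
     * The revocation check runs on every call, cached or not, so a newer CRL
     * cannot be bypassed by an earlier successful lookup.
     */
    public X509Certificate resolve(X500Principal issuer, BigInteger serial)
            throws CertificateException, KeyStoreException {
        String alias = aliasFor(issuer, serial);
        X509Certificate cert = (X509Certificate) cache.getCertificate(alias);
        if (cert == null) {
            cert = directory.lookup(issuer, serial);
            if (cert == null) {
                throw new CertificateException("no certificate known for " + alias);
            }
            // Make sure the directory handed back the certificate that was asked for.
            if (!cert.getIssuerX500Principal().equals(issuer)
                    || !cert.getSerialNumber().equals(serial)) {
                throw new CertificateException("directory returned a mismatching certificate");
            }
            cert.checkValidity(); // notBefore / notAfter
            cache.setCertificateEntry(alias, cert); // trusted-cert entry, no private key
        }
        // The CRL only speaks for certificates of its own issuer; no coverage is a failure.
        if (!crl.getIssuerX500Principal().equals(cert.getIssuerX500Principal())) {
            throw new CertificateException("CRL does not cover the issuer of " + alias);
        }
        if (crl.isRevoked(cert)) {
            cache.deleteEntry(alias);
            throw new CertificateException("certificate " + alias + " is revoked");
        }
        return cert;
    }
}
```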


</pre>
</div>
</content>
</entry>
<entry>
<title>how to have username token authentication and SecureConversation using rampart</title>
<author><name>soni swapna &lt;swsoni@cisco.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200912.mbox/%3c26610442.post@talk.nabble.com%3e"/>
<id>urn:uuid:%3c26610442-post@talk-nabble-com%3e</id>
<updated>2009-12-02T15:09:10Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

Hi Team,

   I have a requirement to engage rampart for username token authentication
and sending and receiving signed and encrypted messages. But for
authentication I have to pass the username and password from the client program,
instead of hard coding them in policy.xml on the client side. Could anyone please
tell me how I can do this.

Thanks,
Swapna Soni.


-- 
View this message in context: http://old.nabble.com/how-to-have-usernmae-token-authentication-and-SecureConversation-using-rampart-tp26610442p26610442.html
Sent from the WSS4J mailing list archive at Nabble.com.





</pre>
</div>
</content>
</entry>
<entry>
<title>RE: keyStore.isKeyEntry() returning false</title>
<author><name>&quot;Dittmann, Werner (NSN - DE/Munich)&quot; &lt;werner.dittmann@nsn.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200912.mbox/%3cD1FA621591E24549BA3C339EC9C2BC720261ADD0@DEMUEXC014.nsn-intra.net%3e"/>
<id>urn:uuid:%3cD1FA621591E24549BA3C339EC9C2BC720261ADD0@DEMUEXC014-nsn-intra-net%3e</id>
<updated>2009-12-01T14:55:09Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
That's quite simple: the disPartner.jks does not contain a key
with that alias, only a certificate. The key in disPartner.jks
is named "dispartner".

Regards,
Werner

&gt; -----Original Message-----
&gt; From: ext NewToGit [mailto:omarnetbox@gmail.com] 
&gt; Sent: Monday, November 30, 2009 1:54 PM
&gt; To: wss4j-dev@ws.apache.org
&gt; Subject: keyStore.isKeyEntry() returning false
&gt; 
&gt; 
&gt; Hi,
&gt; 
&gt; I'm creating my KeyStore (disPartner.jks) as shown below, but the
&gt; isKeyEntry("dispubcer") method is returning false. Can someone
&gt; tell me why, please?
&gt; 
&gt; But when I retrieve the certificate using getCertificate("dispubcer")
&gt; it finds it no problem.
&gt; 
&gt; %-| please help me. 
&gt; 
&gt; echo 'Create dis store ... '
&gt; $JAVA_HOME/bin/keytool -genkeypair -alias dis -keystore disStore.jks \
&gt;   -dname "cn=dis" -keypass dispass -storepass dispass -keyalg rsa
&gt; echo 'Self-sign dis ... '
&gt; $JAVA_HOME/bin/keytool -selfcert -alias dis -keystore disStore.jks \
&gt;   -keypass dispass -storepass dispass
&gt; echo 'Export dis public key...'
&gt; $JAVA_HOME/bin/keytool -export -keystore disStore.jks -alias dis \
&gt;   -storepass dispass -file dispub.cer
&gt; 
&gt; echo 'Create disPartner store ... '
&gt; $JAVA_HOME/bin/keytool -genkeypair -alias dispartner -keystore disPartner.jks \
&gt;   -dname "cn=dispartner" -keypass disPartnerpass -storepass disPartnerpass -keyalg rsa
&gt; echo 'Self-sign disPartner ... '
&gt; $JAVA_HOME/bin/keytool -selfcert -alias dispartner -keystore disPartner.jks \
&gt;   -keypass disPartnerpass -storepass disPartnerpass
&gt; echo 'Export disPartner public key...'
&gt; $JAVA_HOME/bin/keytool -export -keystore disPartner.jks -alias dispartner \
&gt;   -storepass disPartnerpass -file disPartnerpub.cer
&gt; 
&gt; # -import of a .cer file creates a trusted certificate entry, not a key entry
&gt; echo 'Import dispub.cer-&gt;disPartner.jks... '
&gt; $JAVA_HOME/bin/keytool -import -alias dispubcer -file dispub.cer \
&gt;   -keystore disPartner.jks -storepass disPartnerpass
&gt; echo 'removing dispub.cer ...'
&gt; rm dispub.cer
&gt; echo 'Import disPartnerpub.cer-&gt;disStore.jks... '
&gt; $JAVA_HOME/bin/keytool -import -alias disPartnerpubcert -file disPartnerpub.cer \
&gt;   -keystore disStore.jks -storepass dispass
&gt; echo 'removing disPartnerpub.cer ...'
&gt; rm disPartnerpub.cer
&gt; 
&gt; echo 'Done.'
&gt; 
&gt; -- 
&gt; View this message in context: 
&gt; http://old.nabble.com/keyStore.isKeyEntry%28%29-returning-false-tp26574263p26574263.html
&gt; Sent from the WSS4J mailing list archive at Nabble.com.
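Added example (not from the poster or from wss4j): the inventory a practitioner would run to see Werner's point, listing for every alias in a JKS file whether it is a key entry (created by keytool -genkeypair) or a trusted-certificate entry (created by keytool -import of a .cer). The default file name and store password are the ones from the quoted script.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Reports what each alias in a JKS file really holds. keytool -genkeypair
 * creates a PrivateKeyEntry (isKeyEntry() is true); keytool -import of a .cer
 * creates a trustedCertEntry (isCertificateEntry() is true), which is why
 * isKeyEntry("dispubcer") is false although getCertificate("dispubcer") works.
 */
public class KeyStoreInventory {

    /** Maps alias to "key" or "trusted-cert" for every entry in the store. */
    public static Map&lt;String, String&gt; inventory(KeyStore ks) throws Exception {
        Map&lt;String, String&gt; out = new LinkedHashMap&lt;&gt;();
        Enumeration&lt;String&gt; aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            out.put(alias, ks.isKeyEntry(alias) ? "key" : "trusted-cert");
        }
        return out;
    }

    /** Alias whose certificate equals cert, whatever the entry type (null if none). */
    public static String aliasOf(KeyStore ks, Certificate cert) throws Exception {
        return ks.getCertificateAlias(cert);
    }

    public static void main(String[] args) throws Exception {
        // Assumed defaults: the disPartner.jks and password from the script in the post.
        String path = args.length &gt; 0 ? args[0] : "disPartner.jks";
        char[] storepass = (args.length &gt; 1 ? args[1] : "disPartnerpass").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storepass);
        }
        for (Map.Entry&lt;String, String&gt; e : inventory(ks).entrySet()) {
            Certificate c = ks.getCertificate(e.getKey());
            String subject = c instanceof X509Certificate
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "?";
            System.out.println(e.getKey() + ": " + e.getValue() + " (" + subject + ")");
        }
    }
}
```

For the disPartner.jks built by the quoted script it lists dispartner as a key entry and dispubcer as a trusted-cert entry.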
&gt; 
&gt; 



</pre>
</div>
</content>
</entry>
<entry>
<title>Axis 1.1 with WSS4J</title>
<author><name>&quot;Pradhan, Priyatosh (MLX Technology)&quot; &lt;priyatosh_pradhan@ml.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3cFBD80BEDCB8ADB45A64BABA0146344AB053DEFC5@MLNYC20MB056.amrs.win.ml.com%3e"/>
<id>urn:uuid:%3cFBD80BEDCB8ADB45A64BABA0146344AB053DEFC5@MLNYC20MB056-amrs-win-ml-com%3e</id>
<updated>2009-11-30T19:25:04Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

Can I use WSS4J with Axis 1.1?

WSS4J documentation points to Axis 1.2.





</pre>
</div>
</content>
</entry>
<entry>
<title>keyStore.isKeyEntry() returning false</title>
<author><name>NewToGit &lt;omarnetbox@gmail.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c26574263.post@talk.nabble.com%3e"/>
<id>urn:uuid:%3c26574263-post@talk-nabble-com%3e</id>
<updated>2009-11-30T12:54:12Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

Hi,

I'm creating my KeyStore (disPartner.jks) as shown below, but the
isKeyEntry("dispubcer") method is returning false. Can someone tell me why,
please?

But when I retrieve the certificate using getCertificate("dispubcer"), it
finds it with no problem.

%-| please help me. 

echo 'Create dis store ... '
$JAVA_HOME/bin/keytool -genkeypair -alias dis -keystore disStore.jks -dname
"cn=dis" -keypass dispass -storepass dispass -keyalg rsa
echo 'Self-sign dis ... '
$JAVA_HOME/bin/keytool -selfcert -alias dis -keystore disStore.jks -keypass
dispass -storepass dispass
echo 'Export dis public key...'
$JAVA_HOME/bin/keytool -export -keystore disStore.jks -alias dis -storepass
dispass -file dispub.cer

echo 'Create disPartner store ... '
$JAVA_HOME/bin/keytool -genkeypair -alias dispartner -keystore
disPartner.jks -dname "cn=dispartner" -keypass disPartnerpass -storepass
disPartnerpass -keyalg rsa
echo 'Self-sign disPartner ... '
$JAVA_HOME/bin/keytool -selfcert -alias dispartner -keystore disPartner.jks
-keypass disPartnerpass -storepass disPartnerpass
echo 'Export disPartner public key...'
$JAVA_HOME/bin/keytool -export -keystore disPartner.jks -alias dispartner
-storepass disPartnerpass -file disPartnerpub.cer

echo 'Import dispub.cer-&gt;disPartner.jks... '
$JAVA_HOME/bin/keytool -import -alias dispubcer -file dispub.cer -keystore
disPartner.jks -storepass disPartnerpass
echo 'removing dispub.cer ...'
rm dispub.cer
echo 'Import disPartnerpub.cer-&gt;disStore.jks... '
$JAVA_HOME/bin/keytool -import -alias disPartnerpubcert -file
disPartnerpub.cer -keystore disStore.jks -storepass dispass
echo 'removing disPartnerpub.cer ...'
rm disPartnerpub.cer

echo 'Done.'

-- 
View this message in context: http://old.nabble.com/keyStore.isKeyEntry%28%29-returning-false-tp26574263p26574263.html
Sent from the WSS4J mailing list archive at Nabble.com.
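
An added example (not code from the original post or from wss4j) that lists the entries of the keystore built by the script above and reports how KeyStore classifies each one; it assumes the file name disPartner.jks and the store/key password disPartnerpass from the script. A certificate added with "keytool -import -file" becomes a trusted certificate entry, so isKeyEntry("dispubcer") is false and only isCertificateEntry("dispubcer") is true, while getCertificate("dispubcer") works for both entry kinds.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

/**
 * Added example, not from the original post or from wss4j: lists each alias
 * in a JKS keystore and reports which kind of entry it holds.
 * Assumptions (taken from the poster's script): keystore file disPartner.jks,
 * store password and key password both "disPartnerpass".
 */
public class KeyStoreEntryReport {

    /** Classifies one alias the way KeyStore itself sees it. */
    public static String entryKind(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "absent";
        }
        if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
            // created by "keytool -genkeypair": isKeyEntry(alias) is true
            return "PrivateKeyEntry";
        }
        if (ks.entryInstanceOf(alias, KeyStore.TrustedCertificateEntry.class)) {
            // created by "keytool -import -file x.cer": isCertificateEntry(alias) is true,
            // isKeyEntry(alias) is false, and getKey(alias, pass) returns null
            return "TrustedCertificateEntry";
        }
        if (ks.entryInstanceOf(alias, KeyStore.SecretKeyEntry.class)) {
            // symmetric key: isKeyEntry(alias) is also true for this kind
            return "SecretKeyEntry";
        }
        return "unknown";
    }

    public static void main(String[] args) throws Exception {
        // Assumed values from the poster's script; override the path on the command line.
        String path = args.length == 0 ? "disPartner.jks" : args[0];
        char[] storePass = "disPartnerpass".toCharArray();
        char[] keyPass = "disPartnerpass".toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }

        Enumeration aliases = ks.aliases(); // raw type: no generics needed here
        while (aliases.hasMoreElements()) {
            String alias = (String) aliases.nextElement();
            Certificate cert = ks.getCertificate(alias); // works for both entry kinds
            Key key = ks.getKey(alias, keyPass);         // null for a trusted certificate entry
            System.out.printf("%-20s %-24s isKeyEntry=%-5b isCertificateEntry=%-5b cert=%s key=%s%n",
                    alias, entryKind(ks, alias), ks.isKeyEntry(alias), ks.isCertificateEntry(alias),
                    cert == null ? "none" : cert.getType(),
                    key == null ? "none" : key.getAlgorithm());
        }
    }
}
```

The same distinction is visible without code in the output of keytool -list -v -keystore disPartner.jks, which prints "Entry type: PrivateKeyEntry" for dispartner and "Entry type: trustedCertEntry" for dispubcer.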





</pre>
</div>
</content>
</entry>
<entry>
<title>RE: Wss4j working with WebSphere?</title>
<author><name>&quot;Colm O hEigeartaigh&quot; &lt;coheigea@progress.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3cF0DCC8B456914C488ED5BBF6F185E8DFBA0666@MAIL02.bedford.progress.com%3e"/>
<id>urn:uuid:%3cF0DCC8B456914C488ED5BBF6F185E8DFBA0666@MAIL02-bedford-progress-com%3e</id>
<updated>2009-11-24T17:01:05Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

Eclipse. I normally run tests from the command line, e.g. "mvn clean
install" or "mvn test".

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil] 
Sent: 24 November 2009 16:02
To: Colm O hEigeartaigh; wss4j-dev@ws.apache.org
Subject: RE: Wss4j working with WebSphere?

Hi, Colm,

What's your dev env? I checked out 1_5_x-fixes branch into MyEclipse 7.5
and MyEclipse hung at "Initializing Java Tools" each time I restart
MyEclipse.

Gang

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@progress.com] 
Sent: Tuesday, November 24, 2009 6:33 AM
To: Yang, Gang CTR USA; wss4j-dev@ws.apache.org
Subject: RE: Wss4j working with WebSphere?


Hi Gang,

If I apply your fix it breaks 5 tests, one in TestWSSecurityNew3 and 4
in TestWSSecurityNew11. Can you take a look at these tests in
branches/1_5_x-fixes after applying your fix?

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil]
Sent: 18 November 2009 22:30
To: wss4j-dev@ws.apache.org
Subject: RE: Wss4j working with WebSphere?

Hi,

After some debugging, I think I found why wss4j isn't working with WAS
properly. The problem is caused by the way WAS's SOAP/DOM implements
Node.appendChild() and Node.insertBefore(), and by the timing at which wss4j
inserts the &lt;Signature&gt; element into the header. WAS's element insertion
implementation puts the appended/inserted child in a temp area
(altContent) and uses the API to hide that. When the child element is
actually accessed, it puts the child and its sub-tree into the
normal place by "copying", which causes "new" node objects to be
generated. Back to wss4j: WSSecSignature.build() calls "prependToHeader"
to insert the &lt;Signature&gt; element into the header (and doc) early, and then
tries to do the signing. During the signing process, it actually
accesses the &lt;Signature&gt; element, causing WAS to copy and regenerate it.
This causes the object references to the &lt;DigestValue&gt; and
&lt;SignatureValue&gt; in the sig (XMLSignature) member to go stale. Therefore the
inserted &lt;DigestValue&gt; values and &lt;SignatureValue&gt; value are not
actually inserted into the final SOAP document.

I modified the code to call prependToHeader() last, after the
computeSignature() call. This seems to work fine with WAS now.
However, since I'm not an expert in wss4j, I would like someone, Colm
maybe?, to bless the change and pull it into the codebase if that's
fine.

Thanks,
Gang
PS: The modified WSSecSignature.build() code:

    public Document build(Document doc, Crypto cr, WSSecHeader secHeader)
        throws WSSecurityException {
        doDebug = log.isDebugEnabled();

        if (doDebug) {
            log.debug("Beginning signing...");
        }

        prepare(doc, cr, secHeader);
        SOAPConstants soapConstants =
            WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

        if (parts == null) {
            parts = new Vector();
            WSEncryptionPart encP =
                new WSEncryptionPart(
                    soapConstants.getBodyQName().getLocalPart(),
                    soapConstants.getEnvelopeURI(),
                    "Content"
                );
            parts.add(encP);
        }

        addReferencesToSign(parts, secHeader);
        // put at the end instead (see after computeSignature()):
        // prependToHeader(secHeader);

        //
        // if we have a BST prepend it in front of the Signature according to
        // strict layout rules.
        //
        if (bstToken != null) {
            prependBSTElementToHeader(secHeader);
        }

        computeSignature();
        // only now is the Signature element inserted into the header, so the
        // DigestValue/SignatureValue nodes sig refers to are already filled in
        prependToHeader(secHeader);

        return doc;
    }

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil]
Sent: Tuesday, November 17, 2009 9:31 AM
To: wss4j-dev@ws.apache.org
Subject: Wss4j working with WebSphere?

Hi,

Has anyone used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSecSignature.build() call, which completes without any error, the security
headers are added to the SOAP message without the digest values and
signature value. Has anyone experienced similar behavior and have any insight?

Thanks,
Gang




</pre>
</div>
</content>
</entry>
<entry>
<title>RE: Wss4j working with WebSphere?</title>
<author><name>&quot;Yang, Gang CTR USA&quot; &lt;gang.yang@us.army.mil&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3cD4B8B3555A0EBA459A2E39A1B4D78098072B2BDC@MONMBE010C85207.nae.ds.army.mil%3e"/>
<id>urn:uuid:%3cD4B8B3555A0EBA459A2E39A1B4D78098072B2BDC@MONMBE010C85207-nae-ds-army-mil%3e</id>
<updated>2009-11-24T16:02:08Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Hi, Colm,

What's your dev env? I checked out 1_5_x-fixes branch into MyEclipse 7.5
and MyEclipse hung at "Initializing Java Tools" each time I restart
MyEclipse.

Gang

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@progress.com] 
Sent: Tuesday, November 24, 2009 6:33 AM
To: Yang, Gang CTR USA; wss4j-dev@ws.apache.org
Subject: RE: Wss4j working with WebSphere?


Hi Gang,

If I apply your fix it breaks 5 tests, one in TestWSSecurityNew3 and 4
in TestWSSecurityNew11. Can you take a look at these tests in
branches/1_5_x-fixes after applying your fix?

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil]
Sent: 18 November 2009 22:30
To: wss4j-dev@ws.apache.org
Subject: RE: Wss4j working with WebSphere?

Hi,

After some debugging, I think I found why wss4j isn't working with WAS
properly. The problem is caused by the way WAS's SOAP/DOM implements
Node.appendChild() and Node.insertBefore(), and by the timing at which wss4j
inserts the &lt;Signature&gt; element into the header. WAS's element insertion
implementation puts the appended/inserted child in a temp area
(altContent) and uses the API to hide that. When the child element is
actually accessed, it puts the child and its sub-tree into the
normal place by "copying", which causes "new" node objects to be
generated. Back to wss4j: WSSecSignature.build() calls "prependToHeader"
to insert the &lt;Signature&gt; element into the header (and doc) early, and then
tries to do the signing. During the signing process, it actually
accesses the &lt;Signature&gt; element, causing WAS to copy and regenerate it.
This causes the object references to the &lt;DigestValue&gt; and
&lt;SignatureValue&gt; in the sig (XMLSignature) member to go stale. Therefore the
inserted &lt;DigestValue&gt; values and &lt;SignatureValue&gt; value are not
actually inserted into the final SOAP document.

I modified the code to call prependToHeader() last, after the
computeSignature() call. This seems to work fine with WAS now.
However, since I'm not an expert in wss4j, I would like someone, Colm
maybe?, to bless the change and pull it into the codebase if that's
fine.

Thanks,
Gang
PS: The modified WSSecSignature.build() code:

    public Document build(Document doc, Crypto cr, WSSecHeader secHeader)
        throws WSSecurityException {
        doDebug = log.isDebugEnabled();

        if (doDebug) {
            log.debug("Beginning signing...");
        }

        prepare(doc, cr, secHeader);
        SOAPConstants soapConstants =
            WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

        if (parts == null) {
            parts = new Vector();
            WSEncryptionPart encP =
                new WSEncryptionPart(
                    soapConstants.getBodyQName().getLocalPart(),
                    soapConstants.getEnvelopeURI(),
                    "Content"
                );
            parts.add(encP);
        }

        addReferencesToSign(parts, secHeader);
        // put at the end instead (see after computeSignature()):
        // prependToHeader(secHeader);

        //
        // if we have a BST prepend it in front of the Signature according to
        // strict layout rules.
        //
        if (bstToken != null) {
            prependBSTElementToHeader(secHeader);
        }

        computeSignature();
        // only now is the Signature element inserted into the header, so the
        // DigestValue/SignatureValue nodes sig refers to are already filled in
        prependToHeader(secHeader);

        return doc;
    }

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil]
Sent: Tuesday, November 17, 2009 9:31 AM
To: wss4j-dev@ws.apache.org
Subject: Wss4j working with WebSphere?

Hi,

Has anyone used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSecSignature.build() call, which completes without any error, the security
headers are added to the SOAP message without the digest values and
signature value. Has anyone experienced similar behavior and have any insight?

Thanks,
Gang




</pre>
</div>
</content>
</entry>
<entry>
<title>RE: Wss4j working with WebSphere?</title>
<author><name>&quot;Colm O hEigeartaigh&quot; &lt;coheigea@progress.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3cF0DCC8B456914C488ED5BBF6F185E8DFBA05FC@MAIL02.bedford.progress.com%3e"/>
<id>urn:uuid:%3cF0DCC8B456914C488ED5BBF6F185E8DFBA05FC@MAIL02-bedford-progress-com%3e</id>
<updated>2009-11-24T11:32:51Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

Hi Gang,

If I apply your fix it breaks 5 tests, one in TestWSSecurityNew3 and 4
in TestWSSecurityNew11. Can you take a look at these tests in
branches/1_5_x-fixes after applying your fix?

Colm.

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil] 
Sent: 18 November 2009 22:30
To: wss4j-dev@ws.apache.org
Subject: RE: Wss4j working with WebSphere?

Hi,

After some debugging, I think I found why wss4j isn't working with WAS
properly. The problem is caused by the way WAS's SOAP/DOM implements
Node.appendChild() and Node.insertBefore(), and by the timing at which wss4j
inserts the &lt;Signature&gt; element into the header. WAS's element insertion
implementation puts the appended/inserted child in a temp area
(altContent) and uses the API to hide that. When the child element is
actually accessed, it puts the child and its sub-tree into the
normal place by "copying", which causes "new" node objects to be
generated. Back to wss4j: WSSecSignature.build() calls "prependToHeader"
to insert the &lt;Signature&gt; element into the header (and doc) early, and then
tries to do the signing. During the signing process, it actually
accesses the &lt;Signature&gt; element, causing WAS to copy and regenerate it.
This causes the object references to the &lt;DigestValue&gt; and
&lt;SignatureValue&gt; in the sig (XMLSignature) member to go stale. Therefore the
inserted &lt;DigestValue&gt; values and &lt;SignatureValue&gt; value are not
actually inserted into the final SOAP document.

I modified the code to call prependToHeader() last, after the
computeSignature() call. This seems to work fine with WAS now.
However, since I'm not an expert in wss4j, I would like someone, Colm
maybe?, to bless the change and pull it into the codebase if that's
fine.

Thanks,
Gang
PS: The modified WSSecSignature.build() code:

    public Document build(Document doc, Crypto cr, WSSecHeader secHeader)
        throws WSSecurityException {
        doDebug = log.isDebugEnabled();

        if (doDebug) {
            log.debug("Beginning signing...");
        }

        prepare(doc, cr, secHeader);
        SOAPConstants soapConstants =
            WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

        if (parts == null) {
            parts = new Vector();
            WSEncryptionPart encP =
                new WSEncryptionPart(
                    soapConstants.getBodyQName().getLocalPart(),
                    soapConstants.getEnvelopeURI(),
                    "Content"
                );
            parts.add(encP);
        }

        addReferencesToSign(parts, secHeader);
        // put at the end instead (see after computeSignature()):
        // prependToHeader(secHeader);

        //
        // if we have a BST prepend it in front of the Signature according to
        // strict layout rules.
        //
        if (bstToken != null) {
            prependBSTElementToHeader(secHeader);
        }

        computeSignature();
        // only now is the Signature element inserted into the header, so the
        // DigestValue/SignatureValue nodes sig refers to are already filled in
        prependToHeader(secHeader);

        return doc;
    }

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil] 
Sent: Tuesday, November 17, 2009 9:31 AM
To: wss4j-dev@ws.apache.org
Subject: Wss4j working with WebSphere?

Hi,

Has anyone used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSecSignature.build() call, which completes without any error, the security
headers are added to the SOAP message without the digest values and
signature value. Has anyone experienced similar behavior and have any insight?

Thanks,
Gang




</pre>
</div>
</content>
</entry>
<entry>
<title>RE: Wss4j working with WebSphere?</title>
<author><name>&quot;Yang, Gang CTR USA&quot; &lt;gang.yang@us.army.mil&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3cD4B8B3555A0EBA459A2E39A1B4D78098072B2BD7@MONMBE010C85207.nae.ds.army.mil%3e"/>
<id>urn:uuid:%3cD4B8B3555A0EBA459A2E39A1B4D78098072B2BD7@MONMBE010C85207-nae-ds-army-mil%3e</id>
<updated>2009-11-18T22:30:05Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Hi,

After some debugging, I think I found why wss4j isn't working with WAS
properly. The problem is caused by the way WAS's SOAP/DOM implements
Node.appendChild() and Node.insertBefore(), and by the timing at which wss4j
inserts the &lt;Signature&gt; element into the header. WAS's element insertion
implementation puts the appended/inserted child in a temp area
(altContent) and uses the API to hide that. When the child element is
actually accessed, it puts the child and its sub-tree into the
normal place by "copying", which causes "new" node objects to be
generated. Back to wss4j: WSSecSignature.build() calls "prependToHeader"
to insert the &lt;Signature&gt; element into the header (and doc) early, and then
tries to do the signing. During the signing process, it actually
accesses the &lt;Signature&gt; element, causing WAS to copy and regenerate it.
This causes the object references to the &lt;DigestValue&gt; and
&lt;SignatureValue&gt; in the sig (XMLSignature) member to go stale. Therefore the
inserted &lt;DigestValue&gt; values and &lt;SignatureValue&gt; value are not
actually inserted into the final SOAP document.

I modified the code to call prependToHeader() last, after the
computeSignature() call. This seems to work fine with WAS now.
However, since I'm not an expert in wss4j, I would like someone, Colm
maybe?, to bless the change and pull it into the codebase if that's
fine.

Thanks,
Gang
PS: The modified WSSecSignature.build() code:

    public Document build(Document doc, Crypto cr, WSSecHeader secHeader)
        throws WSSecurityException {
        doDebug = log.isDebugEnabled();

        if (doDebug) {
            log.debug("Beginning signing...");
        }

        prepare(doc, cr, secHeader);
        SOAPConstants soapConstants =
            WSSecurityUtil.getSOAPConstants(doc.getDocumentElement());

        if (parts == null) {
            parts = new Vector();
            WSEncryptionPart encP =
                new WSEncryptionPart(
                    soapConstants.getBodyQName().getLocalPart(),
                    soapConstants.getEnvelopeURI(),
                    "Content"
                );
            parts.add(encP);
        }

        addReferencesToSign(parts, secHeader);
        // put at the end instead (see after computeSignature()):
        // prependToHeader(secHeader);

        //
        // if we have a BST prepend it in front of the Signature according to
        // strict layout rules.
        //
        if (bstToken != null) {
            prependBSTElementToHeader(secHeader);
        }

        computeSignature();
        // only now is the Signature element inserted into the header, so the
        // DigestValue/SignatureValue nodes sig refers to are already filled in
        prependToHeader(secHeader);

        return doc;
    }

-----Original Message-----
From: Yang, Gang CTR USA [mailto:gang.yang@us.army.mil] 
Sent: Tuesday, November 17, 2009 9:31 AM
To: wss4j-dev@ws.apache.org
Subject: Wss4j working with WebSphere?

Hi,

Has anyone used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSecSignature.build() call, which completes without any error, the security
headers are added to the SOAP message without the digest values and
signature value. Has anyone experienced similar behavior and have any insight?

Thanks,
Gang
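
The failure described in Gang's message is silent: build() returns without error and the message goes out with empty ds:DigestValue and ds:SignatureValue elements. The check below is an added example with plain JDK DOM (not wss4j code) meant to run on the Document returned by WSSecSignature.build() before the message leaves the handler and to fail closed if any value is missing; the sample envelope is constructed inline, and the SOAP 1.1, WS-Security and XML-DSig namespace URIs are the standard ones.

```java
import java.util.StringJoiner;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Post-build sanity check for a WS-Security signed SOAP envelope.
 * Added example, not wss4j code: verifies that every ds:DigestValue and
 * ds:SignatureValue in the final document actually carries a value.
 */
public class SignatureValueCheck {
    static final String DS_NS = "http://www.w3.org/2000/09/xmldsig#";
    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Returns "" when all values are present, otherwise a description of what is empty or missing. */
    public static String findEmptySignatureValues(Document doc) {
        StringJoiner problems = new StringJoiner("; ");
        String[] names = {"DigestValue", "SignatureValue"};
        for (String name : names) {
            NodeList nodes = doc.getElementsByTagNameNS(DS_NS, name);
            if (nodes.getLength() == 0) {
                problems.add("no ds:" + name + " element present");
            }
            for (int i = 0; i != nodes.getLength(); i++) {
                Element e = (Element) nodes.item(i);
                if (e.getTextContent().trim().isEmpty()) {
                    // a DigestValue sits under ds:Reference, whose URI names the signed part
                    String uri = e.getParentNode() instanceof Element
                        ? ((Element) e.getParentNode()).getAttribute("URI") : "";
                    problems.add("empty ds:" + name + (uri.isEmpty() ? "" : " for URI " + uri));
                }
            }
        }
        return problems.toString();
    }

    /** Constructed sample: a minimal signed envelope with one Reference; values are filled in or left blank. */
    static Document sampleEnvelope(String digest, String signatureValue) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        Document doc = f.newDocumentBuilder().newDocument();
        Element env = doc.createElementNS(SOAP_NS, "soapenv:Envelope");
        doc.appendChild(env);
        Element header = doc.createElementNS(SOAP_NS, "soapenv:Header");
        env.appendChild(header);
        Element security = doc.createElementNS(WSSE_NS, "wsse:Security");
        header.appendChild(security);
        Element sig = doc.createElementNS(DS_NS, "ds:Signature");
        security.appendChild(sig);
        Element signedInfo = doc.createElementNS(DS_NS, "ds:SignedInfo");
        sig.appendChild(signedInfo);
        Element ref = doc.createElementNS(DS_NS, "ds:Reference");
        ref.setAttribute("URI", "#id-1");
        signedInfo.appendChild(ref);
        Element dv = doc.createElementNS(DS_NS, "ds:DigestValue");
        dv.setTextContent(digest);
        ref.appendChild(dv);
        Element sv = doc.createElementNS(DS_NS, "ds:SignatureValue");
        sv.setTextContent(signatureValue);
        sig.appendChild(sv);
        return doc;
    }

    public static void main(String[] args) throws Exception {
        // placeholder base64 strings stand in for real digest and signature values
        System.out.println("complete envelope : [" + findEmptySignatureValues(sampleEnvelope("Zm9v", "YmFy")) + "]");
        // the WAS symptom: elements present, values never filled in
        System.out.println("WAS-style envelope: [" + findEmptySignatureValues(sampleEnvelope("", "")) + "]");
    }
}
```

A non-empty result should abort the send (throw from the handler) rather than be logged and ignored, since a message with empty signature values is exactly what the receiver will reject.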




</pre>
</div>
</content>
</entry>
<entry>
<title>Wss4j working with WebSphere?</title>
<author><name>&quot;Yang, Gang CTR USA&quot; &lt;gang.yang@us.army.mil&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3cD4B8B3555A0EBA459A2E39A1B4D78098072B2BD6@MONMBE010C85207.nae.ds.army.mil%3e"/>
<id>urn:uuid:%3cD4B8B3555A0EBA459A2E39A1B4D78098072B2BD6@MONMBE010C85207-nae-ds-army-mil%3e</id>
<updated>2009-11-17T14:30:35Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Hi,

Has anyone used wss4j with WebSphere successfully? I'm using wss4j
1.5.8 with WAS 7.0 unsuccessfully. I'm using wss4j to build the SOAP
security headers and signature using JAX-WS handlers. After the
WSSecSignature.build() call, which completes without any error, the security
headers are added to the SOAP message without the digest values and
signature value. Has anyone experienced similar behavior and have any insight?

Thanks,
Gang




</pre>
</div>
</content>
</entry>
<entry>
<title>Re: WSS4J Encryption with public key ???</title>
<author><name>Mayank Mishra &lt;mayankm01@gmail.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c4AFDB549.8060105@gmail.com%3e"/>
<id>urn:uuid:%3c4AFDB549-8060105@gmail-com%3e</id>
<updated>2009-11-13T19:36:41Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Hi,
superk888 wrote:
&gt; Yep, I've figured it out afterwards. But when working with asymmetric
&gt; encryption, aren't we supposed to have 2 possibilities with one key pair? 
&gt;
&gt; - A encrypts with A's private key --&gt; B decrypts with A's public key
&gt;   
That is a signature operation: it happens with A's private key, and B 
verifies the signature with A's public key. If we used the public key to 
decrypt, then many guys 'C', 'D', 'E', etc. could decrypt the message, 
which we don't want; we want only 'B' to decrypt, as it's encrypted for 
'B' only. Hence, encryption won't work here. This is a signature, where 
everyone can come to know that only 'A' has sent the message.

&gt; - A encrypts with B's public key --&gt; B decrypts with B's private key
&gt;   
This is right for encryption. We do encryption so that only one guy, 'B', 
who has its private key, can decrypt. All others won't have 'B's 
private key, hence can't decrypt.
&gt; Besides, there is something wrong with the WSPasswordCallback class from
&gt; WSS4J: this class uses a private key to decrypt a message. It logically
&gt; throws an exception when we try to decrypt with a public key. 
&gt;
&gt; But then, why the hell does it allow encrypting with a private key?
&gt;   
I hope this helps.

With Regards,
Mayank
&gt;
&gt; Colm O hEigeartaigh wrote:
&gt;   
&gt;&gt;
&gt;&gt;&gt; For a reason unknown to me, the crypto engine is looking for a
&gt;&gt;&gt; private key in the specified keystore object, which actually only
&gt;&gt;&gt; contains a certificate since it is the server's public key :confused:
&gt;&gt;
&gt;&gt; The client needs a private key to decrypt the (encrypted) message
&gt;&gt; received from the server. The service should be configured to encrypt
&gt;&gt; the response using the client's public key.
&gt;&gt;
&gt;&gt; Colm.
&gt;&gt;
&gt;&gt; -----Original Message-----
&gt;&gt; From: superk888 [mailto:superk888@gmail.com] 
&gt;&gt; Sent: 12 November 2009 12:04
&gt;&gt; To: wss4j-dev@ws.apache.org
&gt;&gt; Subject: WSS4J Encryption with public key ???
&gt;&gt;
&gt;&gt;
&gt;&gt; Hi everyone, 
&gt;&gt;
&gt;&gt; I've implemented a Web Service that supports 2-way encryption features
&gt;&gt; using the X.509 Certificates method. Everything works fine when using 2
&gt;&gt; pairs of keys as described in the Apache CXF documentation, but what I
&gt;&gt; am trying to do is to use only one pair of keys: the server side keeps
&gt;&gt; its own private key and gives its public key to the service client.
&gt;&gt; Consequently, the client side has to encrypt messages before sending
&gt;&gt; with the server's public key, which should work since this is an
&gt;&gt; asymmetric encryption method.
&gt;&gt;
&gt;&gt; Nevertheless, my service client succeeds in encrypting a message with
&gt;&gt; the server's public key, but when the latter sends a response, my
&gt;&gt; service client fails to decode the encrypted response. In this case,
&gt;&gt; I get the following error:
&gt;&gt;
&gt;&gt; 2009-11-12 12:55:22,261 [main] ERROR
&gt;&gt; org.apache.ws.security.components.crypto.CryptoBase - Cannot find key
&gt;&gt; for
&gt;&gt; alias: [myAlias] in keystore of type [jks] from provider [SUN version
&gt;&gt; 1.5]
&gt;&gt; with size [1] and aliases: {myAlias}
&gt;&gt; 12-nov.-2009 12:55:22
&gt;&gt; org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
&gt;&gt; handleMessage
&gt;&gt; ATTENTION: 
&gt;&gt; org.apache.ws.security.WSSecurityException: The signature or decryption
&gt;&gt; was
&gt;&gt; invalid; nested exception is: 
&gt;&gt; 	java.lang.Exception: Cannot find key for alias: [myAlias]
&gt;&gt; 	at ...
&gt;&gt; ...
&gt;&gt; Caused by: java.lang.Exception: Cannot find key for alias: [myAlias]
&gt;&gt; 	at
&gt;&gt; org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(Crypto
&gt;&gt; Base.java:214)
&gt;&gt; 	at
&gt;&gt; org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKe
&gt;&gt; y(EncryptedKeyProcessor.java:328)
&gt;&gt; 	... 71 more
&gt;&gt; 12-nov.-2009 12:55:22 org.apache.cxf.phase.PhaseInterceptorChain
&gt;&gt; doIntercept
&gt;&gt; ATTENTION: Interceptor has thrown exception, unwinding now
&gt;&gt; org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
&gt;&gt; invalid; nested exception is: 
&gt;&gt;
&gt;&gt; For a reason unknown to me, the crypto engine is looking for a private
&gt;&gt; key in the specified keystore object, which actually only contains a
&gt;&gt; certificate since it is the server's public key :confused:
&gt;&gt;
&gt;&gt; What am I missing?
&gt;&gt; -- 
&gt;&gt; View this message in context:
&gt;&gt; http://old.nabble.com/WSS4J-Encryption-with-public-key-----tp26316077p26
&gt;&gt; 316077.html
&gt;&gt; Sent from the WSS4J mailing list archive at Nabble.com.
&gt;&gt;
&gt;&gt;
&gt;&gt;
&gt;&gt;
&gt;&gt;
&gt;&gt;     
&gt;
&gt;   
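
The two "possibilities with one key pair" from the question, as an added example in plain JCA (not wss4j code, in-memory keys only): the first direction is what the Signature API does (private key produces, public key checks), the second is what Cipher does (public key encrypts, private key decrypts), and the last step shows that decryption really does require the private key, which is what Colm's point about the client needing a private key comes down to.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.util.Arrays;
import javax.crypto.Cipher;

/**
 * Added example, not wss4j code: the two uses of one RSA key pair.
 *   1. A's private key produces, A's public key checks: that is a signature.
 *   2. B's public key encrypts, B's private key decrypts: that is encryption.
 * All keys are generated in memory, so this runs offline.
 */
public class SignVersusEncrypt {
    static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    public static KeyPair newRsaPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    /** Case 1: nothing is hidden (the message travels in clear), but B learns it came from A. */
    public static boolean signAndVerify(KeyPair a, byte[] message) throws Exception {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(a.getPrivate());
        signer.update(message);
        byte[] sig = signer.sign();

        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(a.getPublic());
        verifier.update(message);
        return verifier.verify(sig);
    }

    /** Case 2: anyone holding B's certificate can produce this, only B's private key can open it. */
    public static byte[] encryptForB(KeyPair b, byte[] message) throws Exception {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.ENCRYPT_MODE, b.getPublic());
        return c.doFinal(message);
    }

    public static byte[] decryptAsB(KeyPair b, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance(RSA_OAEP);
        c.init(Cipher.DECRYPT_MODE, b.getPrivate());
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPair a = newRsaPair();
        KeyPair b = newRsaPair();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);

        System.out.println("signature verifies with A's public key: " + signAndVerify(a, msg));

        byte[] ct = encryptForB(b, msg);
        System.out.println("B decrypts with B's private key: " + Arrays.equals(msg, decryptAsB(b, ct)));

        // What the "Cannot find key for alias" failure in the thread comes down to:
        // decryption needs the private key, and a keystore holding only B's
        // certificate cannot supply one, so the public key is of no use here.
        try {
            Cipher c = Cipher.getInstance(RSA_OAEP);
            c.init(Cipher.DECRYPT_MODE, b.getPublic());
            c.doFinal(ct);
            System.out.println("decrypting with the public key: unexpectedly succeeded");
        } catch (Exception e) {
            System.out.println("decrypting with the public key fails: " + e.getClass().getSimpleName());
        }
    }
}
```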





</pre>
</div>
</content>
</entry>
<entry>
<title>RE: WSS4J Encryption with public key ???</title>
<author><name>superk888 &lt;superk888@gmail.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c26341857.post@talk.nabble.com%3e"/>
<id>urn:uuid:%3c26341857-post@talk-nabble-com%3e</id>
<updated>2009-11-13T19:11:19Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

Yep, I've figured it out afterward. But when working with asymmetric
encryption, aren't we supposed to have 2 possibilities with one key pair?

- A encrypts with A's private key --&gt; B decrypts with A's public key
- A encrypts with B's public key --&gt; B decrypts with B's private key

Besides, there is something wrong with the WSPasswordCallback class from
WSS4J: this class uses a private key to decrypt a message. It logically
throws an exception when we try to decrypt with a public key.

But then, why the hell does it allow encrypting with a private key?


Colm O hEigeartaigh wrote:
&gt; 
&gt; 
&gt;&gt; For an unknown reason to me, the crypto engine is looking for a private
&gt;&gt; key in the specified keystore object, which actually only contains a
&gt;&gt; certificate since it is the server's public key:confused:
&gt; 
&gt; The client needs a private key to decrypt the (encrypted) message
&gt; received from the server. The service should be configured to encrypt
&gt; the response using the client's public key.
&gt; 
&gt; Colm.
&gt; 
&gt; -----Original Message-----
&gt; From: superk888 [mailto:superk888@gmail.com] 
&gt; Sent: 12 November 2009 12:04
&gt; To: wss4j-dev@ws.apache.org
&gt; Subject: WSS4J Encryption with public key ???
&gt; 
&gt; 
&gt; Hi everyone, 
&gt; 
&gt; I've implemented a Web Service that supports 2-way encryption features
&gt; using the X.509 Certificates method. Everything works fine when using 2
&gt; pairs of keys as it is described in the Apache CXF documentation, but
&gt; what I am trying to do is to use only one pair of keys: server-side keeps
&gt; its own private key and gives its public key to the service client.
&gt; Consequently, client-side has to encrypt messages before sending with the
&gt; server's public key, which should work since this is an asymmetric
&gt; encryption method.
&gt; 
&gt; Nevertheless, my service client succeeds in encrypting a message with the
&gt; server's public key but when the latter sends a response, my service
&gt; client fails to decode the encrypted response. In this case, I got the
&gt; following error:
&gt; 
&gt; 2009-11-12 12:55:22,261 [main] ERROR
&gt; org.apache.ws.security.components.crypto.CryptoBase - Cannot find key for
&gt; alias: [myAlias] in keystore of type [jks] from provider [SUN version 1.5]
&gt; with size [1] and aliases: {myAlias}
&gt; 12-nov.-2009 12:55:22 org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
&gt; handleMessage
&gt; ATTENTION: 
&gt; org.apache.ws.security.WSSecurityException: The signature or decryption was
&gt; invalid; nested exception is: 
&gt; 	java.lang.Exception: Cannot find key for alias: [myAlias]
&gt; 	at ...
&gt; ...
&gt; Caused by: java.lang.Exception: Cannot find key for alias: [myAlias]
&gt; 	at
&gt; org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:214)
&gt; 	at
&gt; org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
&gt; 	... 71 more
&gt; 12-nov.-2009 12:55:22 org.apache.cxf.phase.PhaseInterceptorChain doIntercept
&gt; ATTENTION: Interceptor has thrown exception, unwinding now
&gt; org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
&gt; invalid; nested exception is: 
&gt; 
&gt; For an unknown reason to me, the crypto engine is looking for a private
&gt; key in the specified keystore object, which actually only contains a
&gt; certificate since it is the server's public key:confused:
&gt; 
&gt; What am I missing?
&gt; -- 
&gt; View this message in context:
&gt; http://old.nabble.com/WSS4J-Encryption-with-public-key-----tp26316077p26316077.html
&gt; Sent from the WSS4J mailing list archive at Nabble.com.

-- 
View this message in context: http://old.nabble.com/WSS4J-Encryption-with-public-key-----tp26316077p26341857.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>RE: WSS4J Encryption with public key ???</title>
<author><name>&quot;Colm O hEigeartaigh&quot; &lt;coheigea@progress.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3cF0DCC8B456914C488ED5BBF6F185E8DFBA006A@MAIL02.bedford.progress.com%3e"/>
<id>urn:uuid:%3cF0DCC8B456914C488ED5BBF6F185E8DFBA006A@MAIL02-bedford-progress-com%3e</id>
<updated>2009-11-13T17:38:45Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

&gt; For an unknown reason to me, the crypto engine is looking for a private
&gt; key in the specified keystore object, which actually only contains a
&gt; certificate since it is the server's public key:confused:

The client needs a private key to decrypt the (encrypted) message
received from the server. The service should be configured to encrypt
the response using the client's public key.

Colm.

-----Original Message-----
From: superk888 [mailto:superk888@gmail.com] 
Sent: 12 November 2009 12:04
To: wss4j-dev@ws.apache.org
Subject: WSS4J Encryption with public key ???


Hi everyone, 

I've implemented a Web Service that supports 2-way encryption features
using the X.509 Certificates method. Everything works fine when using 2
pairs of keys as it is described in the Apache CXF documentation, but
what I am trying to do is to use only one pair of keys: server-side keeps
its own private key and gives its public key to the service client.
Consequently, client-side has to encrypt messages before sending with the
server's public key, which should work since this is an asymmetric
encryption method.

Nevertheless, my service client succeeds in encrypting a message with the
server's public key but when the latter sends a response, my service
client fails to decode the encrypted response. In this case, I got the
following error:

2009-11-12 12:55:22,261 [main] ERROR
org.apache.ws.security.components.crypto.CryptoBase - Cannot find key for
alias: [myAlias] in keystore of type [jks] from provider [SUN version 1.5]
with size [1] and aliases: {myAlias}
12-nov.-2009 12:55:22 org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
ATTENTION: 
org.apache.ws.security.WSSecurityException: The signature or decryption was
invalid; nested exception is: 
	java.lang.Exception: Cannot find key for alias: [myAlias]
	at ...
...
Caused by: java.lang.Exception: Cannot find key for alias: [myAlias]
	at
org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:214)
	at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
	... 71 more
12-nov.-2009 12:55:22 org.apache.cxf.phase.PhaseInterceptorChain doIntercept
ATTENTION: Interceptor has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
invalid; nested exception is: 

For an unknown reason to me, the crypto engine is looking for a private
key in the specified keystore object, which actually only contains a
certificate since it is the server's public key:confused:

What am I missing?
-- 
View this message in context:
http://old.nabble.com/WSS4J-Encryption-with-public-key-----tp26316077p26316077.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>Server-side: updating keystore?</title>
<author><name>superk888 &lt;superk888@gmail.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c26327780.post@talk.nabble.com%3e"/>
<id>urn:uuid:%3c26327780-post@talk-nabble-com%3e</id>
<updated>2009-11-12T22:35:25Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

Hi everyone, 

What follows isn't an issue I'm currently running into but it is actually a
situation I could face pretty soon:

I've implemented a web service (Code First) which is deployed via
spring-based xml configuration file in a Tomcat server. My service also
implements security by referencing a keystore and a truststore.
Suppose I wanna add a new client to my service. Its public key should be
added to the server-side truststore and normally, the Tomcat server should
be restarted, since WSS4J loads keystores' content only once, at the service
deployment. 

So here's what I am wondering: would it be possible to dynamically update a
keystore object without having to turn off the application server, even for
a brief moment?
-- 
View this message in context: http://old.nabble.com/Server-side%3A-updating-keystore--tp26327780p26327780.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>WSS4J Encryption with public key ???</title>
<author><name>superk888 &lt;superk888@gmail.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c26316077.post@talk.nabble.com%3e"/>
<id>urn:uuid:%3c26316077-post@talk-nabble-com%3e</id>
<updated>2009-11-12T12:04:29Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

Hi everyone, 

I've implemented a Web Service that supports 2-way encryption features
using the X.509 Certificates method. Everything works fine when using 2
pairs of keys as it is described in the Apache CXF documentation, but what I
am trying to do is to use only one pair of keys: server-side keeps its own
private key and gives its public key to the service client. Consequently,
client-side has to encrypt messages before sending with the server's public
key, which should work since this is an asymmetric encryption method.

Nevertheless, my service client succeeds in encrypting a message with the
server's public key but when the latter sends a response, my service client
fails to decode the encrypted response. In this case, I got the following
error:

2009-11-12 12:55:22,261 [main] ERROR
org.apache.ws.security.components.crypto.CryptoBase - Cannot find key for
alias: [myAlias] in keystore of type [jks] from provider [SUN version 1.5]
with size [1] and aliases: {myAlias}
12-nov.-2009 12:55:22 org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
ATTENTION: 
org.apache.ws.security.WSSecurityException: The signature or decryption was
invalid; nested exception is: 
	java.lang.Exception: Cannot find key for alias: [myAlias]
	at ...
...
Caused by: java.lang.Exception: Cannot find key for alias: [myAlias]
	at
org.apache.ws.security.components.crypto.CryptoBase.getPrivateKey(CryptoBase.java:214)
	at
org.apache.ws.security.processor.EncryptedKeyProcessor.handleEncryptedKey(EncryptedKeyProcessor.java:328)
	... 71 more
12-nov.-2009 12:55:22 org.apache.cxf.phase.PhaseInterceptorChain doIntercept
ATTENTION: Interceptor has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: The signature or decryption was
invalid; nested exception is: 

For an unknown reason to me, the crypto engine is looking for a private key
in the specified keystore object, which actually only contains a certificate
since it is the server's public key:confused: 

What am I missing?
-- 
View this message in context: http://old.nabble.com/WSS4J-Encryption-with-public-key-----tp26316077p26316077.html
Sent from the WSS4J mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Commented: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates</title>
<author><name>&quot;Michel Schudel (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c758920707.1257864447927.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c758920707-1257864447927-JavaMail-jira@brutus%3e</id>
<updated>2009-11-10T14:47:27Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

    [ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=12775438#action_12775438 ]

Michel Schudel commented on WSS-218:
------------------------------------

Thanks.

&gt; getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases
&gt; are certificates
&gt; ------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-218
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-218
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;          Components: WSS4J Core
&gt;    Affects Versions: 1.5.8
&gt;            Reporter: Michel Schudel
&gt;            Assignee: Colm O hEigeartaigh
&gt;   Original Estimate: 4h
&gt;  Remaining Estimate: 4h
&gt;
&gt; We want to retrieve a certificate based on an X509IssuerSerial. Our keystore has not
&gt; only the correct certificates but also a lot of secret (3DES) keys.
&gt; The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate
&gt; entry, resulting in a null return when the first alias found is a (secret) key.
&gt; Please wrap lines 334-353 in version 1.5.8 as follows:
&gt; if (keystore.isCertificateEntry(alias)) {
&gt;   (line 334-353)
&gt; }
&gt; That should do it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Commented: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates</title>
<author><name>&quot;Colm O hEigeartaigh (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c1073673924.1257864087915.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c1073673924-1257864087915-JavaMail-jira@brutus%3e</id>
<updated>2009-11-10T14:41:27Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

    [ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=12775437#action_12775437 ]

Colm O hEigeartaigh commented on WSS-218:
-----------------------------------------


&gt; Have you fixed this bug (wss-218) in the private method (getAliasForX509Cert(String,
&gt; BigInteger)) explicitly too?

Yes, check the subversion diff given in WSS-218.

Colm.

&gt; getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases
&gt; are certificates
&gt; ------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-218
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-218
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;          Components: WSS4J Core
&gt;    Affects Versions: 1.5.8
&gt;            Reporter: Michel Schudel
&gt;            Assignee: Colm O hEigeartaigh
&gt;   Original Estimate: 4h
&gt;  Remaining Estimate: 4h
&gt;
&gt; We want to retrieve a certificate based on an X509IssuerSerial. Our keystore has not
&gt; only the correct certificates but also a lot of secret (3DES) keys.
&gt; The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate
&gt; entry, resulting in a null return when the first alias found is a (secret) key.
&gt; Please wrap lines 334-353 in version 1.5.8 as follows:
&gt; if (keystore.isCertificateEntry(alias)) {
&gt;   (line 334-353)
&gt; }
&gt; That should do it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Commented: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates</title>
<author><name>&quot;Michel Schudel (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c1810949561.1257863727914.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c1810949561-1257863727914-JavaMail-jira@brutus%3e</id>
<updated>2009-11-10T14:35:27Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

    [ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=12775435#action_12775435 ]

Michel Schudel commented on WSS-218:
------------------------------------

Colm,

The patch supplied in WSS-210 does not fix this issue, which is in a different method: getAliasForX509Cert(Certificate).

Have you fixed this bug (wss-218) in the private method (getAliasForX509Cert(String, BigInteger))
explicitly too?

Regards,

Michel

&gt; getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases
&gt; are certificates
&gt; ------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-218
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-218
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;          Components: WSS4J Core
&gt;    Affects Versions: 1.5.8
&gt;            Reporter: Michel Schudel
&gt;            Assignee: Colm O hEigeartaigh
&gt;   Original Estimate: 4h
&gt;  Remaining Estimate: 4h
&gt;
&gt; We want to retrieve a certificate based on an X509IssuerSerial. Our keystore has not
&gt; only the correct certificates but also a lot of secret (3DES) keys.
&gt; The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate
&gt; entry, resulting in a null return when the first alias found is a (secret) key.
&gt; Please wrap lines 334-353 in version 1.5.8 as follows:
&gt; if (keystore.isCertificateEntry(alias)) {
&gt;   (line 334-353)
&gt; }
&gt; That should do it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Closed: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates</title>
<author><name>&quot;Colm O hEigeartaigh (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c1022435503.1257863129440.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c1022435503-1257863129440-JavaMail-jira@brutus%3e</id>
<updated>2009-11-10T14:25:29Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

     [ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-218.
-----------------------------------


&gt; getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases
&gt; are certificates
&gt; ------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-218
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-218
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;          Components: WSS4J Core
&gt;    Affects Versions: 1.5.8
&gt;            Reporter: Michel Schudel
&gt;            Assignee: Colm O hEigeartaigh
&gt;   Original Estimate: 4h
&gt;  Remaining Estimate: 4h
&gt;
&gt; We want to retrieve a certificate based on an X509IssuerSerial. Our keystore has not
&gt; only the correct certificates but also a lot of secret (3DES) keys.
&gt; The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate
&gt; entry, resulting in a null return when the first alias found is a (secret) key.
&gt; Please wrap lines 334-353 in version 1.5.8 as follows:
&gt; if (keystore.isCertificateEntry(alias)) {
&gt;   (line 334-353)
&gt; }
&gt; That should do it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Resolved: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates</title>
<author><name>&quot;Colm O hEigeartaigh (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c299849772.1257863129388.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c299849772-1257863129388-JavaMail-jira@brutus%3e</id>
<updated>2009-11-10T14:25:29Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

     [ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-218.
-------------------------------------

    Resolution: Duplicate
      Assignee: Colm O hEigeartaigh  (was: Ruchith Udayanga Fernando)


This has already been fixed for 1.5.9:

https://issues.apache.org/jira/browse/WSS-210

Colm.

&gt; getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases
&gt; are certificates
&gt; ------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-218
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-218
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;          Components: WSS4J Core
&gt;    Affects Versions: 1.5.8
&gt;            Reporter: Michel Schudel
&gt;            Assignee: Colm O hEigeartaigh
&gt;   Original Estimate: 4h
&gt;  Remaining Estimate: 4h
&gt;
&gt; We want to retrieve a certificate based on an X509IssuerSerial. Our keystore has not
&gt; only the correct certificates but also a lot of secret (3DES) keys.
&gt; The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate
&gt; entry, resulting in a null return when the first alias found is a (secret) key.
&gt; Please wrap lines 334-353 in version 1.5.8 as follows:
&gt; if (keystore.isCertificateEntry(alias)) {
&gt;   (line 334-353)
&gt; }
&gt; That should do it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Updated: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates</title>
<author><name>&quot;Michel Schudel (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c1255673198.1257860967967.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c1255673198-1257860967967-JavaMail-jira@brutus%3e</id>
<updated>2009-11-10T13:49:27Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

     [ https://issues.apache.org/jira/browse/WSS-218?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michel Schudel updated WSS-218:
-------------------------------

    Description: 
We want to retrieve a certificate based on an X509IssuerSerial. Our keystore has not only
the correct certificates but also a lot of secret (3DES) keys.
The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate
entry, resulting in a null return when the first alias found is a (secret) key.

Please wrap lines 334-353 in version 1.5.8 as follows:
if (keystore.isCertificateEntry(alias)) {
  (line 334-353)
}

That should do it.

  was:
We want to retrieve a certificate based on an X509IssuerSerial. Our keystore has not only
the correct certificates but also a lot of secret (3DES) keys.
The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate
entry, resulting in a null return when the first alias found is a (secret) key.

Please wrap lines 334-353 in version 1.5.8 as follows:
if (keystore.isCertificate(alias)) {
  (line 334-353)
}

That should do it.


&gt; getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases
&gt; are certificates
&gt; ------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-218
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-218
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;          Components: WSS4J Core
&gt;    Affects Versions: 1.5.8
&gt;            Reporter: Michel Schudel
&gt;            Assignee: Ruchith Udayanga Fernando
&gt;   Original Estimate: 4h
&gt;  Remaining Estimate: 4h
&gt;
&gt; We want to retrieve a certificate based on an X509IssuerSerial. Our keystore has not
&gt; only the correct certificates but also a lot of secret (3DES) keys.
&gt; The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate
&gt; entry, resulting in a null return when the first alias found is a (secret) key.
&gt; Please wrap lines 334-353 in version 1.5.8 as follows:
&gt; if (keystore.isCertificateEntry(alias)) {
&gt;   (line 334-353)
&gt; }
&gt; That should do it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Created: (WSS-218) getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates</title>
<author><name>&quot;Michel Schudel (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c2069580630.1257860848049.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c2069580630-1257860848049-JavaMail-jira@brutus%3e</id>
<updated>2009-11-10T13:47:28Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
getAliasForX509Cert(String, BigInteger) in CryptoBase returns null if not all aliases are certificates
------------------------------------------------------------------------------------------------------

                 Key: WSS-218
                 URL: https://issues.apache.org/jira/browse/WSS-218
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 1.5.8
            Reporter: Michel Schudel
            Assignee: Ruchith Udayanga Fernando


We want to retrieve a certificate based on an X509IssuerSerial. Our keystore has not only
the correct certificates but also a lot of secret (3DES) keys.
The method getAliasForX509Cert(String, BigInteger) does not check if an alias is a certificate
entry, resulting in a null return when the first alias found is a (secret) key.

Please wrap lines 334-353 in version 1.5.8 as follows:
if (keystore.isCertificate(alias)) {
  (line 334-353)
}

That should do it.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>RE: help: directReference, senderVouches &amp; X509Certificate</title>
<author><name>vroom &lt;vroom3@gmail.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c26270886.post@talk.nabble.com%3e"/>
<id>urn:uuid:%3c26270886-post@talk-nabble-com%3e</id>
<updated>2009-11-09T18:00:19Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>


Hi,

I've tried setting the SIG_KEY_ID to "X509KeyIdentifier" and
SKIKeyIdentifier and get a GeneralSecurityError that they are an
"Unsupported Key Identification".

Is there some other approach you would recommend?  

Thanks,

-- Steve


Colm O hEigeartaigh wrote:
&gt; 
&gt; Hi,
&gt; 
&gt; WSS4J does not currently support constructing a KeyInfo object that
&gt; includes the X509 Cert in x509Data. According to the SOAP Message
&gt; Security spec:
&gt; 
&gt; "However, in this specification, the use of &lt;wsse:BinarySecurityToken&gt;
&gt; is the RECOMMENDED mechanism to carry key material if the key type
&gt; contains binary data."
&gt; 
&gt; You have a few other options to use for referring to a Key from a
&gt; signature:
&gt; 
&gt; http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#SIG_KEY_ID
&gt; 
&gt; http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#keyIdentifier
&gt; 
&gt; Colm.
&gt; 
&gt; -----Original Message-----
&gt; From: vroom [mailto:vroom3@gmail.com] 
&gt; Sent: 06 November 2009 23:25
&gt; To: wss4j-dev@ws.apache.org
&gt; Subject: help: directReference, senderVouches &amp; X509Certificate
&gt; 
&gt; 
&gt; 
&gt; I have an integration test coming up and have been trying for a few days
&gt; to figure out how to format a client-side SOAP message so it will be
&gt; accepted by a service.  The example client message I've been shown requires
&gt; senderVouches and has the client's x509 certificate being transferred to
&gt; the service in the KeyInfo like so:
&gt; 
&gt; keyInfo
&gt; 	x509Data
&gt; 		x509Certificate
&gt; 
&gt; The message I'm generating with senderVouches and directReference
&gt; provides:
&gt; 
&gt; 
&gt; Wsse:securityTokenReference
&gt; 	wsse:BinarySecurityToken in header
&gt; 
&gt; keyInfo
&gt; 	SecurityTokenReference
&gt; 		Reference to BinarySecurityToken 
&gt; 
&gt; My requirement therefore is to remove the
&gt; SecurityTokenReference/BinarySecurityToken from the header and add the
&gt; x509certificate to the KeyInfo.
&gt; 
&gt; The software stack I'm using is:
&gt; xFire 1.2.6
&gt; Wss4j 1.5.1
&gt; openSaml 1.0.1
&gt; Xmlsecurity 1.3
&gt; 
&gt; I'm trying to get it upgraded but it's a very long and tedious process. Will
&gt; an upgrade supply this functionality?
&gt; 
&gt; 
&gt; 
&gt; 
&gt; -- 
&gt; View this message in context:
&gt; http://old.nabble.com/help%3A-directReference%2C-senderVouches---X509Certificate-tp26230917p26230917.html
&gt; Sent from the WSS4J mailing list archive at Nabble.com.
&gt; 
&gt; 
&gt; ---------------------------------------------------------------------
&gt; To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
&gt; For additional commands, e-mail: wss4j-dev-help@ws.apache.org
&gt; 
&gt; 
&gt; 
&gt; 
&gt; 




</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Commented: (WSS-213) Running TestWSSecurityNewST2 Fails - General security error (No certificates were found for SAML signature)</title>
<author><name>&quot;Colm O hEigeartaigh (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c1423955777.1257771032667.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c1423955777-1257771032667-JavaMail-jira@brutus%3e</id>
<updated>2009-11-09T12:50:32Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

    [ https://issues.apache.org/jira/browse/WSS-213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=12774952#action_12774952
] 

Colm O hEigeartaigh commented on WSS-213:
-----------------------------------------


&gt; How would I find out what types of SAML Assertions can be created and controlled through
the properties files like (saml and crypto) as opposed to using the API directly?

Probably the best way is to look at the source:

http://ws.apache.org/wss4j/xref/org/apache/ws/security/saml/SAMLIssuerFactory.html
http://ws.apache.org/wss4j/xref/org/apache/ws/security/saml/SAMLIssuerImpl.html

&gt; And it sounds like the type of SAML Token that I want to create is not possible this
way

Yes, the range of SAML assertions that can be generated through the properties file is quite
limited.

Colm.

&gt; Running TestWSSecurityNewST2 Fails - General security error (No certificates were found
for SAML signature)
&gt; -----------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-213
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-213
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;    Affects Versions: 1.5.8
&gt;         Environment: OS = Ubuntu 9.04
&gt; Eclipse = JEE Eclipse, Galileo, STS, m2eclipse
&gt; JDK = java-6-sun-1.6.0.16, java-1.5.0-sun-1.5.0.19 (attempted as well)
&gt;            Reporter: Jay Blanton
&gt;            Assignee: Ruchith Udayanga Fernando
&gt;            Priority: Critical
&gt;         Attachments: wss4j.saml-jks.tar.gz, wss4j.saml.tar.gz
&gt;
&gt;
&gt; I pulled down the 1.5.8, 1.5.8-SNAPSHOT, and pulled down the trunk for 1.6.
&gt; I tried to build the trunk by doing a mvn package -Dmaven.test.skip=true (because quite
a few unit tests fail).
&gt; Then I try to run TestWSSecurityNewST2 and it fails.
&gt; This is the exact issue I am having when trying to get my Spring Web Service Implementation
to work with WSS4J's SAML Support (which it appears that Spring does not expose so I have
to create a custom Interceptor).
&gt; I have working examples of a digital signature, encryption, and UsernameToken with Spring
Web Services support for SAML, but the SAML is not working.  So I specifically went to the
WSS4J examples to see if I could get those working first, and then working with my keystores,
but the default test does not work for me that shipped with WSS4J.
&gt; [INFO] Scanning for projects...
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] Building Ping Web Service Client
&gt; [INFO]
&gt; [INFO] Id: com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
&gt; [INFO] task-segment: [package]
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] [resources:resources]
&gt; [INFO] Using default encoding to copy filtered resources.
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [compiler:compile]
&gt; [INFO] Compiling 10 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/classes
&gt; [INFO] [jibx:bind]
&gt; [INFO] Not running JiBX binding compiler (single-module mode) - no binding files
&gt; [INFO] [resources:testResources]
&gt; [INFO] Using default encoding to copy filtered resources.
&gt; [INFO] [compiler:testCompile]
&gt; [INFO] Compiling 4 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/test-classes
&gt; [INFO] [surefire:test]
&gt; [INFO] Surefire report directory: /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; -------------------------------------------------------
&gt;  T E S T S
&gt; -------------------------------------------------------
&gt; Running wssec.TestWSSecurityNewST2
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml3.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.222 sec &lt;&lt;&lt;
FAILURE!
&gt; Results :
&gt; Tests in error:
&gt;   testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2)
&gt;   testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2)
&gt;   testDefaultIssuerClass(wssec.TestWSSecurityNewST2)
&gt;   testWSS62(wssec.TestWSSecurityNewST2)
&gt; Tests run: 5, Failures: 0, Errors: 5, Skipped: 0
&gt; [ERROR]
&gt; Mojo:
&gt;     org.apache.maven.plugins:maven-surefire-plugin:2.4.2:test
&gt; FAILED for project:
&gt;     com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
&gt; Reason:
&gt; There are test failures.
&gt; Please refer to /home/jay/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports
for the individual test results.
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] For more information, run with the -e flag
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] BUILD FAILED
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] Total time: 16 seconds
&gt; [INFO] Finished at: Wed Oct 07 13:29:03 PDT 2009
&gt; [INFO] Final Memory: 4M/25M
&gt; [INFO] ------------------------------------------------------------------------
&gt; Here are the errors from the test report:
&gt; -------------------------------------------------------------------------------
&gt; Test set: wssec.TestWSSecurityNewST2
&gt; -------------------------------------------------------------------------------
&gt; Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.731 sec &lt;&lt;&lt;
FAILURE!
&gt; testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2)  Time elapsed: 0.486 sec  &lt;&lt;&lt;
ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testSAMLSignedSenderVouches(TestWSSecurityNewST2.java:114)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
&gt; testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2)  Time elapsed: 0.064
sec  &lt;&lt;&lt; ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testSAMLSignedSenderVouchesKeyIdentifier(TestWSSecurityNewST2.java:156)
&gt; testDefaultIssuerClass(wssec.TestWSSecurityNewST2)  Time elapsed: 0.156 sec  &lt;&lt;&lt;
ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testDefaultIssuerClass(TestWSSecurityNewST2.java:200)
&gt; testWSS62(wssec.TestWSSecurityNewST2)  Time elapsed: 0.011 sec  &lt;&lt;&lt; ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testWSS62(TestWSSecurityNewST2.java:241)
 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.





</pre>
</div>
</content>
</entry>
<entry>
<title>RE: help: directReference, senderVouches &amp; X509Certificate</title>
<author><name>&quot;Colm O hEigeartaigh&quot; &lt;coheigea@progress.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3cF0DCC8B456914C488ED5BBF6F185E8DFB9FBAD@MAIL02.bedford.progress.com%3e"/>
<id>urn:uuid:%3cF0DCC8B456914C488ED5BBF6F185E8DFB9FBAD@MAIL02-bedford-progress-com%3e</id>
<updated>2009-11-09T12:44:27Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Hi,

WSS4J does not currently support constructing a KeyInfo object that
includes the X509 Cert in x509Data. According to the SOAP Message
Security spec:

"However, in this specification, the use of &lt;wsse:BinarySecurityToken&gt;
is the RECOMMENDED mechanism to carry key material if the key type
contains binary data."

You have a few other options to use for referring to a Key from a
signature:

http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#SIG_KEY_ID

http://ws.apache.org/wss4j/apidocs/org/apache/ws/security/handler/WSHandlerConstants.html#keyIdentifier

Colm.

-----Original Message-----
From: vroom [mailto:vroom3@gmail.com] 
Sent: 06 November 2009 23:25
To: wss4j-dev@ws.apache.org
Subject: help: directReference, senderVouches &amp; X509Certificate



I have an integration test coming up and have been trying for a few days to
figure out how to format a client-side SOAP message so it will be accepted
by a service.  The example client message I've been shown requires
senderVouches and has the client's x509 certificate being transferred to the
service in the KeyInfo like so:

keyInfo
	x509Data
		x509Certificate

The message I'm generating with senderVouches and directReference places
provides:


Wsse:securityTokenReference
	wsse:BinarySecurityToken in header

keyInfo
	SecurityTokenReference
		Reference to BinarySecurityToken 

My requirement therefore is to remove the
SecurityTokenReference/BinarySecurityToken from the header and add the
x509certificate to the KeyInfo.

The software stack I'm using is:
xFire 1.2.6
Wss4j 1.5.1
openSaml 1.0.1
Xmlsecurity 1.3

I'm trying to get it upgraded but it's a very long and tedious process. Will
an upgrade supply this functionality?






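The two KeyInfo layouts in the question above (an inline X509Data/X509Certificate versus a SecurityTokenReference pointing at a BinarySecurityToken) are exactly what a receiving service has to tell apart before it decides whether to accept a signature. The following is an added example, not code from WSS4J or from this thread: a Python checker that names the KeyInfo form a signed SOAP message uses and rejects a direct Reference whose BinarySecurityToken is missing from the header. The namespace URIs are the WS-Security 1.0 ones; the sample envelopes are constructed in code with placeholder certificate and signature values.

```python
"""Classify how a WS-Security signature references its signing key.

Added example, not WSS4J code: inspects ds:KeyInfo of the ds:Signature in the
wsse:Security header and names the form found, either an inline
ds:X509Data/ds:X509Certificate or one of the wsse:SecurityTokenReference
variants (direct Reference to a BinarySecurityToken, KeyIdentifier, IssuerSerial).
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSS_PREFIX = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-"
WSSE = WSS_PREFIX + "wssecurity-secext-1.0.xsd"
WSU = WSS_PREFIX + "wssecurity-utility-1.0.xsd"
X509_SKI = WSS_PREFIX + "x509-token-profile-1.0#X509SubjectKeyIdentifier"


def q(ns, local):
    """Clark-notation name as ElementTree expects it: {namespace}local."""
    return "{%s}%s" % (ns, local)


def find_bst(security, wsu_id):
    """Return the wsse:BinarySecurityToken carrying the given wsu:Id, or None."""
    for bst in security.findall(q(WSSE, "BinarySecurityToken")):
        if bst.get(q(WSU, "Id")) == wsu_id:
            return bst
    return None


def classify_key_info(envelope):
    """Name the KeyInfo form of the first signature, or raise ValueError."""
    header = envelope.find(q(SOAP, "Header"))
    security = None if header is None else header.find(q(WSSE, "Security"))
    if security is None:
        raise ValueError("no wsse:Security header")
    signature = security.find(q(DS, "Signature"))
    if signature is None:
        raise ValueError("no ds:Signature in wsse:Security")
    key_info = signature.find(q(DS, "KeyInfo"))
    if key_info is None:
        raise ValueError("ds:Signature has no ds:KeyInfo")
    # Form 1: certificate carried inline, the layout the service in the thread expects.
    x509_data = key_info.find(q(DS, "X509Data"))
    if x509_data is not None and x509_data.find(q(DS, "X509Certificate")) is not None:
        return "X509Data/X509Certificate"
    # Form 2: wsse:SecurityTokenReference, the layout WSS4J emits; decide the variant.
    str_el = key_info.find(q(WSSE, "SecurityTokenReference"))
    if str_el is None:
        raise ValueError("KeyInfo has neither X509Data nor SecurityTokenReference")
    reference = str_el.find(q(WSSE, "Reference"))
    if reference is not None:
        uri = reference.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("STR Reference is not a local reference: " + uri)
        # A direct reference is only usable when the token really is in the header.
        if find_bst(security, uri[1:]) is None:
            raise ValueError("STR Reference points at a missing token: " + uri)
        return "DirectReference"
    key_id = str_el.find(q(WSSE, "KeyIdentifier"))
    if key_id is not None:
        return "KeyIdentifier:" + key_id.get("ValueType", "")
    x509_in_str = str_el.find(q(DS, "X509Data"))
    if x509_in_str is not None and x509_in_str.find(q(DS, "X509IssuerSerial")) is not None:
        return "IssuerSerial"
    raise ValueError("unrecognised SecurityTokenReference content")


def sample_envelope(form, token_present=True):
    """Constructed sample (not captured traffic); certificate and signature
    values are placeholders.  token_present=False builds a dangling reference."""
    env = ET.Element(q(SOAP, "Envelope"))
    header = ET.SubElement(env, q(SOAP, "Header"))
    security = ET.SubElement(header, q(WSSE, "Security"))
    ET.SubElement(env, q(SOAP, "Body"))
    if form == "DirectReference" and token_present:
        bst = ET.SubElement(security, q(WSSE, "BinarySecurityToken"))
        bst.set(q(WSU, "Id"), "CertId-1")
        bst.text = "PLACEHOLDER-BASE64-CERT"
    signature = ET.SubElement(security, q(DS, "Signature"))
    ET.SubElement(signature, q(DS, "SignedInfo"))
    ET.SubElement(signature, q(DS, "SignatureValue")).text = "PLACEHOLDER-SIG"
    key_info = ET.SubElement(signature, q(DS, "KeyInfo"))
    if form == "X509Data/X509Certificate":
        x509 = ET.SubElement(key_info, q(DS, "X509Data"))
        ET.SubElement(x509, q(DS, "X509Certificate")).text = "PLACEHOLDER-BASE64-CERT"
        return env
    str_el = ET.SubElement(key_info, q(WSSE, "SecurityTokenReference"))
    if form == "DirectReference":
        ET.SubElement(str_el, q(WSSE, "Reference")).set("URI", "#CertId-1")
    elif form == "SKIKeyIdentifier":
        key_id = ET.SubElement(str_el, q(WSSE, "KeyIdentifier"))
        key_id.set("ValueType", X509_SKI)
        key_id.text = "PLACEHOLDER-SKI"
    elif form == "IssuerSerial":
        x509 = ET.SubElement(str_el, q(DS, "X509Data"))
        ET.SubElement(x509, q(DS, "X509IssuerSerial"))
    return env
```

Calling classify_key_info on a message parsed with ElementTree from the wire works the same way as on the constructed samples, since only the element structure is examined.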

</pre>
</div>
</content>
</entry>
<entry>
<title>how to specify keyInfo content type?</title>
<author><name>vroom &lt;vroom3@gmail.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c26259101.post@talk.nabble.com%3e"/>
<id>urn:uuid:%3c26259101-post@talk-nabble-com%3e</id>
<updated>2009-11-08T23:13:50Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>


How do you configure wss4j/opensaml to provide a keyInfo containing
something other than the default BST?  In this case I'm looking for an
x509certificate.  I'm currently stuck with wss4j 1.5.1 and opensaml 1.0.1
(hopefully not for much longer).

Thanks



</pre>
</div>
</content>
</entry>
<entry>
<title>help: directReference, senderVouches &amp; X509Certificate</title>
<author><name>vroom &lt;vroom3@gmail.com&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c26230917.post@talk.nabble.com%3e"/>
<id>urn:uuid:%3c26230917-post@talk-nabble-com%3e</id>
<updated>2009-11-06T23:24:58Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>


I have an integration test coming up and have been trying for a few days to
figure out how to format a client-side SOAP message so it will be accepted
by a service.  The example client message I've been shown requires
senderVouches and has the client's x509 certificate being transferred to the
service in the KeyInfo like so:

keyInfo
	x509Data
		x509Certificate

The message I'm generating with senderVouches and directReference places
provides:


Wsse:securityTokenReference
	wsse:BinarySecurityToken in header

keyInfo
	SecurityTokenReference
		Reference to BinarySecurityToken 

My requirement therefore is to remove the
SecurityTokenReference/BinarySecurityToken from the header and add the
x509certificate to the KeyInfo.

The software stack I'm using is:
xFire 1.2.6
Wss4j 1.5.1
openSaml 1.0.1
Xmlsecurity 1.3

I'm trying to get it upgraded but it's a very long and tedious process. Will
an upgrade supply this functionality?







</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Resolved: (WSS-217) Add ability to specify a reference to an absolute URI in the derived key functionality</title>
<author><name>&quot;Colm O hEigeartaigh (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c688777522.1257508652426.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c688777522-1257508652426-JavaMail-jira@brutus%3e</id>
<updated>2009-11-06T11:57:32Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

     [ https://issues.apache.org/jira/browse/WSS-217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Colm O hEigeartaigh resolved WSS-217.
-------------------------------------

    Resolution: Fixed

&gt; Add ability to specify a reference to an absolute URI in the derived key functionality
&gt; --------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-217
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-217
&gt;             Project: WSS4J
&gt;          Issue Type: Improvement
&gt;          Components: WSS4J Core
&gt;    Affects Versions: 1.5.8
&gt;            Reporter: Colm O hEigeartaigh
&gt;            Assignee: Colm O hEigeartaigh
&gt;             Fix For: 1.5.9, 1.6
&gt;
&gt;
&gt; Currently, WSSecDKSign and WSSecDKEncrypt only allow references using a relative URI.
This is problematic for the case of referring to a SecurityContextToken via the wsc:Identifier,
which must be an absolute reference.




</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Closed: (WSS-217) Add ability to specify a reference to an absolute URI in the derived key functionality</title>
<author><name>&quot;Colm O hEigeartaigh (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c711260529.1257508652442.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c711260529-1257508652442-JavaMail-jira@brutus%3e</id>
<updated>2009-11-06T11:57:32Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

     [ https://issues.apache.org/jira/browse/WSS-217?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-217.
-----------------------------------


&gt; Add ability to specify a reference to an absolute URI in the derived key functionality
&gt; --------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-217
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-217
&gt;             Project: WSS4J
&gt;          Issue Type: Improvement
&gt;          Components: WSS4J Core
&gt;    Affects Versions: 1.5.8
&gt;            Reporter: Colm O hEigeartaigh
&gt;            Assignee: Colm O hEigeartaigh
&gt;             Fix For: 1.5.9, 1.6
&gt;
&gt;
&gt; Currently, WSSecDKSign and WSSecDKEncrypt only allow references using a relative URI.
&gt; This is problematic for the case of referring to a SecurityContextToken via the wsc:Identifier,
&gt; which must be an absolute reference.

</pre>
</div>
</content>
</entry>
<entry>
<title>svn commit: r833365 - in /webservices/wss4j/trunk: src/org/apache/ws/security/message/WSSecDerivedKeyBase.java test/wssec/TestWSSecurityNewSCT.java</title>
<author><name>coheigea@apache.org</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c20091106115524.2CCFB238897A@eris.apache.org%3e"/>
<id>urn:uuid:%3c20091106115524-2CCFB238897A@eris-apache-org%3e</id>
<updated>2009-11-06T11:55:24Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Author: coheigea
Date: Fri Nov  6 11:55:23 2009
New Revision: 833365

URL: http://svn.apache.org/viewvc?rev=833365&amp;view=rev
Log:
[WSS-217] - Forward merging to trunk

Modified:
    webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java
    webservices/wss4j/trunk/test/wssec/TestWSSecurityNewSCT.java

Modified: webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java?rev=833365&amp;r1=833364&amp;r2=833365&amp;view=diff
==============================================================================
--- webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java (original)
+++ webservices/wss4j/trunk/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java Fri
Nov  6 11:55:23 2009
@@ -64,7 +64,7 @@
      * wsu:Id of the wsc:DerivedKeyToken
      */
     protected String dktId = null;
-
+    
     /**
      * Client's label value
      */
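Review bot: trailing whitespace is introduced on the line after the dktId declaration; the hunk replaces an empty line with four spaces and changes nothing else, so strip the spaces or drop the hunk to keep the merge limited to the WSS-217 change.
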
@@ -85,6 +85,12 @@
      * is (or to be) derived from.
      */
     protected String tokenIdentifier = null;
+    
+    /**
+     * True if the tokenIdentifier is a direct reference to a key identifier
+     * instead of a URI to a key
+     */
+    protected boolean tokenIdDirectId;
 
     /**
      * The derived key will change depending on the sig/encr algorithm.
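Review bot: the javadoc on tokenIdDirectId does not say what the flag controls. "A direct reference to a key identifier instead of a URI to a key" reads as if it selected a different reference element, whereas the setURI change in the next hunk shows it only decides whether tokenIdentifier is written into the Reference URI verbatim or prefixed with "#" to form a same-document fragment reference. Suggest wording such as "True if tokenIdentifier is already a complete (absolute) URI, e.g. a SecurityContextToken wsc:Identifier, and must not be turned into a '#id' fragment reference", and state that the default is false so existing callers keep the relative-reference behaviour.
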
@@ -208,7 +214,12 @@
             //Create the SecurityTokenRef to the Encrypted Key
             SecurityTokenReference strEncKey = new SecurityTokenReference(document);
             Reference ref = new Reference(document);
-            ref.setURI("#" + tokenIdentifier);
+            
+            if (tokenIdDirectId) {
+                ref.setURI(tokenIdentifier);
+            } else {
+                ref.setURI("#" + tokenIdentifier);
+            }
             if (customValueType != null &amp;&amp; customValueType.trim().length() &gt; 0)
{
                 ref.setValueType(customValueType);
             }
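Review bot: tokenIdentifier is passed to ref.setURI unchecked when tokenIdDirectId is true, so a caller that sets the flag but supplies a bare wsu:Id, or a value that already starts with "#", silently emits a URI the receiver will resolve as something other than what was intended (or fail to resolve at all, with an error far from the cause). Consider validating here that the value really is an absolute URI, for example via java.net.URI.create(tokenIdentifier).isAbsolute(), and throwing a WSSecurityException otherwise; at minimum reject a leading "#" in direct-id mode.
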
@@ -259,4 +270,8 @@
     public void setCustomValueType(String customValueType) {
         this.customValueType = customValueType;
     }
+    
+    public void setTokenIdDirectId(boolean b) {
+        tokenIdDirectId = b;
+    }
 }
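Review bot: setTokenIdDirectId is added without javadoc, and a boolean setter whose name does not say what "direct" means will be hard to use correctly. Document that passing true makes tokenIdentifier the literal Reference URI (an absolute URI such as a SecurityContextToken wsc:Identifier) instead of "#" + tokenIdentifier, and that the default is false.
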

Modified: webservices/wss4j/trunk/test/wssec/TestWSSecurityNewSCT.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/trunk/test/wssec/TestWSSecurityNewSCT.java?rev=833365&amp;r1=833364&amp;r2=833365&amp;view=diff
==============================================================================
--- webservices/wss4j/trunk/test/wssec/TestWSSecurityNewSCT.java (original)
+++ webservices/wss4j/trunk/test/wssec/TestWSSecurityNewSCT.java Fri Nov  6 11:55:23 2009
@@ -196,6 +196,50 @@
         }
     }
     
+    /**
+     * Test for WSS-217:
+     * "Add ability to specify a reference to an absolute URI in the derived key functionality".
+     */
+    public void testSCTKDKTSignAbsolute() {
+        try {
+            Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
+            WSSecHeader secHeader = new WSSecHeader();
+            secHeader.insertSecurityHeader(doc);
+
+            WSSecSecurityContextToken sctBuilder = new WSSecSecurityContextToken();
+            sctBuilder.prepare(doc, crypto);
+
+            SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
+            byte[] tempSecret = new byte[16];
+            random.nextBytes(tempSecret);
+
+            // Store the secret
+            this.secrets.put(sctBuilder.getIdentifier(), tempSecret);
+
+            // Derived key signature
+            WSSecDKSign sigBuilder = new WSSecDKSign();
+            sigBuilder.setExternalKey(tempSecret, sctBuilder.getIdentifier());
+            sigBuilder.setTokenIdDirectId(true);
+            sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+            sigBuilder.build(doc, secHeader);
+            
+            sctBuilder.prependSCTElementToHeader(doc, secHeader);
+
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("DKT Absolute");
+                String outputString = 
+                    org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+                LOG.debug(outputString);
+            }
+
+            verify(doc);
+        } catch (Exception e) {
+            e.printStackTrace();
+            fail(e.getMessage());
+        }
+    }
+
+    
     public void testSCTKDKTSignEncrypt() {
         try {
             Document doc = SOAPUtil.toSOAPPart(SOAPMSG);
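Review bot: testSCTKDKTSignAbsolute only checks that verify(doc) succeeds; it never asserts that the emitted Reference URI equals sctBuilder.getIdentifier() with no leading "#", so the behaviour WSS-217 adds is not pinned down directly and a regression would surface as an obscure lookup failure inside verify rather than a clear assertion message. Suggest locating the wsse:Reference element in doc after build and asserting on its URI attribute. Also, catching Exception and calling fail(e.getMessage()) discards the stack trace from the test report; declaring the method "throws Exception" gives a more useful failure. Minor: SecureRandom.getInstance("SHA1PRNG") ties the test to a provider that supplies that algorithm name, and a plain new SecureRandom() is enough for a 16-byte test secret.
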
@@ -309,7 +353,8 @@
 
             WSSecSignature builder = new WSSecSignature();
             builder.setSecretKey(tempSecret);
-            builder.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
+            builder.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+            builder.setCustomTokenValueType(WSConstants.WSC_SCT);
             builder.setCustomTokenId(tokenId);
             builder.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
             builder.build(doc, crypto, secHeader);
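Review bot: the switch from CUSTOM_SYMM_SIGNING_DIRECT to CUSTOM_SYMM_SIGNING plus setCustomTokenValueType(WSConstants.WSC_SCT) in this existing test is not mentioned in the commit log ("[WSS-217] - Forward merging to trunk") and is unrelated to the derived-key reference being added; it changes which reference form that test exercises. Either keep a test for the _DIRECT form so that path stays covered, or say in the log why the existing test was switched.
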
@@ -330,7 +375,6 @@
         }
     }
     
-    
     /**
      * Verifies the soap envelope &lt;p/&gt;
      * 



</pre>
</div>
</content>
</entry>
<entry>
<title>svn commit: r833359 - in /webservices/wss4j/branches/1_5_x-fixes: src/org/apache/ws/security/message/WSSecDerivedKeyBase.java test/wssec/TestWSSecurityNewSCT.java</title>
<author><name>coheigea@apache.org</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c20091106114539.5C57E23889B1@eris.apache.org%3e"/>
<id>urn:uuid:%3c20091106114539-5C57E23889B1@eris-apache-org%3e</id>
<updated>2009-11-06T11:45:39Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Author: coheigea
Date: Fri Nov  6 11:45:38 2009
New Revision: 833359

URL: http://svn.apache.org/viewvc?rev=833359&amp;view=rev
Log:
[WSS-217] - Add ability to specify a reference to an absolute URI in the derived key functionality

Modified:
    webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java
    webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNewSCT.java

Modified: webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java?rev=833359&amp;r1=833358&amp;r2=833359&amp;view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java
(original)
+++ webservices/wss4j/branches/1_5_x-fixes/src/org/apache/ws/security/message/WSSecDerivedKeyBase.java
Fri Nov  6 11:45:38 2009
@@ -62,7 +62,7 @@
      * wsu:Id of the wsc:DerivedKeyToken
      */
     protected String dktId = null;
-
+    
     /**
      * Client's label value
      */
@@ -83,6 +83,12 @@
      * is (or to be) derived from.
      */
     protected String tokenIdentifier = null;
+    
+    /**
+     * True if the tokenIdentifier is a direct reference to a key identifier
+     * instead of a URI to a key
+     */
+    protected boolean tokenIdDirectId;
 
     /**
      * The derived key will change depending on the sig/encr algorithm.
@@ -206,7 +212,11 @@
             //Create the SecurityTokenRef to the Encrypted Key
             SecurityTokenReference strEncKey = new SecurityTokenReference(document);
             Reference ref = new Reference(document);
-            ref.setURI("#" + this.tokenIdentifier);
+            if (tokenIdDirectId) {
+                ref.setURI(this.tokenIdentifier);
+            } else {
+                ref.setURI("#" + this.tokenIdentifier);
+            }
             if (this.customValueType != null &amp;&amp; this.customValueType.trim().length()
&gt; 0) {
                 ref.setValueType(this.customValueType);
             }
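Review bot: when tokenIdDirectId is true the Reference is emitted with only the absolute URI unless the caller has also set customValueType, and the new testSCTKDKTSignAbsolute never sets one, so as far as these hunks show the receiver must infer from the URI alone that it names a SecurityContextToken rather than some other externally held key. Consider defaulting the ValueType in direct-id mode (WSConstants.WSC_SCT is what the WSSecSignature test change in this same commit uses), or document that callers selecting direct-id mode are expected to set it.
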
@@ -257,4 +267,8 @@
     public void setCustomValueType(String customValueType) {
         this.customValueType = customValueType;
     }
+    
+    public void setTokenIdDirectId(boolean b) {
+        tokenIdDirectId = b;
+    }
 }
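Review bot: the interaction between setTokenIdDirectId and setExternalKey(secret, id) is not stated anywhere: the test calls setExternalKey with sctBuilder.getIdentifier() and only afterwards sets the flag, and nothing in these hunks checks that the identifier form and the flag agree. Add javadoc to the new setter saying that in direct-id mode the id passed to setExternalKey must itself be the absolute URI that will appear in the Reference, and that the call order does not matter because the flag is only read in prepare.
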

Modified: webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNewSCT.java
URL: http://svn.apache.org/viewvc/webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNewSCT.java?rev=833359&amp;r1=833358&amp;r2=833359&amp;view=diff
==============================================================================
--- webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNewSCT.java (original)
+++ webservices/wss4j/branches/1_5_x-fixes/test/wssec/TestWSSecurityNewSCT.java Fri Nov  6
11:45:38 2009
@@ -215,6 +215,51 @@
         }
     }
     
+    /**
+     * Test for WSS-217:
+     * "Add ability to specify a reference to an absolute URI in the derived key functionality".
+     */
+    public void testSCTKDKTSignAbsolute() {
+        try {
+            SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
+            Document doc = unsignedEnvelope.getAsDocument();
+            WSSecHeader secHeader = new WSSecHeader();
+            secHeader.insertSecurityHeader(doc);
+
+            WSSecSecurityContextToken sctBuilder = new WSSecSecurityContextToken();
+            sctBuilder.prepare(doc, crypto);
+
+            SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
+            byte[] tempSecret = new byte[16];
+            random.nextBytes(tempSecret);
+
+            // Store the secret
+            this.secrets.put(sctBuilder.getIdentifier(), tempSecret);
+
+            // Derived key signature
+            WSSecDKSign sigBuilder = new WSSecDKSign();
+            sigBuilder.setExternalKey(tempSecret, sctBuilder.getIdentifier());
+            sigBuilder.setTokenIdDirectId(true);
+            sigBuilder.setSignatureAlgorithm(XMLSignature.ALGO_ID_MAC_HMAC_SHA1);
+            sigBuilder.build(doc, secHeader);
+            
+            sctBuilder.prependSCTElementToHeader(doc, secHeader);
+
+            if (LOG.isDebugEnabled()) {
+                LOG.debug("DKT Absolute");
+                String outputString = 
+                    org.apache.ws.security.util.XMLUtils.PrettyDocumentToString(doc);
+                LOG.debug(outputString);
+            }
+
+            verify(doc);
+        } catch (Exception e) {
+            e.printStackTrace();
+            fail(e.getMessage());
+        }
+    }
+
+    
     public void testSCTKDKTSignEncrypt() {
         try {
             SOAPEnvelope unsignedEnvelope = message.getSOAPEnvelope();
@@ -334,7 +379,8 @@
 
             WSSecSignature builder = new WSSecSignature();
             builder.setSecretKey(tempSecret);
-            builder.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING_DIRECT);
+            builder.setKeyIdentifierType(WSConstants.CUSTOM_SYMM_SIGNING);
+            builder.setCustomTokenValueType(WSConstants.WSC_SCT);
             builder.setCustomTokenId(tokenId);
             builder.setSignatureAlgorithm(SignatureMethod.HMAC_SHA1);
             builder.build(doc, crypto, secHeader);
@@ -355,7 +401,6 @@
         }
     }
     
-    
     /**
      * Verifies the soap envelope &lt;p/&gt;
      * 



</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Created: (WSS-217) Add ability to specify a reference to an absolute URI in the derived key functionality</title>
<author><name>&quot;Colm O hEigeartaigh (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c517893613.1257506372528.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c517893613-1257506372528-JavaMail-jira@brutus%3e</id>
<updated>2009-11-06T11:19:32Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>
Add ability to specify a reference to an absolute URI in the derived key functionality
--------------------------------------------------------------------------------------

                 Key: WSS-217
                 URL: https://issues.apache.org/jira/browse/WSS-217
             Project: WSS4J
          Issue Type: Improvement
          Components: WSS4J Core
    Affects Versions: 1.5.8
            Reporter: Colm O hEigeartaigh
            Assignee: Colm O hEigeartaigh
             Fix For: 1.5.9, 1.6



Currently, WSSecDKSign and WSSecDKEncrypt only allow references using a relative URI. This
is problematic for the case of referring to a SecurityContextToken via the wsc:Identifier,
which must be an absolute reference.

</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Commented: (WSS-213) Running TestWSSecurityNewST2 Fails - General security error (No certificates were found for SAML signature)</title>
<author><name>&quot;Jay Blanton (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200911.mbox/%3c1914683064.1257357212584.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c1914683064-1257357212584-JavaMail-jira@brutus%3e</id>
<updated>2009-11-04T17:53:32Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

    [ https://issues.apache.org/jira/browse/WSS-213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=12773584#action_12773584 ]

Jay Blanton commented on WSS-213:
---------------------------------

Colm,

How would I find out what types of SAML Assertions can be created and controlled through the
properties files (like saml and crypto) as opposed to using the API directly?

I am trying to understand through this whether a specific type of SAML Token is created when
saml and crypto properties are used.

And it sounds like the type of SAML Token that I want to create is not possible this way (since
I want to create an Assertion and then Digitally Sign just the assertion), so I must always
use the API directly.

Does this sound correct?

Thanks,

Jay Blanton

&gt; Running TestWSSecurityNewST2 Fails - General security error (No certificates were found for SAML signature)
&gt; -----------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-213
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-213
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;    Affects Versions: 1.5.8
&gt;         Environment: OS = Ubuntu 9.04
&gt; Eclipse = JEE Eclipse, Galileo, STS, m2eclipse
&gt; JDK = java-6-sun-1.6.0.16, java-1.5.0-sun-1.5.0.19 (attempted as well)
&gt;            Reporter: Jay Blanton
&gt;            Assignee: Ruchith Udayanga Fernando
&gt;            Priority: Critical
&gt;         Attachments: wss4j.saml-jks.tar.gz, wss4j.saml.tar.gz
&gt;
&gt;
&gt; I pulled down the 1.5.8, 1.5.8-SNAPSHOT, and pulled down the trunk for 1.6.
&gt; I tried to build the trunk by doing a mvn package -Dmaven.test.skip=true (because quite a few unit tests fail).
&gt; Then I try to run TestWSSecurityNewST2 and it fails.
&gt; This is the exact issue I am having when trying to get my Spring Web Service Implementation to work with WSS4J's SAML Support (which it appears that Spring does not expose, so I have to create a custom Interceptor).
&gt; I have working examples of a digital signature, encryption, and UsernameToken with Spring Web Services support for SAML, but the SAML is not working.  So I specifically went to the WSS4J examples to see if I could get those working first, and then working with my keystores, but the default test that shipped with WSS4J does not work for me.
&gt; [INFO] Scanning for projects...
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] Building Ping Web Service Client
&gt; [INFO]
&gt; [INFO] Id: com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
&gt; [INFO] task-segment: [package]
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] [resources:resources]
&gt; [INFO] Using default encoding to copy filtered resources.
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [compiler:compile]
&gt; [INFO] Compiling 10 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/classes
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [jibx:bind]
&gt; [INFO] Not running JiBX binding compiler (single-module mode) - no binding files
&gt; [INFO] [resources:testResources]
&gt; [INFO] Using default encoding to copy filtered resources.
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [compiler:testCompile]
&gt; [INFO] Compiling 4 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/test-classes
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [surefire:test]
&gt; [INFO] Surefire report directory: /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; -------------------------------------------------------
&gt;  T E S T S
&gt; -------------------------------------------------------
&gt; Running wssec.TestWSSecurityNewST2
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml3.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.222 sec &lt;&lt;&lt;
FAILURE!
&gt; Results :
&gt; Tests in error:
&gt;   testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2)
&gt;   testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2)
&gt;   testDefaultIssuerClass(wssec.TestWSSecurityNewST2)
&gt;   testWSS62(wssec.TestWSSecurityNewST2)
&gt; Tests run: 5, Failures: 0, Errors: 5, Skipped: 0
&gt; [ERROR]
&gt; Mojo:
&gt;     org.apache.maven.plugins:maven-surefire-plugin:2.4.2:test
&gt; FAILED for project:
&gt;     com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
&gt; Reason:
&gt; There are test failures.
&gt; Please refer to /home/jay/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports
for the individual test results.
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] For more information, run with the -e flag
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] BUILD FAILED
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] Total time: 16 seconds
&gt; [INFO] Finished at: Wed Oct 07 13:29:03 PDT 2009
&gt; [INFO] Final Memory: 4M/25M
&gt; [INFO] ------------------------------------------------------------------------
&gt; Here is the errors from the test report:
&gt; -------------------------------------------------------------------------------
&gt; Test set: wssec.TestWSSecurityNewST2
&gt; -------------------------------------------------------------------------------
&gt; Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.731 sec &lt;&lt;&lt;
FAILURE!
&gt; testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2)  Time elapsed: 0.486 sec  &lt;&lt;&lt;
ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testSAMLSignedSenderVouches(TestWSSecurityNewST2.java:114)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
&gt; testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2)  Time elapsed: 0.064
sec  &lt;&lt;&lt; ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testSAMLSignedSenderVouchesKeyIdentifier(TestWSSecurityNewST2.java:156)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
&gt; testDefaultIssuerClass(wssec.TestWSSecurityNewST2)  Time elapsed: 0.156 sec  &lt;&lt;&lt;
ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testDefaultIssuerClass(TestWSSecurityNewST2.java:200)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
&gt; testWSS62(wssec.TestWSSecurityNewST2)  Time elapsed: 0.011 sec  &lt;&lt;&lt; ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testWSS62(TestWSSecurityNewST2.java:241)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Commented: (WSS-213) Running TestWSSecurityNewST2 Fails - General security error (No certificates were found for SAML signature)</title>
<author><name>&quot;Jay Blanton (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200910.mbox/%3c1414717511.1256924160082.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c1414717511-1256924160082-JavaMail-jira@brutus%3e</id>
<updated>2009-10-30T17:36:00Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

    [ https://issues.apache.org/jira/browse/WSS-213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=12772002#action_12772002
] 

Jay Blanton commented on WSS-213:
---------------------------------

Colm...thanks again for your help.

Here is a sample class for background.

This is a class we built with BEA support so that we could implement SAML Sender Vouches (version
1.1) and just a digital signature of the SAML Assertion.

It uses just OpenSAML.

package foo.opensaml;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;

import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSignedObject;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLSubjectStatement;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.ResourceLoader;

/**
 * The Class SAMLAuthenticationHandler.
 */
public class SAMLAuthenticationHandler {
	/** The Constant ASSERTION_ISSUER. */
	public static final String ASSERTION_ISSUER = "assertion.issuer";

	/** The Constant CERTIFICATE_PASSWORD. */
	public static final String CERTIFICATE_PASSWORD = "certificate.password";

	/** The Constant CERTIFICATE_ALIAS. */
	public static final String CERTIFICATE_ALIAS = "certificate.alias";

	/** The Constant CERTIFICATE_KEYSTORE_PATH. */
	public static final String CERTIFICATE_KEYSTORE_PATH = "certificate.keystore.path";

	/** The Constant ASSERTION_SIGN. */
	public static final String ASSERTION_SIGN = "assertion.sign";

	/** The Constant ASSERTION_USERNAME. */
	public static final String ASSERTION_USERNAME = "assertion.username";

	/** The Constant SIGNATURE_INCLUDECERT. */
	public static final String SIGNATURE_INCLUDECERT = "signature.includecert";

	/** The Constant SAML_ASSERTION. */
	public static final String SAML_ASSERTION = "SAML.Assertion";

	/** The Constant SAML_ASSERTION_CERTPATH. */
	public static final String SAML_ASSERTION_CERTPATH = "SAML.Assertion.Certpath";

	private String credentialType = SAML_ASSERTION;

	private String assertionUserName;

	private boolean signAssertion = false;

	private Set&lt;?&gt; groups = Collections.EMPTY_SET;

	private long notBeforeMs;

	private long notAfterMs;

	private String certKeystorePath;

	private String certKeystoreType = "JKS";

	private String certAlias;

	private String certPassword;

	private String assertionIssuer;

	private String recipient;

	/**
	 * Instantiates a new SAML authentication handler. All configuration
	 * (subject, keystore, validity window, credential type) is supplied
	 * through the setters below.
	 */
	public SAMLAuthenticationHandler() {
		super();
	}

	/**
	 * Builds the SAML assertion (or SAML response, depending on the
	 * credential type) from the configured properties, signing it when
	 * signAssertion is set.
	 * 
	 * @return the assertion as an XML string
	 */
	public String getSamlAssertion() {

		String assertion = getSAMLAssertion(assertionUserName, // username
		        groups, // groups
		        signAssertion, // isSigned
		        notBeforeMs, // not before condition
		        notAfterMs, // not after condition
		        certKeystorePath, // keystore uri
		        certKeystoreType, // trusted keystore type
		        certAlias, // trusted cert alias
		        certPassword, // trusted cert alias password
		        credentialType, // credentialType
		        assertionIssuer, // issuerURI
		        recipient // recipient
		);

		// Debug output only: do not write issued assertions to stdout or
		// application logs in production.
		System.out.println(assertion);

		return assertion;
	}

	public String getCredentialType() {
		return credentialType;
	}

	public void setCredentialType(String credentialType) {
		this.credentialType = credentialType;
	}

	public String getAssertionUserName() {
		return assertionUserName;
	}

	public void setAssertionUserName(String assertionUserName) {
		this.assertionUserName = assertionUserName;
	}

	public boolean isSignAssertion() {
		return signAssertion;
	}

	public void setSignAssertion(boolean signAssertion) {
		this.signAssertion = signAssertion;
	}

	public void setSignAssertion(String signAssertion) {
		this.signAssertion = BooleanUtils.toBoolean(signAssertion);
	}

	public Set&lt;?&gt; getGroups() {
		return groups;
	}

	public void setGroups(Set&lt;?&gt; groups) {
		this.groups = groups;
	}

	public long getNotBeforeMs() {
		return notBeforeMs;
	}

	public void setNotBeforeMs(long notBeforeMs) {
		this.notBeforeMs = notBeforeMs;
	}

	public long getNotAfterMs() {
		return notAfterMs;
	}

	public void setNotAfterMs(long notAfterMs) {
		this.notAfterMs = notAfterMs;
	}

	public String getCertKeystorePath() {
		return certKeystorePath;
	}

	public void setCertKeystorePath(String certKeystorePath) {
		this.certKeystorePath = certKeystorePath;
	}

	public String getCertKeystoreType() {
		return certKeystoreType;
	}

	public void setCertKeystoreType(String certKeystoreType) {
		this.certKeystoreType = certKeystoreType;
	}

	public String getCertAlias() {
		return certAlias;
	}

	public void setCertAlias(String certAlias) {
		this.certAlias = certAlias;
	}

	public String getCertPassword() {
		return certPassword;
	}

	public void setCertPassword(String certPassword) {
		this.certPassword = certPassword;
	}

	public String getAssertionIssuer() {
		return assertionIssuer;
	}

	public void setAssertionIssuer(String assertionIssuer) {
		this.assertionIssuer = assertionIssuer;
	}

	public String getRecipient() {
		return recipient;
	}

	public void setRecipient(String recipient) {
		this.recipient = recipient;
	}

	/** The Constant UNKNOWN_RECIPIENT. */
	public static final String UNKNOWN_RECIPIENT = "unknown";

	/** The Constant SAML_RESPONSE. */
	public static final String SAML_RESPONSE = "SAML.Profile.POST";

	/** The Constant SAML_RESPONSE_CERTPATH. */
	public static final String SAML_RESPONSE_CERTPATH = "SAML.Profile.POST.Certpath";

	/** The Constant SAML_RESPONSE_NO_CERTPATH. */
	public static final String SAML_RESPONSE_NO_CERTPATH = "SAML.Profile.POST.NoCertpath";

	/** The Constant WLES_GROUP_TAG. */
	private static final String WLES_GROUP_TAG = "WLESGroup";

	/** The Constant WLES_GROUP_NS. */
	private static final String WLES_GROUP_NS = "urn:bea:security:saml:groups";

	/**
	 * Gets the SAML assertion.
	 * 
	 * @param userName
	 *            the user name
	 * @param groups
	 *            the groups
	 * @param isSigned
	 *            the is signed
	 * @param notBeforeMs
	 *            clock-skew allowance in milliseconds, subtracted from now
	 *            for the NotBefore condition
	 * @param notAfterMs
	 *            assertion lifetime in milliseconds, added to now for the
	 *            NotOnOrAfter condition
	 * @param trustedKeystore
	 *            the trusted keystore
	 * @param trustedKeystoreType
	 *            the trusted keystore type
	 * @param trustedCertAlias
	 *            the trusted cert alias
	 * @param trustedCertAliasPasswd
	 *            the trusted cert alias passwd
	 * @param credentialType
	 *            the credential type
	 * @param issuer
	 *            the issuer
	 * @param recipient
	 *            the recipient
	 * 
	 * @return the SAML assertion
	 */
	public String getSAMLAssertion(String userName, Set&lt;?&gt; groups,
	        boolean isSigned, long notBeforeMs, long notAfterMs,
	        String trustedKeystore, String trustedKeystoreType,
	        String trustedCertAlias, String trustedCertAliasPasswd,
	        String credentialType, String issuer, String recipient) {
		boolean asResponse = isResponseType(credentialType);
		boolean withCertPath = requireCertpath(credentialType);

		ClassLoader dirCLDR = this.getClass().getClassLoader();
		ClassLoader threadCLDR = Thread.currentThread().getContextClassLoader();

		try {
			Thread.currentThread().setContextClassLoader(dirCLDR);

			SAMLSubject subject = new SAMLSubject(new SAMLNameIdentifier(
			        userName, null, null), Collections
			        .singleton(SAMLSubject.CONF_SENDER_VOUCHES), null, null);

			SAMLAttributeStatement attrStat = null;

			if ((groups != null) &amp;&amp; (groups.size() != 0)) {
				attrStat = createAttributeStatement(subject, groups);
			}

			SAMLAssertion assertion = createAssertion(
			        createAuthenticationStatement(subject), attrStat,
			        notBeforeMs, notAfterMs, issuer);

			SAMLSignedObject signedObject = null;

			if (asResponse) {
				List&lt;SAMLAssertion&gt; assertionList = new ArrayList&lt;SAMLAssertion&gt;();
				assertionList.add(assertion);

				String responseRecipient = recipient;
				if (StringUtils.isEmpty(recipient)) {
					responseRecipient = UNKNOWN_RECIPIENT;
				}

				SAMLResponse response = new SAMLResponse(null,
				        responseRecipient, assertionList, null);

				if (isSigned) {
					signedObject = getSignedAssertion(response,
					        trustedKeystore, trustedKeystoreType,
					        trustedCertAlias, trustedCertAliasPasswd,
					        withCertPath, asResponse);
				}
			}
			else {
				if (isSigned) {
					signedObject = getSignedAssertion(assertion,
					        trustedKeystore, trustedKeystoreType,
					        trustedCertAlias, trustedCertAliasPasswd,
					        withCertPath, asResponse);
				}
			}

			if (signedObject != null) {
				return signedObject.toString();
			}
			else {
				return assertion.toString();
			}
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		finally {
			Thread.currentThread().setContextClassLoader(threadCLDR);
		}
	}

	/**
	 * Creates the SAML assertion carrying the given statements, with a
	 * validity window of [now - notBeforeMs, now + notAfterMs).
	 * 
	 * @param authnStat
	 *            the authentication statement, or null
	 * @param attrStat
	 *            the attribute statement, or null
	 * @param notBeforeMs
	 *            clock-skew allowance in milliseconds, subtracted from now
	 *            for the NotBefore condition
	 * @param notAfterMs
	 *            assertion lifetime in milliseconds, added to now for the
	 *            NotOnOrAfter condition
	 * @param issuer
	 *            the issuer
	 * 
	 * @return the SAML assertion
	 */
	private SAMLAssertion createAssertion(
	        SAMLAuthenticationStatement authnStat,
	        SAMLAttributeStatement attrStat, long notBeforeMs, long notAfterMs,
	        String issuer) {
		SAMLAssertion samlAssertion = null;
		long now = System.currentTimeMillis();
		Date notBefore = new Date(now - notBeforeMs);
		Date notOnOrAfter = new Date(now + notAfterMs);

		List&lt;SAMLSubjectStatement&gt; statements = new ArrayList&lt;SAMLSubjectStatement&gt;();

		if (authnStat != null) {
			statements.add(authnStat);
		}

		if (attrStat != null) {
			statements.add(attrStat);
		}

		try {
			samlAssertion = new SAMLAssertion(issuer, notBefore, notOnOrAfter,
			        null, null, statements);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}

		return samlAssertion;
	}

	/**
	 * Creates the attribute statement that carries the subject's group
	 * membership as a single multi-valued WLESGroup attribute.
	 * 
	 * @param subject
	 *            the subject (cloned, since each statement owns its subject)
	 * @param groups
	 *            the groups
	 * 
	 * @return the SAML attribute statement
	 */
	private SAMLAttributeStatement createAttributeStatement(
	        SAMLSubject subject, Collection&lt;?&gt; groups) {
		SAMLAttributeStatement attrStmt = null;

		try {
			SAMLAttribute wlesGroup = new SAMLAttribute(WLES_GROUP_TAG,
			        WLES_GROUP_NS, null, 0, groups);

			ArrayList&lt;SAMLAttribute&gt; wlesGroups = new ArrayList&lt;SAMLAttribute&gt;();
			wlesGroups.add(wlesGroup);

			attrStmt = new SAMLAttributeStatement(
			        (SAMLSubject) subject.clone(), wlesGroups);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		catch (CloneNotSupportedException e) {
			throw new RuntimeException(e);
		}

		return attrStmt;
	}

	/**
	 * Creates the authentication statement for the subject, recording a
	 * password authentication method at the current time.
	 * 
	 * @param subject
	 *            the subject (cloned, since each statement owns its subject)
	 * 
	 * @return the SAML authentication statement
	 */
	private SAMLAuthenticationStatement createAuthenticationStatement(
	        SAMLSubject subject) {
		String authnMtd = SAMLAuthenticationStatement.AuthenticationMethod_Password;
		SAMLAuthenticationStatement authnStat = null;

		try {
			authnStat = new SAMLAuthenticationStatement((SAMLSubject) subject
			        .clone(), authnMtd, new Date(), null, null, null);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		catch (CloneNotSupportedException e) {
			throw new RuntimeException(e);
		}

		return authnStat;
	}

	/**
	 * Gets the signed assertion.
	 * 
	 * @param assertion
	 *            the assertion
	 * @param keyStoreFilename
	 *            the key store filename
	 * @param keyStoreType
	 *            the key store type
	 * @param certAlias
	 *            the cert alias
	 * @param certPswd
	 *            the cert pswd
	 * @param includeCertpath
	 *            the include certpath
	 * @param isResponse
	 *            the is response
	 * 
	 * @return the signed assertion
	 */
	private SAMLSignedObject getSignedAssertion(SAMLSignedObject assertion,
	        String keyStoreFilename, String keyStoreType, String certAlias,
	        String certPswd, boolean includeCertpath, boolean isResponse) {
		if (StringUtils.isEmpty(keyStoreFilename)) {
			throw new SecurityException(
			        "keyStoreFilename is either null or empty string");
		}

		if (StringUtils.isEmpty(keyStoreType)) {
			throw new SecurityException("keyStoreType is either null or empty");
		}

		if (StringUtils.isEmpty(certAlias)) {
			throw new SecurityException("certAlias is either null or empty");
		}

		if (StringUtils.isEmpty(certPswd)) {
			throw new SecurityException("certPswd is either null or empty");
		}

		java.io.InputStream fin = null;

		try {
			KeyStore store = KeyStore.getInstance(keyStoreType);
			// Resolve the keystore through Spring's resource abstraction
			// ("classpath:..." or "file:..."). Reading it as a stream avoids
			// the ClassPathResource cast, which fails for file: and URL
			// locations, and the getFile() call, which fails for resources
			// packaged inside a jar.
			ResourceLoader rs = new DefaultResourceLoader();
			fin = rs.getResource(keyStoreFilename).getInputStream();
			// No keystore password is configured, so the keystore integrity
			// check is skipped; only the key entry password below is
			// verified.
			store.load(fin, null);

			Key privateKey = store.getKey(certAlias, certPswd.toCharArray());

			if (privateKey != null) {
				List&lt;Certificate&gt; certs = new ArrayList&lt;Certificate&gt;();

				if (includeCertpath) {
					if (isResponse) {
						Certificate cert = store.getCertificate(certAlias);

						if (cert == null) {
							throw new SecurityException(
							        "unable to get certificate using certAlias");
						}

						certs.add(cert);
					}
					else {
						Certificate certArray[] = store
						        .getCertificateChain(certAlias);

						if (certArray == null) {
							throw new SecurityException(
							        "unable to get certificate chain using certAlias");
						}

						certs.addAll(Arrays.asList(certArray));
					}

					// ALGO_ID_SIGNATURE_RSA is RSA with SHA-1
					// (xmldsig#rsa-sha1). The certificates are embedded in
					// the KeyInfo so the relying party can locate the
					// signing key.
					assertion.sign(XMLSignature.ALGO_ID_SIGNATURE_RSA,
					        privateKey, certs);
				}
				else {
					// No KeyInfo certificates: the relying party must
					// already hold the issuer's public key.
					assertion.sign(XMLSignature.ALGO_ID_SIGNATURE_RSA,
					        privateKey, null);
				}
			}
			else {
				throw new SecurityException(
				        "private key was null and hence cannot sign assertion");
			}
		}
		catch (KeyStoreException e) {
			throw new RuntimeException(e);
		}
		catch (FileNotFoundException e) {
			throw new RuntimeException(e);
		}
		catch (NoSuchAlgorithmException e) {
			throw new RuntimeException(e);
		}
		catch (CertificateException e) {
			throw new RuntimeException(e);
		}
		catch (UnrecoverableKeyException e) {
			throw new RuntimeException(e);
		}
		catch (IOException e) {
			throw new RuntimeException(e);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		finally {
			IOUtils.closeQuietly(fin);
		}

		return assertion;
	}

	/**
	 * Checks if is response type.
	 * 
	 * @param credentialTypes
	 *            the credential types
	 * 
	 * @return true, if is response type
	 */
	private boolean isResponseType(String credentialTypes) {
		boolean responseType = false;

		if (SAML_RESPONSE.equals(credentialTypes)
		        || SAML_RESPONSE_CERTPATH.equals(credentialTypes)
		        || SAML_RESPONSE_NO_CERTPATH.equals(credentialTypes)) {
			responseType = true;
		}

		return responseType;
	}

	/**
	 * Require certpath.
	 * 
	 * @param credentialTypes
	 *            the credential types
	 * 
	 * @return true, if successful
	 */
	private boolean requireCertpath(String credentialTypes) {
		boolean requireCertpath = false;

		if (SAML_ASSERTION_CERTPATH.equals(credentialTypes)
		        || SAML_RESPONSE.equals(credentialTypes)
		        || SAML_RESPONSE_CERTPATH.equals(credentialTypes)) {
			requireCertpath = true;
		}

		return requireCertpath;
	}

}

&gt; Running TestWSSecurityNewST2 Fails - General security error (No certificates were found
for SAML signature)
&gt; -----------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-213
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-213
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;    Affects Versions: 1.5.8
&gt;         Environment: OS = Ubuntu 9.04
&gt; Eclipse = JEE Eclipse, Galileo, STS, m2eclipse
&gt; JDK = java-6-sun-1.6.0.16, java-1.5.0-sun-1.5.0.19 (attempted as well)
&gt;            Reporter: Jay Blanton
&gt;            Assignee: Ruchith Udayanga Fernando
&gt;            Priority: Critical
&gt;         Attachments: wss4j.saml-jks.tar.gz, wss4j.saml.tar.gz
&gt;
&gt;
&gt; I pulled down the 1.5.8, 1.5.8-SNAPSHOT, and pulled down the trunk for 1.6.
&gt; I tried to build the trunk by doing a mvn package -Dmaven.test.skip=true (because quite
a few unit tests fail).
&gt; Then I try to run TestWSSecurityNewST2 and it fails.
&gt; This is the exact issue I am having when trying to get my Spring Web Service Implementation
to work with WSS4J's SAML Support (which it appears that Spring does not expose so I have
to create a custom Interceptor).
&gt; I have working examples of a digital signature, encryption, and UsernameToken with Spring
Web Services support for SAML, but the SAML is not working.  So I specifically went to the
WSS4J examples to see if I could get those working first, and then working with my keystores,
but the default test does not work for me that shipped with WSS4J.
&gt; [INFO] Scanning for projects...
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] Building Ping Web Service Client
&gt; [INFO]
&gt; [INFO] Id: com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
&gt; [INFO] task-segment: [package]
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] [resources:resources]
&gt; [INFO] Using default encoding to copy filtered resources.
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [compiler:compile]
&gt; [INFO] Compiling 10 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/classes
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [jibx:bind]
&gt; [INFO] Not running JiBX binding compiler (single-module mode) - no binding files
&gt; [INFO] [resources:testResources]
&gt; [INFO] Using default encoding to copy filtered resources.
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [compiler:testCompile]
&gt; [INFO] Compiling 4 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/test-classes
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [surefire:test]
&gt; [INFO] Surefire report directory: /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; -------------------------------------------------------
&gt;  T E S T S
&gt; -------------------------------------------------------
&gt; Running wssec.TestWSSecurityNewST2
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml3.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f
class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.222 sec &lt;&lt;&lt;
FAILURE!
&gt; Results :
&gt; Tests in error:
&gt;   testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2)
&gt;   testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2)
&gt;   testDefaultIssuerClass(wssec.TestWSSecurityNewST2)
&gt;   testWSS62(wssec.TestWSSecurityNewST2)
&gt; Tests run: 5, Failures: 0, Errors: 5, Skipped: 0
&gt; [ERROR]
&gt; Mojo:
&gt;     org.apache.maven.plugins:maven-surefire-plugin:2.4.2:test
&gt; FAILED for project:
&gt;     com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
&gt; Reason:
&gt; There are test failures.
&gt; Please refer to /home/jay/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports
for the individual test results.
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] For more information, run with the -e flag
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] BUILD FAILED
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] Total time: 16 seconds
&gt; [INFO] Finished at: Wed Oct 07 13:29:03 PDT 2009
&gt; [INFO] Final Memory: 4M/25M
&gt; [INFO] ------------------------------------------------------------------------
&gt; Here are the errors from the test report:
&gt; -------------------------------------------------------------------------------
&gt; Test set: wssec.TestWSSecurityNewST2
&gt; -------------------------------------------------------------------------------
&gt; Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.731 sec &lt;&lt;&lt;
FAILURE!
&gt; testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2)  Time elapsed: 0.486 sec  &lt;&lt;&lt;
ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testSAMLSignedSenderVouches(TestWSSecurityNewST2.java:114)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
&gt; testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2)  Time elapsed: 0.064
sec  &lt;&lt;&lt; ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testSAMLSignedSenderVouchesKeyIdentifier(TestWSSecurityNewST2.java:156)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
&gt; testDefaultIssuerClass(wssec.TestWSSecurityNewST2)  Time elapsed: 0.156 sec  &lt;&lt;&lt;
ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testDefaultIssuerClass(TestWSSecurityNewST2.java:200)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
&gt; testWSS62(wssec.TestWSSecurityNewST2)  Time elapsed: 0.011 sec  &lt;&lt;&lt; ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were
found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testWSS62(TestWSSecurityNewST2.java:241)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
 

</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Issue Comment Edited: (WSS-213) Running TestWSSecurityNewST2 Fails - General security error (No certificates were found for SAML signature)</title>
<author><name>&quot;Jay Blanton (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200910.mbox/%3c1120518674.1256924160287.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c1120518674-1256924160287-JavaMail-jira@brutus%3e</id>
<updated>2009-10-30T17:36:00Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

    [ https://issues.apache.org/jira/browse/WSS-213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=12772002#action_12772002 ] 

Jay Blanton edited comment on WSS-213 at 10/30/09 5:35 PM:
-----------------------------------------------------------

Colm...thanks again for your help.

Here is a sample class for background.

This is a class we built with BEA support so that we could implement SAML Sender Vouches (version 1.1) and just a digital signature of the SAML Assertion.

We currently use this class on the Service Client side to attach SAML Tokens onto the service request and this is then resolved in the Oracle Service Bus and the WSDL hosted on that Bus.

It uses just OpenSAML.

package foo.opensaml;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;

import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSignedObject;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLSubjectStatement;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.ResourceLoader;

/**
 * The Class SAMLAuthenticationHandler.
 */
public class SAMLAuthenticationHandler {
	/** The Constant ASSERTION_ISSUER. */
	public static final String ASSERTION_ISSUER = "assertion.issuer";

	/** The Constant CERTIFICATE_PASSWORD. */
	public static final String CERTIFICATE_PASSWORD = "certificate.password";

	/** The Constant CERTIFICATE_ALIAS. */
	public static final String CERTIFICATE_ALIAS = "certificate.alias";

	/** The Constant CERTIFICATE_KEYSTORE_PATH. */
	public static final String CERTIFICATE_KEYSTORE_PATH = "certificate.keystore.path";

	/** The Constant ASSERTION_SIGN. */
	public static final String ASSERTION_SIGN = "assertion.sign";

	/** The Constant ASSERTION_USERNAME. */
	public static final String ASSERTION_USERNAME = "assertion.username";

	/** The Constant SIGNATURE_INCLUDECERT. */
	public static final String SIGNATURE_INCLUDECERT = "signature.includecert";

	/** The Constant SAML_ASSERTION. */
	public static final String SAML_ASSERTION = "SAML.Assertion";

	/** The Constant SAML_ASSERTION_CERTPATH. */
	public static final String SAML_ASSERTION_CERTPATH = "SAML.Assertion.Certpath";

	private String credentialType = SAML_ASSERTION;

	private String assertionUserName;

	private boolean signAssertion = false;

	private Set&lt;?&gt; groups = Collections.emptySet();

	private long notBeforeMs;

	private long notAfterMs;

	private String certKeystorePath;

	private String certKeystoreType = "JKS";

	private String certAlias;

	private String certPassword;

	private String assertionIssuer;

	private String recipient;

	/**
	 * Instantiates a new SAML authentication handler; configure it through
	 * the setters before calling getSamlAssertion().
	 */
	public SAMLAuthenticationHandler() {
		super();
	}

	/**
	 * Builds the SAML assertion from the configured properties.
	 * 
	 * @return the (optionally signed) assertion as an XML string
	 */
	public String getSamlAssertion() {

		String assertion = getSAMLAssertion(assertionUserName, // username
		        groups, // groups
		        signAssertion, // isSigned
		        notBeforeMs, // not before condition
		        notAfterMs, // not after condition
		        certKeystorePath, // keystore uri
		        certKeystoreType, // trusted keystore type
		        certAlias, // trusted cert alias
		        certPassword, // trusted cert alias password
		        credentialType, // credentialType
		        assertionIssuer, // issuerURI
		        recipient // recipient
		);

		System.out.println(assertion);

		return assertion;
	}

	public String getCredentialType() {
		return credentialType;
	}

	public void setCredentialType(String credentialType) {
		this.credentialType = credentialType;
	}

	public String getAssertionUserName() {
		return assertionUserName;
	}

	public void setAssertionUserName(String assertionUserName) {
		this.assertionUserName = assertionUserName;
	}

	public boolean isSignAssertion() {
		return signAssertion;
	}

	public void setSignAssertion(boolean signAssertion) {
		this.signAssertion = signAssertion;
	}

	public void setSignAssertion(String signAssertion) {
		this.signAssertion = BooleanUtils.toBoolean(signAssertion);
	}

	public Set&lt;?&gt; getGroups() {
		return groups;
	}

	public void setGroups(Set&lt;?&gt; groups) {
		this.groups = groups;
	}

	public long getNotBeforeMs() {
		return notBeforeMs;
	}

	public void setNotBeforeMs(long notBeforeMs) {
		this.notBeforeMs = notBeforeMs;
	}

	public long getNotAfterMs() {
		return notAfterMs;
	}

	public void setNotAfterMs(long notAfterMs) {
		this.notAfterMs = notAfterMs;
	}

	public String getCertKeystorePath() {
		return certKeystorePath;
	}

	public void setCertKeystorePath(String certKeystorePath) {
		this.certKeystorePath = certKeystorePath;
	}

	public String getCertKeystoreType() {
		return certKeystoreType;
	}

	public void setCertKeystoreType(String certKeystoreType) {
		this.certKeystoreType = certKeystoreType;
	}

	public String getCertAlias() {
		return certAlias;
	}

	public void setCertAlias(String certAlias) {
		this.certAlias = certAlias;
	}

	public String getCertPassword() {
		return certPassword;
	}

	public void setCertPassword(String certPassword) {
		this.certPassword = certPassword;
	}

	public String getAssertionIssuer() {
		return assertionIssuer;
	}

	public void setAssertionIssuer(String assertionIssuer) {
		this.assertionIssuer = assertionIssuer;
	}

	public String getRecipient() {
		return recipient;
	}

	public void setRecipient(String recipient) {
		this.recipient = recipient;
	}

	/** The Constant UNKNOWN_RECIPIENT. */
	public static final String UNKNOWN_RECIPIENT = "unknown";

	/** The Constant SAML_RESPONSE. */
	public static final String SAML_RESPONSE = "SAML.Profile.POST";

	/** The Constant SAML_RESPONSE_CERTPATH. */
	public static final String SAML_RESPONSE_CERTPATH = "SAML.Profile.POST.Certpath";

	/** The Constant SAML_RESPONSE_NO_CERTPATH. */
	public static final String SAML_RESPONSE_NO_CERTPATH = "SAML.Profile.POST.NoCertpath";

	/** The Constant WLES_GROUP_TAG. */
	private static final String WLES_GROUP_TAG = "WLESGroup";

	/** The Constant WLES_GROUP_NS. */
	private static final String WLES_GROUP_NS = "urn:bea:security:saml:groups";

	/**
	 * Gets the SAML assertion.
	 * 
	 * @param userName
	 *            the user name
	 * @param groups
	 *            the groups
	 * @param isSigned
	 *            the is signed
	 * @param notBeforeMs
	 *            the not before_ms
	 * @param notAfterMs
	 *            the not after_ms
	 * @param trustedKeystore
	 *            the trusted keystore
	 * @param trustedKeystoreType
	 *            the trusted keystore type
	 * @param trustedCertAlias
	 *            the trusted cert alias
	 * @param trustedCertAliasPasswd
	 *            the trusted cert alias passwd
	 * @param credentialType
	 *            the credential type
	 * @param issuer
	 *            the issuer
	 * @param recipient
	 *            the recipient
	 * 
	 * @return the SAML assertion
	 */
	public String getSAMLAssertion(String userName, Set&lt;?&gt; groups,
	        boolean isSigned, long notBeforeMs, long notAfterMs,
	        String trustedKeystore, String trustedKeystoreType,
	        String trustedCertAlias, String trustedCertAliasPasswd,
	        String credentialType, String issuer, String recipient) {
		boolean asResponse = isResponseType(credentialType);
		boolean withCertPath = requireCertpath(credentialType);

		ClassLoader dirCLDR = this.getClass().getClassLoader();
		ClassLoader threadCLDR = Thread.currentThread().getContextClassLoader();

		try {
			Thread.currentThread().setContextClassLoader(dirCLDR);

			SAMLSubject subject = new SAMLSubject(new SAMLNameIdentifier(
			        userName, null, null), Collections
			        .singleton(SAMLSubject.CONF_SENDER_VOUCHES), null, null);

			SAMLAttributeStatement attrStat = null;

			if ((groups != null) &amp;&amp; (groups.size() != 0)) {
				attrStat = createAttributeStatement(subject, groups);
			}

			SAMLAssertion assertion = createAssertion(
			        createAuthenticationStatement(subject), attrStat,
			        notBeforeMs, notAfterMs, issuer);

			SAMLSignedObject signedObject = null;

			if (asResponse) {
				List&lt;SAMLAssertion&gt; assertionList = new ArrayList&lt;SAMLAssertion&gt;();
				assertionList.add(assertion);

				String responseRecipient = recipient;
				if (StringUtils.isEmpty(recipient)) {
					responseRecipient = UNKNOWN_RECIPIENT;
				}

				SAMLResponse response = new SAMLResponse(null,
				        responseRecipient, assertionList, null);

				if (isSigned) {
					signedObject = getSignedAssertion(response,
					        trustedKeystore, trustedKeystoreType,
					        trustedCertAlias, trustedCertAliasPasswd,
					        withCertPath, asResponse);
				}
			}
			else {
				if (isSigned) {
					signedObject = getSignedAssertion(assertion,
					        trustedKeystore, trustedKeystoreType,
					        trustedCertAlias, trustedCertAliasPasswd,
					        withCertPath, asResponse);
				}
			}

			if (signedObject != null) {
				return signedObject.toString();
			}
			else {
				return assertion.toString();
			}
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		finally {
			Thread.currentThread().setContextClassLoader(threadCLDR);
		}
	}

	/**
	 * Creates the SAML 1.1 assertion carrying the given statements, valid
	 * from (now - notBeforeMs) until (now + notAfterMs).
	 * 
	 * @param authnStat
	 *            the authn stat
	 * @param attrStat
	 *            the attr stat
	 * @param notBeforeMs
	 *            the not before_ms
	 * @param notAfterMs
	 *            the not after_ms
	 * @param issuer
	 *            the issuer
	 * 
	 * @return the SAML assertion
	 */
	private SAMLAssertion createAssertion(
	        SAMLAuthenticationStatement authnStat,
	        SAMLAttributeStatement attrStat, long notBeforeMs, long notAfterMs,
	        String issuer) {
		SAMLAssertion samlAssertion = null;
		long now = System.currentTimeMillis();
		Date notBefore = new Date(now - notBeforeMs);
		Date notOnOrAfter = new Date(now + notAfterMs);

		List&lt;SAMLSubjectStatement&gt; statements = new ArrayList&lt;SAMLSubjectStatement&gt;();

		if (authnStat != null) {
			statements.add(authnStat);
		}

		if (attrStat != null) {
			statements.add(attrStat);
		}

		try {
			samlAssertion = new SAMLAssertion(issuer, notBefore, notOnOrAfter,
			        null, null, statements);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}

		return samlAssertion;
	}

	/**
	 * Creates an attribute statement carrying the subject's groups as a
	 * single WLESGroup attribute in the BEA groups namespace.
	 * 
	 * @param subject
	 *            the subject
	 * @param groups
	 *            the groups
	 * 
	 * @return the SAML attribute statement
	 */
	private SAMLAttributeStatement createAttributeStatement(
	        SAMLSubject subject, Collection&lt;?&gt; groups) {
		SAMLAttributeStatement attrStmt = null;

		try {
			SAMLAttribute wlesGroup = new SAMLAttribute(WLES_GROUP_TAG,
			        WLES_GROUP_NS, null, 0, groups);

			ArrayList&lt;SAMLAttribute&gt; wlesGroups = new ArrayList&lt;SAMLAttribute&gt;();
			wlesGroups.add(wlesGroup);

			attrStmt = new SAMLAttributeStatement(
			        (SAMLSubject) subject.clone(), wlesGroups);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		catch (CloneNotSupportedException e) {
			throw new RuntimeException(e);
		}

		return attrStmt;
	}

	/**
	 * Creates a password-method authentication statement for the subject,
	 * with the authentication instant set to now.
	 * 
	 * @param subject
	 *            the subject
	 * 
	 * @return the SAML authentication statement
	 */
	private SAMLAuthenticationStatement createAuthenticationStatement(
	        SAMLSubject subject) {
		String authnMtd = SAMLAuthenticationStatement.AuthenticationMethod_Password;
		SAMLAuthenticationStatement authnStat = null;

		try {
			authnStat = new SAMLAuthenticationStatement((SAMLSubject) subject
			        .clone(), authnMtd, new Date(), null, null, null);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		catch (CloneNotSupportedException e) {
			throw new RuntimeException(e);
		}

		return authnStat;
	}

	/**
	 * Gets the signed assertion.
	 * 
	 * @param assertion
	 *            the assertion
	 * @param keyStoreFilename
	 *            the key store filename
	 * @param keyStoreType
	 *            the key store type
	 * @param certAlias
	 *            the cert alias
	 * @param certPswd
	 *            the cert pswd
	 * @param includeCertpath
	 *            the include certpath
	 * @param isResponse
	 *            the is response
	 * 
	 * @return the signed assertion
	 */
	private SAMLSignedObject getSignedAssertion(SAMLSignedObject assertion,
	        String keyStoreFilename, String keyStoreType, String certAlias,
	        String certPswd, boolean includeCertpath, boolean isResponse) {
		if (StringUtils.isEmpty(keyStoreFilename)) {
			throw new SecurityException(
			        "keyStoreFilename is either null or empty string");
		}

		if (StringUtils.isEmpty(keyStoreType)) {
			throw new SecurityException("keyStoreType is either null or empty");
		}

		if (StringUtils.isEmpty(certAlias)) {
			throw new SecurityException("certAlias is either null or empty");
		}

		if (StringUtils.isEmpty(certPswd)) {
			throw new SecurityException("certPswd is either null or empty");
		}

		InputStream fin = null;

		try {
			KeyStore store = KeyStore.getInstance(keyStoreType);
			// Resolve the keystore through Spring's resource loader so that
			// classpath, file and plain-path locations all work; reading the
			// stream avoids the ClassPathResource cast and the getFile() call,
			// which fail for non-classpath resources and for resources in jars.
			ResourceLoader rs = new DefaultResourceLoader();
			fin = rs.getResource(keyStoreFilename).getInputStream();
			// A null store password skips the JKS integrity check; pass the
			// store password here if tampering with the file should be detected.
			store.load(fin, null);

			Key privateKey = store.getKey(certAlias, certPswd.toCharArray());

			if (privateKey != null) {
				List&lt;Certificate&gt; certs = new ArrayList&lt;Certificate&gt;();

				if (includeCertpath) {
					if (isResponse) {
						Certificate cert = store.getCertificate(certAlias);

						if (cert == null) {
							throw new SecurityException(
							        "unable to get certificate using certAlias");
						}

						certs.add(cert);
					}
					else {
						Certificate certArray[] = store
						        .getCertificateChain(certAlias);

						if (certArray == null) {
							throw new SecurityException(
							        "unable to get certificate chain using certAlias");
						}

						certs.addAll(Arrays.asList(certArray));
					}

					assertion.sign(XMLSignature.ALGO_ID_SIGNATURE_RSA,
					        privateKey, certs);
				}
				else {
					assertion.sign(XMLSignature.ALGO_ID_SIGNATURE_RSA,
					        privateKey, null);
				}
			}
			else {
				throw new SecurityException(
				        "private key was null and hence cannot sign assertion");
			}
		}
		catch (KeyStoreException e) {
			throw new RuntimeException(e);
		}
		catch (FileNotFoundException e) {
			throw new RuntimeException(e);
		}
		catch (NoSuchAlgorithmException e) {
			throw new RuntimeException(e);
		}
		catch (CertificateException e) {
			throw new RuntimeException(e);
		}
		catch (UnrecoverableKeyException e) {
			throw new RuntimeException(e);
		}
		catch (IOException e) {
			throw new RuntimeException(e);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		finally {
			IOUtils.closeQuietly(fin);
		}

		return assertion;
	}

	/**
	 * Checks if is response type.
	 * 
	 * @param credentialTypes
	 *            the credential types
	 * 
	 * @return true, if is response type
	 */
	private boolean isResponseType(String credentialTypes) {
		boolean responseType = false;

		if (SAML_RESPONSE.equals(credentialTypes)
		        || SAML_RESPONSE_CERTPATH.equals(credentialTypes)
		        || SAML_RESPONSE_NO_CERTPATH.equals(credentialTypes)) {
			responseType = true;
		}

		return responseType;
	}

	/**
	 * Require certpath.
	 * 
	 * @param credentialTypes
	 *            the credential types
	 * 
	 * @return true, if successful
	 */
	private boolean requireCertpath(String credentialTypes) {
		boolean requireCertpath = false;

		if (SAML_ASSERTION_CERTPATH.equals(credentialTypes)
		        || SAML_RESPONSE.equals(credentialTypes)
		        || SAML_RESPONSE_CERTPATH.equals(credentialTypes)) {
			requireCertpath = true;
		}

		return requireCertpath;
	}

}

      was (Author: jaybytez):
    Colm...thanks again for your help.

Here is a sample class for background.

This is a class we built with BEA support so that we could implement SAML Sender Vouches (version 1.1) and just a digital signature of the SAML Assertion.

It uses just OpenSAML.

package foo.opensaml;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Set;

import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.BooleanUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.xml.security.signature.XMLSignature;
import org.opensaml.SAMLAssertion;
import org.opensaml.SAMLAttribute;
import org.opensaml.SAMLAttributeStatement;
import org.opensaml.SAMLAuthenticationStatement;
import org.opensaml.SAMLException;
import org.opensaml.SAMLNameIdentifier;
import org.opensaml.SAMLResponse;
import org.opensaml.SAMLSignedObject;
import org.opensaml.SAMLSubject;
import org.opensaml.SAMLSubjectStatement;
import org.springframework.core.io.ClassPathResource;
import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.ResourceLoader;

/**
 * The Class SAMLAuthenticationHandler.
 */
public class SAMLAuthenticationHandler {
	/** The Constant ASSERTION_ISSUER. */
	public static final String ASSERTION_ISSUER = "assertion.issuer";

	/** The Constant CERTIFICATE_PASSWORD. */
	public static final String CERTIFICATE_PASSWORD = "certificate.password";

	/** The Constant CERTIFICATE_ALIAS. */
	public static final String CERTIFICATE_ALIAS = "certificate.alias";

	/** The Constant CERTIFICATE_KEYSTORE_PATH. */
	public static final String CERTIFICATE_KEYSTORE_PATH = "certificate.keystore.path";

	/** The Constant ASSERTION_SIGN. */
	public static final String ASSERTION_SIGN = "assertion.sign";

	/** The Constant ASSERTION_USERNAME. */
	public static final String ASSERTION_USERNAME = "assertion.username";

	/** The Constant SIGNATURE_INCLUDECERT. */
	public static final String SIGNATURE_INCLUDECERT = "signature.includecert";

	/** The Constant SAML_ASSERTION. */
	public static final String SAML_ASSERTION = "SAML.Assertion";

	/** The Constant SAML_ASSERTION_CERTPATH. */
	public static final String SAML_ASSERTION_CERTPATH = "SAML.Assertion.Certpath";

	private String credentialType = SAML_ASSERTION;

	private String assertionUserName;

	private boolean signAssertion = false;

	private Set&lt;?&gt; groups = Collections.EMPTY_SET;

	private long notBeforeMs;

	private long notAfterMs;

	private String certKeystorePath;

	private String certKeystoreType = "JKS";

	private String certAlias;

	private String certPassword;

	private String assertionIssuer;

	private String recipient;

	/**
	 * Instantiates a new SAML authentication handler. All settings
	 * (user name, groups, keystore, issuer, ...) are supplied through
	 * the setters below; there is no configuration parameter.
	 */
	public SAMLAuthenticationHandler() {
		super();
	}

	/**
	 * Builds the SAML assertion (or SAML response, depending on the
	 * configured credential type) from the properties set on this handler.
	 * 
	 * @return the assertion or response, signed if signAssertion is true,
	 *         serialised as an XML string
	 */
	public String getSamlAssertion() {

		String assertion = getSAMLAssertion(assertionUserName, // username
		        groups, // groups
		        signAssertion, // isSigned
		        notBeforeMs, // not before condition
		        notAfterMs, // not after condition
		        certKeystorePath, // keystore uri
		        certKeystoreType, // trusted keystore type
		        certAlias, // trusted cert alias
		        certPassword, // trusted cert alias password
		        credentialType, // credentialType
		        assertionIssuer, // issuerURI
		        recipient // recipient
		);

		System.out.println(assertion);

		return assertion;
	}

	public String getCredentialType() {
		return credentialType;
	}

	public void setCredentialType(String credentialType) {
		this.credentialType = credentialType;
	}

	public String getAssertionUserName() {
		return assertionUserName;
	}

	public void setAssertionUserName(String assertionUserName) {
		this.assertionUserName = assertionUserName;
	}

	public boolean isSignAssertion() {
		return signAssertion;
	}

	public void setSignAssertion(boolean signAssertion) {
		this.signAssertion = signAssertion;
	}

	public void setSignAssertion(String signAssertion) {
		this.signAssertion = BooleanUtils.toBoolean(signAssertion);
	}

	public Set&lt;?&gt; getGroups() {
		return groups;
	}

	public void setGroups(Set&lt;?&gt; groups) {
		this.groups = groups;
	}

	public long getNotBeforeMs() {
		return notBeforeMs;
	}

	public void setNotBeforeMs(long notBeforeMs) {
		this.notBeforeMs = notBeforeMs;
	}

	public long getNotAfterMs() {
		return notAfterMs;
	}

	public void setNotAfterMs(long notAfterMs) {
		this.notAfterMs = notAfterMs;
	}

	public String getCertKeystorePath() {
		return certKeystorePath;
	}

	public void setCertKeystorePath(String certKeystorePath) {
		this.certKeystorePath = certKeystorePath;
	}

	public String getCertKeystoreType() {
		return certKeystoreType;
	}

	public void setCertKeystoreType(String certKeystoreType) {
		this.certKeystoreType = certKeystoreType;
	}

	public String getCertAlias() {
		return certAlias;
	}

	public void setCertAlias(String certAlias) {
		this.certAlias = certAlias;
	}

	public String getCertPassword() {
		return certPassword;
	}

	public void setCertPassword(String certPassword) {
		this.certPassword = certPassword;
	}

	public String getAssertionIssuer() {
		return assertionIssuer;
	}

	public void setAssertionIssuer(String assertionIssuer) {
		this.assertionIssuer = assertionIssuer;
	}

	public String getRecipient() {
		return recipient;
	}

	public void setRecipient(String recipient) {
		this.recipient = recipient;
	}

	/** The Constant UNKNOWN_RECIPIENT. */
	public static final String UNKNOWN_RECIPIENT = "unknown";

	/** The Constant SAML_RESPONSE. */
	public static final String SAML_RESPONSE = "SAML.Profile.POST";

	/** The Constant SAML_RESPONSE_CERTPATH. */
	public static final String SAML_RESPONSE_CERTPATH = "SAML.Profile.POST.Certpath";

	/** The Constant SAML_RESPONSE_NO_CERTPATH. */
	public static final String SAML_RESPONSE_NO_CERTPATH = "SAML.Profile.POST.NoCertpath";

	/** The Constant WLES_GROUP_TAG. */
	private static final String WLES_GROUP_TAG = "WLESGroup";

	/** The Constant WLES_GROUP_NS. */
	private static final String WLES_GROUP_NS = "urn:bea:security:saml:groups";

	/**
	 * Gets the SAML assertion.
	 * 
	 * @param userName
	 *            the subject name placed in the NameIdentifier
	 * @param groups
	 *            the group names emitted as WLESGroup attribute values
	 *            (no attribute statement is added when null or empty)
	 * @param isSigned
	 *            whether to sign the assertion or response
	 * @param notBeforeMs
	 *            milliseconds before now at which the assertion becomes
	 *            valid (clock-skew allowance)
	 * @param notAfterMs
	 *            milliseconds after now at which the assertion expires
	 * @param trustedKeystore
	 *            resource path of the keystore holding the signing key
	 * @param trustedKeystoreType
	 *            the keystore type, e.g. JKS
	 * @param trustedCertAlias
	 *            alias of the private key entry used for signing
	 * @param trustedCertAliasPasswd
	 *            password protecting that private key entry
	 * @param credentialType
	 *            one of the SAML_* constants; selects assertion versus
	 *            response and whether certificates are included in the
	 *            signature
	 * @param issuer
	 *            the assertion issuer URI
	 * @param recipient
	 *            the Recipient of a response; defaults to
	 *            UNKNOWN_RECIPIENT when empty
	 * 
	 * @return the SAML assertion
	 */
	public String getSAMLAssertion(String userName, Set&lt;?&gt; groups,
	        boolean isSigned, long notBeforeMs, long notAfterMs,
	        String trustedKeystore, String trustedKeystoreType,
	        String trustedCertAlias, String trustedCertAliasPasswd,
	        String credentialType, String issuer, String recipient) {
		boolean asResponse = isResponseType(credentialType);
		boolean withCertPath = requireCertpath(credentialType);

		ClassLoader dirCLDR = this.getClass().getClassLoader();
		ClassLoader threadCLDR = Thread.currentThread().getContextClassLoader();

		try {
			Thread.currentThread().setContextClassLoader(dirCLDR);

			SAMLSubject subject = new SAMLSubject(new SAMLNameIdentifier(
			        userName, null, null), Collections
			        .singleton(SAMLSubject.CONF_SENDER_VOUCHES), null, null);

			SAMLAttributeStatement attrStat = null;

			if ((groups != null) &amp;&amp; (groups.size() != 0)) {
				attrStat = createAttributeStatement(subject, groups);
			}

			SAMLAssertion assertion = createAssertion(
			        createAuthenticationStatement(subject), attrStat,
			        notBeforeMs, notAfterMs, issuer);

			SAMLSignedObject signedObject = null;

			if (asResponse) {
				List&lt;SAMLAssertion&gt; assertionList = new ArrayList&lt;SAMLAssertion&gt;();
				assertionList.add(assertion);

				String responseRecipient = recipient;
				if (StringUtils.isEmpty(recipient)) {
					responseRecipient = UNKNOWN_RECIPIENT;
				}

				SAMLResponse response = new SAMLResponse(null,
				        responseRecipient, assertionList, null);

				if (isSigned) {
					signedObject = getSignedAssertion(response,
					        trustedKeystore, trustedKeystoreType,
					        trustedCertAlias, trustedCertAliasPasswd,
					        withCertPath, asResponse);
				}
			}
			else {
				if (isSigned) {
					signedObject = getSignedAssertion(assertion,
					        trustedKeystore, trustedKeystoreType,
					        trustedCertAlias, trustedCertAliasPasswd,
					        withCertPath, asResponse);
				}
			}

			if (signedObject != null) {
				return signedObject.toString();
			}
			else {
				return assertion.toString();
			}
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		finally {
			Thread.currentThread().setContextClassLoader(threadCLDR);
		}
	}

	/**
	 * Creates the SAML assertion that carries the given statements. The
	 * validity window is [now - notBeforeMs, now + notAfterMs).
	 * 
	 * @param authnStat
	 *            the authentication statement (skipped when null)
	 * @param attrStat
	 *            the attribute statement (skipped when null)
	 * @param notBeforeMs
	 *            milliseconds before now at which the assertion becomes valid
	 * @param notAfterMs
	 *            milliseconds after now at which the assertion expires
	 * @param issuer
	 *            the issuer URI
	 * 
	 * @return the SAML assertion
	 */
	private SAMLAssertion createAssertion(
	        SAMLAuthenticationStatement authnStat,
	        SAMLAttributeStatement attrStat, long notBeforeMs, long notAfterMs,
	        String issuer) {
		SAMLAssertion samlAssertion = null;
		long now = System.currentTimeMillis();
		Date notBefore = new Date(now - notBeforeMs);
		Date notOnOrAfter = new Date(now + notAfterMs);

		List&lt;SAMLSubjectStatement&gt; statements = new ArrayList&lt;SAMLSubjectStatement&gt;();

		if (authnStat != null) {
			statements.add(authnStat);
		}

		if (attrStat != null) {
			statements.add(attrStat);
		}

		try {
			samlAssertion = new SAMLAssertion(issuer, notBefore, notOnOrAfter,
			        null, null, statements);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}

		return samlAssertion;
	}

	/**
	 * Creates an attribute statement holding a single WLESGroup attribute
	 * whose values are the given group names.
	 * 
	 * @param subject
	 *            the subject (cloned, since a subject belongs to one statement)
	 * @param groups
	 *            the group names
	 * 
	 * @return the SAML attribute statement
	 */
	private SAMLAttributeStatement createAttributeStatement(
	        SAMLSubject subject, Collection&lt;?&gt; groups) {
		SAMLAttributeStatement attrStmt = null;

		try {
			SAMLAttribute wlesGroup = new SAMLAttribute(WLES_GROUP_TAG,
			        WLES_GROUP_NS, null, 0, groups);

			ArrayList&lt;SAMLAttribute&gt; wlesGroups = new ArrayList&lt;SAMLAttribute&gt;();
			wlesGroups.add(wlesGroup);

			attrStmt = new SAMLAttributeStatement(
			        (SAMLSubject) subject.clone(), wlesGroups);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		catch (CloneNotSupportedException e) {
			throw new RuntimeException(e);
		}

		return attrStmt;
	}

	/**
	 * Creates an authentication statement for the subject with the
	 * password authentication method and the current time as the instant.
	 * 
	 * @param subject
	 *            the subject (cloned, since a subject belongs to one statement)
	 * 
	 * @return the SAML authentication statement
	 */
	private SAMLAuthenticationStatement createAuthenticationStatement(
	        SAMLSubject subject) {
		String authnMtd = SAMLAuthenticationStatement.AuthenticationMethod_Password;
		SAMLAuthenticationStatement authnStat = null;

		try {
			authnStat = new SAMLAuthenticationStatement((SAMLSubject) subject
			        .clone(), authnMtd, new Date(), null, null, null);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		catch (CloneNotSupportedException e) {
			throw new RuntimeException(e);
		}

		return authnStat;
	}

	/**
	 * Gets the signed assertion.
	 * 
	 * @param assertion
	 *            the assertion
	 * @param keyStoreFilename
	 *            the key store filename
	 * @param keyStoreType
	 *            the key store type
	 * @param certAlias
	 *            the cert alias
	 * @param certPswd
	 *            the cert pswd
	 * @param includeCertpath
	 *            the include certpath
	 * @param isResponse
	 *            the is response
	 * 
	 * @return the signed assertion
	 */
	private SAMLSignedObject getSignedAssertion(SAMLSignedObject assertion,
	        String keyStoreFilename, String keyStoreType, String certAlias,
	        String certPswd, boolean includeCertpath, boolean isResponse) {
		if (StringUtils.isEmpty(keyStoreFilename)) {
			throw new SecurityException(
			        "keyStoreFilename is either null or empty string");
		}

		if (StringUtils.isEmpty(keyStoreType)) {
			throw new SecurityException("keyStoreType is either null or empty");
		}

		if (StringUtils.isEmpty(certAlias)) {
			throw new SecurityException("certAlias is either null or empty");
		}

		if (StringUtils.isEmpty(certPswd)) {
			throw new SecurityException("certPswd is either null or empty");
		}

		java.io.InputStream fin = null;

		try {
			KeyStore store = KeyStore.getInstance(keyStoreType);
			ResourceLoader rs = new DefaultResourceLoader();
			// Read through the Resource API rather than Resource.getFile():
			// getFile() only works for keystores on the file system and fails
			// once the keystore is packaged inside a jar or ear.
			fin = rs.getResource(keyStoreFilename).getInputStream();
			// A null store password loads the entries without verifying the
			// keystore integrity MAC; supplying the store password would
			// detect a tampered keystore file.
			store.load(fin, null);

			Key privateKey = store.getKey(certAlias, certPswd.toCharArray());

			if (privateKey != null) {
				List&lt;Certificate&gt; certs = new ArrayList&lt;Certificate&gt;();

				if (includeCertpath) {
					if (isResponse) {
						// response: only the end-entity certificate of the alias
						Certificate cert = store.getCertificate(certAlias);

						if (cert == null) {
							throw new SecurityException(
							        "unable to get certificate using certAlias");
						}

						certs.add(cert);
					}
					else {
						// assertion: the whole chain stored under the alias
						Certificate[] certArray = store
						        .getCertificateChain(certAlias);

						if (certArray == null) {
							throw new SecurityException(
							        "unable to get certificate chain using certAlias");
						}

						certs.addAll(Arrays.asList(certArray));
					}
				}

				// ALGO_ID_SIGNATURE_RSA is RSA with SHA-1. With a null
				// certificate list the signature carries no X509Data, so the
				// relying party must resolve the signing key by other means.
				assertion.sign(XMLSignature.ALGO_ID_SIGNATURE_RSA,
				        privateKey, includeCertpath ? certs : null);
			}
			else {
				throw new SecurityException(
				        "private key was null and hence cannot sign assertion");
			}
		}
		catch (KeyStoreException e) {
			throw new RuntimeException(e);
		}
		catch (FileNotFoundException e) {
			throw new RuntimeException(e);
		}
		catch (NoSuchAlgorithmException e) {
			throw new RuntimeException(e);
		}
		catch (CertificateException e) {
			throw new RuntimeException(e);
		}
		catch (UnrecoverableKeyException e) {
			throw new RuntimeException(e);
		}
		catch (IOException e) {
			throw new RuntimeException(e);
		}
		catch (SAMLException e) {
			throw new RuntimeException(e);
		}
		finally {
			IOUtils.closeQuietly(fin);
		}

		return assertion;
	}

	/**
	 * Checks if is response type.
	 * 
	 * @param credentialTypes
	 *            the credential types
	 * 
	 * @return true, if is response type
	 */
	private boolean isResponseType(String credentialTypes) {
		boolean responseType = false;

		if (SAML_RESPONSE.equals(credentialTypes)
		        || SAML_RESPONSE_CERTPATH.equals(credentialTypes)
		        || SAML_RESPONSE_NO_CERTPATH.equals(credentialTypes)) {
			responseType = true;
		}

		return responseType;
	}

	/**
	 * Checks whether the credential type requires certificates to be
	 * included in the signature's KeyInfo.
	 * 
	 * @param credentialTypes
	 *            the credential type
	 * 
	 * @return true if the certificate (path) must be included
	 */
	private boolean requireCertpath(String credentialTypes) {
		boolean requireCertpath = false;

		if (SAML_ASSERTION_CERTPATH.equals(credentialTypes)
		        || SAML_RESPONSE.equals(credentialTypes)
		        || SAML_RESPONSE_CERTPATH.equals(credentialTypes)) {
			requireCertpath = true;
		}

		return requireCertpath;
	}

}
  
&gt; Running TestWSSecurityNewST2 Fails - General security error (No certificates were found for SAML signature)
&gt; -----------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-213
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-213
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;    Affects Versions: 1.5.8
&gt;         Environment: OS = Ubuntu 9.04
&gt; Eclipse = JEE Eclipse, Galileo, STS, m2eclipse
&gt; JDK = java-6-sun-1.6.0.16, java-1.5.0-sun-1.5.0.19 (attempted as well)
&gt;            Reporter: Jay Blanton
&gt;            Assignee: Ruchith Udayanga Fernando
&gt;            Priority: Critical
&gt;         Attachments: wss4j.saml-jks.tar.gz, wss4j.saml.tar.gz
&gt;
&gt;
&gt; I pulled down the 1.5.8, 1.5.8-SNAPSHOT, and pulled down the trunk for 1.6.
&gt; I tried to build the trunk by doing a mvn package -Dmaven.test.skip=true (because quite a few unit tests fail).
&gt; Then I try to run TestWSSecurityNewST2 and it fails.
&gt; This is the exact issue I am having when trying to get my Spring Web Service Implementation to work with WSS4J's SAML Support (which it appears that Spring does not expose so I have to create a custom Interceptor).
&gt; I have working examples of a digital signature, encryption, and UsernameToken with Spring Web Services support for SAML, but the SAML is not working.  So I specifically went to the WSS4J examples to see if I could get those working first, and then working with my keystores, but the default test does not work for me that shipped with WSS4J.
&gt; [INFO] Scanning for projects...
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] Building Ping Web Service Client
&gt; [INFO]
&gt; [INFO] Id: com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
&gt; [INFO] task-segment: [package]
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] [resources:resources]
&gt; [INFO] Using default encoding to copy filtered resources.
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [compiler:compile]
&gt; [INFO] Compiling 10 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/classes
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [jibx:bind]
&gt; [INFO] Not running JiBX binding compiler (single-module mode) - no binding files
&gt; [INFO] [resources:testResources]
&gt; [INFO] Using default encoding to copy filtered resources.
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [compiler:testCompile]
&gt; [INFO] Compiling 4 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/test-classes
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [surefire:test]
&gt; [INFO] Surefire report directory: /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; -------------------------------------------------------
&gt;  T E S T S
&gt; -------------------------------------------------------
&gt; Running wssec.TestWSSecurityNewST2
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml3.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.222 sec &lt;&lt;&lt; FAILURE!
&gt; Results :
&gt; Tests in error:
&gt;   testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2)
&gt;   testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2)
&gt;   testDefaultIssuerClass(wssec.TestWSSecurityNewST2)
&gt;   testWSS62(wssec.TestWSSecurityNewST2)
&gt; Tests run: 5, Failures: 0, Errors: 5, Skipped: 0
&gt; [ERROR]
&gt; Mojo:
&gt;     org.apache.maven.plugins:maven-surefire-plugin:2.4.2:test
&gt; FAILED for project:
&gt;     com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
&gt; Reason:
&gt; There are test failures.
&gt; Please refer to /home/jay/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports for the individual test results.
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] For more information, run with the -e flag
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] BUILD FAILED
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] Total time: 16 seconds
&gt; [INFO] Finished at: Wed Oct 07 13:29:03 PDT 2009
&gt; [INFO] Final Memory: 4M/25M
&gt; [INFO] ------------------------------------------------------------------------
&gt; Here is the errors from the test report:
&gt; -------------------------------------------------------------------------------
&gt; Test set: wssec.TestWSSecurityNewST2
&gt; -------------------------------------------------------------------------------
&gt; Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.731 sec &lt;&lt;&lt; FAILURE!
&gt; testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2)  Time elapsed: 0.486 sec  &lt;&lt;&lt; ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testSAMLSignedSenderVouches(TestWSSecurityNewST2.java:114)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
&gt; testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2)  Time elapsed: 0.064 sec  &lt;&lt;&lt; ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testSAMLSignedSenderVouchesKeyIdentifier(TestWSSecurityNewST2.java:156)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
&gt; testDefaultIssuerClass(wssec.TestWSSecurityNewST2)  Time elapsed: 0.156 sec  &lt;&lt;&lt; ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testDefaultIssuerClass(TestWSSecurityNewST2.java:200)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)
&gt; testWSS62(wssec.TestWSSecurityNewST2)  Time elapsed: 0.011 sec  &lt;&lt;&lt; ERROR!
&gt; org.apache.ws.security.WSSecurityException: General security error (No certificates were found for SAML signature)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:276)
&gt;         at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:110)
&gt;         at wssec.TestWSSecurityNewST2.testWSS62(TestWSSecurityNewST2.java:241)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at junit.framework.TestCase.runTest(TestCase.java:168)
&gt;         at junit.framework.TestCase.runBare(TestCase.java:134)
&gt;         at junit.framework.TestResult$1.protect(TestResult.java:110)
&gt;         at junit.framework.TestResult.runProtected(TestResult.java:128)
&gt;         at junit.framework.TestResult.run(TestResult.java:113)
&gt;         at junit.framework.TestCase.run(TestCase.java:124)
&gt;         at junit.framework.TestSuite.runTest(TestSuite.java:232)
&gt;         at junit.framework.TestSuite.run(TestSuite.java:227)
&gt;         at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:81)
&gt;         at org.apache.maven.surefire.junit4.JUnit4TestSet.execute(JUnit4TestSet.java:62)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.executeTestSet(AbstractDirectoryTestSuite.java:140)
&gt;         at org.apache.maven.surefire.suite.AbstractDirectoryTestSuite.execute(AbstractDirectoryTestSuite.java:127)
&gt;         at org.apache.maven.surefire.Surefire.run(Surefire.java:177)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
&gt;         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
&gt;         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
&gt;         at java.lang.reflect.Method.invoke(Method.java:585)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.runSuitesInProcess(SurefireBooter.java:338)
&gt;         at org.apache.maven.surefire.booter.SurefireBooter.main(SurefireBooter.java:997)  

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: wss4j-dev-unsubscribe@ws.apache.org
For additional commands, e-mail: wss4j-dev-help@ws.apache.org



</pre>
</div>
</content>
</entry>
<entry>
<title>[jira] Commented: (WSS-213) Running TestWSSecurityNewST2 Fails - General security error (No certificates were found for SAML signature)</title>
<author><name>&quot;Colm O hEigeartaigh (JIRA)&quot; &lt;jira@apache.org&gt;</name></author>
<link rel="alternate" href="http://mail-archives.apache.org/mod_mbox/ws-wss4j-dev/200910.mbox/%3c429009930.1256900459601.JavaMail.jira@brutus%3e"/>
<id>urn:uuid:%3c429009930-1256900459601-JavaMail-jira@brutus%3e</id>
<updated>2009-10-30T11:00:59Z</updated>
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<pre>

    [ https://issues.apache.org/jira/browse/WSS-213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&amp;focusedCommentId=12771911#action_12771911 ]

Colm O hEigeartaigh commented on WSS-213:
-----------------------------------------


&gt; The SAML Assertion produced is not the same as the one I need, so I just need to figure out through the forums on how to Sign the Assertion, not the message itself.

Just to be clear, the assertion is getting signed, but the message body itself is also signed.
I think with the current code you must sign the body or else explicitly specify something
else to sign.

&gt; The one I need is like this (so I also need to add a Conditions statement if possible):


I'm not sure if this is currently supported. Let me know how you get on.

Colm.

&gt; Running TestWSSecurityNewST2 Fails - General security error (No certificates were found for SAML signature)
&gt; -----------------------------------------------------------------------------------------------------------
&gt;
&gt;                 Key: WSS-213
&gt;                 URL: https://issues.apache.org/jira/browse/WSS-213
&gt;             Project: WSS4J
&gt;          Issue Type: Bug
&gt;    Affects Versions: 1.5.8
&gt;         Environment: OS = Ubuntu 9.04
&gt; Eclipse = JEE Eclipse, Galileo, STS, m2eclipse
&gt; JDK = java-6-sun-1.6.0.16, java-1.5.0-sun-1.5.0.19 (attempted as well)
&gt;            Reporter: Jay Blanton
&gt;            Assignee: Ruchith Udayanga Fernando
&gt;            Priority: Critical
&gt;         Attachments: wss4j.saml-jks.tar.gz, wss4j.saml.tar.gz
&gt;
&gt;
&gt; I pulled down the 1.5.8, 1.5.8-SNAPSHOT, and pulled down the trunk for 1.6.
&gt; I tried to build the trunk by doing a mvn package -Dmaven.test.skip=true (because quite a few unit tests fail).
&gt; Then I try to run TestWSSecurityNewST2 and it fails.
&gt; This is the exact issue I am having when trying to get my Spring Web Service Implementation to work with WSS4J's SAML Support (which it appears that Spring does not expose so I have to create a custom Interceptor).
&gt; I have working examples of a digital signature, encryption, and UsernameToken with Spring Web Services support for SAML, but the SAML is not working.  So I specifically went to the WSS4J examples to see if I could get those working first, and then working with my keystores, but the default test does not work for me that shipped with WSS4J.
&gt; [INFO] Scanning for projects...
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] Building Ping Web Service Client
&gt; [INFO]
&gt; [INFO] Id: com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
&gt; [INFO] task-segment: [package]
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] [resources:resources]
&gt; [INFO] Using default encoding to copy filtered resources.
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [compiler:compile]
&gt; [INFO] Compiling 10 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/classes
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [jibx:bind]
&gt; [INFO] Not running JiBX binding compiler (single-module mode) - no binding files
&gt; [INFO] [resources:testResources]
&gt; [INFO] Using default encoding to copy filtered resources.
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [compiler:testCompile]
&gt; [INFO] Compiling 4 source files to /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/test-classes
&gt; url = http://repo1.maven.org/maven2
&gt; Downloading: http://repo1.maven.org/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://static.appfuse.org/repository
&gt; Downloading: http://static.appfuse.org/repository/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; url = http://repository.jboss.com/maven2
&gt; Downloading: http://repository.jboss.com/maven2/com/sun/xml/wss/xws-security/2.0-FCS/xws-security-2.0-FCS.pom
&gt; [INFO] [surefire:test]
&gt; [INFO] Surefire report directory: /home/a068071/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; -------------------------------------------------------
&gt;  T E S T S
&gt; -------------------------------------------------------
&gt; Running wssec.TestWSSecurityNewST2
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml3.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; INFO [wssec.TestWSSecurityNewST2] Before SAMLSignedSenderVouches....
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; DEBUG [security.util.Loader] Trying to find [saml.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; INFO [security.saml.SAMLIssuerFactory] Using Crypto Engine [org.apache.ws.security.saml.SAMLIssuerImpl]
&gt; DEBUG [security.util.Loader] Trying to find [crypto.properties] using sun.misc.Launcher$AppClassLoader@133056f class loader.
&gt; DEBUG [components.crypto.CryptoFactory] Using Crypto Engine [org.apache.ws.security.components.crypto.Merlin]
&gt; DEBUG [components.crypto.AbstractCrypto] CA certs have been loaded
&gt; DEBUG [security.saml.SAMLIssuerImpl] Begin add SAMLAssertion token...
&gt; DEBUG [security.saml.WSSecSignatureSAML] Beginning ST signing...
&gt; Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.222 sec &lt;&lt;&lt; FAILURE!
&gt; Results :
&gt; Tests in error:
&gt;   testSAMLSignedSenderVouches(wssec.TestWSSecurityNewST2)
&gt;   testSAMLSignedSenderVouchesKeyIdentifier(wssec.TestWSSecurityNewST2)
&gt;   testDefaultIssuerClass(wssec.TestWSSecurityNewST2)
&gt;   testWSS62(wssec.TestWSSecurityNewST2)
&gt; Tests run: 5, Failures: 0, Errors: 5, Skipped: 0
&gt; [ERROR]
&gt; Mojo:
&gt;     org.apache.maven.plugins:maven-surefire-plugin:2.4.2:test
&gt; FAILED for project:
&gt;     com.foo:ping.ws-saml:jar:0.0.1-SNAPSHOT
&gt; Reason:
&gt; There are test failures.
&gt; Please refer to /home/jay/Public/Development/eclipse3.5-workspace/ping.ws-saml/target/surefire-reports for the individual test results.
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] For more information, run with the -e flag
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] BUILD FAILED
&gt; [INFO] ------------------------------------------------------------------------
&gt; [INFO] Total time: 16 seconds
&gt; [INFO] Finished at: Wed Oct 07 13:29:03 PDT 2009
&gt; [INFO] Final Memory: 4M/25M
&gt; [INFO] ------------------------------------------------------------------------
&gt; Here are the errors from the test report:
&gt; -------------------------------------------------------------------------------
&gt; Test set: wssec.TestWSSecurityNewST2
&gt; -------------------------------------------------------------------------------
&gt; Tests run: 4, Failures: 0, Errors: 4, Skipped: 0, Time elapsed: 0.731 sec &lt;&lt;&lt; FAILURE!
 




</pre>
</div>
</content>
</entry>
</feed>
