5 Replies Latest reply on Apr 28, 2010 1:37 AM by srividhyak

    STSValidatingLoginModule (sample request to the esb)

    srividhyak

      Hi,

       

      I am trying to configure the STSValidatingLoginModule in my esb application. I referred to the saml_security quickstart which has both the issuing & validating modules. 

       

      I created another esb sample application that only has the STSValidatingLoginModule.

       

      The following exception occurs when I try to send a request to the esb's Http end-point.

      Caused by: javax.security.auth.login.LoginException: Could not locate a Security Token from the callback.

           at org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule.getSamlTokenFromCaller(STSValidatingLoginModule.java:101)

       

      This is my soap request:

       

      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:req="http://wsm.hp.com/Finance/Request" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <soapenv:Header>
            <wsse:Security>
               <wsse:BinarySecurityToken EncodingType='wsse:Base64Binary' ValueType='wsse:X509v3'>...............</wsse:BinarySecurityToken>
            </wsse:Security>
         </soapenv:Header>
         <soapenv:Body>
            .....................
         </soapenv:Body>
      </soapenv:Envelope>
      

       

      How should the request be sent to the Validating Login Module? Can someone please help me with a sample SOAP request for this?

       

      Thanks,

      Srividhya

        • 1. Re: STSValidatingLoginModule (sample request to the esb)
          beve

          Hi,

           

          it is expecting a SAML Assertion element in the security header. Something like this:

           

          <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
             <env:Header>
                <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                      ...
                   </saml:Assertion>
                </wsse:Security>
             </env:Header>
             <env:Body/>
          </env:Envelope>
          

           

          Regards,

           

          /Daniel
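
          A pre-flight check for the point in the reply above, as an added example that is not part of the original thread or of the JBoss ESB / PicketLink code: it lists which token elements a test request carries under wsse:Security, matching by namespace URI rather than prefix. The function names and both sample envelopes are constructed for illustration; the SAML 2.0 namespace is the one shown in the reply.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Element names are matched by namespace URI + local name, never by prefix.
TOKEN_KINDS = {
    "{%s}BinarySecurityToken" % WSSE_NS: "binary-security-token",
    "{%s}UsernameToken" % WSSE_NS: "username-token",
    "{%s}Assertion" % SAML2_NS: "saml2-assertion",
}

def security_tokens(envelope_xml):
    """List the token kinds that are direct children of wsse:Security."""
    # Stdlib parser is fine for a test request you wrote yourself; use a
    # hardened parser such as defusedxml for XML you did not author.
    root = ET.fromstring(envelope_xml)
    if root.tag != "{%s}Envelope" % SOAP_NS:
        raise ValueError("not a SOAP 1.1 envelope: %s" % root.tag)
    header = root.find("{%s}Header" % SOAP_NS)
    if header is None:
        return []
    kinds = []
    for security in header.findall("{%s}Security" % WSSE_NS):
        for child in security:
            kinds.append(TOKEN_KINDS.get(child.tag, "other:" + child.tag))
    return kinds

def carries_saml_assertion(envelope_xml):
    return "saml2-assertion" in security_tokens(envelope_xml)

# Constructed samples modelled on the two envelopes in this thread.
BINARY_TOKEN_REQUEST = """<soapenv:Envelope xmlns:soapenv="%s" xmlns:wsse="%s">
  <soapenv:Header><wsse:Security>
    <wsse:BinarySecurityToken ValueType="wsse:X509v3">PLACEHOLDER</wsse:BinarySecurityToken>
  </wsse:Security></soapenv:Header>
  <soapenv:Body/>
</soapenv:Envelope>""" % (SOAP_NS, WSSE_NS)

SAML_REQUEST = """<env:Envelope xmlns:env="%s">
  <env:Header><wsse:Security xmlns:wsse="%s">
    <s:Assertion xmlns:s="%s"/>
  </wsse:Security></env:Header>
  <env:Body/>
</env:Envelope>""" % (SOAP_NS, WSSE_NS, SAML2_NS)

if __name__ == "__main__":
    for name, req in (("binary", BINARY_TOKEN_REQUEST), ("saml", SAML_REQUEST)):
        print(name, security_tokens(req), carries_saml_assertion(req))
```

          An Assertion element in any other namespace is reported as "other:...", which catches a request whose prefix looks right but whose xmlns declaration is wrong.
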

          • 2. Re: STSValidatingLoginModule (sample request to the esb)
            srividhyak

            Hi,

             

            Thanks for your reply.

            I tried adding the SAML assertion too. (I used the STSIssuingLoginModule.)

             

            I get the following exception when the request contains SAML assertions.

            2010-04-21 10:29:47,987 ERROR [org.jboss.soa.esb.listeners.message.ActionProcessingPipeline] (pool-21-thread-1) SecurityService exception :
            org.jboss.soa.esb.services.security.SecurityServiceException: Service 'sendExternal' has been configured for security but no AuthenticationRequest could be located in the Message Context. Cannot authenticate without an AuthenticationRequest.
            at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:527)

             

            Can you please suggest if this is an issue with my input token or the esb configuration?

             

            Thanks,

            Srividhya

            • 3. Re: STSValidatingLoginModule (sample request to the esb)
              srividhyak

              Hi Daniel,

               

              I have been using the JBR listener in the SAML Validator esb example for creating the Http end-point.

              The JBR Listener seems to extract only the Http BASIC username & password tokens from the request and create an auth. request.

               

              I also tried using the HTTP Gateway/Listener.

              This also seems to use only the user-name token and binary-security token extractors for creating the auth. request.

               

              I believe this is why I get the "no Authentication Request in Message Context" error even when the SOAP request contains SAML assertions.

               

              Can you please suggest how I can invoke the extractor for SAML assertions?

               

              Thanks,

              Srividhya

              • 4. Re: STSValidatingLoginModule (sample request to the esb)
                beve

                You can specify your own message composer for the gateway like this:

                 

                 

                <jbr-listener name="Http-Gateway" busidref="Http-1" is-gateway="true">
                   <property name="synchronous" value="false"/>
                   <property name="composer-class" value="org.jboss.soa.esb.listeners.gateway.MyJBRMessageComposer"/>
                </jbr-listener>
                

                 

                I've attached the class MyJBRMessageComposer which also adds a SamlAssertionExtractor. You can modify the composer to suit your needs. I just used the JBossRemotingMessageComposer for this.

                 

                I've not had time to try this but hope this helps.

                 

                Regards,

                 

                /Daniel

                • 5. Re: STSValidatingLoginModule (sample request to the esb)
                  srividhyak

                  Hi Daniel,

                   

                  Yes, this helped me fix the issue. Thank you.

                   

                  Regards,

                  Srividhya