
    Wildfly 8.0.0 Alpha1 saml assertion not signed

    crumbs

      I tried Wildfly 8.0.0 Alpha1 with CXF 2.7.5

       

      The SAML assertion is still not signed. The following warning I was seeing in 7.2 is gone though.

      JBoss 7.2 warning: No assertion builder for type {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}ProtectTokens registered

       

       

      WSDL with policy:

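      <?xml version="1.0" encoding="UTF-8"?>
      <!--
        SecurityService sample WSDL with its WS-SecurityPolicy attached.
        Policies defined below:
          HOK            binding-level asymmetric binding, SAML 1.1 holder-of-key initiator token
          Input_Policy   request parts to sign / optionally encrypt
          Output_Policy  response parts to sign and encrypt
          myInput_Policy not referenced by any wsp:PolicyReference in this WSDL
      -->
      <wsdl:definitions name="SecurityService"
                        xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                        xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                        xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples"
                        xmlns:wsp="http://www.w3.org/ns/ws-policy"
                        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                        xmlns:wsaws="http://www.w3.org/2005/08/addressing"
                        xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
                        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                        xmlns:env11="http://schemas.xmlsoap.org/soap/envelope/"
                        xmlns:env12="http://www.w3.org/2003/05/soap-envelope"
                        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                        xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                        targetNamespace="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples">
          <!--
            env11, env12, wsse and saml are used only by the sp:XPath expressions in
            myInput_Policy. An XPath inside sp:SignedElements resolves its prefixes from the
            namespace declarations in scope, so they have to be declared on the document;
            previously they were not declared anywhere.
          -->
          <wsdl:types>
              <xsd:schema>
                  <xsd:import namespace="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples" schemaLocation="SecurityService_schema1.xsd"/>
              </xsd:schema>
          </wsdl:types>
          <wsdl:message name="sayHello">
              <wsdl:part name="parameters" element="tns:sayHello"/>
          </wsdl:message>
          <wsdl:message name="sayHelloResponse">
              <wsdl:part name="parameters" element="tns:sayHelloResponse"/>
          </wsdl:message>
          <wsdl:portType name="ServiceIface">
              <wsdl:operation name="sayHello">
                  <wsdl:input message="tns:sayHello"/>
                  <wsdl:output message="tns:sayHelloResponse"/>
              </wsdl:operation>
          </wsdl:portType>

          <!-- The HOK policy applies to the whole binding; Input_Policy / Output_Policy add the per-message parts. -->
          <wsdl:binding name="SecurityService2315PortBinding" type="tns:ServiceIface">
              <wsp:PolicyReference URI="#HOK"/>
              <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
              <wsdl:operation name="sayHello">
                  <soap:operation soapAction=""/>
                  <wsdl:input>
                      <soap:body use="literal"/>
                      <wsp:PolicyReference URI="#Input_Policy"/>
                  </wsdl:input>
                  <wsdl:output>
                      <soap:body use="literal"/>
                      <wsp:PolicyReference URI="#Output_Policy"/>
                  </wsdl:output>
              </wsdl:operation>
          </wsdl:binding>

          <wsdl:service name="SecurityService">
              <wsdl:port name="SecurityService2315Port" binding="tns:SecurityService2315PortBinding">
                  <soap:address location="http://localhost:8088/"/>
              </wsdl:port>
          </wsdl:service>

          <!--
            HOK: asymmetric binding. The initiator (client) signs with the key bound to its
            SAML 1.1 holder-of-key token. No sp:RecipientToken is given, so this policy does not
            say which key the service signs responses with or which key the client encrypts for;
            the client code on this page supplies ENCRYPT_USERNAME itself. Confirm that is intended.
          -->
          <wsp:Policy wsu:Id="HOK">
              <wsp:ExactlyOne>
                  <wsp:All>
                      <sp:AsymmetricBinding>
                          <wsp:Policy>
                              <sp:InitiatorToken>
                                  <wsp:Policy>
                                      <sp:SamlToken
                                          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                              <wsp:Policy>
                                              <wsp:ExactlyOne>
                                                  <wsp:All>
                                                      <sp:WssSamlV11Token10/>
                                                  </wsp:All>
                                                  <wsp:All>
                                                      <sp:WssSamlV11Token11/>
                                                  </wsp:All>
                                              </wsp:ExactlyOne>
                                          </wsp:Policy>
                                      </sp:SamlToken>
                                  </wsp:Policy>
                              </sp:InitiatorToken>
                              <!-- STRTransform10 is the transform a signature uses to cover a token through its SecurityTokenReference. -->
                              <sp:AlgorithmSuite>
                                  <wsp:Policy>
                                      <sp:Basic256/>
                                      <sp:STRTransform10/>
                                  </wsp:Policy>
                              </sp:AlgorithmSuite>
                              <sp:Layout>
                                  <wsp:Policy>
                                      <sp:Lax/>
                                  </wsp:Policy>
                              </sp:Layout>
                              <!-- Optional timestamp: a required, signed timestamp is what bounds replay of a captured message. -->
                              <sp:IncludeTimestamp wsp:Optional="true"/>
                              <!--
                                ProtectTokens: the message signature must also cover the signing token itself
                                (for the SAML token, a ds:Reference to its wsse:SecurityTokenReference using the
                                STR-Transform). This is the assertion the captured message on this page does not honour.
                              -->
                              <sp:ProtectTokens/>
                              <sp:OnlySignEntireHeadersAndBody/>
                          </wsp:Policy>
                      </sp:AsymmetricBinding>

                      <!-- The first, empty alternative makes the supporting X.509 token optional. -->
                      <wsp:ExactlyOne>
                          <wsp:All>
                          </wsp:All>
                          <wsp:All>
                              <sp:SignedSupportingTokens>
                                  <wsp:Policy>
                                      <sp:X509Token
                                          sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                          <wsp:Policy>
                                              <wsp:ExactlyOne>
                                                  <wsp:All>
                                                      <sp:WssX509V3Token10/>
                                                  </wsp:All>
                                                  <wsp:All>
                                                      <sp:WssX509V3Token11/>
                                                  </wsp:All>
                                              </wsp:ExactlyOne>
                                          </wsp:Policy>
                                      </sp:X509Token>
                                  </wsp:Policy>
                              </sp:SignedSupportingTokens>
                          </wsp:All>
                      </wsp:ExactlyOne>
                  </wsp:All>
              </wsp:ExactlyOne>
          </wsp:Policy>

          <!-- Request: the body must be signed; encryption of the body is optional. -->
          <wsp:Policy wsu:Id="Input_Policy">
              <wsp:ExactlyOne>
                  <wsp:All>
                      <sp:EncryptedParts wsp:Optional="true">
                          <sp:Body/>
                      </sp:EncryptedParts>
                      <sp:SignedParts>
                          <sp:Body/>
                      </sp:SignedParts>
                  </wsp:All>
              </wsp:ExactlyOne>
          </wsp:Policy>

          <!--
            Not referenced by the binding (it uses Input_Policy); kept as written. Each sp:XPath
            holds one expression with no surrounding whitespace, evaluated against the SOAP
            envelope, one form for SOAP 1.1 (env11) and one for SOAP 1.2 (env12).
          -->
          <wsp:Policy wsu:Id="myInput_Policy">
              <sp:SignedParts>
                  <sp:Body/>
              </sp:SignedParts>
              <sp:SignedElements>
                  <sp:XPath>/env11:Header/wsse:Security/saml:Assertion</sp:XPath>
                  <sp:XPath>/env12:Header/wsse:Security/saml:Assertion</sp:XPath>
              </sp:SignedElements>
          </wsp:Policy>

          <!-- Response: the body must be both signed and encrypted. -->
          <wsp:Policy wsu:Id="Output_Policy">
              <wsp:ExactlyOne>
                  <wsp:All>
                      <sp:EncryptedParts>
                          <sp:Body/>
                      </sp:EncryptedParts>
                      <sp:SignedParts>
                          <sp:Body/>
                      </sp:SignedParts>
                  </wsp:All>
              </wsp:ExactlyOne>
          </wsp:Policy>
      </wsdl:definitions>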

       

      Client:

      public class Client {

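          /**
           * Invokes the SecurityService {@code sayHello} operation over the
           * WS-SecurityPolicy protected port (SAML 1.1 holder-of-key, asymmetric binding).
           *
           * @return the service reply, or the literal {@code "Hello"} when the call
           *         fails; failures are printed to stderr and otherwise swallowed,
           *         which keeps this sample method best-effort rather than throwing
           */
          public String hello() {
              final String NS = "http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples";
              final String serviceURL = "http://localhost:8088/SecurityService";
              // String serviceURLHttps = "http://localhost:8088/service/security/";
              // NOTE(review): this concatenation yields ".../SecurityServiceSecurityService?wsdl";
              // confirm that is really the WSDL address of the deployed endpoint.
              final String wsdlURL = serviceURL + "SecurityService?wsdl";
              final String expectedReply = "Hello - (WSS1.0) SAML1.1 Holder of Key, Sign, Optional Encrypt";
              QName serviceName = new QName(NS, "SecurityService");
              String hello = "Hello";
              try {
                  Service service = Service.create(new URL(wsdlURL), serviceName);
                  ServiceIface proxy = (ServiceIface) service.getPort(
                          new QName(NS, "SecurityService2315Port"), ServiceIface.class);
                  Map<String, Object> reqCtx = ((BindingProvider) proxy).getRequestContext();

                  // The client issues and signs its own SAML assertion (SELF_SIGN_SAML_ASSERTION)
                  // with alice's key, so the service effectively trusts the caller as token issuer.
                  // Acceptable for this sample; a deployment would obtain the assertion from an STS.
                  SamlCallbackHandler cbh = new SamlCallbackHandler();
                  cbh.setConfirmationMethod("urn:oasis:names:tc:SAML:1.0:cm:holder-of-key");
                  reqCtx.put(SecurityConstants.SAML_CALLBACK_HANDLER, cbh);
                  reqCtx.put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());

                  // One crypto properties file serves both signing (alice's key) and encryption
                  // (bob's certificate is looked up through the same configuration).
                  URL cryptoProperties = Thread.currentThread()
                          .getContextClassLoader().getResource("META-INF/alice.properties");
                  reqCtx.put(SecurityConstants.SIGNATURE_PROPERTIES, cryptoProperties);
                  reqCtx.put(SecurityConstants.ENCRYPT_PROPERTIES, cryptoProperties);
                  reqCtx.put(SecurityConstants.SIGNATURE_USERNAME, "alice");
                  reqCtx.put(SecurityConstants.ENCRYPT_USERNAME, "bob");
                  reqCtx.put(SecurityConstants.SELF_SIGN_SAML_ASSERTION, "true");

                  System.out.println("Calling hello");
                  // Call the service once; the original invoked sayHello twice and discarded
                  // the result of an equals() check on the first reply.
                  hello = proxy.sayHello();
                  if (!expectedReply.equals(hello)) {
                      System.out.println("Unexpected reply: " + hello);
                  }
              } catch (Exception e) {
                  e.printStackTrace();
              }
              return hello;
          }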

       

      The SOAP message:

      What is missing is the reference to the STR in the message signature block (shown in bold in the original post). The STR reference I put in the signature block below is not complete; it is only there to illustrate what is missing.

       

      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
         <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
            <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
               <!-- Timestamp TS-3: five minute validity window; covered by the message signature SIG-4 below. -->
               <wsu:Timestamp wsu:Id="TS-3">
                  <wsu:Created>2013-05-29T15:21:58.825Z</wsu:Created>
                  <wsu:Expires>2013-05-29T15:26:58.825Z</wsu:Expires>
               </wsu:Timestamp>
               <!--
                 SAML 1.1 holder-of-key assertion. Although Issuer says "sts", the certificate in the
                 subject confirmation KeyInfo and the certificate in the assertion's own signature KeyInfo
                 are the same, i.e. the client signed the assertion itself (SELF_SIGN_SAML_ASSERTION in
                 the client code). A relying party that accepts this trusts the client as issuer.
               -->
               <saml1:Assertion AssertionID="_BA7B4FA0A32D651F2F13698409188424" IssueInstant="2013-05-29T15:21:58.842Z" Issuer="sts" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                  <saml1:Conditions NotBefore="2013-05-29T15:21:58.842Z" NotOnOrAfter="2013-05-29T15:26:58.842Z"/>
                  <saml1:AttributeStatement>
                     <saml1:Subject>
                        <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.jbws-cxf-sts.org">uid=sts-client,o=jbws-cxf-sts.com</saml1:NameIdentifier>
                        <saml1:SubjectConfirmation>
                           <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
                           <!-- Holder-of-key: the presenter must prove possession of the key matching this certificate. -->
                           <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                              <ds:X509Data>
                                 <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIQM6YEf7FVYx/tZyEXgVComTANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQK
      DAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoX
      DTE4MDMxOTIzNTk1OVowQjEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3Ag
      VGVzdCBDZXJ0MQ4wDAYDVQQDDAVBbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoqi9
      9By1VYo0aHrkKCNT4DkIgPL/SgahbeKdGhrbu3K2XG7arfD9tqIBIKMfrX4Gp90NJa85AV1yiNsE
      yvq+mUnMpNcKnLXLOjkTmMCqDYbbkehJlXPnaWLzve+mW0pJdPxtf3rbD4PS/cBQIvtpjmrDAU8V
      sZKT8DN5Kyz+EZsCAwEAAaOBkzCBkDAJBgNVHRMEAjAAMDMGA1UdHwQsMCowKKImhiRodHRwOi8v
      aW50ZXJvcC5iYnRlc3QubmV0L2NybC9jYS5jcmwwDgYDVR0PAQH/BAQDAgSwMB0GA1UdDgQWBBQK
      4l0TUHZ1QV3V2QtlLNDm+PoxiDAfBgNVHSMEGDAWgBTAnSj8wes1oR3WqqqgHBpNwkkPDzANBgkq
      hkiG9w0BAQUFAAOCAQEABTqpOpvW+6yrLXyUlP2xJbEkohXHI5OWwKWleOb9hlkhWntUalfcFOJA
      gUyH30TTpHldzx1+vK2LPzhoUFKYHE1IyQvokBN2JjFO64BQukCKnZhldLRPxGhfkTdxQgdf5rCK
      /wh3xVsZCNTfuMNmlAM6lOAg8QduDah3WFZpEA0s2nwQaCNQTNMjJC8tav1CBr6+E5FAmwPXP7pJ
      xn9Fw9OXRyqbRA4v2y7YpbGkG2GI9UvOHw6SGvf4FRSthMMO35YbpikGsLix3vAsXWWi4rwfVOYz
      QK0OFPNi9RMCUdSH06m9uLWckiCxjos0FQODZE9l4ATGy9s9hNVwryOJTw==</ds:X509Certificate>
                              </ds:X509Data>
                           </ds:KeyInfo>
                        </saml1:SubjectConfirmation>
                     </saml1:Subject>
                     <saml1:Attribute AttributeName="subject-role" AttributeNamespace="http://custom-ns">
                        <saml1:AttributeValue xsi:type="xs:string">system-user</saml1:AttributeValue>
                     </saml1:Attribute>
                  </saml1:AttributeStatement>
                  <!--
                    Assertion signature: a single enveloped-signature reference to the assertion itself
                    (URI #_BA7B4FA0A32D651F2F13698409188424). rsa-sha1 and sha1 are used here and in
                    SIG-4; both are deprecated for new signatures.
                  -->
                  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                     <ds:SignedInfo>
                        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                        <ds:Reference URI="#_BA7B4FA0A32D651F2F13698409188424">
                           <ds:Transforms>
                              <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                 <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              </ds:Transform>
                           </ds:Transforms>
                           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                           <ds:DigestValue>NdeNEMZiuqgAJaYv+GRnzPhYu8U=</ds:DigestValue>
                        </ds:Reference>
                     </ds:SignedInfo>
                     <ds:SignatureValue>eeS4D+8OThfNVTUieE64JJCR2xMamJ6SeyZh+GiJ5IeNuIl8v4gzW8dYPh0YQCNDttnu+jVTqlwe8iuPiq3qXT7ynI/osnpRg7ZKUbtJ62aLcrPaDmdhns/Ys/H0A3a6xEYjCjz5ykc/6hUmE6zLM5rZpLggQq2MZr9X4KZQzRM=</ds:SignatureValue>
                     <ds:KeyInfo>
                        <ds:X509Data>
                           <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIQM6YEf7FVYx/tZyEXgVComTANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQK
      DAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoX
      DTE4MDMxOTIzNTk1OVowQjEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3Ag
      VGVzdCBDZXJ0MQ4wDAYDVQQDDAVBbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoqi9
      9By1VYo0aHrkKCNT4DkIgPL/SgahbeKdGhrbu3K2XG7arfD9tqIBIKMfrX4Gp90NJa85AV1yiNsE
      yvq+mUnMpNcKnLXLOjkTmMCqDYbbkehJlXPnaWLzve+mW0pJdPxtf3rbD4PS/cBQIvtpjmrDAU8V
      sZKT8DN5Kyz+EZsCAwEAAaOBkzCBkDAJBgNVHRMEAjAAMDMGA1UdHwQsMCowKKImhiRodHRwOi8v
      aW50ZXJvcC5iYnRlc3QubmV0L2NybC9jYS5jcmwwDgYDVR0PAQH/BAQDAgSwMB0GA1UdDgQWBBQK
      4l0TUHZ1QV3V2QtlLNDm+PoxiDAfBgNVHSMEGDAWgBTAnSj8wes1oR3WqqqgHBpNwkkPDzANBgkq
      hkiG9w0BAQUFAAOCAQEABTqpOpvW+6yrLXyUlP2xJbEkohXHI5OWwKWleOb9hlkhWntUalfcFOJA
      gUyH30TTpHldzx1+vK2LPzhoUFKYHE1IyQvokBN2JjFO64BQukCKnZhldLRPxGhfkTdxQgdf5rCK
      /wh3xVsZCNTfuMNmlAM6lOAg8QduDah3WFZpEA0s2nwQaCNQTNMjJC8tav1CBr6+E5FAmwPXP7pJ
      xn9Fw9OXRyqbRA4v2y7YpbGkG2GI9UvOHw6SGvf4FRSthMMO35YbpikGsLix3vAsXWWi4rwfVOYz
      QK0OFPNi9RMCUdSH06m9uLWckiCxjos0FQODZE9l4ATGy9s9hNVwryOJTw==</ds:X509Certificate>
                        </ds:X509Data>
                     </ds:KeyInfo>
                  </ds:Signature>
               </saml1:Assertion>
               <!--
                 Message signature SIG-4. It references only the timestamp (#TS-3) and the body
                 (#Id-249693261). There is no reference covering the SAML token, which is what
                 sp:ProtectTokens in the WSDL policy calls for.
               -->
               <ds:Signature Id="SIG-4" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                  <ds:SignedInfo>
                     <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                        <ec:InclusiveNamespaces PrefixList="soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                     </ds:CanonicalizationMethod>
                     <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                     <ds:Reference URI="#TS-3">
                        <ds:Transforms>
                           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                              <ec:InclusiveNamespaces PrefixList="wsse soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                           </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>Uz8gwkNs+1OUI1sVu9w8DPlpyR0=</ds:DigestValue>
                     </ds:Reference>
                     <ds:Reference URI="#Id-249693261">
                        <ds:Transforms>
                           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                              <ec:InclusiveNamespaces PrefixList="" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                           </ds:Transform>
                        </ds:Transforms>
                        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                        <ds:DigestValue>HsVQOP4ySpEaUA0OLuQlZS/t+jM=</ds:DigestValue>
                     </ds:Reference>

      <!--
        The next line is the poster's hand-written placeholder, not wire data. With ProtectTokens
        honoured, a third ds:Reference would point at the wsse:SecurityTokenReference in KeyInfo
        (wsu:Id STR-BA7B4FA0A32D651F2F13698409188626) and apply the STR-Transform, so that the
        signature also covers the SAML token and the token cannot be swapped without breaking it.
      -->
      <ds:Reference URI="#Id-249693261="STR-BA7B4FA0A32D651F2F13698409188626">
                  </ds:SignedInfo>
                  <ds:SignatureValue>fUNBgmdq0j+by6XNG/ZGiNnzWuWoRfl4xaCUbINMOF0fLw5S/1+W0ueV/10h4SpHJ//raV1+RBmDHELnhqS4FSXSMVNeGd2UlFzCu9peB7Kg1se5Cc9mH4Ri1T9jU/gCIVCcy5FhF4TgtAfjpEH6tfyi7MUXA1b/P/b5QGbF2+I=</ds:SignatureValue>
                  <!-- KeyInfo names the signing key through the assertion ID (holder-of-key), not an embedded certificate. -->
                  <ds:KeyInfo Id="KI-BA7B4FA0A32D651F2F13698409188625">
                     <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-BA7B4FA0A32D651F2F13698409188626" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BA7B4FA0A32D651F2F13698409188424</wsse:KeyIdentifier>
                     </wsse:SecurityTokenReference>
                  </ds:KeyInfo>
               </ds:Signature>
            </wsse:Security>
         </SOAP-ENV:Header>
         <!-- Body Id-249693261 is signed (second reference in SIG-4) but sent in clear; EncryptedParts is optional in Input_Policy. -->
         <soap:Body wsu:Id="Id-249693261" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <ns2:sayHello xmlns:ns2="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples"/>
         </soap:Body>
      </soap:Envelope>

       

      Is there any way to reference the STR in the Signature block?

      Thanks so much.

       


       

       
