4 Replies Latest reply on May 31, 2013 4:14 PM by crumbs

    WS-SecurityPolicy ProtectTokens assertion

    crumbs

Using JBoss 7.1.3 and JBoss 7.2, WSS4J 1.6.9

       

      Is there support for the ProtectTokens assertion?

       

JBoss 7.2 warning: No assertion builder for type {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}ProtectTokens registered

       

I have tried using the JBossWS-CXF SecurityPolicy approach and the WSS4JOutInterceptor approach.

       

      The body and timestamp of the message are signed and the SecurityTokenReference contains the SAML.

      But the saml assertion is not referenced in the Signature block along with the timestamp and body.

       

Is there any way to do this in JBoss?

       

      The policy provided by the web service provider has the ProtectTokens assertion which I believe is getting ignored because of the warning above.

       

      I did see that CXF 2.7.0 probably has a fix for this. 

      Will this be integrated into JBossWS-CXF and JBoss soon?

       

      Thanks

        • 1. Re: WS-SecurityPolicy ProtectTokens assertion
          asoldano

          I'd need to do some checks, but if you're aware of a fix for that being in cxf 2.7 you might want to try the latest WildFly 8.0.0.Alpha1 release, whose JBossWS integration includes Apache CXF 2.7.5.

          • 2. Re: WS-SecurityPolicy ProtectTokens assertion
            crumbs

            Thanks Alessio.

I tried WildFly 8.0.0.Alpha1 with CXF 2.7.5.

             

            The SAML assertion is still not signed. The following warning I was seeing in 7.2 is gone though.

JBoss 7.2 warning: No assertion builder for type {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}ProtectTokens registered

             

             

WSDL with policy:

            <?xml version="1.0" encoding="UTF-8"?>
            <!-- env11, env12, wsse and saml are used by the sp:XPath expressions in myInput_Policy below
                 but were not declared in the posted WSDL; they are bound here to the standard namespaces
                 (SAML 1.1 assertions use the SAML 1.0 assertion namespace, as the message below shows). -->
            <wsdl:definitions name="SecurityService"
                              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                              xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                              xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                              xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples"
                              xmlns:wsp="http://www.w3.org/ns/ws-policy"
                              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                              xmlns:wsaws="http://www.w3.org/2005/08/addressing"
                              xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
                              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                              xmlns:env11="http://schemas.xmlsoap.org/soap/envelope/"
                              xmlns:env12="http://www.w3.org/2003/05/soap-envelope"
                              xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                              xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
                              targetNamespace="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples">
                <wsdl:types>
                    <xsd:schema>
                        <xsd:import namespace="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples" schemaLocation="SecurityService_schema1.xsd"/>
                    </xsd:schema>
                </wsdl:types>
                <wsdl:message name="sayHello">
                    <wsdl:part name="parameters" element="tns:sayHello"/>
                </wsdl:message>
                <wsdl:message name="sayHelloResponse">
                    <wsdl:part name="parameters" element="tns:sayHelloResponse"/>
                </wsdl:message>
                <wsdl:portType name="ServiceIface">
                    <wsdl:operation name="sayHello">
                        <wsdl:input message="tns:sayHello"/>
                        <wsdl:output message="tns:sayHelloResponse"/>
                    </wsdl:operation>
                </wsdl:portType>
             
                <wsdl:binding name="SecurityService2315PortBinding" type="tns:ServiceIface">
                    <wsp:PolicyReference URI="#HOK"/>
                    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
                    <wsdl:operation name="sayHello">
                        <soap:operation soapAction=""/>
                        <wsdl:input>
                            <soap:body use="literal"/>
                            <wsp:PolicyReference URI="#Input_Policy"/>
                        </wsdl:input>
                        <wsdl:output>
                            <soap:body use="literal"/>
                            <wsp:PolicyReference URI="#Output_Policy"/>
                        </wsdl:output>
                    </wsdl:operation>
                </wsdl:binding>
             
                <wsdl:service name="SecurityService">
                    <wsdl:port name="SecurityService2315Port" binding="tns:SecurityService2315PortBinding">
                        <soap:address location="http://localhost:8088/"/>
                    </wsdl:port>
                </wsdl:service>
             
                <wsp:Policy wsu:Id="HOK">
                    <wsp:ExactlyOne>
                        <wsp:All>
                            <sp:AsymmetricBinding>
                                <wsp:Policy>
                                    <sp:InitiatorToken>
                                        <wsp:Policy>
                                            <sp:SamlToken
                                                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                                    <wsp:Policy>
                                                    <wsp:ExactlyOne>
                                                        <wsp:All>
                                                            <sp:WssSamlV11Token10/>
                                                        </wsp:All>
                                                        <wsp:All>
                                                            <sp:WssSamlV11Token11/>
                                                        </wsp:All>
                                                    </wsp:ExactlyOne>
                                                </wsp:Policy>
                                            </sp:SamlToken>
                                        </wsp:Policy>
                                    </sp:InitiatorToken>
                                    <sp:AlgorithmSuite>
                                        <wsp:Policy>
                                            <sp:Basic256/>
                                            <sp:STRTransform10/>
                                        </wsp:Policy>
                                    </sp:AlgorithmSuite>
                                    <sp:Layout>
                                        <wsp:Policy>
                                            <sp:Lax/>
                                        </wsp:Policy>
                                    </sp:Layout>
                                    <sp:IncludeTimestamp wsp:Optional="true"/>
                                    <!-- ProtectTokens: the message signature must also cover the token used to
                                         produce it, i.e. the SAML assertion named as InitiatorToken above. -->
                                    <sp:ProtectTokens/>
                                    <sp:OnlySignEntireHeadersAndBody/>
                                </wsp:Policy>
                            </sp:AsymmetricBinding>

                            <wsp:ExactlyOne>
                                <wsp:All>
                                </wsp:All>
                                <wsp:All>
                                    <sp:SignedSupportingTokens>
                                        <wsp:Policy>
                                            <sp:X509Token
                                                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                                <wsp:Policy>
                                                    <wsp:ExactlyOne>
                                                        <wsp:All>
                                                            <sp:WssX509V3Token10/>
                                                        </wsp:All>
                                                        <wsp:All>
                                                            <sp:WssX509V3Token11/>
                                                        </wsp:All>
                                                    </wsp:ExactlyOne>
                                                </wsp:Policy>
                                            </sp:X509Token>
                                        </wsp:Policy>
                                    </sp:SignedSupportingTokens>
                                </wsp:All>
                            </wsp:ExactlyOne>
                        </wsp:All>
                    </wsp:ExactlyOne>
                </wsp:Policy>
             
                   
                <wsp:Policy wsu:Id="Input_Policy">
                    <wsp:ExactlyOne>
                        <wsp:All>
                            <sp:EncryptedParts wsp:Optional="true">
                                <sp:Body/>
                            </sp:EncryptedParts>
                            <sp:SignedParts>
                                <sp:Body/>
                            </sp:SignedParts>
                        </wsp:All>
                    </wsp:ExactlyOne>
                </wsp:Policy>
               
                <!-- Alternative input policy that signs the assertion explicitly with sp:SignedElements.
                     Not referenced by the binding above (which uses #Input_Policy); the env11/env12/wsse/saml
                     prefixes in the XPaths must be declared on wsdl:definitions. -->
                <wsp:Policy wsu:Id="myInput_Policy">
                    <sp:SignedParts>
                        <sp:Body/>
                    </sp:SignedParts>
                    <sp:SignedElements>
                        <sp:XPath>/env11:Header/wsse:Security/saml:Assertion</sp:XPath>
                        <sp:XPath>/env12:Header/wsse:Security/saml:Assertion</sp:XPath>
                    </sp:SignedElements>
                </wsp:Policy>
               
                <wsp:Policy wsu:Id="Output_Policy">
                    <wsp:ExactlyOne>
                        <wsp:All>
                            <sp:EncryptedParts>
                                <sp:Body/>
                            </sp:EncryptedParts>
                            <sp:SignedParts>
                                <sp:Body/>
                            </sp:SignedParts>
                        </wsp:All>
                    </wsp:ExactlyOne>
                </wsp:Policy>
            </wsdl:definitions>

             

            Client:

            import java.net.URL;
            import java.util.Map;

            import javax.xml.namespace.QName;
            import javax.xml.ws.BindingProvider;
            import javax.xml.ws.Service;

            import org.apache.cxf.ws.security.SecurityConstants;

            // SamlCallbackHandler and KeystorePasswordCallback are the poster's own classes (as in the
            // JBossWS wsse.policy samples) and are assumed to live in the same package as this client.
            public class Client {

                public String hello() {
                    String NS = "http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples";
                    // Base URL of the deployment (the soap:address in the WSDL); the WSDL is fetched from
                    // <base>SecurityService?wsdl. The posted code concatenated "SecurityService" twice.
                    String serviceURL = "http://localhost:8088/";
                    QName serviceName = new QName(NS, "SecurityService");
                    String hello = "Hello";
                    try {
                        Service service = Service.create(new URL(serviceURL + "SecurityService?wsdl"),
                                serviceName);
                        ServiceIface proxy = (ServiceIface) service.getPort(
                                new QName(NS, "SecurityService2315Port"), ServiceIface.class);
                        Map<String, Object> reqCtx = ((BindingProvider) proxy).getRequestContext();

                        // SAML 1.1 holder-of-key assertion, self-signed by the client ("alice")
                        SamlCallbackHandler cbh = new SamlCallbackHandler();
                        cbh.setConfirmationMethod("urn:oasis:names:tc:SAML:1.0:cm:holder-of-key");
                        reqCtx.put(SecurityConstants.SAML_CALLBACK_HANDLER, cbh);
                        reqCtx.put(SecurityConstants.SELF_SIGN_SAML_ASSERTION, "true");

                        // Keystore, key passwords and aliases for the message signature (alice) and
                        // optional encryption to the service (bob)
                        reqCtx.put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
                        reqCtx.put(SecurityConstants.SIGNATURE_PROPERTIES, Thread.currentThread()
                                .getContextClassLoader().getResource("META-INF/alice.properties"));
                        reqCtx.put(SecurityConstants.ENCRYPT_PROPERTIES, Thread.currentThread()
                                .getContextClassLoader().getResource("META-INF/alice.properties"));
                        reqCtx.put(SecurityConstants.SIGNATURE_USERNAME, "alice");
                        reqCtx.put(SecurityConstants.ENCRYPT_USERNAME, "bob");

                        System.out.println("Calling hello");
                        // The posted code called sayHello() twice and discarded the first result.
                        hello = proxy.sayHello();
                        if (!"Hello - (WSS1.0) SAML1.1 Holder of Key, Sign, Optional Encrypt".equals(hello)) {
                            System.out.println("Unexpected response: " + hello);
                        }
                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                    return hello;
                }
            }

             

            The SOAP message:

            What is missing is the reference to the STR in the signature block (marked below). The STR reference shown there is not complete, just to illustrate.

             

            <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
               <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
                  <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                     <wsu:Timestamp wsu:Id="TS-3">
                        <wsu:Created>2013-05-29T15:21:58.825Z</wsu:Created>
                        <wsu:Expires>2013-05-29T15:26:58.825Z</wsu:Expires>
                     </wsu:Timestamp>
                     <saml1:Assertion AssertionID="_BA7B4FA0A32D651F2F13698409188424" IssueInstant="2013-05-29T15:21:58.842Z" Issuer="sts" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                        <saml1:Conditions NotBefore="2013-05-29T15:21:58.842Z" NotOnOrAfter="2013-05-29T15:26:58.842Z"/>
                        <saml1:AttributeStatement>
                           <saml1:Subject>
                              <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.jbws-cxf-sts.org">uid=sts-client,o=jbws-cxf-sts.com</saml1:NameIdentifier>
                              <saml1:SubjectConfirmation>
                                 <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
                                 <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                    <ds:X509Data>
                                       <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIQM6YEf7FVYx/tZyEXgVComTANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQK
            DAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoX
            DTE4MDMxOTIzNTk1OVowQjEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3Ag
            VGVzdCBDZXJ0MQ4wDAYDVQQDDAVBbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoqi9
            9By1VYo0aHrkKCNT4DkIgPL/SgahbeKdGhrbu3K2XG7arfD9tqIBIKMfrX4Gp90NJa85AV1yiNsE
            yvq+mUnMpNcKnLXLOjkTmMCqDYbbkehJlXPnaWLzve+mW0pJdPxtf3rbD4PS/cBQIvtpjmrDAU8V
            sZKT8DN5Kyz+EZsCAwEAAaOBkzCBkDAJBgNVHRMEAjAAMDMGA1UdHwQsMCowKKImhiRodHRwOi8v
            aW50ZXJvcC5iYnRlc3QubmV0L2NybC9jYS5jcmwwDgYDVR0PAQH/BAQDAgSwMB0GA1UdDgQWBBQK
            4l0TUHZ1QV3V2QtlLNDm+PoxiDAfBgNVHSMEGDAWgBTAnSj8wes1oR3WqqqgHBpNwkkPDzANBgkq
            hkiG9w0BAQUFAAOCAQEABTqpOpvW+6yrLXyUlP2xJbEkohXHI5OWwKWleOb9hlkhWntUalfcFOJA
            gUyH30TTpHldzx1+vK2LPzhoUFKYHE1IyQvokBN2JjFO64BQukCKnZhldLRPxGhfkTdxQgdf5rCK
            /wh3xVsZCNTfuMNmlAM6lOAg8QduDah3WFZpEA0s2nwQaCNQTNMjJC8tav1CBr6+E5FAmwPXP7pJ
            xn9Fw9OXRyqbRA4v2y7YpbGkG2GI9UvOHw6SGvf4FRSthMMO35YbpikGsLix3vAsXWWi4rwfVOYz
            QK0OFPNi9RMCUdSH06m9uLWckiCxjos0FQODZE9l4ATGy9s9hNVwryOJTw==</ds:X509Certificate>
                                    </ds:X509Data>
                                 </ds:KeyInfo>
                              </saml1:SubjectConfirmation>
                           </saml1:Subject>
                           <saml1:Attribute AttributeName="subject-role" AttributeNamespace="http://custom-ns">
                              <saml1:AttributeValue xsi:type="xs:string">system-user</saml1:AttributeValue>
                           </saml1:Attribute>
                        </saml1:AttributeStatement>
                        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                           <ds:SignedInfo>
                              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                              <ds:Reference URI="#_BA7B4FA0A32D651F2F13698409188424">
                                 <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                       <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                    </ds:Transform>
                                 </ds:Transforms>
                                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                 <ds:DigestValue>NdeNEMZiuqgAJaYv+GRnzPhYu8U=</ds:DigestValue>
                              </ds:Reference>
                           </ds:SignedInfo>
                           <ds:SignatureValue>eeS4D+8OThfNVTUieE64JJCR2xMamJ6SeyZh+GiJ5IeNuIl8v4gzW8dYPh0YQCNDttnu+jVTqlwe8iuPiq3qXT7ynI/osnpRg7ZKUbtJ62aLcrPaDmdhns/Ys/H0A3a6xEYjCjz5ykc/6hUmE6zLM5rZpLggQq2MZr9X4KZQzRM=</ds:SignatureValue>
                           <ds:KeyInfo>
                              <ds:X509Data>
                                 <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIQM6YEf7FVYx/tZyEXgVComTANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQK
            DAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoX
            DTE4MDMxOTIzNTk1OVowQjEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3Ag
            VGVzdCBDZXJ0MQ4wDAYDVQQDDAVBbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoqi9
            9By1VYo0aHrkKCNT4DkIgPL/SgahbeKdGhrbu3K2XG7arfD9tqIBIKMfrX4Gp90NJa85AV1yiNsE
            yvq+mUnMpNcKnLXLOjkTmMCqDYbbkehJlXPnaWLzve+mW0pJdPxtf3rbD4PS/cBQIvtpjmrDAU8V
            sZKT8DN5Kyz+EZsCAwEAAaOBkzCBkDAJBgNVHRMEAjAAMDMGA1UdHwQsMCowKKImhiRodHRwOi8v
            aW50ZXJvcC5iYnRlc3QubmV0L2NybC9jYS5jcmwwDgYDVR0PAQH/BAQDAgSwMB0GA1UdDgQWBBQK
            4l0TUHZ1QV3V2QtlLNDm+PoxiDAfBgNVHSMEGDAWgBTAnSj8wes1oR3WqqqgHBpNwkkPDzANBgkq
            hkiG9w0BAQUFAAOCAQEABTqpOpvW+6yrLXyUlP2xJbEkohXHI5OWwKWleOb9hlkhWntUalfcFOJA
            gUyH30TTpHldzx1+vK2LPzhoUFKYHE1IyQvokBN2JjFO64BQukCKnZhldLRPxGhfkTdxQgdf5rCK
            /wh3xVsZCNTfuMNmlAM6lOAg8QduDah3WFZpEA0s2nwQaCNQTNMjJC8tav1CBr6+E5FAmwPXP7pJ
            xn9Fw9OXRyqbRA4v2y7YpbGkG2GI9UvOHw6SGvf4FRSthMMO35YbpikGsLix3vAsXWWi4rwfVOYz
            QK0OFPNi9RMCUdSH06m9uLWckiCxjos0FQODZE9l4ATGy9s9hNVwryOJTw==</ds:X509Certificate>
                              </ds:X509Data>
                           </ds:KeyInfo>
                        </ds:Signature>
                     </saml1:Assertion>
                     <ds:Signature Id="SIG-4" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:SignedInfo>
                           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                              <ec:InclusiveNamespaces PrefixList="soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                           </ds:CanonicalizationMethod>
                           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                           <ds:Reference URI="#TS-3">
                              <ds:Transforms>
                                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList="wsse soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                 </ds:Transform>
                              </ds:Transforms>
                              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                              <ds:DigestValue>Uz8gwkNs+1OUI1sVu9w8DPlpyR0=</ds:DigestValue>
                           </ds:Reference>
                           <ds:Reference URI="#Id-249693261">
                              <ds:Transforms>
                                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList="" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                 </ds:Transform>
                              </ds:Transforms>
                              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                              <ds:DigestValue>HsVQOP4ySpEaUA0OLuQlZS/t+jM=</ds:DigestValue>
                           </ds:Reference>

                           <!-- MISSING, illustrative only (not a complete Reference): a third ds:Reference
                                covering the SecurityTokenReference that points at the SAML assertion, e.g.
                                <ds:Reference URI="#STR-BA7B4FA0A32D651F2F13698409188626"> ... </ds:Reference> -->
                        </ds:SignedInfo>
                        <ds:SignatureValue>fUNBgmdq0j+by6XNG/ZGiNnzWuWoRfl4xaCUbINMOF0fLw5S/1+W0ueV/10h4SpHJ//raV1+RBmDHELnhqS4FSXSMVNeGd2UlFzCu9peB7Kg1se5Cc9mH4Ri1T9jU/gCIVCcy5FhF4TgtAfjpEH6tfyi7MUXA1b/P/b5QGbF2+I=</ds:SignatureValue>
                        <ds:KeyInfo Id="KI-BA7B4FA0A32D651F2F13698409188625">
                           <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-BA7B4FA0A32D651F2F13698409188626" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                              <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BA7B4FA0A32D651F2F13698409188424</wsse:KeyIdentifier>
                           </wsse:SecurityTokenReference>
                        </ds:KeyInfo>
                     </ds:Signature>
                  </wsse:Security>
               </SOAP-ENV:Header>
               <soap:Body wsu:Id="Id-249693261" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                  <ns2:sayHello xmlns:ns2="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples"/>
               </soap:Body>
            </soap:Envelope>

             

            Is there any way to reference the STR in the Signature block?

            Thanks so much.
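As an added example (not code from the post, from CXF or from JBossWS), here is a Python check for what the poster is looking for in the outbound message: whether each message signature actually covers the token it was produced with, which is what sp:ProtectTokens demands. It assumes the layout of the message above (a SAML 1.1 holder-of-key assertion referenced from ds:KeyInfo by a wsse:KeyIdentifier, message signatures as direct children of wsse:Security). The embedded envelope is a constructed, trimmed copy of that message, and the third ds:Reference added for the positive case is the one the post describes as missing.

```python
"""Check a WS-Security SOAP message against sp:ProtectTokens (WS-SecurityPolicy 1.2, 6.5):
the token used to produce a message signature must itself be covered by that signature.
Here that means a ds:Reference resolving to the SAML assertion, either directly by its id
or via the SecurityTokenReference in KeyInfo with the STR-Transform (sp:STRTransform10).
A reference to the STR element without the STR-Transform signs only the pointer."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml1": "urn:oasis:names:tc:SAML:1.0:assertion",
}
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")


def message_signatures(root):
    """Signatures that are direct children of wsse:Security; the assertion's own
    enveloped signature lives inside saml1:Assertion and is deliberately skipped."""
    sec = root.find("soap:Header/wsse:Security", NS)
    return [] if sec is None else sec.findall("ds:Signature", NS)


def signing_token(sig):
    """(ids the signing token can be referenced by, wsu:Id of the STR) for one Signature.
    Handles wsse:KeyIdentifier and wsse:Reference STRs, the forms WSS4J emits."""
    str_el = sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS)
    if str_el is None:
        return set(), None
    ids = set()
    ki = str_el.find("wsse:KeyIdentifier", NS)
    if ki is not None and ki.text:
        ids.add(ki.text.strip())
    ref = str_el.find("wsse:Reference", NS)
    if ref is not None and ref.get("URI"):
        ids.add(ref.get("URI").lstrip("#"))
    return ids, str_el.get("{%s}Id" % NS["wsu"])


def signed_references(sig):
    """[(target id, carries STR-Transform)] for every ds:Reference in SignedInfo."""
    out = []
    for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
        algs = {t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)}
        out.append(((ref.get("URI") or "").lstrip("#"), STR_TRANSFORM in algs))
    return out


def protect_tokens_satisfied(envelope_xml):
    """True only if every message signature covers its own signing token."""
    sigs = message_signatures(ET.fromstring(envelope_xml))
    if not sigs:
        return False
    for sig in sigs:
        token_ids, str_id = signing_token(sig)
        if not any(uri in token_ids or (str_id is not None and uri == str_id and via_str)
                   for uri, via_str in signed_references(sig)):
            return False
    return True


# Constructed sample, trimmed from the message in the post above; certificates, digests
# and signature values are shortened because nothing here verifies them.
SAML_ID = "_BA7B4FA0A32D651F2F13698409188424"
STR_ID = "STR-BA7B4FA0A32D651F2F13698409188626"


def str_reference(with_transform):
    """The third ds:Reference the poster expected: the STR, with or without STR-Transform."""
    transform = ("<ds:Transforms><ds:Transform Algorithm='%s'/></ds:Transforms>" % STR_TRANSFORM
                 if with_transform else "")
    return ("<ds:Reference URI='#%s'>%s<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>"
            % (STR_ID, transform))


def sample_envelope(extra_reference=""):
    return """<soap:Envelope xmlns:soap="%(soap)s"><soap:Header>
  <wsse:Security soap:mustUnderstand="1" xmlns:wsse="%(wsse)s" xmlns:wsu="%(wsu)s">
   <wsu:Timestamp wsu:Id="TS-3"><wsu:Created>2013-05-29T15:21:58.825Z</wsu:Created></wsu:Timestamp>
   <saml1:Assertion AssertionID="%(saml_id)s" MajorVersion="1" MinorVersion="1" xmlns:saml1="%(saml1)s">
    <ds:Signature xmlns:ds="%(ds)s"><ds:SignedInfo><ds:Reference URI="#%(saml_id)s"/></ds:SignedInfo>
     <ds:SignatureValue>eeS4</ds:SignatureValue></ds:Signature></saml1:Assertion>
   <ds:Signature Id="SIG-4" xmlns:ds="%(ds)s"><ds:SignedInfo>
     <ds:Reference URI="#TS-3"><ds:DigestValue>Uz8g</ds:DigestValue></ds:Reference>
     <ds:Reference URI="#Id-249693261"><ds:DigestValue>HsVQ</ds:DigestValue></ds:Reference>%(extra)s
    </ds:SignedInfo><ds:SignatureValue>fUNB</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference wsu:Id="%(str_id)s">
     <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">%(saml_id)s</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature>
  </wsse:Security></soap:Header>
 <soap:Body wsu:Id="Id-249693261" xmlns:wsu="%(wsu)s"><sayHello/></soap:Body></soap:Envelope>
""" % dict(NS, saml_id=SAML_ID, str_id=STR_ID, extra=extra_reference)


if __name__ == "__main__":
    for label, extra in (("as posted", ""), ("STR signed, no STR-Transform", str_reference(False)),
                         ("STR signed via STR-Transform", str_reference(True))):
        print("%-30s ProtectTokens satisfied: %s" % (label, protect_tokens_satisfied(sample_envelope(extra))))
```

Run it on a captured request (pass the raw envelope to protect_tokens_satisfied) before taking the problem to the provider. It inspects only references and transforms; it does not verify digests or the signature value, so it is a policy-shape check, not a signature check.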

            • 3. Re: WS-SecurityPolicy ProtectTokens assertion
              asoldano

              Thanks for the detailed info / report. I reproduced your issue by simply adding the sp:ProtectTokens to the 2.3.1.5 sample wsdl used in the test at org.jboss.test.ws.jaxws.samples.wsse.policy.oasis.WSSecurityPolicyExamples23xTestCase. I've created a jira at Apache: https://issues.apache.org/jira/browse/CXF-5051

              • 4. Re: WS-SecurityPolicy ProtectTokens assertion
                crumbs

                Thanks Alessio.

                I will look out for updates to CXF and JBossWS-CXF.