5 Replies Latest reply on Apr 28, 2010 1:37 AM by Srividhya K

    STSValidatingLoginModule (sample request to the esb)

    Srividhya K Newbie

      Hi,

       

      I am trying to configure the STSValidatingLoginModule in my esb application. I referred to the saml_security quickstart which has both the issuing & validating modules. 

       

      I created another esb sample application that only has the STSValidatingLoginModule.

       

      The following exception occurs when I try to send a request to the esb's Http end-point.

      Caused by: javax.security.auth.login.LoginException: Could not locate a Security Token from the callback.

           at org.picketlink.identity.federation.core.wstrust.auth.STSValidatingLoginModule.getSamlTokenFromCaller(STSValidatingLoginModule.java:101)

       

      This is my soap request:

       

      <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:req="http://wsm.hp.com/Finance/Request" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <soapenv:Header>
      <wsse:Security>
                  <wsse:BinarySecurityToken EncodingType='wsse:Base64Binary' ValueType='wsse:X509v3'>...............</wsse:BinarySecurityToken>
              </wsse:Security>
         </soapenv:Header>
         <soapenv:Body>
            .....................
         </soapenv:Body>
      </soapenv:Envelope>
      

       

      How should the request be sent to the Validating Login Module ? Can someone please help me with a sample soap request for this ?

       

      Thanks,

      Srividhya

        • 1. Re: STSValidatingLoginModule (sample request to the esb)
          Daniel Bevenius Master

          Hi,

           

          it is expecting a SAML Assertion element in the security header. Something like this:

           

          <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
             <env:Header>
                <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                      ...
                   </saml:Assertion>
          
                 </wsse:Security>
              </env:Header>
              <env:Body/>
          </env:Envelope>
          

           

          Regards,

           

          /Daniel

          • 2. Re: STSValidatingLoginModule (sample request to the esb)
            Srividhya K Newbie

            Hi,

             

            Thanks for your reply.

            I tried by adding the saml assertion too.  (I used the  STSIssuingLoginModule)

             

            I get the following exception when the request contains SAML assertions.

            2010-04-21 10:29:47,987 ERROR [org.jboss.soa.esb.listeners.message.ActionProcessingPipeline] (pool-21-thread-1) SecurityService exception :
            org.jboss.soa.esb.services.security.SecurityServiceException: Service 'sendExternal' has been configured for security but no AuthenticationRequest could be located in the Message Context. Cannot authenticate without an AuthenticationRequest.
            at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:527)

             

            Can you please suggest if this is an issue with my input token or the esb configuration ?

             

            Thanks,

            Srividhya

            • 3. Re: STSValidatingLoginModule (sample request to the esb)
              Srividhya K Newbie

              Hi Daniel,

               

              I have been using the JBR listener in the SAML Validator esb example for creating the Http end-point.

              The JBR Listener seems to extract only the Http BASIC username & password tokens from the request and creates an auth. request.

               

              I also tried using the HTTP Gateway/Listener.

              This also seems to use only the user-name token and binary-security token extractors for creating the auth. request.

               

              I believe this is why I get the "no Authentication Request in Message Context" error even when the SOAP request contains SAML assertions.

               

              Can you please suggest how I can invoke the extractor for SAML assertions ?

               

              Thanks,

              Srividhya

              • 4. Re: STSValidatingLoginModule (sample request to the esb)
                Daniel Bevenius Master

                You can specify your own message composer for the gateway like this:

                 

                 

                 <jbr-listener name="Http-Gateway" busidref="Http-1" is-gateway="true">
                                    <property name="synchronous" value="false"/>
                                    <property name="composer-class" value="org.jboss.soa.esb.listeners.gateway.MyJBRMessageComposer"/>
                 </jbr-listener>
                

                 

                I've attached the class MyJBRMessageComposer which also adds a SamlAssertionExtractor. You can modify the composer to suite you needs. I just used the JBossRemotingMessageComposer for this.

                 

                I've not had time to try this but hope this helps.

                 

                Regards,

                 

                /Daniel

                • 5. Re: STSValidatingLoginModule (sample request to the esb)
                  Srividhya K Newbie

                  Hi Daniel,

                   

                  Yes, this helped me fix the issue.  Thank you.

                   

                  Regards,

                  Srividhya