4 Replies Latest reply on May 31, 2013 4:14 PM by Indira Akundi

    WS-SecurityPolicy ProtectTokens assertion

    Indira Akundi Newbie

      Using JBoss 7.1.3 and JBoss 7.2, wss4j 1.6.9

       

      Is there support for the ProtectTokens assertion?

       

      JBoss 7.2 Warning:No assertion builder for type {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}ProtectTokens registered

       

      I have tried using JBossWS-CXF SecurityPolicy approach and the wss4jOutInterceptors approach.

       

      The body and timestamp of the message are signed and the SecurityTokenReference contains the SAML.

      But the saml assertion is not referenced in the Signature block along with the timestamp and body.

       

      Is there any way to do this in Jboss?

       

      The policy provided by the web service provider has the ProtectTokens assertion which I believe is getting ignored because of the warning above.

       

      I did see that CXF 2.7.0 probably has a fix for this. 

      Will this be integrated into JBossWS-CXF and JBoss soon?

       

      Thanks

        • 1. Re: WS-SecurityPolicy ProtectTokens assertion
          Alessio Soldano Master

          I'd need to do some checks, but if you're aware of a fix for that being in cxf 2.7 you might want to try the latest WildFly 8.0.0.Alpha1 release, whose JBossWS integration includes Apache CXF 2.7.5.

          • 2. Re: WS-SecurityPolicy ProtectTokens assertion
            Indira Akundi Newbie

            Thanks Alessio.

            I tried Wildfly 8.0.0 Alpha1 with CXF 2.7.5

             

            The SAML assertion is still not signed. The following warning I was seeing in 7.2 is gone though.

            JBoss 7.2 Warning:No assertion builder for type {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}ProtectTokens registered

             

             

            wsdl with policy:

            <?xml version="1.0" encoding="UTF-8"?>
            <wsdl:definitions name="SecurityService"
                              xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                              xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                              xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                              xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples"
                              xmlns:wsp="http://www.w3.org/ns/ws-policy"
                              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                              xmlns:wsaws="http://www.w3.org/2005/08/addressing"
                              xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
                              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                              targetNamespace="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples">
                <wsdl:types>
                    <xsd:schema>
                        <xsd:import namespace="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples" schemaLocation="SecurityService_schema1.xsd"/>
                    </xsd:schema>
                </wsdl:types>
                <wsdl:message name="sayHello">
                    <wsdl:part name="parameters" element="tns:sayHello"/>
                </wsdl:message>
                <wsdl:message name="sayHelloResponse">
                    <wsdl:part name="parameters" element="tns:sayHelloResponse"/>
                </wsdl:message>
                <wsdl:portType name="ServiceIface">
                    <wsdl:operation name="sayHello">
                        <wsdl:input message="tns:sayHello"/>
                        <wsdl:output message="tns:sayHelloResponse"/>
                    </wsdl:operation>
                </wsdl:portType>
             

             
             
                <wsdl:binding name="SecurityService2315PortBinding" type="tns:ServiceIface">
                    <wsp:PolicyReference URI="#HOK"/>
                    <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
                    <wsdl:operation name="sayHello">
                        <soap:operation soapAction=""/>
                        <wsdl:input>
                            <soap:body use="literal"/>
                            <wsp:PolicyReference URI="#Input_Policy"/>
                        </wsdl:input>
                        <wsdl:output>
                            <soap:body use="literal"/>
                            <wsp:PolicyReference URI="#Output_Policy"/>
                        </wsdl:output>
                    </wsdl:operation>
                </wsdl:binding>
             
                <wsdl:service name="SecurityService">
                    <wsdl:port name="SecurityService2315Port" binding="tns:SecurityService2315PortBinding">
                        <soap:address location="http://localhost:8088/"/>
                    </wsdl:port>
                </wsdl:service>
             
                <wsp:Policy wsu:Id="HOK">
                    <wsp:ExactlyOne>
                        <wsp:All>
                            <sp:AsymmetricBinding>
                                <wsp:Policy>
                                    <sp:InitiatorToken>
                                        <wsp:Policy>
                                            <sp:SamlToken
                                                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                                    <wsp:Policy>
                                                    <wsp:ExactlyOne>
                                                        <wsp:All>
                                                            <sp:WssSamlV11Token10/>
                                                        </wsp:All>
                                                        <wsp:All>
                                                            <sp:WssSamlV11Token11/>
                                                        </wsp:All>
                                                    </wsp:ExactlyOne>
                                                </wsp:Policy>
                                            </sp:SamlToken>
                                        </wsp:Policy>
                                    </sp:InitiatorToken>
                                    <sp:AlgorithmSuite>
                                        <wsp:Policy>
                                            <sp:Basic256/>
                                            <sp:STRTransform10/>
                                        </wsp:Policy>
                                    </sp:AlgorithmSuite>
                                    <sp:Layout>
                                        <wsp:Policy>
                                            <sp:Lax/>
                                        </wsp:Policy>
                                    </sp:Layout>
                                    <sp:IncludeTimestamp wsp:Optional="true"/>
                                    <sp:ProtectTokens/>
                                    <sp:OnlySignEntireHeadersAndBody/>
                                </wsp:Policy>
                            </sp:AsymmetricBinding>

             

                            <wsp:ExactlyOne>
                                <wsp:All>
                                </wsp:All>
                                <wsp:All>
                                    <sp:SignedSupportingTokens>
                                        <wsp:Policy>
                                            <sp:X509Token
                                                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                                <wsp:Policy>
                                                    <wsp:ExactlyOne>
                                                        <wsp:All>
                                                            <sp:WssX509V3Token10/>
                                                        </wsp:All>
                                                        <wsp:All>
                                                            <sp:WssX509V3Token11/>
                                                        </wsp:All>
                                                    </wsp:ExactlyOne>
                                                </wsp:Policy>
                                            </sp:X509Token>
                                        </wsp:Policy>
                                    </sp:SignedSupportingTokens>
                                </wsp:All>
                            </wsp:ExactlyOne>
                        </wsp:All>
                    </wsp:ExactlyOne>
                </wsp:Policy>
             
                   
                <wsp:Policy wsu:Id="Input_Policy">
                    <wsp:ExactlyOne>
                        <wsp:All>
                            <sp:EncryptedParts wsp:Optional="true">
                                <sp:Body/>
                            </sp:EncryptedParts>
                            <sp:SignedParts>
                                <sp:Body/>
                            </sp:SignedParts>
                        </wsp:All>
                    </wsp:ExactlyOne>
                </wsp:Policy>
               
                <wsp:Policy wsu:Id="myInput_Policy">
                   
                    <sp:SignedParts>
                        <sp:Body/>
                    </sp:SignedParts>
                    <sp:SignedElements>
                        <sp:XPath>
                            /env11:Header/wsse:Security/saml:Assertion
                        </sp:XPath>
                        <sp:XPath>
                            /env12:Header/wsse:Security/saml:Assertion
                        </sp:XPath>
                    </sp:SignedElements>
                </wsp:Policy>
               
                <wsp:Policy wsu:Id="Output_Policy">
                    <wsp:ExactlyOne>
                        <wsp:All>
                            <sp:EncryptedParts>
                                <sp:Body/>
                            </sp:EncryptedParts>
                            <sp:SignedParts>
                                <sp:Body/>
                            </sp:SignedParts>
                        </wsp:All>
                    </wsp:ExactlyOne>
                </wsp:Policy>
            </wsdl:definitions>

             

            Client:

            public class Client {

                public String hello() {
                    String NS = "http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples";
                    String serviceURL = "http://localhost:8088/SecurityService";
                    // String serviceURLHttps = "http://localhost:8088/service/security/";
                    QName serviceName = new QName(NS, "SecurityService");
            String hello = "Hello";
                    try {


                        Service service = Service.create(new URL(serviceURL + "SecurityService?wsdl"),
                                serviceName);
                        ServiceIface proxy = (ServiceIface) service.getPort(
                                new QName(NS, "SecurityService2315Port"), ServiceIface.class);
                        Map<String, Object> reqCtx = ((BindingProvider) proxy).getRequestContext();
                        SamlCallbackHandler cbh = new SamlCallbackHandler();
                        cbh.setConfirmationMethod("urn:oasis:names:tc:SAML:1.0:cm:holder-of-key");

                        reqCtx.put(SecurityConstants.SAML_CALLBACK_HANDLER, cbh);
                        reqCtx.put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
                        reqCtx.put(SecurityConstants.SIGNATURE_PROPERTIES, Thread.currentThread()
                                .getContextClassLoader().getResource("META-INF/alice.properties"));
                        reqCtx.put(SecurityConstants.ENCRYPT_PROPERTIES, Thread.currentThread()
                                .getContextClassLoader().getResource("META-INF/alice.properties"));
                        reqCtx.put(SecurityConstants.SIGNATURE_USERNAME, "alice");
                        reqCtx.put(SecurityConstants.ENCRYPT_USERNAME, "bob");
                        reqCtx.put(SecurityConstants.SELF_SIGN_SAML_ASSERTION, "true");

                        System.out.println("Calling hello");
                        proxy.sayHello().equals(
                                "Hello - (WSS1.0) SAML1.1 Holder of Key, Sign, Optional Encrypt");
                         hello=proxy.sayHello();
                       

                    } catch (Exception e) {
                        e.printStackTrace();
                    }
                    return hello;
                }

             

            The soap message:

            What is missing is the reference to the STR in the signature block, in bold.  The STR reference in the signature block is not complete, just to illustrate.

             

            <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
               <SOAP-ENV:Header xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
                  <wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                     <wsu:Timestamp wsu:Id="TS-3">
                        <wsu:Created>2013-05-29T15:21:58.825Z</wsu:Created>
                        <wsu:Expires>2013-05-29T15:26:58.825Z</wsu:Expires>
                     </wsu:Timestamp>
                     <saml1:Assertion AssertionID="_BA7B4FA0A32D651F2F13698409188424" IssueInstant="2013-05-29T15:21:58.842Z" Issuer="sts" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType" xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                        <saml1:Conditions NotBefore="2013-05-29T15:21:58.842Z" NotOnOrAfter="2013-05-29T15:26:58.842Z"/>
                        <saml1:AttributeStatement>
                           <saml1:Subject>
                              <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.jbws-cxf-sts.org">uid=sts-client,o=jbws-cxf-sts.com</saml1:NameIdentifier>
                              <saml1:SubjectConfirmation>
                                 <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
                                 <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                    <ds:X509Data>
                                       <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIQM6YEf7FVYx/tZyEXgVComTANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQK
            DAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoX
            DTE4MDMxOTIzNTk1OVowQjEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3Ag
            VGVzdCBDZXJ0MQ4wDAYDVQQDDAVBbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoqi9
            9By1VYo0aHrkKCNT4DkIgPL/SgahbeKdGhrbu3K2XG7arfD9tqIBIKMfrX4Gp90NJa85AV1yiNsE
            yvq+mUnMpNcKnLXLOjkTmMCqDYbbkehJlXPnaWLzve+mW0pJdPxtf3rbD4PS/cBQIvtpjmrDAU8V
            sZKT8DN5Kyz+EZsCAwEAAaOBkzCBkDAJBgNVHRMEAjAAMDMGA1UdHwQsMCowKKImhiRodHRwOi8v
            aW50ZXJvcC5iYnRlc3QubmV0L2NybC9jYS5jcmwwDgYDVR0PAQH/BAQDAgSwMB0GA1UdDgQWBBQK
            4l0TUHZ1QV3V2QtlLNDm+PoxiDAfBgNVHSMEGDAWgBTAnSj8wes1oR3WqqqgHBpNwkkPDzANBgkq
            hkiG9w0BAQUFAAOCAQEABTqpOpvW+6yrLXyUlP2xJbEkohXHI5OWwKWleOb9hlkhWntUalfcFOJA
            gUyH30TTpHldzx1+vK2LPzhoUFKYHE1IyQvokBN2JjFO64BQukCKnZhldLRPxGhfkTdxQgdf5rCK
            /wh3xVsZCNTfuMNmlAM6lOAg8QduDah3WFZpEA0s2nwQaCNQTNMjJC8tav1CBr6+E5FAmwPXP7pJ
            xn9Fw9OXRyqbRA4v2y7YpbGkG2GI9UvOHw6SGvf4FRSthMMO35YbpikGsLix3vAsXWWi4rwfVOYz
            QK0OFPNi9RMCUdSH06m9uLWckiCxjos0FQODZE9l4ATGy9s9hNVwryOJTw==</ds:X509Certificate>
                                    </ds:X509Data>
                                 </ds:KeyInfo>
                              </saml1:SubjectConfirmation>
                           </saml1:Subject>
                           <saml1:Attribute AttributeName="subject-role" AttributeNamespace="http://custom-ns">
                              <saml1:AttributeValue xsi:type="xs:string">system-user</saml1:AttributeValue>
                           </saml1:Attribute>
                        </saml1:AttributeStatement>
                        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                           <ds:SignedInfo>
                              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                              <ds:Reference URI="#_BA7B4FA0A32D651F2F13698409188424">
                                 <ds:Transforms>
                                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                       <ec:InclusiveNamespaces PrefixList="xs" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                    </ds:Transform>
                                 </ds:Transforms>
                                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                 <ds:DigestValue>NdeNEMZiuqgAJaYv+GRnzPhYu8U=</ds:DigestValue>
                              </ds:Reference>
                           </ds:SignedInfo>
                           <ds:SignatureValue>eeS4D+8OThfNVTUieE64JJCR2xMamJ6SeyZh+GiJ5IeNuIl8v4gzW8dYPh0YQCNDttnu+jVTqlwe8iuPiq3qXT7ynI/osnpRg7ZKUbtJ62aLcrPaDmdhns/Ys/H0A3a6xEYjCjz5ykc/6hUmE6zLM5rZpLggQq2MZr9X4KZQzRM=</ds:SignatureValue>
                           <ds:KeyInfo>
                              <ds:X509Data>
                                 <ds:X509Certificate>MIIDDDCCAfSgAwIBAgIQM6YEf7FVYx/tZyEXgVComTANBgkqhkiG9w0BAQUFADAwMQ4wDAYDVQQK
            DAVPQVNJUzEeMBwGA1UEAwwVT0FTSVMgSW50ZXJvcCBUZXN0IENBMB4XDTA1MDMxOTAwMDAwMFoX
            DTE4MDMxOTIzNTk1OVowQjEOMAwGA1UECgwFT0FTSVMxIDAeBgNVBAsMF09BU0lTIEludGVyb3Ag
            VGVzdCBDZXJ0MQ4wDAYDVQQDDAVBbGljZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAoqi9
            9By1VYo0aHrkKCNT4DkIgPL/SgahbeKdGhrbu3K2XG7arfD9tqIBIKMfrX4Gp90NJa85AV1yiNsE
            yvq+mUnMpNcKnLXLOjkTmMCqDYbbkehJlXPnaWLzve+mW0pJdPxtf3rbD4PS/cBQIvtpjmrDAU8V
            sZKT8DN5Kyz+EZsCAwEAAaOBkzCBkDAJBgNVHRMEAjAAMDMGA1UdHwQsMCowKKImhiRodHRwOi8v
            aW50ZXJvcC5iYnRlc3QubmV0L2NybC9jYS5jcmwwDgYDVR0PAQH/BAQDAgSwMB0GA1UdDgQWBBQK
            4l0TUHZ1QV3V2QtlLNDm+PoxiDAfBgNVHSMEGDAWgBTAnSj8wes1oR3WqqqgHBpNwkkPDzANBgkq
            hkiG9w0BAQUFAAOCAQEABTqpOpvW+6yrLXyUlP2xJbEkohXHI5OWwKWleOb9hlkhWntUalfcFOJA
            gUyH30TTpHldzx1+vK2LPzhoUFKYHE1IyQvokBN2JjFO64BQukCKnZhldLRPxGhfkTdxQgdf5rCK
            /wh3xVsZCNTfuMNmlAM6lOAg8QduDah3WFZpEA0s2nwQaCNQTNMjJC8tav1CBr6+E5FAmwPXP7pJ
            xn9Fw9OXRyqbRA4v2y7YpbGkG2GI9UvOHw6SGvf4FRSthMMO35YbpikGsLix3vAsXWWi4rwfVOYz
            QK0OFPNi9RMCUdSH06m9uLWckiCxjos0FQODZE9l4ATGy9s9hNVwryOJTw==</ds:X509Certificate>
                              </ds:X509Data>
                           </ds:KeyInfo>
                        </ds:Signature>
                     </saml1:Assertion>
                     <ds:Signature Id="SIG-4" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                        <ds:SignedInfo>
                           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                              <ec:InclusiveNamespaces PrefixList="soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                           </ds:CanonicalizationMethod>
                           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                           <ds:Reference URI="#TS-3">
                              <ds:Transforms>
                                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList="wsse soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                 </ds:Transform>
                              </ds:Transforms>
                              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                              <ds:DigestValue>Uz8gwkNs+1OUI1sVu9w8DPlpyR0=</ds:DigestValue>
                           </ds:Reference>
                           <ds:Reference URI="#Id-249693261">
                              <ds:Transforms>
                                 <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                                    <ec:InclusiveNamespaces PrefixList="" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                                 </ds:Transform>
                              </ds:Transforms>
                              <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                              <ds:DigestValue>HsVQOP4ySpEaUA0OLuQlZS/t+jM=</ds:DigestValue>
                           </ds:Reference>

            <ds:Reference URI="#Id-249693261="STR-BA7B4FA0A32D651F2F13698409188626">
                        </ds:SignedInfo>
                        <ds:SignatureValue>fUNBgmdq0j+by6XNG/ZGiNnzWuWoRfl4xaCUbINMOF0fLw5S/1+W0ueV/10h4SpHJ//raV1+RBmDHELnhqS4FSXSMVNeGd2UlFzCu9peB7Kg1se5Cc9mH4Ri1T9jU/gCIVCcy5FhF4TgtAfjpEH6tfyi7MUXA1b/P/b5QGbF2+I=</ds:SignatureValue>
                        <ds:KeyInfo Id="KI-BA7B4FA0A32D651F2F13698409188625">
                           <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-BA7B4FA0A32D651F2F13698409188626" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
                              <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BA7B4FA0A32D651F2F13698409188424</wsse:KeyIdentifier>
                           </wsse:SecurityTokenReference>
                        </ds:KeyInfo>
                     </ds:Signature>
                  </wsse:Security>
               </SOAP-ENV:Header>
               <soap:Body wsu:Id="Id-249693261" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                  <ns2:sayHello xmlns:ns2="http://www.jboss.org/jbossws/ws-extensions/wssecuritypolicy/oasis-samples"/>
               </soap:Body>
            </soap:Envelope>

             

            Is there any way to reference the STR in the Signature block?

            Thanks so much.

            • 3. Re: WS-SecurityPolicy ProtectTokens assertion
              Alessio Soldano Master

              Thanks for the details info / report. I reproduced your issue by simply adding the sp:ProtectTokens to the 2.3.1.5 sample wsdl used in the test at org.jboss.test.ws.jaxws.samples.wsse.policy.oasis.WSSecurityPolicyExamples23xTestCase. I've created a jira at Apache: https://issues.apache.org/jira/browse/CXF-5051

              • 4. Re: WS-SecurityPolicy ProtectTokens assertion
                Indira Akundi Newbie

                Thanks Alessio.

                I will look out for updates to CXF and JBossWS-CXF.