ws-dev mailing list archives

From "Erik Mocny (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WSS-519) SAML 2.0 - KeyInfo in EcryptedAssertion doesn't contains SecurityTokenReference
Date Wed, 05 Nov 2014 07:05:35 GMT

     [ https://issues.apache.org/jira/browse/WSS-519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erik Mocny updated WSS-519:
---------------------------
    Description: 
Hi,

We have a current setup with an ADFS 2.0 STS and, on the ESB, CXF 2.7.11, whose dependency is WSS4J 1.6.15.

Currently everything works as expected but only for SAML 1.1 TokenType.

The problem resides in the SAML 2.0 token response. For a SAML 1.1 token, the important part of it looks like:
{code:xml}
   <trust:RequestedSecurityToken>
                    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                                        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
                        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                            <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                                    <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                </e:EncryptionMethod>
                                <KeyInfo>
                                    <o:SecurityTokenReference
                                            xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                                        <X509Data>
{code}

For SAML 2.0, the RSTR (just our part) looks like:
{code:xml}
    <trust:RequestedSecurityToken>
                    <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
                        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                                            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
                            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
                            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                                <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                                    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                                        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                                    </e:EncryptionMethod>
                                    <KeyInfo>
                                        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
{code}

Please notice the missing token-referencing element: *SecurityTokenReference*

When WSS4J tries to decrypt the SAML token, I get an exception:

{noformat}
2014-11-05 07:24:03,655 [http-/127.0.0.1:8443-2] WARN  (org.apache.cxf.phase.PhaseInterceptorChain): Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header.
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:852) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:327) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:121) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:106) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) ~[cxf-api-2.7.11.jar:2.7.11]
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.11.jar:2.7.11]
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar!/:1.0.2.Final-redhat-1]
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.3.0.Final-redhat-14.jar!/:7.3.0.Final-redhat-14]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
	at java.lang.Thread.run(Thread.java:745) [na:1.7.0_60]
Caused by: org.apache.ws.security.WSSecurityException: General security error (Bad element, expected "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference" while got "{http://www.w3.org/2000/09/xmldsig#}X509Data")
	at org.apache.ws.security.message.token.SecurityTokenReference.<init>(SecurityTokenReference.java:93) ~[wss4j-1.6.15.jar:1.6.15]
	at org.apache.ws.security.str.EncryptedKeySTRParser.parseSecurityTokenReference(EncryptedKeySTRParser.java:80) ~[wss4j-1.6.15.jar:1.6.15]
	at org.apache.ws.security.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:309) ~[wss4j-1.6.15.jar:1.6.15]
	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:126) ~[wss4j-1.6.15.jar:1.6.15]
	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:65) ~[wss4j-1.6.15.jar:1.6.15]
	at org.apache.ws.security.processor.EncryptedDataProcessor.handleToken(EncryptedDataProcessor.java:113) ~[wss4j-1.6.15.jar:1.6.15]
	at sk.dcom.poc.service.doubleit.security.EncryptedAssertionProcessor.handleToken(EncryptedAssertionProcessor.java:54) ~[classes:na]
	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) ~[wss4j-1.6.15.jar:1.6.15]
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
	... 26 common frames omitted
{noformat}

I also tried CXF 3.0.2, which uses WSS4J 2.0.2; the error is there too.
I also tried changing only the WSS4J version (1.6.16, 1.6.17); we are locked at 2.7.11 because of the ESB.

Could you please give me some clues so that I can maybe handle it manually and correctly reference the token for the WSS4J decryptor (if there is some way)?

Thanks for all your answers



> SAML 2.0 - KeyInfo in EcryptedAssertion doesn't contains SecurityTokenReference
> -------------------------------------------------------------------------------
>
>                 Key: WSS-519
>                 URL: https://issues.apache.org/jira/browse/WSS-519
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.15, 1.6.16, 2.0.2, 1.6.17
>         Environment: MS ADFS 2.0, CXF 3.0.2, CXF 2.7.11
>            Reporter: Erik Mocny
>            Assignee: Colm O hEigeartaigh
>            Priority: Blocker
>              Labels: encryptedassertion, saml, securitytokenreference, wss4j
>



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
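The exception in the report comes down to one structural difference between the two KeyInfo fragments: under the SAML 1.1 token the EncryptedKey's KeyInfo holds a wsse:SecurityTokenReference, under the SAML 2.0 EncryptedAssertion it holds a bare ds:X509Data, and WSS4J's EncryptedKeySTRParser insists on the former. The following Java class is an added example, not code from the WSS-519 report and not WSS4J or CXF code: it parses a constructed copy of the SAML 2.0 fragment, classifies which of the two shapes the EncryptedKey/KeyInfo has, and, as one possible form of the manual handling the reporter asks about, moves the bare X509Data inside a freshly created SecurityTokenReference so the element matches the SAML 1.1 shape the report says works. The class name, the placeholder certificate, wrapped key and ciphertext values, and the assumption that WSS4J will accept the rewritten SecurityTokenReference/X509Data form are mine, not the project's.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;

/** Added example; hypothetical class, not part of the report or of WSS4J/CXF. */
public class EncryptedKeyKeyInfoCheck {
    static final String XENC = "http://www.w3.org/2001/04/xmlenc#";
    static final String DS   = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

    /** Namespace-aware parser with DOCTYPEs refused: tokens from an STS are still untrusted input. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    static boolean is(Node n, String ns, String local) {
        return n != null && ns.equals(n.getNamespaceURI()) && local.equals(n.getLocalName());
    }

    /** First element child, skipping whitespace text nodes; null if there is none. */
    static Element firstElementChild(Element e) {
        for (Node n = e.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE) return (Element) n;
        }
        return null;
    }

    /** The ds:KeyInfo directly under the first xenc:EncryptedKey, or null. */
    static Element encryptedKeyKeyInfo(Document doc) {
        NodeList keys = doc.getElementsByTagNameNS(XENC, "EncryptedKey");
        if (keys.getLength() == 0) return null;
        for (Node n = keys.item(0).getFirstChild(); n != null; n = n.getNextSibling()) {
            if (is(n, DS, "KeyInfo")) return (Element) n;
        }
        return null;
    }

    /** "STR" = SAML 1.1 shape from the report, "X509Data" = SAML 2.0 shape, else "missing"/"other". */
    static String classify(Document doc) {
        Element ki = encryptedKeyKeyInfo(doc);
        Element first = ki == null ? null : firstElementChild(ki);
        if (first == null) return "missing";
        if (is(first, WSSE, "SecurityTokenReference")) return "STR";
        if (is(first, DS, "X509Data")) return "X509Data";
        return "other";
    }

    /** Wraps a bare ds:X509Data in a new wsse:SecurityTokenReference; true if the DOM was changed. */
    static boolean wrapX509DataInStr(Document doc) {
        if (!"X509Data".equals(classify(doc))) return false;
        Element ki = encryptedKeyKeyInfo(doc);
        Element x509 = firstElementChild(ki);
        Element str = doc.createElementNS(WSSE, "wsse:SecurityTokenReference");
        ki.insertBefore(str, x509);   // the STR takes X509Data's position under KeyInfo ...
        str.appendChild(x509);        // ... and X509Data is moved inside it
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the SAML 2.0 shape from the report completed to well-formed XML.
        // Certificate, wrapped key and ciphertext are placeholders, not real values.
        String saml2 =
            "<EncryptedAssertion xmlns=\"urn:oasis:names:tc:SAML:2.0:assertion\">"
          + " <xenc:EncryptedData Type=\"http://www.w3.org/2001/04/xmlenc#Element\" xmlns:xenc=\"" + XENC + "\">"
          + "  <xenc:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#aes256-cbc\"/>"
          + "  <KeyInfo xmlns=\"" + DS + "\">"
          + "   <e:EncryptedKey xmlns:e=\"" + XENC + "\">"
          + "    <e:EncryptionMethod Algorithm=\"http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p\">"
          + "     <DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>"
          + "    </e:EncryptionMethod>"
          + "    <KeyInfo><ds:X509Data xmlns:ds=\"" + DS + "\">"
          + "     <ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate></ds:X509Data></KeyInfo>"
          + "    <e:CipherData><e:CipherValue>PLACEHOLDER-WRAPPED-KEY</e:CipherValue></e:CipherData>"
          + "   </e:EncryptedKey>"
          + "  </KeyInfo>"
          + "  <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>"
          + " </xenc:EncryptedData>"
          + "</EncryptedAssertion>";
        Document doc = parse(saml2);
        System.out.println("before rewrite: " + classify(doc));
        System.out.println("rewritten:      " + wrapX509DataInStr(doc));
        System.out.println("after rewrite:  " + classify(doc));
    }
}
```

Compile and run it with `javac EncryptedKeyKeyInfoCheck.java && java EncryptedKeyKeyInfoCheck`; the classification changes from X509Data to STR after the rewrite. The rewrite changes only how the encrypted key is labelled: the KeyInfo inside an EncryptedKey is a hint telling the recipient which of its own certificates to decrypt with, and decryption still runs against the recipient's private key, so a receiver that applies such a rewrite should still check the hinted certificate against its configured decryption certificate rather than follow the hint blindly.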

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org

