ws-dev mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-519) SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in EcryptedAssertion element
Date Mon, 10 Nov 2014 10:25:34 GMT

    [ https://issues.apache.org/jira/browse/WSS-519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14204610#comment-14204610 ]

Colm O hEigeartaigh commented on WSS-519:
-----------------------------------------

That error is expected, as not having a SecurityTokenReference in place breaks the Basic Security
Profile specification as per the error message:

BSP:R5426: Any ENC_KEY_INFO MUST contain a child SECURITY_TOKEN_REFERENCE

To get it working you will need to disable "BSP compliance". In CXF you can do this by setting
the JAX-WS property "ws-security.is-bsp-compliant" to "false" if you are using WS-SecurityPolicy.
If you are configuring the WSS4JInInterceptor directly via properties, it's "isBSPCompliant".

Colm.

> SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in EcryptedAssertion element
> -----------------------------------------------------------------------------------------------
>
>                 Key: WSS-519
>                 URL: https://issues.apache.org/jira/browse/WSS-519
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.15, 1.6.16, 2.0.2, 1.6.17
>         Environment: MS ADFS 2.0, CXF 3.0.2, CXF 2.7.11
>            Reporter: Erik Mocny
>            Assignee: Colm O hEigeartaigh
>              Labels: encryptedassertion, saml, securitytokenreference, wss4j
>             Fix For: 2.0.3
>
>
> Hi,
> we have a current setup with an ADFS 2.0 STS and, on the ESB, CXF 2.7.11, whose dependency is WSS4J 1.6.15.
> Currently everything works as expected, but only for the SAML 1.1 TokenType.
> The problem resides in the SAML 2.0 token response. For the SAML 1.1 token, the important part of the response looks like:
> {code:xml}
>    <trust:RequestedSecurityToken>
>                     <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
>                                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>                         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>                         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>                             <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>                                 <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>                                     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                                 </e:EncryptionMethod>
>                                 <KeyInfo>
>                                     <o:SecurityTokenReference
>                                             xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                                         <X509Data>
> {code}
> For SAML 2.0, RSTR (just our part) looks like:
> {code:xml}
>     <trust:RequestedSecurityToken>
>                     <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>                         <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
>                                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>                             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>                             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>                                 <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>                                     <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>                                         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                                     </e:EncryptionMethod>
>                                     <KeyInfo>
>                                         <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> {code}
> Please notice missing token referencing element: *SecurityTokenReference*
> WSS4J then while trying to decrypt SAML throws an exception:
> {noformat}
> 2014-11-05 07:24:03,655 [http-/127.0.0.1:8443-2] WARN  (org.apache.cxf.phase.PhaseInterceptorChain): Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header.
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:852) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:327) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:121) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:106) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) ~[cxf-api-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar!/:1.0.2.Final-redhat-1]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.3.0.Final-redhat-14.jar!/:7.3.0.Final-redhat-14]
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at java.lang.Thread.run(Thread.java:745) [na:1.7.0_60]
> Caused by: org.apache.ws.security.WSSecurityException: General security error (Bad element, expected "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference" while got "{http://www.w3.org/2000/09/xmldsig#}X509Data")
> 	at org.apache.ws.security.message.token.SecurityTokenReference.<init>(SecurityTokenReference.java:93) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.str.EncryptedKeySTRParser.parseSecurityTokenReference(EncryptedKeySTRParser.java:80) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:309) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:126) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:65) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedDataProcessor.handleToken(EncryptedDataProcessor.java:113) ~[wss4j-1.6.15.jar:1.6.15]
> 	at sk.dcom.poc.service.doubleit.security.EncryptedAssertionProcessor.handleToken(EncryptedAssertionProcessor.java:54) ~[classes:na]
> 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	... 26 common frames omitted
> {noformat}
> I've also tried CXF 3.0.2, which uses WSS4J 2.0.2, but the exception is there too.
> I then tried changing only the WSS4J version (1.6.16, 1.6.17), since we are locked at CXF 2.7.11 because of the ESB, but it's still the same issue :/
> Could you please give me some clues so I can maybe handle it manually and correctly reference the token for the WSS4J decryption process (if there is any)?
> Thanks for all your answers.
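As an added illustration of Colm's two configuration paths (not code from the issue, CXF or WSS4J), the snippet below switches off BSP compliance on a CXF server endpoint so the ADFS EncryptedKey whose KeyInfo carries X509Data instead of a SecurityTokenReference is accepted. It assumes CXF 2.7.x / WSS4J 1.6.x package names, a hypothetical DoubleItPortTypeImpl implementor, a hypothetical decryption.properties crypto file and a hypothetical DecryptionPasswordCallback class.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.handler.WSHandlerConstants;

public class BspComplianceConfig {

    // Property names exactly as given in the JIRA comment (CXF also exposes
    // them as SecurityConstants.IS_BSP_COMPLIANT / WSHandlerConstants.IS_BSP_COMPLIANT).
    static final String JAXWS_BSP_PROP = "ws-security.is-bsp-compliant";
    static final String WSS4J_BSP_PROP = "isBSPCompliant";

    // Path 1: the endpoint is secured by WS-SecurityPolicy, so the
    // PolicyBasedWSS4JInInterceptor reads the JAX-WS property from the endpoint.
    static EndpointImpl publishPolicyBased(Object implementor, String address) {
        EndpointImpl endpoint = new EndpointImpl(implementor);
        // Scope the relaxation to this one endpoint rather than bus-wide, so every
        // other service keeps the full set of BSP checks (R5426 is only one of them).
        endpoint.getProperties().put(JAXWS_BSP_PROP, "false");
        endpoint.publish(address);
        return endpoint;
    }

    // Path 2: WSS4JInInterceptor is configured directly, so the switch goes into
    // the interceptor's own property map next to the decryption settings.
    static WSS4JInInterceptor buildDecryptingInterceptor() {
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(WSHandlerConstants.ACTION, WSHandlerConstants.ENCRYPT);
        props.put(WSHandlerConstants.DEC_PROP_FILE, "decryption.properties"); // assumed file
        props.put(WSHandlerConstants.PW_CALLBACK_CLASS,
                  "sk.dcom.poc.service.doubleit.security.DecryptionPasswordCallback"); // assumed class
        props.put(WSS4J_BSP_PROP, "false");
        return new WSS4JInInterceptor(props);
    }

    static EndpointImpl publishDirect(Object implementor, String address) {
        EndpointImpl endpoint = new EndpointImpl(implementor);
        endpoint.getInInterceptors().add(buildDecryptingInterceptor());
        endpoint.publish(address);
        return endpoint;
    }

    public static void main(String[] args) {
        // Use one path or the other, never both for the same endpoint.
        publishPolicyBased(new DoubleItPortTypeImpl(), "http://localhost:9001/doubleit"); // assumed impl
    }
}
```

Once the token is accepted, the EncryptedKey is still decrypted with the endpoint's own private key and the assertion signature is still verified; only the structural STR requirement is relaxed.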



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


