ws-dev mailing list archives

From "Viliam Repan (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (WSS-519) SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in EcryptedAssertion element
Date Thu, 13 Nov 2014 11:57:34 GMT

    [ https://issues.apache.org/jira/browse/WSS-519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14209656#comment-14209656 ]

Viliam Repan commented on WSS-519:
----------------------------------

Hi Colm, thanks for the fix. Is there any planned release date for version 2.0.3? I'm asking
because setProcessor doesn't work as expected. Well, it works, but in many places processors
are created on demand. Therefore, if I put just one patched processor (EncryptedKeyProcessor) into WSSConfig:
{code:java}config.setProcessor(WSSecurityEngine.ENCRYPTED_KEY, EncryptedKeyProcessor.class);{code}
then it doesn't really help, because {{EncryptedDataProcessor}} contains:
{code:java}
else if (encryptedKeyElement != null) {
    EncryptedKeyProcessor encrKeyProc = new EncryptedKeyProcessor();
{code}
And there are many places like this. It should probably be something like this:
{code:java}
EncryptedKeyProcessor encrKeyProc = (EncryptedKeyProcessor)
    request.getWssConfig().getProcessor(WSSecurityEngine.ENCRYPTED_KEY);
{code}
This is probably for another JIRA issue...

> SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in EcryptedAssertion element
> -----------------------------------------------------------------------------------------------
>
>                 Key: WSS-519
>                 URL: https://issues.apache.org/jira/browse/WSS-519
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.15, 1.6.16, 2.0.2, 1.6.17
>         Environment: MS ADFS 2.0, CXF 3.0.2, CXF 2.7.11
>            Reporter: Erik Mocny
>            Assignee: Colm O hEigeartaigh
>              Labels: encryptedassertion, saml, securitytokenreference, wss4j
>             Fix For: 2.0.3
>
>
> Hi,
> we currently have a setup with an ADFS 2.0 STS and, on the ESB, CXF 2.7.11, whose dependency is WSS4J 1.6.15.
> Currently everything works as expected, but only for the SAML 1.1 TokenType.
> The problem resides in the SAML 2.0 token response. For a SAML 1.1 token, the response (the important part of it) looks like:
> {code:xml}
>    <trust:RequestedSecurityToken>
>                     <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
>                                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>                         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>                         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>                             <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>                                 <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>                                     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                                 </e:EncryptionMethod>
>                                 <KeyInfo>
>                                     <o:SecurityTokenReference
>                                             xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                                         <X509Data>
> {code}
> For SAML 2.0, RSTR (just our part) looks like:
> {code:xml}
>     <trust:RequestedSecurityToken>
>                     <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>                         <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
>                                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>                             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>                             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>                                 <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>                                     <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>                                         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                                     </e:EncryptionMethod>
>                                     <KeyInfo>
>                                         <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> {code}
> Please notice missing token referencing element: *SecurityTokenReference*
> WSS4J then while trying to decrypt SAML throws an exception:
> {noformat}
> 2014-11-05 07:24:03,655 [http-/127.0.0.1:8443-2] WARN  (org.apache.cxf.phase.PhaseInterceptorChain): Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header.
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:852) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:327) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:121) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:106) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) ~[cxf-api-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar!/:1.0.2.Final-redhat-1]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.3.0.Final-redhat-14.jar!/:7.3.0.Final-redhat-14]
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at java.lang.Thread.run(Thread.java:745) [na:1.7.0_60]
> Caused by: org.apache.ws.security.WSSecurityException: General security error (Bad element, expected "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference" while got "{http://www.w3.org/2000/09/xmldsig#}X509Data")
> 	at org.apache.ws.security.message.token.SecurityTokenReference.<init>(SecurityTokenReference.java:93) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.str.EncryptedKeySTRParser.parseSecurityTokenReference(EncryptedKeySTRParser.java:80) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:309) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:126) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:65) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedDataProcessor.handleToken(EncryptedDataProcessor.java:113) ~[wss4j-1.6.15.jar:1.6.15]
> 	at sk.dcom.poc.service.doubleit.security.EncryptedAssertionProcessor.handleToken(EncryptedAssertionProcessor.java:54) ~[classes:na]
> 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	... 26 common frames omitted
> {noformat}
> I've also tried CXF 3.0.2, which uses WSS4J 2.0.2, but the exception is there too.
> I then tried changing only the WSS4J version (1.6.16, 1.6.17) - we are locked at 2.7.11 because of the ESB - still the same issue :/
> Could you please give me some clues so I can maybe handle it manually and correctly reference the token for the WSS4J decryption process? (if there is any)
> Thanks for all your answers



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
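Added example, not code from the ticket, from WSS4J or from CXF: a small Python resolver for the two xenc:EncryptedKey/ds:KeyInfo shapes quoted in the issue. It accepts both the SAML 1.1 form (wsse:SecurityTokenReference wrapping ds:X509Data) and the SAML 2.0 form (bare ds:X509Data, the one WSS4J 1.6.x rejects with the "Bad element" error above), restricts the key-transport algorithm to an allowlist, and only ever selects a decryption key the receiver itself holds, so certificate material supplied by the peer is never trusted. The two XML fragments, the X509IssuerSerial values, the KEYSTORE mapping and all function names are constructed for this example.

```python
"""Resolve the key-transport reference in xenc:EncryptedKey/ds:KeyInfo.

WSS4J 1.6.x required a wsse:SecurityTokenReference there; XML Encryption also
allows a bare ds:X509Data, which is what ADFS emits for a SAML 2.0
EncryptedAssertion. Both shapes are accepted and mapped onto a key we hold.
Sample documents and the keystore are constructed for this example.
"""
import xml.etree.ElementTree as ET

NS = {
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}

# Key-transport algorithms we will unwrap with. PKCS#1 v1.5 (xmlenc#rsa-1_5)
# is deliberately absent: it is the classic padding-oracle target.
KEY_TRANSPORT_ALLOWED = {
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
    "http://www.w3.org/2009/xmlenc11#rsa-oaep",
}

# Constructed: the SAML 1.1 shape from the ticket, STR wrapping the X509Data.
SAML11_ENCRYPTED_DATA = """<xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
 <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
   <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></e:EncryptionMethod>
   <KeyInfo><o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <X509Data><X509IssuerSerial><X509IssuerName>CN=ADFS Encryption</X509IssuerName><X509SerialNumber>4711</X509SerialNumber></X509IssuerSerial></X509Data>
   </o:SecurityTokenReference></KeyInfo>
   <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>
  </e:EncryptedKey>
 </KeyInfo>
 <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
</xenc:EncryptedData>"""

# Constructed: the SAML 2.0 shape from the ticket, bare ds:X509Data and no STR.
SAML20_ENCRYPTED_ASSERTION = """<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
 <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
   <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/></e:EncryptionMethod>
    <KeyInfo><ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:X509IssuerSerial><ds:X509IssuerName>CN=ADFS Encryption</ds:X509IssuerName><ds:X509SerialNumber>4711</ds:X509SerialNumber></ds:X509IssuerSerial>
    </ds:X509Data></KeyInfo>
    <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>
   </e:EncryptedKey>
  </KeyInfo>
  <xenc:CipherData><xenc:CipherValue>BBBB</xenc:CipherValue></xenc:CipherData>
 </xenc:EncryptedData>
</EncryptedAssertion>"""

# Constructed keystore: (issuer DN, serial) -> alias of a private key we hold.
KEYSTORE = {("CN=ADFS Encryption", "4711"): "esb-enc"}


def resolve_encrypted_key(xml_text):
    """Return {'shape', 'algorithm', 'issuer', 'serial'} for the first EncryptedKey."""
    root = ET.fromstring(xml_text)
    enc_key = root.find(".//ds:KeyInfo/xenc:EncryptedKey", NS)
    if enc_key is None:
        raise ValueError("no xenc:EncryptedKey under a ds:KeyInfo")
    method = enc_key.find("xenc:EncryptionMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg not in KEY_TRANSPORT_ALLOWED:
        raise ValueError("key transport algorithm not allowed: %r" % alg)
    key_info = enc_key.find("ds:KeyInfo", NS)
    if key_info is None:
        raise ValueError("EncryptedKey carries no KeyInfo")
    # WS-Security shape: KeyInfo/wsse:SecurityTokenReference/ds:X509Data.
    # XML Encryption shape: KeyInfo/ds:X509Data, the one WSS4J 1.6.x rejected.
    str_el = key_info.find("wsse:SecurityTokenReference", NS)
    container, shape = (str_el, "str") if str_el is not None else (key_info, "bare")
    issuer_serial = container.find("ds:X509Data/ds:X509IssuerSerial", NS)
    if issuer_serial is None:
        raise ValueError("only X509IssuerSerial references are handled here")
    return {
        "shape": shape,
        "algorithm": alg,
        "issuer": issuer_serial.findtext("ds:X509IssuerName", namespaces=NS).strip(),
        "serial": issuer_serial.findtext("ds:X509SerialNumber", namespaces=NS).strip(),
    }


def select_decryption_key(ref, keystore):
    """Map the reference onto a key we hold; certificate bytes from the peer are never trusted."""
    alias = keystore.get((ref["issuer"], ref["serial"]))
    if alias is None:
        raise KeyError("no private key for issuer=%s serial=%s" % (ref["issuer"], ref["serial"]))
    return alias


def accepts(xml_text, keystore=KEYSTORE):
    """True only if the EncryptedKey parses, uses an allowed algorithm and names a key we hold."""
    try:
        select_decryption_key(resolve_encrypted_key(xml_text), keystore)
        return True
    except (ValueError, KeyError, ET.ParseError):
        return False


if __name__ == "__main__":
    for name, doc in (("SAML 1.1", SAML11_ENCRYPTED_DATA), ("SAML 2.0", SAML20_ENCRYPTED_ASSERTION)):
        ref = resolve_encrypted_key(doc)
        print(name, ref["shape"], ref["issuer"], ref["serial"], "->", select_decryption_key(ref, KEYSTORE))
```

The check that matters is the last one: whichever shape the KeyInfo takes, the issuer/serial pair is only a lookup key into material the receiver already owns. Accepting a bare ds:X509Data is harmless as long as an embedded X509Certificate is never used as the decryption credential itself; likewise, an EncryptedKey naming rsa-1_5 is refused before any unwrap is attempted.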

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org

