Posted to users@cxf.apache.org by John Hite <jh...@appsecinc.com> on 2010/03/01 20:19:14 UTC
STSClient in CXF 2.2.6 not binding wst prefix.
Hi, I am trying to create an STS using CXF. Right now I have a very basic STS implementation that just returns a hard-coded SAML 2.0 token. Right now I am just creating the STS client and calling requestSecurityToken(). I was using CXF 2.2.5 and I was able to send the request and get my hard-coded SAML token back, but the STSClient was throwing an exception saying that it could not determine a Token ID from the RequestSecurityToken Response. I tried using CXF 2.2.6, but the message that the STS client sends is not valid.
CXF 2.2.5 message
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:011b65c5-dffd-4ddb-9ab5-56ec9dd357fe</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost/services/sts</To>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
  </soap:Header>
  <soap:Body>
    <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType>
      <wst:KeySize>256</wst:KeySize>
      <wst:Entropy>
        <wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">7ZKTA8MENMk=</wst:BinarySecret>
      </wst:Entropy>
      <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>
CXF 2.2.6 message
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:5a5d50d4-f6f4-4d92-a6e7-2a98dbd2f1a5</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing">http://localhost/services/sts</To>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
  </soap:Header>
  <soap:Body>
    <wst:RequestSecurityToken>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType>
      <wst:KeySize>256</wst:KeySize>
      <wst:Entropy>
        <wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">cLzr27D8kZs=</wst:BinarySecret>
      </wst:Entropy>
      <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>
Notice the missing wst namespace binding on <wst:RequestSecurityToken>. Anyone know what is causing this?
Here's the response I send from the STS's Issue method.
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:4f9fed96-7d08-40f2-b6fb-3f59361dfd69</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</To>
    <RelatesTo xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:bf2877a6-effc-488e-9e43-6592c6146263</RelatesTo>
  </soap:Header>
  <soap:Body>
    <ns2:RequestSecurityTokenResponse xmlns="http://service.example.com" xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <ns2:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns2:TokenType>
      <ns2:RequestedSecurityToken>
        <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="12345" IssueInstant="2010-03-01T14:12:17.649-05:00" Version="2.0">
          <saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="nycapt35k.com">http://service.example.com</saml2:Issuer>
          <ds:Signature>
            <ds:SignedInfo>
              <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#12345">
                <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>YjV9NMHmUX/6uMK23I0e/ZsQyWk=</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
              K9OkRkOrCTWWq0GsDqsdiz7ZO6Do0/hcrJ3sXo80H9wERrCZnOl6ruSWZHAOCpm+1oaieDIDWyR8
              FzZnjuE60aSQWXCZfgDQDs/ldEEg7B1KR4nzYnRl0PlFMeFZzlTT2CLIOnexwMrfPBihNktz4JcB
              rRt0VwNAABCsPen9oSU=
            </ds:SignatureValue>
            <ds:KeyInfo>
              <ds:KeyValue>
                <ds:RSAKeyValue>
                  <ds:Modulus>
                    hP+W377YbK5AkrcEINzfaTR/YNk2lDgRia8FVeoOr8guwxKwsuvQ+9Nq7F74i53Y7my2fV+8WwWN
                    R/5ewSbSTpzYYVH1SAxp+EcZNkedP6f6x+W6uVIkm2W3jg2k+h9yV3l2e9iJXbQ61nGNbMetKwgr
                    Wmy0vFNaq5DhLPQi8D8=
                  </ds:Modulus>
                  <ds:Exponent>AQAB</ds:Exponent>
                </ds:RSAKeyValue>
              </ds:KeyValue>
            </ds:KeyInfo>
          </ds:Signature>
          <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:x509SubjectName" NameQualifier="example.com">jdoe</saml2:NameID>
          </saml2:Subject>
          <saml2:AuthnStatement AuthnInstant="2010-03-01T14:12:17.649-05:00">
            <saml2:AuthnContext>
              <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
              <saml2:AuthenticatingAuthority/>
            </saml2:AuthnContext>
          </saml2:AuthnStatement>
        </saml2:Assertion>
      </ns2:RequestedSecurityToken>
    </ns2:RequestSecurityTokenResponse>
  </soap:Body>
</soap:Envelope>
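Two checks a practitioner would want around the request above, as an added example that is not part of the original post and not CXF code. First, that the serialized RST is namespace-well-formed before it leaves the client: the 2.2.6 body fails in a conforming parser for exactly the reason an STS would reject it. Second, what an STS does with the Entropy and ComputedKeyAlgorithm the request carries: the CK/PSHA1 derivation is P_SHA1 from TLS with the requestor's entropy as secret and the issuer's as seed, truncated to KeySize bits. RST_GOOD is the 2.2.5 body from the post, RST_BAD is that body with the xmlns:wst declaration dropped, and the issuer entropy is a constructed value. Note that the posted nonce decodes to only 8 bytes, so the STS must add at least KeySize bits of fresh entropy of its own rather than echoing the client's.

```python
"""Validate an outgoing WS-Trust 1.3 RST and derive the CK/PSHA1 key from it.

Added example for this thread; it is not CXF code. RST_GOOD is the SOAP Body
of the CXF 2.2.5 request from the post; RST_BAD reproduces the 2.2.6 defect by
dropping the xmlns:wst declaration. The issuer entropy used at the bottom is a
constructed value, not anything produced by an STS on the page.
"""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NONCE_TYPE = WST + "/Nonce"
CK_PSHA1 = WST + "/CK/PSHA1"
SYMMETRIC_KEY = WST + "/SymmetricKey"

RST_GOOD = """\
<wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType>
  <wst:KeySize>256</wst:KeySize>
  <wst:Entropy>
    <wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">7ZKTA8MENMk=</wst:BinarySecret>
  </wst:Entropy>
  <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
</wst:RequestSecurityToken>
"""
# What CXF 2.2.6 sent: the same body with the wst prefix used but never declared.
RST_BAD = RST_GOOD.replace(' xmlns:wst="' + WST + '"', "", 1)


def namespace_error(xml_text):
    """Return the parser's complaint if the document is not namespace-well-formed, else None.

    Run this on the serialized request before sending it: a conforming parser on
    the STS side rejects an unbound prefix outright.
    """
    try:
        ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return str(exc)
    return None


def parse_rst(xml_text):
    """Pull the fields an STS needs from an Issue request; reject anything unexpected."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}RequestSecurityToken" % WST:
        raise ValueError("not a WS-Trust 1.3 RequestSecurityToken: %s" % root.tag)

    def child_text(name):
        el = root.find("{%s}%s" % (WST, name))
        return el.text.strip() if el is not None and el.text else None

    secret = root.find("{%s}Entropy/{%s}BinarySecret" % (WST, WST))
    if secret is None or secret.get("Type") != NONCE_TYPE or not secret.text:
        raise ValueError("RST carries no Nonce-typed requestor entropy")
    return {
        "request_type": child_text("RequestType"),
        "key_type": child_text("KeyType"),
        "key_size": int(child_text("KeySize")),
        "computed_key_algorithm": child_text("ComputedKeyAlgorithm"),
        "requestor_entropy": base64.b64decode(secret.text.strip()),
    }


def p_sha1(secret, seed, length):
    """P_SHA1 from TLS (RFC 2246 section 5), which WS-Trust's CK/PSHA1 refers to."""
    output = b""
    a = seed                                                     # A(0)
    while len(output) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()           # A(i)
        output += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return output[:length]


def computed_key(rst, issuer_entropy):
    """STS side of CK/PSHA1: key = P_SHA1(EntREQ, EntRES), truncated to KeySize bits."""
    if rst["key_type"] != SYMMETRIC_KEY:
        raise ValueError("computed keys only apply to SymmetricKey requests")
    if rst["computed_key_algorithm"] != CK_PSHA1:
        raise ValueError("unsupported ComputedKeyAlgorithm: %r" % rst["computed_key_algorithm"])
    if len(issuer_entropy) * 8 < rst["key_size"]:
        # The requestor's nonce in the post is only 8 bytes. The key is only as
        # unpredictable as the entropy both sides put in, so the STS must add at
        # least KeySize bits of its own rather than relying on the client's.
        raise ValueError("issuer entropy shorter than the requested key")
    return p_sha1(rst["requestor_entropy"], issuer_entropy, rst["key_size"] // 8)


if __name__ == "__main__":
    print("2.2.5 body:", namespace_error(RST_GOOD))
    print("2.2.6 body:", namespace_error(RST_BAD))
    rst = parse_rst(RST_GOOD)
    print("requestor entropy: %d bytes" % len(rst["requestor_entropy"]))
    issuer_entropy = bytes(range(32))   # constructed; a real STS draws this from os.urandom
    print("computed key:", computed_key(rst, issuer_entropy).hex())
```

The same derivation runs on the client once the RSTR's Entropy arrives, which is why the posted STS response, which carries neither Entropy nor a RequestedProofToken, could not yet give the requestor a key at all.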
Re: STSClient in CXF 2.2.6 not binding wst prefix.
Posted by Daniel Kulp <dk...@apache.org>.
Just an FYI: my fix is committed so the latest snapshots should work with the other parsers.
Dan
On Tuesday 02 March 2010 11:01:53 am John Hite wrote:
> I was using stax-ex because it was required by xwss, which I use to build
> my SAML Token. I switched to woodstox on the client side and it serializes
> the request properly now.
>
> I also figured out my Token ID problem. I wasn't including a
> RequestedAttachedReference which was necessary since SAML tokens don't
> have a wsu:Id attribute.
>
> Thanks,
> John
>
--
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
RE: STSClient in CXF 2.2.6 not binding wst prefix.
Posted by John Hite <jh...@appsecinc.com>.
I was using stax-ex because it was required by xwss, which I use to build my SAML Token. I switched to woodstox on the client side and it serializes the request properly now.
I also figured out my Token ID problem. I wasn't including a RequestedAttachedReference which was necessary since SAML tokens don't have a wsu:Id attribute.
Thanks,
John
-----Original Message-----
From: Daniel Kulp [mailto:dkulp@apache.org]
Sent: Monday, March 01, 2010 10:20 PM
To: users@cxf.apache.org
Cc: John Hite
Subject: Re: STSClient in CXF 2.2.6 not binding wst prefix.
Do you know what stax parser you are picking up? Can you check to make sure woodstox is there?
That said, I see what is going on and am testing a fix now.
Dan
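John's second finding, as an added example that is neither his code nor CXF's: the requestor has to be told which ID identifies the returned token, because a SAML assertion carries ID (or AssertionID in SAML 1.1) rather than wsu:Id. The RSTR below is constructed from the shape of the posted response with the digest, signature and key values elided; the RequestedAttachedReference, SecurityTokenReference and KeyIdentifier ValueType are the SAML Token Profile 1.1 form for a SAML 2.0 assertion, and the cross-checks of the reference against the assertion's own ID and the ds:Reference URI are this example's additions, the sort of consistency check a client should make before trusting the token it was handed.

```python
"""Resolve the token ID from a WS-Trust 1.3 RSTR the way a requestor must.

Added example for this thread; it is not CXF code. RSTR_WITHOUT_REFERENCE is
built from the posted response (SAML 2.0 assertion with ID "12345", enveloped
signature over "#12345") with the cryptographic values elided; like the posted
response it lacks the RequestedAttachedReference the STSClient was looking for.
"""
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
SAML2_ID_VALUE_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"

for _prefix, _uri in (("wst", WST), ("wsse", WSSE), ("wsse11", WSSE11),
                      ("wsu", WSU), ("saml2", SAML2), ("ds", DS)):
    ET.register_namespace(_prefix, _uri)

# Constructed sample: the posted response minus its crypto values.
RSTR_WITHOUT_REFERENCE = """\
<wst:RequestSecurityTokenResponse xmlns:wst="%s">
  <wst:TokenType>%s</wst:TokenType>
  <wst:RequestedSecurityToken>
    <saml2:Assertion xmlns:saml2="%s" xmlns:ds="%s" ID="12345"
                     IssueInstant="2010-03-01T14:12:17.649-05:00" Version="2.0">
      <saml2:Issuer>http://service.example.com</saml2:Issuer>
      <ds:Signature>
        <ds:SignedInfo><ds:Reference URI="#12345"/></ds:SignedInfo>
        <ds:SignatureValue>ELIDED</ds:SignatureValue>
      </ds:Signature>
      <saml2:Subject><saml2:NameID>jdoe</saml2:NameID></saml2:Subject>
    </saml2:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>
""" % (WST, SAML2_TOKEN_TYPE, SAML2, DS)


def _q(ns, name):
    return "{%s}%s" % (ns, name)


def returned_token(rstr):
    """The element inside RequestedSecurityToken, whatever token type it is."""
    return rstr.find(_q(WST, "RequestedSecurityToken") + "/*")


def intrinsic_id(token):
    """The ID the token carries itself: wsu:Id if any, else SAML 2.0 ID / SAML 1.1 AssertionID."""
    for attr in (_q(WSU, "Id"), "ID", "AssertionID"):
        if token.get(attr):
            return token.get(attr)
    return None


def referenced_id(rstr):
    """The ID the STS named in RequestedAttachedReference, or None if it sent none."""
    ki = rstr.find("/".join((_q(WST, "RequestedAttachedReference"),
                             _q(WSSE, "SecurityTokenReference"),
                             _q(WSSE, "KeyIdentifier"))))
    return ki.text.strip() if ki is not None and ki.text else None


def add_attached_reference(rstr, token_id, value_type=SAML2_ID_VALUE_TYPE,
                           token_type=SAML2_TOKEN_TYPE):
    """The STS-side fix from the thread: name the token's ID explicitly in the RSTR."""
    ref = ET.SubElement(rstr, _q(WST, "RequestedAttachedReference"))
    str_el = ET.SubElement(ref, _q(WSSE, "SecurityTokenReference"),
                           {_q(WSSE11, "TokenType"): token_type})
    ki = ET.SubElement(str_el, _q(WSSE, "KeyIdentifier"), {"ValueType": value_type})
    ki.text = token_id
    return rstr


def fixed_rstr(rstr_xml):
    """Serialize the response with the missing reference added for the returned token."""
    rstr = ET.fromstring(rstr_xml)
    add_attached_reference(rstr, intrinsic_id(returned_token(rstr)))
    return ET.tostring(rstr, encoding="unicode")


def check_rstr(rstr_xml):
    """Client side. Returns (token_id, problems). token_id is None when the response
    gives the requestor no usable ID; problems lists mismatches between the reference,
    the token and its signature that should make a client refuse the token."""
    rstr = ET.fromstring(rstr_xml)
    token = returned_token(rstr)
    if token is None:
        return None, ["RSTR carries no RequestedSecurityToken"]
    token_id = referenced_id(rstr) or token.get(_q(WSU, "Id"))
    if token_id is None:
        return None, ["no RequestedAttachedReference and no wsu:Id on the token"]
    problems = []
    own_id = intrinsic_id(token)
    if own_id != token_id:
        problems.append("reference names %r but the returned token is %r" % (token_id, own_id))
    sig_ref = token.find("/".join((_q(DS, "Signature"), _q(DS, "SignedInfo"), _q(DS, "Reference"))))
    if sig_ref is not None and sig_ref.get("URI") != "#" + token_id:
        problems.append("signature covers %r, not #%s" % (sig_ref.get("URI"), token_id))
    return token_id, problems


if __name__ == "__main__":
    print("as posted:", check_rstr(RSTR_WITHOUT_REFERENCE))
    print("with RequestedAttachedReference:", check_rstr(fixed_rstr(RSTR_WITHOUT_REFERENCE)))
```

The reference-to-token and reference-to-signature checks matter because the client later builds its own SecurityTokenReference from this ID and the service resolves it against the attached assertion; an ID that names anything other than the signed element is a response to reject, not repair. A production client should also parse with a hardened parser (defusedxml or equivalent) rather than bare ElementTree.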
Re: STSClient in CXF 2.2.6 not binding wst prefix.
Posted by Daniel Kulp <dk...@apache.org>.
Do you know what stax parser you are picking up? Can you check to make sure woodstox is there?
That said, I see what is going on and am testing a fix now.
Dan
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog