Posted to dev@ws.apache.org by "Erik Mocny (JIRA)" <ji...@apache.org> on 2014/11/09 14:00:36 UTC

[jira] [Comment Edited] (WSS-519) SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in EncryptedAssertion element

    [ https://issues.apache.org/jira/browse/WSS-519?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14203909#comment-14203909 ] 

Erik Mocny edited comment on WSS-519 at 11/9/14 1:00 PM:
---------------------------------------------------------

Hi Colm, thank you for the quick fix.

I tried your fix and edited EncryptedKeyProcessor in WSS4J 2.0.2; sadly, I got another exception, also related to SecurityTokenReference.

{noformat}
Caused by: org.apache.wss4j.common.ext.WSSecurityException: BSP:R5426: Any ENC_KEY_INFO MUST contain a child SECURITY_TOKEN_REFERENCE
	at org.apache.wss4j.dom.bsp.BSPEnforcer.handleBSPRule(BSPEnforcer.java:57) ~[wss4j-ws-security-dom-2.0.2.jar:2.0.2]
	at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:393) ~[wss4j-ws-security-dom-2.0.2.jar:2.0.2]
	at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:143) ~[wss4j-ws-security-dom-2.0.2.jar:2.0.2]
	at org.apache.wss4j.dom.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:72) ~[wss4j-ws-security-dom-2.0.2.jar:2.0.2]
	at org.apache.wss4j.dom.processor.EncryptedDataProcessor.handleToken(EncryptedDataProcessor.java:114) ~[wss4j-ws-security-dom-2.0.2.jar:2.0.2]
	at org.apache.wss4j.dom.processor.EncryptedAssertionProcessor.handleToken(EncryptedAssertionProcessor.java:78) ~[wss4j-ws-security-dom-2.0.2.jar:2.0.2]
	at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:427) ~[wss4j-ws-security-dom-2.0.2.jar:2.0.2]
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:276) ~[cxf-rt-ws-security-3.0.2.jar:3.0.2]
{noformat}


> SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in EncryptedAssertion element
> ------------------------------------------------------------------------------------------------
>
>                 Key: WSS-519
>                 URL: https://issues.apache.org/jira/browse/WSS-519
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.15, 1.6.16, 2.0.2, 1.6.17
>         Environment: MS ADFS 2.0, CXF 3.0.2, CXF 2.7.11
>            Reporter: Erik Mocny
>            Assignee: Colm O hEigeartaigh
>              Labels: encryptedassertion, saml, securitytokenreference, wss4j
>             Fix For: 2.0.3
>
>
> Hi,
> we currently have a setup with an ADFS 2.0 STS and, on the ESB, CXF 2.7.11, whose dependency is WSS4J 1.6.15.
> Currently everything works as expected, but only for the SAML 1.1 TokenType.
> The problem resides in the SAML 2.0 token response. For a SAML 1.1 token, the important part of the response looks like:
> {code:xml}
>    <trust:RequestedSecurityToken>
>                     <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
>                                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>                         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>                         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>                             <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>                                 <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>                                     <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                                 </e:EncryptionMethod>
>                                 <KeyInfo>
>                                     <o:SecurityTokenReference
>                                             xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                                         <X509Data>
> {code}
> For SAML 2.0, the RSTR (just the part relevant to us) looks like:
> {code:xml}
>     <trust:RequestedSecurityToken>
>                     <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>                         <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
>                                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>                             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>                             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>                                 <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>                                     <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>                                         <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                                     </e:EncryptionMethod>
>                                     <KeyInfo>
>                                         <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> {code}
> Please notice the missing token-referencing element: *SecurityTokenReference*
> WSS4J then throws an exception while trying to decrypt the SAML token:
> {noformat}
> 2014-11-05 07:24:03,655 [http-/127.0.0.1:8443-2] WARN  (org.apache.cxf.phase.PhaseInterceptorChain): Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header.
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:852) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:327) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:121) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:106) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) ~[cxf-api-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar!/:1.0.2.Final-redhat-1]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.3.0.Final-redhat-14.jar!/:7.3.0.Final-redhat-14]
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at java.lang.Thread.run(Thread.java:745) [na:1.7.0_60]
> Caused by: org.apache.ws.security.WSSecurityException: General security error (Bad element, expected "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference" while got "{http://www.w3.org/2000/09/xmldsig#}X509Data")
> 	at org.apache.ws.security.message.token.SecurityTokenReference.<init>(SecurityTokenReference.java:93) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.str.EncryptedKeySTRParser.parseSecurityTokenReference(EncryptedKeySTRParser.java:80) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:309) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:126) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:65) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedDataProcessor.handleToken(EncryptedDataProcessor.java:113) ~[wss4j-1.6.15.jar:1.6.15]
> 	at sk.dcom.poc.service.doubleit.security.EncryptedAssertionProcessor.handleToken(EncryptedAssertionProcessor.java:54) ~[classes:na]
> 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	... 26 common frames omitted
> {noformat}
> I've also tried CXF 3.0.2, which uses WSS4J 2.0.2, but the exception is there too.
> I then tried changing only the WSS4J version (1.6.16, 1.6.17); we are locked at CXF 2.7.11 because of the ESB. Still the same issue :/
> Could you please give me some clues so I can maybe handle it manually and correctly reference the token for the WSS4J decryption process (if there is any way)?
> Thanks for all your answers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
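Added example (not code from the issue, WSS4J or CXF): a small stdlib-only Python check for the key-reference shape the issue is about. It classifies every xenc:EncryptedKey in a token response by what its ds:KeyInfo holds (a wsse:SecurityTokenReference, which WSS4J's STR parser and BSP rule R5426 expect, or a bare ds:X509Data, the SAML 2.0 shape ADFS emitted here), and can rewrite the bare X509Data into the SecurityTokenReference-wrapped form the issue shows for SAML 1.1, which the reporter says WSS4J already accepts. Assumptions: the sample document is constructed from the two fragments in the issue with placeholder issuer/serial and cipher values; the WS-Trust 1.3 namespace is assumed for the "trust" prefix; and the rewrite only moves the key-reference hint, so it is only sound when run before WSS4J processes the message and when no signature the consumer verifies covers that region.

```python
"""Check an RSTR / EncryptedAssertion for the EncryptedKey/KeyInfo shape that
WSS4J rejects, and normalise it to the shape shown for SAML 1.1 in WSS-519
(ds:X509Data wrapped in a wsse:SecurityTokenReference). Added example, not
WSS4J or CXF code."""
import xml.etree.ElementTree as ET

NS = {
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    # WS-Trust 1.3 namespace: assumed, the issue only shows the "trust" prefix.
    "trust": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

ENCRYPTED_KEY = "{%s}EncryptedKey" % NS["xenc"]
KEY_INFO = "{%s}KeyInfo" % NS["ds"]
X509_DATA = "{%s}X509Data" % NS["ds"]
STR = "{%s}SecurityTokenReference" % NS["wsse"]

# Constructed sample modelled on the SAML 2.0 fragment in the issue: the
# EncryptedKey's KeyInfo holds a bare ds:X509Data. Issuer/serial and the
# CipherValues are placeholders, not real ADFS output.
SAML2_RSTR = """<trust:RequestedSecurityToken
    xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
        xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
          <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          </e:EncryptionMethod>
          <KeyInfo>
            <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509IssuerSerial>
                <ds:X509IssuerName>CN=encryption-cert-placeholder</ds:X509IssuerName>
                <ds:X509SerialNumber>1</ds:X509SerialNumber>
              </ds:X509IssuerSerial>
            </ds:X509Data>
          </KeyInfo>
          <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>
        </e:EncryptedKey>
      </KeyInfo>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
</trust:RequestedSecurityToken>"""


def key_info_shapes(xml_text):
    """Classify every xenc:EncryptedKey by what its ds:KeyInfo holds:
    'str'      wsse:SecurityTokenReference (what BSP R5426 / the STR parser expect)
    'x509data' bare ds:X509Data (the SAML 2.0 ADFS shape from the issue)
    'none'     no KeyInfo at all
    'other'    something else (e.g. a KeyName)."""
    root = ET.fromstring(xml_text)
    shapes = []
    for enc_key in root.iter(ENCRYPTED_KEY):
        key_info = enc_key.find(KEY_INFO)
        if key_info is None:
            shapes.append("none")
        elif key_info.find(STR) is not None:
            shapes.append("str")
        elif key_info.find(X509_DATA) is not None:
            shapes.append("x509data")
        else:
            shapes.append("other")
    return shapes


def wrap_x509data_in_str(xml_text):
    """Rewrite EncryptedKey/KeyInfo/X509Data into
    EncryptedKey/KeyInfo/SecurityTokenReference/X509Data (the SAML 1.1 shape
    in the issue). Returns (new_xml, number_of_keys_rewritten). Only the
    key-reference hint moves; CipherData and the EncryptedData are untouched."""
    root = ET.fromstring(xml_text)
    rewritten = 0
    for enc_key in root.iter(ENCRYPTED_KEY):
        key_info = enc_key.find(KEY_INFO)
        if key_info is None or key_info.find(STR) is not None:
            continue  # nothing to reference, or already STR-shaped
        x509 = key_info.find(X509_DATA)
        if x509 is None:
            continue
        position = list(key_info).index(x509)  # keep child order
        key_info.remove(x509)
        str_el = ET.Element(STR)
        str_el.append(x509)
        key_info.insert(position, str_el)
        rewritten += 1
    return ET.tostring(root, encoding="unicode"), rewritten


if __name__ == "__main__":
    print("before:", key_info_shapes(SAML2_RSTR))
    fixed, count = wrap_x509data_in_str(SAML2_RSTR)
    print("rewrote %d EncryptedKey(s); after:" % count, key_info_shapes(fixed))
```

Two things worth reading off the stack traces when deciding whether such a rewrite is needed at all. In the 1.6.15 trace the failure is in the SecurityTokenReference constructor itself, so the 1.6.x STR parser simply cannot take a bare X509Data. In the 2.0.2 trace (after Colm's change) the failure comes from BSPEnforcer, i.e. it is a Basic Security Profile conformance check (rule R5426) rather than a parsing limitation; in WSS4J 2.x BSP enforcement is configurable on RequestData (setDisableBSPEnforcement), which CXF exposes through its ws-security.is-bsp-compliant property. Neither of those knobs is mentioned on this page, so check your own WSS4J/CXF versions before relying on them, and prefer the narrowest relaxation you can: accepting a non-BSP KeyInfo is a policy decision about which key references your decrypter will honour.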