Posted to users@cxf.apache.org by Gina Choi <gi...@gmail.com> on 2012/06/05 21:55:06 UTC

Re: Problem with loading Apache CXF STS with UT authentication

Hi Colm,

Thanks for the quick fix. I am planning to check it once your fix is reflected
in 2.6.2-SNAPSHOT.

Gina

On Tue, Jun 5, 2012 at 7:14 AM, Colm O hEigeartaigh <co...@apache.org> wrote:

>
> The NPE you were seeing is now fixed on trunk, if you want to test with
> the latest CXF 2.6.2-SNAPSHOT code. You will need to make sure that the WSC
> has a keystore with a private key to support the KeyValueToken policy.
>
> Colm.
>
>
>
>
> On Tue, Jun 5, 2012 at 10:14 AM, Colm O hEigeartaigh <co...@apache.org> wrote:
>
>>
>> Is the client successfully invoking on the STS? In other words, is this
>> error occurring when the client is sending a message to the STS or to the
>> WSP?
>>
>> Colm.
>>
>>
>> On Fri, Jun 1, 2012 at 6:30 PM, Gina Choi <gi...@gmail.com> wrote:
>>
>>> To make it clear here is what I have so far.
>>>
>>> 1. WSP: SymmetricBinding, ProtectionToken is IssuedToken
>>> 2. STS: endpoint:
>>>
>>> https://strts01.ams.dev/adfs/services/trust/13/usernamemixed
>>>
>>> Following policy is used.
>>>
>>>   <wsp:Policy wsu:Id="UserNameWSTrustBinding_IWSTrust13Async2_policy">
>>>     <wsp:ExactlyOne>
>>>       <wsp:All>
>>>         <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>           <wsp:Policy>
>>>             <sp:TransportToken>
>>>               <wsp:Policy>
>>>                 <sp:HttpsToken>
>>>                   <wsp:Policy />
>>>                 </sp:HttpsToken>
>>>               </wsp:Policy>
>>>             </sp:TransportToken>
>>>             <sp:AlgorithmSuite>
>>>               <wsp:Policy>
>>>                 <sp:Basic256 />
>>>               </wsp:Policy>
>>>             </sp:AlgorithmSuite>
>>>             <sp:Layout>
>>>               <wsp:Policy>
>>>                 <sp:Strict />
>>>               </wsp:Policy>
>>>             </sp:Layout>
>>>             <sp:IncludeTimestamp />
>>>           </wsp:Policy>
>>>         </sp:TransportBinding>
>>>         <sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>           <wsp:Policy>
>>>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>>               <wsp:Policy>
>>>                 <sp:WssUsernameToken10 />
>>>               </wsp:Policy>
>>>             </sp:UsernameToken>
>>>           </wsp:Policy>
>>>         </sp:SignedEncryptedSupportingTokens>
>>>         <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>           <wsp:Policy>
>>>             <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
>>>                               wsp:Optional="true">
>>>               <wsp:Policy/>
>>>             </sp:KeyValueToken>
>>>             <sp:SignedParts>
>>>               <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>>>             </sp:SignedParts>
>>>           </wsp:Policy>
>>>         </sp:EndorsingSupportingTokens>
>>>         <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>           <wsp:Policy>
>>>             <sp:MustSupportRefKeyIdentifier />
>>>             <sp:MustSupportRefIssuerSerial />
>>>             <sp:MustSupportRefThumbprint />
>>>             <sp:MustSupportRefEncryptedKey />
>>>           </wsp:Policy>
>>>         </sp:Wss11>
>>>         <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>           <wsp:Policy>
>>>             <sp:MustSupportIssuedTokens />
>>>             <sp:RequireClientEntropy />
>>>             <sp:RequireServerEntropy />
>>>           </wsp:Policy>
>>>         </sp:Trust13>
>>>         <wsaw:UsingAddressing />
>>>       </wsp:All>
>>>     </wsp:ExactlyOne>
>>>   </wsp:Policy>
>>>
>>> 3. WSC
>>> Following is client configuration.
>>>
>>>    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>>                  createdFromAPI="true">
>>>      <jaxws:properties>
>>>        <entry key="ws-security.sts.client">
>>>          <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>>            <constructor-arg ref="cxf"/>
>>>            <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>>>            <property name="serviceName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService"/>
>>>            <property name="endpointName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}UserNameWSTrustBinding_IWSTrust13Async2"/>
>>>            <property name="properties">
>>>              <map>
>>>                <entry key="ws-security.username" value="gchoi"/>
>>>                <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
>>>                <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
>>>                <entry key="ws-security.encryption.username" value="mystskey"/>
>>>              </map>
>>>            </property>
>>>          </bean>
>>>        </entry>
>>>      </jaxws:properties>
>>>    </jaxws:client>
>>> </beans>
>>>
>>> I am getting following exception when I execute client.
>>>
>>> WARNING: Interceptor for {http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService#{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}Trust13IssueAsync has thrown exception, unwinding now
>>> org.apache.cxf.interceptor.Fault
>>>         at
>>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:153)
>>>         at
>>> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:159)
>>>         at
>>> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:89)
>>>         at
>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>>>         at
>>> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>>>         at
>>> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:722)
>>>         at
>>> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:602)
>>>         at
>>> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:594)
>>>         at
>>> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.getTokenFromSTS(IssuedTokenInterceptorProvider.java:404)
>>>         at
>>> org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:188)
>>>         at
>>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>>>         at
>>> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>>>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>>>         at
>>> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
>>>         at
>>> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>>>         at $Proxy25.doubleIt(Unknown Source)
>>>         at client.WSClient.doubleIt(WSClient.java:18)
>>>         at client.WSClient.main(WSClient.java:11)
>>> Caused by: java.lang.NullPointerException
>>>         at
>>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doIssuedTokenSignature(TransportBindingHandler.java:429)
>>>         at
>>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.java:283)
>>>         at
>>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingSupportingTokens(TransportBindingHandler.java:240)
>>>         at
>>> org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:147)
>>>         ... 22 more
>>> Jun 1, 2012 1:12:51 PM org.apache.cxf.phase.PhaseInterceptorChain
>>> doDefaultLogging
>>>
>>>
>>> On Fri, Jun 1, 2012 at 1:06 PM, Gina Choi <gi...@gmail.com> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> <<<
>>>> The client needs to configure the HTTP conduit with the keystore that
>>>> contains the certificate of the STS, e.g.:
>>>> >>>
>>>> Forgot to ask you. ADFS exposes three different certificates - Service
>>>> communications, Token-decrypting and Token-signing, but most of the time I
>>>> had to deal with the decrypting and signing certs. Which of the STS certificates
>>>> do I need to have in the client keystore?
>>>>
>>>> On Fri, Jun 1, 2012 at 12:52 PM, Gina Choi <gi...@gmail.com>wrote:
>>>>
>>>>> <<<
>>>>> The following policy (KeyValueToken) is not supported, but you could
>>>>> remove it as it is optional and see if that works:
>>>>> >>>
>>>>> Per Oliver's advice, after I added an empty <wsp:Policy /> element as a
>>>>> child of <sp:KeyValueToken>, I don't receive any more complaining.
>>>>>
>>>>> <<<
>>>>> The client needs to configure the HTTP conduit with the keystore that
>>>>> contains the certificate of the STS, e.g.:
>>>>>  <http:conduit name="https://localhost:.*">
>>>>>    <http:tlsClientParameters disableCNCheck="true">
>>>>>      <sec:trustManagers>
>>>>>        <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
>>>>>      </sec:trustManagers>
>>>>>    </http:tlsClientParameters>
>>>>>  </http:conduit>
>>>>> >>>
>>>>> After adding the following to my client configuration, I am now getting a new
>>>>> exception. By the way, with ADFS, I have to use https.
>>>>>
>>>>>  <http:conduit name="https://strts01.ams.dev.*">
>>>>>    <http:tlsClientParameters disableCNCheck="true">
>>>>>      <sec:trustManagers>
>>>>>        <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
>>>>>      </sec:trustManagers>
>>>>>    </http:tlsClientParameters>
>>>>>  </http:conduit>
>>>>>
>>>>>
>>>>> Jun 1, 2012 12:47:33 PM org.apache.cxf.bus.spring.SpringBusFactory
>>>>> createApplicationContext
>>>>> WARNING: Initial attempt to create application context was
>>>>> unsuccessful.
>>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException:
>>>>> Line 57 in XML document from class path resource [cxf.xml] is invalid;
>>>>> nested exception is org.xml.sax.SAXParseException: The prefix "http" for
>>>>> element "http:conduit" is not bo
>>>>> .
>>>>>         at
>>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.doLoadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:115)
>>>>>         at
>>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.internalLoadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:154)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.access$000(ControlledValidationXmlBeanDefinitionReader.java:66)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader$1.run(ControlledValidationXmlBeanDefinitionReader.java:141)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader$1.run(ControlledValidationXmlBeanDefinitionReader.java:140)
>>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.loadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:139)
>>>>>         at
>>>>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
>>>>>         at
>>>>> org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
>>>>>         at
>>>>> org.springframework.context.support.AbstractXmlApplicationContext.loadBeanDefinitions(AbstractXmlApplicationContext.java:122)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.BusApplicationContext.loadBeanDefinitions(BusApplicationContext.java:309)
>>>>>         at
>>>>> org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130)
>>>>>         at
>>>>> org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:467)
>>>>>         at
>>>>> org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:397)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:101)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:100)
>>>>>         at java.security.AccessController.doPrivileged(Native Method)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.BusApplicationContext.<init>(BusApplicationContext.java:99)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.SpringBusFactory.createApplicationContext(SpringBusFactory.java:130)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:121)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:95)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:69)
>>>>>         at
>>>>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:58)
>>>>>         at org.apache.cxf.BusFactory.getDefaultBus(BusFactory.java:99)
>>>>>         at
>>>>> org.apache.cxf.BusFactory.createThreadBus(BusFactory.java:165)
>>>>>         at
>>>>> org.apache.cxf.BusFactory.getThreadDefaultBus(BusFactory.java:155)
>>>>>         at
>>>>> org.apache.cxf.BusFactory.getThreadDefaultBus(BusFactory.java:140)
>>>>>         at
>>>>> org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:96)
>>>>>         at javax.xml.ws.Service.<init>(Service.java:92)
>>>>>         at
>>>>> org.example.contract.doubleit.DoubleItService.<init>(DoubleItService.java:47)
>>>>>         at client.WSClient.main(WSClient.java:8)
>>>>>
>>>>>
>>>>> On Fri, Jun 1, 2012 at 12:13 PM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>>>>>
>>>>>>
>>>>>> The client needs to configure the HTTP conduit with the keystore that
>>>>>> contains the certificate of the STS, e.g.:
>>>>>>
>>>>>>  <http:conduit name="https://localhost:.*">
>>>>>>    <http:tlsClientParameters disableCNCheck="true">
>>>>>>      <sec:trustManagers>
>>>>>>        <sec:keyStore type="jks" password="cspass" resource="clientstore.jks"/>
>>>>>>      </sec:trustManagers>
>>>>>>    </http:tlsClientParameters>
>>>>>>  </http:conduit>
>>>>>>
>>>>>> What NPE are you getting? The following policy (KeyValueToken) is not
>>>>>> supported, but you could remove it as it is optional and see if that works:
>>>>>>
>>>>>>
>>>>>> <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>>>>>>   <wsp:Policy>
>>>>>>     <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
>>>>>>                       wsp:Optional="true">
>>>>>>       <wsp:Policy />
>>>>>>     </sp:KeyValueToken>
>>>>>>     <sp:SignedParts>
>>>>>>       <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>>>>>>     </sp:SignedParts>
>>>>>>   </wsp:Policy>
>>>>>> </sp:EndorsingSupportingTokens>
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>
>>>>
>>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
<<<
it's the CXF WSC that is complaining about the absent TokenType from the
STS? (I thought the complaint was from a CXF WSP about the ADFS token it
was getting from the WSC).
>>>
For bug report 4367, it was the WSP that was complaining about TokenType. After I
set "ws-security.is-bsp-compliant" to "false" on the WSP side per Colm's
advice, I got past the problem with CXF-4367. The WSP generated a response, but
the client is throwing an exception. So, I am having a new issue now.

Thanks.

Gina

On Mon, Jun 11, 2012 at 4:10 PM, Glen Mazza <gm...@talend.com> wrote:

> Oh, I misunderstood your problem--it's the CXF WSC that is complaining
> about the absent TokenType from the STS?  (I thought the complaint was from
> a CXF WSP about the ADFS token it was getting from the WSC).  I'm not sure
> if the is-bsp-compliant setting would work if attached to the WSC
> complaining about the STS (haven't tested it).
>
> Your bug report 4367 is kind of vague -- it doesn't specify what you're
> using for the WSP or WSC (CXF for one or both?), and in step #4 when you
> say "Now I am getting 'An invalid security token was provided (Bad
> TokenType "")' it's best to let us know whether it's the WSC or WSP
> reporting that.   Try to be more specific next time.
>
> Glen
>
>
> On 06/11/2012 03:54 PM, Gina Choi wrote:
>
>> Glen,
>> <<<
>> Since you're using ADFS as the STS, the above setting wouldn't be
>> relevant for the STS _but it would be proper on the CXF WSP_, so the ADSF
>> SAML assertion (which is missing the TokenType field) in the WSC's request
>> will still be accepted by the CXF WSP.
>>
>> >>>
>> It would be proper WSP configuration, if I use CXF STS, correct? I prefer
>> that I control through client configuration since usually I don't have much
>> control over either WSP(If it is a .NET web service) or STS(ADFS2.0) config.
>> Gina
>> On Mon, Jun 11, 2012 at 3:38 PM, Glen Mazza <gmazza@talend.com> wrote:
>>
>>    Sorry for the confusion, I dislike the naming
>>    "ws-security.is-bsp-compliant", it's misleading and should be
>>    called "ws-security.enforce-bsp-compliance".  A CXF STS is always
>>    BSP compliant (at least in this regard), that setting is just
>>    about whether it's to complain when it gets a WSC request that
>>    doesn't provide the BSP-required TokenType.
>>
>>    Since you're using ADFS as the STS, the above setting wouldn't be
>>    relevant for the STS but it would be proper on the CXF WSP, so the
>>    ADSF SAML assertion (which is missing the TokenType field) in the
>>    WSC's request will still be accepted by the CXF WSP.
>>
>>    Glen
>>
>>
>>    On 06/11/2012 03:10 PM, Gina Choi wrote:
>>
>>        Hi Glen,
>>        So, if I set up "ws-security.is-bsp-compliant" in STS config,
>>        STS will generate a token without TokenType attribute, but in
>>        WSP side, I still need to set up
>>        "ws-security.is-bsp-compliant"=false to turn off checking
>>        "ws-security.is-bsp-compliant" attribute, correct?
>>        Thanks.
>>        Gina
>>        On Mon, Jun 11, 2012 at 1:10 PM, Glen Mazza <gmazza@talend.com> wrote:
>>
>>           The STS syntax for it (also good for WSP) is as line #75 here:
>>        https://github.com/gmazza/blog-samples/blob/master/cxf_sts_tutorial/sts-war/src/main/webapp/WEB-INF/cxf-servlet.xml
>>
>>           This worked for me with Metro clients that don't provide a
>>        TokenType.
>>
>>           Glen
>>
>>
>>           On 06/11/2012 11:31 AM, Gina Choi wrote:
>>
>>               Hi Colm,
>>
>>        <<<
>>               You can turn this off by setting the following jax-ws
>>        property
>>               "ws-security.is-bsp-compliant" to "false" for the service
>>               provider.
>>               Does setting "ws-security.is-bsp-compliant" to "false" make
>>               Service
>>               Provider not to check wsse11:TokenType attribute? ADFS2.0
>>               doesn't enforce
>>               wsse11:TokenType attribute, so the security token that
>>        I got
>>               from ADFS2.0
>>               wouldn't contain wsse11:TokenType attribute. I set
>>               "ws-security.is-bsp-compliant" through client configuration
>>               file like
>>               bellow, but it didn't change any result. I am getting same
>>               exception.
>>
>>
>>        <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>
>>               createdFromAPI="true">
>>        <jaxws:properties>
>>        <entry key="ws-security.is-bsp-compliant" value="false"/>
>>        <entry key="ws-security.sts.client">
>>        <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>
>>        <constructor-arg ref="cxf"/>
>>        <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>>               ........
>>
>>
>>               Gina
>>               On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>>
>>
>>
>>                   CXF enforces the Basic Security Profile 1.1 spec:
>>
>>        http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>>
>>                   "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN
>>                   MUST contain a wsse11:TokenType attribute with a value of
>>                   "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"."
>>
>>                   You can turn this off by setting the following
>>        jax-ws property
>>                   "ws-security.is-bsp-compliant" to "false" for the
>>        service
>>                   provider.
>>
>>                   Colm.
>>
>>                   On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi <ginachoi88@gmail.com> wrote:
>>
>>                       I did some research and looked at oasis specification
>>                       (https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf),
>>                       it looks like that wsse11:TokenType attribute is
>>                       optional for SAML 1.1, but should contain
>>                       http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1.
>>
>>
>>        <<<
>>
>>                       Now I am getting 'An invalid security token was
>>                       provided (Bad TokenType "")'. I debugged through code again and
>>                       following is the issue:
>>                       org.apache.ws.security.str.BSPEnforcer.java (wss4j-1.6.6.jar),
>>                       lines 162 - 169
>>
>>                              String tokenType = secRef.getTokenType();
>>                              if (assertion.getSaml1() != null &&
>>                                  !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>>                                  throw new WSSecurityException(
>>                                      WSSecurityException.INVALID_SECURITY_TOKEN,
>>                                      "invalidTokenType",
>>                                      new Object[]{tokenType}
>>                                  );
>>                              }
>>
>>                       The content of the secRef object is as follows. As you can see
>>                       from the above code, it is looking for an attribute named "TokenType"
>>                       whose value is
>>                       "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
>>                       but the SecurityTokenReference doesn't have it. That's
>>                       why it throws an exception. What can we do about this? I am going to
>>                       update CXF-4367 with new content.
>>
>>        <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>          <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
>>        </o:SecurityTokenReference>
>>
>>
>>
>>                   --
>>                   Colm O hEigeartaigh
>>
>>                   Talend Community Coder
>>        http://coders.talend.com
>>
>>
>>
>>           --
>>           Glen Mazza
>>           Talend Community Coders
>>           coders.talend.com
>>           blog: www.jroller.com/gmazza
>>
>>
>>
>>
>>
>>    --
>>    Glen Mazza
>>    Talend Community Coders
>>    coders.talend.com
>>    blog: www.jroller.com/gmazza
>>
>>
>>
>
> --
> Glen Mazza
> Talend Community Coders
> coders.talend.com
> blog: www.jroller.com/gmazza
>
>
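
As an added example (not CXF, WSS4J or any participant's code), the following Java class applies the R6611 TokenType check from the BSPEnforcer lines quoted above to a SecurityTokenReference shaped like the one ADFS 2.0 returned, in both the strict mode and the relaxed mode a CXF WSP takes with ws-security.is-bsp-compliant set to "false". The class name, the constructed STRs and the extra KeyIdentifier ValueType check in relaxed mode are this example's own assumptions, not WSS4J behaviour.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/**
 * Added example, not CXF or WSS4J code. It reproduces the Basic Security
 * Profile 1.1 R6611 check that WSS4J's BSPEnforcer applies to a
 * SecurityTokenReference (STR) for a SAML 1.1 assertion, plus the relaxed
 * path a CXF WSP takes when ws-security.is-bsp-compliant is "false".
 */
public class Str6611Check {

    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSSE11_NS =
        "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
    static final String SAML11_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";
    static final String SAML_ASSERTION_ID =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID";

    enum Verdict { ACCEPTED, BAD_TOKEN_TYPE, NOT_A_SAML_REFERENCE }

    /**
     * Evaluates one STR.
     * @param strXml       the STR element as found in the wsse:Security header
     * @param saml1        true when the referenced assertion is SAML 1.1, which is
     *                     what assertion.getSaml1() != null means in the quoted code
     * @param bspCompliant mirrors the ws-security.is-bsp-compliant property
     */
    static Verdict check(String strXml, boolean saml1, boolean bspCompliant) throws Exception {
        Element str = parse(strXml);
        if (!saml1) {
            return Verdict.ACCEPTED; // R6611 only constrains SAML 1.1 references
        }
        // R6611: the STR itself must carry wsse11:TokenType="...#SAMLV1.1".
        // An STR without the attribute, which is what ADFS 2.0 emitted in this
        // thread, yields "" here: the empty value quoted in 'Bad TokenType ""'.
        String tokenType = str.getAttributeNS(WSSE11_NS, "TokenType");
        if (tokenType == null) {
            tokenType = "";
        }
        if (bspCompliant && !SAML11_TOKEN_TYPE.equals(tokenType)) {
            return Verdict.BAD_TOKEN_TYPE;
        }
        // Relaxed mode: WSS4J simply skips R6611. As an extra check of this
        // example's own (not WSS4J behaviour), insist that the KeyIdentifier
        // ValueType still says the reference points at a SAML assertion ID, so
        // the missing TokenType does not leave the reference type ambiguous.
        NodeList ids = str.getElementsByTagNameNS(WSSE_NS, "KeyIdentifier");
        if (ids.getLength() != 1
            || !SAML_ASSERTION_ID.equals(((Element) ids.item(0)).getAttribute("ValueType"))) {
            return Verdict.NOT_A_SAML_REFERENCE;
        }
        return Verdict.ACCEPTED;
    }

    /** Namespace-aware parse with DTDs disabled, since the header is untrusted input. */
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder()
                  .parse(new InputSource(new StringReader(xml)))
                  .getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed STR in the shape ADFS 2.0 produced in this thread: a
        // KeyIdentifier and no wsse11:TokenType. The assertion ID is made up.
        String adfsStyle =
            "<o:SecurityTokenReference xmlns:o='" + WSSE_NS + "'>"
          + "<o:KeyIdentifier ValueType='" + SAML_ASSERTION_ID + "'>"
          + "_00000000-0000-4000-8000-000000000000</o:KeyIdentifier>"
          + "</o:SecurityTokenReference>";
        // Constructed STR for the same assertion as a BSP-compliant STS emits it.
        String bspStyle =
            "<o:SecurityTokenReference xmlns:o='" + WSSE_NS + "'"
          + " xmlns:wsse11='" + WSSE11_NS + "'"
          + " wsse11:TokenType='" + SAML11_TOKEN_TYPE + "'>"
          + "<o:KeyIdentifier ValueType='" + SAML_ASSERTION_ID + "'>"
          + "_00000000-0000-4000-8000-000000000000</o:KeyIdentifier>"
          + "</o:SecurityTokenReference>";

        System.out.println("ADFS-style STR, is-bsp-compliant=true:  " + check(adfsStyle, true, true));
        System.out.println("ADFS-style STR, is-bsp-compliant=false: " + check(adfsStyle, true, false));
        System.out.println("BSP-style STR,  is-bsp-compliant=true:  " + check(bspStyle, true, true));
    }
}
```

Relaxing the flag only silences the R6611 reference check; the assertion's signature and the WS-SecurityPolicy requirements on the WSP are still enforced separately.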

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Glen Mazza <gm...@talend.com>.
Oh, I misunderstood your problem--it's the CXF WSC that is complaining 
about the absent TokenType from the STS?  (I thought the complaint was 
from a CXF WSP about the ADFS token it was getting from the WSC).  I'm 
not sure if the is-bsp-compliant setting would work if attached to the 
WSC complaining about the STS (haven't tested it).

Your bug report 4367 is kind of vague -- it doesn't specify what you're 
using for the WSP or WSC (CXF for one or both?), and in step #4 when you 
say "Now I am getting 'An invalid security token was provided (Bad 
TokenType "")' it's best to let us know whether it's the WSC or WSP 
reporting that.   Try to be more specific next time.

Glen

On 06/11/2012 03:54 PM, Gina Choi wrote:
> Glen,
> <<<
> Since you're using ADFS as the STS, the above setting wouldn't be 
> relevant for the STS _but it would be proper on the CXF WSP_, so the 
> ADSF SAML assertion (which is missing the TokenType field) in the 
> WSC's request will still be accepted by the CXF WSP.
> >>>
> It would be proper WSP configuration, if I use CXF STS, correct? I 
> prefer that I control through client configuration since usually I 
> don't have much control over either WSP(If it is a .NET web service) 
> or STS(ADFS2.0) config.
> Gina
> On Mon, Jun 11, 2012 at 3:38 PM, Glen Mazza <gmazza@talend.com> wrote:
>
>     Sorry for the confusion, I dislike the naming
>     "ws-security.is-bsp-compliant", it's misleading and should be
>     called "ws-security.enforce-bsp-compliance".  A CXF STS is always
>     BSP compliant (at least in this regard), that setting is just
>     about whether it's to complain when it gets a WSC request that
>     doesn't provide the BSP-required TokenType.
>
>     Since you're using ADFS as the STS, the above setting wouldn't be
>     relevant for the STS but it would be proper on the CXF WSP, so the
>     ADSF SAML assertion (which is missing the TokenType field) in the
>     WSC's request will still be accepted by the CXF WSP.
>
>     Glen
>
>
>     On 06/11/2012 03:10 PM, Gina Choi wrote:
>
>         Hi Glen,
>         So, if I set up "ws-security.is-bsp-compliant" in STS config,
>         STS will generate a token without TokenType attribute, but in
>         WSP side, I still need to set up
>         "ws-security.is-bsp-compliant"=false to turn off checking
>         "ws-security.is-bsp-compliant" attribute, correct?
>         Thanks.
>         Gina
>         On Mon, Jun 11, 2012 at 1:10 PM, Glen Mazza <gmazza@talend.com> wrote:
>
>            The STS syntax for it (also good for WSP) is as line #75 here:
>         https://github.com/gmazza/blog-samples/blob/master/cxf_sts_tutorial/sts-war/src/main/webapp/WEB-INF/cxf-servlet.xml
>
>            This worked for me with Metro clients that don't provide a
>         TokenType.
>
>            Glen
>
>
>            On 06/11/2012 11:31 AM, Gina Choi wrote:
>
>                Hi Colm,
>
>         <<<
>                You can turn this off by setting the following jax-ws
>         property
>                "ws-security.is-bsp-compliant" to "false" for the service
>                provider.
>                Does setting "ws-security.is-bsp-compliant" to "false" make
>                Service
>                Provider not to check wsse11:TokenType attribute? ADFS2.0
>                doesn't enforce
>                wsse11:TokenType attribute, so the security token that
>         I got
>                from ADFS2.0
>                wouldn't contain wsse11:TokenType attribute. I set
>                "ws-security.is-bsp-compliant" through client configuration
>                file like
>                bellow, but it didn't change any result. I am getting same
>                exception.
>
>
>         <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>
>                createdFromAPI="true">
>         <jaxws:properties>
>         <entry key="ws-security.is-bsp-compliant" value="false"/>
>         <entry key="ws-security.sts.client">
>         <bean class="org.apache.cxf.ws.security.trust.STSClient">
>
>         <constructor-arg ref="cxf"/>
>         <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>                ........
>
>
>                Gina
>                On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>
>
>                    CXF enforces the Basic Security Profile 1.1 spec:
>
>         http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>
>                    "R6611 Any SECURITY_TOKEN_REFERENCE to a
>         SAML_V1_1_TOKEN
>                    MUST contain a
>                    wsse11:TokenType attribute with a value of "
>         http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".
>                    "
>
>                    You can turn this off by setting the following
>         jax-ws property
>                    "ws-security.is-bsp-compliant" to "false" for the
>         service
>                    provider.
>
>                    Colm.
>
>                    On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi <ginachoi88@gmail.com> wrote:
>
>                        I did some research and looked at oasis
>         specification(
>
>
>         https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
>
>                        ),
>                        it looks like that wsse11:TokenType attribute is
>                        optional for SAML 1.1,
>
>                    but
>
>                        should contain
>         http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
>
>                    .
>
>
>         <<<
>
>                        Now I am getting 'An invalid security token was
>                        provided (Bad TokenType
>                        "")'. I debugged through code again and
>         following is
>                        the issue.
>                        org.apache.ws.security.str.BSPEnforcer.java(wss4j-1.6.6.jar)
>                        class Line 162 - 169
>
>                               String tokenType = secRef.getTokenType();
>                               if (assertion.getSaml1() != null &&
>                                   !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>                                   throw new WSSecurityException(
>                                       WSSecurityException.INVALID_SECURITY_TOKEN,
>                                       "invalidTokenType",
>                                       new Object[]{tokenType}
>                                   );
>                               }
>                        The content of secRef object as follow. As you
>         can see
>                        from above code,
>
>                    it
>
>                        is looking for an attribute named "TokenType",
>         whose
>                        value is "
>
>         http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
>                        " but SecurityTokenReference doesn't have it.
>         That's
>                        why it throws
>                        exception. What we can do about this? I am going to
>                        update *CXF-4367 with
>                        new content.*
>
>         <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>           <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
>         </o:SecurityTokenReference>
>
>
>
>                    --
>                    Colm O hEigeartaigh
>
>                    Talend Community Coder
>         http://coders.talend.com
>
>
>
>            --
>            Glen Mazza
>            Talend Community Coders
>            coders.talend.com
>            blog: www.jroller.com/gmazza
>
>
>
>
>     -- 
>     Glen Mazza
>     Talend Community Coders
>     coders.talend.com
>     blog: www.jroller.com/gmazza
>
>


-- 
Glen Mazza
Talend Community Coders
coders.talend.com
blog: www.jroller.com/gmazza


Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Glen,
<<<
Since you're using ADFS as the STS, the above setting wouldn't be relevant
for the STS *but it would be proper on the CXF WSP*, so the ADFS SAML
assertion (which is missing the TokenType field) in the WSC's request will
still be accepted by the CXF WSP.
>>>
It would be the proper WSP configuration if I use the CXF STS, correct? I prefer
to control this through the client configuration, since usually I don't have much
control over either the WSP (if it is a .NET web service) or the STS (ADFS 2.0) config.

Gina

On Mon, Jun 11, 2012 at 3:38 PM, Glen Mazza <gm...@talend.com> wrote:

> Sorry for the confusion. I dislike the naming
> "ws-security.is-bsp-compliant"; it's misleading and should be called
> "ws-security.enforce-bsp-compliance". A CXF STS is always BSP
> compliant (at least in this regard); that setting is just about whether
> it's to complain when it gets a WSC request that doesn't provide the
> BSP-required TokenType.
>
> Since you're using ADFS as the STS, the above setting wouldn't be relevant
> for the STS but it would be proper on the CXF WSP, so the ADFS SAML
> assertion (which is missing the TokenType field) in the WSC's request will
> still be accepted by the CXF WSP.
>
> Glen
>
>
> On 06/11/2012 03:10 PM, Gina Choi wrote:
>
>> Hi Glen,
>> So, if I set up "ws-security.is-bsp-compliant" in STS config, STS will
>> generate a token without TokenType attribute, but in WSP side, I still need
>> to set up "ws-security.is-bsp-compliant"=false to turn off checking
>> "ws-security.is-bsp-compliant" attribute, correct?
>> Thanks.
>> Gina
>> On Mon, Jun 11, 2012 at 1:10 PM, Glen Mazza <gmazza@talend.com> wrote:
>>
>>    The STS syntax for it (also good for WSP) is as line #75 here:
>>    https://github.com/gmazza/blog-samples/blob/master/cxf_sts_tutorial/sts-war/src/main/webapp/WEB-INF/cxf-servlet.xml
>>
>>    This worked for me with Metro clients that don't provide a TokenType.
>>
>>    Glen
>>
>>
>>    On 06/11/2012 11:31 AM, Gina Choi wrote:
>>
>>        Hi Colm,
>>
>>        <<<
>>        You can turn this off by setting the following jax-ws property
>>        "ws-security.is-bsp-compliant" to "false" for the service
>>        provider.
>>        Does setting "ws-security.is-bsp-compliant" to "false" make
>>        Service
>>        Provider not to check wsse11:TokenType attribute? ADFS2.0
>>        doesn't enforce
>>        wsse11:TokenType attribute, so the security token that I got
>>        from ADFS2.0
>>        wouldn't contain wsse11:TokenType attribute. I set
>>        "ws-security.is-bsp-compliant" through client configuration
>>        file like
>>        bellow, but it didn't change any result. I am getting same
>>        exception.
>>
>>
>>        <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>
>>        createdFromAPI="true">
>>        <jaxws:properties>
>>        <entry key="ws-security.is-bsp-compliant" value="false"/>
>>        <entry key="ws-security.sts.client">
>>        <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>
>>        <constructor-arg ref="cxf"/>
>>        <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>>        ........
>>
>>
>>        Gina
>>        On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>>
>>
>>            CXF enforces the Basic Security Profile 1.1 spec:
>>
>>            http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>>
>>            "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN
>>            MUST contain a
>>            wsse11:TokenType attribute with a value of
>>            "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"."
>>
>>            You can turn this off by setting the following jax-ws property
>>            "ws-security.is-bsp-compliant" to "false" for the service
>>            provider.
>>
>>            Colm.
>>
>>            On Sat, Jun 9, 2012 at 12:00 AM, Gina
>>            Choi <ginachoi88@gmail.com>
>>
>>             wrote:
>>
>>                I did some research and looked at oasis specification
>>                (https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf),
>>                it looks like that wsse11:TokenType attribute is
>>                optional for SAML 1.1, but should contain
>>                http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 .
>>
>>
>>                <<<
>>
>>                Now I am getting 'An invalid security token was
>>                provided (Bad TokenType
>>                "")'. I debugged through code again and following is
>>                the issue.
>>                org.apache.ws.security.str.BSPEnforcer.java(wss4j-1.6.6.jar)
>>                class Line 162 - 169
>>
>>                       String tokenType = secRef.getTokenType();
>>                       if (assertion.getSaml1() != null &&
>>                           !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>>                           throw new WSSecurityException(
>>                               WSSecurityException.INVALID_SECURITY_TOKEN,
>>                               "invalidTokenType",
>>                               new Object[]{tokenType}
>>                           );
>>                       }
>>                The content of secRef object as follow. As you can see
>>                from above code, it is looking for an attribute named "TokenType",
>>                whose value is "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
>>                but SecurityTokenReference doesn't have it. That's
>>                why it throws exception. What we can do about this? I am going to
>>                update *CXF-4367 with new content.*
>>
>>                <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>                  <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
>>                </o:SecurityTokenReference>
>>
>>
>>
>>            --
>>            Colm O hEigeartaigh
>>
>>            Talend Community Coder
>>            http://coders.talend.com
>>
>>
>>
>>    --
>>    Glen Mazza
>>    Talend Community Coders
>>    coders.talend.com
>>    blog: www.jroller.com/gmazza
>>
>>
>>
>
> --
> Glen Mazza
> Talend Community Coders
> coders.talend.com
> blog: www.jroller.com/gmazza
>
>

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Glen Mazza <gm...@talend.com>.
Sorry for the confusion. I dislike the naming 
"ws-security.is-bsp-compliant"; it's misleading and should be called 
"ws-security.enforce-bsp-compliance". A CXF STS is always BSP compliant 
(at least in this regard); that setting is just about whether it's to 
complain when it gets a WSC request that doesn't provide the 
BSP-required TokenType.

Since you're using ADFS as the STS, the above setting wouldn't be 
relevant for the STS but it would be proper on the CXF WSP, so the ADFS 
SAML assertion (which is missing the TokenType field) in the WSC's 
request will still be accepted by the CXF WSP.

Glen

On 06/11/2012 03:10 PM, Gina Choi wrote:
> Hi Glen,
> So, if I set up "ws-security.is-bsp-compliant" in STS config, STS will 
> generate a token without TokenType attribute, but in WSP side, I still 
> need to set up "ws-security.is-bsp-compliant"=false to turn off 
> checking "ws-security.is-bsp-compliant" attribute, correct?
> Thanks.
> Gina
> On Mon, Jun 11, 2012 at 1:10 PM, Glen Mazza <gmazza@talend.com> wrote:
>
>     The STS syntax for it (also good for WSP) is as line #75 here:
>     https://github.com/gmazza/blog-samples/blob/master/cxf_sts_tutorial/sts-war/src/main/webapp/WEB-INF/cxf-servlet.xml
>
>     This worked for me with Metro clients that don't provide a TokenType.
>
>     Glen
>
>
>     On 06/11/2012 11:31 AM, Gina Choi wrote:
>
>         Hi Colm,
>
>         <<<
>         You can turn this off by setting the following jax-ws property
>         "ws-security.is-bsp-compliant" to "false" for the service
>         provider.
>         Does setting "ws-security.is-bsp-compliant" to "false" make
>         Service
>         Provider not to check wsse11:TokenType attribute? ADFS2.0
>         doesn't enforce
>         wsse11:TokenType attribute, so the security token that I got
>         from ADFS2.0
>         wouldn't contain wsse11:TokenType attribute. I set
>         "ws-security.is-bsp-compliant" through client configuration
>         file like
>         bellow, but it didn't change any result. I am getting same
>         exception.
>
>
>         <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>         createdFromAPI="true">
>         <jaxws:properties>
>         <entry key="ws-security.is-bsp-compliant" value="false"/>
>         <entry key="ws-security.sts.client">
>         <bean class="org.apache.cxf.ws.security.trust.STSClient">
>         <constructor-arg ref="cxf"/>
>         <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>         ........
>
>
>         Gina
>         On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>
>             CXF enforces the Basic Security Profile 1.1 spec:
>
>             http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>
>             "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN
>             MUST contain a
>             wsse11:TokenType attribute with a value of "
>             http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".
>             "
>
>             You can turn this off by setting the following jax-ws property
>             "ws-security.is-bsp-compliant" to "false" for the service
>             provider.
>
>             Colm.
>
>             On Sat, Jun 9, 2012 at 12:00 AM, Gina
>             Choi <ginachoi88@gmail.com>
>              wrote:
>
>                 I did some research and looked at oasis specification(
>
>
>             https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
>
>                 ),
>                 it looks like that wsse11:TokenType attribute is
>                 optional for SAML 1.1,
>
>             but
>
>                 should contain
>                 http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
>
>             .
>
>
>                 <<<
>
>                 Now I am getting 'An invalid security token was
>                 provided (Bad TokenType
>                 "")'. I debugged through code again and following is
>                 the issue.
>                 org.apache.ws.security.str.BSPEnforcer.java(wss4j-1.6.6.jar)
>                 class Line 162 - 169
>
>                        String tokenType = secRef.getTokenType();
>                        if (assertion.getSaml1() != null &&
>                            !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>                            throw new WSSecurityException(
>                                WSSecurityException.INVALID_SECURITY_TOKEN,
>                                "invalidTokenType",
>                                new Object[]{tokenType}
>                            );
>                        }
>                 The content of secRef object as follow. As you can see
>                 from above code,
>
>             it
>
>                 is looking for an attribute named "TokenType", whose
>                 value is "
>
>                 http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
>                 " but SecurityTokenReference doesn't have it. That's
>                 why it throws
>                 exception. What we can do about this? I am going to
>                 update *CXF-4367 with
>                 new content.*
>
>                 <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                   <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
>                 </o:SecurityTokenReference>
>
>
>
>             --
>             Colm O hEigeartaigh
>
>             Talend Community Coder
>             http://coders.talend.com
>
>
>
>     -- 
>     Glen Mazza
>     Talend Community Coders
>     coders.talend.com
>     blog: www.jroller.com/gmazza
>
>


-- 
Glen Mazza
Talend Community Coders
coders.talend.com
blog: www.jroller.com/gmazza
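The R6611 check that Colm and Glen discuss above, modelled as a stand-alone script (an added example, not WSS4J or CXF code): it reads wsse11:TokenType from a SecurityTokenReference, rejects the ADFS-issued STR quoted in this thread exactly as BSPEnforcer does, and accepts it once enforcement is switched off, as ws-security.is-bsp-compliant=false would on the WSP. The wsse11 namespace URI and the BSP-compliant counterpart STR are assumptions not taken from the thread.

```python
"""Stand-alone model of the WS-I BSP 1.1 R6611 check that WSS4J's BSPEnforcer
applies when a SecurityTokenReference (STR) points at a SAML 1.1 assertion.
Added illustration for this thread; it is not WSS4J or CXF code."""
from typing import Dict, Optional
import xml.etree.ElementTree as ET

# URIs quoted in the thread, plus the wsse11 namespace (assumed from the
# WS-Security 1.1 spec; it is not quoted on this page).
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11_NS = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
SAML11_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
SAML_ASSERTION_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"


class InvalidSecurityToken(Exception):
    """Stands in for WSSecurityException.INVALID_SECURITY_TOKEN / 'invalidTokenType'."""


def parse_str(str_xml: str) -> Dict[str, Optional[str]]:
    """Extract the fields BSPEnforcer looks at from a wsse:SecurityTokenReference."""
    root = ET.fromstring(str_xml)
    if root.tag != f"{{{WSSE_NS}}}SecurityTokenReference":
        raise ValueError(f"not a wsse:SecurityTokenReference: {root.tag}")
    key_id = root.find(f"{{{WSSE_NS}}}KeyIdentifier")
    return {
        # secRef.getTokenType() reads the wsse11:TokenType attribute on the STR itself
        "token_type": root.get(f"{{{WSSE11_NS}}}TokenType"),
        "value_type": None if key_id is None else key_id.get("ValueType"),
        "key_identifier": None if key_id is None else (key_id.text or "").strip(),
    }


def enforce_r6611(str_xml: str, references_saml1: bool = True,
                  bsp_compliant: bool = True) -> Dict[str, Optional[str]]:
    """R6611 as BSPEnforcer applies it: an STR to a SAML 1.1 token must carry
    wsse11:TokenType equal to SAML11_TOKEN_TYPE.  bsp_compliant=False models
    ws-security.is-bsp-compliant=false on the service provider, which skips the check."""
    fields = parse_str(str_xml)
    if references_saml1 and bsp_compliant and fields["token_type"] != SAML11_TOKEN_TYPE:
        # WSS4J surfaces this as: An invalid security token was provided (Bad TokenType "")
        raise InvalidSecurityToken(
            f'An invalid security token was provided (Bad TokenType "{fields["token_type"] or ""}")'
        )
    return fields


# The STR ADFS 2.0 produced in the thread: KeyIdentifier present, no wsse11:TokenType.
ADFS_STR = f"""<o:SecurityTokenReference xmlns:o="{WSSE_NS}">
  <o:KeyIdentifier ValueType="{SAML_ASSERTION_ID}">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
</o:SecurityTokenReference>"""

# Constructed BSP-compliant counterpart: the same reference plus the TokenType R6611 requires.
COMPLIANT_STR = f"""<o:SecurityTokenReference xmlns:o="{WSSE_NS}" xmlns:o11="{WSSE11_NS}"
    o11:TokenType="{SAML11_TOKEN_TYPE}">
  <o:KeyIdentifier ValueType="{SAML_ASSERTION_ID}">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
</o:SecurityTokenReference>"""


def outcome(str_xml: str, bsp_compliant: bool) -> str:
    """Return 'accepted' or the WSS4J-style rejection message for one STR."""
    try:
        enforce_r6611(str_xml, bsp_compliant=bsp_compliant)
        return "accepted"
    except InvalidSecurityToken as exc:
        return str(exc)


if __name__ == "__main__":
    for label, doc in (("ADFS STR", ADFS_STR), ("compliant STR", COMPLIANT_STR)):
        for flag in (True, False):
            print(f"{label:14s} is-bsp-compliant={str(flag).lower():5s} -> {outcome(doc, flag)}")
```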


Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Hi Glen,
So, if I set up "ws-security.is-bsp-compliant" in STS config, STS will
generate a token without TokenType attribute, but in WSP side, I still need
to set up "ws-security.is-bsp-compliant"=false to turn off checking
"ws-security.is-bsp-compliant" attribute, correct?

Thanks.

Gina
On Mon, Jun 11, 2012 at 1:10 PM, Glen Mazza <gm...@talend.com> wrote:

> The STS syntax for it (also good for WSP) is as line #75 here:
> https://github.com/gmazza/blog-samples/blob/master/cxf_sts_tutorial/sts-war/src/main/webapp/WEB-INF/cxf-servlet.xml
>
> This worked for me with Metro clients that don't provide a TokenType.
>
> Glen
>
>
> On 06/11/2012 11:31 AM, Gina Choi wrote:
>
>> Hi Colm,
>>
>> <<<
>> You can turn this off by setting the following jax-ws property
>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>> Does setting "ws-security.is-bsp-compliant" to "false" make Service
>> Provider not to check wsse11:TokenType attribute? ADFS2.0 doesn't enforce
>> wsse11:TokenType attribute, so the security token that I got from ADFS2.0
>> wouldn't contain wsse11:TokenType attribute. I set
>> "ws-security.is-bsp-compliant" through client configuration file like
>> bellow, but it didn't change any result. I am getting same exception.
>>
>>
>>    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>> createdFromAPI="true">
>>        <jaxws:properties>
>>        <entry key="ws-security.is-bsp-compliant" value="false"/>
>>        <entry key="ws-security.sts.client">
>>                 <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>      <constructor-arg ref="cxf"/>
>>      <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>> ........
>>
>>
>> Gina
>> On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <coheigea@apache.org> wrote:
>>
>>  CXF enforces the Basic Security Profile 1.1 spec:
>>>
>>> http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>>>
>>> "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
>>> wsse11:TokenType attribute with a value of
>>> "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"."
>>>
>>> You can turn this off by setting the following jax-ws property
>>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>>>
>>> Colm.
>>>
>>> On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi<gi...@gmail.com>  wrote:
>>>
>>>> I did some research and looked at oasis specification
>>>> (https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf),
>>>> it looks like that wsse11:TokenType attribute is optional for SAML 1.1,
>>>> but should contain
>>>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1 .
>>>
>>>>
>>>> <<<
>>>>
>>>> Now I am getting 'An invalid security token was provided (Bad TokenType
>>>> "")'. I debugged through code again and following is the issue.
>>>> org.apache.ws.security.str.BSPEnforcer.java(wss4j-1.6.6.jar) class
>>>> Line 162 - 169
>>>>
>>>>        String tokenType = secRef.getTokenType();
>>>>        if (assertion.getSaml1() != null &&
>>>>            !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>>>>            throw new WSSecurityException(
>>>>                WSSecurityException.INVALID_SECURITY_TOKEN,
>>>>                "invalidTokenType",
>>>>                new Object[]{tokenType}
>>>>            );
>>>>        }
>>>> The content of secRef object as follow. As you can see from above code,
>>>> it is looking for an attribute named "TokenType", whose value is
>>>> "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
>>>> but SecurityTokenReference doesn't have it. That's why it throws
>>>> exception. What we can do about this? I am going to update *CXF-4367
>>>> with new content.*
>>>>
>>>> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>>   <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
>>>> </o:SecurityTokenReference>
>>>>
>>>>
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>>>
>>>
>
> --
> Glen Mazza
> Talend Community Coders
> coders.talend.com
> blog: www.jroller.com/gmazza
>
>

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Glen Mazza <gm...@talend.com>.
The STS syntax for it (also good for WSP) is as line #75 here:
https://github.com/gmazza/blog-samples/blob/master/cxf_sts_tutorial/sts-war/src/main/webapp/WEB-INF/cxf-servlet.xml

This worked for me with Metro clients that don't provide a TokenType.

Glen

On 06/11/2012 11:31 AM, Gina Choi wrote:
> Hi Colm,
>
> <<<
> You can turn this off by setting the following jax-ws property
> "ws-security.is-bsp-compliant" to "false" for the service provider.
> Does setting "ws-security.is-bsp-compliant" to "false" make Service
> Provider not to check wsse11:TokenType attribute? ADFS2.0 doesn't enforce
> wsse11:TokenType attribute, so the security token that I got from ADFS2.0
> wouldn't contain wsse11:TokenType attribute. I set
> "ws-security.is-bsp-compliant" through client configuration file like
> bellow, but it didn't change any result. I am getting same exception.
>
>
>     <jaxws:client name="{
> http://www.example.org/contract/DoubleIt}DoubleItPort"
> createdFromAPI="true">
>         <jaxws:properties>
>         <entry key="ws-security.is-bsp-compliant" value="false"/>
>         <entry key="ws-security.sts.client">
>                  <bean class="org.apache.cxf.ws.security.trust.STSClient">
>       <constructor-arg ref="cxf"/>
>       <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
> ........
>
>
> Gina
> On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <co...@apache.org> wrote:
>
>> CXF enforces the Basic Security Profile 1.1 spec:
>>
>> http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>>
>> "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
>> wsse11:TokenType attribute with a value of "
>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".
>> "
>>
>> You can turn this off by setting the following jax-ws property
>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>>
>> Colm.
>>
>> On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi<gi...@gmail.com>  wrote:
>>
>>> I did some research and looked at oasis specification(
>>>
>>>
>> https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
>>> ),
>>> it looks like that wsse11:TokenType attribute is optional for SAML 1.1,
>> but
>>> should contain
>>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
>> .
>>>
>>> <<<
>>>
>>> Now I am getting 'An invalid security token was provided (Bad TokenType
>>> "")'. I debugged through code again and following is the issue.
>>> org.apache.ws.security.str.BSPEnforcer.java(wss4j-1.6.6.jar) class Line
>>> 162 - 169
>>>
>>>         String tokenType = secRef.getTokenType();
>>>         if (assertion.getSaml1() != null &&
>>>             !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>>>             throw new WSSecurityException(
>>>                 WSSecurityException.INVALID_SECURITY_TOKEN,
>>>                 "invalidTokenType",
>>>                  new Object[]{tokenType}
>>>             );
>>>         }
>>> The content of secRef object as follow. As you can see from above code,
>> it
>>> is looking for an attribute named "TokenType", whose value is "
>>>
>>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
>>> " but SecurityTokenReference doesn't have it. That's why it throws
>>> exception. What we can do about this? I am going to update *CXF-4367 with
>>> new content.*
>>>
>>> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>   <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
>>> </o:SecurityTokenReference>
>>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>


-- 
Glen Mazza
Talend Community Coders
coders.talend.com
blog: www.jroller.com/gmazza


Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Hi Colm,

<<<<<
I merged another fix for this issue to WSS4J (
https://issues.apache.org/jira/browse/WSS-392). Please try again with the
latest WSS4J 1.6.7-SNAPSHOT jar.
>>>>>

I have good news for you. Your fix for WSS-392 worked. Nice work! My
client ran successfully. Thank you very much.
Now I have the passive profile (Fediz WS-Federation) and the active profile (Apache
CXF) working with ADFS 2.0 (STS). Next, I am going to pipe them together to
test ActAs with ADFS 2.0.

Thanks again for your dedicated effort.

Gina
On Wed, Jun 13, 2012 at 8:56 AM, Colm O hEigeartaigh <co...@apache.org> wrote:

> Hi Gina,
>
> I merged another fix for this issue to WSS4J (
> https://issues.apache.org/jira/browse/WSS-392). Please try again with the
> latest WSS4J 1.6.7-SNAPSHOT jar.
>
> Colm.
>
> On Tue, Jun 12, 2012 at 9:05 PM, Gina Choi <gi...@gmail.com> wrote:
>
> > Hi Colm,
> >
> > <<<<
> > I've just committed a potential fix for this problem to WSS4J. Could you
> > add a dependency in your client pom to WSS4J 1.6.7-SNAPSHOT and let me
> know
> > if it works?
> > >>>>
> > Thanks for the quick fix. I passed previous NPE issue with WSS4J
> > 1.6.7-SNAPSHOT(I only applied it to client). Now I am getting
> > WSSecurityException. I have copied WSP response and error message at the
> > bottom of this email for your reference.
> > Exception is thrown at the line 217 of
> > the
> >
> org.apache.ws.security.str.SignatureSTRParser.java(wss4j-1.6.7-SNAPSHOT.jar)
> > class.
> >
> > AssertionWrapper assertion =
> SAMLUtil.getAssertionFromKeyIdentifier(secRef,
> > strElement, data, wsDocInfo);
> >
> > Further, it failed at line 105 of the following code. Inside
> > org.apache.ws.security.saml.SAMLUtil.java((wss4j-1.6.7-SNAPSHOT.jar) from
> > Line82 to Line  132. It expects that local name of the
> > token(xenc:EncryptedData) equal to "Assertion", but local name is "
> > EncryptedData".
> >
> >
> >    public static AssertionWrapper getAssertionFromKeyIdentifier(
> >        SecurityTokenReference secRef,
> >        Element strElement,
> >        RequestData request,
> >        WSDocInfo wsDocInfo
> >    ) throws WSSecurityException {
> >        String keyIdentifierValue = secRef.getKeyIdentifierValue();
> >        String type = secRef.getKeyIdentifierValueType();
> >        // 1. The referenced assertion was already processed in this message:
> >        //    reuse the stored result.
> >        WSSecurityEngineResult result = wsDocInfo.getResult(keyIdentifierValue);
> >        AssertionWrapper assertion = null;
> >        Element token = null;
> >        if (result != null) {
> >            assertion =
> >                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
> >            return assertion;
> >        } else {
> >            // 2. Look for an already-processed token element with this id.
> >            token =
> >                secRef.findProcessedTokenElement(
> >                    strElement.getOwnerDocument(), wsDocInfo,
> >                    request.getCallbackHandler(),
> >                    keyIdentifierValue, type
> >                );
> >            if (token != null) {
> >                // The referenced element must be a SAML Assertion; anything
> >                // else (here: xenc:EncryptedData) fails with "invalidSAMLsecurity".
> >                if (!"Assertion".equals(token.getLocalName())) {
> >                    throw new WSSecurityException(
> >                        WSSecurityException.FAILURE, "invalidSAMLsecurity"
> >                    );
> >                }
> >                return new AssertionWrapper(token);
> >            }
> >            // 3. Otherwise look for an unprocessed token element and run the
> >            //    SAML token processor on it now.
> >            token =
> >                secRef.findUnprocessedTokenElement(
> >                    strElement.getOwnerDocument(), wsDocInfo,
> >                    request.getCallbackHandler(), keyIdentifierValue, type
> >                );
> >
> >            if (token == null || !"Assertion".equals(token.getLocalName())) {
> >                throw new WSSecurityException(
> >                    WSSecurityException.FAILURE, "invalidSAMLsecurity"
> >                );
> >            }
> >            Processor proc =
> >                request.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
> >            List<WSSecurityEngineResult> samlResult =
> >                proc.handleToken(token, request, wsDocInfo);
> >            return
> >                (AssertionWrapper)samlResult.get(0).get(
> >                    WSSecurityEngineResult.TAG_SAML_ASSERTION
> >                );
> >        }
> >    }
> >
> >
> >
> >
> >  -----------------------Part of client side log -------------------
> >
> > Jun 12, 2012 2:20:21 PM
> > org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType
> > INFO: Inbound Message
> > ----------------------------
> > ID: 2
> > Response-Code: 200
> > Encoding: UTF-8
> > Content-Type: text/xml;charset=UTF-8
> > Headers: {Content-Length=[5284], content-type=[text/xml;charset=UTF-8],
> > Date=[Tue, 12 Jun 2012 18:20:21 GMT], Server=[Apache-Coyote/1.1]}
> > Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> >   <soap:Header>
> >     <Action xmlns="http://www.w3.org/2005/08/addressing"
> >         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >         wsu:Id="Id-21392541">http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse</Action>
> >     <MessageID xmlns="http://www.w3.org/2005/08/addressing"
> >         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >         wsu:Id="Id-27404023">urn:uuid:14a7ee50-a80b-4e8e-8a24-501a1f27c37f</MessageID>
> >     <To xmlns="http://www.w3.org/2005/08/addressing"
> >         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >         wsu:Id="Id-6617884">http://www.w3.org/2005/08/addressing/anonymous</To>
> >     <RelatesTo xmlns="http://www.w3.org/2005/08/addressing"
> >         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >         wsu:Id="Id-11283244">urn:uuid:c3b2508b-3b8a-4e3b-a3ce-d146073a3fc5</RelatesTo>
> >     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >         soap:mustUnderstand="1">
> >       <wsu:Timestamp wsu:Id="TS-52">
> >         <wsu:Created>2012-06-12T18:20:21.062Z</wsu:Created>
> >         <wsu:Expires>2012-06-12T18:25:21.062Z</wsu:Expires>
> >       </wsu:Timestamp>
> >       <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> >         <xenc:DataReference URI="#ED-54"/>
> >       </xenc:ReferenceList>
> >       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-53">
> >         <ds:SignedInfo>
> >           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> >           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
> >           <ds:Reference URI="#Id-13175005">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>1qaC4/pteNP1OxZYGlIaeO9JnNg=</ds:DigestValue>
> >           </ds:Reference>
> >           <ds:Reference URI="#Id-6617884">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>AgU1e6t+Kz/maMvdm+LjtMSOT88=</ds:DigestValue>
> >           </ds:Reference>
> >           <ds:Reference URI="#Id-27404023">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>sn+kmoST3NluP8jcFrre1Z3dLKE=</ds:DigestValue>
> >           </ds:Reference>
> >           <ds:Reference URI="#Id-11283244">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>WmIxk6sQRlvmi0mlXbm1Emm+zg4=</ds:DigestValue>
> >           </ds:Reference>
> >           <ds:Reference URI="#Id-21392541">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>aOhKo4T8h5RibX7oHoA716O0x/4=</ds:DigestValue>
> >           </ds:Reference>
> >           <ds:Reference URI="#TS-52">
> >             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
> >             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> >             <ds:DigestValue>yRbx7ao7zPuxMcVZCHJ07F/seGc=</ds:DigestValue>
> >           </ds:Reference>
> >         </ds:SignedInfo>
> >         <ds:SignatureValue>phUYBjMU8fePqv+08yIBdfS3Gys=</ds:SignatureValue>
> >         <ds:KeyInfo Id="KI-36455561753DCD790C133952522106235">
> >           <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> >               wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
> >               wsu:Id="STR-36455561753DCD790C133952522106236">
> >             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier>
> >           </wsse:SecurityTokenReference>
> >         </ds:KeyInfo>
> >       </ds:Signature>
> >     </wsse:Security>
> >   </soap:Header>
> >   <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >       wsu:Id="Id-13175005">
> >     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-54"
> >         Type="http://www.w3.org/2001/04/xmlenc#Content">
> >       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
> >       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> >         <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> >             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >             wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
> >           <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier>
> >         </wsse:SecurityTokenReference>
> >       </ds:KeyInfo>
> >       <xenc:CipherData>
> >         <xenc:CipherValue>6WkAa0DPtBlT7HPhOof9rz2mAD1d4rC+3ArAav06B2UwZohawM/8ydSrhalqGmkolyFydGLJUah3zo57zZSjt5m+VoctQ9QIbdzdz02ERE34aJe9vF3pmn083obo1ouAOFLlBbkViShYtJi6eO2ir8+N+OBQ8TsJHYf07LUwyHtvjhxh30htbUEyoAWlY1NZfurAGqLmL/4FSWaqyDArYQ==</xenc:CipherValue>
> >       </xenc:CipherData>
> >     </xenc:EncryptedData>
> >   </soap:Body>
> > </soap:Envelope>
> >
> > --------------------------------------
> >
> > Jun 12, 2012 3:18:39 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> > WARNING:
> > org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
> >       at org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:107)
> >       at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217)
> >       at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:164)
> >       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
> >       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
> >       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
> >       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
> >       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
> >       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
> >       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
> >       at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
> >       at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
> >       at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
> >       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
> >       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
> >       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
> >       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
> >       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
> >       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
> >       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
> >       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
> >       at $Proxy26.doubleIt(Unknown Source)
> >       at client.WSClient.doubleIt(WSClient.java:18)
> >       at client.WSClient.main(WSClient.java:11)
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Gina,

I merged another fix for this issue to WSS4J (
https://issues.apache.org/jira/browse/WSS-392). Please try again with the
latest WSS4J 1.6.7-SNAPSHOT jar.

Colm.

On Tue, Jun 12, 2012 at 9:05 PM, Gina Choi <gi...@gmail.com> wrote:

> Hi Colm,
>
> <<<<
> I've just committed a potential fix for this problem to WSS4J. Could you
> add a dependency in your client pom to WSS4J 1.6.7-SNAPSHOT and let me know
> if it works?
> >>>>
> Thanks for the quick fix. I got past the previous NPE issue with WSS4J
> 1.6.7-SNAPSHOT (I only applied it to the client). Now I am getting a
> WSSecurityException. I have copied the WSP response and the error message at
> the bottom of this email for your reference.
> The exception is thrown at line 217 of the
> org.apache.ws.security.str.SignatureSTRParser class (wss4j-1.6.7-SNAPSHOT.jar):
>
> AssertionWrapper assertion = SAMLUtil.getAssertionFromKeyIdentifier(secRef,
> strElement, data, wsDocInfo);
>
> Further, it fails at line 105 of the following code, inside
> org.apache.ws.security.saml.SAMLUtil (wss4j-1.6.7-SNAPSHOT.jar), lines 82 to
> 132. It expects the local name of the token (xenc:EncryptedData) to equal
> "Assertion", but the local name is "EncryptedData".
>
>
>    public static AssertionWrapper getAssertionFromKeyIdentifier(
>        SecurityTokenReference secRef,
>        Element strElement,
>        RequestData request,
>        WSDocInfo wsDocInfo
>    ) throws WSSecurityException {
>        String keyIdentifierValue = secRef.getKeyIdentifierValue();
>        String type = secRef.getKeyIdentifierValueType();
>        // 1. The referenced assertion was already processed in this message:
>        //    reuse the stored result.
>        WSSecurityEngineResult result = wsDocInfo.getResult(keyIdentifierValue);
>        AssertionWrapper assertion = null;
>        Element token = null;
>        if (result != null) {
>            assertion =
>                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
>            return assertion;
>        } else {
>            // 2. Look for an already-processed token element with this id.
>            token =
>                secRef.findProcessedTokenElement(
>                    strElement.getOwnerDocument(), wsDocInfo,
>                    request.getCallbackHandler(),
>                    keyIdentifierValue, type
>                );
>            if (token != null) {
>                // The referenced element must be a SAML Assertion; anything
>                // else (here: xenc:EncryptedData) fails with "invalidSAMLsecurity".
>                if (!"Assertion".equals(token.getLocalName())) {
>                    throw new WSSecurityException(
>                        WSSecurityException.FAILURE, "invalidSAMLsecurity"
>                    );
>                }
>                return new AssertionWrapper(token);
>            }
>            // 3. Otherwise look for an unprocessed token element and run the
>            //    SAML token processor on it now.
>            token =
>                secRef.findUnprocessedTokenElement(
>                    strElement.getOwnerDocument(), wsDocInfo,
>                    request.getCallbackHandler(), keyIdentifierValue, type
>                );
>
>            if (token == null || !"Assertion".equals(token.getLocalName())) {
>                throw new WSSecurityException(
>                    WSSecurityException.FAILURE, "invalidSAMLsecurity"
>                );
>            }
>            Processor proc =
>                request.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
>            List<WSSecurityEngineResult> samlResult =
>                proc.handleToken(token, request, wsDocInfo);
>            return
>                (AssertionWrapper)samlResult.get(0).get(
>                    WSSecurityEngineResult.TAG_SAML_ASSERTION
>                );
>        }
>    }
>
>
>
>
>  -----------------------Part of client side log -------------------
>
> Jun 12, 2012 2:20:21 PM
> org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType
> INFO: Inbound Message
> ----------------------------
> ID: 2
> Response-Code: 200
> Encoding: UTF-8
> Content-Type: text/xml;charset=UTF-8
> Headers: {Content-Length=[5284], content-type=[text/xml;charset=UTF-8],
> Date=[Tue, 12 Jun 2012 18:20:21 GMT], Server=[Apache-Coyote/1.1]}
> Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap:Header>
>     <Action xmlns="http://www.w3.org/2005/08/addressing"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         wsu:Id="Id-21392541">http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse</Action>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         wsu:Id="Id-27404023">urn:uuid:14a7ee50-a80b-4e8e-8a24-501a1f27c37f</MessageID>
>     <To xmlns="http://www.w3.org/2005/08/addressing"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         wsu:Id="Id-6617884">http://www.w3.org/2005/08/addressing/anonymous</To>
>     <RelatesTo xmlns="http://www.w3.org/2005/08/addressing"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         wsu:Id="Id-11283244">urn:uuid:c3b2508b-3b8a-4e3b-a3ce-d146073a3fc5</RelatesTo>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>         soap:mustUnderstand="1">
>       <wsu:Timestamp wsu:Id="TS-52">
>         <wsu:Created>2012-06-12T18:20:21.062Z</wsu:Created>
>         <wsu:Expires>2012-06-12T18:25:21.062Z</wsu:Expires>
>       </wsu:Timestamp>
>       <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>         <xenc:DataReference URI="#ED-54"/>
>       </xenc:ReferenceList>
>       <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-53">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>           <ds:Reference URI="#Id-13175005">
>             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>1qaC4/pteNP1OxZYGlIaeO9JnNg=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#Id-6617884">
>             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>AgU1e6t+Kz/maMvdm+LjtMSOT88=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#Id-27404023">
>             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>sn+kmoST3NluP8jcFrre1Z3dLKE=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#Id-11283244">
>             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>WmIxk6sQRlvmi0mlXbm1Emm+zg4=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#Id-21392541">
>             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>aOhKo4T8h5RibX7oHoA716O0x/4=</ds:DigestValue>
>           </ds:Reference>
>           <ds:Reference URI="#TS-52">
>             <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>yRbx7ao7zPuxMcVZCHJ07F/seGc=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>phUYBjMU8fePqv+08yIBdfS3Gys=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-36455561753DCD790C133952522106235">
>           <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>               wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
>               wsu:Id="STR-36455561753DCD790C133952522106236">
>             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>       wsu:Id="Id-13175005">
>     <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-54"
>         Type="http://www.w3.org/2001/04/xmlenc#Content">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>       <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>             wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
>           <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier>
>         </wsse:SecurityTokenReference>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>         <xenc:CipherValue>6WkAa0DPtBlT7HPhOof9rz2mAD1d4rC+3ArAav06B2UwZohawM/8ydSrhalqGmkolyFydGLJUah3zo57zZSjt5m+VoctQ9QIbdzdz02ERE34aJe9vF3pmn083obo1ouAOFLlBbkViShYtJi6eO2ir8+N+OBQ8TsJHYf07LUwyHtvjhxh30htbUEyoAWlY1NZfurAGqLmL/4FSWaqyDArYQ==</xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </soap:Body>
> </soap:Envelope>
>
> --------------------------------------
>
> Jun 12, 2012 3:18:39 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
> WARNING:
> org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
>       at org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:107)
>       at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217)
>       at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:164)
>       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
>       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
>       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
>       at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>       at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
>       at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
>       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
>       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>       at $Proxy26.doubleIt(Unknown Source)
>       at client.WSClient.doubleIt(WSClient.java:18)
>       at client.WSClient.main(WSClient.java:11)
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
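To see what the client actually has to resolve here, the following added example (written for this thread; it is not WSS4J or CXF code) parses a cut-down copy of the captured DoubleIt response quoted above, lists which elements the HMAC-SHA1 signature covers, and resolves the Signature's KeyIdentifier the way SAMLUtil.getAssertionFromKeyIdentifier does: first in the message itself, then in a token store standing in for the assertion the client sent earlier. The `token_store` dict, the SAML 1.1 namespace, the sample Assertion element and the elided ciphertext are assumptions. With a plaintext Assertion in the store the lookup succeeds; with an EncryptedData wrapper in its place it reports the same "invalidSAMLsecurity" outcome as the stack trace.

```python
"""Resolve the WS-Security references of a captured SOAP response the way the
receiving client must, and report what the Signature's KeyIdentifier points at.
Added for this thread, not WSS4J/CXF code. RESPONSE is a hand-constructed,
cut-down copy of the DoubleIt response (same ids, STR and algorithms; the
ciphertext is a placeholder). The token store and the SAML namespace are assumed.
"""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",  # assumption: SAML 1.1 token
}
SAML_ASSERTION_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"
HMAC_SHA1 = "http://www.w3.org/2000/09/xmldsig#hmac-sha1"
ASSERTION_ID = "_ee537478-0ff0-4423-8fef-21aff2633353"
# Attributes through which a URI fragment or a KeyIdentifier may resolve.
ID_ATTRS = ("{%s}Id" % NS["wsu"], "Id", "AssertionID", "ID")

RESPONSE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"
    xmlns:ds="{ds}" xmlns:xenc="{xenc}"
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
  <soap:Header><wsse:Security soap:mustUnderstand="1">
    <wsu:Timestamp wsu:Id="TS-52">
      <wsu:Created>2012-06-12T18:20:21.062Z</wsu:Created>
      <wsu:Expires>2012-06-12T18:25:21.062Z</wsu:Expires>
    </wsu:Timestamp>
    <xenc:ReferenceList><xenc:DataReference URI="#ED-54"/></xenc:ReferenceList>
    <ds:Signature Id="SIG-53">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="{hmac}"/>
        <ds:Reference URI="#Id-13175005"/>
        <ds:Reference URI="#TS-52"/>
      </ds:SignedInfo>
      <ds:SignatureValue>phUYBjMU8fePqv+08yIBdfS3Gys=</ds:SignatureValue>
      <ds:KeyInfo>
        <wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
          <wsse:KeyIdentifier ValueType="{samlid}">{aid}</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
    </ds:Signature>
  </wsse:Security></soap:Header>
  <soap:Body wsu:Id="Id-13175005">
    <xenc:EncryptedData Id="ED-54" Type="{xenc}Content">
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>""".format(hmac=HMAC_SHA1, samlid=SAML_ASSERTION_ID, aid=ASSERTION_ID, **NS)


def parse_response(xml=RESPONSE):
    return ET.fromstring(xml)


def local_name(el):
    return el.tag.rsplit("}", 1)[-1]


def index_ids(root):
    """Map every id-bearing attribute value in the document to its element."""
    ids = {}
    for el in root.iter():
        for attr in ID_ATTRS:
            if attr in el.attrib:
                ids.setdefault(el.attrib[attr], el)
    return ids


def signed_parts(root):
    """[(reference URI, local name of the element it resolves to, or None)]."""
    ids = index_ids(root)
    parts = []
    for ref in root.iter("{%s}Reference" % NS["ds"]):
        uri = ref.get("URI", "")
        el = ids.get(uri[1:]) if uri.startswith("#") else None
        parts.append((uri, local_name(el) if el is not None else None))
    return parts


def resolve_signature_key(root, token_store):
    """Resolve the Signature's KeyInfo STR. With an HMAC signature the key is the
    secret tied to the issued SAML assertion, which is not carried in this
    message, so the KeyIdentifier is looked up in the message first and then in
    token_store (assertion id -> element the client sent earlier; assumed)."""
    sig = root.find(".//ds:Signature", NS)
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
    kid = sig.find("ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier", NS)
    if kid is None or kid.get("ValueType") != SAML_ASSERTION_ID:
        return {"status": "unsupported-keyinfo", "algorithm": method}
    ref = kid.text.strip()
    token, source = index_ids(root).get(ref), "message"
    if token is None:
        token, source = token_store.get(ref), "token-store"
    if token is None:
        return {"status": "missing", "algorithm": method, "id": ref}
    found = local_name(token)
    if found != "Assertion":
        # Same check as SAMLUtil.getAssertionFromKeyIdentifier: a SAMLAssertionID
        # reference must land on an Assertion; an EncryptedData wrapper yields no key.
        return {"status": "invalidSAMLsecurity", "algorithm": method, "id": ref,
                "found": found, "source": source}
    return {"status": "ok", "algorithm": method, "id": ref, "found": found,
            "source": source, "symmetric": method == HMAC_SHA1}


def plaintext_store():
    """Assumed token store: the client kept the issued assertion in clear."""
    el = ET.fromstring('<saml:Assertion xmlns:saml="%s" AssertionID="%s" '
                       'MajorVersion="1" MinorVersion="1"/>' % (NS["saml"], ASSERTION_ID))
    return {ASSERTION_ID: el}


def encrypted_store():
    """Assumed token store: only an encrypted form of the assertion is held."""
    el = ET.fromstring('<xenc:EncryptedData xmlns:xenc="%s" Id="ED-1"/>' % NS["xenc"])
    return {ASSERTION_ID: el}


if __name__ == "__main__":
    root = parse_response()
    print("signed parts:", signed_parts(root))
    print("with Assertion:", resolve_signature_key(root, plaintext_store()))
    print("with EncryptedData:", resolve_signature_key(root, encrypted_store()))
```

Running it shows the signature covering the Body and the Timestamp, a successful "token-store" resolution when a saml:Assertion with the matching AssertionID is available, and the "invalidSAMLsecurity" result with `found == "EncryptedData"` when only an encrypted wrapper is, which is the situation the thread describes. Pointing `parse_response` at a full captured message is a quick way to confirm what an STR resolves to before digging into the WSS4J processors.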

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Hi Colm,

<<<<
I've just committed a potential fix for this problem to WSS4J. Could you
add a dependency in your client pom to WSS4J 1.6.7-SNAPSHOT and let me know
if it works?
>>>>
Thanks for the quick fix. I got past the previous NPE issue with WSS4J
1.6.7-SNAPSHOT (I only applied it to the client). Now I am getting a
WSSecurityException. I have copied the WSP response and the error message at
the bottom of this email for your reference.
The exception is thrown at line 217 of the
org.apache.ws.security.str.SignatureSTRParser class (wss4j-1.6.7-SNAPSHOT.jar):

AssertionWrapper assertion = SAMLUtil.getAssertionFromKeyIdentifier(secRef,
strElement, data, wsDocInfo);

Further, it fails at line 105 of the following code, inside
org.apache.ws.security.saml.SAMLUtil (wss4j-1.6.7-SNAPSHOT.jar), lines 82 to
132. It expects the local name of the token (xenc:EncryptedData) to equal
"Assertion", but the local name is "EncryptedData".


    public static AssertionWrapper getAssertionFromKeyIdentifier(
        SecurityTokenReference secRef,
        Element strElement,
        RequestData request,
        WSDocInfo wsDocInfo
    ) throws WSSecurityException {
        String keyIdentifierValue = secRef.getKeyIdentifierValue();
        String type = secRef.getKeyIdentifierValueType();
        // 1. The referenced assertion was already processed in this message:
        //    reuse the stored result.
        WSSecurityEngineResult result = wsDocInfo.getResult(keyIdentifierValue);
        AssertionWrapper assertion = null;
        Element token = null;
        if (result != null) {
            assertion =
                (AssertionWrapper)result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
            return assertion;
        } else {
            // 2. Look for an already-processed token element with this id.
            token =
                secRef.findProcessedTokenElement(
                    strElement.getOwnerDocument(), wsDocInfo,
                    request.getCallbackHandler(),
                    keyIdentifierValue, type
                );
            if (token != null) {
                // The referenced element must be a SAML Assertion; anything
                // else (here: xenc:EncryptedData) fails with "invalidSAMLsecurity".
                if (!"Assertion".equals(token.getLocalName())) {
                    throw new WSSecurityException(
                        WSSecurityException.FAILURE, "invalidSAMLsecurity"
                    );
                }
                return new AssertionWrapper(token);
            }
            // 3. Otherwise look for an unprocessed token element and run the
            //    SAML token processor on it now.
            token =
                secRef.findUnprocessedTokenElement(
                    strElement.getOwnerDocument(), wsDocInfo,
                    request.getCallbackHandler(), keyIdentifierValue, type
                );

            if (token == null || !"Assertion".equals(token.getLocalName())) {
                throw new WSSecurityException(
                    WSSecurityException.FAILURE, "invalidSAMLsecurity"
                );
            }
            Processor proc =
                request.getWssConfig().getProcessor(WSSecurityEngine.SAML_TOKEN);
            List<WSSecurityEngineResult> samlResult =
                proc.handleToken(token, request, wsDocInfo);
            return
                (AssertionWrapper)samlResult.get(0).get(
                    WSSecurityEngineResult.TAG_SAML_ASSERTION
                );
        }
    }




 -----------------------Part of client side log -------------------



Jun 12, 2012 2:20:21 PM
org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType

INFO: Inbound Message

----------------------------

ID: 2

Response-Code: 200

Encoding: UTF-8

Content-Type: text/xml;charset=UTF-8

Headers: {Content-Length=[5284], content-type=[text/xml;charset=UTF-8],
Date=[Tue, 12 Jun 2012 18:20:21 GMT], Server=[Apache-Coyote/1.1]}

Payload: <soap:Envelope xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><Action xmlns="
http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-21392541">
http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse</Action><MessageIDxmlns="
http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-27404023">urn:uuid:14a7ee50-a80b-4e8e-8a24-501a1f27c37f</MessageID><To
xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-6617884">
http://www.w3.org/2005/08/addressing/anonymous</To><RelatesTo xmlns="
http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-11283244">urn:uuid:c3b2508b-3b8a-4e3b-a3ce-d146073a3fc5</RelatesTo><wsse:Security
xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><wsu:Timestamp
wsu:Id="TS-52"><wsu:Created>2012-06-12T18:20:21.062Z</wsu:Created><wsu:Expires>2012-06-12T18:25:21.062Z</wsu:Expires></wsu:Timestamp><xenc:ReferenceList
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:DataReference
URI="#ED-54"/></xenc:ReferenceList><ds:Signature xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"
Id="SIG-53"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#hmac-sha1"/><ds:Reference
URI="#Id-13175005"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>1qaC4/pteNP1OxZYGlIaeO9JnNg=</ds:DigestValue></ds:Reference><ds:Reference
URI="#Id-6617884"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>AgU1e6t+Kz/maMvdm+LjtMSOT88=</ds:DigestValue></ds:Reference><ds:Reference
URI="#Id-27404023"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>sn+kmoST3NluP8jcFrre1Z3dLKE=</ds:DigestValue></ds:Reference><ds:Reference
URI="#Id-11283244"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>WmIxk6sQRlvmi0mlXbm1Emm+zg4=</ds:DigestValue></ds:Reference><ds:Reference
URI="#Id-21392541"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>aOhKo4T8h5RibX7oHoA716O0x/4=</ds:DigestValue></ds:Reference><ds:Reference
URI="#TS-52"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>yRbx7ao7zPuxMcVZCHJ07F/seGc=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>phUYBjMU8fePqv+08yIBdfS3Gys=</ds:SignatureValue><ds:KeyInfo
Id="KI-36455561753DCD790C133952522106235"><wsse:SecurityTokenReference
xmlns:wsse11="
http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
wsu:Id="STR-36455561753DCD790C133952522106236"><wsse:KeyIdentifier
ValueType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soap:Header><soap:Body
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-13175005"><xenc:EncryptedData xmlns:xenc="
http://www.w3.org/2001/04/xmlenc#" Id="ED-54" Type="
http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><ds:KeyInfo xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
xmlns:wsse11="
http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
wsse11:TokenType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"><wsse:KeyIdentifier
ValueType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
">_ee537478-0ff0-4423-8fef-21aff2633353</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>6WkAa0DPtBlT7HPhOof9rz2mAD1d4rC+3ArAav06B2UwZohawM/8ydSrhalqGmkolyFydGLJUah3zo57zZSjt5m+VoctQ9QIbdzdz02ERE34aJe9vF3pmn083obo1ouAOFLlBbkViShYtJi6eO2ir8+N+OBQ8TsJHYf07LUwyHtvjhxh30htbUEyoAWlY1NZfurAGqLmL/4FSWaqyDArYQ==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>

--------------------------------------

Jun 12, 2012 3:18:39 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
WARNING:
org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
       at org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:107)
       at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217)
       at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:164)
       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
       at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
       at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
       at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
       at $Proxy26.doubleIt(Unknown Source)
       at client.WSClient.doubleIt(WSClient.java:18)
       at client.WSClient.main(WSClient.java:11)

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Gina,

I've just committed a potential fix for this problem to WSS4J. Could you
add a dependency in your client pom to WSS4J 1.6.7-SNAPSHOT and let me know
if it works?

Colm.

On Mon, Jun 11, 2012 at 10:50 PM, Gina Choi <gi...@gmail.com> wrote:

> Colm,
>
> <<<<<
>
> Jun 11, 2012 5:09:18 PM org.apache.ws.security.saml.ext.AssertionWrapper parseElement
> SEVERE: AssertionWrapper: found unexpected type org.opensaml.xml.encryption.impl.EncryptedDataImpl
>
> Jun 11, 2012 5:11:16 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
> WARNING: Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
> java.lang.NullPointerException
>        at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:250)
>        at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:149)
>  >>>>>>>
>
> Spent pretty long time today to figure that out. WSP generated a response
> and I don't see any error message from server side. So, it looks like that
> this exception was thrown by the client during security header validation.
>
> Following is code for parseElement(Line696-709) method inside
> org.apache.ws.security.saml.ext.AssertionWrapper.java(wss4j-1.6.6.jar)
> class. So, 'element' type should be org.opensaml.saml1.core.Assertion to
> make this code happy, but why should WSP generate a token which is saml1
> Assertion type? I thought that only STS generates Assertion token. Kind of
> confused here. Do you think of any configuration issue? Shouldn't throw an
> exception inside else statement after logging if that condition is
> unacceptable?
>
>
>
>     private void parseElement(Element element) throws WSSecurityException {
>         this.xmlObject = OpenSAMLUtil.fromDom(element);
>         if (xmlObject instanceof org.opensaml.saml1.core.Assertion) {
>             this.saml1 = (org.opensaml.saml1.core.Assertion) xmlObject;
>             samlVersion = SAMLVersion.VERSION_11;
>         } else if (xmlObject instanceof org.opensaml.saml2.core.Assertion) {
>             this.saml2 = (org.opensaml.saml2.core.Assertion) xmlObject;
>             samlVersion = SAMLVersion.VERSION_20;
>         } else {
>             LOG.error(
>                 "AssertionWrapper: found unexpected type "
>                 + (xmlObject != null ? xmlObject.getClass().getName() : xmlObject)
>             );
>         }
>
>         assertionElement = element;
>     }
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
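The question quoted above asks why parseElement only logs an unexpected element type and leaves the wrapper's fields null, so that the NullPointerException surfaces much later in SAMLUtil. The following is an added illustration, not WSS4J code and not code from either poster: a lenient parse in the shape of the quoted method beside a strict one that rejects anything other than a SAML 1.1 or 2.0 Assertion at the point of parsing. TokenTypeException is a hypothetical stand-in for WSSecurityException, the sample elements are constructed, and only the namespace and local name are checked, not OpenSAML object types.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

/**
 * Added example, not WSS4J code. A minimal token wrapper that fails closed
 * when the element referenced by a SecurityTokenReference is not a SAML
 * Assertion. In the thread an xenc:EncryptedData element reached the
 * wrapper, the type check only logged, the version and assertion fields
 * stayed null, and the first later use of them threw a NullPointerException.
 */
public class StrictAssertionWrapper {

    static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    enum SamlVersion { VERSION_11, VERSION_20 }

    /** Hypothetical stand-in for org.apache.ws.security.WSSecurityException. */
    static class TokenTypeException extends Exception {
        TokenTypeException(String msg) { super(msg); }
    }

    private final SamlVersion version;
    private final Element assertionElement;

    /**
     * Lenient variant in the shape of the quoted parseElement: an unexpected
     * type is only logged and null leaks to the caller, which is the failure
     * mode seen in the thread. Kept here only for comparison.
     */
    static SamlVersion lenientParse(Element element) {
        SamlVersion v = null;
        if (isAssertion(element, SAML1_NS)) {
            v = SamlVersion.VERSION_11;
        } else if (isAssertion(element, SAML2_NS)) {
            v = SamlVersion.VERSION_20;
        } else {
            System.err.println("found unexpected type " + describe(element));
        }
        return v; // null here becomes an NPE in whatever dereferences it next
    }

    /** Strict variant: reject anything that is not a SAML Assertion up front. */
    StrictAssertionWrapper(Element element) throws TokenTypeException {
        if (isAssertion(element, SAML1_NS)) {
            version = SamlVersion.VERSION_11;
        } else if (isAssertion(element, SAML2_NS)) {
            version = SamlVersion.VERSION_20;
        } else {
            throw new TokenTypeException(
                "SAML token security failure: expected a SAML 1.1 or 2.0 Assertion, got "
                + describe(element));
        }
        assertionElement = element;
    }

    SamlVersion getVersion() { return version; }
    Element getElement() { return assertionElement; }

    private static boolean isAssertion(Element e, String ns) {
        return e != null && "Assertion".equals(e.getLocalName())
            && ns.equals(e.getNamespaceURI());
    }

    private static String describe(Element e) {
        return e == null ? "null" : "{" + e.getNamespaceURI() + "}" + e.getLocalName();
    }

    /** Parse a constructed XML snippet into a namespace-aware DOM element. */
    static Element parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Untrusted XML: never resolve a DOCTYPE while parsing a token.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)))
                .getDocumentElement();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample elements, not taken from the thread's payloads.
        String[] samples = {
            "<saml:Assertion xmlns:saml='" + SAML1_NS + "' AssertionID='_c1'/>",
            "<saml2:Assertion xmlns:saml2='" + SAML2_NS + "' ID='_c2'/>",
            "<xenc:EncryptedData xmlns:xenc='http://www.w3.org/2001/04/xmlenc#' Id='ED-c3'/>"
        };
        for (String xml : samples) {
            Element e = parse(xml);
            System.out.println("lenient: " + describe(e) + " -> version " + lenientParse(e));
            try {
                System.out.println("strict:  " + describe(e) + " -> version "
                    + new StrictAssertionWrapper(e).getVersion());
            } catch (TokenTypeException ex) {
                System.out.println("strict:  rejected: " + ex.getMessage());
            }
        }
    }
}
```

For the EncryptedData sample the lenient path prints a null version, while the strict path reports the rejected type at the parse step, which is where a defender wants the error to appear.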

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Colm,

<<<<<

Jun 11, 2012 5:09:18 PM org.apache.ws.security.saml.ext.AssertionWrapper parseElement
SEVERE: AssertionWrapper: found unexpected type org.opensaml.xml.encryption.impl.EncryptedDataImpl

Jun 11, 2012 5:11:16 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
java.lang.NullPointerException
       at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:250)
       at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:149)
>>>>>>>

Spent pretty long time today to figure that out. WSP generated a response
and I don't see any error message from server side. So, it looks like that
this exception was thrown by the client during security header validation.

Following is code for parseElement(Line696-709) method inside
org.apache.ws.security.saml.ext.AssertionWrapper.java(wss4j-1.6.6.jar)
class. So, 'element' type should be org.opensaml.saml1.core.Assertion to
make this code happy, but why should WSP generate a token which is saml1
Assertion type? I thought that only STS generates Assertion token. Kind of
confused here. Do you think of any configuration issue? Shouldn't throw an
exception inside else statement after logging if that condition is
unacceptable?



    private void parseElement(Element element) throws WSSecurityException {
        this.xmlObject = OpenSAMLUtil.fromDom(element);
        if (xmlObject instanceof org.opensaml.saml1.core.Assertion) {
            this.saml1 = (org.opensaml.saml1.core.Assertion) xmlObject;
            samlVersion = SAMLVersion.VERSION_11;
        } else if (xmlObject instanceof org.opensaml.saml2.core.Assertion) {
            this.saml2 = (org.opensaml.saml2.core.Assertion) xmlObject;
            samlVersion = SAMLVersion.VERSION_20;
        } else {
            LOG.error(
                "AssertionWrapper: found unexpected type "
                + (xmlObject != null ? xmlObject.getClass().getName() : xmlObject)
            );
        }

        assertionElement = element;
    }


On Mon, Jun 11, 2012 at 12:01 PM, Gina Choi <gi...@gmail.com> wrote:

> Colm,
>
> <<<<
> You were getting the error on the service provider side no? You would have
> to set it on the service provider endpoint in this case.
> >>>>
>
> You are right. I forgot that WSP had a config file. After set it in the
> WSP config file, I passed that exception.
>
> Cool! WSP finally generated a response, but client is throwing an NPE. I
> will debut it and get back to you. I am getting close to the final line...
> Thanks a lot for all your help.
>
>
>
> ID: 2
>
> Response-Code: 200
>
> Encoding: UTF-8
>
> Content-Type: text/xml;charset=UTF-8
>
> Headers: {Content-Length=[5277], content-type=[text/xml;charset=UTF-8],
> Date=[Mon, 11 Jun 2012 15:53:42 GMT], Server=[Apache-Coyote/1.1]}
>
> Payload: <soap:Envelope xmlns:soap="
> http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><Action xmlns="
> http://www.w3.org/2005/08/addressing" xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Id-12083469">
> http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse</Action><MessageIDxmlns="
> http://www.w3.org/2005/08/addressing" xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Id-14292879">urn:uuid:c6db815d-2eda-4f38-b8f5-a155e11bc9fc</MessageID><To
> xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Id-23067900">
> http://www.w3.org/2005/08/addressing/anonymous</To><RelatesTo xmlns="
> http://www.w3.org/2005/08/addressing" xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Id-4247180">urn:uuid:2a1f2ddc-0570-4d0b-985d-13bef961cad1</RelatesTo><wsse:Security
> xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> soap:mustUnderstand="1"><wsu:Timestamp
> wsu:Id="TS-4"><wsu:Created>2012-06-11T15:53:42.336Z</wsu:Created><wsu:Expires>2012-06-11T15:58:42.336Z</wsu:Expires></wsu:Timestamp><xenc:ReferenceList
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:DataReference
> URI="#ED-6"/></xenc:ReferenceList><ds:Signature xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#"
> Id="SIG-5"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="
> http://www.w3.org/2000/09/xmldsig#hmac-sha1"/><ds:Reference
> URI="#Id-25899396"><ds:Transforms><ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>8U8AaCZDk7jpxiWM7rbV4qwjfxM=</ds:DigestValue></ds:Reference><ds:Reference
> URI="#Id-23067900"><ds:Transforms><ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>zLPoiOCsm2/WxFnuq/1NTjy2uPQ=</ds:DigestValue></ds:Reference><ds:Reference
> URI="#Id-14292879"><ds:Transforms><ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>UhPP+RcBZs61Ys6Xzgsp5cz1as4=</ds:DigestValue></ds:Reference><ds:Reference
> URI="#Id-4247180"><ds:Transforms><ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>Er7vUiI3Rlg9Y+M4JZkvBbiFSb8=</ds:DigestValue></ds:Reference><ds:Reference
> URI="#Id-12083469"><ds:Transforms><ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>Gma/VRqyG0J6ctWBsG/E5TWs4jk=</ds:DigestValue></ds:Reference><ds:Reference
> URI="#TS-4"><ds:Transforms><ds:Transform Algorithm="
> http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>AdVhb1lPcz0NVbvtc6iMJj4Ydms=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>UrGOgYlMLnkIn1VDZLiY2HCJjBY=</ds:SignatureValue><ds:KeyInfo
> Id="KI-9CECF537B18A5D2E2113394300223373"><wsse:SecurityTokenReference
> xmlns:wsse11="
> http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
> wsu:Id="STR-9CECF537B18A5D2E2113394300223374"><wsse:KeyIdentifier
> ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_e947a1b5-68f5-49b1-bbff-aa4f98935156</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soap:Header><soap:Body
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Id-25899396"><xenc:EncryptedData xmlns:xenc="
> http://www.w3.org/2001/04/xmlenc#" Id="ED-6" Type="
> http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><wsse:SecurityTokenReference
> xmlns:wsse11="
> http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> wsse11:TokenType="
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"><wsse:KeyIdentifier
> ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
> ">_e947a1b5-68f5-49b1-bbff-aa4f98935156</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>cTsoQzby7eNZDnrXKb7yXo/G1AzGre8QeKzjOuxtq5XqdkHLoG8I7erBJZClIRX9ZSWt0Pe6hw7cvxo4o8Sctr3UWYx7cJlVwQsYQrk5L3hEKynJp9b+ILkDjQ6NqdwWQp1bFNEnVmjQNH2VoiM9hqLG695R5v2lXBzspwlAwvagZI6ySbh2UrkMRT7Q8VlWf6vok0K7FyebINs3wSrkkQ==</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
>
> --------------------------------------
>
> Jun 11, 2012 11:53:43 AM org.apache.ws.security.saml.ext.AssertionWrapper parseElement
> SEVERE: AssertionWrapper: found unexpected type org.opensaml.xml.encryption.impl.EncryptedDataImpl
>
> Jun 11, 2012 11:53:43 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
> WARNING: Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
>
> java.lang.NullPointerException
>        at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:250)
>        at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:149)
>        at org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:284)
>        at org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:141)
>        at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
>        at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
>        at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
>        at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>        at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
>        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
>        at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
>        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
>        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
>        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
>        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
>        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
>        at $Proxy26.doubleIt(Unknown Source)
>        at client.WSClient.doubleIt(WSClient.java:18)
>        at client.WSClient.main(WSClient.java:11)
>
> Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Fault string, and possibly fault code, not set
>        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
>        at $Proxy26.doubleIt(Unknown Source)
>        at client.WSClient.doubleIt(WSClient.java:18)
>        at client.WSClient.main(WSClient.java:11)
> Caused by: java.lang.NullPointerException
>        at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:250)
>        at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:149)
>        at org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:284)
>        at org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:141)
>        at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
>        at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
>        at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
>        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
>        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
>        at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
>        at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
>        at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
>        at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
>
>        at
> org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(
> *MessageSenderInterceptor.java:62*)
>
>        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(*
> PhaseInterceptorChain.java:262*)
>
>        at org.apache.cxf.endpoint.ClientImpl.doInvoke(*ClientImpl.java:532
> *)
>
>        at org.apache.cxf.endpoint.ClientImpl.invoke(*ClientImpl.java:464*)
>
>        at org.apache.cxf.endpoint.ClientImpl.invoke(*ClientImpl.java:367*)
>
>        at org.apache.cxf.endpoint.ClientImpl.invoke(*ClientImpl.java:320*)
>
>        at org.apache.cxf.frontend.ClientProxy.invokeSync(*
> ClientProxy.java:89*)
>
>        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(*
> JaxWsClientProxy.java:134*)
>
>        ... 3 more
>
>
>

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Colm,

<<<<
You were getting the error on the service provider side no? You would have
to set it on the service provider endpoint in this case.
>>>>

You are right. I forgot that the WSP had a config file. After setting it in the WSP
config file, I got past that exception.

Cool! The WSP finally generated a response, but the client is throwing an NPE. I
will debug it and get back to you. I am getting close to the finish line...
Thanks a lot for all your help.



ID: 2
Response-Code: 200
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {Content-Length=[5277], content-type=[text/xml;charset=UTF-8], Date=[Mon, 11 Jun 2012 15:53:42 GMT], Server=[Apache-Coyote/1.1]}

Payload:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="Id-12083469">http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItResponse</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing"
               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
               wsu:Id="Id-14292879">urn:uuid:c6db815d-2eda-4f38-b8f5-a155e11bc9fc</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
        wsu:Id="Id-23067900">http://www.w3.org/2005/08/addressing/anonymous</To>
    <RelatesTo xmlns="http://www.w3.org/2005/08/addressing"
               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
               wsu:Id="Id-4247180">urn:uuid:2a1f2ddc-0570-4d0b-985d-13bef961cad1</RelatesTo>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                   soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-4">
        <wsu:Created>2012-06-11T15:53:42.336Z</wsu:Created>
        <wsu:Expires>2012-06-11T15:58:42.336Z</wsu:Expires>
      </wsu:Timestamp>
      <xenc:ReferenceList xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:DataReference URI="#ED-6"/>
      </xenc:ReferenceList>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-5">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
          <ds:Reference URI="#Id-25899396">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>8U8AaCZDk7jpxiWM7rbV4qwjfxM=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Id-23067900">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>zLPoiOCsm2/WxFnuq/1NTjy2uPQ=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Id-14292879">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>UhPP+RcBZs61Ys6Xzgsp5cz1as4=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Id-4247180">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Er7vUiI3Rlg9Y+M4JZkvBbiFSb8=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#Id-12083469">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>Gma/VRqyG0J6ctWBsG/E5TWs4jk=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#TS-4">
            <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>AdVhb1lPcz0NVbvtc6iMJj4Ydms=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>UrGOgYlMLnkIn1VDZLiY2HCJjBY=</ds:SignatureValue>
        <ds:KeyInfo Id="KI-9CECF537B18A5D2E2113394300223373">
          <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                                       wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
                                       wsu:Id="STR-9CECF537B18A5D2E2113394300223374">
            <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_e947a1b5-68f5-49b1-bbff-aa4f98935156</wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
             wsu:Id="Id-25899396">
    <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-6"
                        Type="http://www.w3.org/2001/04/xmlenc#Content">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
                                     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                                     wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1">
          <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_e947a1b5-68f5-49b1-bbff-aa4f98935156</wsse:KeyIdentifier>
        </wsse:SecurityTokenReference>
      </ds:KeyInfo>
      <xenc:CipherData>
        <xenc:CipherValue>cTsoQzby7eNZDnrXKb7yXo/G1AzGre8QeKzjOuxtq5XqdkHLoG8I7erBJZClIRX9ZSWt0Pe6hw7cvxo4o8Sctr3UWYx7cJlVwQsYQrk5L3hEKynJp9b+ILkDjQ6NqdwWQp1bFNEnVmjQNH2VoiM9hqLG695R5v2lXBzspwlAwvagZI6ySbh2UrkMRT7Q8VlWf6vok0K7FyebINs3wSrkkQ==</xenc:CipherValue>
      </xenc:CipherData>
    </xenc:EncryptedData>
  </soap:Body>
</soap:Envelope>

--------------------------------------

Jun 11, 2012 11:53:43 AM org.apache.ws.security.saml.ext.AssertionWrapper parseElement
SEVERE: AssertionWrapper: found unexpected type org.opensaml.xml.encryption.impl.EncryptedDataImpl

Jun 11, 2012 11:53:43 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now

java.lang.NullPointerException
       at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:250)
       at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:149)
       at org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:284)
       at org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:141)
       at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
       at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
       at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
       at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
       at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
       at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
       at $Proxy26.doubleIt(Unknown Source)
       at client.WSClient.doubleIt(WSClient.java:18)
       at client.WSClient.main(WSClient.java:11)

Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: Fault string, and possibly fault code, not set
       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
       at $Proxy26.doubleIt(Unknown Source)
       at client.WSClient.doubleIt(WSClient.java:18)
       at client.WSClient.main(WSClient.java:11)
Caused by: java.lang.NullPointerException
       at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:250)
       at org.apache.ws.security.saml.SAMLUtil.getCredentialFromSubject(SAMLUtil.java:149)
       at org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:284)
       at org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:141)
       at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
       at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
       at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
       at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
       at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
       at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
       at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
       at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
       ... 3 more





On Mon, Jun 11, 2012 at 11:40 AM, Colm O hEigeartaigh
<co...@apache.org>wrote:

>
> > Does setting "ws-security.is-bsp-compliant" to "false" make Service
> Provider not to check wsse11:TokenType attribute?
>
> Yes.
>
>
> > I set "ws-security.is-bsp-compliant" through client configuration file
> like below, but it didn't change any result. I am getting the same exception.
>
> You were getting the error on the service provider side no? You would have
> to set it on the service provider endpoint in this case.
>
> Colm.
>
>
>
> On Mon, Jun 11, 2012 at 4:31 PM, Gina Choi <gi...@gmail.com> wrote:
>
>> Hi Colm,
>>
>> <<<
>> You can turn this off by setting the following jax-ws property
>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>> >>>
>>
>> Does setting "ws-security.is-bsp-compliant" to "false" make Service
>> Provider not to check wsse11:TokenType attribute? ADFS2.0 doesn't enforce
>> wsse11:TokenType attribute, so the security token that I got from ADFS2.0
>> wouldn't contain wsse11:TokenType attribute. I set
>> "ws-security.is-bsp-compliant" through client configuration file like
>> below, but it didn't change any result. I am getting the same exception.
>>
>>
>>    <jaxws:client name="{
>> http://www.example.org/contract/DoubleIt}DoubleItPort"
>> createdFromAPI="true">
>>        <jaxws:properties>
>>        <entry key="ws-security.is-bsp-compliant" value="false"/>
>>
>>        <entry key="ws-security.sts.client">
>>                 <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>      <constructor-arg ref="cxf"/>
>>      <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>> ........
>>
>>
>> Gina
>> On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <coheigea@apache.org
>> > wrote:
>>
>>> CXF enforces the Basic Security Profile 1.1 spec:
>>>
>>> http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>>>
>>> "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
>>> wsse11:TokenType attribute with a value of "
>>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".
>>> "
>>>
>>> You can turn this off by setting the following jax-ws property
>>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>>>
>>> Colm.
>>>
>>> On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi <gi...@gmail.com> wrote:
>>>
>>> > I did some research and looked at oasis specification(
>>> >
>>> >
>>> https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
>>> > ),
>>> > it looks like the wsse11:TokenType attribute is optional for SAML
>>> 1.1, but
>>> > should contain
>>> >
>>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
>>> .
>>> >
>>> >
>>> > <<<
>>> >
>>> > Now I am getting 'An invalid security token was provided (Bad TokenType
>>> > "")'. I debugged through code again and following is the issue.
>>> > org.apache.ws.security.str.BSPEnforcer.java(wss4j-1.6.6.jar) class
>>> Line 162
>>> > - 169
>>> >
>>> >        String tokenType = secRef.getTokenType();
>>> >        if (assertion.getSaml1() != null &&
>>> > !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>>> >            throw new WSSecurityException(
>>> >                WSSecurityException.INVALID_SECURITY_TOKEN,
>>> >                "invalidTokenType",
>>> >                 new Object[]{tokenType}
>>> >            );
>>> >        }
>>> > The content of the secRef object is as follows. As you can see from the above
>>> code, it
>>> > is looking for an attribute named "TokenType", whose value is "
>>> >
>>> >
>>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
>>> > " but SecurityTokenReference doesn't have it. That's why it throws
>>> > exception. What we can do about this? I am going to update *CXF-4367
>>> with
>>> > new content.*
>>> >
>>> > <o:SecurityTokenReference xmlns:o="
>>> >
>>> >
>>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>>> > ">
>>> >  <o:KeyIdentifier ValueType="
>>> >
>>> >
>>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
>>> > ">
>>> >  _ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
>>> > </o:SecurityTokenReference>
>>> >
>>> > >>>>>>>>
>>> >
>>>
>>>
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com
>>>
>>
>>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Colm O hEigeartaigh <co...@apache.org>.
> Does setting "ws-security.is-bsp-compliant" to "false" make Service
Provider not to check wsse11:TokenType attribute?

Yes.

> I set "ws-security.is-bsp-compliant" through client configuration file
like below, but it didn't change any result. I am getting the same exception.

You were getting the error on the service provider side no? You would have
to set it on the service provider endpoint in this case.

Colm.



On Mon, Jun 11, 2012 at 4:31 PM, Gina Choi <gi...@gmail.com> wrote:

> Hi Colm,
>
> <<<
> You can turn this off by setting the following jax-ws property
> "ws-security.is-bsp-compliant" to "false" for the service provider.
> >>>
>
> Does setting "ws-security.is-bsp-compliant" to "false" make Service
> Provider not to check wsse11:TokenType attribute? ADFS2.0 doesn't enforce
> wsse11:TokenType attribute, so the security token that I got from ADFS2.0
> wouldn't contain wsse11:TokenType attribute. I set
> "ws-security.is-bsp-compliant" through client configuration file like
> below, but it didn't change any result. I am getting the same exception.
>
>
>    <jaxws:client name="{
> http://www.example.org/contract/DoubleIt}DoubleItPort"
> createdFromAPI="true">
>        <jaxws:properties>
>        <entry key="ws-security.is-bsp-compliant" value="false"/>
>
>        <entry key="ws-security.sts.client">
>                 <bean class="org.apache.cxf.ws.security.trust.STSClient">
>      <constructor-arg ref="cxf"/>
>      <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
> ........
>
>
> Gina
> On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <co...@apache.org>wrote:
>
>> CXF enforces the Basic Security Profile 1.1 spec:
>>
>> http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>>
>> "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
>> wsse11:TokenType attribute with a value of "
>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".
>> "
>>
>> You can turn this off by setting the following jax-ws property
>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>>
>> Colm.
>>
>> On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi <gi...@gmail.com> wrote:
>>
>> > I did some research and looked at oasis specification(
>> >
>> >
>> https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
>> > ),
>> > it looks like the wsse11:TokenType attribute is optional for SAML 1.1,
>> but
>> > should contain
>> >
>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1.
>> >
>> >
>> > <<<
>> >
>> > Now I am getting 'An invalid security token was provided (Bad TokenType
>> > "")'. I debugged through code again and following is the issue.
>> > org.apache.ws.security.str.BSPEnforcer.java(wss4j-1.6.6.jar) class Line
>> 162
>> > - 169
>> >
>> >        String tokenType = secRef.getTokenType();
>> >        if (assertion.getSaml1() != null &&
>> > !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>> >            throw new WSSecurityException(
>> >                WSSecurityException.INVALID_SECURITY_TOKEN,
>> >                "invalidTokenType",
>> >                 new Object[]{tokenType}
>> >            );
>> >        }
>> > The content of the secRef object is as follows. As you can see from the above code,
>> it
>> > is looking for an attribute named "TokenType", whose value is "
>> >
>> >
>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
>> > " but SecurityTokenReference doesn't have it. That's why it throws
>> > exception. What we can do about this? I am going to update *CXF-4367
>> with
>> > new content.*
>> >
>> > <o:SecurityTokenReference xmlns:o="
>> >
>> >
>> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
>> > ">
>> >  <o:KeyIdentifier ValueType="
>> >
>> >
>> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
>> > ">
>> >  _ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
>> > </o:SecurityTokenReference>
>> >
>> > >>>>>>>>
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Hi Colm,

<<<
You can turn this off by setting the following jax-ws property
"ws-security.is-bsp-compliant" to "false" for the service provider.
>>>

Does setting "ws-security.is-bsp-compliant" to "false" make the Service
Provider not check the wsse11:TokenType attribute? ADFS2.0 doesn't enforce the
wsse11:TokenType attribute, so the security token that I got from ADFS2.0
wouldn't contain a wsse11:TokenType attribute. I set
"ws-security.is-bsp-compliant" through the client configuration file like
below, but it didn't change any result. I am getting the same exception.


   <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
                 createdFromAPI="true">
       <jaxws:properties>
           <entry key="ws-security.is-bsp-compliant" value="false"/>
           <entry key="ws-security.sts.client">
               <bean class="org.apache.cxf.ws.security.trust.STSClient">
                   <constructor-arg ref="cxf"/>
                   <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
........


Gina
On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <co...@apache.org>wrote:

> CXF enforces the Basic Security Profile 1.1 spec:
>
> http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>
> "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
> wsse11:TokenType attribute with a value of "
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1".
> "
>
> You can turn this off by setting the following jax-ws property
> "ws-security.is-bsp-compliant" to "false" for the service provider.
>
> Colm.
>
> On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi <gi...@gmail.com> wrote:
>
> > I did some research and looked at oasis specification(
> >
> >
> https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
> > ),
> > it looks like the wsse11:TokenType attribute is optional for SAML 1.1,
> but
> > should contain
> > http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
> .
> >
> >
> > <<<
> >
> > Now I am getting 'An invalid security token was provided (Bad TokenType
> > "")'. I debugged through code again and following is the issue.
> > org.apache.ws.security.str.BSPEnforcer.java(wss4j-1.6.6.jar) class Line
> 162
> > - 169
> >
> >        String tokenType = secRef.getTokenType();
> >        if (assertion.getSaml1() != null &&
> > !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
> >            throw new WSSecurityException(
> >                WSSecurityException.INVALID_SECURITY_TOKEN,
> >                "invalidTokenType",
> >                 new Object[]{tokenType}
> >            );
> >        }
> > The content of the secRef object is as follows. As you can see from the above code,
> it
> > is looking for an attribute named "TokenType", whose value is "
> >
> > http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
> > " but SecurityTokenReference doesn't have it. That's why it throws
> > exception. What we can do about this? I am going to update *CXF-4367 with
> > new content.*
> >
> > <o:SecurityTokenReference xmlns:o="
> >
> >
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> > ">
> >  <o:KeyIdentifier ValueType="
> >
> >
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
> > ">
> >  _ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
> > </o:SecurityTokenReference>
> >
> > >>>>>>>>
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Colm O hEigeartaigh <co...@apache.org>.
CXF enforces the Basic Security Profile 1.1 spec:

http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html

"R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
wsse11:TokenType attribute with a value of
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"."

You can turn this off by setting the following jax-ws property
"ws-security.is-bsp-compliant" to "false" for the service provider.

Colm.

On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi <gi...@gmail.com> wrote:

> I did some research and looked at oasis specification(
>
> https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
> ),
> it looks like the wsse11:TokenType attribute is optional for SAML 1.1, but
> should contain
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1.
>
>
> <<<
>
> Now I am getting 'An invalid security token was provided (Bad TokenType
> "")'. I debugged through code again and following is the issue.
> org.apache.ws.security.str.BSPEnforcer.java(wss4j-1.6.6.jar) class Line 162
> - 169
>
>        String tokenType = secRef.getTokenType();
>        if (assertion.getSaml1() != null &&
> !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>            throw new WSSecurityException(
>                WSSecurityException.INVALID_SECURITY_TOKEN,
>                "invalidTokenType",
>                 new Object[]{tokenType}
>            );
>        }
> The content of the secRef object is as follows. As you can see from the above code, it
> is looking for an attribute named "TokenType" whose value is
> "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
> but the SecurityTokenReference doesn't have it. That's why it throws the
> exception. What can we do about this? I am going to update CXF-4367 with
> new content.
>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>   <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
> </o:SecurityTokenReference>
>
> >>>>>>>>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
I did some research and looked at the OASIS specification
(https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf);
it looks like the wsse11:TokenType attribute is optional for SAML 1.1, but
should contain
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1.


<<<

Now I am getting 'An invalid security token was provided (Bad TokenType
"")'. I debugged through the code again and the following is the issue, in
org.apache.ws.security.str.BSPEnforcer.java (wss4j-1.6.6.jar), lines 162
to 169:

        String tokenType = secRef.getTokenType();
        if (assertion.getSaml1() != null &&
!WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
            throw new WSSecurityException(
                WSSecurityException.INVALID_SECURITY_TOKEN,
                "invalidTokenType",
                 new Object[]{tokenType}
            );
        }
The content of the secRef object is as follows. As you can see from the above code, it
is looking for an attribute named "TokenType" whose value is
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
but the SecurityTokenReference doesn't have it. That's why it throws the
exception. What can we do about this? I am going to update CXF-4367 with
new content.

<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
</o:SecurityTokenReference>

>>>>>>>>
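
The R6611 check from BSPEnforcer quoted above, as an added example that is not CXF's or WSS4J's own code: a Python reimplementation run over the two SecurityTokenReference forms seen in this thread (the ADFS 2.0 one without wsse11:TokenType, and the one CXF itself emits), with a flag standing in for the ws-security.is-bsp-compliant property. The names parse_str, enforce_r6611 and report, and both sample STRs, are this example's own constructions.

```python
"""Added example (not CXF or WSS4J code): the BSP 1.1 R6611 check that
org.apache.ws.security.str.BSPEnforcer applies, reimplemented over the two
wsse:SecurityTokenReference forms from this thread."""
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11_NS = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
# The value WSConstants.WSS_SAML_TOKEN_TYPE compares against.
WSS_SAML_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
SAML_ASSERTION_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"

STR_TAG = "{%s}SecurityTokenReference" % WSSE_NS
KEY_IDENTIFIER_TAG = "{%s}KeyIdentifier" % WSSE_NS
TOKEN_TYPE_ATTR = "{%s}TokenType" % WSSE11_NS

# Constructed sample 1: the STR ADFS 2.0 produced in the thread (no wsse11:TokenType).
ADFS_STR = """<o:SecurityTokenReference xmlns:o="%s">
  <o:KeyIdentifier ValueType="%s">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
</o:SecurityTokenReference>""" % (WSSE_NS, SAML_ASSERTION_ID)

# Constructed sample 2: the STR CXF/WSS4J emitted in the signed response in the thread.
CXF_STR = """<wsse:SecurityTokenReference xmlns:wsse="%s" xmlns:wsse11="%s"
    wsse11:TokenType="%s">
  <wsse:KeyIdentifier ValueType="%s">_e947a1b5-68f5-49b1-bbff-aa4f98935156</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>""" % (WSSE_NS, WSSE11_NS, WSS_SAML_TOKEN_TYPE, SAML_ASSERTION_ID)


class InvalidSecurityToken(Exception):
    """Stands in for WSSecurityException(INVALID_SECURITY_TOKEN, "invalidTokenType")."""


def parse_str(str_xml):
    """Pull the fields BSPEnforcer looks at out of a wsse:SecurityTokenReference."""
    root = ET.fromstring(str_xml)
    if root.tag != STR_TAG:
        raise ValueError("expected wsse:SecurityTokenReference, got %s" % root.tag)
    kid = root.find(KEY_IDENTIFIER_TAG)
    if kid is None:
        raise ValueError("SecurityTokenReference has no wsse:KeyIdentifier")
    return {
        # A missing attribute reads as "" (as DOM getAttributeNS() does), which is
        # why the thread's fault text says 'Bad TokenType ""' rather than null.
        "token_type": root.get(TOKEN_TYPE_ATTR, ""),
        "value_type": kid.get("ValueType", ""),
        "assertion_id": (kid.text or "").strip(),
    }


def enforce_r6611(ref, saml1=True, bsp_compliant=True):
    """Apply BSP 1.1 R6611 the way BSPEnforcer does; return the TokenType seen.

    saml1 mirrors assertion.getSaml1() != null (WSS4J knows the version from the
    assertion it resolved by ID). bsp_compliant mirrors the CXF property
    ws-security.is-bsp-compliant on the service provider endpoint: when false,
    this check is skipped entirely.
    """
    token_type = ref["token_type"]
    if not bsp_compliant:
        return token_type
    if saml1 and token_type != WSS_SAML_TOKEN_TYPE:
        raise InvalidSecurityToken(
            'An invalid security token was provided (Bad TokenType "%s")' % token_type)
    return token_type


def report(samples, bsp_compliant=True):
    """Run the check over several STRs; map name -> "ok" or the fault text."""
    out = {}
    for name, xml in samples.items():
        try:
            enforce_r6611(parse_str(xml), bsp_compliant=bsp_compliant)
            out[name] = "ok"
        except InvalidSecurityToken as e:
            out[name] = str(e)
    return out


if __name__ == "__main__":
    for compliant in (True, False):
        print("is-bsp-compliant=%s" % str(compliant).lower(),
              report({"adfs": ADFS_STR, "cxf": CXF_STR}, compliant))
```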

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Hi Colm,

1. I got past the previous issue. I debugged through the web service code and found
out that the web service is expecting the ADFS2.0 signing cert in its
keystore (the encryption cert was there). So, I imported it and got past the following
issue.

Previous issue:
org.apache.ws.security.WSSecurityException: The security token could not be
authenticated or authorized
at
org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:83)


2. New issue: Now I am getting 'An invalid security token was provided (Bad
TokenType "")'. I debugged through the code again and the following is the issue:
org.apache.ws.security.str.BSPEnforcer.java (wss4j-1.6.6.jar), lines 162-169:

        String tokenType = secRef.getTokenType();
        if (assertion.getSaml1() != null
            && !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
            throw new WSSecurityException(
                WSSecurityException.INVALID_SECURITY_TOKEN,
                "invalidTokenType",
                new Object[]{tokenType}
            );
        }

The content of the secRef object is as follows. As you can see from the
above code, it is looking for an attribute named "TokenType", whose value is
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
but the SecurityTokenReference doesn't have it. That's why it throws the
exception. What can we do about this? I am going to update CXF-4367 with
new content.

<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">
  _ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
</o:SecurityTokenReference>


Client side log:



INFO: Creating Service {
http://www.example.org/contract/DoubleIt}DoubleItService from WSDL:
file:/C:/gina/gmazza-blog-samples-92d152c/cxf_sts_tutorial/service/src/main/resources/DoubleIt.wsdl

Jun 8, 2012 5:48:24 PM
org.apache.cxf.services.SecurityTokenService.UserNameWSTrustBinding_IWSTrust13Async2.IWSTrust13Async

INFO: Outbound Message

---------------------------

ID: 1

Address: https://strts01.ams.dev/adfs/services/trust/13/usernamemixed

Encoding: UTF-8

Content-Type: application/soap+xml; action="
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"

Headers: {Accept=[*/*]}

Payload: <soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><Action
xmlns="http://www.w3.org/2005/08/addressing">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action><MessageIDxmlns="
http://www.w3.org/2005/08/addressing">urn:uuid:9b053b95-ef37-4411-b237-769f55389207</MessageID><To
xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-16293853">
https://strts01.ams.dev/adfs/services/trust/13/usernamemixed</To><ReplyToxmlns="
http://www.w3.org/2005/08/addressing"><Address>
http://www.w3.org/2005/08/addressing/anonymous</Address></ReplyTo><wsse:Securityxmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="true"><wsu:Timestamp
wsu:Id="TS-1"><wsu:Created>2012-06-08T21:48:24.131Z</wsu:Created><wsu:Expires>2012-06-08T21:53:24.131Z</wsu:Expires></wsu:Timestamp><wsse:UsernameToken
wsu:Id="UsernameToken-2"><wsse:Username>GLOBAL\gchoi</wsse:Username><wsse:Password
Type="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Monday0001</wsse:Password></wsse:UsernameToken></wsse:Security></soap:Header><soap:Body><wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wst:SecondaryParameters><t:TokenType
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType><t:KeyTypexmlns:t="
http://docs.oasis-open.org/ws-sx/ws-trust/200512">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType><t:KeySizexmlns:t="
http://docs.oasis-open.org/ws-sx/ws-trust/200512
">256</t:KeySize></wst:SecondaryParameters><wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsp:AppliesToxmlns:wsp="
http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>
https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><wst:Entropy><wst:BinarySecretType="
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce
">v8ylZhPqy1kH6EXnt/dpid0P+pwsFq5iHXA08IstGto=</wst:BinarySecret></wst:Entropy><wst:ComputedKeyAlgorithm>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm></wst:RequestSecurityToken></soap:Body></soap:Envelope
>

--------------------------------------

Jun 8, 2012 5:48:27 PM
org.apache.cxf.services.SecurityTokenService.UserNameWSTrustBinding_IWSTrust13Async2.IWSTrust13Async

INFO: Inbound Message

----------------------------

ID: 1

Response-Code: 200

Encoding: UTF-8

Content-Type: application/soap+xml; charset=utf-8

Headers: {Content-Length=[11973], content-type=[application/soap+xml;
charset=utf-8], Date=[Fri, 08 Jun 2012 21:48:02 GMT],
Server=[Microsoft-HTTPAPI/2.0]}

Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action
s:mustUnderstand="1">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal</a:Action><a:RelatesTo>urn:uuid:9b053b95-ef37-4411-b237-769f55389207</a:RelatesTo><o:Securitys:mustUnderstand="1"
xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><u:Timestamp
u:Id="_0"><u:Created>2012-06-08T21:48:02.086Z</u:Created><u:Expires>2012-06-08T21:53:02.086Z</u:Expires></u:Timestamp></o:Security></s:Header><s:Body><trust:RequestSecurityTokenResponseCollection
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><trust:RequestSecurityTokenResponse><trust:Entropy><trust:BinarySecret>QzGPD0r9+Jg0xDD/5eik2MO5a33YsQZwL3Zeg5K/zrw=</trust:BinarySecret></trust:Entropy><trust:Lifetime><wsu:Created
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-06-08T21:48:01.961Z</wsu:Created><wsu:Expires
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2012-06-08T22:48:01.961Z</wsu:Expires></trust:Lifetime><wsp:AppliesTo
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><wsa:EndpointReference
xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>
https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit</wsa:Address></wsa:EndpointReference></wsp:AppliesTo><trust:RequestedSecurityToken><xenc:EncryptedDataType="
http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="
http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><KeyInfo xmlns="
http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="
http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference
xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>CN=servicecn,
OU=SCT, O=SDL, L=wakefield, S=massachusetts,
C=US</X509IssuerName><X509SerialNumber>14822468329318157300</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>b8jEnEjwmCDmJ3I+JBieKVNWwZvwlRWH+1Tz5WmczWc3RqATpVmkuozVTbFeAPrjq06imbc82MIY3nhso5qcJhU3iKvkPWJ47YVAlq7b6kSBn2rPP9MG7bLkwZKa2S4mm3RReOJceeVp6k1STF8M9Pxf82EF4++BNNEuCH4XZcmICnsMjLb3zsfoc/+upZeV0CvOs8OyiyT7cbJA9m8ERRHvUVJjBpU4PjAwyPEV0XRascDl6pqGvq32S4Mm2VAU0fUo1V+WKUJIx9d9w7dbd5b5bwYUK/SIiyksyqekfcqqrRfsEZIuPWQwzQd14g9dSd7L514gkrZGY/JFbuhVvw==</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo><xenc:CipherData><xenc:CipherValue>uhc3W5Cq4Rsfo9PUsnTj9B1FW/gslQIlQBCIsmUvbKvwxixNA/Yg62SuVU/Lc180Bf3hb2t7Mg/4sX20DT2pY9h49IPjn4CqdutRCc6TuRYmznPlHavRSO1X8Qz+r7xIQ0Ay4T22mWra9ZTrFcMXoRwrqeXYksfFuAQLWorkvLi3Q0lK1dGAsmHh1+Av717cKU4pC9K0y0N5O5/pajT1qHBvK+6haXw2yISfe6LgheitjxBzQ75lxlginxbkKAwx3mjev6HE8Ia0QqblprBUV235CYShgh5ZkONfctrmuaSKUTDyAl/Pi87KozQeSguIBOFQflJdDHhM53NK+4R800UILUNkT3uhSBwRxVo49ykUtC690yfz8eKKwIpfQuWia5UGa10FSm3i6PkHyTN4JB0YXuAAJ88AddgQqRvpCXIJ9Fuj3cTOJRQ3rnevkmBhGBHbVTaVEmg8bALwhcEbLSUvyjniJqSKbP5ttBya7ELfSegEnyaG+ttrkcqS+SnIwZi8XY1gAYuebRI2i00r5D7V58uoRQKl+hjH3L/Hn+EKQJQJIIRMXKX0G0gAstMzMKWZV749kh0eEY5cCyfVWTsyPFYL68OO6Q6t7LLcOics3tvW0tex8iPhs3N9C4FdcI3SngvRGRu82YAIvYLiXSm8IJDs6x3bLK/DWnaqy0B8oTGRMCxg+T8ftYHKKMC/HZ+QNfswLQJ7eMn6bjMMFApbX0IW5ozUaj6eVzKW3GUtQAVFDE+6VEZn/8Cju27mYHOZCESVHFLm7gCq/3FYjaunsEywNZ3Cj/P1uAP1JwnxqDMzuIyp1pNKNsLh3febPqWIiDTwUhF7jr5XGiA3PGIC9zKwNCdFOrSMfgNf+5DwqR8qBPeSTyAmO9fT6BYQkQ5gxV05Or0n6L2wFIrsKrZI7p+l2dkd8accl3va4NyWo6RQ8eOhn9Xu0TADAnUlHY/3BLC+LPDGFZmR9vXbHhBffEc8X41cvFat+ISnlWhXrmV2t9tgdzpyRXhgYyVjsZgn7QStBqocllYDCBuRs9HMPgv3c0PaAzYtPpQvJwNbtAMl9T4mXEzswGsIA2mTALjNRO1CpenLD+DIQPFQDz6ddLNQ47r6sqh9nNJcUyRAbvT6k7YkrErdCGJ/HZfDbq2wfyIb4wEFKOOTj4d8HO8jzHKQcbeLCv8CjomOFxqlKhBw4Ar+UfUQHOUJ8zjUZxXNdIt4Z0eqIjlPjd/uNroI99dmf/xE/Ym/iuiM3MRJ72Xh/nqSIoIRbt/JHvcDO/jZM4Jh0SW0vt30RompiCqa7FEX3APAzFQRQDGEOHl9/HrnmDkn/f5lqZNMQ65HqypfN627UXnRwNoHWGvyOXoqmi/be6gF8l0HpzodWtOlp
OjZN4iLvUanpSzfLEISsE/2kfiyiNrgYC92A3PQY9QUXZutq88RPRvW8HIxl71BHFkCqx2n6+SKxF6aO78pUb/NzlAFP7wbI1qaB+1+Kw4Jc3e/vkVD/gdzNKQ+7ucGw4pqpCIoxrdF78lU1NFuCP/jVWTl7xP5lsVrirm98ruMTRBKsW3WP0JZP6H6th5zosUE1Gt1x2caaoY1dAZaIchFkU4yWUgvzOEJJijrdCmGDrlxmkA07Od4SIMBOukmMa2ClkKZgM2rw6Az+C4oesI54+ycGo9Y8l3eDS2c2wUZxrAvM5rmSbJValVeltBGEwZ/Y/qIdXTi71h9vXI4y19a/XF42pOzQVtSjJmbZ/mbxdxKJMoZ30x8KbjULv76VoPI74Jepiyo6IbWfT8I/FmuGldAxmHc6A2VaGqEIUiC1I5SM3HX7AtnwF9WU3tvHVTSGajFZtrL93ALB1movHM3KydXikn/+BlgyYfRJLclXJiTRDN3Cv7bLtSxG2yF9cbLPB29btzS9pZQPMF4PxjJ/7TG/TnPkBCTAS0AN/XWVTD4O3H3AEo0MfYePhpcqahpnfoYZPrOTQxy5c4G89I2SI+bE+AP9dHuJcrDZGPoRa5/MdjsY5PqNT+PUBrjkF2H6Nu7fqzjtf9yM7yDUK6Id2dw1l9+gitofuO42yPRfyTG6VVDZWycu194r3HYE+G1JyJuYdCUcoJphJOkWnje5zfxkGIIuGMJcNv+8Fsp92zVj3Fps7jCHytlcGh4QIAdtvN7HlGD2hkTq1FSWld2LHdAHwLkMjeUbqRnKJ9+FMx4C1ktQvrsBuCY30hmjO2CTxv5xbCEk2W3SqMBYZ0CcRReaZNsnL8tdmmPDZUiWWn0mj/NDfRzv6bi/LH2UjAiQX65gaOIfLMHnUqlCOS5bvrrSXWiBO071fqBCPriW8Zo8DNvuXPbR/dBmetF82F2HTFeVmLx+IspSPllvlRL+QeBD7E/eY1SAG2h0303J7QqfRML/D9eoH6u+3KW4umzLkSi4ZknqQDv0bJkdnqRmGsTcPyPhMxnaF+5LaMdDcCBSELBYX9REcKwE1aqjZelfXKRwJ990UyU7g5F9N7Pjj6JRfF+GXrOSFWO2NqgX6Ycc3mEcBOKpVr82J/IzTYTkAw0INNmuocubp0RzJnWMEzcaa1n6rw5UcpT2NkXhR7pSQz+4DC/LUSDxD31rSZ5sjae2LilRxk37NGmJ/ZVTJ+VO02kye85IoLlXRDRl2/mxCoDTlpfcxIXjQ9qmWip/6irZsQfCBBIieQ6lkq9WChBUbYdEKT7gIztlhiGNcrLEkXsccGo/U9iAbEWb/mMv8CvaZWgEYMQ3TCTbh5c96JmBs5J+UNbB5ROXkn5cZ/XhF8RdM4BSD88eW4h1cT8AtXCUPs1mzn93g2ARtb897YHTSbYJZJ1T9/qnyKx62cgYxfqya3CuWDxldY4co0gm6aHdXJfNKoaURIohWl9Rk/ydKXvJC3zEo/eN6yWinJIKgOVrK6MKd3z8Y2lv5gAJhXYJYR7mAUeBjOL7Tla1erfMq4aYCYMu2mggk/m6nHUj7Td1kMrCiz6XbCFZtY1mGOUkNEXSKFR+rz40yfjz/7saTm+s2icmu48x0JKlSphooBpVFT3UzLmSc+xUuIx2oe+WXUJIe7799ViWoY98Cdk0ccPFMTlS+1GE8aNTTUsvfR19Min00VRAuL9kkesyPLC+6Wr98NrtFjBCxUHG9KxCcCoxiEDjvFfDMj+esknXUmoyq7F4a19vIHglyz6VHRHtQ3lwBPxu/GXPI6nz1ytdW5ZAqnzecQGBwRmkvAvXTvR66TIvs5ZSSSd5kZI20nkdH0z3fw/wqoFAIH0FMXT27RgSE0Hjf7EMVYbHrXhqsYvnoLwNMwmtEDb+q6lOkDkuwGHRPJPQ91/EANKKp7wkp0yiwECoaNfT4Rqfnz4EWiZCw/46CYo5fJFsbHxc6NK3xswzN0jE
T8H4DNVqeomQJGFhMWSzWFJCUl48MWdsAU84B87QHy7z/LYSW61a5KQU7BZ1ewny4kfKS/Nz74L4KCD38yEna0nS6XeOHNFTmtiPPryjeL74L1a4Hpzes2kqGXrXpVaT6xW4nex5v1/O3cHk7fOdUZjA31CZKbMEW3J84/ejgHABEALtGcNZE2IV6HcB78fisnPszO9I0SnW6kElpDsVeN7s2gF8GO6/kOdLxLAuM2g+tonAK6sHKe/kY2Zp5/z9MdDGe03/IxdXxhwK+F7yeJMKGfgMmdwYREA/0/VzwnMBng3J5Re8owmU/DW/ofAMZRZeHmGHNoTx/yeVkUZ2KV0mUoAilyVCQ/+OlGzrlXBeoQ7otdYW0UaYiRP5qVYLi8X9p+cuibJLbiSWHLOs0yT9LVKxerOFnCf5Orj/vEeW5eKUzpMz7SC3WEwjN03RyQ3pOdmw1kazODmfuidK9jH6cw88WqC5SpNlsFmvyk9sYUEjRsdNSey21KoChTxHFrfVmkvIHoEFwM/ZVKQE7uGQ54bboZRDi7Dec2EuCFsBvS47RSI/daXyrZLO4PI7yHHyN52b1fhKE2sEyXlc67S0TcEEGPPHQWMkCcrqBqjL5XWfrBomKEQ5qCYcvhGUvmZuVK9TYfUzvTOME+fxOarxc8y12acxuCxS2whVudYFtamBEGqS+ECMYI/NkpNTkepZEUKZwz6YWgJVzTmvkMtL7NlVwPFRaJnBs8WLcsaovzhXAQ899jfzOFzBBWUoVVYxGYZgAMCBMf8nTmGYTwDePCWdzpOgAFPn4a0r2gCVhU37WeYzDJfYh7niyY/hC8SRGbt+UaXw8JGg93BOZnk4vs/8uTAxDhLz7RF8Zg/aLpIkM4iAYcrcXrGY1dlgnKI7+HbZlP4+CpiJOBRyW8WCUs9uK1MCZeQJ93/BqUEnduDa35LZ8xh5JMQywSGsKtnVrEYC6tzf+3XNK7JZJHhFcT7notzaLNfsxP86Sdkzir0mdCkWDfJ0KkKG9EDOfN2k1+WGus4fL0Lq8cQgbj+xaPKBlfmL/0roIWZ+qeSlrZuq51CWQhvA93l8j+zPpMPE+JWORI3mrpxy8BgHNxWm74huwHy3xr9BnQJOs+582JrClblN/yVY/OKu0SICLqnYiDceACI6kjuhZugmTIJdgYV5WePNO92h2k9SHyXppMFiZdwVOCTmJaFnq7Qjg2EBnS4EzY7kkVUTRDPR8bLvwsMneOs7bArW4ctLZygiDv3WWjS8a5q5pBoaOTlCJMhkNdyS8WhYEq7Bb3m5pGoH2N3XWCc4+XvvQlpKbbVv5HjuGxDokJ6NhTgeIi4AKoDAEBANxhbmi45hhSYcufgEF3BJzKlihDCzHyRy2yusRX6Ok2uX+VCNhRvF3z9kVoicduk01qLjyogY0LZpRGOJPFFnuqvr+lNy/JNx/UZM4d9cHHxrUzRK6dZxKbhamjbdqWWFoedleFwesAqfYaGvhWPuSwgJ3hTLdgOXn79oUdK0VADEuJfVz2A9Ls29Lz7GG51xM2jW1rYLBHVmI07IAmeTJwfpaA78e8P1R0BG2EjKgpAnLMnrvZjvS5mKUHHxSixF41PiEy2iX2TivpISQ7uefJvMZq2K0/NEZFtl/boqQPHZdKN97aIGalSfTVj4Lv4iHBZOBRteaDt7pS6U2zZQzscHDiJyillns1dmVrUiCAAjWx+tRo1Sc7TZF6ayizhWB6/DZyW7logWEYVbSXsU5synWJcGEZfT2ggBlwBt9/sRcAvJuHt3PhdNmIxeWw5qXXbuDQVszqYqMgp0nPIXJNvLLtNwrS/L94GSGNrBjgXgPPyMj3UInNlb1f7rsJc76TwHZ3n028TDRVT+v3ezjBdAnyQT6JmGb66M61520d+PDir1iAGggavVxSknrQCrAYNUFyVrMjRT6l/v9yfAD9YzVCr5WC0PjiUni5kMtexJt+g0j4e/Q7qxP3Qm9n7C7X0f1ZNZ
BEkyy/PYG7A+ui4M7qhtAW/vl1fm9MG9maCyKWg/4c/hPCvsJURopDIh2s5WleaW0L9GX1EyiNRXF0Kan5kph9r7MhLS7XyQ2yxlgLKaduRuhpqidPhrJi7XDp5eEp9YDr6GXNFPY6ug2yDD/QWaD/9uxM62/O9NJ24/ED9B7AyhgdaDB6vJfbCL22lOCtn3bmYSci+2DcAOvCjdpxoaknQ3lQK/qfrthAbB2cGR9wk5iifv7zPJ7BCm3H0JxGEHwQ/DLx3i1ZNkSUtLd2ZhzHio9iesilFC0wFQx3kl34ugaEeyTYdCoe0lycDdmNCG/nSc6ZA5nw6xnKiCQUx4GsDaC0hsLUwKL10rEOLKxdrx4b/s62ei/aOD76jHPMTnQF6q3o6uhpSGeXnZkXtFRFXX75gP4Yv1vvBT3Oyipqbze97bJYeoq2tVpVI3DQvw0ffZdeZJNUS+Qt9ejuYgds4Jp/BVHReonpEvam5EFdqe7Dqo5tygzxUDiX779UtryqCNc/19g7Hqmug3i5hxlsG8r9xuD7dPUUfTYGCBHke3/ql2CY3AP/5FRas35DCdu6fSt/7Ue2bFhAnfwTk5VeLi43if++pf/4fie9pwatbr/PSm2ZYyHHz42icWmUSCY9oYphntu1eewxPcuTm9JBfMusBQzSsxGrfsVhTm1lBulzOKk6acGLk5WBUiCHOqqiLEWlISb0crrrd/CmeVIbYeNVSRyosxAmE4g/gRFrHkfqLZiqMk7DWN28kPbMCkpsYfBrylNHcpKH5BA/YQ6x8pT6Fdv955T5Fp4qW0DKH9zsacF6E5Jn0P6QxRXMRulgtiYc/D0K8AZqht68f9innlctf79YSX27WhLkwyLA0ahIyzEAvquksGkYXKJH3ahgh2hKzVr7r6Nua6+aY97Hpo6FKmFASBrhPRbmjn2SNhCvN9ddGE5aaCQ+hlasl01j6XRZppXFyCWhEAQPiuRImsgofdyCvJnI3RGqVBMK3HHL8Fuu/1hvPOg9OrPQMUUaA9tqHZjeiIW4RTGJmp1YnalRVJTZRpHLTc89zPCmQzn58tjmnGG05XqIIsm1eabOryZLsUQZezby+tWuEbnhaApy2ryht+cT1Am5/Pl18L7YFWIioUGMi+tkSS5vDkrkouAtIUFzLOuVrJd670WRwk/BBf6HpHXag4H4vH3/8AYZZosEANYLOrxl39nGEVJlqUTbtgu4wTrd/smXm46z75/eCSkWTBcX9+lFB9cg+i6KNh8818RjTCQNJVODH7g9j7pI2dptuZdouWf5VPYtCdu3AvcyvGA4+oROKQOfWoTPTDAzCfAUl8xDJ0sZlhvScbL+UMW46OBwAm6UGm/hQYs/9qPQZEREFY9OU1SKkfDfETBkfCnPeD+Ua9CC+ndoCE71M+xNT3/6tXmBKOp4SOwW5R5gEHjCYqynWfhtgizxibzLGkT5VOIN0/zkMXRl23WAazTsuMXBIZlB5ZJTzFmbyz+KzXuC4krniznEE19XjYfPTogNFXlqeu7bCG1xIP4qZMJ2S28YyD55QgL3nYcBHr59ezvf4cLljM3TS+6kO2oulVoK3tt+BKuxFTJtaMmk/zMB7mE8aiQgGIyjYbvQ+rYCRC2Exf7qE6NbvC/CUSVN2A9wdo+uyiNaLWa29qm3E8HJIdWtYL1rAUFJqO+GAs2Nn1r+4RFTrVGgyLJCa8M7yUKX1K1OFQ231pUxazRKVwebTQkbDu9oeTyap5UprcPbjDMJnhUEvQtJGZOdxqGMp8HJBBWC0mj0h39QW6ESOsPz9aTST5M0v3AgWIUGPNbkoa/dFVP6flWcw8z+cvG/JS2rZS7S9qYhUgveOmZ1DucHKdMU7ORr4qGihzlyn+lV3+5PlcqWe11GHxHZ3q1Ip04FQkYqnZyskWmBqyxqmcAPb6UF+/xoMOlkKVWxAGUu4v0t3+p9uEAXpKNinlgHzWmZaVcG35FmM7apGN649/145+CHOP
cgObSjCnP42r8Xpah0AZtecfu3rMfDm9FzvGdbaokMeTfzo1Iw/DsJQl10SOHwadVRagC5yNT3fpAMTdr3z4rIimCqLCJnxwpAbzw8Ygy+UnePTk2hJw+I8FMDGePQJa5f0Darz0anSTZdZSs6aqwcoC7B8I8Tn1bxk8BtGOnn838OEx4pzd/qdWQNT6O7tEzOmFjBGyWvn0LmL+V5L3dIagFqmJfl+AJPKbMas43OZo7gkjDz4cpjVKEgZC8bOkivvGeLHJX6+JvatUzLCoZC1wNcY7UPNPH5LxDwmAQhhSslUbl82g0rxKtL0ljBwTRbTq5wrIl/0n+4=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></trust:RequestedSecurityToken><trust:RequestedProofToken><trust:ComputedKey>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKey></trust:RequestedProofToken><trust:RequestedAttachedReference><o:SecurityTokenReferencexmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier
ValueType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_aba9378e-32fd-4cc9-9c66-fa97408a506f</o:KeyIdentifier></o:SecurityTokenReference></trust:RequestedAttachedReference><trust:RequestedUnattachedReference><o:SecurityTokenReference
xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier
ValueType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
">_aba9378e-32fd-4cc9-9c66-fa97408a506f</o:KeyIdentifier></o:SecurityTokenReference></trust:RequestedUnattachedReference><trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType><trust:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType><trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType></trust:RequestSecurityTokenResponse></trust:RequestSecurityTokenResponseCollection></s:Body></s:Envelope<http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue%3c/trust:RequestType%3e%3ctrust:KeyType%3ehttp:/docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey%3c/trust:KeyType%3e%3c/trust:RequestSecurityTokenResponse%3e%3c/trust:RequestSecurityTokenResponseCollection%3e%3c/s:Body%3e%3c/s:Envelope>
>

--------------------------------------

Jun 8, 2012 5:48:27 PM
org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType

INFO: Outbound Message

---------------------------

ID: 2

Address: https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit

Encoding: UTF-8

Content-Type: text/xml

Headers: {Accept=[*/*], SOAPAction=[""]}

Payload: <soap:Envelope xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><Action xmlns="
http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-5072632">
http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItRequest</Action><MessageIDxmlns="
http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-4398493">urn:uuid:ae6dc6cd-2089-4a55-bb50-c88813870f40</MessageID><To
xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-2411726">
https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit</To><ReplyToxmlns="
http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-140013"><Address>
http://www.w3.org/2005/08/addressing/anonymous</Address></ReplyTo><wsse:Securityxmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><wsu:Timestamp
wsu:Id="TS-3"><wsu:Created>2012-06-08T21:48:27.252Z</wsu:Created><wsu:Expires>2012-06-08T21:53:27.252Z</wsu:Expires></wsu:Timestamp><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="
http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><KeyInfo xmlns="
http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="
http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference
xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>CN=servicecn,
OU=SCT, O=SDL, L=wakefield, S=massachusetts,
C=US</X509IssuerName><X509SerialNumber>14822468329318157300</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>b8jEnEjwmCDmJ3I+JBieKVNWwZvwlRWH+1Tz5WmczWc3RqATpVmkuozVTbFeAPrjq06imbc82MIY3nhso5qcJhU3iKvkPWJ47YVAlq7b6kSBn2rPP9MG7bLkwZKa2S4mm3RReOJceeVp6k1STF8M9Pxf82EF4++BNNEuCH4XZcmICnsMjLb3zsfoc/+upZeV0CvOs8OyiyT7cbJA9m8ERRHvUVJjBpU4PjAwyPEV0XRascDl6pqGvq32S4Mm2VAU0fUo1V+WKUJIx9d9w7dbd5b5bwYUK/SIiyksyqekfcqqrRfsEZIuPWQwzQd14g9dSd7L514gkrZGY/JFbuhVvw==</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo><xenc:CipherData><xenc:CipherValue>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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><xenc:ReferenceList
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:DataReference
URI="#ED-5"/></xenc:ReferenceList><ds:Signature xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"
Id="SIG-4"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:CanonicalizationMethod><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/><ds:Reference
URI="#Id-4298512"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList=""/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>t3LDRzUdBhq5VX+e0iM3wSwHOnU=</ds:DigestValue></ds:Reference><ds:Reference
URI="#Id-2411726"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>y7JUT4Q1KmfItcgCxjz1WKWTLTk=</ds:DigestValue></ds:Reference><ds:Reference
URI="#Id-140013"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>+jD3VupajEYRQsVqw+kryqxlSDs=</ds:DigestValue></ds:Reference><ds:Reference
URI="#Id-4398493"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>P/PLmLS31k/oaQ66JmyNfJ4cazI=</ds:DigestValue></ds:Reference><ds:Reference
URI="#Id-5072632"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>fCkGh594SOgGpQSUhX5DKCr5ayw=</ds:DigestValue></ds:Reference><ds:Reference
URI="#TS-3"><ds:Transforms><ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse
soap"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>VxVCuCKmFjq1/tcdtNTgDxcD/NY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>j4v/FashwYCnPnY7yjNmReAIuGY=</ds:SignatureValue><ds:KeyInfo
Id="KI-A3FD7C4B856BAE9A2713391921072671"><o:SecurityTokenReference xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier
ValueType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_aba9378e-32fd-4cc9-9c66-fa97408a506f</o:KeyIdentifier></o:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soap:Header><soap:Body
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-4298512"><xenc:EncryptedData xmlns:xenc="
http://www.w3.org/2001/04/xmlenc#" Id="ED-5" Type="
http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><ds:KeyInfo xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"><o:SecurityTokenReference xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier
ValueType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
">_aba9378e-32fd-4cc9-9c66-fa97408a506f</o:KeyIdentifier></o:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>cbqI7RA7wv4fp23szBIxaf3lGVeSC+4LiendL/E7HCDkhcZCUsgeB9pRyny8Vs/dy/qE3vHSAZoh6bUatqPlzhnsiFXmFRlJ/zVOOc8p6AOz0rAF207BOUr2UxNpliEH17TJxxIqmwTtOlWVbm70tMmK3CQgNE4KgGwD75Id1ISOh64T4BNkqp3DZlF94kqK</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>

--------------------------------------

Jun 8, 2012 5:48:32 PM
org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType

INFO: Inbound Message

----------------------------

ID: 2

Response-Code: 500

Encoding: UTF-8

Content-Type: text/xml;charset=UTF-8

Headers: {connection=[close], Content-Length=[359],
content-type=[text/xml;charset=UTF-8], Date=[Fri, 08 Jun 2012 21:48:32
GMT], Server=[Apache-Coyote/1.1]}

Payload: <soap:Envelope xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode
xmlns:ns1="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:InvalidSecurityToken</faultcode><faultstring>An
invalid security token was provided (Bad TokenType
"")</faultstring></soap:Fault></soap:Body></soap:Envelope>

--------------------------------------

Jun 8, 2012 5:48:32 PM org.apache.cxf.ws.addressing.soap.MAPCodec
restoreExchange

WARNING: Response message does not contain WS-Addressing properties.  Not
correlating response.

Jun 8, 2012 5:48:32 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage

WARNING: Request does not contain Security header, but it's a fault.

Jun 8, 2012 5:48:32 PM org.apache.cxf.ws.addressing.ContextUtils
retrieveMAPs

WARNING: WS-Addressing - failed to retrieve Message Addressing Properties
from context

Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: An
invalid security token was provided (Bad TokenType "")
       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
       at $Proxy26.doubleIt(Unknown Source)
       at client.WSClient.doubleIt(WSClient.java:18)
       at client.WSClient.main(WSClient.java:11)
Caused by: org.apache.cxf.binding.soap.SoapFault: An invalid security token
was provided (Bad TokenType "")
       at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
       at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
       at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
       at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:113)
       at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:69)
       at org.apache.cxf.binding.soap.interceptor.CheckFaultInterceptor.handleMessage(CheckFaultInterceptor.java:34)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
       at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:798)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1679)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1532)
       at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1440)
       at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:47)
       at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:187)
       at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
       at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
       at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
       at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
       at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
       at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
       at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
       ... 3 more



Server side log:
Jun 8, 2012 5:48:00 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8088"]
Jun 8, 2012 5:48:00 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Jun 8, 2012 5:48:00 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Jun 8, 2012 5:48:00 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 749 ms
Jun 8, 2012 5:48:00 PM org.apache.catalina.core.StandardService
startInternal
INFO: Starting service Catalina
Jun 8, 2012 5:48:00 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.27
Jun 8, 2012 5:48:00 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive C:\Program Files (x86)\Apache
Software Foundation\apache-tomcat-7.0.27\webapps\doubleit.war
Jun 8, 2012 5:48:01 PM org.springframework.web.context.ContextLoader
initWebApplicationContext
INFO: Root WebApplicationContext: initialization started
Jun 8, 2012 5:48:01 PM
org.springframework.context.support.AbstractApplicationContext
prepareRefresh
INFO: Refreshing Root WebApplicationContext: startup date [Fri Jun 08
17:48:01 EDT 2012]; root of context hierarchy
Jun 8, 2012 5:48:01 PM
org.springframework.beans.factory.xml.XmlBeanDefinitionReader
loadBeanDefinitions
INFO: Loading XML bean definitions from class path resource
[META-INF/cxf/cxf.xml]
Jun 8, 2012 5:48:01 PM
org.springframework.beans.factory.support.DefaultListableBeanFactory
preInstantiateSingletons
INFO: Pre-instantiating singletons in
org.springframework.beans.factory.support.DefaultListableBeanFactory@ab4b89:
defining beans
[cxf,org.apache.cxf.bus.spring.BusWiringBeanFactoryPostProcessor,org.apache.cxf.bus.spring.Jsr250BeanPostProcessor,org.apache.cxf.bus.spring.BusExtensionPostProcessor];
root of factory hierarchy
Jun 8, 2012 5:48:02 PM org.springframework.web.context.ContextLoader
initWebApplicationContext
INFO: Root WebApplicationContext: initialization completed in 762 ms
Jun 8, 2012 5:48:02 PM
org.springframework.context.support.AbstractApplicationContext
prepareRefresh
INFO: Refreshing Root WebApplicationContext: startup date [Fri Jun 08
17:48:02 EDT 2012]; parent: Root WebApplicationContext
Jun 8, 2012 5:48:02 PM
org.springframework.beans.factory.xml.XmlBeanDefinitionReader
loadBeanDefinitions
INFO: Loading XML bean definitions from URL
[jndi:/localhost/doubleit/WEB-INF/cxf-servlet.xml]
Jun 8, 2012 5:48:02 PM
org.springframework.beans.factory.support.DefaultListableBeanFactory
preInstantiateSingletons
INFO: Pre-instantiating singletons in
org.springframework.beans.factory.support.DefaultListableBeanFactory@360e46:
defining beans [logInbound,logOutbound,cxf,doubleit]; parent:
org.springframework.beans.factory.support.DefaultListableBeanFactory@ab4b89
Jun 8, 2012 5:48:02 PM
org.apache.cxf.service.factory.ReflectionServiceFactoryBean
buildServiceFromWSDL
INFO: Creating Service {
http://www.example.org/contract/DoubleIt}DoubleItService from WSDL:
WEB-INF/wsdl/DoubleIt.wsdl
Jun 8, 2012 5:48:04 PM org.apache.cxf.endpoint.ServerImpl initDestination
INFO: Setting the server's publish address to be /doubleit
Jun 8, 2012 5:48:04 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive C:\Program Files (x86)\Apache
Software Foundation\apache-tomcat-7.0.27\webapps\DoubleItSTS.war
Jun 8, 2012 5:48:04 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory C:\Program Files (x86)\Apache
Software Foundation\apache-tomcat-7.0.27\webapps\docs
Jun 8, 2012 5:48:04 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory C:\Program Files (x86)\Apache
Software Foundation\apache-tomcat-7.0.27\webapps\examples
Jun 8, 2012 5:48:04 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory C:\Program Files (x86)\Apache
Software Foundation\apache-tomcat-7.0.27\webapps\host-manager
Jun 8, 2012 5:48:04 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory C:\Program Files (x86)\Apache
Software Foundation\apache-tomcat-7.0.27\webapps\manager
Jun 8, 2012 5:48:04 PM org.apache.catalina.startup.HostConfig
deployDirectory
INFO: Deploying web application directory C:\Program Files (x86)\Apache
Software Foundation\apache-tomcat-7.0.27\webapps\ROOT
Jun 8, 2012 5:48:04 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8088"]
Jun 8, 2012 5:48:04 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Jun 8, 2012 5:48:04 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["ajp-bio-8009"]
Jun 8, 2012 5:48:04 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 3954 ms
Jun 8, 2012 5:48:27 PM
org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType
INFO: Inbound Message
----------------------------
ID: 1
Address: https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit
Encoding: UTF-8
Http-Method: POST
Content-Type: text/xml; charset=UTF-8
Headers: {Accept=[*/*], cache-control=[no-cache], connection=[keep-alive],
content-type=[text/xml; charset=UTF-8],
host=[wkengchoi.global.sdl.corp:8443], pragma=[no-cache], SOAPAction=[""],
transfer-encoding=[chunked], user-agent=[Apache CXF 2.6.2-SNAPSHOT]}
Payload: <soap:Envelope xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"><soap:Header><Action xmlns="
http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-5072632">
http://www.example.org/contract/DoubleIt/DoubleItPortType/DoubleItRequest</Action><MessageID
xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-4398493">urn:uuid:ae6dc6cd-2089-4a55-bb50-c88813870f40</MessageID><To
xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-2411726">
https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit</To><ReplyTo
xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-140013"><Address>http://www.w3.org/2005/08/addressing/anonymous</Address></ReplyTo><wsse:Security
xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1"><wsu:Timestamp
wsu:Id="TS-3"><wsu:Created>2012-06-08T21:48:27.252Z</wsu:Created><wsu:Expires>2012-06-08T21:53:27.252Z</wsu:Expires></wsu:Timestamp><xenc:EncryptedData
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Type="
http://www.w3.org/2001/04/xmlenc#Element"><xenc:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><KeyInfo xmlns="
http://www.w3.org/2000/09/xmldsig#"><e:EncryptedKey xmlns:e="
http://www.w3.org/2001/04/xmlenc#"><e:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"><DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/></e:EncryptionMethod><KeyInfo><o:SecurityTokenReference xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><X509Data><X509IssuerSerial><X509IssuerName>CN=servicecn,
OU=SCT, O=SDL, L=wakefield, S=massachusetts,
C=US</X509IssuerName><X509SerialNumber>14822468329318157300</X509SerialNumber></X509IssuerSerial></X509Data></o:SecurityTokenReference></KeyInfo><e:CipherData><e:CipherValue>b8jEnEjwmCDmJ3I+JBieKVNWwZvwlRWH+1Tz5WmczWc3RqATpVmkuozVTbFeAPrjq06imbc82MIY3nhso5qcJhU3iKvkPWJ47YVAlq7b6kSBn2rPP9MG7bLkwZKa2S4mm3RReOJceeVp6k1STF8M9Pxf82EF4++BNNEuCH4XZcmICnsMjLb3zsfoc/+upZeV0CvOs8OyiyT7cbJA9m8ERRHvUVJjBpU4PjAwyPEV0XRascDl6pqGvq32S4Mm2VAU0fUo1V+WKUJIx9d9w7dbd5b5bwYUK/SIiyksyqekfcqqrRfsEZIuPWQwzQd14g9dSd7L514gkrZGY/JFbuhVvw==</e:CipherValue></e:CipherData></e:EncryptedKey></KeyInfo><xenc:CipherData><xenc:CipherValue>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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><xenc:ReferenceList
xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:DataReference URI="#ED-5"/></xenc:ReferenceList><ds:Signature
xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"
Id="SIG-4"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:CanonicalizationMethod><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/><ds:Reference URI="#Id-4298512"><ds:Transforms><ds:Transform
Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList=""/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>t3LDRzUdBhq5VX+e0iM3wSwHOnU=</ds:DigestValue></ds:Reference><ds:Reference URI="#Id-2411726"><ds:Transforms><ds:Transform
Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>y7JUT4Q1KmfItcgCxjz1WKWTLTk=</ds:DigestValue></ds:Reference><ds:Reference URI="#Id-140013"><ds:Transforms><ds:Transform
Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>+jD3VupajEYRQsVqw+kryqxlSDs=</ds:DigestValue></ds:Reference><ds:Reference URI="#Id-4398493"><ds:Transforms><ds:Transform
Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>P/PLmLS31k/oaQ66JmyNfJ4cazI=</ds:DigestValue></ds:Reference><ds:Reference URI="#Id-5072632"><ds:Transforms><ds:Transform
Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="soap"/></ds:Transform></ds:Transforms><ds:DigestMethod
Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>fCkGh594SOgGpQSUhX5DKCr5ayw=</ds:DigestValue></ds:Reference><ds:Reference URI="#TS-3"><ds:Transforms><ds:Transform
Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse
soap"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>VxVCuCKmFjq1/tcdtNTgDxcD/NY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>j4v/FashwYCnPnY7yjNmReAIuGY=</ds:SignatureValue><ds:KeyInfo Id="KI-A3FD7C4B856BAE9A2713391921072671"><o:SecurityTokenReference
xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier ValueType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_aba9378e-32fd-4cc9-9c66-fa97408a506f</o:KeyIdentifier></o:SecurityTokenReference></ds:KeyInfo></ds:Signature></wsse:Security></soap:Header><soap:Body xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-4298512"><xenc:EncryptedData xmlns:xenc="
http://www.w3.org/2001/04/xmlenc#" Id="ED-5" Type="
http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="
http://www.w3.org/2001/04/xmlenc#aes256-cbc"/><ds:KeyInfo xmlns:ds="
http://www.w3.org/2000/09/xmldsig#"><o:SecurityTokenReference xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:KeyIdentifier ValueType="
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_aba9378e-32fd-4cc9-9c66-fa97408a506f</o:KeyIdentifier></o:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>cbqI7RA7wv4fp23szBIxaf3lGVeSC+4LiendL/E7HCDkhcZCUsgeB9pRyny8Vs/dy/qE3vHSAZoh6bUatqPlzhnsiFXmFRlJ/zVOOc8p6AOz0rAF207BOUr2UxNpliEH17TJxxIqmwTtOlWVbm70tMmK3CQgNE4KgGwD75Id1ISOh64T4BNkqp3DZlF94kqK</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></soap:Body></soap:Envelope>
--------------------------------------
Jun 8, 2012 5:48:32 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
WARNING:
org.apache.ws.security.WSSecurityException: An invalid security token was
provided (Bad TokenType "")
 at
org.apache.ws.security.str.BSPEnforcer.checkSamlTokenBSPCompliance(BSPEnforcer.java:164)
 at
org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:282)
 at
org.apache.ws.security.str.SecurityTokenRefSTRParser.processPreviousResult(SecurityTokenRefSTRParser.java:321)
 at
org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:100)
 at
org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
 at
org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
 at
org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
 at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
 at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
 at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
 at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
 at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
 at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
 at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
 at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
 at
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129)
 at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:187)
 at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:110)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
 at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:166)
 at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
 at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
 at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
 at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
 at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
 at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
 at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
 at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
 at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
 at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
 at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
 at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
 at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
 at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
 at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
 at java.lang.Thread.run(Thread.java:662)
Jun 8, 2012 5:48:32 PM org.apache.cxf.phase.PhaseInterceptorChain
doDefaultLogging
WARNING: Interceptor for {
http://www.example.org/contract/DoubleIt}DoubleItService has thrown
exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: An invalid security token was
provided (Bad TokenType "")
 at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:780)
 at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:357)
 at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
 at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
 at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
 at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
 at
org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
 at
org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
 at
org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129)
 at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:187)
 at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:110)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
 at
org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:166)
 at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
 at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
 at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
 at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
 at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
 at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
 at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
 at
org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
 at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
 at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
 at
org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
 at
org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
 at
org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
 at
java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
 at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
 at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.ws.security.WSSecurityException: An invalid security
token was provided (Bad TokenType "")
 at
org.apache.ws.security.str.BSPEnforcer.checkSamlTokenBSPCompliance(BSPEnforcer.java:164)
 at
org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:282)
 at
org.apache.ws.security.str.SecurityTokenRefSTRParser.processPreviousResult(SecurityTokenRefSTRParser.java:321)
 at
org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:100)
 at
org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
 at
org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
 at
org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
 at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
 at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
 ... 27 more
Jun 8, 2012 5:48:32 PM
org.apache.cxf.services.DoubleItService.DoubleItPort.DoubleItPortType
INFO: Outbound Message
---------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: text/xml
Headers: {}
Payload: <soap:Envelope xmlns:soap="
http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><soap:Fault><faultcode xmlns:ns1="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">ns1:InvalidSecurityToken</faultcode><faultstring>An invalid
security token was provided (Bad TokenType
"")</faultstring></soap:Fault></soap:Body></soap:Envelope>
--------------------------------------
----------server side error message---
Jun 8, 2012 3:17:32 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor
handleMessage
WARNING:
org.apache.ws.security.WSSecurityException: An invalid security token was
provided (Bad TokenType "")
 at
org.apache.ws.security.str.BSPEnforcer.checkSamlTokenBSPCompliance(BSPEnforcer.java:164)
 at
org.apache.ws.security.str.SecurityTokenRefSTRParser.getSecretKeyFromAssertion(SecurityTokenRefSTRParser.java:282)
 at
org.apache.ws.security.str.SecurityTokenRefSTRParser.processPreviousResult(SecurityTokenRefSTRParser.java:321)
 at
org.apache.ws.security.str.SecurityTokenRefSTRParser.parseSecurityTokenReference(SecurityTokenRefSTRParser.java:100)
 at
org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:164)
 at
org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:100)
 at
org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:60)
 at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
 at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
 at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Hi Colm,

Your fix passed ADFS2.0. Setting "sendRenewing" to "false" seems the better
option since this does not limit STS capabilities.
I got back the RSTR from ADFS2.0 and the client generated the SOAP request to the web
service, but the web service failed during token validation.

I am not sure if it is something to do with X509Data from ADFS2.0.

            <KeyInfo>
              <o:SecurityTokenReference xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
">
                <X509Data>
                  <X509IssuerSerial>
                    <X509IssuerName>CN=servicecn, OU=SCT, O=SDL,
                    L=wakefield, S=massachusetts,
                    C=US</X509IssuerName>
                    <X509SerialNumber>
                    14822468329318157300</X509SerialNumber>
                  </X509IssuerSerial>
                </X509Data>
              </o:SecurityTokenReference>
            </KeyInfo>

At the beginning I had an email address in the service certificate issuer
field, like below.

Alias name: myservicekey
Creation date: Apr 10, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: EMAILADDRESS=gchoi@sdl.com, CN=servicecn, OU=SCT, O=SDL,
L=wakefield, ST=massachusetts, C=US
Issuer: EMAILADDRESS=gchoi@sdl.com, CN=servicecn, OU=SCT, O=SDL,
L=wakefield, ST=massachusetts, C=US
Serial number: c8eea90bc902c540
Valid from: Tue Apr 10 10:40:33 EDT 2012 until: Fri Apr 08 10:40:33 EDT 2022
Certificate fingerprints:
         MD5:  B2:76:5C:F9:41:52:45:FE:6D:EC:54:FC:5E:A5:EF:6C
         SHA1: 8F:1B:17:A0:AB:6F:8B:C6:02:65:7F:7E:E5:15:9C:79:AE:AE:01:D5
         Signature algorithm name: SHA1withRSA
         Version: 3


With that I was getting the following exceptions.


Exception in thread "main" javax.xml.ws.soap.SOAPFaultException:
improperly specified input name: E=gchoi@sdl.com, CN=servicecn, OU=SCT,
O=SDL, L=wakefield, S=massachusetts, C=US
       at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:156)
       at $Proxy26.doubleIt(Unknown Source)


I thought that this is because ADFS changes "EMAILADDRESS" to "E" and "ST"
to "T". So, I regenerated a service certificate without entering an email
address, but I couldn't eliminate the state field "ST". I updated the other
keystores accordingly. Now I am getting the following error. One possible
problem is the serial number: ADFS2.0 sends the decimal value of the serial number
while the service keystore has the hex value. I am not sure if this is a bug, but I
needed a placeholder to attach all logs and files, so I opened CXF-4367
(https://issues.apache.org/jira/browse/CXF-4367) and added detailed
info (client log, service log etc.) there. Please let me know if you need
further information.


org.apache.ws.security.WSSecurityException: The security token could not be
authenticated or authorized
 at
org.apache.ws.security.validate.SignatureTrustValidator.validate(SignatureTrustValidator.java:83)
 at
org.apache.ws.security.validate.SamlAssertionValidator.verifySignedAssertion(SamlAssertionValidator.java:121)
 at
org.apache.ws.security.validate.SamlAssertionValidator.validate(SamlAssertionValidator.java:100)
 at
org.apache.ws.security.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:118)
 at
org.apache.ws.security.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:53)
 at
org.apache.ws.security.processor.EncryptedDataProcessor.handleToken(EncryptedDataProcessor.java:175)
 at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
 at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:289)
 at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:97)
 at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
 at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
 at
org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)


Thanks.

Gina

> On Thu, Jun 7, 2012 at 6:29 AM, Colm O hEigeartaigh <co...@apache.org>wrote:
>
>>
>> I've merged a fix to trunk to allow the user to not send the
>> <wst:Renewing/> tag at all. You can do this by setting the property
>> "sendRenewing" to "false" on the STSClient. Setting "allowRenewing" to
>> "false" means that you are instructing the STS not to issue a token that
>> can be renewed, so they have different meanings. Let me know if this fixes
>> the problem.
>>
>> Colm.
>
>
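
A check for the two mismatches Gina describes above (issuer attribute types abbreviated differently by ADFS and by keytool, and a serial number that is decimal in X509SerialNumber but hex in keytool output), written here as an added illustration; it is not CXF or WSS4J code and does not reproduce how WSS4J resolves the certificate. The second keystore entry is constructed: its alias is made up and its hex serial is the thread's decimal serial converted to hex.

```python
import re

# Attribute types that ADFS abbreviated in the thread ("E=", "S="), mapped to
# the names keytool prints; unknown types pass through unchanged.
RDN_ALIASES = {"E": "EMAILADDRESS", "EMAIL": "EMAILADDRESS", "S": "ST"}


def parse_dn(dn):
    """Split a string DN into a list of (TYPE, value) pairs.

    Attribute types are upper-cased and mapped through RDN_ALIASES, and the
    whitespace that line wrapping puts into a logged DN is collapsed.
    Escaped commas ("\\,") inside values are honoured; the full RFC 4514
    grammar (multi-valued RDNs, hex-encoded values) is not attempted.
    """
    dn = re.sub(r"\s+", " ", dn.strip())
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        typ, val = part.split("=", 1)
        typ = typ.strip().upper()
        rdns.append((RDN_ALIASES.get(typ, typ), val.strip().replace("\\,", ",")))
    return rdns


def issuer_equal(dn_a, dn_b):
    """True when two issuer DNs agree RDN for RDN after normalisation."""
    return parse_dn(dn_a) == parse_dn(dn_b)


def serial_from_header(text):
    """ds:X509SerialNumber is an xs:integer, so it is decimal.  It may also be
    wider than 63 bits, so an arbitrary-precision integer is required."""
    text = text.strip()
    if not text.isdigit():
        raise ValueError("X509SerialNumber must be decimal digits: %r" % text)
    return int(text, 10)


def serial_from_keytool(text):
    """keytool prints 'Serial number:' in hex, sometimes colon-separated."""
    text = text.strip().replace(":", "")
    if text.lower().startswith("0x"):
        text = text[2:]
    return int(text, 16)


def find_matching_entry(issuer_name, serial_number, keystore):
    """Return the alias whose certificate matches the header's issuer and
    serial, or None.  keystore is a list of (alias, issuer_dn, serial_hex)."""
    wanted = serial_from_header(serial_number)
    for alias, issuer_dn, serial_hex in keystore:
        if issuer_equal(issuer_dn, issuer_name) and serial_from_keytool(serial_hex) == wanted:
            return alias
    return None


# X509IssuerSerial as it appeared in the ADFS-issued header in this thread,
# including the line wrapping from the mail.
HEADER_ISSUER = """CN=servicecn, OU=SCT, O=SDL,
                    L=wakefield, S=massachusetts,
                    C=US"""
HEADER_SERIAL = "14822468329318157300"

# Constructed keystore listing.  The first entry is the original certificate
# from the thread (keytool issuer line and hex serial); the second is a
# hypothetical regenerated certificate whose hex serial is HEADER_SERIAL
# converted to hex here, not a value taken from the thread.
KEYSTORE = [
    ("myservicekey-with-email",
     "EMAILADDRESS=gchoi@sdl.com, CN=servicecn, OU=SCT, O=SDL, L=wakefield, ST=massachusetts, C=US",
     "c8eea90bc902c540"),
    ("myservicekey",
     "CN=servicecn, OU=SCT, O=SDL, L=wakefield, ST=massachusetts, C=US",
     "cdb3fc69a77c8bf4"),
]

if __name__ == "__main__":
    # A byte-for-byte comparison fails on "S=" vs "ST=" and on the wrapping,
    # while the normalised comparison succeeds.
    print("raw string equal :", HEADER_ISSUER == KEYSTORE[1][1])
    print("normalised equal :", issuer_equal(HEADER_ISSUER, KEYSTORE[1][1]))
    # The decimal header serial and keytool's hex agree only once both are
    # parsed into integers.
    print("serial as hex    :", format(serial_from_header(HEADER_SERIAL), "x"))
    print("matching alias   :", find_matching_entry(HEADER_ISSUER, HEADER_SERIAL, KEYSTORE))
```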

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Hi Colm,
Thanks for the quick action. I really appreciate it. I can't wait to see
how CXF works with ADFS2.0. Last time I checked out the code from trunk,
but I had a problem running the build. I will try again. If I don't have
luck today, which snapshot version should I wait for?

Thanks.

Gina
On Thu, Jun 7, 2012 at 6:29 AM, Colm O hEigeartaigh <co...@apache.org>wrote:

>
> I've merged a fix to trunk to allow the user to not send the
> <wst:Renewing/> tag at all. You can do this by setting the property
> "sendRenewing" to "false" on the STSClient. Setting "allowRenewing" to
> "false" means that you are instructing the STS not to issue a token that
> can be renewed, so they have different meanings. Let me know if this fixes
> the problem.
>
> Colm.

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Colm O hEigeartaigh <co...@apache.org>.
I've merged a fix to trunk to allow the user to not send the
<wst:Renewing/> tag at all. You can do this by setting the property
"sendRenewing" to "false" on the STSClient. Setting "allowRenewing" to
"false" means that you are instructing the STS not to issue a token that
can be renewed, so they have different meanings. Let me know if this fixes
the problem.

Colm.

On Wed, Jun 6, 2012 at 5:50 PM, Gina Choi <gi...@gmail.com> wrote:

> Colm,
>
> If the client sets the allowRenewing property to false, can we not include the
> <Renewing> tag in the RST? It looks like currently the <Renewing> tag is the
> only issue with ADFS.
>
> Thanks.
>
> Gina
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Colm,

If the client sets the allowRenewing property to false, can we not include the
<Renewing> tag in the RST? It looks like currently the <Renewing> tag is the
only issue with ADFS.

Thanks.

Gina

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Now the RST contains <wst:Renewing Allow="false"/>, but ADFS still doesn't like
it. It looks like ADFS simply doesn't understand the <Renewing> tag.
I have done the very same thing with Metro. Following is the RST that Metro
generated for the same situation. I was able to get back an RSTR from ADFS2.0
using this RST.



---[HTTP request -
https://strts01.ams.dev/adfs/services/trust/13/usernamemixed]---
Accept: application/soap+xml, multipart/related
Content-Type: application/soap+xml; charset=utf-8;action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
User-Agent: Metro/2.2 (branches/2.2-7015; 2012-02-20T20:31:25+0000)
JAXWS-RI/2.2.6 JAXWS/2.2 svn-revision#unknown
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
    xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <S:Header>
    <To xmlns="http://www.w3.org/2005/08/addressing">https://strts01.ams.dev/adfs/services/trust/13/usernamemixed</To>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <FaultTo xmlns="http://www.w3.org/2005/08/addressing">
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </FaultTo>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:7973d55b-599a-4dca-b19a-b09f1b1d33f8</MessageID>
    <wsse:Security S:mustUnderstand="true">
      <wsu:Timestamp xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
          xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_1">
        <wsu:Created>2012-05-03T13:28:40Z</wsu:Created>
        <wsu:Expires>2012-05-03T13:33:40Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:UsernameToken xmlns:ns16="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
          xmlns:ns15="http://schemas.xmlsoap.org/soap/envelope/"
          wsu:Id="uuid_ce954da0-8be0-4e0f-b5d2-37eccb7e8b80">
        <wsse:Username>GLOBAL\gchoi</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">Today0001</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </S:Header>
  <S:Body>
    <trust:RequestSecurityToken xmlns:ns10="http://www.w3.org/2000/09/xmldsig#"
        xmlns:ns13="http://www.w3.org/2001/10/xml-exc-c14n#"
        xmlns:ns4="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
        xmlns:ns5="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
        xmlns:ns9="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
        xmlns:sc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
        xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        xmlns:wsa="http://www.w3.org/2005/08/addressing"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
        xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
      <wsp:AppliesTo>
        <wsa:EndpointReference>
          <wsa:Address>https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <trust:SecondaryParameters>
        <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
        <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
        <trust:KeySize>256</trust:KeySize>
      </trust:SecondaryParameters>
      <trust:Entropy>
        <trust:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">el//qSeAtHGClOcpevZ24qDf3kjxuzMcoJ8lzjq2Fps=</trust:BinarySecret>
      </trust:Entropy>
      <trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm>
    </trust:RequestSecurityToken>
  </S:Body>
</S:Envelope>
--------------------




Following is the error message from ADFS2.0.

-------------- ADFS Error message ---------------------------

The Federation Service encountered an error while processing the WS-Trust
request.

Request type: http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue

Additional Data

Exception details:

Microsoft.IdentityModel.SecurityTokenService.InvalidRequestException:
MSIS3137: The RequestSecurityTokenElement contained an unsupported WS-Trust
parameter: 'Renewing'.

at
Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.ValidateRequest(RequestSecurityToken
request)

at
Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal
principal, RequestSecurityToken request, AsyncCallback callback, Object
state)

at
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext
dispatchContext, AsyncCallback asyncCallback, Object asyncState)

at
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext
dispatchContext, AsyncCallback asyncCallback, Object asyncState)

at
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract
contract, DispatchContext dispatchContext, MessageVersion messageVersion,
WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
serializationContext, AsyncCallback asyncCallback, Object asyncState)

at
Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message
requestMessage, WSTrustRequestSerializer requestSerializer,
WSTrustResponseSerializer responseSerializer, String requestAction, String
responseAction, String trustNamespace, AsyncCallback callback, Object state)


On Wed, Jun 6, 2012 at 12:17 PM, Colm O hEigeartaigh <co...@apache.org>wrote:

>
> > I have verified the fix for CXF-4357 and added a comment to it. Please let me
> > know if I need to close this ticket. Thanks.
>
> No, it only closes after a release goes out that contains the fix.
>
>
> > Now the client is able to send an RST to the STS, but the STS (ADFS 2.0) failed
> > generating the RSTR because of an empty <wst:Renewing> tag embedded inside the
> > RST. ADFS does not support token renewing. Why do we have the Renewing tag
> > inside the Issue request?
>
> The Renewing tag simply requests that an issued token can be renewed.
> You could try setting the following property "allowRenewing" to "false" on
> the STSClient. That will send a request with "<wst:Renewing
> Allow="false"/>". I'm not sure if ADFS 2.0 will reject this or not. Let me
> know if it works or not.
>
> Colm.
>
>
> On Wed, Jun 6, 2012 at 4:26 PM, Gina Choi <gi...@gmail.com> wrote:
>
>> Hi Colm,
>>
>> I have verified the fix for CXF-4357 and added a comment to it. Please let me
>> know if I need to close this ticket. Thanks.
>> Now the client is able to send an RST to the STS, but the STS (ADFS 2.0) failed
>> generating the RSTR because of an empty <wst:Renewing> tag embedded inside the
>> RST. ADFS does not support token renewing. Why do we have the Renewing tag
>> inside the Issue request?
>>
>> The following is the RST generated by CXF and sent to ADFS 2.0.
>>
>> Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>>   <soap:Header>
>>     <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
>>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:711a1518-8b69-49fc-a0b8-ac36eccb3400</MessageID>
>>     <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-24027959">https://strts01.ams.dev/adfs/services/trust/13/usernamemixed</To>
>>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"><Address>http://www.w3.org/2005/08/addressing/anonymous</Address></ReplyTo>
>>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="true">
>>       <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-06-06T14:19:05.547Z</wsu:Created><wsu:Expires>2012-06-06T14:24:05.547Z</wsu:Expires></wsu:Timestamp>
>>       <wsse:UsernameToken wsu:Id="UsernameToken-2">
>>         <wsse:Username>GLOBAL\gchoi</wsse:Username>
>>         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxxxxx</wsse:Password>
>>       </wsse:UsernameToken>
>>     </wsse:Security>
>>   </soap:Header>
>>   <soap:Body>
>>     <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>>       <wst:SecondaryParameters>
>>         <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
>>         <t:KeyType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
>>         <t:KeySize xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</t:KeySize>
>>       </wst:SecondaryParameters>
>>       <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
>>       <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>         <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit</wsa:Address></wsa:EndpointReference>
>>       </wsp:AppliesTo>
>>       <wst:Entropy><wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">hzeje+CdyWW3V2d6y12WbYZkrSLfMM6E+W4g6Gs+5VI=</wst:BinarySecret></wst:Entropy>
>>       <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
>>       <wst:Renewing/>
>>     </wst:RequestSecurityToken>
>>   </soap:Body>
>> </soap:Envelope>
>>
>> On Tue, Jun 5, 2012 at 3:55 PM, Gina Choi <gi...@gmail.com> wrote:
>>
>>> Hi Colm,
>>>
>>> Thanks for the quick fix. I am planning to check it once your fix
>>> reflected to 2.6.2-SNAPSHOT.
>>>
>>> Gina
>>>
>>> On Tue, Jun 5, 2012 at 7:14 AM, Colm O hEigeartaigh <coheigea@apache.org
>>> > wrote:
>>>
>>>>
>>>> The NPE you were seeing is now fixed on trunk, if you want to test with
>>>> the latest CXF 2.6.2-SNAPSHOT code. You will need to make sure that the WSC
>>>> has a keystore with a private key to support the KeyValueToken policy.
>>>>
>>>> Colm.
>>>>
>>>>
>>>>
>>>>
>>>> On Tue, Jun 5, 2012 at 10:14 AM, Colm O hEigeartaigh <
>>>> coheigea@apache.org> wrote:
>>>>
>>>>>
>>>>> Is the client successfully invoking on the STS? In other words, is
>>>>> this error occurring when the client is sending a message to the STS or to
>>>>> the WSP?
>>>>>
>>>>> Colm
>>>>
>>>>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Colm O hEigeartaigh <co...@apache.org>.
> I have verified the fix for CXF-4357 and added a comment to it. Please let me
> know if I need to close this ticket. Thanks.

No, it only closes after a release goes out that contains the fix.

> Now the client is able to send an RST to the STS, but the STS (ADFS 2.0) failed
> generating the RSTR because of an empty <wst:Renewing> tag embedded inside the
> RST. ADFS does not support token renewing. Why do we have the Renewing tag
> inside the Issue request?

The Renewing tag simply requests that an issued token can be renewed.
You could try setting the following property "allowRenewing" to "false" on
the STSClient. That will send a request with "<wst:Renewing
Allow="false"/>". I'm not sure if ADFS 2.0 will reject this or not. Let me
know if it works or not.

Colm.

On Wed, Jun 6, 2012 at 4:26 PM, Gina Choi <gi...@gmail.com> wrote:

> Hi Colm,
>
> I have verified the fix for CXF-4357 and added a comment to it. Please let me
> know if I need to close this ticket. Thanks.
> Now the client is able to send an RST to the STS, but the STS (ADFS 2.0) failed
> generating the RSTR because of an empty <wst:Renewing> tag embedded inside the
> RST. ADFS does not support token renewing. Why do we have the Renewing tag
> inside the Issue request?
>
> The following is the RST generated by CXF and sent to ADFS 2.0.
>
> Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Header>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:711a1518-8b69-49fc-a0b8-ac36eccb3400</MessageID>
>     <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-24027959">https://strts01.ams.dev/adfs/services/trust/13/usernamemixed</To>
>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"><Address>http://www.w3.org/2005/08/addressing/anonymous</Address></ReplyTo>
>     <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="true">
>       <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-06-06T14:19:05.547Z</wsu:Created><wsu:Expires>2012-06-06T14:24:05.547Z</wsu:Expires></wsu:Timestamp>
>       <wsse:UsernameToken wsu:Id="UsernameToken-2">
>         <wsse:Username>GLOBAL\gchoi</wsse:Username>
>         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxxxxx</wsse:Password>
>       </wsse:UsernameToken>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <wst:SecondaryParameters>
>         <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
>         <t:KeyType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
>         <t:KeySize xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</t:KeySize>
>       </wst:SecondaryParameters>
>       <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
>       <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>         <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit</wsa:Address></wsa:EndpointReference>
>       </wsp:AppliesTo>
>       <wst:Entropy><wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">hzeje+CdyWW3V2d6y12WbYZkrSLfMM6E+W4g6Gs+5VI=</wst:BinarySecret></wst:Entropy>
>       <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
>       <wst:Renewing/>
>     </wst:RequestSecurityToken>
>   </soap:Body>
> </soap:Envelope>
>
> On Tue, Jun 5, 2012 at 3:55 PM, Gina Choi <gi...@gmail.com> wrote:
>
>> Hi Colm,
>>
>> Thanks for the quick fix. I am planning to check it once your fix
>> reflected to 2.6.2-SNAPSHOT.
>>
>> Gina
>>
>> On Tue, Jun 5, 2012 at 7:14 AM, Colm O hEigeartaigh <co...@apache.org>wrote:
>>
>>>
>>> The NPE you were seeing is now fixed on trunk, if you want to test with
>>> the latest CXF 2.6.2-SNAPSHOT code. You will need to make sure that the WSC
>>> has a keystore with a private key to support the KeyValueToken policy.
>>>
>>> Colm.
>>>
>>>
>>>
>>>
>>> On Tue, Jun 5, 2012 at 10:14 AM, Colm O hEigeartaigh <
>>> coheigea@apache.org> wrote:
>>>
>>>>
>>>> Is the client successfully invoking on the STS? In other words, is this
>>>> error occurring when the client is sending a message to the STS or to the
>>>> WSP?
>>>>
>>>> Colm
>>>
>>>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Problem with loading Apache CXF STS with UT authentication

Posted by Gina Choi <gi...@gmail.com>.
Hi Colm,

I have verified the fix for CXF-4357 and added a comment to it. Please let me
know if I need to close this ticket. Thanks.
Now the client is able to send an RST to the STS, but the STS (ADFS 2.0) failed
generating the RSTR because of an empty <wst:Renewing> tag embedded inside the
RST. ADFS does not support token renewing. Why do we have the Renewing tag
inside the Issue request?

The following is the RST generated by CXF and sent to ADFS 2.0.

Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:711a1518-8b69-49fc-a0b8-ac36eccb3400</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="Id-24027959">https://strts01.ams.dev/adfs/services/trust/13/usernamemixed</To>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"><Address>http://www.w3.org/2005/08/addressing/anonymous</Address></ReplyTo>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="true">
      <wsu:Timestamp wsu:Id="TS-1"><wsu:Created>2012-06-06T14:19:05.547Z</wsu:Created><wsu:Expires>2012-06-06T14:24:05.547Z</wsu:Expires></wsu:Timestamp>
      <wsse:UsernameToken wsu:Id="UsernameToken-2">
        <wsse:Username>GLOBAL\gchoi</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">xxxxxx</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:SecondaryParameters>
        <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
        <t:KeyType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
        <t:KeySize xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</t:KeySize>
      </wst:SecondaryParameters>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>https://wkengchoi.global.sdl.corp:8443/doubleit/services/doubleit</wsa:Address></wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Entropy><wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">hzeje+CdyWW3V2d6y12WbYZkrSLfMM6E+W4g6Gs+5VI=</wst:BinarySecret></wst:Entropy>
      <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
      <wst:Renewing/>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>

On Tue, Jun 5, 2012 at 3:55 PM, Gina Choi <gi...@gmail.com> wrote:

> Hi Colm,
>
> Thanks for the quick fix. I am planning to check it once your fix
> reflected to 2.6.2-SNAPSHOT.
>
> Gina
>
> On Tue, Jun 5, 2012 at 7:14 AM, Colm O hEigeartaigh <co...@apache.org>wrote:
>
>>
>> The NPE you were seeing is now fixed on trunk, if you want to test with
>> the latest CXF 2.6.2-SNAPSHOT code. You will need to make sure that the WSC
>> has a keystore with a private key to support the KeyValueToken policy.
>>
>> Colm.
>>
>>
>>
>>
>> On Tue, Jun 5, 2012 at 10:14 AM, Colm O hEigeartaigh <coheigea@apache.org
>> > wrote:
>>
>>>
>>> Is the client successfully invoking on the STS? In other words, is this
>>> error occurring when the client is sending a message to the STS or to the
>>> WSP?
>>>
>>> Colm
>>
>>
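As an added example (not CXF or ADFS code, and not posted by either participant in this thread), the following Python takes an Issue RST Body with the same client nonce, KeySize and ComputedKeyAlgorithm as the request above, flags the bare <wst:Renewing/> parameter that ADFS 2.0 rejected with MSIS3137, shows the Allow="false" form that Colm says the STSClient's allowRenewing=false setting sends as well as dropping the element entirely, and derives the PSHA1 computed key from both parties' entropy as WS-Trust 1.3 describes (P_SHA1 with the requestor's entropy as secret and the issuer's as seed, truncated to KeySize bits). The sample RST and the issuer entropy are constructed; the thread never shows the RSTR, so no real issuer nonce is available.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
PSHA1_ALG = WST + "/CK/PSHA1"
NONCE_TYPE = WST + "/Nonce"
NS = {"wst": WST}
ET.register_namespace("wst", WST)  # keep the wst: prefix when re-serialising

# Constructed sample: the Body of the RST from the thread, reduced to the
# elements an STS acts on (same nonce, KeySize and algorithm as the post).
SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{WST}">
  <wst:SecondaryParameters>
    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
    <wst:KeyType>{WST}/SymmetricKey</wst:KeyType>
    <wst:KeySize>256</wst:KeySize>
  </wst:SecondaryParameters>
  <wst:RequestType>{WST}/Issue</wst:RequestType>
  <wst:Entropy>
    <wst:BinarySecret Type="{NONCE_TYPE}">hzeje+CdyWW3V2d6y12WbYZkrSLfMM6E+W4g6Gs+5VI=</wst:BinarySecret>
  </wst:Entropy>
  <wst:ComputedKeyAlgorithm>{PSHA1_ALG}</wst:ComputedKeyAlgorithm>
  <wst:Renewing/>
</wst:RequestSecurityToken>"""


def parse_rst(xml_text):
    """Extract the fields an STS needs from an Issue request."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    secret = root.find("wst:Entropy/wst:BinarySecret", NS)
    renewing = root.find("wst:Renewing", NS)
    return {
        "request_type": text("wst:RequestType"),
        "key_type": text("wst:SecondaryParameters/wst:KeyType"),
        "key_size": int(text("wst:SecondaryParameters/wst:KeySize") or 0),
        "computed_key_algorithm": text("wst:ComputedKeyAlgorithm"),
        "client_entropy": base64.b64decode(secret.text.strip()) if secret is not None else None,
        # None when absent; {} for the bare <wst:Renewing/> that ADFS rejected
        "renewing": dict(renewing.attrib) if renewing is not None else None,
    }


def unsupported_parameters(xml_text, unsupported=frozenset({"Renewing"})):
    """Top-level RST parameters this STS does not accept (ADFS 2.0: Renewing)."""
    root = ET.fromstring(xml_text)
    return [child.tag.rsplit("}", 1)[-1] for child in root
            if child.tag.rsplit("}", 1)[-1] in unsupported]


def set_renewing(xml_text, allow):
    """Rewrite the Renewing parameter.

    allow=None removes it (what an STS that cannot renew wants to see);
    allow=False yields <wst:Renewing Allow="false"/>, the form the thread says
    CXF's allowRenewing=false setting produces.
    """
    root = ET.fromstring(xml_text)
    el = root.find("wst:Renewing", NS)
    if allow is None:
        if el is not None:
            root.remove(el)
    else:
        if el is None:
            el = ET.SubElement(root, "{%s}Renewing" % WST)
        el.set("Allow", "true" if allow else "false")
    return ET.tostring(root, encoding="unicode")


def p_sha1(secret, seed, length):
    """TLS P_SHA1 PRF (RFC 2246 section 5), as referenced by WS-Trust 1.3."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()  # P += HMAC(secret, A(i) + seed)
    return out[:length]


def computed_key(client_entropy, issuer_entropy, key_size_bits):
    """WS-Trust 1.3 computed key: P_SHA1(Ent_REQ, Ent_RES) truncated to KeySize bits."""
    return p_sha1(client_entropy, issuer_entropy, key_size_bits // 8)


if __name__ == "__main__":
    rst = parse_rst(SAMPLE_RST)
    print("unsupported parameters:", unsupported_parameters(SAMPLE_RST))
    issuer_entropy = b"\x42" * 32  # constructed; a real STS returns its own nonce in the RSTR
    print("computed key:", computed_key(rst["client_entropy"], issuer_entropy, rst["key_size"]).hex())
    print(set_renewing(SAMPLE_RST, None))
```

The check in unsupported_parameters is what an STS-side validator does before issuing anything; on the client side, set_renewing shows the two requests a CXF user can choose between, and parse_rst on its output confirms which one went on the wire. Neither party's entropy should ever be logged in production; the demo prints the derived key only because its inputs are constructed.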