Posted to users@cxf.apache.org by jego <je...@gmail.com> on 2020/01/22 08:27:17 UTC

SAML2 assertion signature check fails in Apache CXF service

Hello all,

I have the problem that a service client will send a SOAP message with an
embedded SAML2 assertion to an Apache CXF based service.

The SAML2 assertion looks like:



The service will check the signature and fails with following error message:



The complete log is available here: saml-request.log
<http://cxf.547215.n5.nabble.com/file/t341896/saml-request.log>

My questions:
- How can I further debug this problem?
- Is it possible to deactivate the signature check temporarily?

Thanks
Jens



--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html

Re: SAML2 assertion signature check fails in Apache CXF service

Posted by jego <je...@gmail.com>.
To answer the question myself:

Having an empty URI means that the whole document must be checked.

https://stackoverflow.com/questions/29843071/xmldsig-do-i-have-to-specify-reference-uri-in-an-enveloped-signature

So in this case the client has to adapt the saml2 assertion...





Re: SAML2 assertion signature check fails in Apache CXF service

Posted by jego <je...@gmail.com>.
Hi Colm,

thanks for your reply and sorry for the late response.

We are now seeing the root cause of the problem because the client sends us
an empty reference ID in the signature block.

I can only post parts of the SAML2-Assertion:

<saml2:Assertion ID="cc847542-81eb-4720-9068-d9de7d892dcd"
                 IssueInstant="2020-01-22T13:35:44Z" Version="2.0"
                 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>XXXX</saml2:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"
             xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>yk65BmkjJAF9MTQ927JPMNpoBbQ=</DigestValue>
      </Reference>
    </SignedInfo>
      </KeyValue>
    </KeyInfo>
  </Signature>

The signature check in the library used by Apache CXF (WSS4J + Santuario?)
will now check the signature of the whole SOAP message instead of only the SAML
assertion because of the empty URI in the Reference tag. The digest of the whole
SOAP message will never be the same as that of the SAML2 assertion. So it will
never work this way.

The reference URI must be the SAML Assertion ID
(cc847542-81eb-4720-9068-d9de7d892dcd) to have the correct scope, right?
Do you have any idea if there is a configuration option so that the
reference resolution will not work this way? Or is this just an invalid
signature in the scope of a SOAP message?

We have checked the SAML assertion standalone - the signature check with
other tools is successful, so the signature itself is correct. The SAML
assertion in the context of a SOAP message will lead to an error...
 
We are using Apache CXF 3.3.4...

Thanks
Jens



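As an added diagnostic for the "how can I further debug this" question and for the empty-URI point made in the two posts above (this is example code written for this page, not code from the thread, CXF or WSS4J): it resolves each ds:Reference URI inside a saml2:Assertion the way XMLDSig does within the document it is parsed in (empty URI selects the whole document, "#id" selects the element with that ID) and reports whether the digest scope is the assertion or the enclosing SOAP Envelope. The assertion and SOAP message are constructed samples modelled on the snippet above, with placeholder digest and signature values.

```python
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ENVELOPED = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"

# Constructed sample modelled on the thread's assertion; DigestValue and
# SignatureValue are placeholders, KeyInfo is omitted (it plays no role here).
ASSERTION_ID = "cc847542-81eb-4720-9068-d9de7d892dcd"
ASSERTION_TEMPLATE = """<saml2:Assertion ID="{id}" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>XXXX</saml2:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="{uri}"><Transforms>
      <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
      <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></Transforms>
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
      <DigestValue>PLACEHOLDER=</DigestValue></Reference>
  </SignedInfo><SignatureValue>PLACEHOLDER=</SignatureValue></Signature>
</saml2:Assertion>"""
SOAP_TEMPLATE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>{assertion}</soap:Header><soap:Body/>
</soap:Envelope>"""


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_reference_scope(xml_text):
    """For every ds:Reference inside every saml2:Assertion, resolve the URI the
    way XMLDSig does within this document and say whether it selects the assertion."""
    root = ET.fromstring(xml_text)
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    findings = []
    for assertion in root.iter("{%s}Assertion" % SAML2):
        for ref in assertion.iter("{%s}Reference" % DS):
            uri = ref.get("URI", "")
            transforms = {t.get("Algorithm") for t in ref.iter("{%s}Transform" % DS)}
            if uri == "":
                # Empty URI selects the whole document the signature is parsed in:
                # the assertion when standalone, the SOAP Envelope when embedded.
                target = root
            elif uri.startswith("#"):
                target = by_id.get(uri[1:])  # same-document ID reference
            else:
                target = None  # external references are not expected here
            if target is None:
                verdict = "unresolvable"
            elif target is assertion:
                verdict = "ok" if uri else "ok-standalone-only"
            else:
                verdict = "wrong-scope"
            findings.append({"assertion_id": assertion.get("ID"), "uri": uri,
                             "target": local(target.tag) if target is not None else None,
                             "verdict": verdict,
                             "enveloped_transform": ENVELOPED in transforms})
    return findings


def sample(uri, embedded):
    """Build the constructed assertion, optionally wrapped in a SOAP message."""
    a = ASSERTION_TEMPLATE.format(id=ASSERTION_ID, uri=uri)
    return SOAP_TEMPLATE.format(assertion=a) if embedded else a
```

The same assertion reports ok-standalone-only on its own but wrong-scope with target Envelope once embedded, which is exactly why the digest matches in other tools and fails inside the SOAP message; with URI="#" + Assertion ID it reports ok in both cases.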

Re: SAML2 assertion signature check fails in Apache CXF service

Posted by Colm O hEigeartaigh <co...@apache.org>.
There's not really enough information there to help to debug. What version
of CXF are you using? If you're not using one of the latest versions, then
try upgrading to see if it fixes the problem. Apart from that, seeing the
complete request and associated log would help. Ultimately though, we might
need a test-case to help reproduce the issue.

Colm.

On Wed, Jan 22, 2020 at 9:44 AM jego <je...@gmail.com> wrote:


Re: SAML2 assertion signature check fails in Apache CXF service

Posted by jego <je...@gmail.com>.
The exception looks like:

2020-01-10 | 11:14:47.108 | jsse-nio-8448-exec-9 | ERROR | rrorValidationInterceptor | Unknown error occured for the soap message null
org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
	at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:234)
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:376)
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:212)
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:92)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:267)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:234)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:208)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:160)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:216)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:301)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:220)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:660)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:276)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at de.XXX.XXX.config.logging.TimeLoggingFilter.doFilter(TimeLoggingFilter.java:36)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at de.XXX.XXX.config.cleanup.CleanupFilter.doFilter(CleanupFilter.java:42)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:128)
	at org.springframework.boot.web.servlet.support.ErrorPageFilter.access$000(ErrorPageFilter.java:66)
	at org.springframework.boot.web.servlet.support.ErrorPageFilter$1.doFilterInternal(ErrorPageFilter.java:103)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.springframework.boot.web.servlet.support.ErrorPageFilter.doFilter(ErrorPageFilter.java:121)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.boot.actuate.metrics.web.servlet.WebMvcMetricsFilter.doFilterInternal(WebMvcMetricsFilter.java:108)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:810)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: SAML signature validation failed
	at org.apache.wss4j.common.saml.SamlAssertionWrapper.verifySignature(SamlAssertionWrapper.java:655)
	at org.apache.wss4j.dom.processor.SAMLTokenProcessor.verifySignatureKeysAndAlgorithms(SAMLTokenProcessor.java:233)
	at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:94)
	at org.apache.wss4j.dom.engine.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:340)
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:320)
	... 64 common frames omitted
Caused by: org.opensaml.xmlsec.signature.support.SignatureException: Signature cryptographic validation not successful
	at org.opensaml.xmlsec.signature.support.provider.ApacheSantuarioSignatureValidationProviderImpl.validate(ApacheSantuarioSignatureValidationProviderImpl.java:79)
	at org.opensaml.xmlsec.signature.support.SignatureValidator.validate(SignatureValidator.java:54)
	at org.apache.wss4j.common.saml.SamlAssertionWrapper.verifySignature(SamlAssertionWrapper.java:653)
	... 68 common frames omitted



