You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cxf.apache.org by Shwetank <sh...@imaginea.com> on 2012/04/11 15:40:03 UTC
Signing SAML assertions for OWSM policies
Hi
Pardon me if i break a rule or two of mailing-list directives.
I seek help on how to sign SAML 1.1 assertion with CXF 2.5.2 for
holder-of-key confirmation method:
a) an OWSM policy
wss10_saml_hok_token_with_message_protection_service_policy is applied
to a test service
b) the policy and wsdl look like following
<?xml version="1.0"?>
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="http://owsm.test.wsa.bf.hs.com/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
name="POManagerService" targetNamespace="http://owsm.test.wsa.bf.hs.com/">
<wsp:Policy
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
wsu:Id="POManagerPort_Fault_Policy"/>
<wsp:Policy
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
wsu:Id="POManagerPort_Input_Policy">
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
<sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
<sp:Header Name="fmw-context"
Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
</sp:SignedParts>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
<sp:Header Name="fmw-context"
Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
</sp:EncryptedParts>
</wsp:Policy>
<wsp:Policy
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
wsu:Id="POManagerPort_Output_Policy">
<sp:SignedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:SignedParts>
<sp:EncryptedParts
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<sp:Body/>
</sp:EncryptedParts>
</wsp:Policy>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
wsu:Id="wss10_saml_hok_token_with_message_protection_service_policy">
<sp:AsymmetricBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:SamlToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssSamlV11Token10/>
</wsp:Policy>
</sp:SamlToken>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
<wsp:Policy>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy/>
</sp:Wss10>
</wsp:Policy>
<types>
<xsd:schema>
<xsd:import namespace="http://owsm.test.wsa.bf.hs.com/"
schemaLocation="http://server:7001/testwebservice/POManagerPort?xsd=1"/>
</xsd:schema>
</types>
<message name="createOrder">
<part name="parameters" element="tns:createOrder"/>
</message>
<message name="createOrderResponse">
<part name="parameters" element="tns:createOrderResponse"/>
</message>
<portType name="POManager">
<operation name="createOrder">
<input message="tns:createOrder"/>
<output message="tns:createOrderResponse"/>
</operation>
</portType>
<binding name="POManagerPortBinding" type="tns:POManager">
<soap:binding style="document"
transport="http://schemas.xmlsoap.org/soap/http"/>
<wsp:PolicyReference
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
URI="#wss10_saml_hok_token_with_message_protection_service_policy"
wsdl:required="false"/>
<operation name="createOrder">
<soap:operation soapAction=""/>
<input>
<soap:body use="literal"/>
<wsp:PolicyReference
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
URI="#POManagerPort_Input_Policy" wsdl:required="false"/>
</input>
<output>
<soap:body use="literal"/>
<wsp:PolicyReference
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
URI="#POManagerPort_Output_Policy" wsdl:required="false"/>
</output>
</operation>
</binding>
<service name="POManagerService">
<port name="POManagerPort" binding="tns:POManagerPortBinding">
<soap:address location="http://server:7001/testwebservice/POManagerPort"/>
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address xmlns:wsa="http://www.w3.org/2005/08/addressing">
http://server:7001/testwebservice/POManagerPort
</wsa:Address>
<wsid:Identity
xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:X509Data>
<dsig:X509Certificate>
................
</dsig:X509Certificate>
<dsig:X509IssuerSerial>
<dsig:X509IssuerName>
.........
</dsig:X509IssuerName>
<dsig:X509SerialNumber>-....</dsig:X509SerialNumber>
</dsig:X509IssuerSerial>
<dsig:X509SubjectName>
.......
</dsig:X509SubjectName>
</dsig:X509Data>
</dsig:KeyInfo>
</wsid:Identity>
</wsa:EndpointReference>
</port>
</service>
</definitions>
c) following is message generated by cxf2.5.2 for this policy
<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
soap:mustUnderstand="1">
<wsse:BinarySecurityToken
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
wsu:Id="BC59F58138560D687613341497540725">MIIB+DCCAaICCQCbeQ7C1MJrOTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wHhcNMTIwNDEwMTI1OTA0WhcNMTMwNDEwMTI1OTA0WjCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1ZwvGTS5gxDgGjoHuaqY9dh26un58rF3YFpuNY6F9JROBooMmbEWAWlvN+kjrEBhoQhTMbnwp8Sa+sPxOI+b8QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAIlGPjJUTytuNsfeIy+dPFAT6XXN6sbiTTcFmhGUtP8q3XJRQCFlMKqFrWP/SVck8PPdH6fSO8EzOLLOYF5dkPQ==</wsse:BinarySecurityToken>
<wsu:Timestamp wsu:Id="TS-1">
<wsu:Created>2012-04-11T13:06:42.679Z</wsu:Created>
<wsu:Expires>2012-04-11T13:11:42.679Z</wsu:Expires>
</wsu:Timestamp>
<xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="EK-BC59F58138560D687613341497540724">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference>
<wsse:Reference URI="#BC59F58138560D687613341497540725"
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>tUjFXfI6BPNO78XzWGThNnCvXloGK001IPwzMiEdz4XAuz86gaCCTJ5+KBVKTsMhGxXOVNaOWTeLo3VzMKYWPA==</xenc:CipherValue>
</xenc:CipherData>
<xenc:ReferenceList>
<xenc:DataReference URI="#ED-3"/>
</xenc:ReferenceList>
</xenc:EncryptedKey>
<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
AssertionID="_BC59F58138560D687613341496647771"
IssueInstant="2012-04-11T13:07:44.551Z" Issuer="www.oracle.com"
MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
<saml1:Conditions NotBefore="2012-04-11T13:07:44.838Z"
NotOnOrAfter="2012-04-11T13:12:44.838Z"/>
<saml1:AttributeStatement>
<saml1:Subject>
<saml1:NameIdentifier
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
NameQualifier="www.oracle.com">weblogic</saml1:NameIdentifier>
<saml1:SubjectConfirmation>
<saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>........................</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</saml1:SubjectConfirmation>
</saml1:Subject>
<saml1:Attribute AttributeName="subject-role"
AttributeNamespace="http://custom-ns">
<saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
xsi:type="xs:string">system-user</saml1:AttributeValue>
</saml1:Attribute>
</saml1:AttributeStatement>
</saml1:Assertion>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
<ds:SignedInfo>
<ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#TS-1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>/LPHR8sX+ptPaN8+iZYQxYwffG8=</ds:DigestValue>
</ds:Reference>
<ds:Reference URI="#Id-26930486">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ej9eQZSJOyVu6TgV8MO/exfxCeA=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>uBvdcZ7jkAty14s0tdMKGvI4z1lCbWDo2RQEWjJ9t6z9vASoB98l4NeshQz96JWDqpGFgb4wd93/f9ra0Y68xA==</ds:SignatureValue>
<ds:KeyInfo Id="KI-BC59F58138560D687613341497504882">
<wsse:SecurityTokenReference
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
wsu:Id="STR-BC59F58138560D687613341497504923">
<wsse:KeyIdentifier
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BC59F58138560D687613341496647771</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</soap:Header>
<soap:Body
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
wsu:Id="Id-26930486">
<xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
Id="ED-3" Type="http://www.w3.org/2001/04/xmlenc#Content">
<xenc:EncryptionMethod
Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<wsse:SecurityTokenReference
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
<wsse:Reference URI="#EK-BC59F58138560D687613341497540724"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
<xenc:CipherData>
<xenc:CipherValue>.............................</xenc:CipherValue>
</xenc:CipherData>
</xenc:EncryptedData>
</soap:Body>
</soap:Envelope>
d) and i receive following error from OWSM (oracle web services manager)
Policy compliance failure: Header/Element
NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must be signed
[WSM_PolicyName:
oracle/wss10_saml_hok_token_with_message_protection_service_policy] The
signed message elements or parts do not comply with the policy.
i seek help to understand which part of the message is not being
signed..and why..or how could i sign it.
am using the SamlCallbackHandler (supplied with tests) to add attributes
following is the callbackhandler code if that may help
///////////////////////////////////////////////////////////////////////////////
public void handle(Callback[] callbacks) throws IOException,
UnsupportedCallbackException {
for (int i = 0; i < callbacks.length; i++)
if ((callbacks[i] instanceof SAMLCallback)) {
SAMLCallback callback = (SAMLCallback)callbacks[i];
if (this.saml2) {
callback.setSamlVersion(SAMLVersion.VERSION_20);
}
callback.setIssuer("www.oracle.com");
String subjectName = "weblogic";
String subjectQualifier = "www.oracle.com";
SubjectBean subjectBean = new SubjectBean(subjectName,
subjectQualifier, this.confirmationMethod);
if
(("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key".equals(this.confirmationMethod))
||
("urn:oasis:names:tc:SAML:1.0:cm:holder-of-key".equals(this.confirmationMethod)))
{
try
{
KeyInfoBean keyInfo = createKeyInfo();
subjectBean.setKeyInfo(keyInfo);
} catch (Exception ex) {
throw new IOException("Problem creating KeyInfo: " +
ex.getMessage());
}
}
callback.setSubject(subjectBean);
AttributeStatementBean attrBean = new AttributeStatementBean();
attrBean.setSubject(subjectBean);
AttributeBean attributeBean = new AttributeBean();
if (this.saml2) {
attributeBean.setQualifiedName("subject-role");
} else {
attributeBean.setSimpleName("subject-role");
attributeBean.setQualifiedName("http://custom-ns");
}
attributeBean.setAttributeValues(Collections.singletonList("system-user"));
attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
callback.setAttributeStatementData(Collections.singletonList(attrBean));
}
}
protected KeyInfoBean createKeyInfo() throws Exception
{
Crypto crypto = CryptoFactory.getInstance("signature.properties");
CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
cryptoType.setAlias("myprivate");
X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
KeyInfoBean keyInfo = new KeyInfoBean();
keyInfo.setCertificate(certs[0]);
keyInfo.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.X509_CERT);
return keyInfo;
}
//////////////////////////////////////////////////////////////////////////////
Re: Signing SAML assertions for OWSM policies
Posted by Colm O hEigeartaigh <co...@apache.org>.
Do you have a test-case that reproduces the problem? Several of the
tests in the link I sent you sign the SAML Assertion...
Colm.
On Thu, Apr 12, 2012 at 1:24 PM, shwetank <sh...@gmail.com> wrote:
> i've made sure that i follow all steps as-is, yet the problem persists.
> what does a signed assertion look like..as the server expects it be?
> what insight may i derive on reasons of this error..why would CXF not sign
> the message as the policy expects it to?
> is this a defect?
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Signing-SAML-assertions-for-OWSM-policies-tp5632914p5635486.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Signing SAML assertions for OWSM policies
Posted by shwetank <sh...@gmail.com>.
i've made sure that i follow all steps as-is, yet the problem persists.
what does a signed assertion look like..as the server expects it be?
what insight may i derive on reasons of this error..why would CXF not sign
the message as the policy expects it to?
is this a defect?
--
View this message in context: http://cxf.547215.n5.nabble.com/Signing-SAML-assertions-for-OWSM-policies-tp5632914p5635486.html
Sent from the cxf-dev mailing list archive at Nabble.com.
Re: Signing SAML assertions for OWSM policies
Posted by Colm O hEigeartaigh <co...@apache.org>.
As I said earlier:
>>> You need to set SecurityConstants.SELF_SIGN_SAML_ASSERTION to "true"
>>> in your configuration (and define the appropriate CallbackHandler and
>>> crypto property tags):
See here for some sample configuration:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/saml/client/client.xml?view=markup
The Test is here:
http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml/SamlTokenTest.java?view=markup
Colm.
On Thu, Apr 12, 2012 at 5:48 AM, Shwetank <sh...@imaginea.com> wrote:
> On 11-04-2012 21:19, Shwetank wrote:
>>
>> On 11-04-2012 19:33, Colm O hEigeartaigh wrote:
>>>
>>> You need to set SecurityConstants.SELF_SIGN_SAML_ASSERTION to "true"
>>> in your configuration (and define the appropriate CallbackHandler and
>>> crypto property tags):
>>>
>>>
>>> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
>>>
>>> Colm.
>>>
>>> On Wed, Apr 11, 2012 at 2:40 PM, Shwetank<sh...@imaginea.com>
>>> wrote:
>>>>
>>>> Hi
>>>>
>>>> Pardon me if i break a rule or two of mailing-list directives.
>>>> I seek help on how to sign SAML 1.1 assertion with CXF 2.5.2 for
>>>> holder-of-key confirmation method:
>>>>
>>>> a) an OWSM policy
>>>> wss10_saml_hok_token_with_message_protection_service_policy is applied
>>>> to a
>>>> test service
>>>> b) the policy and wsdl look like following
>>>>
>>>> <?xml version="1.0"?>
>>>> <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
>>>> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>>>> xmlns:tns="http://owsm.test.wsa.bf.hs.com/"
>>>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>>> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>>>> name="POManagerService"
>>>> targetNamespace="http://owsm.test.wsa.bf.hs.com/">
>>>> <wsp:Policy
>>>>
>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>> wsu:Id="POManagerPort_Fault_Policy"/>
>>>> <wsp:Policy
>>>>
>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>> wsu:Id="POManagerPort_Input_Policy">
>>>> <sp:SignedParts
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <sp:Body/>
>>>> <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
>>>> <sp:Header
>>>> Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
>>>> <sp:Header Name="fmw-context"
>>>> Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
>>>> </sp:SignedParts>
>>>> <sp:EncryptedParts
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <sp:Body/>
>>>> <sp:Header Name="fmw-context"
>>>> Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
>>>> </sp:EncryptedParts>
>>>> </wsp:Policy>
>>>> <wsp:Policy
>>>>
>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>> wsu:Id="POManagerPort_Output_Policy">
>>>> <sp:SignedParts
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <sp:Body/>
>>>> </sp:SignedParts>
>>>> <sp:EncryptedParts
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <sp:Body/>
>>>> </sp:EncryptedParts>
>>>> </wsp:Policy>
>>>> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>> xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy"
>>>>
>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>> xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
>>>> xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
>>>> wsu:Id="wss10_saml_hok_token_with_message_protection_service_policy">
>>>> <sp:AsymmetricBinding
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <wsp:Policy>
>>>> <sp:InitiatorToken>
>>>> <wsp:Policy>
>>>> <sp:SamlToken
>>>>
>>>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>> <wsp:Policy>
>>>> <sp:WssSamlV11Token10/>
>>>> </wsp:Policy>
>>>> </sp:SamlToken>
>>>> </wsp:Policy>
>>>> </sp:InitiatorToken>
>>>> <sp:RecipientToken>
>>>> <wsp:Policy>
>>>> <sp:X509Token
>>>>
>>>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>>>> <wsp:Policy>
>>>> <sp:WssX509V3Token10/>
>>>> </wsp:Policy>
>>>> </sp:X509Token>
>>>> </wsp:Policy>
>>>> </sp:RecipientToken>
>>>> <sp:AlgorithmSuite>
>>>> <wsp:Policy>
>>>> <sp:Basic128/>
>>>> </wsp:Policy>
>>>> </sp:AlgorithmSuite>
>>>> <sp:Layout>
>>>> <wsp:Policy>
>>>> <sp:Lax/>
>>>> </wsp:Policy>
>>>> </sp:Layout>
>>>> <sp:IncludeTimestamp/>
>>>> <sp:OnlySignEntireHeadersAndBody/>
>>>> </wsp:Policy>
>>>> </sp:AsymmetricBinding>
>>>> <sp:Wss10
>>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>>> <wsp:Policy/>
>>>> </sp:Wss10>
>>>> </wsp:Policy>
>>>> <types>
>>>> <xsd:schema>
>>>> <xsd:import namespace="http://owsm.test.wsa.bf.hs.com/"
>>>> schemaLocation="http://server:7001/testwebservice/POManagerPort?xsd=1"/>
>>>> </xsd:schema>
>>>> </types>
>>>> <message name="createOrder">
>>>> <part name="parameters" element="tns:createOrder"/>
>>>> </message>
>>>> <message name="createOrderResponse">
>>>> <part name="parameters" element="tns:createOrderResponse"/>
>>>> </message>
>>>> <portType name="POManager">
>>>> <operation name="createOrder">
>>>> <input message="tns:createOrder"/>
>>>> <output message="tns:createOrderResponse"/>
>>>> </operation>
>>>> </portType>
>>>> <binding name="POManagerPortBinding" type="tns:POManager">
>>>> <soap:binding style="document"
>>>> transport="http://schemas.xmlsoap.org/soap/http"/>
>>>> <wsp:PolicyReference
>>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>> URI="#wss10_saml_hok_token_with_message_protection_service_policy"
>>>> wsdl:required="false"/>
>>>> <operation name="createOrder">
>>>> <soap:operation soapAction=""/>
>>>> <input>
>>>> <soap:body use="literal"/>
>>>> <wsp:PolicyReference
>>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>> URI="#POManagerPort_Input_Policy" wsdl:required="false"/>
>>>> </input>
>>>> <output>
>>>> <soap:body use="literal"/>
>>>> <wsp:PolicyReference
>>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>>> URI="#POManagerPort_Output_Policy" wsdl:required="false"/>
>>>> </output>
>>>> </operation>
>>>> </binding>
>>>> <service name="POManagerService">
>>>> <port name="POManagerPort" binding="tns:POManagerPortBinding">
>>>> <soap:address
>>>> location="http://server:7001/testwebservice/POManagerPort"/>
>>>> <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
>>>> <wsa:Address xmlns:wsa="http://www.w3.org/2005/08/addressing">
>>>> http://server:7001/testwebservice/POManagerPort
>>>> </wsa:Address>
>>>> <wsid:Identity
>>>> xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
>>>> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>>>> <dsig:X509Data>
>>>> <dsig:X509Certificate>
>>>> ................
>>>> </dsig:X509Certificate>
>>>> <dsig:X509IssuerSerial>
>>>> <dsig:X509IssuerName>
>>>> .........
>>>> </dsig:X509IssuerName>
>>>> <dsig:X509SerialNumber>-....</dsig:X509SerialNumber>
>>>> </dsig:X509IssuerSerial>
>>>> <dsig:X509SubjectName>
>>>> .......
>>>> </dsig:X509SubjectName>
>>>> </dsig:X509Data>
>>>> </dsig:KeyInfo>
>>>> </wsid:Identity>
>>>> </wsa:EndpointReference>
>>>> </port>
>>>> </service>
>>>> </definitions>
>>>>
>>>>
>>>>
>>>> c) following is message generated by cxf2.5.2 for this policy
>>>>
>>>> <?xml version="1.0"?>
>>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>>>> <soap:Header>
>>>> <wsse:Security
>>>>
>>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>>>
>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>> soap:mustUnderstand="1">
>>>> <wsse:BinarySecurityToken
>>>>
>>>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>>>>
>>>> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>>>>
>>>> wsu:Id="BC59F58138560D687613341497540725">MIIB+DCCAaICCQCbeQ7C1MJrOTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wHhcNMTIwNDEwMTI1OTA0WhcNMTMwNDEwMTI1OTA0WjCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1ZwvGTS5gxDgGjoHuaqY9dh26un58rF3YFpuNY6F9JROBooMmbEWAWlvN+kjrEBhoQhTMbnwp8Sa+sPxOI+b8QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAIlGPjJUTytuNsfeIy+dPFAT6XXN6sbiTTcFmhGUtP8q3XJRQCFlMKqFrWP/SVck8PPdH6fSO8EzOLLOYF5dkPQ==</wsse:BinarySecurityToken>
>>>> <wsu:Timestamp wsu:Id="TS-1">
>>>> <wsu:Created>2012-04-11T13:06:42.679Z</wsu:Created>
>>>> <wsu:Expires>2012-04-11T13:11:42.679Z</wsu:Expires>
>>>> </wsu:Timestamp>
>>>> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>>> Id="EK-BC59F58138560D687613341497540724">
>>>> <xenc:EncryptionMethod
>>>> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>>>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>> <wsse:SecurityTokenReference>
>>>> <wsse:Reference URI="#BC59F58138560D687613341497540725"
>>>>
>>>> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>>>> </wsse:SecurityTokenReference>
>>>> </ds:KeyInfo>
>>>> <xenc:CipherData>
>>>>
>>>> <xenc:CipherValue>tUjFXfI6BPNO78XzWGThNnCvXloGK001IPwzMiEdz4XAuz86gaCCTJ5+KBVKTsMhGxXOVNaOWTeLo3VzMKYWPA==</xenc:CipherValue>
>>>> </xenc:CipherData>
>>>> <xenc:ReferenceList>
>>>> <xenc:DataReference URI="#ED-3"/>
>>>> </xenc:ReferenceList>
>>>> </xenc:EncryptedKey>
>>>> <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>> AssertionID="_BC59F58138560D687613341496647771"
>>>> IssueInstant="2012-04-11T13:07:44.551Z" Issuer="www.oracle.com"
>>>> MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
>>>> <saml1:Conditions NotBefore="2012-04-11T13:07:44.838Z"
>>>> NotOnOrAfter="2012-04-11T13:12:44.838Z"/>
>>>> <saml1:AttributeStatement>
>>>> <saml1:Subject>
>>>> <saml1:NameIdentifier
>>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>>>> NameQualifier="www.oracle.com">weblogic</saml1:NameIdentifier>
>>>> <saml1:SubjectConfirmation>
>>>>
>>>> <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
>>>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>> <ds:X509Data>
>>>> <ds:X509Certificate>........................</ds:X509Certificate>
>>>> </ds:X509Data>
>>>> </ds:KeyInfo>
>>>> </saml1:SubjectConfirmation>
>>>> </saml1:Subject>
>>>> <saml1:Attribute AttributeName="subject-role"
>>>> AttributeNamespace="http://custom-ns">
>>>> <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>>>> xsi:type="xs:string">system-user</saml1:AttributeValue>
>>>> </saml1:Attribute>
>>>> </saml1:AttributeStatement>
>>>> </saml1:Assertion>
>>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
>>>> <ds:SignedInfo>
>>>> <ds:CanonicalizationMethod
>>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>> <ds:SignatureMethod
>>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>>> <ds:Reference URI="#TS-1">
>>>> <ds:Transforms>
>>>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>> </ds:Transforms>
>>>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>> <ds:DigestValue>/LPHR8sX+ptPaN8+iZYQxYwffG8=</ds:DigestValue>
>>>> </ds:Reference>
>>>> <ds:Reference URI="#Id-26930486">
>>>> <ds:Transforms>
>>>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>>> </ds:Transforms>
>>>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>>> <ds:DigestValue>ej9eQZSJOyVu6TgV8MO/exfxCeA=</ds:DigestValue>
>>>> </ds:Reference>
>>>> </ds:SignedInfo>
>>>>
>>>> <ds:SignatureValue>uBvdcZ7jkAty14s0tdMKGvI4z1lCbWDo2RQEWjJ9t6z9vASoB98l4NeshQz96JWDqpGFgb4wd93/f9ra0Y68xA==</ds:SignatureValue>
>>>> <ds:KeyInfo Id="KI-BC59F58138560D687613341497504882">
>>>> <wsse:SecurityTokenReference
>>>>
>>>> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>>>>
>>>> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
>>>> wsu:Id="STR-BC59F58138560D687613341497504923">
>>>> <wsse:KeyIdentifier
>>>>
>>>> ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BC59F58138560D687613341496647771</wsse:KeyIdentifier>
>>>> </wsse:SecurityTokenReference>
>>>> </ds:KeyInfo>
>>>> </ds:Signature>
>>>> </wsse:Security>
>>>> </soap:Header>
>>>> <soap:Body
>>>>
>>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>> wsu:Id="Id-26930486">
>>>> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>>> Id="ED-3"
>>>> Type="http://www.w3.org/2001/04/xmlenc#Content">
>>>> <xenc:EncryptionMethod
>>>> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>>>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>>> <wsse:SecurityTokenReference
>>>>
>>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>>>
>>>> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>>>>
>>>> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
>>>> <wsse:Reference URI="#EK-BC59F58138560D687613341497540724"/>
>>>> </wsse:SecurityTokenReference>
>>>> </ds:KeyInfo>
>>>> <xenc:CipherData>
>>>> <xenc:CipherValue>.............................</xenc:CipherValue>
>>>> </xenc:CipherData>
>>>> </xenc:EncryptedData>
>>>> </soap:Body>
>>>> </soap:Envelope>
>>>>
>>>>
>>>> d) and i receive following error from OWSM (oracle web services manager)
>>>>
>>>> Policy compliance failure: Header/Element
>>>> NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must be
>>>> signed
>>>> [WSM_PolicyName:
>>>> oracle/wss10_saml_hok_token_with_message_protection_service_policy] The
>>>> signed message elements or parts do not comply with the policy.
>>>>
>>>>
>>>> i seek help to understand which part of the message is not being
>>>> signed..and
>>>> why..or how could i sign it.
>>>> am using the SamlCallbackHandler (supplied with tests) to add attributes
>>>>
>>>> following is the callbackhandler code if that may help
>>>>
>>>>
>>>> ///////////////////////////////////////////////////////////////////////////////
>>>> public void handle(Callback[] callbacks) throws IOException,
>>>> UnsupportedCallbackException {
>>>> for (int i = 0; i< callbacks.length; i++)
>>>> if ((callbacks[i] instanceof SAMLCallback)) {
>>>> SAMLCallback callback = (SAMLCallback)callbacks[i];
>>>> if (this.saml2) {
>>>> callback.setSamlVersion(SAMLVersion.VERSION_20);
>>>> }
>>>> callback.setIssuer("www.oracle.com");
>>>> String subjectName = "weblogic";
>>>> String subjectQualifier = "www.oracle.com";
>>>>
>>>> SubjectBean subjectBean = new SubjectBean(subjectName,
>>>> subjectQualifier, this.confirmationMethod);
>>>>
>>>> if
>>>>
>>>> (("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key".equals(this.confirmationMethod))
>>>> ||
>>>>
>>>> ("urn:oasis:names:tc:SAML:1.0:cm:holder-of-key".equals(this.confirmationMethod)))
>>>> {
>>>> try
>>>> {
>>>> KeyInfoBean keyInfo = createKeyInfo();
>>>> subjectBean.setKeyInfo(keyInfo);
>>>> } catch (Exception ex) {
>>>> throw new IOException("Problem creating KeyInfo: " +
>>>> ex.getMessage());
>>>> }
>>>> }
>>>>
>>>> callback.setSubject(subjectBean);
>>>>
>>>> AttributeStatementBean attrBean = new AttributeStatementBean();
>>>> attrBean.setSubject(subjectBean);
>>>>
>>>> AttributeBean attributeBean = new AttributeBean();
>>>> if (this.saml2) {
>>>> attributeBean.setQualifiedName("subject-role");
>>>> } else {
>>>> attributeBean.setSimpleName("subject-role");
>>>> attributeBean.setQualifiedName("http://custom-ns");
>>>> }
>>>>
>>>>
>>>> attributeBean.setAttributeValues(Collections.singletonList("system-user"));
>>>>
>>>> attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
>>>>
>>>>
>>>> callback.setAttributeStatementData(Collections.singletonList(attrBean));
>>>> }
>>>> }
>>>>
>>>> protected KeyInfoBean createKeyInfo() throws Exception
>>>> {
>>>> Crypto crypto = CryptoFactory.getInstance("signature.properties");
>>>>
>>>> CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
>>>> cryptoType.setAlias("myprivate");
>>>> X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
>>>>
>>>> KeyInfoBean keyInfo = new KeyInfoBean();
>>>> keyInfo.setCertificate(certs[0]);
>>>> keyInfo.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.X509_CERT);
>>>>
>>>> return keyInfo;
>>>> }
>>>>
>>>>
>>>> //////////////////////////////////////////////////////////////////////////////
>>>>
>>>>
>>>
>>>
>> i did use that as well..but that would rather add a certificate to
>> Signature..and nothing else is the motive because we are claiming to use a
>> self signed certificate for sending message.
>> however, the problem here is with response not containing any certificate.
>> please help me understand what keystore/truststore configuration would it
>> require (if that is the problem at all). for now i have configured a custom
>> identity/trust using a certificate/private key which i generated adding
>> myself as a CA.
>> Please suggest what more would it need..
>>
>> thanks for replying!
>
>
>
> oops!!sorry!...no, the problem is not with " response not containing any
> certificate." ..i messed up another problem into this in last update.
> this is just about assertion not being signed.
>
>
> Policy compliance failure: Header/Element
> NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must be signed
>
> please suggest!
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Signing SAML assertions for OWSM policies
Posted by Shwetank <sh...@imaginea.com>.
On 11-04-2012 21:19, Shwetank wrote:
> On 11-04-2012 19:33, Colm O hEigeartaigh wrote:
>> You need to set SecurityConstants.SELF_SIGN_SAML_ASSERTION to "true"
>> in your configuration (and define the appropriate CallbackHandler and
>> crypto property tags):
>>
>> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
>>
>>
>> Colm.
>>
>> On Wed, Apr 11, 2012 at 2:40 PM, Shwetank<sh...@imaginea.com>
>> wrote:
>>> Hi
>>>
>>> Pardon me if i break a rule or two of mailing-list directives.
>>> I seek help on how to sign SAML 1.1 assertion with CXF 2.5.2 for
>>> holder-of-key confirmation method:
>>>
>>> a) an OWSM policy
>>> wss10_saml_hok_token_with_message_protection_service_policy is
>>> applied to a
>>> test service
>>> b) the policy and wsdl look like following
>>>
>>> <?xml version="1.0"?>
>>> <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
>>> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>>> xmlns:tns="http://owsm.test.wsa.bf.hs.com/"
>>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>>> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>>> name="POManagerService"
>>> targetNamespace="http://owsm.test.wsa.bf.hs.com/">
>>> <wsp:Policy
>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>> wsu:Id="POManagerPort_Fault_Policy"/>
>>> <wsp:Policy
>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>> wsu:Id="POManagerPort_Input_Policy">
>>> <sp:SignedParts
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <sp:Body/>
>>> <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
>>> <sp:Header
>>> Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
>>> <sp:Header Name="fmw-context"
>>> Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
>>> </sp:SignedParts>
>>> <sp:EncryptedParts
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <sp:Body/>
>>> <sp:Header Name="fmw-context"
>>> Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
>>> </sp:EncryptedParts>
>>> </wsp:Policy>
>>> <wsp:Policy
>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>> wsu:Id="POManagerPort_Output_Policy">
>>> <sp:SignedParts
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <sp:Body/>
>>> </sp:SignedParts>
>>> <sp:EncryptedParts
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <sp:Body/>
>>> </sp:EncryptedParts>
>>> </wsp:Policy>
>>> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>> xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy"
>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>
>>> xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
>>> xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
>>> wsu:Id="wss10_saml_hok_token_with_message_protection_service_policy">
>>> <sp:AsymmetricBinding
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy>
>>> <sp:InitiatorToken>
>>> <wsp:Policy>
>>> <sp:SamlToken
>>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>>>
>>> <wsp:Policy>
>>> <sp:WssSamlV11Token10/>
>>> </wsp:Policy>
>>> </sp:SamlToken>
>>> </wsp:Policy>
>>> </sp:InitiatorToken>
>>> <sp:RecipientToken>
>>> <wsp:Policy>
>>> <sp:X509Token
>>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>>>
>>> <wsp:Policy>
>>> <sp:WssX509V3Token10/>
>>> </wsp:Policy>
>>> </sp:X509Token>
>>> </wsp:Policy>
>>> </sp:RecipientToken>
>>> <sp:AlgorithmSuite>
>>> <wsp:Policy>
>>> <sp:Basic128/>
>>> </wsp:Policy>
>>> </sp:AlgorithmSuite>
>>> <sp:Layout>
>>> <wsp:Policy>
>>> <sp:Lax/>
>>> </wsp:Policy>
>>> </sp:Layout>
>>> <sp:IncludeTimestamp/>
>>> <sp:OnlySignEntireHeadersAndBody/>
>>> </wsp:Policy>
>>> </sp:AsymmetricBinding>
>>> <sp:Wss10
>>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>>> <wsp:Policy/>
>>> </sp:Wss10>
>>> </wsp:Policy>
>>> <types>
>>> <xsd:schema>
>>> <xsd:import namespace="http://owsm.test.wsa.bf.hs.com/"
>>> schemaLocation="http://server:7001/testwebservice/POManagerPort?xsd=1"/>
>>>
>>> </xsd:schema>
>>> </types>
>>> <message name="createOrder">
>>> <part name="parameters" element="tns:createOrder"/>
>>> </message>
>>> <message name="createOrderResponse">
>>> <part name="parameters" element="tns:createOrderResponse"/>
>>> </message>
>>> <portType name="POManager">
>>> <operation name="createOrder">
>>> <input message="tns:createOrder"/>
>>> <output message="tns:createOrderResponse"/>
>>> </operation>
>>> </portType>
>>> <binding name="POManagerPortBinding" type="tns:POManager">
>>> <soap:binding style="document"
>>> transport="http://schemas.xmlsoap.org/soap/http"/>
>>> <wsp:PolicyReference
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>> URI="#wss10_saml_hok_token_with_message_protection_service_policy"
>>> wsdl:required="false"/>
>>> <operation name="createOrder">
>>> <soap:operation soapAction=""/>
>>> <input>
>>> <soap:body use="literal"/>
>>> <wsp:PolicyReference
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>> URI="#POManagerPort_Input_Policy" wsdl:required="false"/>
>>> </input>
>>> <output>
>>> <soap:body use="literal"/>
>>> <wsp:PolicyReference
>>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>>> URI="#POManagerPort_Output_Policy" wsdl:required="false"/>
>>> </output>
>>> </operation>
>>> </binding>
>>> <service name="POManagerService">
>>> <port name="POManagerPort" binding="tns:POManagerPortBinding">
>>> <soap:address
>>> location="http://server:7001/testwebservice/POManagerPort"/>
>>> <wsa:EndpointReference
>>> xmlns:wsa="http://www.w3.org/2005/08/addressing">
>>> <wsa:Address xmlns:wsa="http://www.w3.org/2005/08/addressing">
>>> http://server:7001/testwebservice/POManagerPort
>>> </wsa:Address>
>>> <wsid:Identity
>>> xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
>>> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>>> <dsig:X509Data>
>>> <dsig:X509Certificate>
>>> ................
>>> </dsig:X509Certificate>
>>> <dsig:X509IssuerSerial>
>>> <dsig:X509IssuerName>
>>> .........
>>> </dsig:X509IssuerName>
>>> <dsig:X509SerialNumber>-....</dsig:X509SerialNumber>
>>> </dsig:X509IssuerSerial>
>>> <dsig:X509SubjectName>
>>> .......
>>> </dsig:X509SubjectName>
>>> </dsig:X509Data>
>>> </dsig:KeyInfo>
>>> </wsid:Identity>
>>> </wsa:EndpointReference>
>>> </port>
>>> </service>
>>> </definitions>
>>>
>>>
>>>
>>> c) following is message generated by cxf2.5.2 for this policy
>>>
>>> <?xml version="1.0"?>
>>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>>> <soap:Header>
>>> <wsse:Security
>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>>
>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>
>>> soap:mustUnderstand="1">
>>> <wsse:BinarySecurityToken
>>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>>>
>>> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>>>
>>> wsu:Id="BC59F58138560D687613341497540725">MIIB+DCCAaICCQCbeQ7C1MJrOTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wHhcNMTIwNDEwMTI1OTA0WhcNMTMwNDEwMTI1OTA0WjCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1ZwvGTS5gxDgGjoHuaqY9dh26un58rF3YFpuNY6F9JROBooMmbEWAWlvN+kjrEBhoQhTMbnwp8Sa+sPxOI+b8QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAIlGPjJUTytuNsfeIy+dPFAT6XXN6sbiTTcFmhGUtP8q3XJRQCFlMKqFrWP/SVck8PPdH6fSO8EzOLLOYF5dkPQ==</wsse:BinarySecurityToken>
>>>
>>> <wsu:Timestamp wsu:Id="TS-1">
>>> <wsu:Created>2012-04-11T13:06:42.679Z</wsu:Created>
>>> <wsu:Expires>2012-04-11T13:11:42.679Z</wsu:Expires>
>>> </wsu:Timestamp>
>>> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>> Id="EK-BC59F58138560D687613341497540724">
>>> <xenc:EncryptionMethod
>>> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>> <wsse:SecurityTokenReference>
>>> <wsse:Reference URI="#BC59F58138560D687613341497540725"
>>> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>>>
>>> </wsse:SecurityTokenReference>
>>> </ds:KeyInfo>
>>> <xenc:CipherData>
>>> <xenc:CipherValue>tUjFXfI6BPNO78XzWGThNnCvXloGK001IPwzMiEdz4XAuz86gaCCTJ5+KBVKTsMhGxXOVNaOWTeLo3VzMKYWPA==</xenc:CipherValue>
>>>
>>> </xenc:CipherData>
>>> <xenc:ReferenceList>
>>> <xenc:DataReference URI="#ED-3"/>
>>> </xenc:ReferenceList>
>>> </xenc:EncryptedKey>
>>> <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>> AssertionID="_BC59F58138560D687613341496647771"
>>> IssueInstant="2012-04-11T13:07:44.551Z" Issuer="www.oracle.com"
>>> MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
>>> <saml1:Conditions NotBefore="2012-04-11T13:07:44.838Z"
>>> NotOnOrAfter="2012-04-11T13:12:44.838Z"/>
>>> <saml1:AttributeStatement>
>>> <saml1:Subject>
>>> <saml1:NameIdentifier
>>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>>> NameQualifier="www.oracle.com">weblogic</saml1:NameIdentifier>
>>> <saml1:SubjectConfirmation>
>>> <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
>>>
>>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>> <ds:X509Data>
>>> <ds:X509Certificate>........................</ds:X509Certificate>
>>> </ds:X509Data>
>>> </ds:KeyInfo>
>>> </saml1:SubjectConfirmation>
>>> </saml1:Subject>
>>> <saml1:Attribute AttributeName="subject-role"
>>> AttributeNamespace="http://custom-ns">
>>> <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>>> xsi:type="xs:string">system-user</saml1:AttributeValue>
>>> </saml1:Attribute>
>>> </saml1:AttributeStatement>
>>> </saml1:Assertion>
>>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
>>> <ds:SignedInfo>
>>> <ds:CanonicalizationMethod
>>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>> <ds:SignatureMethod
>>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>>> <ds:Reference URI="#TS-1">
>>> <ds:Transforms>
>>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>> </ds:Transforms>
>>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> <ds:DigestValue>/LPHR8sX+ptPaN8+iZYQxYwffG8=</ds:DigestValue>
>>> </ds:Reference>
>>> <ds:Reference URI="#Id-26930486">
>>> <ds:Transforms>
>>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>>> </ds:Transforms>
>>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>>> <ds:DigestValue>ej9eQZSJOyVu6TgV8MO/exfxCeA=</ds:DigestValue>
>>> </ds:Reference>
>>> </ds:SignedInfo>
>>> <ds:SignatureValue>uBvdcZ7jkAty14s0tdMKGvI4z1lCbWDo2RQEWjJ9t6z9vASoB98l4NeshQz96JWDqpGFgb4wd93/f9ra0Y68xA==</ds:SignatureValue>
>>>
>>> <ds:KeyInfo Id="KI-BC59F58138560D687613341497504882">
>>> <wsse:SecurityTokenReference
>>> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>>>
>>> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
>>>
>>> wsu:Id="STR-BC59F58138560D687613341497504923">
>>> <wsse:KeyIdentifier
>>> ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BC59F58138560D687613341496647771</wsse:KeyIdentifier>
>>>
>>> </wsse:SecurityTokenReference>
>>> </ds:KeyInfo>
>>> </ds:Signature>
>>> </wsse:Security>
>>> </soap:Header>
>>> <soap:Body
>>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>>>
>>> wsu:Id="Id-26930486">
>>> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>>> Id="ED-3"
>>> Type="http://www.w3.org/2001/04/xmlenc#Content">
>>> <xenc:EncryptionMethod
>>> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>>> <wsse:SecurityTokenReference
>>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>>>
>>> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>>>
>>> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
>>>
>>> <wsse:Reference URI="#EK-BC59F58138560D687613341497540724"/>
>>> </wsse:SecurityTokenReference>
>>> </ds:KeyInfo>
>>> <xenc:CipherData>
>>> <xenc:CipherValue>.............................</xenc:CipherValue>
>>> </xenc:CipherData>
>>> </xenc:EncryptedData>
>>> </soap:Body>
>>> </soap:Envelope>
>>>
>>>
>>> d) and i receive following error from OWSM (oracle web services
>>> manager)
>>>
>>> Policy compliance failure: Header/Element
>>> NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must
>>> be signed
>>> [WSM_PolicyName:
>>> oracle/wss10_saml_hok_token_with_message_protection_service_policy] The
>>> signed message elements or parts do not comply with the policy.
>>>
>>>
>>> i seek help to understand which part of the message is not being
>>> signed..and
>>> why..or how could i sign it.
>>> am using the SamlCallbackHandler (supplied with tests) to add
>>> attributes
>>>
>>> following is the callbackhandler code if that may help
>>>
>>> ///////////////////////////////////////////////////////////////////////////////
>>>
>>> public void handle(Callback[] callbacks) throws IOException,
>>> UnsupportedCallbackException {
>>> for (int i = 0; i< callbacks.length; i++)
>>> if ((callbacks[i] instanceof SAMLCallback)) {
>>> SAMLCallback callback = (SAMLCallback)callbacks[i];
>>> if (this.saml2) {
>>> callback.setSamlVersion(SAMLVersion.VERSION_20);
>>> }
>>> callback.setIssuer("www.oracle.com");
>>> String subjectName = "weblogic";
>>> String subjectQualifier = "www.oracle.com";
>>>
>>> SubjectBean subjectBean = new SubjectBean(subjectName,
>>> subjectQualifier, this.confirmationMethod);
>>>
>>> if
>>> (("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key".equals(this.confirmationMethod))
>>>
>>> ||
>>> ("urn:oasis:names:tc:SAML:1.0:cm:holder-of-key".equals(this.confirmationMethod)))
>>>
>>> {
>>> try
>>> {
>>> KeyInfoBean keyInfo = createKeyInfo();
>>> subjectBean.setKeyInfo(keyInfo);
>>> } catch (Exception ex) {
>>> throw new IOException("Problem creating KeyInfo: " +
>>> ex.getMessage());
>>> }
>>> }
>>>
>>> callback.setSubject(subjectBean);
>>>
>>> AttributeStatementBean attrBean = new AttributeStatementBean();
>>> attrBean.setSubject(subjectBean);
>>>
>>> AttributeBean attributeBean = new AttributeBean();
>>> if (this.saml2) {
>>> attributeBean.setQualifiedName("subject-role");
>>> } else {
>>> attributeBean.setSimpleName("subject-role");
>>> attributeBean.setQualifiedName("http://custom-ns");
>>> }
>>>
>>>
>>> attributeBean.setAttributeValues(Collections.singletonList("system-user"));
>>>
>>> attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
>>>
>>>
>>> callback.setAttributeStatementData(Collections.singletonList(attrBean));
>>>
>>> }
>>> }
>>>
>>> protected KeyInfoBean createKeyInfo() throws Exception
>>> {
>>> Crypto crypto = CryptoFactory.getInstance("signature.properties");
>>>
>>> CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
>>> cryptoType.setAlias("myprivate");
>>> X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
>>>
>>> KeyInfoBean keyInfo = new KeyInfoBean();
>>> keyInfo.setCertificate(certs[0]);
>>> keyInfo.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.X509_CERT);
>>>
>>> return keyInfo;
>>> }
>>>
>>> //////////////////////////////////////////////////////////////////////////////
>>>
>>>
>>>
>>
>>
> i did use that as well..but that would rather add a certificate to
> Signature..and nothing else is the motive because we are claiming to
> use a self signed certificate for sending message.
> however, the problem here is with response not containing any
> certificate.
> please help me understand what keystore/truststore configuration would
> it require (if that is the problem at all). for now i have configured
> a custom identity/trust using a certificate/private key which i
> generated adding myself as a CA.
> Please suggest what more would it need..
>
> thanks for replying!
oops!!sorry!...no, the problem is not with " response not containing any
certificate." ..i messed up another problem into this in last update.
this is just about assertion not being signed.
Policy compliance failure: Header/Element
NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must be
signed
please suggest!
Re: Signing SAML assertions for OWSM policies
Posted by Shwetank <sh...@imaginea.com>.
On 11-04-2012 19:33, Colm O hEigeartaigh wrote:
> You need to set SecurityConstants.SELF_SIGN_SAML_ASSERTION to "true"
> in your configuration (and define the appropriate CallbackHandler and
> crypto property tags):
>
> http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
>
> Colm.
>
> On Wed, Apr 11, 2012 at 2:40 PM, Shwetank<sh...@imaginea.com> wrote:
>> Hi
>>
>> Pardon me if i break a rule or two of mailing-list directives.
>> I seek help on how to sign SAML 1.1 assertion with CXF 2.5.2 for
>> holder-of-key confirmation method:
>>
>> a) an OWSM policy
>> wss10_saml_hok_token_with_message_protection_service_policy is applied to a
>> test service
>> b) the policy and wsdl look like following
>>
>> <?xml version="1.0"?>
>> <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
>> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>> xmlns:tns="http://owsm.test.wsa.bf.hs.com/"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="POManagerService"
>> targetNamespace="http://owsm.test.wsa.bf.hs.com/">
>> <wsp:Policy
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> wsu:Id="POManagerPort_Fault_Policy"/>
>> <wsp:Policy
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> wsu:Id="POManagerPort_Input_Policy">
>> <sp:SignedParts
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <sp:Body/>
>> <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
>> <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
>> <sp:Header Name="fmw-context"
>> Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
>> </sp:SignedParts>
>> <sp:EncryptedParts
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <sp:Body/>
>> <sp:Header Name="fmw-context"
>> Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
>> </sp:EncryptedParts>
>> </wsp:Policy>
>> <wsp:Policy
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> wsu:Id="POManagerPort_Output_Policy">
>> <sp:SignedParts
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <sp:Body/>
>> </sp:SignedParts>
>> <sp:EncryptedParts
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <sp:Body/>
>> </sp:EncryptedParts>
>> </wsp:Policy>
>> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
>> xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
>> wsu:Id="wss10_saml_hok_token_with_message_protection_service_policy">
>> <sp:AsymmetricBinding
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:InitiatorToken>
>> <wsp:Policy>
>> <sp:SamlToken
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>> <wsp:Policy>
>> <sp:WssSamlV11Token10/>
>> </wsp:Policy>
>> </sp:SamlToken>
>> </wsp:Policy>
>> </sp:InitiatorToken>
>> <sp:RecipientToken>
>> <wsp:Policy>
>> <sp:X509Token
>> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
>> <wsp:Policy>
>> <sp:WssX509V3Token10/>
>> </wsp:Policy>
>> </sp:X509Token>
>> </wsp:Policy>
>> </sp:RecipientToken>
>> <sp:AlgorithmSuite>
>> <wsp:Policy>
>> <sp:Basic128/>
>> </wsp:Policy>
>> </sp:AlgorithmSuite>
>> <sp:Layout>
>> <wsp:Policy>
>> <sp:Lax/>
>> </wsp:Policy>
>> </sp:Layout>
>> <sp:IncludeTimestamp/>
>> <sp:OnlySignEntireHeadersAndBody/>
>> </wsp:Policy>
>> </sp:AsymmetricBinding>
>> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy/>
>> </sp:Wss10>
>> </wsp:Policy>
>> <types>
>> <xsd:schema>
>> <xsd:import namespace="http://owsm.test.wsa.bf.hs.com/"
>> schemaLocation="http://server:7001/testwebservice/POManagerPort?xsd=1"/>
>> </xsd:schema>
>> </types>
>> <message name="createOrder">
>> <part name="parameters" element="tns:createOrder"/>
>> </message>
>> <message name="createOrderResponse">
>> <part name="parameters" element="tns:createOrderResponse"/>
>> </message>
>> <portType name="POManager">
>> <operation name="createOrder">
>> <input message="tns:createOrder"/>
>> <output message="tns:createOrderResponse"/>
>> </operation>
>> </portType>
>> <binding name="POManagerPortBinding" type="tns:POManager">
>> <soap:binding style="document"
>> transport="http://schemas.xmlsoap.org/soap/http"/>
>> <wsp:PolicyReference
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> URI="#wss10_saml_hok_token_with_message_protection_service_policy"
>> wsdl:required="false"/>
>> <operation name="createOrder">
>> <soap:operation soapAction=""/>
>> <input>
>> <soap:body use="literal"/>
>> <wsp:PolicyReference
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> URI="#POManagerPort_Input_Policy" wsdl:required="false"/>
>> </input>
>> <output>
>> <soap:body use="literal"/>
>> <wsp:PolicyReference
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> URI="#POManagerPort_Output_Policy" wsdl:required="false"/>
>> </output>
>> </operation>
>> </binding>
>> <service name="POManagerService">
>> <port name="POManagerPort" binding="tns:POManagerPortBinding">
>> <soap:address location="http://server:7001/testwebservice/POManagerPort"/>
>> <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
>> <wsa:Address xmlns:wsa="http://www.w3.org/2005/08/addressing">
>> http://server:7001/testwebservice/POManagerPort
>> </wsa:Address>
>> <wsid:Identity
>> xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
>> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
>> <dsig:X509Data>
>> <dsig:X509Certificate>
>> ................
>> </dsig:X509Certificate>
>> <dsig:X509IssuerSerial>
>> <dsig:X509IssuerName>
>> .........
>> </dsig:X509IssuerName>
>> <dsig:X509SerialNumber>-....</dsig:X509SerialNumber>
>> </dsig:X509IssuerSerial>
>> <dsig:X509SubjectName>
>> .......
>> </dsig:X509SubjectName>
>> </dsig:X509Data>
>> </dsig:KeyInfo>
>> </wsid:Identity>
>> </wsa:EndpointReference>
>> </port>
>> </service>
>> </definitions>
>>
>>
>>
>> c) following is message generated by cxf2.5.2 for this policy
>>
>> <?xml version="1.0"?>
>> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
>> <soap:Header>
>> <wsse:Security
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> soap:mustUnderstand="1">
>> <wsse:BinarySecurityToken
>> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>> wsu:Id="BC59F58138560D687613341497540725">MIIB+DCCAaICCQCbeQ7C1MJrOTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wHhcNMTIwNDEwMTI1OTA0WhcNMTMwNDEwMTI1OTA0WjCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1ZwvGTS5gxDgGjoHuaqY9dh26un58rF3YFpuNY6F9JROBooMmbEWAWlvN+kjrEBhoQhTMbnwp8Sa+sPxOI+b8QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAIlGPjJUTytuNsfeIy+dPFAT6XXN6sbiTTcFmhGUtP8q3XJRQCFlMKqFrWP/SVck8PPdH6fSO8EzOLLOYF5dkPQ==</wsse:BinarySecurityToken>
>> <wsu:Timestamp wsu:Id="TS-1">
>> <wsu:Created>2012-04-11T13:06:42.679Z</wsu:Created>
>> <wsu:Expires>2012-04-11T13:11:42.679Z</wsu:Expires>
>> </wsu:Timestamp>
>> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
>> Id="EK-BC59F58138560D687613341497540724">
>> <xenc:EncryptionMethod
>> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <wsse:SecurityTokenReference>
>> <wsse:Reference URI="#BC59F58138560D687613341497540725"
>> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>> </wsse:SecurityTokenReference>
>> </ds:KeyInfo>
>> <xenc:CipherData>
>> <xenc:CipherValue>tUjFXfI6BPNO78XzWGThNnCvXloGK001IPwzMiEdz4XAuz86gaCCTJ5+KBVKTsMhGxXOVNaOWTeLo3VzMKYWPA==</xenc:CipherValue>
>> </xenc:CipherData>
>> <xenc:ReferenceList>
>> <xenc:DataReference URI="#ED-3"/>
>> </xenc:ReferenceList>
>> </xenc:EncryptedKey>
>> <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> AssertionID="_BC59F58138560D687613341496647771"
>> IssueInstant="2012-04-11T13:07:44.551Z" Issuer="www.oracle.com"
>> MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
>> <saml1:Conditions NotBefore="2012-04-11T13:07:44.838Z"
>> NotOnOrAfter="2012-04-11T13:12:44.838Z"/>
>> <saml1:AttributeStatement>
>> <saml1:Subject>
>> <saml1:NameIdentifier
>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
>> NameQualifier="www.oracle.com">weblogic</saml1:NameIdentifier>
>> <saml1:SubjectConfirmation>
>> <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <ds:X509Data>
>> <ds:X509Certificate>........................</ds:X509Certificate>
>> </ds:X509Data>
>> </ds:KeyInfo>
>> </saml1:SubjectConfirmation>
>> </saml1:Subject>
>> <saml1:Attribute AttributeName="subject-role"
>> AttributeNamespace="http://custom-ns">
>> <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
>> xsi:type="xs:string">system-user</saml1:AttributeValue>
>> </saml1:Attribute>
>> </saml1:AttributeStatement>
>> </saml1:Assertion>
>> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
>> <ds:SignedInfo>
>> <ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>> <ds:Reference URI="#TS-1">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>/LPHR8sX+ptPaN8+iZYQxYwffG8=</ds:DigestValue>
>> </ds:Reference>
>> <ds:Reference URI="#Id-26930486">
>> <ds:Transforms>
>> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>> </ds:Transforms>
>> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>> <ds:DigestValue>ej9eQZSJOyVu6TgV8MO/exfxCeA=</ds:DigestValue>
>> </ds:Reference>
>> </ds:SignedInfo>
>> <ds:SignatureValue>uBvdcZ7jkAty14s0tdMKGvI4z1lCbWDo2RQEWjJ9t6z9vASoB98l4NeshQz96JWDqpGFgb4wd93/f9ra0Y68xA==</ds:SignatureValue>
>> <ds:KeyInfo Id="KI-BC59F58138560D687613341497504882">
>> <wsse:SecurityTokenReference
>> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
>> wsu:Id="STR-BC59F58138560D687613341497504923">
>> <wsse:KeyIdentifier
>> ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BC59F58138560D687613341496647771</wsse:KeyIdentifier>
>> </wsse:SecurityTokenReference>
>> </ds:KeyInfo>
>> </ds:Signature>
>> </wsse:Security>
>> </soap:Header>
>> <soap:Body
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> wsu:Id="Id-26930486">
>> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-3"
>> Type="http://www.w3.org/2001/04/xmlenc#Content">
>> <xenc:EncryptionMethod
>> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
>> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>> <wsse:SecurityTokenReference
>> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
>> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
>> <wsse:Reference URI="#EK-BC59F58138560D687613341497540724"/>
>> </wsse:SecurityTokenReference>
>> </ds:KeyInfo>
>> <xenc:CipherData>
>> <xenc:CipherValue>.............................</xenc:CipherValue>
>> </xenc:CipherData>
>> </xenc:EncryptedData>
>> </soap:Body>
>> </soap:Envelope>
>>
>>
>> d) and i receive following error from OWSM (oracle web services manager)
>>
>> Policy compliance failure: Header/Element
>> NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must be signed
>> [WSM_PolicyName:
>> oracle/wss10_saml_hok_token_with_message_protection_service_policy] The
>> signed message elements or parts do not comply with the policy.
>>
>>
>> i seek help to understand which part of the message is not being signed..and
>> why..or how could i sign it.
>> am using the SamlCallbackHandler (supplied with tests) to add attributes
>>
>> following is the callbackhandler code if that may help
>>
>> ///////////////////////////////////////////////////////////////////////////////
>> public void handle(Callback[] callbacks) throws IOException,
>> UnsupportedCallbackException {
>> for (int i = 0; i< callbacks.length; i++)
>> if ((callbacks[i] instanceof SAMLCallback)) {
>> SAMLCallback callback = (SAMLCallback)callbacks[i];
>> if (this.saml2) {
>> callback.setSamlVersion(SAMLVersion.VERSION_20);
>> }
>> callback.setIssuer("www.oracle.com");
>> String subjectName = "weblogic";
>> String subjectQualifier = "www.oracle.com";
>>
>> SubjectBean subjectBean = new SubjectBean(subjectName,
>> subjectQualifier, this.confirmationMethod);
>>
>> if
>> (("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key".equals(this.confirmationMethod))
>> ||
>> ("urn:oasis:names:tc:SAML:1.0:cm:holder-of-key".equals(this.confirmationMethod)))
>> {
>> try
>> {
>> KeyInfoBean keyInfo = createKeyInfo();
>> subjectBean.setKeyInfo(keyInfo);
>> } catch (Exception ex) {
>> throw new IOException("Problem creating KeyInfo: " +
>> ex.getMessage());
>> }
>> }
>>
>> callback.setSubject(subjectBean);
>>
>> AttributeStatementBean attrBean = new AttributeStatementBean();
>> attrBean.setSubject(subjectBean);
>>
>> AttributeBean attributeBean = new AttributeBean();
>> if (this.saml2) {
>> attributeBean.setQualifiedName("subject-role");
>> } else {
>> attributeBean.setSimpleName("subject-role");
>> attributeBean.setQualifiedName("http://custom-ns");
>> }
>>
>> attributeBean.setAttributeValues(Collections.singletonList("system-user"));
>> attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
>>
>> callback.setAttributeStatementData(Collections.singletonList(attrBean));
>> }
>> }
>>
>> protected KeyInfoBean createKeyInfo() throws Exception
>> {
>> Crypto crypto = CryptoFactory.getInstance("signature.properties");
>>
>> CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
>> cryptoType.setAlias("myprivate");
>> X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
>>
>> KeyInfoBean keyInfo = new KeyInfoBean();
>> keyInfo.setCertificate(certs[0]);
>> keyInfo.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.X509_CERT);
>>
>> return keyInfo;
>> }
>>
>> //////////////////////////////////////////////////////////////////////////////
>>
>>
>
>
i did use that as well..but that would rather add a certificate to
Signature..and nothing else is the motive because we are claiming to use
a self signed certificate for sending message.
however, the problem here is with response not containing any certificate.
please help me understand what keystore/truststore configuration would
it require (if that is the problem at all). for now i have configured a
custom identity/trust using a certificate/private key which i generated
adding myself as a CA.
Please suggest what more would it need..
thanks for replying!
Re: Signing SAML assertions for OWSM policies
Posted by Colm O hEigeartaigh <co...@apache.org>.
You need to set SecurityConstants.SELF_SIGN_SAML_ASSERTION to "true"
in your configuration (and define the appropriate CallbackHandler and
crypto property tags):
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/SecurityConstants.java?view=markup
Colm.
On Wed, Apr 11, 2012 at 2:40 PM, Shwetank <sh...@imaginea.com> wrote:
> Hi
>
> Pardon me if i break a rule or two of mailing-list directives.
> I seek help on how to sign SAML 1.1 assertion with CXF 2.5.2 for
> holder-of-key confirmation method:
>
> a) an OWSM policy
> wss10_saml_hok_token_with_message_protection_service_policy is applied to a
> test service
> b) the policy and wsdl look like following
>
> <?xml version="1.0"?>
> <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:tns="http://owsm.test.wsa.bf.hs.com/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" name="POManagerService"
> targetNamespace="http://owsm.test.wsa.bf.hs.com/">
> <wsp:Policy
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> wsu:Id="POManagerPort_Fault_Policy"/>
> <wsp:Policy
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> wsu:Id="POManagerPort_Input_Policy">
> <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> <sp:Header Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Namespace="http://schemas.xmlsoap.org/ws/2004/08/addressing"/>
> <sp:Header Name="fmw-context"
> Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
> </sp:SignedParts>
> <sp:EncryptedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> <sp:Header Name="fmw-context"
> Namespace="http://xmlns.oracle.com/fmw/context/1.0"/>
> </sp:EncryptedParts>
> </wsp:Policy>
> <wsp:Policy
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> wsu:Id="POManagerPort_Output_Policy">
> <sp:SignedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:SignedParts>
> <sp:EncryptedParts
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <sp:Body/>
> </sp:EncryptedParts>
> </wsp:Policy>
> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:oralgp="http://schemas.oracle.com/ws/2006/01/loggingpolicy"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:orawsp="http://schemas.oracle.com/ws/2006/01/policy"
> xmlns:orasp="http://schemas.oracle.com/ws/2006/01/securitypolicy"
> wsu:Id="wss10_saml_hok_token_with_message_protection_service_policy">
> <sp:AsymmetricBinding
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:SamlToken
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:WssSamlV11Token10/>
> </wsp:Policy>
> </sp:SamlToken>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Always">
> <wsp:Policy>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic128/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy/>
> </sp:Wss10>
> </wsp:Policy>
> <types>
> <xsd:schema>
> <xsd:import namespace="http://owsm.test.wsa.bf.hs.com/"
> schemaLocation="http://server:7001/testwebservice/POManagerPort?xsd=1"/>
> </xsd:schema>
> </types>
> <message name="createOrder">
> <part name="parameters" element="tns:createOrder"/>
> </message>
> <message name="createOrderResponse">
> <part name="parameters" element="tns:createOrderResponse"/>
> </message>
> <portType name="POManager">
> <operation name="createOrder">
> <input message="tns:createOrder"/>
> <output message="tns:createOrderResponse"/>
> </operation>
> </portType>
> <binding name="POManagerPortBinding" type="tns:POManager">
> <soap:binding style="document"
> transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsp:PolicyReference
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> URI="#wss10_saml_hok_token_with_message_protection_service_policy"
> wsdl:required="false"/>
> <operation name="createOrder">
> <soap:operation soapAction=""/>
> <input>
> <soap:body use="literal"/>
> <wsp:PolicyReference
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> URI="#POManagerPort_Input_Policy" wsdl:required="false"/>
> </input>
> <output>
> <soap:body use="literal"/>
> <wsp:PolicyReference
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> URI="#POManagerPort_Output_Policy" wsdl:required="false"/>
> </output>
> </operation>
> </binding>
> <service name="POManagerService">
> <port name="POManagerPort" binding="tns:POManagerPortBinding">
> <soap:address location="http://server:7001/testwebservice/POManagerPort"/>
> <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
> <wsa:Address xmlns:wsa="http://www.w3.org/2005/08/addressing">
> http://server:7001/testwebservice/POManagerPort
> </wsa:Address>
> <wsid:Identity
> xmlns:wsid="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
> <dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
> <dsig:X509Data>
> <dsig:X509Certificate>
> ................
> </dsig:X509Certificate>
> <dsig:X509IssuerSerial>
> <dsig:X509IssuerName>
> .........
> </dsig:X509IssuerName>
> <dsig:X509SerialNumber>-....</dsig:X509SerialNumber>
> </dsig:X509IssuerSerial>
> <dsig:X509SubjectName>
> .......
> </dsig:X509SubjectName>
> </dsig:X509Data>
> </dsig:KeyInfo>
> </wsid:Identity>
> </wsa:EndpointReference>
> </port>
> </service>
> </definitions>
>
>
>
> c) following is message generated by cxf2.5.2 for this policy
>
> <?xml version="1.0"?>
> <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
> <soap:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> soap:mustUnderstand="1">
> <wsse:BinarySecurityToken
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
> wsu:Id="BC59F58138560D687613341497540725">MIIB+DCCAaICCQCbeQ7C1MJrOTANBgkqhkiG9w0BAQUFADCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wHhcNMTIwNDEwMTI1OTA0WhcNMTMwNDEwMTI1OTA0WjCBgjELMAkGA1UEBhMCSU4xCzAJBgNVBAgTAkFQMQwwCgYDVQQHEwNIWUQxEDAOBgNVBAoTB3ByYW1hdGkxEDAOBgNVBAsTB3ByYW1hdGkxEjAQBgNVBAMTCXNvYWJwbS12bTEgMB4GCSqGSIb3DQEJARYRZW1haWxAcHJhbWF0aS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1ZwvGTS5gxDgGjoHuaqY9dh26un58rF3YFpuNY6F9JROBooMmbEWAWlvN+kjrEBhoQhTMbnwp8Sa+sPxOI+b8QIDAQABMA0GCSqGSIb3DQEBBQUAA0EAIlGPjJUTytuNsfeIy+dPFAT6XXN6sbiTTcFmhGUtP8q3XJRQCFlMKqFrWP/SVck8PPdH6fSO8EzOLLOYF5dkPQ==</wsse:BinarySecurityToken>
> <wsu:Timestamp wsu:Id="TS-1">
> <wsu:Created>2012-04-11T13:06:42.679Z</wsu:Created>
> <wsu:Expires>2012-04-11T13:11:42.679Z</wsu:Expires>
> </wsu:Timestamp>
> <xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> Id="EK-BC59F58138560D687613341497540724">
> <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference>
> <wsse:Reference URI="#BC59F58138560D687613341497540725"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>tUjFXfI6BPNO78XzWGThNnCvXloGK001IPwzMiEdz4XAuz86gaCCTJ5+KBVKTsMhGxXOVNaOWTeLo3VzMKYWPA==</xenc:CipherValue>
> </xenc:CipherData>
> <xenc:ReferenceList>
> <xenc:DataReference URI="#ED-3"/>
> </xenc:ReferenceList>
> </xenc:EncryptedKey>
> <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> AssertionID="_BC59F58138560D687613341496647771"
> IssueInstant="2012-04-11T13:07:44.551Z" Issuer="www.oracle.com"
> MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
> <saml1:Conditions NotBefore="2012-04-11T13:07:44.838Z"
> NotOnOrAfter="2012-04-11T13:12:44.838Z"/>
> <saml1:AttributeStatement>
> <saml1:Subject>
> <saml1:NameIdentifier
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
> NameQualifier="www.oracle.com">weblogic</saml1:NameIdentifier>
> <saml1:SubjectConfirmation>
> <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml1:ConfirmationMethod>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <ds:X509Data>
> <ds:X509Certificate>........................</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </saml1:SubjectConfirmation>
> </saml1:Subject>
> <saml1:Attribute AttributeName="subject-role"
> AttributeNamespace="http://custom-ns">
> <saml1:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xsi:type="xs:string">system-user</saml1:AttributeValue>
> </saml1:Attribute>
> </saml1:AttributeStatement>
> </saml1:Assertion>
> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-2">
> <ds:SignedInfo>
> <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
> <ds:Reference URI="#TS-1">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>/LPHR8sX+ptPaN8+iZYQxYwffG8=</ds:DigestValue>
> </ds:Reference>
> <ds:Reference URI="#Id-26930486">
> <ds:Transforms>
> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </ds:Transforms>
> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <ds:DigestValue>ej9eQZSJOyVu6TgV8MO/exfxCeA=</ds:DigestValue>
> </ds:Reference>
> </ds:SignedInfo>
> <ds:SignatureValue>uBvdcZ7jkAty14s0tdMKGvI4z1lCbWDo2RQEWjJ9t6z9vASoB98l4NeshQz96JWDqpGFgb4wd93/f9ra0Y68xA==</ds:SignatureValue>
> <ds:KeyInfo Id="KI-BC59F58138560D687613341497504882">
> <wsse:SecurityTokenReference
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
> wsu:Id="STR-BC59F58138560D687613341497504923">
> <wsse:KeyIdentifier
> ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_BC59F58138560D687613341496647771</wsse:KeyIdentifier>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> </ds:Signature>
> </wsse:Security>
> </soap:Header>
> <soap:Body
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> wsu:Id="Id-26930486">
> <xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="ED-3"
> Type="http://www.w3.org/2001/04/xmlenc#Content">
> <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
> <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> <wsse:SecurityTokenReference
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey">
> <wsse:Reference URI="#EK-BC59F58138560D687613341497540724"/>
> </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>.............................</xenc:CipherValue>
> </xenc:CipherData>
> </xenc:EncryptedData>
> </soap:Body>
> </soap:Envelope>
>
>
> d) and i receive following error from OWSM (oracle web services manager)
>
> Policy compliance failure: Header/Element
> NS=urn:oasis:names:tc:SAML:1.0:assertion; LocalName=Assertion must be signed
> [WSM_PolicyName:
> oracle/wss10_saml_hok_token_with_message_protection_service_policy] The
> signed message elements or parts do not comply with the policy.
>
>
> i seek help to understand which part of the message is not being signed..and
> why..or how could i sign it.
> am using the SamlCallbackHandler (supplied with tests) to add attributes
>
> following is the callbackhandler code if that may help
>
> ///////////////////////////////////////////////////////////////////////////////
> public void handle(Callback[] callbacks) throws IOException,
> UnsupportedCallbackException {
> for (int i = 0; i < callbacks.length; i++)
> if ((callbacks[i] instanceof SAMLCallback)) {
> SAMLCallback callback = (SAMLCallback)callbacks[i];
> if (this.saml2) {
> callback.setSamlVersion(SAMLVersion.VERSION_20);
> }
> callback.setIssuer("www.oracle.com");
> String subjectName = "weblogic";
> String subjectQualifier = "www.oracle.com";
>
> SubjectBean subjectBean = new SubjectBean(subjectName,
> subjectQualifier, this.confirmationMethod);
>
> if
> (("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key".equals(this.confirmationMethod))
> ||
> ("urn:oasis:names:tc:SAML:1.0:cm:holder-of-key".equals(this.confirmationMethod)))
> {
> try
> {
> KeyInfoBean keyInfo = createKeyInfo();
> subjectBean.setKeyInfo(keyInfo);
> } catch (Exception ex) {
> throw new IOException("Problem creating KeyInfo: " +
> ex.getMessage());
> }
> }
>
> callback.setSubject(subjectBean);
>
> AttributeStatementBean attrBean = new AttributeStatementBean();
> attrBean.setSubject(subjectBean);
>
> AttributeBean attributeBean = new AttributeBean();
> if (this.saml2) {
> attributeBean.setQualifiedName("subject-role");
> } else {
> attributeBean.setSimpleName("subject-role");
> attributeBean.setQualifiedName("http://custom-ns");
> }
>
> attributeBean.setAttributeValues(Collections.singletonList("system-user"));
> attrBean.setSamlAttributes(Collections.singletonList(attributeBean));
>
> callback.setAttributeStatementData(Collections.singletonList(attrBean));
> }
> }
>
> protected KeyInfoBean createKeyInfo() throws Exception
> {
> Crypto crypto = CryptoFactory.getInstance("signature.properties");
>
> CryptoType cryptoType = new CryptoType(CryptoType.TYPE.ALIAS);
> cryptoType.setAlias("myprivate");
> X509Certificate[] certs = crypto.getX509Certificates(cryptoType);
>
> KeyInfoBean keyInfo = new KeyInfoBean();
> keyInfo.setCertificate(certs[0]);
> keyInfo.setCertIdentifer(KeyInfoBean.CERT_IDENTIFIER.X509_CERT);
>
> return keyInfo;
> }
>
> //////////////////////////////////////////////////////////////////////////////
>
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com