You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@camel.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2014/04/01 11:34:53 UTC
Re: add SAML TOKEN to SOAP header
Here's an example of a CallbackHandler that shows how to set a SAML token
on the SAMLCallback Object:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob_plain;f=systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlElementCallbackHandler.java;hb=refs/heads/2.7.x-fixes
Colm.
On Mon, Mar 31, 2014 at 7:10 PM, chaij <ji...@indigoarc.com> wrote:
> I don't need to create a SAML token. I already have it in xml format.
>
> I am not using WS-SecurityPolicy. I am using WSS4J to add a SAML token.
>
> I will take a look the example in the second link.
>
> Thanks!
>
>
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749574.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: add SAML TOKEN to SOAP header
Posted by chaij <ji...@indigoarc.com>.
Thanks for your help. It makes sense.
Everything is working now!
--
View this message in context: http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5750087.html
Sent from the Camel - Users mailing list archive at Nabble.com.
Re: add SAML TOKEN to SOAP header
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,
I've fixed the NPE in WSS4J. Yes, there is an asymmetry for the SAML case
between the outbound and inbound configurations. This is mainly for
historical reasons, not to break backwards compatibility with older
deployments. On the outbound side, the "Unsigned" action just creates a
SAML Token and adds it "as is" to the security header of the request.
However, if the configuration states to sign the assertion, the assertion
is internally signed. For the "Signed" SAML Action, it externally signs the
assertion. On the receiving side, the "Signed SAML Action" matches either
the internally or externally signed assertion use-cases.
Colm.
On Mon, Apr 7, 2014 at 8:47 PM, chaij <ji...@indigoarc.com> wrote:
> That's it! I am able to get the validation disabled.
> Then I ran into this interesting issue.
>
> For client, wss4jOutInterceptor, I have to use SAMLTokenUnsigned action. If
> I use SAMLTokenSigned instead, I would get a null pointer exception like
> this:
> java.lang.NullPointerException
> at
>
> org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:262)[159:org.apache.ws.security.wss4j:1.6.12]
> at
>
> org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:117)[159:org.apache.ws.security.wss4j:1.6.12]
> at
>
> org.apache.ws.security.action.SAMLTokenSignedAction.execute(SAMLTokenSignedAction.java:99)[159:org.apache.ws.security.wss4j:1.6.12]
> at
>
> org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:232)[159:org.apache.ws.security.wss4j:1.6.12]
> at
>
> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
> at
>
> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:260)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
>
> For the server, wss4jInInterceptor, I have to use action SAMLTokenSigned.
> Otherwise, I would get WSSecurityException.
> 21:16:16,817 | WARN | p1389339194-1480 | ecurity.wss4j.WSS4JInInterceptor
> 362 | 162 - org.apache.cxf.cxf-rt-ws-security - 2.7.7 | Security processing
> failed (actions mismatch)
> 21:16:16,818 | WARN | p1389339194-1480 | ecurity.wss4j.WSS4JInInterceptor
> 335 | 162 - org.apache.cxf.cxf-rt-ws-security - 2.7.7 |
> org.apache.ws.security.WSSecurityException: An error was discovered
> processing the <wsse:Security> header
> at
>
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JInInterceptor.java:363)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
> at
>
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:290)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
> at
>
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
>
>
> By looking at the wss4j interceptor code, on the server side, it looks for
> if there is signature in the Assertion to determine if it is Signed or
> Unsigned. But I don't know why exactly it is throwing NullPointer exception
> on the client side.
>
> Thanks!
>
>
>
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749914.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: add SAML TOKEN to SOAP header
Posted by chaij <ji...@indigoarc.com>.
That's it! I am able to get the validation disabled.
Then I ran into this interesting issue.
For client, wss4jOutInterceptor, I have to use SAMLTokenUnsigned action. If
I use SAMLTokenSigned instead, I would get a null pointer exception like
this:
java.lang.NullPointerException
at
org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:262)[159:org.apache.ws.security.wss4j:1.6.12]
at
org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:117)[159:org.apache.ws.security.wss4j:1.6.12]
at
org.apache.ws.security.action.SAMLTokenSignedAction.execute(SAMLTokenSignedAction.java:99)[159:org.apache.ws.security.wss4j:1.6.12]
at
org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:232)[159:org.apache.ws.security.wss4j:1.6.12]
at
org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
at
org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:260)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
For the server, wss4jInInterceptor, I have to use action SAMLTokenSigned.
Otherwise, I would get WSSecurityException.
21:16:16,817 | WARN | p1389339194-1480 | ecurity.wss4j.WSS4JInInterceptor
362 | 162 - org.apache.cxf.cxf-rt-ws-security - 2.7.7 | Security processing
failed (actions mismatch)
21:16:16,818 | WARN | p1389339194-1480 | ecurity.wss4j.WSS4JInInterceptor
335 | 162 - org.apache.cxf.cxf-rt-ws-security - 2.7.7 |
org.apache.ws.security.WSSecurityException: An error was discovered
processing the <wsse:Security> header
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JInInterceptor.java:363)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:290)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
By looking at the wss4j interceptor code, on the server side, it looks for
if there is signature in the Assertion to determine if it is Signed or
Unsigned. But I don't know why exactly it is throwing NullPointer exception
on the client side.
Thanks!
--
View this message in context: http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749914.html
Sent from the Camel - Users mailing list archive at Nabble.com.
Re: add SAML TOKEN to SOAP header
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,
Instead of passing "ws-security.saml2.validator" to the constructor map of
the WSS4JInInterceptor, could you instead add it as a jax-ws property of
the endpoint?
e.g.
<jaxws:properties>
<entry key="ws-security.saml2.validator" value-ref="samlValidator" />
</jaxws:properties>
Colm.
On Fri, Apr 4, 2014 at 9:56 PM, chaij <ji...@indigoarc.com> wrote:
> I may not be able to change the SAML token. I will see if I can work around
> it.
>
> I implemented this the validator class.
>
> import org.apache.ws.security.WSSecurityException;
> import org.apache.ws.security.saml.ext.AssertionWrapper;
> import org.apache.ws.security.validate.SamlAssertionValidator;
>
> public class SAMLValidator extends SamlAssertionValidator {
>
> private static Logger logger =
> Logger.getLogger(SAMLValidator.class);
>
> @Override
> protected void validateAssertion(AssertionWrapper assertion) throws
> WSSecurityException {
> // override the default behavior so that it will not
> validate against the
> SAML2 schema
> logger.info("SAMLVadlidator called to NOT validate
> against SAML2 schema");
> }
>
> }
>
>
> Added the configuration to the interceptor so that it can be plugged into
> the framework.
>
> <bean id="wss4jInInterceptor-ddc-service"
> class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
> <constructor-arg>
> <map>
> <entry key="action"
> value="${SECURITY_DDC_ACTION}" />
> <entry key="signaturePropFile"
>
>
> value="cms-files/cms-trusted-crypto-client-${SECURITY_RUNTIME_ENV}.properties"
> />
> <entry key="decryptionPropFile"
>
>
> value="cms-files/cms-trusted-crypto-client-${SECURITY_RUNTIME_ENV}.properties"
> />
> <entry
> key="encryptionKeyTransportAlgorithm"
> value="${SECURITY_ENCRYPTION_KEY_TRANSPORT_ALGORITHM}" />
> <entry key="signatureAlgorithm"
> value="${SECURITY_SIGNATURE_ALGORITHM}"
> />
>
> <entry key="passwordCallbackRef"
> value-ref="keystoreCallbackHandler" />
>
> <entry key="ws-security.saml2.validator"
> value-ref="samlValidator" />
>
> </map>
> </constructor-arg>
> </bean>
>
>
> But it didn't seem to get called. I didn't see any log in the log file and
> the same exception was thrown.
>
> Did I use the wrong entry key?
>
> Thanks!
>
>
>
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749827.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: add SAML TOKEN to SOAP header
Posted by chaij <ji...@indigoarc.com>.
I may not be able to change the SAML token. I will see if I can work around
it.
I implemented this the validator class.
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.SamlAssertionValidator;
public class SAMLValidator extends SamlAssertionValidator {
private static Logger logger = Logger.getLogger(SAMLValidator.class);
@Override
protected void validateAssertion(AssertionWrapper assertion) throws
WSSecurityException {
// override the default behavior so that it will not validate against the
SAML2 schema
logger.info("SAMLVadlidator called to NOT validate against SAML2 schema");
}
}
Added the configuration to the interceptor so that it can be plugged into
the framework.
<bean id="wss4jInInterceptor-ddc-service"
class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
<constructor-arg>
<map>
<entry key="action" value="${SECURITY_DDC_ACTION}" />
<entry key="signaturePropFile"
value="cms-files/cms-trusted-crypto-client-${SECURITY_RUNTIME_ENV}.properties"
/>
<entry key="decryptionPropFile"
value="cms-files/cms-trusted-crypto-client-${SECURITY_RUNTIME_ENV}.properties"
/>
<entry key="encryptionKeyTransportAlgorithm"
value="${SECURITY_ENCRYPTION_KEY_TRANSPORT_ALGORITHM}" />
<entry key="signatureAlgorithm" value="${SECURITY_SIGNATURE_ALGORITHM}"
/>
<entry key="passwordCallbackRef" value-ref="keystoreCallbackHandler" />
<entry key="ws-security.saml2.validator" value-ref="samlValidator" />
</map>
</constructor-arg>
</bean>
But it didn't seem to get called. I didn't see any log in the log file and
the same exception was thrown.
Did I use the wrong entry key?
Thanks!
--
View this message in context: http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749827.html
Sent from the Camel - Users mailing list archive at Nabble.com.
Re: add SAML TOKEN to SOAP header
Posted by Colm O hEigeartaigh <co...@apache.org>.
As the error message says, "IssueInstant" is a required attribute of a SAML
2.0 assertion. Do you have control over the generation of the SAML token?
The SAML Token is technically invalid without this attribute. If not, then
an alternative is for you to extend the SamlAssertionValidator in WSS4J +
override the "validateAssertion" method, not to validate the received
assertion against the schemas. You can then plug this Validator into CXF
via a jax-ws property "ws-security.saml2.validator".
Colm.
On Fri, Apr 4, 2014 at 4:48 AM, chaij <ji...@indigoarc.com> wrote:
> This is caused by modifying the SAML Assertion token with pretty-print and
> saved. Once get pass this exception, I am now getting a different
> exception;
>
> Caused by: org.opensaml.xml.validation.ValidationException: IssueInstant is
> required attribute
> at
>
> org.opensaml.saml2.core.validator.AssertionSchemaValidator.validateIssueInstant(AssertionSchemaValidator.java:91)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
> at
>
> org.opensaml.saml2.core.validator.AssertionSchemaValidator.validate(AssertionSchemaValidator.java:44)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
> at
>
> org.opensaml.saml2.core.validator.AssertionSchemaValidator.validate(AssertionSchemaValidator.java:32)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
> at
>
> org.opensaml.xml.validation.ValidatorSuite.performValidation(ValidatorSuite.java:169)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
> at
>
> org.opensaml.xml.validation.ValidatorSuite.performValidation(ValidatorSuite.java:152)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
> at
>
> org.opensaml.xml.validation.ValidatorSuite.validate(ValidatorSuite.java:83)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
> at
>
> org.apache.ws.security.validate.SamlAssertionValidator.validateAssertion(SamlAssertionValidator.java:189)[159:org.apache.ws.security.wss4j:1.6.12]
> ... 28 more
>
>
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749761.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: add SAML TOKEN to SOAP header
Posted by chaij <ji...@indigoarc.com>.
This is caused by modifying the SAML Assertion token with pretty-print and
saved. Once get pass this exception, I am now getting a different exception;
Caused by: org.opensaml.xml.validation.ValidationException: IssueInstant is
required attribute
at
org.opensaml.saml2.core.validator.AssertionSchemaValidator.validateIssueInstant(AssertionSchemaValidator.java:91)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
at
org.opensaml.saml2.core.validator.AssertionSchemaValidator.validate(AssertionSchemaValidator.java:44)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
at
org.opensaml.saml2.core.validator.AssertionSchemaValidator.validate(AssertionSchemaValidator.java:32)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
at
org.opensaml.xml.validation.ValidatorSuite.performValidation(ValidatorSuite.java:169)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
at
org.opensaml.xml.validation.ValidatorSuite.performValidation(ValidatorSuite.java:152)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
at
org.opensaml.xml.validation.ValidatorSuite.validate(ValidatorSuite.java:83)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
at
org.apache.ws.security.validate.SamlAssertionValidator.validateAssertion(SamlAssertionValidator.java:189)[159:org.apache.ws.security.wss4j:1.6.12]
... 28 more
--
View this message in context: http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749761.html
Sent from the Camel - Users mailing list archive at Nabble.com.
Re: add SAML TOKEN to SOAP header
Posted by chaij <ji...@indigoarc.com>.
Thanks! I am getting the following exception. How should I fix or debug it?
org.apache.cxf.binding.soap.SoapFault: SAML signature validation failed
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:790)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:336)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)[122:org.apache.cxf.cxf-api:2.7.7]
at
org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[122:org.apache.cxf.cxf-api:2.7.7]
at
org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:355)[144:org.apache.cxf.cxf-rt-transports-http-jetty:2.7.7]
at
org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:319)[144:org.apache.cxf.cxf-rt-transports-http-jetty:2.7.7]
at
org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:72)[144:org.apache.cxf.cxf-rt-transports-http-jetty:2.7.7]
at
org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1040)[64:org.eclipse.jetty.server:7.6.8.v20121106]
at
org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:976)[64:org.eclipse.jetty.server:7.6.8.v20121106]
at
org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)[64:org.eclipse.jetty.server:7.6.8.v20121106]
at
org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)[64:org.eclipse.jetty.server:7.6.8.v20121106]
at
org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)[64:org.eclipse.jetty.server:7.6.8.v20121106]
at
org.eclipse.jetty.server.Server.handle(Server.java:363)[64:org.eclipse.jetty.server:7.6.8.v20121106]
at
org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:483)[64:org.eclipse.jetty.server:7.6.8.v20121106]
at
org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:931)[64:org.eclipse.jetty.server:7.6.8.v20121106]
at
org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:992)[64:org.eclipse.jetty.server:7.6.8.v20121106]
at
org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:948)[60:org.eclipse.jetty.http:7.6.8.v20121106]
at
org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)[60:org.eclipse.jetty.http:7.6.8.v20121106]
at
org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)[64:org.eclipse.jetty.server:7.6.8.v20121106]
at
org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628)[59:org.eclipse.jetty.io:7.6.8.v20121106]
at
org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)[59:org.eclipse.jetty.io:7.6.8.v20121106]
at
org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)[58:org.eclipse.jetty.util:7.6.8.v20121106]
at
org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)[58:org.eclipse.jetty.util:7.6.8.v20121106]
at java.lang.Thread.run(Thread.java:662)[:1.6.0_29]
Caused by: org.apache.ws.security.WSSecurityException: SAML signature
validation failed
at
org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:575)[159:org.apache.ws.security.wss4j:1.6.12]
at
org.apache.ws.security.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:180)[159:org.apache.ws.security.wss4j:1.6.12]
at
org.apache.ws.security.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:78)[159:org.apache.ws.security.wss4j:1.6.12]
at
org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)[159:org.apache.ws.security.wss4j:1.6.12]
at
org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:279)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
... 23 more
Caused by: org.opensaml.xml.validation.ValidationException: Signature did
not validate against the credential's key
at
org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
at
org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:573)[159:org.apache.ws.security.wss4j:1.6.12]
... 27 more
--
View this message in context: http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749746.html
Sent from the Camel - Users mailing list archive at Nabble.com.