Posted to users@cxf.apache.org by St...@faa.gov on 2015/06/18 19:30:42 UTC

checkAudienceRestrictions

I'm having a problem with new validation that occurs for SAML tokens. Here is the exception I am getting when a token containing an audience restriction is received:

org.apache.cxf.binding.soap.SoapFault: A security error was encountered when verifying the message
                at org.apache.cxf.ws.security.wss4j.WSS4JUtils.createSoapFault(WSS4JUtils.java:211)
                at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:329)
                at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:184)
                at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:93)
                at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
                at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
                at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:251)
                at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:234)
                at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:70)
                at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1129)
                at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1065)
                at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
                at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
                at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
                at org.eclipse.jetty.server.Server.handle(Server.java:499)
                at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)
                at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
                at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
                at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
                at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
                at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.wss4j.common.ext.WSSecurityException: SAML token security failure
                at org.apache.wss4j.common.saml.SamlAssertionWrapper.checkAudienceRestrictions(SamlAssertionWrapper.java:922)
                at org.apache.wss4j.dom.validate.SamlAssertionValidator.checkConditions(SamlAssertionValidator.java:223)
                at org.apache.wss4j.dom.validate.SamlAssertionValidator.validate(SamlAssertionValidator.java:109)
                at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:162)
                at org.apache.wss4j.dom.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:90)
                at org.apache.wss4j.dom.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:430)
                at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessageInternal(WSS4JInInterceptor.java:280)
                ... 19 more

Obviously, the audience restriction in the assertion isn't in the list that checkAudienceRestrictions() is checking. But I haven't configured anything in that list, so shouldn't it be empty? Or is it picking up the endpoint name or something during initialization? Is there a way I can configure it to what I want, or if not, disable the check? I haven't seen anything in the migration guides or in the new configuration tags, but I could be missing it for sure.

Stephen W. Chappell
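As an added illustration (not code from this thread, from CXF or from WSS4J), the following Python models what an audience-restriction check does when a relying party compares the assertion's AudienceRestriction elements against the audiences it accepts, following the SAML 2.0 Core rules for Conditions. The endpoint URL, issuer and assertion are constructed samples, and the choice to reject any restricted assertion when no accepted audience is configured is an assumption of this example.

```python
# Illustrative SAML 2.0 AudienceRestriction evaluation (assumption: modelled on
# the SAML 2.0 Core rules for <Conditions>, not on WSS4J's own implementation).
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}


def audience_restrictions(assertion_xml):
    """Return one list of Audience URIs per <AudienceRestriction> element."""
    root = ET.fromstring(assertion_xml)
    groups = []
    for ar in root.findall("./saml2:Conditions/saml2:AudienceRestriction", NS):
        groups.append([(a.text or "").strip() for a in ar.findall("saml2:Audience", NS)])
    return groups


def check_audience_restrictions(assertion_xml, accepted_audiences):
    """Every AudienceRestriction must be satisfied (AND across elements); one is
    satisfied if any of its Audience values is accepted (OR within an element).
    An assertion without AudienceRestriction passes. If the relying party has no
    accepted audiences configured, a restricted assertion is rejected (assumed policy)."""
    groups = audience_restrictions(assertion_xml)
    if not groups:
        return True
    accepted = set(accepted_audiences)
    return all(any(uri in accepted for uri in uris) for uris in groups)


def make_assertion(*audience_groups):
    """Build a minimal constructed SAML 2.0 assertion; each argument becomes one
    <AudienceRestriction> holding the given <Audience> URIs."""
    restrictions = "".join(
        "<saml2:AudienceRestriction>"
        + "".join(f"<saml2:Audience>{uri}</saml2:Audience>" for uri in group)
        + "</saml2:AudienceRestriction>"
        for group in audience_groups
    )
    return (
        f'<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_constructed" Version="2.0">'
        "<saml2:Issuer>https://sts.example.invalid</saml2:Issuer>"
        f"<saml2:Conditions>{restrictions}</saml2:Conditions>"
        "</saml2:Assertion>"
    )


if __name__ == "__main__":
    endpoint = "https://example.invalid/services/Echo"  # constructed endpoint address
    print(check_audience_restrictions(make_assertion([endpoint]), [endpoint]))        # True
    print(check_audience_restrictions(make_assertion(["https://other.invalid/"]), [endpoint]))  # False
```

Keeping the check enabled and registering the endpoint address as an accepted audience is the conservative alternative to disabling it, since an assertion issued for a different service then fails the same way the trace above shows.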


RE: checkAudienceRestrictions

Posted by St...@faa.gov.
I think I answered my own question; I needed to set ws-security.validate.audience-restriction to false on the server endpoint, per Colm's blog entry at http://coheigea.blogspot.com/2015/02/new-saml-validation-changes-in-apache.html. 

Thanx,

Stephen W. Chappell
