Posted to dev@ws.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2010/11/22 13:47:13 UTC
[jira] Resolved: (WSS-238) Switch to wsse:KeyIdentifier instead of
wsse:Reference for SAML references within SOAP:body EncryptedData elements.
[ https://issues.apache.org/jira/browse/WSS-238?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved WSS-238.
-------------------------------------
Resolution: Fixed
> Switch to wsse:KeyIdentifier instead of wsse:Reference for SAML references within SOAP:body EncryptedData elements.
> -------------------------------------------------------------------------------------------------------------------
>
> Key: WSS-238
> URL: https://issues.apache.org/jira/browse/WSS-238
> Project: WSS4J
> Issue Type: Improvement
> Components: WSS4J Core
> Affects Versions: 1.5.9
> Reporter: Glen Mazza
> Assignee: Colm O hEigeartaigh
> Fix For: 1.5.10, 1.6
>
> Attachments: EncryptedDataPatch.txt, patch238.txt, TestWSSecuritySAMLKeyIdentifier.java, wss-238-revised.patch, WSS238_CXFClient_ALWAYS.txt, WSS238_MetroClient_ALWAYS.txt, WSS238Results.txt
>
>
> Per CXF bug CXF-2894: http://tinyurl.com/23jx6cx
> Within the soap:body/EncryptedData/SecurityTokenReference element, Glassfish Metro is requiring wsse:KeyIdentifiers instead of wsse:Reference elements when referring to SAML Assertions. Metro appears correct because the SAML Token Profile does not define usage of wsse:Reference for SAML Assertions, only KeyIdentifier or EmbeddedReference. (Section 3.3 of SAML Token Profile of 1 Dec. 2004 pdf lines 250-272.)
> The attached patch will switch SecurityTokenReference from wsse:Reference to wsse:KeyIdentifier when handling SAML Assertions. I've confirmed Metro web service providers will now work with this patch. However, backwards compatibility issues with systems expecting the current wsse:Reference may need to be taken into account.
> WSS4J has another problem with not being able to decrypt SOAP responses that use wsse:KeyIdentifier instead of wsse:Reference for SAML Assertions. Namely, org.apache.ws.security.processor.ReferenceListProcessor's getKeyFromSecurityTokenReference() method will need changing to be able to work with SAML Assertions coming from a wsse:KeyIdentifier element instead of wsse:Reference. I was not immediately successful in getting this second part to work because I could not see how a SAMLTokenProcessor can be initialized from a KeyIdentifier instead of the Reference element within this method.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
Re: Does anyone who are using VB with WSS4J - running issue with
password's type in wss4j-1.5.9.jar with VB/.net generated username token
Posted by Colm O hEigeartaigh <co...@apache.org>.
Processing for WCF non-spec compliant Username Tokens was added as
part of WSS4J 1.5.8:
https://issues.apache.org/jira/browse/WSS-199
You need to set the configuration option
WSHandlerConstants.ALLOW_NAMESPACE_QUALIFIED_PASSWORD_TYPES to "true".
Colm.
On Tue, Nov 23, 2010 at 11:51 PM, George Stanchev <Gs...@serena.com> wrote:
> https://issues.apache.org/jira/browse/WSS-148
> https://issues.apache.org/jira/browse/WSS-151
>
> It’s a problem with the .NET client (as you have already figured it out). Not sure about a workaround though. There was a discussion about adding a "compatibility" switch (google "WSS-148 WCF interop issue: Namespace not honored incase of attributes." for related discussion) but I don't think anything was put in. Colm or Werner can confirm.
>
> Your best bet is to fix your client to send standard-conforming SOAP messages.
>
> George
>
> -----Original Message-----
> From: Wellen Lau [mailto:wellen.lau@oracle.com]
> Sent: Tuesday, November 23, 2010 4:28 PM
> To: dev@ws.apache.org
> Cc: jira@apache.org
> Subject: Does anyone who are using VB with WSS4J - running issue with password's type in wss4j-1.5.9.jar with VB/.net generated username token
>
>
> Hi All,
>
> Does anyone who are using VB with WSS4J - running issue with password's type in wss4j-1.5.9.jar with VB[using generated username token ?
>
> the SvcUtil.exe that I use to convert the wsdl.
> This is the command line that I use to run the svcutil
> SvcUtil /language:vb http://localhost/System.1.wsdl
>
>
>
> This piece code is generated from VB.
> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <s:Header>
> <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:UsernameToken u:Id="uuid-8af81bba-cc2b-4591-b4db-7445e312f340-2"><o:Username>John</o:Username>
> <o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">John</o:Password></o:UsernameToken></o:Security>
> </s:Header>
> <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
> <XXXX_Parameters xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/XXXX_Parameters.V1"/></s:Body></s:Envelope>
>
>
> The reason why WSS4J failed as invalid security token is the o:Type in the password attribute.
> <o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">. .
> It should be <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
>
> Any suggestion ?
>
> Thanks,
> WEllen.
> ~ Hope can be ignited by a spark of encouragement.
> Thankfulness finds something good in
> every circumstance.
>
> -
>
>
>
>
>
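The attribute lookup at issue in this thread, as an added Java example (not part of the original messages and not WSS4J's own code): a namespace-aware DOM lookup for an unqualified Type attribute does not see o:Type, so the WCF-style token yields no password type unless the qualified form is also accepted. The class name, the `allowQualified` flag (a hypothetical stand-in for the compatibility switch) and the constructed sample token are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class PasswordTypeLookup {
    static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/"
        + "oasis-200401-wss-username-token-profile-1.0#PasswordText";

    // Returns the password type URI, or null when no acceptable Type attribute exists.
    // allowQualified is hypothetical: it models accepting the WCF-style o:Type form.
    static String passwordType(Element password, boolean allowQualified) {
        if (password.hasAttributeNS(null, "Type")) {          // spec form: Type="..."
            return password.getAttributeNS(null, "Type");
        }
        if (allowQualified && password.hasAttributeNS(WSSE_NS, "Type")) { // o:Type="..."
            return password.getAttributeNS(WSSE_NS, "Type");
        }
        return null;
    }

    // Builds a constructed UsernameToken whose Password carries the given attribute name.
    static Element parsePassword(String typeAttrName) throws Exception {
        String xml = "<o:UsernameToken xmlns:o=\"" + WSSE_NS + "\">"
            + "<o:Username>John</o:Username>"
            + "<o:Password " + typeAttrName + "=\"" + PASSWORD_TEXT + "\">John</o:Password>"
            + "</o:UsernameToken>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);  // without this, o:Type is just an oddly named attribute
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return (Element) doc.getElementsByTagNameNS(WSSE_NS, "Password").item(0);
    }

    public static void main(String[] args) throws Exception {
        Element standard = parsePassword("Type");   // standard-conforming client
        Element wcf = parsePassword("o:Type");      // as generated by the .NET client
        System.out.println("standard, strict: " + passwordType(standard, false));
        System.out.println("wcf, strict:      " + passwordType(wcf, false));
        System.out.println("wcf, compat:      " + passwordType(wcf, true));
    }
}
```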
RE: Does anyone who are using VB with WSS4J - running issue with
password's type in wss4j-1.5.9.jar with VB/.net generated username token
Posted by George Stanchev <Gs...@serena.com>.
https://issues.apache.org/jira/browse/WSS-148
https://issues.apache.org/jira/browse/WSS-151
It’s a problem with the .NET client (as you have already figured it out). Not sure about a workaround though. There was a discussion about adding a "compatibility" switch (google "WSS-148 WCF interop issue: Namespace not honored incase of attributes." for related discussion) but I don't think anything was put in. Colm or Werner can confirm.
Your best bet is to fix your client to send standard-conforming SOAP messages.
George
-----Original Message-----
From: Wellen Lau [mailto:wellen.lau@oracle.com]
Sent: Tuesday, November 23, 2010 4:28 PM
To: dev@ws.apache.org
Cc: jira@apache.org
Subject: Does anyone who are using VB with WSS4J - running issue with password's type in wss4j-1.5.9.jar with VB/.net generated username token
Hi All,
Does anyone who are using VB with WSS4J - running issue with password's type in wss4j-1.5.9.jar with VB[using generated username token ?
the SvcUtil.exe that I use to convert the wsdl.
This is the command line that I use to run the svcutil
SvcUtil /language:vb http://localhost/System.1.wsdl
This piece code is generated from VB.
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken u:Id="uuid-8af81bba-cc2b-4591-b4db-7445e312f340-2"><o:Username>John</o:Username>
<o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">John</o:Password></o:UsernameToken></o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<XXXX_Parameters xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/XXXX_Parameters.V1"/></s:Body></s:Envelope>
The reason why WSS4J failed as invalid security token is the o:Type in the password attribute.
<o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">. .
It should be <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
Any suggestion ?
Thanks,
WEllen.
~ Hope can be ignited by a spark of encouragement.
Thankfulness finds something good in
every circumstance.
Does anyone who are using VB with WSS4J - running issue with
password's type in wss4j-1.5.9.jar with VB/.net generated username token
Posted by Wellen Lau <we...@oracle.com>.
Hi All,
Does anyone who are using VB with WSS4J - running issue with password's type in wss4j-1.5.9.jar with VB[using generated username token ?
the SvcUtil.exe that I use to convert the wsdl.
This is the command line that I use to run the svcutil
SvcUtil /language:vb http://localhost/System.1.wsdl
This piece code is generated from VB.
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:UsernameToken u:Id="uuid-8af81bba-cc2b-4591-b4db-7445e312f340-2"><o:Username>John</o:Username>
<o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">John</o:Password></o:UsernameToken></o:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<XXXX_Parameters xmlns="http://xmlns.oracle.com/Enterprise/Tools/schemas/XXXX_Parameters.V1"/></s:Body></s:Envelope>
The reason why WSS4J failed as invalid security token is the o:Type in the password attribute.
<o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">. .
It should be <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
Any suggestion ?
Thanks,
WEllen.
~ Hope can be ignited by a spark of encouragement.
Thankfulness finds something good in
every circumstance.