Posted to users@cxf.apache.org by cxfnewbie <wa...@aero.org> on 2011/11/30 00:43:19 UTC

cxf and saml1.0

Hi, 

I am new to CXF and am wondering if someone has any insight on how to add a
SAML 1.0 token using CXF.  I tried creating a SAMLCallbackHandler and
adding a WSS4JOutInterceptor with these properties.

org.apache.cxf.endpoint.Client client = ClientProxy.getClient(service);
org.apache.cxf.endpoint.Endpoint cxfEndpoint = client.getEndpoint();

Map<String, Object> outProps = new HashMap<String, Object>();
// configure properties
outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SIGNATURE);
outProps.put(WSHandlerConstants.USER, KEY_ALIAS);
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
        ClientCallbackHandler.class.getName());
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "client_sign.properties");
// outProps.put(WSHandlerConstants.SIG_ALGO,
//         "http://www.w3c.org/2000/09/xmldsig#rsa-sha1");
outProps.put(WSHandlerConstants.SIG_KEY_ID, "DirectReference");

outProps.put(WSHandlerConstants.SAML_CALLBACK_CLASS,
        SAMLCallbackHandler.class.getName());
// note: this second ACTION put replaces the SIGNATURE action set above;
// WSS4J expects several actions as one space-separated value
outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.SAML_TOKEN_SIGNED);
outProps.put(WSHandlerConstants.SAML_PROP_FILE, "saml.properties");

WSS4JOutInterceptor wssOut = new WSS4JOutInterceptor(outProps);

cxfEndpoint.getOutInterceptors().add(wssOut);


My saml.properties looks like this:

org.apache.ws.security.saml.issuer.cryptoProp.file=client_sign.properties
org.apache.ws.security.saml.issuer.key.name=myKey
org.apache.ws.security.saml.issuer.key.password=password
org.apache.ws.security.saml.issuer=CN=me, OU=CSD, O=some company, L=Los angeles, ST=CA, C=US
org.apache.ws.security.saml.issuer.sendKeyValue=true
org.apache.ws.security.saml.issuer.signAssertion=true
org.apache.ws.security.saml.callback=client.SamlCallbackHandler

Right now I'm getting a NullPointerException:

java.lang.NullPointerException
	at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:270)
	at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:122)
	at org.apache.ws.security.action.SAMLTokenSignedAction.execute(SAMLTokenSignedAction.java:95)
	at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:202)
	at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)
	at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:260)
	at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:136)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:535)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:465)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:368)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:321)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:88)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
	at $Proxy30.getMap(Unknown Source)
	at MapUser$1.run(MapUser.java:77)
	at java.lang.Thread.run(Thread.java:662)

In my callback handler, I set the SAML version to 1.0, which I'm not sure will
even work.

Any suggestion is appreciated.  Thanks.
Newbie




--
View this message in context: http://cxf.547215.n5.nabble.com/cxf-and-saml1-0-tp5034076p5034076.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: AW: cxf and saml1.0

Posted by lwallent <la...@llentin.dk>.
Hi,

Would you mind posting a simple example of your final solution?

Kind Regards

L


Re: AW: cxf and saml1.0

Posted by cxfnewbie <wa...@aero.org>.
Yes, I got it!  I wrote a custom action that overwrote the SAML token unsigned
action.  All it does is copy the existing unsigned action; right before it
returns, I change the updated XML doc with the assertion from 1.1 to 1.0.  The
two are extremely similar with just minor differences anyway.

Gotta love open source code so I can see how things work.

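An added illustration of the approach described in this post (the poster's own code was not shared): it assumes the WSS4J 1.6 Action interface that CXF 2.5 uses and the stock org.apache.ws.security.action.SAMLTokenUnsignedAction as base class, and leaves out how the replacement action is registered, which is version-specific. It also carries the check a practitioner wants here: the assertion must be rewritten before it is signed, since with signAssertion=true a later edit would leave a signature computed over the 1.1 form.

```java
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.action.SAMLTokenUnsignedAction;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.handler.WSHandler;

/**
 * Hypothetical replacement for the stock unsigned-SAML action: let WSS4J build
 * and insert its SAML 1.1 assertion, then rewrite it in place as SAML 1.0.
 * SAML 1.0 and 1.1 share the assertion namespace; the wire-visible difference
 * that matters here is MinorVersion (plus the 1.1-only DoNotCacheCondition).
 */
public class Saml10TokenUnsignedAction extends SAMLTokenUnsignedAction {

    private static final String SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion";
    private static final String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";

    @Override
    public void execute(WSHandler handler, int actionToDo, Document doc,
                        RequestData reqData) throws WSSecurityException {
        super.execute(handler, actionToDo, doc, reqData); // builds the 1.1 assertion
        NodeList assertions = doc.getElementsByTagNameNS(SAML_NS, "Assertion");
        for (int i = 0; i < assertions.getLength(); i++) {
            downgradeToSaml10((Element) assertions.item(i));
        }
    }

    /** Rewrites one assertion element from SAML 1.1 to SAML 1.0 form. */
    static void downgradeToSaml10(Element assertion) throws WSSecurityException {
        // An assertion that already carries an enveloped signature
        // (signAssertion=true) must not be edited: the signature would no
        // longer verify. Downgrade first, sign afterwards.
        if (assertion.getElementsByTagNameNS(DSIG_NS, "Signature").getLength() > 0) {
            throw new WSSecurityException(
                "refusing to downgrade an already signed assertion");
        }
        assertion.setAttribute("MajorVersion", "1");
        assertion.setAttribute("MinorVersion", "0");
        // DoNotCacheCondition was introduced in SAML 1.1; a 1.0 consumer
        // does not know it, so drop it from Conditions.
        NodeList dnc = assertion.getElementsByTagNameNS(SAML_NS, "DoNotCacheCondition");
        for (int i = dnc.getLength() - 1; i >= 0; i--) {
            dnc.item(i).getParentNode().removeChild(dnc.item(i));
        }
    }
}
```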

Re: AW: cxf and saml1.0

Posted by cxfnewbie <wa...@aero.org>.
Unfortunately I can't; I'm implementing a specific use case as part of the
requirement.  I'm considering implementing my own custom SAML action to
replace the provided SAML action.



AW: cxf and saml1.0

Posted by Oliver Wulff <ow...@talend.com>.
Hi

Maybe a completely different solution approach: instead of extending this functionality in CXF itself, you could delegate it to the STS component (running in a separate VM) which was introduced in CXF 2.5.

The STS allows you to implement a custom security token provider and, if needed, a custom security token validator.

When your security gateway is enhanced, you only have to change the tokenType in the security policy of your service.

Thanks
Oli
________________________________________
From: cxfnewbie [wai.lam@aero.org]
Sent: Wednesday, 7 December 2011 01:39
To: users@cxf.apache.org
Subject: Re: cxf and saml1.0

Re: cxf and saml1.0

Posted by cxfnewbie <wa...@aero.org>.
Looking into the code some more, I now realize I just needed a space between
the two actions.  So that is solved (yippee!).  Still gotta figure out how to
change the SAML token to a 1.0 token.


Re: cxf and saml1.0

Posted by cxfnewbie <wa...@aero.org>.
Sorry for taking so long to respond.  I didn't realize there was a post.  Yes,
I'm sure I need to create SAML 1.0.  We're testing against a really (super
duper) old security gateway and it only accepts 1.0.  I traced through the
code and realized that 1.0, like you said, is not supported.  As a matter of
fact, when I set SAML to 1.0, Assertion.java simply ignores the request;
that is why I was getting all these NullPointerExceptions, etc.

My plan right now is to change the interceptor so that it changes the 1.1
version to 1.0 since they look pretty alike anyway.  However, now I ran into
another problem: I can't set 2 actions, 1 for signature (for the whole
message) and 1 for SAML.  There can only be 1 action in each
WSS4JOutInterceptor and it always creates a new header anyway.  Is there no
other way around this other than to rewrite some of the WSS4JOutInterceptor
code?  It seems that it must be rather common for people to create a SAML
token and have both the message and the SAML token signed.

Any suggestion?


Re: cxf and saml1.0

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

Are you sure you need to create a SAML 1.0 token and not a SAML 1.1
token? 1.0 is not supported (afaik). What version of CXF are you
using?

Colm.




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com