Posted to dev@ws.apache.org by "Dan Taylor (JIRA)" <ji...@apache.org> on 2012/06/13 21:22:43 UTC

[jira] [Created] (WSS-393) WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo

Dan Taylor created WSS-393:
------------------------------

             Summary: WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
                 Key: WSS-393
                 URL: https://issues.apache.org/jira/browse/WSS-393
             Project: WSS4J
          Issue Type: Bug
          Components: WSS4J Core
    Affects Versions: 1.6.6
         Environment: .NET client, .NET STS, Java service, Windows 7.0
            Reporter: Dan Taylor
            Assignee: Colm O hEigeartaigh
             Fix For: 1.6.7


We have a .NET client using a .NET STS for authentication and authorization to our java service.  The .NET STS puts a SecurityTokenReference inside a KeyInfo element, with a KeyIdentifier inside the STR.  This causes an exception to be thrown: General security error (SAML token security failure).

From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo method, keyInfoElement.getFirstChild() returns the SecurityTokenReference element.  Inside this element is the KeyIdentifier element, which isn't handled anywhere inside this method.

From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1) standard:

Section 7.1: “All compliant implementations MUST be able to process a <wsse:SecurityTokenReference> element. This element can also be used as a direct child element of <ds:KeyInfo> to indicate a hint to retrieve the key information from a security token placed somewhere else. In particular, it is RECOMMENDED, when using XML Signature and XML Encryption, that a <wsse:SecurityTokenReference> element be placed inside a <ds:KeyInfo> to reference the security token used for the signature or encryption.”

From the Web Services Security X.509 Certificate Token Profile 1.1 standard:

Section 3.2: “In order to ensure a consistent processing model across all the token types supported by WSS: SOAP Message Security, the <wsse:SecurityTokenReference> element SHALL be used to specify all references to X.509 token types in signature or encryption elements that comply with this profile.”


Sample SAMLToken:


<saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c" Issuer="sts" IssueInstant="2012-06-13T18:08:07.710Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
<saml:Conditions NotBefore="2012-06-13T18:08:07.710Z" NotOnOrAfter="2012-06-14T04:08:07.710Z"></saml:Conditions>
<saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2012-06-13T18:08:07.713Z">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="roles" AttributeNamespace="http://schemas.merge.com/icc/claims">
<saml:AttributeValue>User</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>test@merge.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement>
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
<e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
</e:EncryptionMethod>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
<e:CipherData>
<e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
</e:CipherData>
</e:EncryptedKey>
</KeyInfo>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Attribute AttributeName="privatepersonalidentitfier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
<saml:AttributeValue>55</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
<Reference URI="#SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
<DigestValue>jzWAgfaALhUvXFSppZhviEw6cOs=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>tUgZygu5219bov276dy9YgS3BSdpgT2vd03MD44Ckd1EWV2u5o0Z2weycrVBH/7rbJB9F18mBHRUv4nve/1E0GI3Hqn4Ios0fOcNI2qsP9ETdv2PLoQU8S2gyupMQ4IEKPFjqdyXQP2nJduWLBVQgOAJcP+PCDyH2gWrTb/YJ1I=</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</saml:Assertion>


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
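The resolution step the report says SAMLUtil.getCredentialFromKeyInfo lacks, written out as an added Python illustration (not WSS4J code): it walks a ds:KeyInfo of the shape in the sample token's SubjectConfirmation, follows the EncryptedKey into its inner KeyInfo, reads the wsse:KeyIdentifier, checks that its ValueType is ThumbprintSHA1, and matches the thumbprint against the SHA-1 of each trusted certificate's DER bytes. The certificate bytes and the CipherValue are constructed stand-ins; the namespaces and ValueType URI are the ones in the sample token.

```python
"""Resolve the certificate referenced as
ds:KeyInfo/xenc:EncryptedKey/ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier
with a ThumbprintSHA1 ValueType, the shape in the WSS-393 sample token.
Added illustration, not WSS4J code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
THUMBPRINT_SHA1 = (
    "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
)


class KeyResolutionError(Exception):
    """Raised when the KeyInfo cannot be mapped to a trusted certificate."""


def sha1_thumbprint(cert_der: bytes) -> str:
    """ThumbprintSHA1 as carried in a KeyIdentifier: base64(SHA-1(DER certificate))."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")


def thumbprint_from_str(str_el: ET.Element) -> str:
    """Extract the ThumbprintSHA1 value from a wsse:SecurityTokenReference.

    Other reference forms (Reference, X509Data, KeyName) are out of scope here
    and are rejected explicitly rather than silently ignored, which is the
    failure mode the report describes."""
    kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")
    if kid is None:
        raise KeyResolutionError("SecurityTokenReference has no KeyIdentifier child")
    value_type = kid.get("ValueType")
    if value_type != THUMBPRINT_SHA1:
        raise KeyResolutionError(f"unsupported KeyIdentifier ValueType: {value_type}")
    thumbprint = (kid.text or "").strip()
    try:
        digest = base64.b64decode(thumbprint, validate=True)
    except ValueError as exc:
        raise KeyResolutionError("KeyIdentifier value is not valid base64") from exc
    if len(digest) != 20:
        raise KeyResolutionError("ThumbprintSHA1 value is not a 20-byte SHA-1 digest")
    return thumbprint


def resolve_key_info(key_info: ET.Element, trusted_certs_der: list) -> bytes:
    """Return the trusted certificate (DER) the KeyInfo points at.

    A direct STR child is resolved by thumbprint; an EncryptedKey child is
    followed into its own KeyInfo, which names the certificate whose private
    key unwraps the holder-of-key proof key."""
    for child in key_info:
        if child.tag == f"{{{WSSE}}}SecurityTokenReference":
            wanted = thumbprint_from_str(child)
            for cert_der in trusted_certs_der:
                if sha1_thumbprint(cert_der) == wanted:
                    return cert_der
            raise KeyResolutionError(f"no trusted certificate has ThumbprintSHA1 {wanted}")
        if child.tag == f"{{{XENC}}}EncryptedKey":
            inner = child.find(f"{{{DS}}}KeyInfo")
            if inner is None:
                raise KeyResolutionError("EncryptedKey carries no KeyInfo")
            return resolve_key_info(inner, trusted_certs_der)
    raise KeyResolutionError("KeyInfo has neither SecurityTokenReference nor EncryptedKey")


# Constructed stand-ins for DER-encoded certificates (not real X.509 data);
# only their SHA-1 thumbprints matter for this illustration.
SERVICE_CERT_DER = b"constructed DER bytes: service certificate"
UNRELATED_CERT_DER = b"constructed DER bytes: some other certificate"


def sample_key_info(thumbprint: str) -> ET.Element:
    """The SubjectConfirmation/KeyInfo from the WSS-393 sample, with the
    thumbprint substituted and a constructed placeholder CipherValue."""
    xml = f"""<KeyInfo xmlns="{DS}">
  <e:EncryptedKey xmlns:e="{XENC}">
    <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
      <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
    </e:EncryptionMethod>
    <KeyInfo>
      <o:SecurityTokenReference xmlns:o="{WSSE}">
        <o:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">{thumbprint}</o:KeyIdentifier>
      </o:SecurityTokenReference>
    </KeyInfo>
    <e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>
  </e:EncryptedKey>
</KeyInfo>"""
    return ET.fromstring(xml)


def demo() -> dict:
    """Resolve the service certificate, then show an unknown thumbprint is rejected."""
    trusted = [UNRELATED_CERT_DER, SERVICE_CERT_DER]
    resolved = resolve_key_info(sample_key_info(sha1_thumbprint(SERVICE_CERT_DER)), trusted)
    try:
        resolve_key_info(sample_key_info(sha1_thumbprint(b"not in the trust store")), trusted)
        rejected = False
    except KeyResolutionError:
        rejected = True
    return {"resolved_service_cert": resolved == SERVICE_CERT_DER, "unknown_rejected": rejected}


if __name__ == "__main__":
    print(demo())
```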


[jira] [Commented] (WSS-393) WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13395769#comment-13395769 ] 

Colm O hEigeartaigh commented on WSS-393:
-----------------------------------------


Could you attach the failing stacktrace using the latest SNAPSHOT code?

Colm.


[jira] [Closed] (WSS-393) WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-393.
-----------------------------------



[jira] [Commented] (WSS-393) WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13294915#comment-13294915 ] 

Colm O hEigeartaigh commented on WSS-393:
-----------------------------------------


I've committed a potential fix for this issue. Could you grab the latest 1.6.7-SNAPSHOT code and let me know if it works or not?

Colm.
                
> WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
> ----------------------------------------------------------------------------------
>
>                 Key: WSS-393
>                 URL: https://issues.apache.org/jira/browse/WSS-393
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.6
>         Environment: .NET client, .NET STS, Java service, Windows 7.0
>            Reporter: Dan Taylor
>            Assignee: Colm O hEigeartaigh
>              Labels: KeyIdentifier, KeyInfo, SecurityTokenReference
>             Fix For: 1.6.7
>
>
> We have a .NET client using a .NET STS for authentication and authorization to our java service.  The .NET STS puts a SecurityTokenReference inside a KeyInfo element, with a KeyIdentifier inside the STR.  This causes an exception to be thrown: General security error (SAML token security failure).
> From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo method, keyInfoElement.getFirstChild() returns the SecurityTokenReference element.  Inside this element is the KeyIdentifier element, which isn't handled anywhere inside this method.
> From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1) standard:
> Section 7.1: “All compliant implementations MUST be able to process a <wsse:SecurityTokenReference> element. This element can also be used as a direct child element of <ds:KeyInfo> to indicate a hint to retrieve the key information from a security token placed somewhere else. In particular, it is RECOMMENDED, when using XML Signature and XML Encryption, that a <wsse:SecurityTokenReference> element be placed inside a <ds:KeyInfo> to reference the security token used for the signature or encryption.”
> From the Web Services Security X.509 Certificate Token Profile 1.1 standard:
> Section 3.2: “In order to ensure a consistent processing model across all the token types supported by WSS: SOAP Message Security, the <wsse:SecurityTokenReference> element SHALL be used to specify all references to X.509 token types in signature or encryption elements that comply with this profile.”
> Sample SAMLToken:
> <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c" Issuer="sts" IssueInstant="2012-06-13T18:08:07.710Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
> <saml:Conditions NotBefore="2012-06-13T18:08:07.710Z" NotOnOrAfter="2012-06-14T04:08:07.710Z"></saml:Conditions>
> <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2012-06-13T18:08:07.713Z">
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> </saml:AuthenticationStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="roles" AttributeNamespace="http://schemas.merge.com/icc/claims">
> <saml:AttributeValue>User</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml:AttributeValue>test@merge.com</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="privatepersonalidentitfier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml:AttributeValue>55</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
> <Reference URI="#SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> <DigestValue>jzWAgfaALhUvXFSppZhviEw6cOs=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>tUgZygu5219bov276dy9YgS3BSdpgT2vd03MD44Ckd1EWV2u5o0Z2weycrVBH/7rbJB9F18mBHRUv4nve/1E0GI3Hqn4Ios0fOcNI2qsP9ETdv2PLoQU8S2gyupMQ4IEKPFjqdyXQP2nJduWLBVQgOAJcP+PCDyH2gWrTb/YJ1I=</SignatureValue>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> </Signature>
> </saml:Assertion>


[jira] [Commented] (WSS-393) WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo

Posted by "Dan Taylor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13396980#comment-13396980 ] 

Dan Taylor commented on WSS-393:
--------------------------------

Hi Colm,

Please find the stack trace with the latest SNAPSHOT code below.

Thanks,

Dan

Jun 19, 2012 2:45:57 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
WARNING:
org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
        at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:546)
        at org.apache.ws.security.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:109)
        at org.apache.ws.security.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:53)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:249)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:85)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:123)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:126)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)

Jun 19, 2012 2:45:57 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://merge.com/icc/services/mergedemo/}MergeDemoService has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: General security error (SAML token security failure)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:643)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:308)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:85)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:123)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:207)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:126)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:185)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:108)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:164)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:304)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:224)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:100)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:929)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:405)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:964)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:515)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:302)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
        at java.lang.Thread.run(Thread.java:722)
Caused by: org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
        at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:546)
        at org.apache.ws.security.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:109)
        at org.apache.ws.security.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:53)
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:249)
        ... 27 more

Jun 19, 2012 2:45:57 PM org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal handleMessage
INFO: class org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
                
> WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
> ----------------------------------------------------------------------------------
>
>                 Key: WSS-393
>                 URL: https://issues.apache.org/jira/browse/WSS-393
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.6
>         Environment: .NET client, .NET STS, Java service, Windows 7.0
>            Reporter: Dan Taylor
>            Assignee: Colm O hEigeartaigh
>              Labels: KeyIdentifier, KeyInfo, SecurityTokenReference
>             Fix For: 1.6.7
>
>
> We have a .NET client using a .NET STS for authentication and authorization to our java service.  The .NET STS puts a SecurityTokenReference inside a KeyInfo element, with a KeyIdentifier inside the STR.  This causes an exception to be thrown: General security error (SAML token security failure).
> From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo method, keyInfoElement.getFirstChild() returns the SecurityTokenReference element.  Inside this element is the KeyIdentifier element, which isn't handled anywhere inside this method.
> From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1) standard:
> Section 7.1: “All compliant implementations MUST be able to process a <wsse:SecurityTokenReference> element. This element can also be used as a direct child element of <ds:KeyInfo> to indicate a hint to retrieve the key information from a security token placed somewhere else. In particular, it is RECOMMENDED, when using XML Signature and XML Encryption, that a <wsse:SecurityTokenReference> element be placed inside a <ds:KeyInfo> to reference the security token used for the signature or encryption.”
> From the Web Services Security X.509 Certificate Token Profile 1.1 standard:
> Section 3.2: “In order to ensure a consistent processing model across all the token types supported by WSS: SOAP Message Security, the <wsse:SecurityTokenReference> element SHALL be used to specify all references to X.509 token types in signature or encryption elements that comply with this profile.”
> Sample SAMLToken:
> <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c" Issuer="sts" IssueInstant="2012-06-13T18:08:07.710Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
> <saml:Conditions NotBefore="2012-06-13T18:08:07.710Z" NotOnOrAfter="2012-06-14T04:08:07.710Z"></saml:Conditions>
> <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2012-06-13T18:08:07.713Z">
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> </saml:AuthenticationStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="roles" AttributeNamespace="http://schemas.merge.com/icc/claims">
> <saml:AttributeValue>User</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml:AttributeValue>test@merge.com</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="privatepersonalidentitfier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml:AttributeValue>55</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
> <Reference URI="#SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> <DigestValue>jzWAgfaALhUvXFSppZhviEw6cOs=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>tUgZygu5219bov276dy9YgS3BSdpgT2vd03MD44Ckd1EWV2u5o0Z2weycrVBH/7rbJB9F18mBHRUv4nve/1E0GI3Hqn4Ios0fOcNI2qsP9ETdv2PLoQU8S2gyupMQ4IEKPFjqdyXQP2nJduWLBVQgOAJcP+PCDyH2gWrTb/YJ1I=</SignatureValue>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> </Signature>
> </saml:Assertion>


[jira] [Commented] (WSS-393) WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo

Posted by "Dan Taylor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13397634#comment-13397634 ] 

Dan Taylor commented on WSS-393:
--------------------------------

Hi Colm,

As with WSS-394, the newest update works perfectly.

Thanks for your help,

Dan.
                
> WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
> ----------------------------------------------------------------------------------
>
>                 Key: WSS-393
>                 URL: https://issues.apache.org/jira/browse/WSS-393
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.6
>         Environment: .NET client, .NET STS, Java service, Windows 7.0
>            Reporter: Dan Taylor
>            Assignee: Colm O hEigeartaigh
>              Labels: KeyIdentifier, KeyInfo, SecurityTokenReference
>             Fix For: 1.6.7
>
>
> We have a .NET client using a .NET STS for authentication and authorization to our java service.  The .NET STS puts a SecurityTokenReference inside a KeyInfo element, with a KeyIdentifier inside the STR.  This causes an exception to be thrown: General security error (SAML token security failure).
> From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo method, keyInfoElement.getFirstChild() returns the SecurityTokenReference element.  Inside this element is the KeyIdentifier element, which isn't handled anywhere inside this method.
> From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1) standard:
> Section 7.1: “All compliant implementations MUST be able to process a <wsse:SecurityTokenReference> element. This element can also be used as a direct child element of <ds:KeyInfo> to indicate a hint to retrieve the key information from a security token placed somewhere else. In particular, it is RECOMMENDED, when using XML Signature and XML Encryption, that a <wsse:SecurityTokenReference> element be placed inside a <ds:KeyInfo> to reference the security token used for the signature or encryption.”
> From the Web Services Security X.509 Certificate Token Profile 1.1 standard:
> Section 3.2: “In order to ensure a consistent processing model across all the token types supported by WSS: SOAP Message Security, the <wsse:SecurityTokenReference> element SHALL be used to specify all references to X.509 token types in signature or encryption elements that comply with this profile.”
> Sample SAMLToken:
> <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c" Issuer="sts" IssueInstant="2012-06-13T18:08:07.710Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
> <saml:Conditions NotBefore="2012-06-13T18:08:07.710Z" NotOnOrAfter="2012-06-14T04:08:07.710Z"></saml:Conditions>
> <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2012-06-13T18:08:07.713Z">
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> </saml:AuthenticationStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="roles" AttributeNamespace="http://schemas.merge.com/icc/claims">
> <saml:AttributeValue>User</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml:AttributeValue>test@merge.com</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="privatepersonalidentitfier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml:AttributeValue>55</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
> <Reference URI="#SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> <DigestValue>jzWAgfaALhUvXFSppZhviEw6cOs=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>tUgZygu5219bov276dy9YgS3BSdpgT2vd03MD44Ckd1EWV2u5o0Z2weycrVBH/7rbJB9F18mBHRUv4nve/1E0GI3Hqn4Ios0fOcNI2qsP9ETdv2PLoQU8S2gyupMQ4IEKPFjqdyXQP2nJduWLBVQgOAJcP+PCDyH2gWrTb/YJ1I=</SignatureValue>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> </Signature>
> </saml:Assertion>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org
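
As an added example (not WSS4J's code and not from the reporter), a small Python resolver that does what the report says getCredentialFromKeyInfo must do for the sample token above: dispatch on a wsse:SecurityTokenReference sitting directly under ds:KeyInfo and match its ThumbprintSHA1 KeyIdentifier against a certificate store; it also follows the nested KeyInfo inside EncryptedKey that the holder-of-key confirmations use. The certificate bytes, keystore aliases and helper names are constructed stand-ins.

```python
"""Added illustration, not WSS4J code: resolve the certificate referenced by a
wsse:SecurityTokenReference/KeyIdentifier placed as the first child of ds:KeyInfo,
the layout the sample SAML token uses."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"

# Constructed stand-ins for DER-encoded certificates, keyed by keystore alias.
# Real code hashes the actual DER bytes of each certificate in the trust store.
CERT_STORE = {
    "service-cert": b"\x30\x82\x01\x00constructed-service-certificate",
    "sts-cert": b"\x30\x82\x01\x00constructed-sts-certificate",
}


class KeyInfoError(Exception):
    """Raised when a KeyInfo cannot be mapped to a known credential."""


def thumbprint_sha1(cert_der: bytes) -> bytes:
    """ThumbprintSHA1 is the SHA-1 digest of the certificate's DER encoding."""
    return hashlib.sha1(cert_der).digest()


def resolve_str(str_el: ET.Element, cert_store: dict) -> str:
    """Map a SecurityTokenReference/KeyIdentifier to a keystore alias."""
    kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")
    if kid is None:
        raise KeyInfoError("SecurityTokenReference without a KeyIdentifier")
    value_type = kid.get("ValueType")
    if value_type != THUMBPRINT_SHA1:
        # Only the ThumbprintSHA1 form emitted by the STS above is handled here;
        # anything else is rejected rather than guessed at.
        raise KeyInfoError(f"unsupported KeyIdentifier ValueType: {value_type}")
    wanted = base64.b64decode((kid.text or "").strip())
    if len(wanted) != hashlib.sha1().digest_size:
        raise KeyInfoError("KeyIdentifier is not a SHA-1 thumbprint")
    for alias, der in cert_store.items():
        if hmac.compare_digest(thumbprint_sha1(der), wanted):
            return alias
    raise KeyInfoError("no certificate with matching SHA-1 thumbprint")


def credential_from_keyinfo(keyinfo_el: ET.Element, cert_store: dict) -> str:
    """Dispatch on the first *element* child of KeyInfo.

    Iterating element children avoids the DOM pitfall where getFirstChild()
    can return a whitespace text node in front of the real first element.
    """
    children = list(keyinfo_el)
    if not children:
        raise KeyInfoError("empty KeyInfo")
    first = children[0]
    if first.tag == f"{{{WSSE}}}SecurityTokenReference":
        return resolve_str(first, cert_store)
    if first.tag == f"{{{XENC}}}EncryptedKey":
        # Holder-of-key confirmation in the sample token: the key-encryption
        # certificate is referenced by a nested KeyInfo/STR inside EncryptedKey.
        inner = first.find(f"{{{DS}}}KeyInfo")
        if inner is None:
            raise KeyInfoError("EncryptedKey without a nested KeyInfo")
        return credential_from_keyinfo(inner, cert_store)
    raise KeyInfoError(f"unsupported KeyInfo child: {first.tag}")


def build_keyinfo_xml(thumbprint: bytes, value_type: str = THUMBPRINT_SHA1,
                      wrap_in_encrypted_key: bool = False) -> str:
    """Construct a ds:KeyInfo shaped like the sample token's (test input only)."""
    kid = base64.b64encode(thumbprint).decode()
    body = (f'<o:SecurityTokenReference xmlns:o="{WSSE}">'
            f'<o:KeyIdentifier ValueType="{value_type}">{kid}</o:KeyIdentifier>'
            f'</o:SecurityTokenReference>')
    if wrap_in_encrypted_key:
        body = (f'<e:EncryptedKey xmlns:e="{XENC}"><KeyInfo>{body}</KeyInfo>'
                f'<e:CipherData><e:CipherValue>AAAA</e:CipherValue></e:CipherData>'
                f'</e:EncryptedKey>')
    return f'<KeyInfo xmlns="{DS}">{body}</KeyInfo>'


def try_resolve(xml_text: str, cert_store: dict = CERT_STORE):
    """Return (alias, None) on success or (None, reason) on a KeyInfoError."""
    try:
        return credential_from_keyinfo(ET.fromstring(xml_text), cert_store), None
    except KeyInfoError as exc:
        return None, str(exc)


if __name__ == "__main__":
    tp = thumbprint_sha1(CERT_STORE["sts-cert"])
    print(try_resolve(build_keyinfo_xml(tp)))                              # ('sts-cert', None)
    print(try_resolve(build_keyinfo_xml(tp, wrap_in_encrypted_key=True)))  # ('sts-cert', None)
```

Matching the thumbprint only identifies which certificate the signer points at; the signature still has to verify against that certificate and the certificate itself must chain to a trusted issuer.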


[jira] [Commented] (WSS-393) WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo

Posted by "Dan Taylor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13295256#comment-13295256 ] 

Dan Taylor commented on WSS-393:
--------------------------------

Hi Colm,

I'll do this first thing June 15th, out of commission today due to unforeseen circumstances.  Thanks for the quick reply though.

Dan.
                
> WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
> ----------------------------------------------------------------------------------
>
>                 Key: WSS-393
>                 URL: https://issues.apache.org/jira/browse/WSS-393
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.6
>         Environment: .NET client, .NET STS, Java service, Windows 7.0
>            Reporter: Dan Taylor
>            Assignee: Colm O hEigeartaigh
>              Labels: KeyIdentifier, KeyInfo, SecurityTokenReference
>             Fix For: 1.6.7
>
>



[jira] [Resolved] (WSS-393) WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo

Posted by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved WSS-393.
-------------------------------------

    Resolution: Fixed
    
> WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
> ----------------------------------------------------------------------------------
>
>                 Key: WSS-393
>                 URL: https://issues.apache.org/jira/browse/WSS-393
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.6
>         Environment: .NET client, .NET STS, Java service, Windows 7.0
>            Reporter: Dan Taylor
>            Assignee: Colm O hEigeartaigh
>              Labels: KeyIdentifier, KeyInfo, SecurityTokenReference
>             Fix For: 1.6.7
>
>



[jira] [Commented] (WSS-393) WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo

Posted by "Dan Taylor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WSS-393?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13295857#comment-13295857 ] 

Dan Taylor commented on WSS-393:
--------------------------------

Hi Colm,

From our testing, this didn't actually make a difference to the service.  We will debug into this either later today (Friday) or on Monday and provide more details about what is failing.

Thanks,

Dan.
                
> WSS4J is not handling KeyIdentifier inside SecurityTokenReference inside a KeyInfo
> ----------------------------------------------------------------------------------
>
>                 Key: WSS-393
>                 URL: https://issues.apache.org/jira/browse/WSS-393
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>    Affects Versions: 1.6.6
>         Environment: .NET client, .NET STS, Java service, Windows 7.0
>            Reporter: Dan Taylor
>            Assignee: Colm O hEigeartaigh
>              Labels: KeyIdentifier, KeyInfo, SecurityTokenReference
>             Fix For: 1.6.7
>
>
> We have a .NET client using a .NET STS for authentication and authorization to our java service.  The .NET STS puts a SecurityTokenReference inside a KeyInfo element, with a KeyIdentifier inside the STR.  This causes an exception to be thrown: General security error (SAML token security failure).
> From debugging into the WSS4J source in the SAMLUtil.getCredentialFromKeyInfo method, keyInfoElement.getFirstChild() returns the SecurityTokenReference element.  Inside this element is the KeyIdentifier element, which isn't handled anywhere inside this method.
> From the WS-Security 1.1 (Web Services Security: SOAP Message Security 1.1) standard:
> Section 7.1: “All compliant implementations MUST be able to process a <wsse:SecurityTokenReference> element. This element can also be used as a direct child element of <ds:KeyInfo> to indicate a hint to retrieve the key information from a security token placed somewhere else. In particular, it is RECOMMENDED, when using XML Signature and XML Encryption, that a <wsse:SecurityTokenReference> element be placed inside a <ds:KeyInfo> to reference the security token used for the signature or encryption.”
> From the Web Services Security X.509 Certificate Token Profile 1.1) standard:
> Section 3.2: “In order to ensure a consistent processing model across all the token types supported by WSS: SOAP Message Security, the <wsse:SecurityTokenReference> element SHALL be used to specify all references to X.509 token types in signature or encryption elements that comply with this profile.”
> Sample SAMLToken:
> <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c" Issuer="sts" IssueInstant="2012-06-13T18:08:07.710Z" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
> <saml:Conditions NotBefore="2012-06-13T18:08:07.710Z" NotOnOrAfter="2012-06-14T04:08:07.710Z"></saml:Conditions>
> <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified" AuthenticationInstant="2012-06-13T18:08:07.713Z">
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> </saml:AuthenticationStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="roles" AttributeNamespace="http://schemas.merge.com/icc/claims">
> <saml:AttributeValue>User</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml:AttributeValue>test@merge.com</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <saml:AttributeStatement>
> <saml:Subject>
> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName">test@merge.com</saml:NameIdentifier>
> <saml:SubjectConfirmation>
> <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>CCm84q35YgGkr5AzbOgaW700IThPHQU07cJqW7tMtDy97sI3La9KPb7gFYyk0cswqVBxRpp6Z3tdwM4+RvVPQinCPYHZ9iwc2s2z8iimZZVryk7qbBWg9TvlNgwt1WmWog2oF8XKU34VEKB6KLCyh/eK20Dk22rRQvfWApoI3SQ=</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> </saml:SubjectConfirmation>
> </saml:Subject>
> <saml:Attribute AttributeName="privatepersonalidentitfier" AttributeNamespace="http://schemas.xmlsoap.org/ws/2005/05/identity/claims">
> <saml:AttributeValue>55</saml:AttributeValue>
> </saml:Attribute>
> </saml:AttributeStatement>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></CanonicalizationMethod>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"></SignatureMethod>
> <Reference URI="#SamlSecurityToken-02c44f88-607f-4d46-ab2e-b8049904ff9c">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"></Transform>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"></Transform>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"></DigestMethod>
> <DigestValue>jzWAgfaALhUvXFSppZhviEw6cOs=</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>tUgZygu5219bov276dy9YgS3BSdpgT2vd03MD44Ckd1EWV2u5o0Z2weycrVBH/7rbJB9F18mBHRUv4nve/1E0GI3Hqn4Ios0fOcNI2qsP9ETdv2PLoQU8S2gyupMQ4IEKPFjqdyXQP2nJduWLBVQgOAJcP+PCDyH2gWrTb/YJ1I=</SignatureValue>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1">TzX5OGaS9Ftsw1t+eGyfBmJblWc=</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> </Signature>
> </saml:Assertion>

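The resolution step the report says is missing for this layout, as an added example (Python, not WSS4J's Java code): walk ds:KeyInfo > wsse:SecurityTokenReference > wsse:KeyIdentifier, accept only the ThumbprintSHA1 ValueType, and match the decoded digest against a trust store, failing closed on anything it cannot resolve. The certificate bytes, the trust-store alias and the template KeyInfo are constructed for the example; the namespaces, ValueType URI and the unmatched thumbprint are the ones from the sample assertion above.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Optional

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"

def thumbprint_sha1(cert_der: bytes) -> str:
    """ThumbprintSHA1 is base64(SHA-1 over the certificate's DER octets)."""
    return base64.b64encode(hashlib.sha1(cert_der).digest()).decode("ascii")

def resolve_key_info(key_info_xml: str, trust_store: Dict[str, bytes]) -> Optional[bytes]:
    """Return the trusted DER certificate a ds:KeyInfo points at, or None.
    Handles the layout from the report (ds:KeyInfo > wsse:SecurityTokenReference
    > wsse:KeyIdentifier[ThumbprintSHA1]); anything else stays unresolved so the
    caller fails closed instead of guessing a key."""
    key_info = ET.fromstring(key_info_xml)
    if key_info.tag != f"{{{DS}}}KeyInfo":
        raise ValueError("not a ds:KeyInfo element")
    # find() skips whitespace text nodes; a DOM getFirstChild() would not.
    str_el = key_info.find(f"{{{WSSE}}}SecurityTokenReference")
    key_id = None if str_el is None else str_el.find(f"{{{WSSE}}}KeyIdentifier")
    if key_id is None or key_id.get("ValueType") != THUMBPRINT_SHA1:
        return None
    wanted = base64.b64decode((key_id.text or "").strip())
    if len(wanted) != hashlib.sha1().digest_size:
        return None  # not a SHA-1 digest at all; refuse rather than guess
    for cert_der in trust_store.values():
        if hashlib.sha1(cert_der).digest() == wanted:
            return cert_der
    return None  # unknown thumbprint: the message must be rejected

# Constructed stand-in for a DER-encoded certificate (not real X.509 bytes).
FAKE_CERT_DER = b"\x30\x82constructed-placeholder-certificate-bytes"
TRUST_STORE = {"service-cert": FAKE_CERT_DER}

KEY_INFO_TEMPLATE = (  # same shape as the Signature/KeyInfo in the sample token
    '<KeyInfo xmlns="' + DS + '"><o:SecurityTokenReference xmlns:o="' + WSSE + '">'
    '<o:KeyIdentifier ValueType="' + THUMBPRINT_SHA1 + '">{tp}</o:KeyIdentifier>'
    "</o:SecurityTokenReference></KeyInfo>"
)

def demo():
    """Known thumbprint resolves; the report's thumbprint, absent from this store, does not."""
    known = KEY_INFO_TEMPLATE.format(tp=thumbprint_sha1(FAKE_CERT_DER))
    unknown = KEY_INFO_TEMPLATE.format(tp="TzX5OGaS9Ftsw1t+eGyfBmJblWc=")
    return (resolve_key_info(known, TRUST_STORE) == FAKE_CERT_DER,
            resolve_key_info(unknown, TRUST_STORE) is None)
```

A real trust store would hold DER bytes read from a keystore; the matching rule is unchanged.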