Posted to wss4j-dev@ws.apache.org by Andrea Poli <ap...@link.it> on 2010/05/04 15:36:23 UTC

WSS-146

I see https://issues.apache.org/jira/browse/WSS-146
I applied the patch successfully.
I have tested it, too.

I did the following tests (both for SAML 1.1 and for SAML 2.0):
1. SAMLUnsigned
2. SAMLSigned with confirmationMethod=senderVouches and xml.signature.spec=wss
3. SAMLSigned with confirmationMethod=keyHolder and xml.signature.spec=wss
4. SAMLSigned with confirmationMethod=senderVouches and xml.signature.spec=saml
5. SAMLSigned with confirmationMethod=keyHolder and xml.signature.spec=saml

You will find the configurations of the tests attached.
Only tests 1, 2 and 4 have succeeded perfectly.
Tests 3 and 5 fail. These tests contain the configuration
confirmationMethod=keyHolder.

NOTE: After having modified the sources with the patch
wss4j-1.5.8-saml.patch (https://issues.apache.org/jira/browse/WSS-146) I
have modified them again.
You will find the patch attached: wss4j-1.5.8-saml-ext.patch

Can you confirm for me that this last patch works correctly?

Could you suggest a solution for the tests with
confirmationMethod=keyHolder?

Andrea.


RE: WSS-146

Posted by Martin Gainty <mg...@hotmail.com>.
So here is the code:

        if ("senderVouches".equals(
                properties.getProperty("org.apache.ws.security.saml.confirmationMethod"))) {
            confirmationMethods[0] = SAMLSubject.CONF_SENDER_VOUCHES;
        } else if ("keyHolder".equals(
                properties.getProperty("org.apache.ws.security.saml.confirmationMethod"))) { // YES
            // keyHolder selects the holder-of-key confirmation method
            confirmationMethods[0] = SAMLSubject.CONF_HOLDER_KEY;
            senderVouches = false;
        }

    /** Holder of Key Confirmation Method Identifier */
    public final static String CONF_HOLDER_KEY = "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key";

which means you will need to supply not only the confirmation method but also the EncryptedKey, EncryptionMethod, the DigestMethod, X509Data and CipherData:

<saml:SubjectConfirmation>
  <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:holder-of-key</saml:ConfirmationMethod>
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <enc:EncryptedKey xmlns:enc="http://www.w3.org/2001/04/xmlenc#">
      <enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
      </enc:EncryptionMethod>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>MIIB3 . . . vO3bdg</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
      <enc:CipherData>
        <enc:CipherValue>P5Kb . . . rOTvII</enc:CipherValue>
      </enc:CipherData>
    </enc:EncryptedKey>
  </ds:KeyInfo>
</saml:SubjectConfirmation>

http://publib.boulder.ibm.com/infocenter/wasinfo/v7r0/index.jsp?topic=/com.ibm.websphere.express.doc/info/exp/ae/cwbs_samltokenprofilespec.html

Martin Gainty 
______________________________________________ 
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is not permitted. This message serves only the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for their content.





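The holder-of-key requirement Martin describes, as an added checker that is not part of this thread and not WSS4J code: it parses an assertion with Python's standard xml.etree, finds the SubjectConfirmation, and reports whether a holder-of-key confirmation actually carries the ds:KeyInfo (X509Data or EncryptedKey) it needs, which is the first thing to inspect when a keyHolder configuration fails. It goes beyond Martin's SAML 1.1 fragment by also handling the SAML 2.0 layout (Method attribute, KeyInfo inside SubjectConfirmationData). The assertion documents are constructed samples with placeholder certificate and cipher values; the checker looks only at structure and does not verify signatures.

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ENC_NS = "http://www.w3.org/2001/04/xmlenc#"

# Holder-of-key identifiers; the SAML 1.x one is what WSS4J's CONF_HOLDER_KEY holds.
HOLDER_OF_KEY = {
    "1.1": "urn:oasis:names:tc:SAML:1.0:cm:holder-of-key",
    "2.0": "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key",
}


def _q(ns, tag):
    """Clark-notation name {ns}tag for ElementTree paths."""
    return "{%s}%s" % (ns, tag)


def check_subject_confirmation(xml_text):
    """Inspect the first SubjectConfirmation of a SAML 1.1 or 2.0 assertion.

    Returns the SAML version, the confirmation methods, which key material (if
    any) sits in the confirmation, and whether a holder-of-key confirmation is
    complete, i.e. carries a ds:KeyInfo with X509Data or EncryptedKey.
    Raises ValueError when the assertion has no SubjectConfirmation at all.
    """
    root = ET.fromstring(xml_text)
    for version, ns in (("1.1", SAML1_NS), ("2.0", SAML2_NS)):
        sc = root.find(".//" + _q(ns, "SubjectConfirmation"))
        if sc is not None:
            break
    else:
        raise ValueError("assertion has no SubjectConfirmation")

    if version == "1.1":
        # SAML 1.x: ConfirmationMethod children, KeyInfo directly under SubjectConfirmation
        methods = [m.text.strip() for m in sc.findall(_q(ns, "ConfirmationMethod")) if m.text]
        key_info = sc.find(_q(DS_NS, "KeyInfo"))
    else:
        # SAML 2.0: Method attribute, KeyInfo inside SubjectConfirmationData
        methods = [sc.get("Method")] if sc.get("Method") else []
        key_info = sc.find(_q(ns, "SubjectConfirmationData") + "/" + _q(DS_NS, "KeyInfo"))

    has_x509 = key_info is not None and key_info.find(".//" + _q(DS_NS, "X509Data")) is not None
    has_enc_key = key_info is not None and key_info.find(".//" + _q(ENC_NS, "EncryptedKey")) is not None
    is_hok = HOLDER_OF_KEY[version] in methods
    return {
        "version": version,
        "methods": methods,
        "has_key_info": key_info is not None,
        "has_x509_data": has_x509,
        "has_encrypted_key": has_enc_key,
        "holder_of_key": is_hok,
        "holder_of_key_ok": is_hok and (has_x509 or has_enc_key),
    }


# ---- constructed sample assertions (placeholder values, not real keys) ----

def _saml1(method_uri, key_info_xml):
    """Constructed SAML 1.1 assertion skeleton around one SubjectConfirmation."""
    return (
        '<saml:Assertion xmlns:saml="%s"><saml:AuthenticationStatement><saml:Subject>'
        "<saml:NameIdentifier>alice</saml:NameIdentifier><saml:SubjectConfirmation>"
        "<saml:ConfirmationMethod>%s</saml:ConfirmationMethod>%s</saml:SubjectConfirmation>"
        "</saml:Subject></saml:AuthenticationStatement></saml:Assertion>"
    ) % (SAML1_NS, method_uri, key_info_xml)


KEY_INFO_X509 = (
    '<ds:KeyInfo xmlns:ds="%s"><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT'
    "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
) % DS_NS

# Same shape as the EncryptedKey example in the thread, with placeholder contents.
KEY_INFO_ENC = (
    '<ds:KeyInfo xmlns:ds="%s"><enc:EncryptedKey xmlns:enc="%s">'
    '<enc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>'
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER-CERT</ds:X509Certificate>"
    "</ds:X509Data></ds:KeyInfo><enc:CipherData><enc:CipherValue>PLACEHOLDER-CIPHER"
    "</enc:CipherValue></enc:CipherData></enc:EncryptedKey></ds:KeyInfo>"
) % (DS_NS, ENC_NS)

HOK_V1_WITH_CERT = _saml1(HOLDER_OF_KEY["1.1"], KEY_INFO_X509)
HOK_V1_WITH_ENC_KEY = _saml1(HOLDER_OF_KEY["1.1"], KEY_INFO_ENC)
HOK_V1_NO_KEY = _saml1(HOLDER_OF_KEY["1.1"], "")          # names holder-of-key but carries no key
SV_V1 = _saml1("urn:oasis:names:tc:SAML:1.0:cm:sender-vouches", "")

HOK_V2_WITH_CERT = (
    '<saml2:Assertion xmlns:saml2="%s"><saml2:Subject><saml2:NameID>alice</saml2:NameID>'
    '<saml2:SubjectConfirmation Method="%s"><saml2:SubjectConfirmationData>%s'
    "</saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject></saml2:Assertion>"
) % (SAML2_NS, HOLDER_OF_KEY["2.0"], KEY_INFO_X509)

if __name__ == "__main__":
    for name, doc in (("hok-cert", HOK_V1_WITH_CERT), ("hok-enckey", HOK_V1_WITH_ENC_KEY),
                      ("hok-no-key", HOK_V1_NO_KEY), ("sender-vouches", SV_V1),
                      ("hok-saml2", HOK_V2_WITH_CERT)):
        print(name, check_subject_confirmation(doc))
```

A confirmation that names holder-of-key but carries no key material (the HOK_V1_NO_KEY sample) is reported with holder_of_key set and holder_of_key_ok cleared: that is an assertion a relying party cannot bind to the signer of the message, and the shape to rule out first when a keyHolder test fails. A sender-vouches confirmation without KeyInfo is reported as such and is not an error, since that method does not require the subject's key.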