
List:       woden-dev
Subject:    [jira] [Closed] (WSS-519) SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in Ecry
From:       "Erik Mocny (JIRA)" <jira () apache ! org>
Date:       2014-11-11 14:01:33
Message-ID: JIRA.12752977.1415171040000.469145.1415714493934 () Atlassian ! JIRA


     [ https://issues.apache.org/jira/browse/WSS-519?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Erik Mocny closed WSS-519.
--------------------------

Thanks, everything works as expected :)

> SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in EncryptedAssertion element
> -----------------------------------------------------------------------------------------------
>  
> Key: WSS-519
> URL: https://issues.apache.org/jira/browse/WSS-519
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Affects Versions: 1.6.15, 1.6.16, 2.0.2, 1.6.17
> Environment: MS ADFS 2.0, CXF 3.0.2, CXF 2.7.11
> Reporter: Erik Mocny
> Assignee: Colm O hEigeartaigh
> Labels: encryptedassertion, saml, securitytokenreference, wss4j
> Fix For: 2.0.3
> 
> 
> Hi,
> we have a current setup: an ADFS 2.0 STS and, on the ESB, CXF 2.7.11, whose dependency is WSS4J 1.6.15. Currently everything works as expected, but only for the SAML 1.1 TokenType. The problem resides in the SAML 2.0 token response. For a SAML 1.1 token, the response (the important part of it) looks like:
> {code:xml}
> <trust:RequestedSecurityToken>
>   <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
>                       xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>     <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>       <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>         <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>           <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         </e:EncryptionMethod>
>         <KeyInfo>
>           <o:SecurityTokenReference
>               xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>             <X509Data>
> {code}
> For SAML 2.0, the RSTR (just our part of it) looks like:
> {code:xml}
> <trust:RequestedSecurityToken>
>   <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>     <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
>                         xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>       <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>         <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>           <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>             <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>           </e:EncryptionMethod>
>           <KeyInfo>
>             <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
> {code}
> Please notice the missing token-referencing element: *SecurityTokenReference*.
> WSS4J then, while trying to decrypt the SAML token, throws an exception:
> {noformat}
> 2014-11-05 07:24:03,655 [http-/127.0.0.1:8443-2] WARN  (org.apache.cxf.phase.PhaseInterceptorChain): Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header.
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:852) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:327) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:121) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:106) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) ~[cxf-api-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar!/:1.0.2.Final-redhat-1]
> 	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
> 	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.3.0.Final-redhat-14.jar!/:7.3.0.Final-redhat-14]
> 	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
> 	at java.lang.Thread.run(Thread.java:745) [na:1.7.0_60]
> Caused by: org.apache.ws.security.WSSecurityException: General security error (Bad element, expected "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference" while got "{http://www.w3.org/2000/09/xmldsig#}X509Data")
> 	at org.apache.ws.security.message.token.SecurityTokenReference.<init>(SecurityTokenReference.java:93) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.str.EncryptedKeySTRParser.parseSecurityTokenReference(EncryptedKeySTRParser.java:80) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:309) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:126) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:65) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.ws.security.processor.EncryptedDataProcessor.handleToken(EncryptedDataProcessor.java:113) ~[wss4j-1.6.15.jar:1.6.15]
> 	at sk.dcom.poc.service.doubleit.security.EncryptedAssertionProcessor.handleToken(EncryptedAssertionProcessor.java:54) ~[classes:na]
> 	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) ~[wss4j-1.6.15.jar:1.6.15]
> 	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
> 	... 26 common frames omitted
> {noformat}
> I've also tried CXF 3.0.2, which uses WSS4J 2.0.2, but the exception is there too.
> I then tried changing only the WSS4J version (1.6.16, 1.6.17); we are locked at CXF 2.7.11 because of the ESB, and it is still the same issue :/ Could you please give me some clues so I can maybe handle it manually and correctly reference the token for the WSS4J decryption process (if there is any way)? Thanks for all your answers.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
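An added diagnostic, not WSS4J's or CXF's own code, that parses the two RSTR shapes from the report and returns whether the EncryptedKey points at the key-encryption certificate through a SecurityTokenReference (the SAML 1.1 case) or a bare X509Data directly under KeyInfo (the SAML 2.0 case the trace rejects). The XML inputs are constructed, completed versions of the report's fragments with placeholder CipherValue contents and a made-up issuer name; `rstr_fragment` and `key_reference_form` are names assumed here, and the element order and namespaces follow the fragments in the report.

```python
# Added example, not WSS4J or CXF code: report how the EncryptedKey in an RSTR
# references the key-encryption certificate, accepting both shapes from the
# report (STR-wrapped X509Data for SAML 1.1, bare X509Data for SAML 2.0).
import xml.etree.ElementTree as ET

XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

def rstr_fragment(key_info_inner, wrap_in_assertion):
    """Constructed input modelled on the two snippets in the report;
    CipherValue contents are placeholders, not real ciphertext."""
    data = (f'<xenc:EncryptedData Type="{XENC}Element" xmlns:xenc="{XENC}">'
            f'<xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>'
            f'<KeyInfo xmlns="{DS}"><e:EncryptedKey xmlns:e="{XENC}">'
            f'<e:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"/>'
            f'<KeyInfo>{key_info_inner}</KeyInfo>'
            '<e:CipherData><e:CipherValue>PLACEHOLDER</e:CipherValue></e:CipherData>'
            '</e:EncryptedKey></KeyInfo>'
            '<xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>'
            '</xenc:EncryptedData>')
    return f'<EncryptedAssertion xmlns="{SAML2}">{data}</EncryptedAssertion>' if wrap_in_assertion else data

# Issuer/serial reference with a made-up issuer name (constructed for the example).
X509_REF = (f'<X509Data xmlns="{DS}"><X509IssuerSerial><X509IssuerName>CN=constructed-sts'
            '</X509IssuerName><X509SerialNumber>1</X509SerialNumber></X509IssuerSerial></X509Data>')
SAML11_STYLE = rstr_fragment(f'<o:SecurityTokenReference xmlns:o="{WSSE}">{X509_REF}</o:SecurityTokenReference>', False)
SAML20_STYLE = rstr_fragment(X509_REF, True)

def key_reference_form(xml_text):
    """Return (form, issuer_name): form is 'SecurityTokenReference' or 'X509Data'.
    A strict processor, like the one in the stack trace, accepts only the first;
    a tolerant one resolves the decryption certificate from either."""
    enc_key = ET.fromstring(xml_text).find(f".//{{{XENC}}}EncryptedKey")
    key_info = None if enc_key is None else enc_key.find(f"{{{DS}}}KeyInfo")
    if key_info is None or len(key_info) == 0:
        raise ValueError("no EncryptedKey/KeyInfo with a child element in RSTR")
    child = key_info[0]  # the element the trace shows WSS4J insisting must be an STR
    if child.tag == f"{{{WSSE}}}SecurityTokenReference":
        form, x509 = "SecurityTokenReference", child.find(f"{{{DS}}}X509Data")
    elif child.tag == f"{{{DS}}}X509Data":
        form, x509 = "X509Data", child
    else:
        raise ValueError(f"unsupported key reference: {child.tag}")
    issuer = None if x509 is None else x509.findtext(f"{{{DS}}}X509IssuerSerial/{{{DS}}}X509IssuerName")
    if issuer is None:
        raise ValueError("no X509IssuerSerial to locate the decryption key")
    return form, issuer
```

Running it on a captured RSTR tells you which shape the STS emits before you debug the WSS4J side, and the ValueError branches flag responses that carry neither reference form.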
