
List:       xmlrpc-user
Subject:    [jira] [Commented] (WSS-497) Support for SAML 2.0 EncryptedAssertion Element
From:       "M Kidd (JIRA)" <jira () apache ! org>
Date:       2014-04-25 14:21:15
Message-ID: JIRA.12709788.1398178383993.181020.1398435675887 () arcas


    [ https://issues.apache.org/jira/browse/WSS-497?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13981050#comment-13981050 ]

M Kidd commented on WSS-497:
----------------------------

Pulled down the 1.6.16.SNAPSHOT; had to add the org.slf4j dependency to the JBoss module.xml for wss4j to resolve ClassNotFound issues.

Solution works.  Thanks for the upgrade!

> Support for SAML 2.0 EncryptedAssertion Element
> -----------------------------------------------
> 
> Key: WSS-497
> URL: https://issues.apache.org/jira/browse/WSS-497
> Project: WSS4J
> Issue Type: New Feature
> Components: WSS4J Core
> Affects Versions: 1.6.9, 1.6.13
> Environment: JBoss AS 7.1.3, JBoss EAP 6.1.0
> Reporter: M Kidd
> Assignee: Colm O hEigeartaigh
> Labels: features
> Fix For: 2.0.0, 1.6.16
> 
> 
> WSS4J cannot locate an Assertion via a SecurityTokenReference KeyIdentifier id when the Assertion is encrypted as an EncryptedAssertion element.
> {quote}
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Header>
>     <Action xmlns="http://www.w3.org/2005/08/addressing">ActionXXXX</Action>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing">urn:uuid:f718f460-58a5-4aa5-a0ae-7e2a6d9dea8a</MessageID>
>     <To xmlns="http://www.w3.org/2005/08/addressing">https://xxxx:1234/catalog/xxxService-v1.0</To>
>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
>       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
>     </ReplyTo>
>     <wsse:Security soap:mustUnderstand="true"
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wsu:Timestamp wsu:Id="TS-127">
>         <wsu:Created>2014-04-22T13:00:42.301Z</wsu:Created>
>         <wsu:Expires>2014-04-22T13:05:42.301Z</wsu:Expires>
>       </wsu:Timestamp>
>       <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
>         <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>           <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>           <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>             <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
>               <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
>                 <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>               </e:EncryptionMethod>
>               <KeyInfo>
>                 <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                   <X509Data>
>                     <X509IssuerSerial>
>                       <X509IssuerName>.....</X509IssuerName>
>                       <X509SerialNumber>12345678</X509SerialNumber>
>                     </X509IssuerSerial>
>                   </X509Data>
>                 </o:SecurityTokenReference>
>               </KeyInfo>
>               <e:CipherData>***MASKED***</e:CipherData>
>             </e:EncryptedKey>
>           </KeyInfo>
>           <xenc:CipherData>***MASKED***</xenc:CipherData>
>         </xenc:EncryptedData>
>       </EncryptedAssertion>
>       <ds:Signature Id="SIG-128" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>         <ds:SignedInfo>
>           <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>             <ec:InclusiveNamespaces PrefixList="soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>           </ds:CanonicalizationMethod>
>           <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
>           <ds:Reference URI="#TS-127">
>             <ds:Transforms>
>               <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                 <ec:InclusiveNamespaces PrefixList="wsse soap" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               </ds:Transform>
>             </ds:Transforms>
>             <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>             <ds:DigestValue>/wED0P+e1Hl79GX3yuHw/p/J2Vo=</ds:DigestValue>
>           </ds:Reference>
>         </ds:SignedInfo>
>         <ds:SignatureValue>Wgp/uzeawdu8oh8bDObXIsXrTUw=</ds:SignatureValue>
>         <ds:KeyInfo Id="KI-1603634465EB6A36DC1398171642303115">
>           <SecurityTokenReference b:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
>               xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>               xmlns:b="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
>             <KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">_004e1ddf-d719-436b-bfb9-e833f482e4eb</KeyIdentifier>
>           </SecurityTokenReference>
>         </ds:KeyInfo>
>       </ds:Signature>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>   </soap:Body>
> </soap:Envelope>
> {quote}
> When the SecurityTokenReference is being parsed, it takes the KeyIdentifier value and looks for the associated Assertion id. If it cannot locate the Assertion, it currently falls back on invoking the CallbackHandler, seeking the SECRET_KEY. At some point prior to that parsing, I believe it should decrypt EncryptedAssertion elements, using the loaded certificates from the configured keystore, so the existing Assertion search logic can locate these Assertions.
> 
> Stack Trace:
> org.apache.ws.security.WSSecurityException: General security error (SAML token security failure)
>     at org.apache.ws.security.saml.SAMLUtil.getAssertionFromKeyIdentifier(SAMLUtil.java:127) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>     at org.apache.ws.security.str.SignatureSTRParser.parseSAMLKeyIdentifier(SignatureSTRParser.java:353) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>     at org.apache.ws.security.str.SignatureSTRParser.parseSecurityTokenReference(SignatureSTRParser.java:217) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>     at org.apache.ws.security.processor.SignatureProcessor.handleToken(SignatureProcessor.java:169) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>     at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) [wss4j-1.6.9-redhat-2.jar:1.6.9-redhat-2]
>     at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:277) [cxf-rt-ws-security-2.6.6-redhat-3.jar:2.6.6-redhat-3]



--
This message was sent by Atlassian JIRA
(v6.2#6252)
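As an added example (not WSS4J's code), the lookup the issue describes, in Python: the Signature's SAMLID KeyIdentifier is resolved against plaintext Assertion elements and, when a decryptor is supplied, against EncryptedAssertion elements opened first, which is the ordering the reporter proposes. The header is a constructed, trimmed copy of the issue's envelope, and `demo_decrypt` is a constructed stand-in for the keystore-based XML Decryption step.

```python
import xml.etree.ElementTree as ET
NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SAMLID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
ASSERTION_ID = "_004e1ddf-d719-436b-bfb9-e833f482e4eb"  # the ID referenced in the issue's envelope
# Constructed wsse:Security header in the shape of the issue's envelope (ciphertext masked; Timestamp, EncryptedKey and SignedInfo omitted).
SECURITY_HEADER = f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:ds="{NS['ds']}">
  <EncryptedAssertion xmlns="{NS['saml2']}">
    <xenc:EncryptedData xmlns:xenc="{NS['xenc']}" Type="{NS['xenc']}Element">
      <xenc:CipherData>***MASKED***</xenc:CipherData>
    </xenc:EncryptedData>
  </EncryptedAssertion>
  <ds:Signature Id="SIG-128">
    <ds:KeyInfo>
      <wsse:SecurityTokenReference>
        <wsse:KeyIdentifier ValueType="{SAMLID}">{ASSERTION_ID}</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
    </ds:KeyInfo>
  </ds:Signature>
</wsse:Security>"""

def referenced_assertion_ids(security):
    """Assertion IDs that a Signature's KeyInfo STR points at through a SAMLID KeyIdentifier."""
    path = "ds:Signature/ds:KeyInfo/wsse:SecurityTokenReference/wsse:KeyIdentifier"
    return [ki.text.strip() for ki in security.findall(path, NS) if ki.get("ValueType") == SAMLID]

def available_assertions(security, decrypt=None):
    """Map ID -> Assertion element; with a decryptor, EncryptedAssertion elements are opened first."""
    found = {a.get("ID"): a for a in security.findall("saml2:Assertion", NS)}
    if decrypt is not None:
        for enc in security.findall("saml2:EncryptedAssertion/xenc:EncryptedData", NS):
            assertion = decrypt(enc)  # real code: XML Decryption with the keystore's private key
            found[assertion.get("ID")] = assertion
    return found

def resolve(header_xml, decrypt=None):
    """Per referenced ID: 'found', 'encrypted' (only an undecrypted EncryptedAssertion is present: the issue's failure) or 'missing'."""
    security = ET.fromstring(header_xml)
    available = available_assertions(security, decrypt)
    has_encrypted = security.find("saml2:EncryptedAssertion", NS) is not None
    return {ref: "found" if ref in available else "encrypted" if has_encrypted else "missing"
            for ref in referenced_assertion_ids(security)}

def demo_decrypt(encrypted_data):
    """Constructed stand-in for the keystore-based decryption step; returns a plaintext Assertion."""
    return ET.fromstring(f'<Assertion xmlns="{NS["saml2"]}" ID="{ASSERTION_ID}"/>')
```

Without a decryptor the reference resolves to "encrypted", which is the state in which WSS4J 1.6.9 fell through to the SECRET_KEY callback; with one it resolves to "found" as the fixed versions do.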


