
Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil


Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil

louis.ho
Hi,

I have been following the information on this page
(https://xwss.java.net/Securing_JAVASE6_WebServices.html) to implement
web service security using JAX-WS Handlers and XWSS 2.0 APIs. It has
gone well generally, where signed and encrypted requests are all
properly handled and working. I have been trying to include SAML in
the mix and have started implementing the necessary callbacks to
validate the SAML assertions. That is where I notice that a failed
validation in the callback handler does not fail the message
validation. Digging through the code, it looks like the exception
thrown from DefaultSecurityEnvironmentImpl.validateSAMLAssertion()
is logged as a warning and swallowed in HarnessUtil. What is the
reason for that? Is implementing the callbacks not the right approach?

On the same note, I notice the framework doesn't seem to do much
validation on the SAML assertion at all, be it an expired assertion, or
even the absence of any assertion. It feels like there's something
missing. Some pointers would be greatly appreciated.

Here's my wsse configuration for the client:
<xwss:SecurityConfiguration
xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
        <xwss:SAMLAssertion type='SV' />
</xwss:SecurityConfiguration>

And the server:
<xwss:SecurityConfiguration
xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
        <xwss:RequireSAMLAssertion type='SV'/>
</xwss:SecurityConfiguration>

And the logged warning with stacktrace (note that I'm throwing
RuntimeException to demonstrate the point):
11 Nov 2014 20:18:16,006 | 30393059    [ERROR] {http-nio-8080-exec-8} (javax.enterprise.resource.xml.webservices.security) WSS0234: An Error occurred while Validating SAML Assertion in Policy.
java.lang.RuntimeException: Failed validating SAML assertion
        at com.ocetal.webservices.server.security.SecurityEnvironmentHandler.handle(SecurityEnvironmentHandler.java:237)
        at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.validateSAMLAssertion(DefaultSecurityEnvironmentImpl.java:1547)
        at com.sun.xml.wss.impl.filter.ImportSamlAssertionFilter.process(ImportSamlAssertionFilter.java:225)
        at com.sun.xml.wss.impl.filter.AuthenticationTokenFilter.processSamlToken(AuthenticationTokenFilter.java:119)
        at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:122)
        at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:278)
        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:1034)
        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:822)
        at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:261)
        at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:156)
        at com.orchestral.foundation.webservices.server.impl.SecureSecurityContext.verifyInboundMessage(SecureSecurityContext.java:57)
        at com.orchestral.foundation.webservices.server.impl.WSServlet.parseSoapMessage(WSServlet.java:359)
        at com.orchestral.foundation.webservices.server.impl.WSServlet.processMessage(WSServlet.java:215)
        at com.orchestral.foundation.webservices.server.impl.WSServlet.doPost(WSServlet.java:180)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at com.orchestral.core.web.impl.ErrorLoggingFilter.doFilter(ErrorLoggingFilter.java:62)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
        at com.orchestral.core.web.impl.session.SessionTracker.invoke(SessionTracker.java:289)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
        at com.orchestral.core.web.impl.MonitorValve.invoke(MonitorValve.java:55)
        at com.orchestral.core.web.impl.ErrorReportValve.invoke(ErrorReportValve.java:62)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1686)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
11 Nov 2014 20:18:16,008 | 30393061    [WARN ] {http-nio-8080-exec-8} (javax.enterprise.resource.xml.webservices.security) Validation failed for SAML Assertion
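The two gaps the post describes (an absent assertion and an expired one passing through, and a callback failure that is logged rather than enforced) are straightforward to check outside the framework. The following is an added example in Python; it is not XWSS code and not the poster's handler. The element and attribute names come from the SAML 2.0 and WS-Security namespaces; the function names, the SV/HOK-to-confirmation-method mapping and the five-minute clock skew are assumptions of this example, and the sample header is constructed, modelled on the sender-vouches assertion posted later in this thread.

```python
"""Checks a SAML 2.0 assertion carried in a wsse:Security header the way a
fail-closed validator should: every failure is raised and turned into a
rejection, nothing is logged and then ignored.  Framework-independent
example; the names below are not XWSS API."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assumed mapping of the xwss 'type' values to SAML 2.0 subject confirmation methods
CONFIRMATION_FOR_TYPE = {
    "SV": "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches",
    "HOK": "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key",
}


class SamlValidationError(Exception):
    pass


def parse_instant(s):
    """SAML dateTime -> aware datetime ('Z' is not accepted by fromisoformat before 3.11)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def validate_security_header(header_xml, required_type="SV", now=None, skew=timedelta(minutes=5)):
    """Returns the validated claims or raises SamlValidationError."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_instant(now)
    root = ET.fromstring(header_xml)
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:  # an absent (or duplicated) assertion is a failure, not a pass
        raise SamlValidationError("expected exactly one saml2:Assertion, found %d" % len(assertions))
    a = assertions[0]
    if a.get("Version") != "2.0":
        raise SamlValidationError("unsupported SAML version %r" % a.get("Version"))
    issuer = (a.findtext("saml2:Issuer", default="", namespaces=NS) or "").strip()
    if not issuer:
        raise SamlValidationError("assertion has no Issuer")
    conds = a.find("saml2:Conditions", NS)
    if conds is None:
        raise SamlValidationError("assertion has no Conditions; validity cannot be bounded")
    not_before, not_on_or_after = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if not_before and now + skew < parse_instant(not_before):
        raise SamlValidationError("assertion not yet valid (NotBefore=%s)" % not_before)
    if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
        raise SamlValidationError("assertion expired (NotOnOrAfter=%s)" % not_on_or_after)
    wanted = CONFIRMATION_FOR_TYPE[required_type]
    methods = [sc.get("Method") for sc in a.findall("saml2:Subject/saml2:SubjectConfirmation", NS)]
    if wanted not in methods:
        raise SamlValidationError("subject confirmation %s required, got %s" % (wanted, methods))
    return {
        "issuer": issuer,
        "subject": a.findtext("saml2:Subject/saml2:NameID", namespaces=NS),
        "confirmation": wanted,
        "not_on_or_after": not_on_or_after,
    }


def decide(header_xml, **kwargs):
    """Fail-closed wrapper: any exception from validation rejects the message,
    including XML parse errors and bugs inside the validator itself."""
    try:
        return ("accept", validate_security_header(header_xml, **kwargs))
    except Exception as exc:
        return ("reject", "%s: %s" % (type(exc).__name__, exc))


# Constructed sample header, modelled on the assertion posted later in this thread
SAMPLE_HEADER = """<wsse:Security xmlns:wsse="%s">
  <saml2:Assertion xmlns:saml2="%s" ID="2c0fa348-8a78-4274-943e-04b233869a8c"
                   IssueInstant="2014-11-12T19:30:04.275+13:00" Version="2.0">
    <saml2:Issuer>issuer</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2014-11-12T18:30:04.275+13:00" NotOnOrAfter="2014-11-12T20:30:04.275+13:00"/>
  </saml2:Assertion>
</wsse:Security>""" % (NS["wsse"], NS["saml2"])

# Constructed: a security header carrying no assertion at all
EMPTY_HEADER = '<wsse:Security xmlns:wsse="%s"/>' % NS["wsse"]

if __name__ == "__main__":
    for label, hdr, now in [("in window", SAMPLE_HEADER, "2014-11-12T19:30:04+13:00"),
                            ("expired", SAMPLE_HEADER, "2014-11-12T20:36:00+13:00"),
                            ("absent", EMPTY_HEADER, "2014-11-12T19:30:04+13:00")]:
        print(label, decide(hdr, now=now))
```

The point of decide() is the contrast with the WSS0234/WARN pair in the log above: a validator that raises must end in a fault, and a wrapper that catches everything must map every exception to reject, never to "continue with a warning".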

Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil

kumarjayanti
That must be a bug. See if you can access the source code and actually make a fix.



Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil

louis.ho
Thanks for the information. Will try to contribute a fix. Can you point me to the instructions for submitting the fix, and how we can build and run tests to make sure the fix won't break other stuff?

And I have a follow-on question. Now that I have a SAML assertion in my request, I'm trying to sign the assertion with the message. I tried using the Sign and RequireSignature xwss configuration in the following way, which I know works on other message elements like the SOAP-ENV:Body when the SAML assertion is not part of the picture. But when I make the Assertion element the SignatureTarget I get a "WSS1315: Signature Verification Failed" on the receiving end. Is my configuration for signing the SAML assertion valid? Or is there a specific way of doing it? Here is my client configuration:
<xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
        <xwss:SAMLAssertion type='SV' />
        <xwss:Sign id='request_signature' includeTimestamp='false'>
                <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
                <xwss:CanonicalizationMethod algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
                <xwss:SignatureMethod algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
                <xwss:SignatureTarget value='{urn:oasis:names:tc:SAML:2.0:assertion}Assertion'>
                        <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
                        <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </xwss:Transform>
                </xwss:SignatureTarget>
        </xwss:Sign>
</xwss:SecurityConfiguration>

And the server configuration:
<xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
        <xwss:RequireSignature id='request_signature' requireTimestamp='false'>
                <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
                <xwss:CanonicalizationMethod algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
                <xwss:SignatureMethod algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
                <xwss:SignatureTarget value='{urn:oasis:names:tc:SAML:2.0:assertion}Assertion'>
                        <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
                        <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </xwss:Transform>
                </xwss:SignatureTarget>
                <!--xwss:SignatureTarget type='xpath' value='.//SOAP-ENV:Body'>
                        <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
                        <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </xwss:Transform>
                </xwss:SignatureTarget-->
        </xwss:RequireSignature>
        <xwss:RequireSAMLAssertion type='SV'/>
</xwss:SecurityConfiguration>

And the error stacktrace:
12 Nov 2014 19:30:04,295 | 113901348   [ERROR] {http-nio-8080-exec-6} (com.sun.xml.wss.logging.impl.dsig) WSS1315: Signature Verification Failed
12 Nov 2014 19:30:04,295 | 113901348   [ERROR] {http-nio-8080-exec-6} (com.sun.xml.wss.logging.impl.dsig) WSS1338: Error occurred in verifying the signature
Error message was: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
        at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:158)
        at com.orchestral.foundation.webservices.server.impl.SecureSecurityContext.verifyInboundMessage(SecureSecurityContext.java:57)
        at com.orchestral.foundation.webservices.server.impl.WSServlet.parseSoapMessage(WSServlet.java:359)
        at com.orchestral.foundation.webservices.server.impl.WSServlet.processMessage(WSServlet.java:215)
        at com.orchestral.foundation.webservices.server.impl.WSServlet.doPost(WSServlet.java:180)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
Caused by: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
        at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:916)
        at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:638)
        at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:99)
        at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:278)
        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:870)
        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:822)
        at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:261)
        at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:156)
        ... 27 more
Caused by: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
        at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:349)
        at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:831)
        ... 34 more




Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil

louis.ho
Note that if I change the SignatureTarget to "{urn:oasis:names:tc:SAML:2.0:assertion}Subject", which is just the subject part of the assertion, it works. I can't quite narrow down how the assertion element is different. Here's what my security header looks like:

<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="request_signature">
        <ds:SignedInfo>
             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse S"/>
            </ds:CanonicalizationMethod>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#XWSSGID-14157738042791726921059">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                        <wsse:TransformationParameters>
                            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </wsse:TransformationParameters>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>ML1aXLmNKueEmEZ0ZVrrJIU3kkE=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
        <ds:SignatureValue>fibpeYLZtC17YU67RhXons+VDYo7lQOGkuCXSOohjbwJjCSTvIdAOKD6fPP/rVDR93G1OBwmQX4C
olnA8QSdPzAQpNQoJwvyZtXpeQ2uXyzC8sFejQa+e+rv2TACKryU5aaKUmbWavZJozG0QbxTTBwk
qPXmcKnFcUEY3AMi+uQhs/FN0kGLT0L7Glyr2D3/q9alJbDJE8lnOAyZQ5EwqAq+7v9p1tJwwu1s
ZpU/5zGDdxCGQQq0GA93/2zM6KY93dWfva2PcnpjXSIVhzmscIGIkMArxxiOovUqwBADa5ALfJdS
wV6+Yvh92zbRTcc0xX0/5zmNu+hTBfQ+nOlxAg==</ds:SignatureValue>
        <ds:KeyInfo>
            <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1415773804278-116672087">
                <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">pcpAzzdpP3WTgeZbPjSZsZgDIRI=</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="2c0fa348-8a78-4274-943e-04b233869a8c" IssueInstant="2014-11-12T19:30:04.275+13:00" Version="2.0" wsu:Id="XWSSGID-14157738042791726921059">
        <saml2:Issuer>issuer</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2014-11-12T18:30:04.275+13:00" NotOnOrAfter="2014-11-12T20:30:04.275+13:00"/>
        <saml2:AuthnStatement AuthnInstant="2014-11-12T18:30:04.275+13:00">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</wsse:Security>
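In the header above, the single ds:Reference URI is the assertion's own wsu:Id and its only transform is the STR-Transform. Before debugging digest values, a receiver wants to know what each reference actually resolves to and whether that resolution is unambiguous. The following is an added example, not code from the thread or from XWSS: it resolves every ds:Reference against the wsu:Id / Id / ID attributes in the header and reports the target element and transforms. The header it parses is a constructed, trimmed copy of the one posted above (KeyInfo and the real SignatureValue omitted); the second header, with the same wsu:Id on two elements, is constructed to show the ambiguous case. It does not recompute digests or verify the signature. One caveat from the WS-Security SOAP Message Security spec: the STR Dereference Transform is defined for references whose target is a wsse:SecurityTokenReference, so which element a reference lands on matters for how the digest input is formed.

```python
"""Resolves each ds:Reference in a wsse:Security header to the element it
points at and lists the transforms applied, so you can check that the element
the policy requires (here the saml2:Assertion) is what the signature covers.
Added example; function names are assumptions, not XWSS API."""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"ds": DS, "wsse": WSSE, "wsu": WSU, "saml2": SAML2}
STR_TRANSFORM = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform"
ASSERTION_TAG = "{%s}Assertion" % SAML2
# Attributes a '#fragment' URI may resolve against (wsu:Id is what WSS uses; ID is SAML's own)
ID_ATTRS = ("{%s}Id" % WSU, "Id", "ID")


def index_ids(root):
    """Map every id value to all elements carrying it; duplicates are kept so they can be flagged."""
    ids = {}
    for el in root.iter():
        for attr in ID_ATTRS:
            value = el.get(attr)
            if value:
                ids.setdefault(value, []).append(el)
    return ids


def signature_coverage(header_xml):
    """One record per ds:Reference: URI, resolved target tag (None if missing or ambiguous), transforms."""
    root = ET.fromstring(header_xml)
    ids = index_ids(root)
    report = []
    for sig in root.findall("ds:Signature", NS):
        for ref in sig.findall("ds:SignedInfo/ds:Reference", NS):
            uri = ref.get("URI", "")
            targets = ids.get(uri[1:], []) if uri.startswith("#") else []
            report.append({
                "uri": uri,
                "target": targets[0].tag if len(targets) == 1 else None,
                "ambiguous": len(targets) > 1,
                "transforms": [t.get("Algorithm") for t in ref.findall("ds:Transforms/ds:Transform", NS)],
            })
    return report


def assertion_is_signed(header_xml):
    """True only when exactly one reference resolves unambiguously to the saml2:Assertion."""
    hits = [r for r in signature_coverage(header_xml)
            if r["target"] == ASSERTION_TAG and not r["ambiguous"]]
    return len(hits) == 1


# Constructed: trimmed copy of the header posted in the thread (KeyInfo and real SignatureValue omitted)
HEADER = """<wsse:Security xmlns:wsse="%s" xmlns:ds="%s" xmlns:wsu="%s" xmlns:saml2="%s">
  <ds:Signature Id="request_signature">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#XWSSGID-14157738042791726921059">
        <ds:Transforms><ds:Transform Algorithm="%s"/></ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>ML1aXLmNKueEmEZ0ZVrrJIU3kkE=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJlLW9taXR0ZWQ=</ds:SignatureValue>
  </ds:Signature>
  <saml2:Assertion ID="2c0fa348-8a78-4274-943e-04b233869a8c" Version="2.0" wsu:Id="XWSSGID-14157738042791726921059">
    <saml2:Issuer>issuer</saml2:Issuer>
  </saml2:Assertion>
</wsse:Security>""" % (WSSE, DS, WSU, SAML2, STR_TRANSFORM)

# Constructed: the same wsu:Id appears on a second element, so the reference no longer resolves uniquely
DUP_ID_HEADER = HEADER.replace(
    "</ds:Signature>",
    '</ds:Signature>\n  <wsu:Timestamp wsu:Id="XWSSGID-14157738042791726921059"/>')

if __name__ == "__main__":
    for r in signature_coverage(HEADER):
        print(r["uri"], "->", r["target"], r["transforms"])
    print("assertion signed:", assertion_is_signed(HEADER))
    print("assertion signed (duplicate id):", assertion_is_signed(DUP_ID_HEADER))
```

Run on the posted header this reports the reference landing on {urn:oasis:names:tc:SAML:2.0:assertion}Assertion with STR-Transform as its only transform; on the duplicate-id variant the reference is ambiguous and assertion_is_signed() returns False, which is the answer a receiver should give rather than picking the first match.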

        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:822)
        at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:261)
        at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:156)
        ... 27 more
Caused by: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
        at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:349)
        at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:831)
        ... 34 more



________________________________________
From: KumarJayanti <[hidden email]>
Sent: Tuesday, 11 November 2014 09:08 p.m.
To: [hidden email]
Subject: Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil

that must be a bug. See if you can access the source code and actually make a fix.


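The receiver-side policy checks that the thread is circling around, as an added example (Python, not XWSS code and not the poster's callback): it confirms that the message signature's ds:Reference covers the saml2:Assertion's wsu:Id (the sender-vouches pattern the Sign/RequireSignature configuration above is trying to achieve), that the issuer is trusted, that the subject confirmation method matches type='SV', and that the Conditions window holds within a clock-skew tolerance; a missing assertion is reported instead of passing silently. The header is a constructed sample modelled on the one posted in this thread, and the five-minute skew and the trusted-issuer set are assumptions.

```python
"""Receiver-side policy checks for a sender-vouches SAML 2.0 assertion in a WS-Security header.

Added example, not XWSS or the poster's code.  XWSS verifies the XML signature itself;
these are the checks a SAML validation callback should enforce on top of that.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

# Constructed sample modelled on the header posted in the thread; digest and signature
# values are shortened placeholders, not real cryptographic output.
SAMPLE_HEADER = f"""<wsse:Security xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
    xmlns:ds="{NS['ds']}" xmlns:saml2="{NS['saml2']}">
  <ds:Signature Id="request_signature">
    <ds:SignedInfo>
      <ds:Reference URI="#XWSSGID-1"><ds:DigestValue>ZGlnZXN0</ds:DigestValue></ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
  </ds:Signature>
  <saml2:Assertion ID="2c0fa348-8a78-4274-943e-04b233869a8c" Version="2.0"
      IssueInstant="2014-11-12T19:30:04.275+13:00" wsu:Id="XWSSGID-1">
    <saml2:Issuer>issuer</saml2:Issuer>
    <saml2:Subject>
      <saml2:NameID>admin</saml2:NameID>
      <saml2:SubjectConfirmation Method="{SENDER_VOUCHES}"/>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2014-11-12T18:30:04.275+13:00"
        NotOnOrAfter="2014-11-12T20:30:04.275+13:00"/>
  </saml2:Assertion>
</wsse:Security>"""


def parse_time(value):
    """Parse a SAML xs:dateTime into an aware datetime; fromisoformat rejects 'Z' before Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_sv_header(header_xml, now, trusted_issuers, skew=timedelta(minutes=5)):
    """Return the policy violations found in the header; an empty list means it passes."""
    root = ET.fromstring(header_xml)
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:
        # Fail closed: a missing (or duplicated) token must not pass RequireSAMLAssertion.
        return [f"expected exactly one saml2:Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    problems = []

    # 1. Sender-vouches: the message signature must cover the vouched-for assertion.
    signed_ids = {ref.get("URI", "").lstrip("#")
                  for ref in root.iterfind(".//ds:SignedInfo/ds:Reference", NS)}
    if assertion.get(f"{{{NS['wsu']}}}Id") not in signed_ids:
        problems.append("assertion is not covered by the message signature")

    # 2. Only assertions from issuers the receiver trusts confer any authority.
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_issuers:
        problems.append(f"untrusted issuer {issuer!r}")

    # 3. The confirmation method must match the configured policy (type='SV').
    methods = {sc.get("Method")
               for sc in assertion.iterfind("saml2:Subject/saml2:SubjectConfirmation", NS)}
    if methods != {SENDER_VOUCHES}:
        problems.append(f"unexpected subject confirmation method(s) {sorted(map(str, methods))}")

    # 4. Validity window, tolerating bounded clock skew between sender and receiver.
    conditions = assertion.find("saml2:Conditions", NS)
    not_before = conditions.get("NotBefore") if conditions is not None else None
    not_on_or_after = conditions.get("NotOnOrAfter") if conditions is not None else None
    if not_before and now < parse_time(not_before) - skew:
        problems.append("assertion is not yet valid")
    if not not_on_or_after:
        problems.append("assertion has no NotOnOrAfter and would never expire")
    elif now >= parse_time(not_on_or_after) + skew:
        problems.append("assertion has expired")
    return problems
```

Run against the sample at its IssueInstant the function returns an empty list; two hours later it returns only "assertion has expired", and a header with no saml2:Assertion at all is rejected rather than accepted.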


Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil

kumarjayanti
Depending on which version of the jars you are using, there were some bugs in STR-Transform

>  <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">

and that could be the reason for the failure you are seeing. I am not part of the project anymore and so I cannot offer more help on this.

Send a mail to: "[hidden email] Grebác" <[hidden email]> to find out how you can contribute fixes to the project.

On Nov 12, 2014, at 12:24 PM, Louis Ho <[hidden email]> wrote:

> Note that if I change the SignatureTarget to "{urn:oasis:names:tc:SAML:2.0:assertion}Subject" which is just the subject part of the assertion it works. I can't quite narrow down how the assertion element is different. Here's how my security header looks like:
>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
>    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="request_signature">
>        <ds:SignedInfo>
>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse S"/>
>            </ds:CanonicalizationMethod>
>            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>            <ds:Reference URI="#XWSSGID-14157738042791726921059">
>                <ds:Transforms>
>                    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>                        <wsse:TransformationParameters>
>                            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                        </wsse:TransformationParameters>
>                    </ds:Transform>
>                </ds:Transforms>
>                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                <ds:DigestValue>ML1aXLmNKueEmEZ0ZVrrJIU3kkE=</ds:DigestValue>
>            </ds:Reference>
>          </ds:SignedInfo>
>        <ds:SignatureValue>fibpeYLZtC17YU67RhXons+VDYo7lQOGkuCXSOohjbwJjCSTvIdAOKD6fPP/rVDR93G1OBwmQX4C
> olnA8QSdPzAQpNQoJwvyZtXpeQ2uXyzC8sFejQa+e+rv2TACKryU5aaKUmbWavZJozG0QbxTTBwk
> qPXmcKnFcUEY3AMi+uQhs/FN0kGLT0L7Glyr2D3/q9alJbDJE8lnOAyZQ5EwqAq+7v9p1tJwwu1s
> ZpU/5zGDdxCGQQq0GA93/2zM6KY93dWfva2PcnpjXSIVhzmscIGIkMArxxiOovUqwBADa5ALfJdS
> wV6+Yvh92zbRTcc0xX0/5zmNu+hTBfQ+nOlxAg==</ds:SignatureValue>
>        <ds:KeyInfo>
>            <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1415773804278-116672087">
> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">pcpAzzdpP3WTgeZbPjSZsZgDIRI=</wsse:KeyIdentifier>
> </wsse:SecurityTokenReference>
>        </ds:KeyInfo>
>    </ds:Signature>
>    <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="2c0fa348-8a78-4274-943e-04b233869a8c" IssueInstant="2014-11-12T19:30:04.275+13:00" Version="2.0" wsu:Id="XWSSGID-14157738042791726921059">
>        <saml2:Issuer>issuer</saml2:Issuer>
>        <saml2:Subject>
>            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
>            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
>        </saml2:Subject>
>        <saml2:Conditions NotBefore="2014-11-12T18:30:04.275+13:00" NotOnOrAfter="2014-11-12T20:30:04.275+13:00"/>
>        <saml2:AuthnStatement AuthnInstant="2014-11-12T18:30:04.275+13:00">
>            <saml2:AuthnContext>
>                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>            </saml2:AuthnContext>
>        </saml2:AuthnStatement>
>    </saml2:Assertion>
> </wsse:Security>
