Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil

> Hi,
>
> I have been following the information on this page
> (https://xwss.java.net/Securing_JAVASE6_WebServices.html) to implement
> web service security using JAXWS  Handler's and XWSS 2.0 API's. It has
> gone well generally, where signed and encrypted requests are all
> properly handled and working. I have been trying to include SAML into
> the mix and have started implementing the necessary callbacks to
> validate the SAML assertions. That is where I notice a failed
> validation in the callback handler does not fail the message
> validation. Digging through the code, it looks like the exception
> thrown from the DefaultSecurityEnvironmentImpl.validateSAMLAssertion()
> is logged as a warning and swallowed in the HarnessUtil. What is the
> reason for that? Is implementing the callbacks not the right approach?
>
> On the same note, I notice the framework doesn't seem to do much
> validation on the SAML assertion at all, be it an expired assertion, or
> an absent of any assertion even. It feels like there's something
> missing. Some pointers would be greatly appreciated.
>
> Here's my wsse configuration for the client:
> <xwss:SecurityConfiguration
> xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
> <xwss:SAMLAssertion type='SV' />
> </xwss:SecurityConfiguration>
>
> And the server:
> <xwss:SecurityConfiguration
> xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
> <xwss:RequireSAMLAssertion type='SV'/>
> </xwss:SecurityConfiguration>
>
> And the logged warning with stacktrace (note that I'm throwing
> RuntimeException to demonstrate the point):
> 11 Nov 2014 20:18:16,006 | 30393059    [ERROR] {http-nio-8080-exec-8}
> (javax.enterprise.resource.xml.webservices.security) WSS0234: An Error
> occurred while Validating SAML Assertion in Policy.
> java.lang.RuntimeException: Failed validating SAML assertion
> at
> com.ocetal.webservices.server.security.SecurityEnvironmentHandler.handl
> e(SecurityEnvironmentHandler.java:237)
> at
> com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.validateSAMLAs
> sertion(DefaultSecurityEnvironmentImpl.java:1547)
> at
> com.sun.xml.wss.impl.filter.ImportSamlAssertionFilter.process(ImportSam
> lAssertionFilter.java:225)
> at
> com.sun.xml.wss.impl.filter.AuthenticationTokenFilter.processSamlToken(
> AuthenticationTokenFilter.java:119)
> at
> com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:122)
> at
> com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:278)
> at
> com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRec
> ipient.java:1034)
> at
> com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRec
> ipient.java:822)
> at
> com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipien
> t.java:261)
> at
> com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWS
> SProcessor2_0Impl.java:156)
> at
> com.orchestral.foundation.webservices.server.impl.SecureSecurityContext
> .verifyInboundMessage(SecureSecurityContext.java:57)
> at
> com.orchestral.foundation.webservices.server.impl.WSServlet.parseSoapMe
> ssage(WSServlet.java:359)
> at
> com.orchestral.foundation.webservices.server.impl.WSServlet.processMess
> age(WSServlet.java:215)
> at
> com.orchestral.foundation.webservices.server.impl.WSServlet.doPost(WSSe
> rvlet.java:180)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
> ationFilterChain.java:305)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
> terChain.java:210)
> at
> com.orchestral.core.web.impl.ErrorLoggingFilter.doFilter(ErrorLoggingFi
> lter.java:62)
> at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
> ationFilterChain.java:243)
> at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
> terChain.java:210)
> at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVal
> ve.java:222)
> at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextVal
> ve.java:123)
> at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticato
> rBase.java:472)
> at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.jav
> a:171)
> at
> com.orchestral.core.web.impl.session.SessionTracker.invoke(SessionTrack
> er.java:289)
> at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:95
> 3)
> at
> com.orchestral.core.web.impl.MonitorValve.invoke(MonitorValve.java:55)
> at
> com.orchestral.core.web.impl.ErrorReportValve.invoke(ErrorReportValve.j
> ava:62)
> at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve
> .java:118)
> at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
> 408)
> at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11
> Processor.java:1023)
> at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Ab
> stractProtocol.java:589)
> at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.
> java:1686)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown
> Source)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
> Source)
> at java.lang.Thread.run(Unknown Source)
> 11 Nov 2014 20:18:16,008 | 30393061    [WARN ] {http-nio-8080-exec-8}
> (javax.enterprise.resource.xml.webservices.security) Validation failed
> for SAML Assertion

> Hi,
>
> I have been following the information on this page
> (https://xwss.java.net/Securing_JAVASE6_WebServices.html) to implement
> web service security using JAXWS  Handler's and XWSS 2.0 API's. It has
> gone well generally, where signed and encrypted requests are all
> properly handled and working. I have been trying to include SAML into
> the mix and have started implementing the necessary callbacks to
> validate the SAML assertions. That is where I notice a failed
> validation in the callback handler does not fail the message
> validation. Digging through the code, it looks like the exception
> thrown from the DefaultSecurityEnvironmentImpl.validateSAMLAssertion()
> is logged as a warning and swallowed in the HarnessUtil. What is the
> reason for that? Is implementing the callbacks not the right approach?
>
> On the same note, I notice the framework doesn't seem to do much
> validation on the SAML assertion at all, be it an expired assertion, or
> an absent of any assertion even. It feels like there's something
> missing. Some pointers would be greatly appreciated.
>
> Here's my wsse configuration for the client:
> <xwss:SecurityConfiguration
> xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>       <xwss:SAMLAssertion type='SV' />
> </xwss:SecurityConfiguration>
>
> And the server:
> <xwss:SecurityConfiguration
> xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>       <xwss:RequireSAMLAssertion type='SV'/>
> </xwss:SecurityConfiguration>
>
> And the logged warning with stacktrace (note that I'm throwing
> RuntimeException to demonstrate the point):
> 11 Nov 2014 20:18:16,006 | 30393059    [ERROR] {http-nio-8080-exec-8}
> (javax.enterprise.resource.xml.webservices.security) WSS0234: An Error
> occurred while Validating SAML Assertion in Policy.
> java.lang.RuntimeException: Failed validating SAML assertion
>       at
> com.ocetal.webservices.server.security.SecurityEnvironmentHandler.handl
> e(SecurityEnvironmentHandler.java:237)
>       at
> com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.validateSAMLAs
> sertion(DefaultSecurityEnvironmentImpl.java:1547)
>       at
> com.sun.xml.wss.impl.filter.ImportSamlAssertionFilter.process(ImportSam
> lAssertionFilter.java:225)
>       at
> com.sun.xml.wss.impl.filter.AuthenticationTokenFilter.processSamlToken(
> AuthenticationTokenFilter.java:119)
>       at
> com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:122)
>       at
> com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:278)
>       at
> com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRec
> ipient.java:1034)
>       at
> com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRec
> ipient.java:822)
>       at
> com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipien
> t.java:261)
>       at
> com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWS
> SProcessor2_0Impl.java:156)
>       at
> com.orchestral.foundation.webservices.server.impl.SecureSecurityContext
> .verifyInboundMessage(SecureSecurityContext.java:57)
>       at
> com.orchestral.foundation.webservices.server.impl.WSServlet.parseSoapMe
> ssage(WSServlet.java:359)
>       at
> com.orchestral.foundation.webservices.server.impl.WSServlet.processMess
> age(WSServlet.java:215)
>       at
> com.orchestral.foundation.webservices.server.impl.WSServlet.doPost(WSSe
> rvlet.java:180)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>       at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
> ationFilterChain.java:305)
>       at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
> terChain.java:210)
>       at
> com.orchestral.core.web.impl.ErrorLoggingFilter.doFilter(ErrorLoggingFi
> lter.java:62)
>       at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
> ationFilterChain.java:243)
>       at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
> terChain.java:210)
>       at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVal
> ve.java:222)
>       at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextVal
> ve.java:123)
>       at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticato
> rBase.java:472)
>       at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.jav
> a:171)
>       at
> com.orchestral.core.web.impl.session.SessionTracker.invoke(SessionTrack
> er.java:289)
>       at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:95
> 3)
>       at
> com.orchestral.core.web.impl.MonitorValve.invoke(MonitorValve.java:55)
>       at
> com.orchestral.core.web.impl.ErrorReportValve.invoke(ErrorReportValve.j
> ava:62)
>       at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve
> .java:118)
>       at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
> 408)
>       at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11
> Processor.java:1023)
>       at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Ab
> stractProtocol.java:589)
>       at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.
> java:1686)
>       at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown
> Source)
>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
> Source)
>       at java.lang.Thread.run(Unknown Source)
> 11 Nov 2014 20:18:16,008 | 30393061    [WARN ] {http-nio-8080-exec-8}
> (javax.enterprise.resource.xml.webservices.security) Validation failed
> for SAML Assertion

> Hi,
>
> I have been following the information on this page
> (https://xwss.java.net/Securing_JAVASE6_WebServices.html) to implement
> web service security using JAXWS  Handler's and XWSS 2.0 API's. It has
> gone well generally, where signed and encrypted requests are all
> properly handled and working. I have been trying to include SAML into
> the mix and have started implementing the necessary callbacks to
> validate the SAML assertions. That is where I notice a failed
> validation in the callback handler does not fail the message
> validation. Digging through the code, it looks like the exception
> thrown from the DefaultSecurityEnvironmentImpl.validateSAMLAssertion()
> is logged as a warning and swallowed in the HarnessUtil. What is the
> reason for that? Is implementing the callbacks not the right approach?
>
> On the same note, I notice the framework doesn't seem to do much
> validation on the SAML assertion at all, be it an expired assertion, or
> an absent of any assertion even. It feels like there's something
> missing. Some pointers would be greatly appreciated.
>
> Here's my wsse configuration for the client:
> <xwss:SecurityConfiguration
> xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>       <xwss:SAMLAssertion type='SV' />
> </xwss:SecurityConfiguration>
>
> And the server:
> <xwss:SecurityConfiguration
> xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>       <xwss:RequireSAMLAssertion type='SV'/>
> </xwss:SecurityConfiguration>
>
> And the logged warning with stacktrace (note that I'm throwing
> RuntimeException to demonstrate the point):
> 11 Nov 2014 20:18:16,006 | 30393059    [ERROR] {http-nio-8080-exec-8}
> (javax.enterprise.resource.xml.webservices.security) WSS0234: An Error
> occurred while Validating SAML Assertion in Policy.
> java.lang.RuntimeException: Failed validating SAML assertion
>       at
> com.ocetal.webservices.server.security.SecurityEnvironmentHandler.handl
> e(SecurityEnvironmentHandler.java:237)
>       at
> com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.validateSAMLAs
> sertion(DefaultSecurityEnvironmentImpl.java:1547)
>       at
> com.sun.xml.wss.impl.filter.ImportSamlAssertionFilter.process(ImportSam
> lAssertionFilter.java:225)
>       at
> com.sun.xml.wss.impl.filter.AuthenticationTokenFilter.processSamlToken(
> AuthenticationTokenFilter.java:119)
>       at
> com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:122)
>       at
> com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:278)
>       at
> com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRec
> ipient.java:1034)
>       at
> com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRec
> ipient.java:822)
>       at
> com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipien
> t.java:261)
>       at
> com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWS
> SProcessor2_0Impl.java:156)
>       at
> com.orchestral.foundation.webservices.server.impl.SecureSecurityContext
> .verifyInboundMessage(SecureSecurityContext.java:57)
>       at
> com.orchestral.foundation.webservices.server.impl.WSServlet.parseSoapMe
> ssage(WSServlet.java:359)
>       at
> com.orchestral.foundation.webservices.server.impl.WSServlet.processMess
> age(WSServlet.java:215)
>       at
> com.orchestral.foundation.webservices.server.impl.WSServlet.doPost(WSSe
> rvlet.java:180)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>       at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>       at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
> ationFilterChain.java:305)
>       at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
> terChain.java:210)
>       at
> com.orchestral.core.web.impl.ErrorLoggingFilter.doFilter(ErrorLoggingFi
> lter.java:62)
>       at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
> ationFilterChain.java:243)
>       at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
> terChain.java:210)
>       at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVal
> ve.java:222)
>       at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextVal
> ve.java:123)
>       at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticato
> rBase.java:472)
>       at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.jav
> a:171)
>       at
> com.orchestral.core.web.impl.session.SessionTracker.invoke(SessionTrack
> er.java:289)
>       at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:95
> 3)
>       at
> com.orchestral.core.web.impl.MonitorValve.invoke(MonitorValve.java:55)
>       at
> com.orchestral.core.web.impl.ErrorReportValve.invoke(ErrorReportValve.j
> ava:62)
>       at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve
> .java:118)
>       at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
> 408)
>       at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11
> Processor.java:1023)
>       at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Ab
> stractProtocol.java:589)
>       at
> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.
> java:1686)
>       at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown
> Source)
>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
> Source)
>       at java.lang.Thread.run(Unknown Source)
> 11 Nov 2014 20:18:16,008 | 30393061    [WARN ] {http-nio-8080-exec-8}
> (javax.enterprise.resource.xml.webservices.security) Validation failed
> for SAML Assertion

> Note that if I change the SignatureTarget to "{urn:oasis:names:tc:SAML:2.0:assertion}Subject" which is just the subject part of the assertion it works. I can't quite narrow down how the assertion element is different. Here's how my security header looks like:
>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
>    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="request_signature">
>        <ds:SignedInfo>
>             <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse S"/>
>            </ds:CanonicalizationMethod>
>            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>            <ds:Reference URI="#XWSSGID-14157738042791726921059">
>                <ds:Transforms>
>                    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>                        <wsse:TransformationParameters>
>                            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                        </wsse:TransformationParameters>
>                    </ds:Transform>
>                </ds:Transforms>
>                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                <ds:DigestValue>ML1aXLmNKueEmEZ0ZVrrJIU3kkE=</ds:DigestValue>
>            </ds:Reference>
>          </ds:SignedInfo>
>        <ds:SignatureValue>fibpeYLZtC17YU67RhXons+VDYo7lQOGkuCXSOohjbwJjCSTvIdAOKD6fPP/rVDR93G1OBwmQX4C
> olnA8QSdPzAQpNQoJwvyZtXpeQ2uXyzC8sFejQa+e+rv2TACKryU5aaKUmbWavZJozG0QbxTTBwk
> qPXmcKnFcUEY3AMi+uQhs/FN0kGLT0L7Glyr2D3/q9alJbDJE8lnOAyZQ5EwqAq+7v9p1tJwwu1s
> ZpU/5zGDdxCGQQq0GA93/2zM6KY93dWfva2PcnpjXSIVhzmscIGIkMArxxiOovUqwBADa5ALfJdS
> wV6+Yvh92zbRTcc0xX0/5zmNu+hTBfQ+nOlxAg==</ds:SignatureValue>
>        <ds:KeyInfo>
>            <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1415773804278-116672087">
> <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">pcpAzzdpP3WTgeZbPjSZsZgDIRI=</wsse:KeyIdentifier>
> </wsse:SecurityTokenReference>
>        </ds:KeyInfo>
>    </ds:Signature>
>    <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="2c0fa348-8a78-4274-943e-04b233869a8c" IssueInstant="2014-11-12T19:30:04.275+13:00" Version="2.0" wsu:Id="XWSSGID-14157738042791726921059">
>        <saml2:Issuer>issuer</saml2:Issuer>
>        <saml2:Subject>
>            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
>            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
>        </saml2:Subject>
>        <saml2:Conditions NotBefore="2014-11-12T18:30:04.275+13:00" NotOnOrAfter="2014-11-12T20:30:04.275+13:00"/>
>        <saml2:AuthnStatement AuthnInstant="2014-11-12T18:30:04.275+13:00">
>            <saml2:AuthnContext>
>                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>            </saml2:AuthnContext>
>        </saml2:AuthnStatement>
>    </saml2:Assertion>
> </wsse:Security>
>
> ________________________________________
> From: Louis Ho <[hidden email]>
> Sent: Wednesday, 12 November 2014 07:41 p.m.
> To: [hidden email]
> Subject: Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil
>
> Thanks for the information. Will try to contribute a fix. Can you point me to the instructions for submitting the fix and how we can build and run tests to make sure the fix won't break other stuff?
>
> And I have a follow on question. Now that I have a SAML assertion in my request. I'm trying to sign the assertion with the message. I tried using the Sign and RequireSignature xwss configuration in the following way, which I know works on other message element like the SOAP-ENV:Body when SAML assertion is not part of the picture. But when I make the Assertion element as the SignatureTarget I get a "WSS1315: Signature Verification Failed" on the receiving end. Is my configuration for signing the SAML assertion valid? Or is there a specific way of doing it? Here is my client configuration:
> <xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>        <xwss:SAMLAssertion type='SV' />
>        <xwss:Sign id='request_signature' includeTimestamp='false'>
>                <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
>                <xwss:CanonicalizationMethod algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
>                <xwss:SignatureMethod algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
>                <xwss:SignatureTarget value='{urn:oasis:names:tc:SAML:2.0:assertion}Assertion'>
>                        <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
>                        <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>                                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                        </xwss:Transform>
>                </xwss:SignatureTarget>
>        </xwss:Sign>
> </xwss:SecurityConfiguration>
>
> And the server configuration:
> <xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>        <xwss:RequireSignature id='request_signature' requireTimestamp='false'>
>                <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
>                <xwss:CanonicalizationMethod algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
>                <xwss:SignatureMethod algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
>                <xwss:SignatureTarget value='{urn:oasis:names:tc:SAML:2.0:assertion}Assertion'>
>                        <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
>                        <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>                                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                        </xwss:Transform>
>                </xwss:SignatureTarget>
>                <!--xwss:SignatureTarget type='xpath' value='.//SOAP-ENV:Body'>
>                        <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
>                        <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>                                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                        </xwss:Transform>
>                </xwss:SignatureTarget-->
>        </xwss:RequireSignature>
>        <xwss:RequireSAMLAssertion type='SV'/>
> </xwss:SecurityConfiguration>
>
> And the error stacktrace:
> 12 Nov 2014 19:30:04,295 | 113901348   [ERROR] {http-nio-8080-exec-6} (com.sun.xml.wss.logging.impl.dsig) WSS1315: Signature Verification Failed
> 12 Nov 2014 19:30:04,295 | 113901348   [ERROR] {http-nio-8080-exec-6} (com.sun.xml.wss.logging.impl.dsig) WSS1338: Error occurred in verifying the signature
> Error message was: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
> com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
>        at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:158)
>        at com.orchestral.foundation.webservices.server.impl.SecureSecurityContext.verifyInboundMessage(SecureSecurityContext.java:57)
>        at com.orchestral.foundation.webservices.server.impl.WSServlet.parseSoapMessage(WSServlet.java:359)
>        at com.orchestral.foundation.webservices.server.impl.WSServlet.processMessage(WSServlet.java:215)
>        at com.orchestral.foundation.webservices.server.impl.WSServlet.doPost(WSServlet.java:180)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>        at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> Caused by: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
>        at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:916)
>        at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:638)
>        at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:99)
>        at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:278)
>        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:870)
>        at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:822)
>        at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:261)
>        at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:156)
>        ... 27 more
> Caused by: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
>        at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:349)
>        at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:831)
>        ... 34 more
>
>
>
> ________________________________________
> From: KumarJayanti <[hidden email]>
> Sent: Tuesday, 11 November 2014 09:08 p.m.
> To: [hidden email]
> Subject: Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil
>
> that must be a bug. See if you can access the source code and actually make a fix.
>
>
> On Nov 11, 2014, at 12:52 PM, [hidden email] wrote:
>
>> Hi,
>>
>> I have been following the information on this page
>> (https://xwss.java.net/Securing_JAVASE6_WebServices.html) to implement
>> web service security using JAXWS  Handler's and XWSS 2.0 API's. It has
>> gone well generally, where signed and encrypted requests are all
>> properly handled and working. I have been trying to include SAML into
>> the mix and have started implementing the necessary callbacks to
>> validate the SAML assertions. That is where I notice a failed
>> validation in the callback handler does not fail the message
>> validation. Digging through the code, it looks like the exception
>> thrown from the DefaultSecurityEnvironmentImpl.validateSAMLAssertion()
>> is logged as a warning and swallowed in the HarnessUtil. What is the
>> reason for that? Is implementing the callbacks not the right approach?
>>
>> On the same note, I notice the framework doesn't seem to do much
>> validation on the SAML assertion at all, be it an expired assertion, or
>> an absent of any assertion even. It feels like there's something
>> missing. Some pointers would be greatly appreciated.
>>
>> Here's my wsse configuration for the client:
>> <xwss:SecurityConfiguration
>> xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>>      <xwss:SAMLAssertion type='SV' />
>> </xwss:SecurityConfiguration>
>>
>> And the server:
>> <xwss:SecurityConfiguration
>> xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>>      <xwss:RequireSAMLAssertion type='SV'/>
>> </xwss:SecurityConfiguration>
>>
>> And the logged warning with stacktrace (note that I'm throwing
>> RuntimeException to demonstrate the point):
>> 11 Nov 2014 20:18:16,006 | 30393059    [ERROR] {http-nio-8080-exec-8}
>> (javax.enterprise.resource.xml.webservices.security) WSS0234: An Error
>> occurred while Validating SAML Assertion in Policy.
>> java.lang.RuntimeException: Failed validating SAML assertion
>>      at
>> com.ocetal.webservices.server.security.SecurityEnvironmentHandler.handl
>> e(SecurityEnvironmentHandler.java:237)
>>      at
>> com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.validateSAMLAs
>> sertion(DefaultSecurityEnvironmentImpl.java:1547)
>>      at
>> com.sun.xml.wss.impl.filter.ImportSamlAssertionFilter.process(ImportSam
>> lAssertionFilter.java:225)
>>      at
>> com.sun.xml.wss.impl.filter.AuthenticationTokenFilter.processSamlToken(
>> AuthenticationTokenFilter.java:119)
>>      at
>> com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:122)
>>      at
>> com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:278)
>>      at
>> com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRec
>> ipient.java:1034)
>>      at
>> com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRec
>> ipient.java:822)
>>      at
>> com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipien
>> t.java:261)
>>      at
>> com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWS
>> SProcessor2_0Impl.java:156)
>>      at
>> com.orchestral.foundation.webservices.server.impl.SecureSecurityContext
>> .verifyInboundMessage(SecureSecurityContext.java:57)
>>      at
>> com.orchestral.foundation.webservices.server.impl.WSServlet.parseSoapMe
>> ssage(WSServlet.java:359)
>>      at
>> com.orchestral.foundation.webservices.server.impl.WSServlet.processMess
>> age(WSServlet.java:215)
>>      at
>> com.orchestral.foundation.webservices.server.impl.WSServlet.doPost(WSSe
>> rvlet.java:180)
>>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>>      at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>>      at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
>> ationFilterChain.java:305)
>>      at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
>> terChain.java:210)
>>      at
>> com.orchestral.core.web.impl.ErrorLoggingFilter.doFilter(ErrorLoggingFi
>> lter.java:62)
>>      at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Applic
>> ationFilterChain.java:243)
>>      at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFil
>> terChain.java:210)
>>      at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVal
>> ve.java:222)
>>      at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextVal
>> ve.java:123)
>>      at
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(Authenticato
>> rBase.java:472)
>>      at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.jav
>> a:171)
>>      at
>> com.orchestral.core.web.impl.session.SessionTracker.invoke(SessionTrack
>> er.java:289)
>>      at
>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:95
>> 3)
>>      at
>> com.orchestral.core.web.impl.MonitorValve.invoke(MonitorValve.java:55)
>>      at
>> com.orchestral.core.web.impl.ErrorReportValve.invoke(ErrorReportValve.j
>> ava:62)
>>      at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve
>> .java:118)
>>      at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:
>> 408)
>>      at
>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11
>> Processor.java:1023)
>>      at
>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(Ab
>> stractProtocol.java:589)
>>      at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.
>> java:1686)
>>      at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown
>> Source)
>>      at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
>> Source)
>>      at java.lang.Thread.run(Unknown Source)
>> 11 Nov 2014 20:18:16,008 | 30393061    [WARN ] {http-nio-8080-exec-8}
>> (javax.enterprise.resource.xml.webservices.security) Validation failed
>> for SAML Assertion
>