Exception thrown in DefaultSecurityEnvironmentImpl
Re: Exception thrown in DefaultSecurityEnvironmentImpl
That must be a bug. See if you can access the source code and actually make a fix.
On Nov 11, 2014, at 12:52 PM, [hidden email] wrote:

> Hi,
>
> I have been following the information on this page (https://xwss.java.net/Securing_JAVASE6_WebServices.html) to implement web service security using JAX-WS Handlers and XWSS 2.0 APIs. It has gone well generally, where signed and encrypted requests are all properly handled and working. I have been trying to include SAML into the mix and have started implementing the necessary callbacks to validate the SAML assertions. That is where I notice a failed validation in the callback handler does not fail the message validation. Digging through the code, it looks like the exception thrown from the DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is logged as a warning and swallowed in the HarnessUtil. What is the reason for that? Is implementing the callbacks not the right approach?
>
> On the same note, I notice the framework doesn't seem to do much validation on the SAML assertion at all, be it an expired assertion, or even the absence of any assertion. It feels like there's something missing. Some pointers would be greatly appreciated.
>
> Here's my wsse configuration for the client:
>
> <xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>     <xwss:SAMLAssertion type='SV' />
> </xwss:SecurityConfiguration>
>
> And the server:
>
> <xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>     <xwss:RequireSAMLAssertion type='SV'/>
> </xwss:SecurityConfiguration>
>
> And the logged warning with stacktrace (note that I'm throwing RuntimeException to demonstrate the point):
>
> 11 Nov 2014 20:18:16,006 | 30393059 [ERROR] {http-nio-8080-exec-8} (javax.enterprise.resource.xml.webservices.security) WSS0234: An Error occurred while Validating SAML Assertion in Policy.
> java.lang.RuntimeException: Failed validating SAML assertion
>     at com.ocetal.webservices.server.security.SecurityEnvironmentHandler.handle(SecurityEnvironmentHandler.java:237)
>     at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.validateSAMLAssertion(DefaultSecurityEnvironmentImpl.java:1547)
>     at com.sun.xml.wss.impl.filter.ImportSamlAssertionFilter.process(ImportSamlAssertionFilter.java:225)
>     at com.sun.xml.wss.impl.filter.AuthenticationTokenFilter.processSamlToken(AuthenticationTokenFilter.java:119)
>     at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:122)
>     at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:278)
>     at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:1034)
>     at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:822)
>     at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:261)
>     at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:156)
>     at com.orchestral.foundation.webservices.server.impl.SecureSecurityContext.verifyInboundMessage(SecureSecurityContext.java:57)
>     at com.orchestral.foundation.webservices.server.impl.WSServlet.parseSoapMessage(WSServlet.java:359)
>     at com.orchestral.foundation.webservices.server.impl.WSServlet.processMessage(WSServlet.java:215)
>     at com.orchestral.foundation.webservices.server.impl.WSServlet.doPost(WSServlet.java:180)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at com.orchestral.core.web.impl.ErrorLoggingFilter.doFilter(ErrorLoggingFilter.java:62)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
>     at com.orchestral.core.web.impl.session.SessionTracker.invoke(SessionTracker.java:289)
>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
>     at com.orchestral.core.web.impl.MonitorValve.invoke(MonitorValve.java:55)
>     at com.orchestral.core.web.impl.ErrorReportValve.invoke(ErrorReportValve.java:62)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
>     at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1686)
>     at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>     at java.lang.Thread.run(Unknown Source)
> 11 Nov 2014 20:18:16,008 | 30393061 [WARN ] {http-nio-8080-exec-8} (javax.enterprise.resource.xml.webservices.security) Validation failed for SAML Assertion
Thanks for the information. Will try to contribute a fix. Can you point me to the instructions for submitting the fix and how we can build and run tests to make sure the fix won't break other stuff?
And I have a follow-on question. Now that I have a SAML assertion in my request, I'm trying to sign the assertion with the message. I tried using the Sign and RequireSignature xwss configuration in the following way, which I know works on other message elements like the SOAP-ENV:Body when a SAML assertion is not part of the picture. But when I make the Assertion element the SignatureTarget I get a "WSS1315: Signature Verification Failed" on the receiving end. Is my configuration for signing the SAML assertion valid? Or is there a specific way of doing it?

Here is my client configuration:

<xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
    <xwss:SAMLAssertion type='SV' />
    <xwss:Sign id='request_signature' includeTimestamp='false'>
        <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
        <xwss:CanonicalizationMethod algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
        <xwss:SignatureMethod algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
        <xwss:SignatureTarget value='{urn:oasis:names:tc:SAML:2.0:assertion}Assertion'>
            <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
            <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </xwss:Transform>
        </xwss:SignatureTarget>
    </xwss:Sign>
</xwss:SecurityConfiguration>

And the server configuration:

<xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
    <xwss:RequireSignature id='request_signature' requireTimestamp='false'>
        <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
        <xwss:CanonicalizationMethod algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
        <xwss:SignatureMethod algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
        <xwss:SignatureTarget value='{urn:oasis:names:tc:SAML:2.0:assertion}Assertion'>
            <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
            <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </xwss:Transform>
        </xwss:SignatureTarget>
        <!--xwss:SignatureTarget type='xpath' value='.//SOAP-ENV:Body'>
            <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
            <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </xwss:Transform>
        </xwss:SignatureTarget-->
    </xwss:RequireSignature>
    <xwss:RequireSAMLAssertion type='SV'/>
</xwss:SecurityConfiguration>

And the error stacktrace:

12 Nov 2014 19:30:04,295 | 113901348 [ERROR] {http-nio-8080-exec-6} (com.sun.xml.wss.logging.impl.dsig) WSS1315: Signature Verification Failed
12 Nov 2014 19:30:04,295 | 113901348 [ERROR] {http-nio-8080-exec-6} (com.sun.xml.wss.logging.impl.dsig) WSS1338: Error occurred in verifying the signature Error message was: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
    at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:158)
    at com.orchestral.foundation.webservices.server.impl.SecureSecurityContext.verifyInboundMessage(SecureSecurityContext.java:57)
    at com.orchestral.foundation.webservices.server.impl.WSServlet.parseSoapMessage(WSServlet.java:359)
    at com.orchestral.foundation.webservices.server.impl.WSServlet.processMessage(WSServlet.java:215)
    at com.orchestral.foundation.webservices.server.impl.WSServlet.doPost(WSServlet.java:180)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
Caused by: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
    at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:916)
    at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:638)
    at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:99)
    at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:278)
    at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:870)
    at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:822)
    at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:261)
    at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:156)
    ... 27 more
Caused by: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
    at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:349)
    at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:831)
    ... 34 more

________________________________________
From: KumarJayanti <[hidden email]>
Sent: Tuesday, 11 November 2014 09:08 p.m.
To: [hidden email]
Subject: Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil

That must be a bug. See if you can access the source code and actually make a fix.
Note that if I change the SignatureTarget to "{urn:oasis:names:tc:SAML:2.0:assertion}Subject", which is just the subject part of the assertion, it works. I can't quite narrow down how the assertion element is different. Here's what my security header looks like:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="request_signature">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse S"/>
            </ds:CanonicalizationMethod>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#XWSSGID-14157738042791726921059">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                        <wsse:TransformationParameters>
                            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                        </wsse:TransformationParameters>
                    </ds:Transform>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>ML1aXLmNKueEmEZ0ZVrrJIU3kkE=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>fibpeYLZtC17YU67RhXons+VDYo7lQOGkuCXSOohjbwJjCSTvIdAOKD6fPP/rVDR93G1OBwmQX4C
olnA8QSdPzAQpNQoJwvyZtXpeQ2uXyzC8sFejQa+e+rv2TACKryU5aaKUmbWavZJozG0QbxTTBwk
qPXmcKnFcUEY3AMi+uQhs/FN0kGLT0L7Glyr2D3/q9alJbDJE8lnOAyZQ5EwqAq+7v9p1tJwwu1s
ZpU/5zGDdxCGQQq0GA93/2zM6KY93dWfva2PcnpjXSIVhzmscIGIkMArxxiOovUqwBADa5ALfJdS
wV6+Yvh92zbRTcc0xX0/5zmNu+hTBfQ+nOlxAg==</ds:SignatureValue>
        <ds:KeyInfo>
            <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1415773804278-116672087">
                <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">pcpAzzdpP3WTgeZbPjSZsZgDIRI=</wsse:KeyIdentifier>
            </wsse:SecurityTokenReference>
        </ds:KeyInfo>
    </ds:Signature>
    <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="2c0fa348-8a78-4274-943e-04b233869a8c" IssueInstant="2014-11-12T19:30:04.275+13:00" Version="2.0" wsu:Id="XWSSGID-14157738042791726921059">
        <saml2:Issuer>issuer</saml2:Issuer>
        <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2014-11-12T18:30:04.275+13:00" NotOnOrAfter="2014-11-12T20:30:04.275+13:00"/>
        <saml2:AuthnStatement AuthnInstant="2014-11-12T18:30:04.275+13:00">
            <saml2:AuthnContext>
                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
        </saml2:AuthnStatement>
    </saml2:Assertion>
</wsse:Security>

________________________________________
From: Louis Ho <[hidden email]>
Sent: Wednesday, 12 November 2014 07:41 p.m.
To: [hidden email]
Subject: Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil
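As an added example (not code from the thread, from XWSS, or from the poster), here is the fail-closed check a receiver can run over the security header above; it covers both questions in the thread: the validation the poster found XWSS does not perform (absent assertion, issuer, NotBefore/NotOnOrAfter, confirmation method) and whether the saml2:Assertion is really the element the ds:Reference points at through its wsu:Id. It uses only JDK DOM classes and does not verify the signature itself, and its header string is a constructed, trimmed copy of the one in the thread with a placeholder SignatureValue.

```java
import java.io.StringReader;
import java.time.Instant;
import java.time.OffsetDateTime;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Fail-closed receiver-side checks on a WS-Security header carrying a sender-vouches SAML 2.0 assertion.
 *  Plain JDK DOM code, not the XWSS callback API; it does not verify the XML signature itself. */
public class SamlHeaderChecks {
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches";
    /** Every failure is an exception the caller must propagate, never log as a warning and continue. */
    public static class SamlValidationException extends Exception {
        public SamlValidationException(String msg) { super(msg); }
    }
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The header comes off the wire: no DTDs, no entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
    /** The assertion must be what a ds:Reference points at (URI = "#" + its wsu:Id); otherwise it is not signed. */
    static void requireSignedReference(Document doc, Element assertion) throws SamlValidationException {
        String id = assertion.getAttributeNS(WSU, "Id");
        if (id.isEmpty()) throw new SamlValidationException("assertion carries no wsu:Id");
        NodeList refs = doc.getElementsByTagNameNS(DS, "Reference");
        for (int i = 0; i < refs.getLength(); i++) {
            if (("#" + id).equals(((Element) refs.item(i)).getAttribute("URI"))) return;
        }
        throw new SamlValidationException("no ds:Reference covers assertion " + id);
    }
    /** Issuer, validity window and confirmation method: the checks the thread notes are missing. */
    static void requireConditions(Element a, Instant now, String expectedIssuer) throws SamlValidationException {
        NodeList issuer = a.getElementsByTagNameNS(SAML2, "Issuer");
        if (issuer.getLength() != 1 || !expectedIssuer.equals(issuer.item(0).getTextContent().trim()))
            throw new SamlValidationException("unexpected or missing saml2:Issuer");
        NodeList conds = a.getElementsByTagNameNS(SAML2, "Conditions");
        if (conds.getLength() != 1) throw new SamlValidationException("missing saml2:Conditions");
        Element c = (Element) conds.item(0);
        if (c.getAttribute("NotBefore").isEmpty() || c.getAttribute("NotOnOrAfter").isEmpty())
            throw new SamlValidationException("Conditions without a validity window");
        if (now.isBefore(OffsetDateTime.parse(c.getAttribute("NotBefore")).toInstant()))
            throw new SamlValidationException("assertion not yet valid");
        if (!now.isBefore(OffsetDateTime.parse(c.getAttribute("NotOnOrAfter")).toInstant()))
            throw new SamlValidationException("assertion expired");
        NodeList conf = a.getElementsByTagNameNS(SAML2, "SubjectConfirmation");
        if (conf.getLength() != 1 || !SENDER_VOUCHES.equals(((Element) conf.item(0)).getAttribute("Method")))
            throw new SamlValidationException("subject confirmation is not sender-vouches");
    }
    /** Returns the NameID only after every check passed; the caller builds the principal from that. */
    public static String validate(String securityHeaderXml, Instant now, String expectedIssuer) throws Exception {
        Document doc = parse(securityHeaderXml);
        NodeList list = doc.getElementsByTagNameNS(SAML2, "Assertion");
        // An absent or duplicated assertion is a failure, not a pass.
        if (list.getLength() != 1) throw new SamlValidationException("expected one saml2:Assertion, found " + list.getLength());
        Element a = (Element) list.item(0);
        requireSignedReference(doc, a);
        requireConditions(a, now, expectedIssuer);
        NodeList ids = a.getElementsByTagNameNS(SAML2, "NameID");
        if (ids.getLength() != 1) throw new SamlValidationException("missing saml2:NameID");
        return ids.item(0).getTextContent().trim();
    }
    static String attempt(String headerXml, Instant now) throws Exception {
        try { return "accepted principal " + validate(headerXml, now, "issuer"); }
        catch (SamlValidationException e) { return "rejected: " + e.getMessage(); }
    }
    // Constructed sample: the header from the thread trimmed to what the checks read (transforms, KeyInfo and
    // AuthnStatement dropped, SignatureValue replaced by a placeholder). xmlns:S is declared here only because
    // the fragment is detached from its SOAP Envelope.
    static final String HEADER =
        "<wsse:Security xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\""
      + " xmlns:S=\"http://schemas.xmlsoap.org/soap/envelope/\" S:mustUnderstand=\"1\">"
      + "<ds:Signature xmlns:ds=\"" + DS + "\" Id=\"request_signature\"><ds:SignedInfo>"
      + "<ds:CanonicalizationMethod Algorithm=\"http://www.w3.org/2001/10/xml-exc-c14n#\"/>"
      + "<ds:SignatureMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#rsa-sha1\"/>"
      + "<ds:Reference URI=\"#XWSSGID-14157738042791726921059\"><ds:DigestMethod Algorithm=\"http://www.w3.org/2000/09/xmldsig#sha1\"/>"
      + "<ds:DigestValue>ML1aXLmNKueEmEZ0ZVrrJIU3kkE=</ds:DigestValue></ds:Reference></ds:SignedInfo>"
      + "<ds:SignatureValue>SIGNATURE-VALUE-OMITTED</ds:SignatureValue></ds:Signature>"
      + "<saml2:Assertion xmlns:saml2=\"" + SAML2 + "\" xmlns:wsu=\"" + WSU + "\" ID=\"2c0fa348-8a78-4274-943e-04b233869a8c\""
      + " IssueInstant=\"2014-11-12T19:30:04.275+13:00\" Version=\"2.0\" wsu:Id=\"XWSSGID-14157738042791726921059\">"
      + "<saml2:Issuer>issuer</saml2:Issuer><saml2:Subject>"
      + "<saml2:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">admin</saml2:NameID>"
      + "<saml2:SubjectConfirmation Method=\"" + SENDER_VOUCHES + "\"/></saml2:Subject>"
      + "<saml2:Conditions NotBefore=\"2014-11-12T18:30:04.275+13:00\" NotOnOrAfter=\"2014-11-12T20:30:04.275+13:00\"/>"
      + "</saml2:Assertion></wsse:Security>";
    public static void main(String[] args) throws Exception {
        Instant inWindow = OffsetDateTime.parse("2014-11-12T19:30:05+13:00").toInstant();
        System.out.println(attempt(HEADER, inWindow));
        // Two hours later the same assertion is past NotOnOrAfter.
        System.out.println(attempt(HEADER, inWindow.plusSeconds(7200)));
        // Same assertion but with a wsu:Id that no ds:Reference points at: present, yet not the signed element.
        System.out.println(attempt(HEADER.replace("wsu:Id=\"XWSSGID-14157738042791726921059\"", "wsu:Id=\"unsigned\""), inWindow));
    }
}
```

In a real receiver the signature verification (which XWSS does perform) runs first; these checks are what must sit behind it and throw rather than log, so that the SAML failure fails the message, which is exactly what the thread reports HarnessUtil does not do.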
Depending on which version of the jars you are using, there were some bugs in STR-Transform

> <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">

and that could be the reason for the failure you are seeing. I am not part of the project anymore and so I cannot offer more help on this. Send a mail to "[hidden email] Grebác" <[hidden email]> to find out how you can contribute fixes to the project.

On Nov 12, 2014, at 12:24 PM, Louis Ho <[hidden email]> wrote:

> Note that if I change the SignatureTarget to "{urn:oasis:names:tc:SAML:2.0:assertion}Subject", which is just the subject part of the assertion, it works. I can't quite narrow down how the assertion element is different. Here's what my security header looks like:
>
> <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" S:mustUnderstand="1">
>   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="request_signature">
>     <ds:SignedInfo>
>       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>         <InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse S"/>
>       </ds:CanonicalizationMethod>
>       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>       <ds:Reference URI="#XWSSGID-14157738042791726921059">
>         <ds:Transforms>
>           <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>             <wsse:TransformationParameters>
>               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>             </wsse:TransformationParameters>
>           </ds:Transform>
>         </ds:Transforms>
>         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>         <ds:DigestValue>ML1aXLmNKueEmEZ0ZVrrJIU3kkE=</ds:DigestValue>
>       </ds:Reference>
>     </ds:SignedInfo>
>     <ds:SignatureValue>fibpeYLZtC17YU67RhXons+VDYo7lQOGkuCXSOohjbwJjCSTvIdAOKD6fPP/rVDR93G1OBwmQX4C
>     olnA8QSdPzAQpNQoJwvyZtXpeQ2uXyzC8sFejQa+e+rv2TACKryU5aaKUmbWavZJozG0QbxTTBwk
>     qPXmcKnFcUEY3AMi+uQhs/FN0kGLT0L7Glyr2D3/q9alJbDJE8lnOAyZQ5EwqAq+7v9p1tJwwu1s
>     ZpU/5zGDdxCGQQq0GA93/2zM6KY93dWfva2PcnpjXSIVhzmscIGIkMArxxiOovUqwBADa5ALfJdS
>     wV6+Yvh92zbRTcc0xX0/5zmNu+hTBfQ+nOlxAg==</ds:SignatureValue>
>     <ds:KeyInfo>
>       <wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1415773804278-116672087">
>         <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">pcpAzzdpP3WTgeZbPjSZsZgDIRI=</wsse:KeyIdentifier>
>       </wsse:SecurityTokenReference>
>     </ds:KeyInfo>
>   </ds:Signature>
>   <saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="2c0fa348-8a78-4274-943e-04b233869a8c" IssueInstant="2014-11-12T19:30:04.275+13:00" Version="2.0" wsu:Id="XWSSGID-14157738042791726921059">
>     <saml2:Issuer>issuer</saml2:Issuer>
>     <saml2:Subject>
>       <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">admin</saml2:NameID>
>       <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
>     </saml2:Subject>
>     <saml2:Conditions NotBefore="2014-11-12T18:30:04.275+13:00" NotOnOrAfter="2014-11-12T20:30:04.275+13:00"/>
>     <saml2:AuthnStatement AuthnInstant="2014-11-12T18:30:04.275+13:00">
>       <saml2:AuthnContext>
>         <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>       </saml2:AuthnContext>
>     </saml2:AuthnStatement>
>   </saml2:Assertion>
> </wsse:Security>
>
> ________________________________________
> From: Louis Ho <[hidden email]>
> Sent: Wednesday, 12 November 2014 07:41 p.m.
> To: [hidden email]
> Subject: Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil
>
> Thanks for the information. Will try to contribute a fix. Can you point me to the instructions for submitting the fix and how we can build and run tests to make sure the fix won't break other stuff?
>
> And I have a follow-on question. Now that I have a SAML assertion in my request, I'm trying to sign the assertion with the message. I tried using the Sign and RequireSignature xwss configuration in the following way, which I know works on other message elements like the SOAP-ENV:Body when a SAML assertion is not part of the picture. But when I make the Assertion element the SignatureTarget, I get a "WSS1315: Signature Verification Failed" on the receiving end. Is my configuration for signing the SAML assertion valid? Or is there a specific way of doing it? Here is my client configuration:
>
> <xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>   <xwss:SAMLAssertion type='SV' />
>   <xwss:Sign id='request_signature' includeTimestamp='false'>
>     <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
>     <xwss:CanonicalizationMethod algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
>     <xwss:SignatureMethod algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
>     <xwss:SignatureTarget value='{urn:oasis:names:tc:SAML:2.0:assertion}Assertion'>
>       <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
>       <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>         <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       </xwss:Transform>
>     </xwss:SignatureTarget>
>   </xwss:Sign>
> </xwss:SecurityConfiguration>
>
> And the server configuration:
>
> <xwss:SecurityConfiguration xmlns:xwss='http://java.sun.com/xml/ns/xwss/config'>
>   <xwss:RequireSignature id='request_signature' requireTimestamp='false'>
>     <xwss:X509Token keyReferenceType='Identifier' valueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' />
>     <xwss:CanonicalizationMethod algorithm='http://www.w3.org/2001/10/xml-exc-c14n#' />
>     <xwss:SignatureMethod algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1' />
>     <xwss:SignatureTarget value='{urn:oasis:names:tc:SAML:2.0:assertion}Assertion'>
>       <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
>       <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>         <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       </xwss:Transform>
>     </xwss:SignatureTarget>
>     <!--xwss:SignatureTarget type='xpath' value='.//SOAP-ENV:Body'>
>       <xwss:DigestMethod algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
>       <xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
>         <xwss:AlgorithmParameter name="CanonicalizationMethod" value="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>       </xwss:Transform>
>     </xwss:SignatureTarget-->
>   </xwss:RequireSignature>
>   <xwss:RequireSAMLAssertion type='SV'/>
> </xwss:SecurityConfiguration>
>
> And the error stacktrace:
>
> 12 Nov 2014 19:30:04,295 | 113901348 [ERROR] {http-nio-8080-exec-6} (com.sun.xml.wss.logging.impl.dsig) WSS1315: Signature Verification Failed
> 12 Nov 2014 19:30:04,295 | 113901348 [ERROR] {http-nio-8080-exec-6} (com.sun.xml.wss.logging.impl.dsig) WSS1338: Error occurred in verifying the signature
> Error message was: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
> com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
>     at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:158)
>     at com.orchestral.foundation.webservices.server.impl.SecureSecurityContext.verifyInboundMessage(SecureSecurityContext.java:57)
>     at com.orchestral.foundation.webservices.server.impl.WSServlet.parseSoapMessage(WSServlet.java:359)
>     at com.orchestral.foundation.webservices.server.impl.WSServlet.processMessage(WSServlet.java:215)
>     at com.orchestral.foundation.webservices.server.impl.WSServlet.doPost(WSServlet.java:180)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:728)
> Caused by: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
>     at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:916)
>     at com.sun.xml.wss.impl.filter.SignatureFilter.process(SignatureFilter.java:638)
>     at com.sun.xml.wss.impl.HarnessUtil.processWSSPolicy(HarnessUtil.java:99)
>     at com.sun.xml.wss.impl.HarnessUtil.processDeep(HarnessUtil.java:278)
>     at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:870)
>     at com.sun.xml.wss.impl.SecurityRecipient.processMessagePolicy(SecurityRecipient.java:822)
>     at com.sun.xml.wss.impl.SecurityRecipient.validateMessage(SecurityRecipient.java:261)
>     at com.sun.xml.wss.impl.misc.XWSSProcessor2_0Impl.verifyInboundMessage(XWSSProcessor2_0Impl.java:156)
>     ... 27 more
> Caused by: com.sun.xml.wss.impl.WssSoapFaultException: Invalid Security Header
>     at com.sun.xml.wss.impl.SecurableSoapMessage.newSOAPFaultException(SecurableSoapMessage.java:349)
>     at com.sun.xml.wss.impl.dsig.SignatureProcessor.verify(SignatureProcessor.java:831)
>     ... 34 more
>
>
> ________________________________________
> From: KumarJayanti <[hidden email]>
> Sent: Tuesday, 11 November 2014 09:08 p.m.
> To: [hidden email]
> Subject: Re: Exception thrown in DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is swallowed in HarnessUtil
>
> that must be a bug. See if you can access the source code and actually make a fix.
>
> On Nov 11, 2014, at 12:52 PM, [hidden email] wrote:
>
>> Hi,
>>
>> I have been following the information on this page (https://xwss.java.net/Securing_JAVASE6_WebServices.html) to implement web service security using JAXWS Handlers and XWSS 2.0 APIs. It has gone well generally, where signed and encrypted requests are all properly handled and working. I have been trying to include SAML into the mix and have started implementing the necessary callbacks to validate the SAML assertions. That is where I notice a failed validation in the callback handler does not fail the message validation. Digging through the code, it looks like the exception thrown from the DefaultSecurityEnvironmentImpl.validateSAMLAssertion() is logged as a warning and swallowed in the HarnessUtil. What is the reason for that? Is implementing the callbacks not the right approach?
>>
>> On the same note, I notice the framework doesn't seem to do much validation on the SAML assertion at all, be it an expired assertion, or even the absence of any assertion. It feels like there's something missing. Some pointers would be greatly appreciated.
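The checks the thread says XWSS leaves out (absent or expired assertion, issuer) together with the coverage check the signing question implies (the assertion's wsu:Id must be among the signed ds:Reference URIs), as an added Python example; it is not part of the thread or of the XWSS code base. The sample header is constructed from the one Louis Ho posted with the signature and digest values left out, and the 5-minute clock skew, the trusted-issuer set and the function names are assumptions.

```python
# Added example (not XWSS project code): the thread reports that a failed SAML callback is
# logged and swallowed and that XWSS itself checks little, so the recipient checks fail-closed.
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"

class SamlValidationError(Exception):
    """Any failed check raises; the caller must then reject the whole message."""

def validate_security_header(header_xml, trusted_issuers, now, skew=timedelta(minutes=5)):
    root = ET.fromstring(header_xml)
    assertions = root.findall("saml2:Assertion", NS)
    if len(assertions) != 1:  # an absent (or duplicated) assertion is a failure, not a pass
        raise SamlValidationError(f"expected one assertion, found {len(assertions)}")
    a = assertions[0]
    issuer = a.findtext("saml2:Issuer", default="", namespaces=NS)
    if issuer not in trusted_issuers:
        raise SamlValidationError(f"untrusted issuer {issuer!r}")
    cond = a.find("saml2:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if nb is None or na is None:
        raise SamlValidationError("assertion has no NotBefore/NotOnOrAfter window")
    if now + skew < datetime.fromisoformat(nb):
        raise SamlValidationError("assertion not yet valid")
    if now - skew >= datetime.fromisoformat(na):
        raise SamlValidationError("assertion expired")
    methods = [sc.get("Method") for sc in a.findall("saml2:Subject/saml2:SubjectConfirmation", NS)]
    if SENDER_VOUCHES not in methods:
        raise SamlValidationError(f"unexpected confirmation method(s) {methods}")
    # Sender-vouches only means something if the sender's signature covers the assertion.
    wsu_id = a.get("{%s}Id" % NS["wsu"])
    refs = {r.get("URI") for r in root.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    if not wsu_id or "#" + wsu_id not in refs:
        raise SamlValidationError("assertion is not covered by the message signature")
    return {"issuer": issuer, "subject": a.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS)}

def check(header_xml, now_iso, trusted_issuers=frozenset({"issuer"})):
    """Wrapper returning ('accepted', info) or ('rejected', reason) instead of raising."""
    try:
        return "accepted", validate_security_header(header_xml, trusted_issuers, datetime.fromisoformat(now_iso))
    except (SamlValidationError, ET.ParseError, TypeError, ValueError) as err:
        return "rejected", str(err)

# Constructed sample shaped like the thread's header; SignatureValue, DigestValue and KeyInfo omitted.
SAMPLE_HEADER = """<wsse:Security xmlns:wsse="{wsse}" xmlns:ds="{ds}" xmlns:wsu="{wsu}" xmlns:saml2="{saml2}">
<ds:Signature><ds:SignedInfo><ds:Reference URI="#XWSSGID-14157738042791726921059"/></ds:SignedInfo></ds:Signature>
<saml2:Assertion Version="2.0" wsu:Id="XWSSGID-14157738042791726921059"><saml2:Issuer>issuer</saml2:Issuer>
<saml2:Subject><saml2:NameID>admin</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/></saml2:Subject>
<saml2:Conditions NotBefore="2014-11-12T18:30:04.275+13:00" NotOnOrAfter="2014-11-12T20:30:04.275+13:00"/>
</saml2:Assertion></wsse:Security>""".format(**NS)
```

The cryptographic verification of the signature itself stays with XWSS; this only asserts that the element XWSS verified is the assertion being trusted, and that every other failure rejects the message instead of being logged.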