WSS4J issue WSS-519

SAML 2.0 - WSS4J is expecting SecurityTokenReference under KeyInfo in EncryptedAssertion element


    Description

      Hi,

We have a current setup with an ADFS 2.0 STS and, on the ESB, CXF 2.7.11, whose dependency is WSS4J 1.6.15.

      Currently everything works as expected but only for SAML 1.1 TokenType.

The problem resides in the SAML 2.0 token response. For a SAML 1.1 token, the response (the important part of it) looks like:

      <trust:RequestedSecurityToken>
        <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                            xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
          <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
              <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
              </e:EncryptionMethod>
              <KeyInfo>
                <o:SecurityTokenReference
                    xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                  <X509Data>


For SAML 2.0, the RSTR (just our part) looks like:

      <trust:RequestedSecurityToken>
        <EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
          <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                              xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
                <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
                  <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                </e:EncryptionMethod>
                <KeyInfo>
                  <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">


Please notice the missing token-referencing element: SecurityTokenReference.

WSS4J then throws an exception while trying to decrypt the SAML token:

      2014-11-05 07:24:03,655 [http-/127.0.0.1:8443-2] WARN  (org.apache.cxf.phase.PhaseInterceptorChain): Interceptor for {http://www.example.org/contract/DoubleIt}DoubleItService#{http://www.example.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
      org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header.
      	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:852) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
      	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:327) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
      	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:121) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
      	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:106) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
      	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) ~[cxf-api-2.7.11.jar:2.7.11]
      	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.11.jar:2.7.11]
      	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:241) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
      	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
      	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
      	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
      	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
      	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
      	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar!/:1.0.2.Final-redhat-1]
      	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) [cxf-rt-transports-http-2.7.11.jar:2.7.11]
      	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.3.0.Final-redhat-14.jar!/:7.3.0.Final-redhat-14]
      	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920) [jbossweb-7.2.2.Final-redhat-1.jar!/:7.2.2.Final-redhat-1]
      	at java.lang.Thread.run(Thread.java:745) [na:1.7.0_60]
      Caused by: org.apache.ws.security.WSSecurityException: General security error (Bad element, expected "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference" while got "{http://www.w3.org/2000/09/xmldsig#}X509Data")
      	at org.apache.ws.security.message.token.SecurityTokenReference.<init>(SecurityTokenReference.java:93) ~[wss4j-1.6.15.jar:1.6.15]
      	at org.apache.ws.security.str.EncryptedKeySTRParser.parseSecurityTokenReference(EncryptedKeySTRParser.java:80) ~[wss4j-1.6.15.jar:1.6.15]
      	at org.apache.ws.security.processor.EncryptedKeyProcessor.getCertificatesFromEncryptedKey(EncryptedKeyProcessor.java:309) ~[wss4j-1.6.15.jar:1.6.15]
      	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:126) ~[wss4j-1.6.15.jar:1.6.15]
      	at org.apache.ws.security.processor.EncryptedKeyProcessor.handleToken(EncryptedKeyProcessor.java:65) ~[wss4j-1.6.15.jar:1.6.15]
      	at org.apache.ws.security.processor.EncryptedDataProcessor.handleToken(EncryptedDataProcessor.java:113) ~[wss4j-1.6.15.jar:1.6.15]
      	at sk.dcom.poc.service.doubleit.security.EncryptedAssertionProcessor.handleToken(EncryptedAssertionProcessor.java:54) ~[classes:na]
      	at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396) ~[wss4j-1.6.15.jar:1.6.15]
      	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:270) ~[cxf-rt-ws-security-2.7.11.jar:2.7.11]
      	... 26 common frames omitted
      

      I've also tried CXF 3.0.2, which uses WSS4J 2.0.2, but the exception is there too.
      I then tried changing only the WSS4J version (1.6.16, 1.6.17), since we are locked to CXF 2.7.11 because of the ESB; still the same issue :/

Could you please give me some clues so I can maybe handle it manually and correctly reference the token for the WSS4J decryption process (if there is any way)?

      Thanks for all your answers
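The manual handling the reporter asks about, as an added example that is not part of this issue or of WSS4J itself: a pre-processing step that rewrites the SAML 2.0 EncryptedKey/KeyInfo into the SAML 1.1 shape shown above, wrapping the bare ds:X509Data in a wsse:SecurityTokenReference before WSS4J's EncryptedKeyProcessor sees it. It assumes WSS4J's STR parser accepts an X509Data child (the form ADFS itself emits for SAML 1.1) and that the rewrite runs on the DOM ahead of the processor (for instance in the custom EncryptedAssertionProcessor visible in the stack trace); the sample document is constructed from the report's snippet and completed with placeholder issuer, serial and cipher values.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the snippets in the bug report.
XENC = "http://www.w3.org/2001/04/xmlenc#"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
for prefix, uri in (("xenc", XENC), ("ds", DS), ("wsse", WSSE)):
    ET.register_namespace(prefix, uri)

# Constructed sample: the SAML 2.0 EncryptedAssertion shape from the report, completed
# with placeholder issuer/serial and cipher values so that it parses.
SAML2_ENCRYPTED_ASSERTION = f"""<EncryptedAssertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <xenc:EncryptedData Type="{XENC}Element" xmlns:xenc="{XENC}">
    <xenc:EncryptionMethod Algorithm="{XENC}aes256-cbc"/>
    <KeyInfo xmlns="{DS}">
      <e:EncryptedKey xmlns:e="{XENC}">
        <e:EncryptionMethod Algorithm="{XENC}rsa-oaep-mgf1p"><DigestMethod Algorithm="{DS}sha1"/></e:EncryptionMethod>
        <KeyInfo>
          <ds:X509Data xmlns:ds="{DS}"><ds:X509IssuerSerial>
            <ds:X509IssuerName>CN=placeholder-issuer</ds:X509IssuerName>
            <ds:X509SerialNumber>1</ds:X509SerialNumber>
          </ds:X509IssuerSerial></ds:X509Data>
        </KeyInfo>
        <e:CipherData><e:CipherValue>cGxhY2Vob2xkZXI=</e:CipherValue></e:CipherData>
      </e:EncryptedKey>
    </KeyInfo>
    <xenc:CipherData><xenc:CipherValue>cGxhY2Vob2xkZXI=</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
</EncryptedAssertion>"""

def wrap_encrypted_key_keyinfo_in_str(root):
    """Wrap a bare ds:X509Data under xenc:EncryptedKey/ds:KeyInfo in a
    wsse:SecurityTokenReference, the shape WSS4J's EncryptedKeySTRParser expects.
    KeyInfo that already carries an STR (SAML 1.1 form) is left untouched."""
    changed = 0
    for enc_key in list(root.iter(f"{{{XENC}}}EncryptedKey")):  # snapshot: tree is edited below
        key_info = enc_key.find(f"{{{DS}}}KeyInfo")
        if key_info is None or key_info.find(f"{{{WSSE}}}SecurityTokenReference") is not None:
            continue
        x509 = key_info.find(f"{{{DS}}}X509Data")
        if x509 is None:
            continue  # some other reference form: leave it for WSS4J to report
        key_info.remove(x509)  # move, not copy: the key reference itself is unchanged
        ET.SubElement(key_info, f"{{{WSSE}}}SecurityTokenReference").append(x509)
        changed += 1
    return changed

def normalize_encrypted_assertion(xml_text):
    """Parse, rewrite and serialise; returns (number of KeyInfo rewritten, xml string)."""
    root = ET.fromstring(xml_text)
    return wrap_encrypted_key_keyinfo_in_str(root), ET.tostring(root, encoding="unicode")
```

Because the X509Data is moved rather than replaced, WSS4J still resolves the decryption certificate against its own keystore; the rewrite changes only the wrapping of the reference, not which key is trusted.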

          People
            coheigea Colm O hEigeartaigh
            vibro Erik Mocny
          Votes: 0
          Watchers: 3
