Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
-
Moderate
Description
CXF should be using the KeyIdentifier element when identifying SAML Assertions within wsse:SecurityTokenReference elements.
Issue and explanation in this thread:
http://cxf.547215.n5.nabble.com/Problem-using-SAML-token-profile-to-access-a-Metro-web-service-td1064848.html#a1064848
Attached zip contains a Metro web service and STS (intended for standalone Tomcat deployment), a working Metro client, and a complaining CXF one, all components Mavenized for easily compilation, deployment, and execution.
Instructions to host sample web service and STS from attachment:
1.) If necessary, to allow mvn tomcat:deploy to work in next step, set up Maven tomcat config:
Pale green "Maven only" section of Step #8 here has instructions:
http://www.jroller.com/gmazza/entry/web_service_tutorial#WFstep8
2.) From root directory, type mvn clean install tomcat:deploy
(can call tomcat:undeploy on subsequent runs)
Once done, confirm can see Metro web service WSDL from browser:
https://localhost:8443/doubleit/services/doubleit?wsdl
And confirm can see Metro STS WSDL:
http://localhost:8080/DoubleItSTS/DoubleItSTSService?wsdl
3.)
Place the 2.2 version of jaxws-api.jar (https://jax-ws.dev.java.net/) in the JDK_HOME/jre/lib/endorsed folder.
Once done, navigate to Metro client folder (/client-metro) and run mvn exec:exec
Confirm can see output of doubled number results (10 doubled is 20).
Wireshark results of the whole STS process w/Metro is here:
http://www.jroller.com/gmazza/entry/metro_wstrust_analysis
5.)
Remove 2.2 JAXWS-api.jar from endorsed folder.
Navigate to CXF client folder (/client-cxf) and run
mvn clean install exec:exec (need to build here, as client-cxf is not part of parent POM due to Metro dependencies.)
Should see this error message:
[INFO] Jul 14, 2010 8:00:46 AM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
[INFO] INFO: Creating Service
DoubleItService from WSDL: file:/work/workspace/DoubleItMetroWSTrust/client-cxf/src/main/resources/DoubleItService.wsdl
[INFO] Jul 14, 2010 8:00:48 AM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
[INFO] WARNING: Request does not contain required Security header, but it's a fault.
---->[INFO] Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: unsupported directreference ValueType http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID<----
[INFO] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
[INFO] at $Proxy38.doubleIt(Unknown Source)
[INFO] at client.WSClient.doubleIt(WSClient.java:18)
[INFO] at client.WSClient.main(WSClient.java:11)
[INFO] Caused by: org.apache.cxf.binding.soap.SoapFault: unsupported directreference ValueType http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
[INFO] at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.unmarshalFault(Soap11FaultInInterceptor.java:75)
[INFO] at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:46)
[INFO] at org.apache.cxf.binding.soap.interceptor.Soap11FaultInInterceptor.handleMessage(Soap11FaultInInterceptor.java:35)
[INFO] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:243)
If you can use Wireshark to trace localhost calls (always can on Linux, sometimes on Windows), can use Wireshark's Show TCP stream capability to get more of error message: http://www.jroller.com/gmazza/entry/soap_calls_over_wireshark