Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-3156

Have web service client cache SAML tokens used in SOAP calls

    XMLWordPrintableJSON

Details

    • Wish
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 2.3.2
    • None
    • None
    • Advanced

    Description

      Metro web service providers (and perhaps others) return references to SAML Tokens provided by the client during the SOAP call, but do not return the tokens themselves (nor is apparent that they should.) Presently Metro clients but not CXF clients can process these responses. A CXF client attempting to process a Metro response (sample one here[1]) returns this error, saying it cannot find the token:

      [INFO] Nov 29, 2010 3:14:33 PM org.apache.cxf.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
      [INFO] INFO: Creating Service

      {http://www.example.org/contract/DoubleIt}

      DoubleItService from WSDL: file:/media/NewDriveExt3/soperawork/DoubleItMetroWSTrust/client-cxf/src/main/resources/DoubleItService.wsdl
      [INFO] Nov 29, 2010 3:14:34 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl build
      [INFO] WARNING: No assertion builder for type

      {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}

      RequireInternalReference registered.
      [INFO] Nov 29, 2010 3:14:35 PM org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor handleMessage
      [INFO] WARNING:
      [INFO] org.apache.ws.security.WSSecurityException: Referenced security token could not be retrieved (Reference "#uuid-88b8189f-9616-48f4-9ea8-ac2b7703baed")
      [INFO] at org.apache.ws.security.message.token.SecurityTokenReference.getKeyIdentifierTokenElement(SecurityTokenReference.java:200)
      [INFO] at org.apache.ws.security.processor.ReferenceListProcessor.getKeyFromSecurityTokenReference(ReferenceListProcessor.java:356)
      [INFO] at org.apache.ws.security.processor.ReferenceListProcessor.decryptDataRefEmbedded(ReferenceListProcessor.java:162)
      [INFO] at org.apache.ws.security.processor.ReferenceListProcessor.handleReferenceList(ReferenceListProcessor.java:113)
      [INFO] at org.apache.ws.security.processor.ReferenceListProcessor.handleToken(ReferenceListProcessor.java:76)
      [INFO] at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:328)
      [INFO] at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:245)
      [INFO] at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:208)
      [INFO] at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:78)
      [INFO] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:247)
      [INFO] at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:733)
      [INFO] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2201)
      [INFO] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2071)
      [INFO] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1925)
      [INFO] at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
      [INFO] at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:662)
      [INFO] at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
      [INFO] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:247)
      [INFO] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:516)
      [INFO] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
      [INFO] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
      [INFO] at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
      [INFO] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
      [INFO] at $Proxy24.doubleIt(Unknown Source)
      [INFO] at client.WSClient.doubleIt(WSClient.java:17)
      [INFO] at client.WSClient.main(WSClient.java:11)
      [INFO] Nov 29, 2010 3:14:35 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
      [INFO] WARNING: Interceptor for

      {http://www.example.org/contract/DoubleIt}

      DoubleItService#

      {http://www.example.org/contract/DoubleIt}

      DoubleIt has thrown exception, unwinding now
      [INFO] org.apache.cxf.binding.soap.SoapFault: Referenced security token could not be retrieved (Reference "#uuid-88b8189f-9616-48f4-9ea8-ac2b7703baed")
      [INFO] at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:597)
      [INFO] at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:268)
      [INFO] at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:78)
      [INFO] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:247)
      [INFO] at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:733)
      [INFO] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:2201)
      [INFO] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:2071)
      [INFO] at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1925)
      [INFO] at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
      [INFO] at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:662)
      [INFO] at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
      [INFO] at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:247)
      [INFO] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:516)
      [INFO] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:313)
      [INFO] at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:265)
      [INFO] at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
      [INFO] at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
      [INFO] at $Proxy24.doubleIt(Unknown Source)
      [INFO] at client.WSClient.doubleIt(WSClient.java:17)
      [INFO] at client.WSClient.main(WSClient.java:11)

      Part of the problem MAY be that Metro prefixes the Assertion key with a "#" indicating the token is within the message body. A bug report has been sent to them on this issue[2], however I believe CXF would presently fail even if the "#" was not there, as the client-side storage/retrieval of SAML tokens is not yet in place.

      [1] https://issues.apache.org/jira/secure/attachment/12460040/WSS238Results.txt
      [2] http://java.net/jira/browse/WSIT-1490

      Attachments

        Activity

          People

            coheigea Colm O hEigeartaigh
            gmazza Glen Mazza
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: