Passing SAML Tokens to Webservice
Hi All
I have to create a webservice client which passes
Username token, SAML1.1 , 2 , X509 Tokens.
My experience runs low on webservices.
Kindly point to some documents, which specifies
the way to incorporate these token to the webservice call.
Thanks in advance.
Shaan
One method to accomplish this is to leverage an STS to issue security tokens. These security tokens can then be placed into the WS-Security headers of the SOAP requests generated by your web service client. Ping Identity has a product called PingTrust. It is an STS that can issue SAML 1.x, SAML 2.0 and custom tokens, and validate SAML 1.x, SAML 2.0, UserName/Password, Kerberos, X.509 and custom tokens. The product includes SDK;s and JAX-RPC security interceptors that can be used by the application developer to integrate with PingTrust.
Similar Messages
-
SAML token in webservice proxy
Hi,
I've a custom security provider which provides me a SAML token. I also have a webservice proxy which needs to use the token. How do I configure the webservice proxy to use this token? I know that WS-Security supports SAML tokens. But I'm unable to figure out how to set this up in the webservice proxy.
Any help is greatly appreciated.
Thanks,
Anand.I was able to write a custom handler that added the token as a ws-security header.
-
How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication
Identity provider here is Oracle identity provider
harika kakkireniHi,
The following materials for your reference:
Consuming List.asmx on a claims based sharepoint site
http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
Sharepoint Claims based authentication and Single Sign on
http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
Sharepoint Claim Based Authentication Web Service issuehttp://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
Best Regards
Dennis Guo
TechNet Community Support -
Invalid security error when invoking secure webservice using SAML tokens
I have deployed a JAX-WS webservice using a stateless session bean to wl 10.3.2 that uses a custom policy. The service deploys fine, but weblogic returns an HTTP error 500 with a SOAP fault. The fault states wsse:InvalidSecurity. The webservice security policy reqires SAML holder of key assertions and attributes. I have tried everything from running weblogic with Metro 1.5 to configuring SAML Identity Asserter Providers, etc with no luck. I even tried using the built in SAML 2.0 assymetric holder of key policy. What am I doing wrong? The XML of interest is attached.
Thanks;
-Dave.
*[Sample message from client]*
<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
<S:Header>
<To xmlns="http://www.w3.org/2005/08/addressing">https://localhost:7002/NHINAdapterDocQuerySecured/AdapterDocQuerySecured</To>
<Action xmlns="http://www.w3.org/2005/08/addressing">urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryRequestMessage</Action>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:fec656f8-a2be-4129-8412-34d9453e7cb2</MessageID>
<wsse:Security S:mustUnderstand="1">
<wsu:Timestamp xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_1">
<wsu:Created>2010-02-24T21:38:56Z</wsu:Created>
<wsu:Expires>2010-02-24T21:43:56Z</wsu:Expires>
</wsu:Timestamp>
<saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="96cdfb70-91a3-4baf-9da1-3ff07d249926" IssueInstant="2010-02-24T21:38:56.671Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=kskagerb*DoD</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>iwGksKFK2ZYDxftMa093TajW7V9TwHW7NiyT6bJ2p38zBwpehwMJ1ZO9V0hFihcz/BZ2MvQ1WA1l0KhUBSR/bMiu6WmZ0bJPjvXx41ewGw5YzTL2RbT1U2XXBHtPHjbkH5jqK5zk67F/NM26v+hw0fSZiqM1BAFp9F73hMHsNrc=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2009-04-16T13:15:39.000Z" SessionIndex="987">
<saml2:SubjectLocality Address="158.147.185.168" DNSName="cs.myharris.net"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Karl S Skagerberg</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">InternalTest2</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.4.349</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.4.349</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
<saml2:AttributeValue>
<hl7:Role xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="307969004" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED_CT" displayName="Public Health" xsi:type="hl7:CE"/>
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
<saml2:AttributeValue>
<hl7:PurposeForUse xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="TREATMENT" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Use or disclosure of Psychotherapy Notes" xsi:type="hl7:CE"/>
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">500000000^^^&1.1&ISO</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthzDecisionStatement Decision="Permit" Resource="https://158.147.185.168:8181/SamlReceiveService/SamlProcessWS">
<saml2:Action Namespace="urn:nhin:names:hl7:rbac:4.00:operation">EXECUTE</saml2:Action>
<saml2:Evidence>
<saml2:Assertion ID="40df7c0a-ff3e-4b26-baeb-f2910f6d05a9" IssueInstant="2009-04-16T13:10:39.093Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>
<saml2:Conditions NotBefore="2009-04-16T13:10:39.093Z" NotOnOrAfter="2010-12-31T12:00:00.000Z"/>
<saml2:AttributeStatement>
<saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Claim-Ref-1234</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Claim-Instance-1</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2:Evidence>
</saml2:AuthzDecisionStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#96cdfb70-91a3-4baf-9da1-3ff07d249926">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>VnukKqb4Bt1KWDKfy8SDfk1Hp2s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>DUwjh/H3XSfUG250rTlLdihstDXY1+qkY9GaY81Iu7Ag4MgoGvGBrGjZOJ7YnssPdrqUGiURxf6k
IBH7vaeXk24XvXP3F85WP9nBm+2M4BvGTplgOmAo0yuwze+90FvwILzFNmmX/tvy3QKTDHlh1rEx
/Jqfm6q/56WW1suAbRY=</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>iwGksKFK2ZYDxftMa093TajW7V9TwHW7NiyT6bJ2p38zBwpehwMJ1ZO9V0hFihcz/BZ2MvQ1WA1l
0KhUBSR/bMiu6WmZ0bJPjvXx41ewGw5YzTL2RbT1U2XXBHtPHjbkH5jqK5zk67F/NM26v+hw0fSZ
iqM1BAFp9F73hMHsNrc=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</saml2:Assertion>
<ds:Signature xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>oo99UrPhAcwla4Qbkdd9jAPn0cE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ds4vqts8uCdJcNGo0uTPzId5UBX+GVrdztQPv823c1Zy9ZZGSfQC/GsBPM/EMbFInDPFsyT4e1QYZMCzmqLYnifWHlDQJb7oMJBokafavAqZda1B55Zzh3TSm6BqKWtB/DX17d6rLx/HPiLNZ9qsBfuGn3aTlUCpNsYA8ObBtp8=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">96cdfb70-91a3-4baf-9da1-3ff07d249926</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body>
<ns3:AdhocQueryRequest xmlns:ns2="urn:gov:hhs:fha:nhinc:gateway:samltokendata" xmlns:ns3="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0" xmlns:ns4="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0" xmlns:ns5="urn:oasis:names:tc:ebxml-regrep:xsd:rs:3.0" xmlns:ns6="urn:oasis:names:tc:ebxml-regrep:xsd:lcm:3.0" maxResults="-1" startIndex="0" federated="false">
<ns3:ResponseOption returnComposedObjects="true" returnType="LeafClass"/>
<ns4:AdhocQuery home="urn:oid:2.16.840.1.113883.4.349" id="urn:uuid:14d4debf-8f97-4251-9a74-a90016b0af0d">
<ns4:Slot name="$XDSDocumentEntryStatus">
<ns4:ValueList>
<ns4:Value>('urn:oasis:names:tc:ebxml-regrep:StatusType:Approved')</ns4:Value>
</ns4:ValueList>
</ns4:Slot>
<ns4:Slot name="$XDSDocumentEntryPatientId">
<ns4:ValueList>
<ns4:Value>'1012581676V377802^^^&2.16.840.1.113883.4.349&ISO'</ns4:Value>
</ns4:ValueList>
</ns4:Slot>
</ns4:AdhocQuery>
</ns3:AdhocQueryRequest>
</S:Body>
</S:Envelope>
*[Response from server:]*
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>weblogic.xml.crypto.api.MarshalException: weblogic.xml.dom.marshal.MarshalException: Failed to unmarshal {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference, no SecurityTokenReference factory found for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}KeyIdentifier ValueType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
*[webservice WSDL]*
<?xml version="1.0" encoding="UTF-8"?>
<!--
Adapter Document Query WSDL
-->
<definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="urn:gov:hhs:fha:nhinc:adapterdocquerysecured"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:query="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"
xmlns:plnk="http://docs.oasis-open.org/wsbpel/2.0/plnktype"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
xmlns:vprop="http://docs.oasis-open.org/wsbpel/2.0/varprop"
xmlns:sxnmp="http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/NMProperty"
name="AdapterDocQuerySecured"
targetNamespace="urn:gov:hhs:fha:nhinc:adapterdocquerysecured">
<documentation>Adapter Document Query</documentation>
<types>
<xsd:schema>
<xsd:import namespace="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"
schemaLocation="../schemas/ebRS/query.xsd"/>
<xsd:import namespace="urn:gov:hhs:fha:nhinc:gateway:samltokendata"
schemaLocation="../schemas/nhinc/gateway/SamlTokenData.xsd"/>
</xsd:schema>
</types>
<message name="RespondingGateway_CrossGatewayQueryRequestMessage">
<part name="body"
element="query:AdhocQueryRequest"/>
</message>
<message name="RespondingGateway_CrossGatewayQueryResponseMessage">
<part name="body"
element="query:AdhocQueryResponse"/>
</message>
<portType name="AdapterDocQuerySecuredPortType">
<operation name="RespondingGateway_CrossGatewayQuery">
<input name="RespondingGateway_CrossGatewayQueryRequest"
message="tns:RespondingGateway_CrossGatewayQueryRequestMessage"
wsaw:Action="urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryRequestMessage"/>
<output name="RespondingGateway_CrossGatewayQueryResponse"
message="tns:RespondingGateway_CrossGatewayQueryResponseMessage"
wsaw:Action="urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryResponseMessage"/>
</operation>
</portType>
<binding name="AdapterDocQuerySecuredBindingSoap11" type="tns:AdapterDocQuerySecuredPortType">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<wsp:PolicyReference URI="#RespondingGateway_Query_Binding_SoapPolicy"/>
<operation name="RespondingGateway_CrossGatewayQuery">
<soap:operation soapAction="urn:RespondingGateway_CrossGatewayQuery"/>
<input name="RespondingGateway_CrossGatewayQueryRequest">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#RespondingGateway_Query_Binding_Soap_Input_Policy"/>
</input>
<output name="RespondingGateway_CrossGatewayQueryResponse">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#RespondingGateway_Query_Binding_Soap_Output_Policy"/>
</output>
</operation>
</binding>
<service name="AdapterDocQuerySecured">
<port name="AdapterDocQuerySecuredPortSoap11"
binding="tns:AdapterDocQuerySecuredBindingSoap11">
<soap:address
location="https://localhost:7002/NHINAdapterDocQuerySecured" />
</port>
</service>
<!-- Define action property on each receiving message -->
<vprop:property name="action" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:action"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>action</vprop:query>
</vprop:propertyAlias>
<!-- Define resource property on each receiving message -->
<vprop:property name="resource" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:resource"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>resource</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseRoleCode property on each receiving message -->
<vprop:property name="purposeForUseRoleCode" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseRoleCode"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseRoleCode</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseCodeSystem property on each receiving message -->
<vprop:property name="purposeForUseCodeSystem" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseCodeSystem"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseCodeSystem</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseCodeSystemName property on each receiving message -->
<vprop:property name="purposeForUseCodeSystemName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseCodeSystemName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseCodeSystemName</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseDisplayName property on each receiving message -->
<vprop:property name="purposeForUseDisplayName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseDisplayName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseDisplayName</vprop:query>
</vprop:propertyAlias>
<!-- Define userFirstName property on each receiving message -->
<vprop:property name="userFirstName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userFirstName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userFirstName</vprop:query>
</vprop:propertyAlias>
<!-- Define userMiddleName property on each receiving message -->
<vprop:property name="userMiddleName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userMiddleName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userMiddleName</vprop:query>
</vprop:propertyAlias>
<!-- Define userLastName property on each receiving message -->
<vprop:property name="userLastName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userLastName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userLastName</vprop:query>
</vprop:propertyAlias>
<!-- Define userName property on each receiving message -->
<vprop:property name="userName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userName</vprop:query>
</vprop:propertyAlias>
<!-- Define userOrganization property on each receiving message -->
<vprop:property name="userOrganization" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userOrganization"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userOrganization</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCode property on each receiving message -->
<vprop:property name="userRoleCode" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCode"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCode</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCodeSystem property on each receiving message -->
<vprop:property name="userRoleCodeSystem" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCodeSystem"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCodeSystem</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCodeSystemName property on each receiving message -->
<vprop:property name="userRoleCodeSystemName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCodeSystemName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCodeSystemName</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCodeDisplayName property on each receiving message -->
<vprop:property name="userRoleCodeDisplayName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCodeDisplayName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCodeDisplayName</vprop:query>
</vprop:propertyAlias>
<!-- Define expirationDate property on each receiving message -->
<vprop:property name="expirationDate" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:expirationDate"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>expirationDate</vprop:query>
</vprop:propertyAlias>
<!-- Define signDate property on each receiving message -->
<vprop:property name="signDate" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:signDate"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>signDate</vprop:query>
</vprop:propertyAlias>
<!-- Define contentReference property on each receiving message -->
<vprop:property name="contentReference" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:contentReference"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>contentReference</vprop:query>
</vprop:propertyAlias>
<!-- Define content property on each receiving message -->
<vprop:property name="content" type="xsd:base64Binary"/>
<vprop:propertyAlias propertyName="tns:content"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>content</vprop:query>
</vprop:propertyAlias>
<wsp:Policy wsu:Id="RespondingGateway_Query_Binding_SoapPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
<sc:KeyStore wspp:visibility="private"
aliasSelector="gov.hhs.fha.nhinc.callback.KeyStoreServerAliasSelector"
callbackHandler="gov.hhs.fha.nhinc.callback.KeyStoreCallbackHandler"/>
<sc:TrustStore wspp:visibility="private"
callbackHandler="gov.hhs.fha.nhinc.callback.TrustStoreCallbackHandler"/>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken>
<wsp:Policy>
<sp:RequireClientCertificate/>
</wsp:Policy>
</sp:HttpsToken>
</wsp:Policy>
</sp:TransportToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens>
<wsp:Policy>
<sp:SamlToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssSamlV20Token11/>
</wsp:Policy>
</sp:SamlToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="RespondingGateway_Query_Binding_Soap_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="RespondingGateway_Query_Binding_Soap_Output_Policy">
<wsp:ExactlyOne>
<wsp:All>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<plnk:partnerLinkType name="AdapterDocQuerySecured">
<!-- A partner link type is automatically generated when a new port type is added.
Partner link types are used by BPEL processes. In a BPEL process, a partner
link represents the interaction between the BPEL process and a partner service.
Each partner link is associated with a partner link type. A partner link type
characterizes the conversational relationship between two services. The
partner link type can have one or two roles.-->
<plnk:role name="AdapterDocQuerySecuredPortTypeRole"
portType="tns:AdapterDocQuerySecuredPortType"/>
</plnk:partnerLinkType>
</definitions>
Edited by: dvazquez1027 on Feb 25, 2010 5:10 PM
Edited by: dvazquez1027 on Feb 25, 2010 5:22 PMHi
yes, I had the same issue and I found a solution.
You need to request a patch for BUG 9212862 (already corrected in WLS 10.3.3) and do the follwing:
javax.xml.ws.BindingProvider provider = (javax.xml.ws.BindingProvider)port;
java.util.Map context = provider.getRequestContext();
context.put(weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_PREFERENCE, weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_MSFT);
This will cause the SecurityMessageArchitect class of WLS to not send the SecurityTokenReference in the Soap security header.
Please note that is evidently a non-comformity to the specs of microsoft:
Please give a look at
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf (8.3 Signing Tokens)
and also at:
http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
(3.4 Identifying and Referencing Security Tokens)
A SAML key identifier reference MUST be used for all (local and remote) references to SAML 1.1
assertions. [...]
All conformant implementations MUST be able to process SAML assertion references occurring in a
<wsse:Security> header or in a header element other than a signature to acquire the corresponding
assertion. A conformant implementation MUST be able to process any such reference independent of the
confirmation method of the referenced assertion.
It follows that the .NET 3.5 is a non conformat implementation: I would gladly know which is the position of Microsoft on that.
ciao
carlo -
Getting Invalid SAML token error while trying to access wls9.2 webservice
Hi,
I am using wss4j at the client side as SAML token issuer to add saml assertion to the soap envelop whose target is a webservice deployed in a aqua logic service bus 2.6. But at the server side i.e wls9.2, i am getting following exception
weblogic.xml.crypto.wss.SecurityTokenValidateResult@326f6a[status: false][msg The SAML token is not valid.]</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>
weblogic.xml.crypto.wss.WSSecurityException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@326f6a[status: false][msg The SAML token is not valid.]
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSecurityToken(SecurityImpl.java:476)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:392)
This error seems to be coming during unmarshalling of soap envelop which is run before request goes to SAML Identity Assertion provider V1. Certificates are properly configured at both client and server side so it seems that generated SAML assertion is not compliant with weblogic 9.2 unmarshalling process.
Has anyone got any solution for this problem. I am not exactly looking for full SSO configuration at the weblogic side so I have not set any credential mapper (which is also a saml issuer). Nor have i done any setting related with SSO on weblogic.
Any idea will really be helpful in this regard.
Thanks.In what version of Oracle?
I see a couple of problems assuming you are working with a currently supported version:
1. Never grant CONNECT to anyone: Ever. Grant CREATE SESSION.
2. GRANT CREATE TABLE to AQ;
Go to Morgan's Library at www.psoug.org and look at AQ Demo 1. You should have no problem cutting and pasting your way to where you are trying to go. -
Using Saml token profile 1.1 with WLS 10.3
Hi All
I am a Student from IITB. I am trying use message-level authentication for webservices using SAML Token Profile 1.1 on weblogic 10.3. I have done the necessary configuration but I am getting an error
"Unable to add Security Token for Identity ". I Started the SamlCredMapper Debug flag on from the console and saw the logs and I saw that everything is going fine untill at one place it
gives this error
<Debug> <SecuritySAMLCredMap> ' *<1245866312123> <BEA-000000> *<SAMLCredentialMapperV2: getCredentialInternal(): InvalidParameterException while validating parameters: weblogic.security.service.InvalidParameterException: Unable to generate SAML Assertion: No partner ID or target resource>**
I do not know how to fix this problem. Please Tell me if anyone has any idea about it.
Thanks
regards,
Sanyam
//The Logs are as follows
<Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310425> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): initiator = Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("ssouser")
>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310425> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): resource = (null)>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310426> <BEA-000000> <SAMLRPConfigManager.findPartnerInTargetMap():Searching with key 'sender-vouches:http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310426> <BEA-000000> <SAMLRPConfigManager.findPartnerInTargetMap():Found partner 'rp_00001'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310436> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Not found name mapper in the cache, try to create one>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310437> <BEA-000000> <SAMLNameMapperCache.getNameMapper: create SAMLNameMapperImpl name mapper>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310439> <BEA-000000> <SAMLNameMapperImpl: mapSubject: No valid WLSGroup pricipals found in Subject, continuing>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310439> <BEA-000000> <SAMLNameMapperImpl: mapSubject: Mapped subject: qualifier: null, name: ssouser, groups: []>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310440> <BEA-000000> <SAMLCreateAssertion: Mapped subject 'Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("ssouser")
' to: username='ssouser',qualifier='null',format='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310442> <BEA-000000> <SAMLCreateAssertion: No context or subject attribute were mapped>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310442> <BEA-000000> <SAMLCreateAssertion: Groups attribute statement requested but name mapper returned no groups -- groups attribute statement will not be generated>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: Creating sender-vouches assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: Assertion IS signed>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: KeyInfo IS NOT supplied>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: AttrStmtInfo IS NOT supplied>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310460> <BEA-000000> <SAMLCreateAssertion: Created SAMLSubject for 'ssouser'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310460> <BEA-000000> <SAMLCreateAssertion: Created SAMLSubject>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310475> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Cloning SAMLSubject>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310476> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Created SAMLAuthenticationStatement>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310484> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Signing assertion, keyinfo is included>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310508> <BEA-000000> <SAMLSignedObject.sign(): algorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310509> <BEA-000000> <SAMLSignedObject.sign(): reference '#b21cfea8d3c90fee97a3100a59b0005e'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310509> <BEA-000000> <SAMLSignedObject.sign(): InclusiveNamespaces '#default saml samlp ds dsig code kind rw typens'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310542> <BEA-000000> <SAMLSignedObject.sign(): adding certificates>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310556> <BEA-000000> <SAMLSignedObject.sign(): signing object>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLSignedObject.sign(): completed>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Signed assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Created SAMLAssertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: Returning assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): Returning non-null credential>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311896> <BEA-000000> <SAMLIdentityAsserter: assertIdentity() called>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311897> <BEA-000000> <SAMLIdentityAsserter: SAMLIdentityAsserter: tokenType is 'SAML.Assertion.DOM'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311903> <BEA-000000> <SAMLAssertion: Assertion passed basic validity check>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311905> <BEA-000000> <SAMLAssertion: Target for assertion is: 'http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311905> <BEA-000000> <SAMLAssertion: Assertion issuer is: 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311906> <BEA-000000> <SAMLAssertion: Assertion subject confirmation method is: 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAPConfigManager.findPartnerInTargetMap():Searching with key 'sender-vouches:http://usmumsanygoyal1:7001/&http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAPConfigManager.findPartnerInTargetMap():Found partner 'ap_00001'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAssertion: Found asserting party 'ap_00001'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAssertion: Assertion is signed>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311908> <BEA-000000> <SAMLTrustManager: Looking for certificate alias 'testalias'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311930> <BEA-000000> <SAMLTrustManager: Certificate was found>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311937> <BEA-000000> <SAMLSignedObject.verify(): key supplied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311963> <BEA-000000> <SAMLSignedObject.verify(): obtained signed info>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311963> <BEA-000000> <SAMLSignedObject.verify(): validating signature>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311970> <BEA-000000> <SAMLSignedObject.verify(): completed>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311970> <BEA-000000> <SAMLAssertion: Signature verified using trusted certificate>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <Got signing certificate for signed object: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <SAMLAssertion: Assertion subject confirmation method is: 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <SAMLAssertion: Verified subject confirmation method>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311978> <BEA-000000> <SAMLAssertion: Assertion issuer is 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311978> <BEA-000000> <SAMLAssertion: Assertion issuer verified>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: Assertion contains NotBefore condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: Assertion contains NotOnOrAfter condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: NotBefore condition satisfied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: NotOnOrAfter condition satisfied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion has AudienceRestrictionCondition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Found matching audience 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: AudienceRestriction condition satisfied (matching audience)>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion has DoNotCache condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion conditions verified>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311986> <BEA-000000> <SAMLAssertion: Found subject for name: 'ssouser'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Not found name mapper in the cache, try to create one>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLNameMapperCache.getNameMapper: create SAMLNameMapperImpl name mapper>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: Looking for AttributeName 'Groups'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: Looking for AttributeNamespace 'urn:bea:security:saml:groups'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: ProcessGroups is true but did not find expected groups attribute statement>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311988> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Found name mapper in the cache>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311988> <BEA-000000> <SAMLNameMapperImpl: mapNameInfo: returning name: ssouser>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311989> <BEA-000000> <SAMLNameMapperImpl: mapGroupInfo: returning groups: null>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311989> <BEA-000000> <SAMLIACallbackHandler: SAMLIACallbackHandler(true, ssouser, null)>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311996> <BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(ssouser)>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866312002> <BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(ssouser)>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312122> <BEA-000000> <SAMLCredentialMapperV2: getCredentials: Subject initiator>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312122> <BEA-000000> <SAMLCredentialMapperV2: getCredentials(Subject): getCredentialInternal() called>
_####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' *<1245866312123> <BEA-000000> **<SAMLCredentialMapperV2: getCredentialInternal(): InvalidParameterException while validating parameters: weblogic.security.service.InvalidParameterException: Unable to generate SAML Assertion: No partner ID or target resource>**_*Client Side
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:credential-mapper xsi:type="wls:saml-credential-mapper-v2Type">
<sec:name>SAMLCredentialMapper</sec:name>
<wls:issuer-uri>www.bea.com/demoSAML</wls:issuer-uri>
<wls:name-qualifier>bea.com</wls:name-qualifier>
<wls:signing-key-alias>testalias</wls:signing-key-alias>
<wls:default-time-to-live-delta>-30</wls:default-time-to-live-delta>
<wls:signing-key-pass-phrase-encrypted>{3DES}dOC15C42IEzCnN/klGIdyQ==</wls:signing-key-pass-phrase-encrypted>
</sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:key-store xsi:type="wls:default-key-storeType">
<sec:name>keystore</sec:name>
</sec:key-store>
<sec:name>myrealm</sec:name>
</realm>
Server side
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:saml-identity-asserter-v2Type">
<sec:name>SAMLIdentityAsserter</sec:name>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
</realm>
Sanyam -
Hi I do have a basic setup installed;
when request for a webservice comes, the gateway intercepts the request, applies some security policies and passes on the request to the webservice , which inturn is intercepted by the ServerAgent and applies some security policies on the reqeust and after this once satisfied the request gets passed on to the webservice for processing.
I need to insert SaML vouches token at the gateway and get it verified at the ServerAgent so that the request for the webservice can be processed.
So could anyone of you tell me how to do this so that the required thing is accomplished.
Is there any owsm guru who can get me through this.
Thanks ManosOn the Request pipeleine template, after you do your initial security steps, you can then add Insert SAML Sender vouches token profile.
Thanks
Ram -
Hi All,
I have a SP2013 environment which authenticate users using ADFS 2.0 via Windows AD. We have two separate clients, Portal and Mobile. Portal users Passive Federation where as Mobile client uses Active Authentication with usernamemixed endpoint in ADFS.
I have an AD property which stores Unicode characters. In Active Authentication via Mobile, for a user who has a Unicode value in the AD property, I can get the SAML token successfully from ADFS.
Ex : <saml:AttributeValue>español</saml:AttributeValue>
However, when I post this SAML token to SharePoint _trust endpoint, I'm getting an error "500 Internal Server error". However for the same user, if I change the AD property value from "español" to "English" then I can get the FedAuth
cookie successfully from the _trust endpoint.
Also, for the same user, If I logged in via Portal which uses Passive Federation, then it's working fine.
Really appreciate your thoughts on this.
SupunHi Supun,
As you mentioned, the issue only happens in Active authentication. Would you please let me know which mobile client your users are using for the Active authentication, is it a custom one? Please be noted if you use a mobile browser, the authentication will
also be Passive.
In Passive mode authentication, STS also uses POST to pass the security token to the relaying party. I'd like to know what kind of tool you are using to post a SAML token to SharePoint endpoint as impersonation of an Active authentication. Since the Active
authentication flow is quite complex, I also suggest you to check the event log in your ADFS server, and try to find more information about the issue.
Thanks,
Reken Liu
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected] -
SAML token not understood (weblogic 10.3)
I'm trying to call my webservice with a SAML sender-vouches, and keep getting an error message. This used to work when running in Weblogic 9.2.3 (but we are in the process of upgrading to Weblogic 10.3).
(This is running from alsb 2.6)
My request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
</soap:Header>
<soapenv:Body>
<saml:TestRequest xmlns:saml="http://saml.webservice.namespace.model">
<saml:Call>string</saml:Call>
</saml:TestRequest>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<saml:Assertion AssertionID="d08c0548d758b52dbebfdb327e60a201" IssueInstant="2009-11-24T15:16:20.192Z" Issuer="http://www.sparebank1.no" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
<saml:Conditions NotBefore="2009-11-24T15:16:10.192Z" NotOnOrAfter="2009-11-24T15:18:10.192Z">
<saml:DoNotCacheCondition/>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2009-11-24T15:16:20.192Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="sparebank1.no">supermann</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#d08c0548d758b52dbebfdb327e60a201">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>KWkdUKb1gfftG4XchDnrmZmKbEc=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>
uRvZvXqmLlxj/wXSaG7zwLATsRCwPND++4zUHQZB2o6KPeDNR89f02t/CnLDsrbjGr9Y4JgXmGSkmMK+eP0JdY/q9CiOekhpJJ9RhZupE1ldoIPzLqc8nLUC3lHJUrKCchnuKmxg76V7I3TWFCvqYMz2pFiNdm6n8Fq2xgxtjRc=
</dsig:SignatureValue>
</dsig:Signature>
</saml:Assertion>
</wsse:Security>
</soap:Header>
<soapenv:Body>
<saml:TestRequest xmlns:saml="http://saml.webservice.namespace.model">
<saml:Call>string</saml:Call>
</saml:TestRequest>
</soapenv:Body>
</soapenv:Envelope>
Response:
The invocation resulted in an error: Internal Server Error.
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<faultstring>
MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood
</faultstring>
<faultcode>SOAP-ENV:MustUnderstand</faultcode>
</SOAP-ENV:Fault>
</S:Body>
</S:Envelope>
My policy file:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://www.bea.com/wls90/security/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
wsu:Id="amartaSaml">
<wssp:Identity>
<wssp:SupportedTokens>
<wssp:SecurityToken
TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
<wssp:Claims>
<wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
</wssp:Claims>
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Identity>
</wsp:Policy>
java file:
@WebService( serviceName="SamlService", portName="SamlPort", endpointInterface="namespace.webservice.saml.SamlServiceImplPort", targetNamespace="http://saml.webservice.namespace", wsdlLocation="/wsdl/saml.wsdl" )
public class SamlServiceImpl implements SamlServiceImplPort
@RolesAllowed( {
@SecurityRole(role = "sb1.life.customer.employer"),
@SecurityRole(role = "sb1.life.customer.individual"),
@SecurityRole(role = "sb1.life.customer.authorizedparty"),
@SecurityRole(role = "sb1.life.distributor.change"),
@SecurityRole(role = "sb1.life.distributor.read"),
@SecurityRole(role = "sb1.life.distributor.expert") })
@Policy(uri = "policy:sb1life-ws-policy.xml", direction = Policy.Direction.inbound)
public TestResponse getCall( TestRequest parameter )
TestResponse response = new TestResponse();
response.setResponse( "Hello " + parameter.getCall() );
return response;
One thing that got changed was that in WLS 9.2.3 we deployed the services as EAR, while now we are just deploying them as WAR. Don't know if that makes a difference. Also, the domain template for creating the weblogic domain is different.
I looked in Google, and there seems to be a "common" problem with SAML, but I couldn't find a Weblogic specific solution.
Thank you,
JohnThis is not currently supported in 10.3 because JAX-WS only supports SAML2.0 on WLS 10.3 whilst OSB 10.3 can only generate SAML 1.1 tokens.
from support :
"JAX-WS as implemented in WLS 10.3 does not support deprecated SAML policy (but SAML 2.0).
On the other hand OSB 10.3 is not supporting new SAML policy (you cannot import SAML 2.0 policy)."
Two solutions/workarounds:
1. Create a JAX-RPC WebService using the SAML-policy you have in place
2. Use OSB on the response-domain, create a proxy with policy and wsdl...
Adjust the endpoints in asserter and mapper -
Exception: "Could not validate SAML Token"
We have an evaluation system setup that we are using to generate PDF from PS. We're connecting via the EJB client, and typically have had no problems. Until today. At some point today we began seeing exceptions being thrown on the client:
Caused by: com.adobe.idp.um.api.UMException | [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion has expired and hence not valid for user [administrator@DefaultDom]. Its valid till time [Tue Feb 04 10:58:45 MST 2014] was found to be before the current time [Tue Feb 04 16:04:41 MST 2014]
Simply bouncing the app server where the client code is running solved the problem, however we'd like to better understand what is going on and why. Nothing that I can find in the docs seems to indicate the cause/solution, and possible solutions have links that appear to no longer function: http://cookbooks.adobe.com/post_Renewing_the_context_to_handle_session_expiry-16410.html
Any suggestions and/or insight would be greatly appreciated. Thanks!PROBLEM
Using the same instance of ServiceClientFactory to remotely invoke the services exposed by the LiveCycle container can lead to
exception related to assertion expiry
Solution
To handle the timeout use the ThrowHandler mechanism provided by the ServiceClientFactory framework
Detailed explanation
LiveCycle provides a client sdk for java based client to invoke its services remotely.
An invocation involves Creation of a ServiceClientFactory instance Setting the user credential in thefactory instance Pass that factory to a service client or use that to create InvocationRequest directly
Use the client to make the actual request.
For more details refer to Invoking
LiveCycle ES Using the Java API .
A ServiceClientFactory instance once created is valid for a ceratin
period of time which is by default 120 min. if the same instance is used to invoke beyond this period then it would lead to an exception stating that
the session has expired [com.adobe.idp.um.api.impl.AuthenticationManagerImpl]
errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML
Token --- Assertion has expired and hence not valid for user
[administrator@DefaultDom]. Its valid till time [Thu Oct 22
17:07:53 IST
2009] was found to be before the current time [Thu Oct
22 17:58:18 IST 2009]
This is not an issue if the ServiceClientFactory instance is used for short duration. However if you are going to perform a long
running task like converting large number of documents to pdf ,applying policies to them etc then it would be an issue.
Session Expiry
Before fxing the issue some info on what is session expiry.
When you use a ServiceClientFactory instance to invoke the service following fow happens
You set the credentials in the properties and invoke theservice
LiveCycle on server side validates the credentials and issues a Context. It is sort of a ticket which can be reused later instead of the actual credentials.
Upon receiving the response from the server the ServiceClientFactory instance deletes its own copy of credentials and instead stores the Context For later invocations this Context instance is passed instead of the user credentials
This whole fow is done to ensure that user's credentials are not sent for each remote call thus improving the security.
For more information on Context refer to
User Identity in LiveCycle .
Solution
To fx this issue you would have to re authenticate to LiveCycle and get the Context reissued. the best way to do that is to make use of the ThrowHandler provided by the ServiceClientFactory framework
STEP1 - Create a Throwhandler
* This ThrowHandler caches the user credentials and uses them
to refresh the Context in the
* ServiceClientFactory upon expiry.
private static class SimpleTimeoutThrowHandler implements
ThrowHandler {
private String username;
private String password;
public SimpleTimeoutThrowHandler(String username, String
password) {
this.username = username;
this.password = password;
public boolean handleThrowable(Throwable t, ServiceClient
sc,
ServiceClientFactory scf, MessageDispatcher md,
InvocationRequest ir, int numTries) throws
DSCException {
if(timeoutError(t)){
//The call to AuthenticationManager do not require
authentication so the default properties
//are suffcient
AuthenticationManager am =
new
AuthenticationManagerServiceClient(ServiceClientFactory.createInstance (getDefaultProperties()));
AuthResult ar = null;
try {
ar =
am.authenticate(username,password.getBytes());
} catch (UMException e) {
throw new IllegalStateException(e);
Context ctx = new Context();
ctx.initPrincipal(ar);
//Refresh the ServiceClientFactory instance with
the new context
scf.setContext(ctx);
logger.info("Refreshed the context associated with
ServiceCLientFactory");
//Now tell SCF to try the invocation again
return true;
//Check so that we do not wrap the exception again
if(t instanceof DSCException)
throw (DSCException)t;
if(t instanceof RuntimeException)
throw (RuntimeException)t;
// how is it possible to get this far?
throw new IllegalStateException(t);
private boolean timeoutError(Throwable t) {
if(!(t.getCause() instanceof UMException)){
return false;
UMException ue = (UMException) t.getCause();
//Check that UMException is due to the
assertion/context expiry
if(UMConstants.ErrorCodes.E_TOKEN_INVALID ==
ue.getErrCode()){
return true;
return false;
This ThrowHandler would be invoked by the ServiceClientFactory upon receiving any exception. The handler would then determine if its a timeout related exception and then would refresh the Context associated with the factory instance and tells it to retry the invocation.
STEP - 2 Register the handler
ServiceClientFactory.installThrowHandler(new
SimpleTimeoutThrowHandler(username, password));
Note: The handler should be registered only once in the application
STEP 3 - Perform your invocation
Following sample would try to apply policies on all the fles present in a directory
Properties p = getDefaultProperties();
p.setProperty(DSC_CREDENTIAL_USERNAME, username);
p.setProperty(DSC_CREDENTIAL_PASSWORD, password);
ServiceClientFactory scf =
ServiceClientFactory.createInstance(p);
//Now do some long running operation
String inputDirName ="path-to-input-dir";
String outDirName = "path-to-out-dir";
String policyName = "the-policy-name";
File inDir = new File(inputDirName);
File outDir = new File(outDirName);
RightsManagementClient rmClient = new
RightsManagementClient(scf);
DocumentManager docManager = rmClient.getDocumentManager();
//Iterate over all the pdf in the inDir and apply the
policies. If this takes a
for(File pdfFile : inDir.listFiles()){
Document inDoc = new Document(pdfFile, false);
Document securedDoc = docManager.applyPolicy(inDoc,
pdfFile.getName(), null, policyName, null, null);
securedDoc.copyToFile(new
File(outDir,pdfFile.getName()));
Now the invocation would complete even if it takes a long time. if any session expiry occurs then our ThrowHandler would take care of that.
here's a sample:
TimeOutSample.zip -
SAML Token Profile Policies Issues
Hi all
i want to secure a Web service using SAML Token Profile Policies. I am using Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml Policy.
I have Configured SAML 2.0 Identity Assertion Provider in my WebLogic Server. And added Identity Provider partner.
I gave the Issues as http://com.example.idp/AssertingParty
Below is the Soap Request Which i send to my Webservice.
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_15931837d93e95e7e7ffbaa038ad4942"
IssueInstant="2013-04-26T15:20:24.021Z" Version="2.0">
<saml:Issuer>http://com.example.idp/AssertingParty</saml:Issuer>
<saml:Subject>
<saml:NameID Format="NameID">weblogic_sp</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
</saml:Subject>
<saml:Conditions NotBefore="2013-04-26T15:24:14.021Z" NotOnOrAfter="2013-04-26T15:50:24.021Z"/>
<saml:AuthnStatement>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Roles">
<saml:AttributeValue>Administrators</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wsse:Security>
</env:Header>
<env:Body/>
</env:Envelope>
I am Getting the below error.
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurityToken</faultcode>
<faultstring>Invalid SAML token on CCS?Invalid SAML token when samlAsst= null</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
I turned on the Verbose in the Weblogic server and Got the Below log when i invoke the Web Service.
<WSEE:24>Created<SoapMessageContext.<init>:48>
<WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
<WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
<WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
<WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
<WSEE:24>tokenType: null, cred: [saml:Assertion: null], privkey: null<SAMLCredentialImpl.<init>:107>
<WSEE:24>Class of cred is: class com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl<SAMLCredentialImpl.<init>:108>
<WSEE:24>Instantiating SAMLAssertionInfoFactory<SAMLCredentialImpl.<init>:113>
<WSEE:24>Getting SAMLAssertionInfo from DOM Element of CSS<SAMLCredentialImpl.<init>:141>
<WSEE:24>Got erroron on SAMLAssertionInfo from DOM Element of CSS, msg =[Security:098517]Failed to get SAML assertion info: Unable to construct SAML 1.1/2.0 Schema object, can not perform validation.<SAMLCredentialImpl.<init>:152>
Please let me if i am doing any thing wrong.
Thanks
RanjithHi all
i want to secure a Web service using SAML Token Profile Policies. I am using Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml Policy.
I have Configured SAML 2.0 Identity Assertion Provider in my WebLogic Server. And added Identity Provider partner.
I gave the Issues as http://com.example.idp/AssertingParty
Below is the Soap Request Which i send to my Webservice.
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_15931837d93e95e7e7ffbaa038ad4942"
IssueInstant="2013-04-26T15:20:24.021Z" Version="2.0">
<saml:Issuer>http://com.example.idp/AssertingParty</saml:Issuer>
<saml:Subject>
<saml:NameID Format="NameID">weblogic_sp</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
</saml:Subject>
<saml:Conditions NotBefore="2013-04-26T15:24:14.021Z" NotOnOrAfter="2013-04-26T15:50:24.021Z"/>
<saml:AuthnStatement>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Roles">
<saml:AttributeValue>Administrators</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wsse:Security>
</env:Header>
<env:Body/>
</env:Envelope>
I am Getting the below error.
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurityToken</faultcode>
<faultstring>Invalid SAML token on CCS?Invalid SAML token when samlAsst= null</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
I turned on the Verbose in the Weblogic server and Got the Below log when i invoke the Web Service.
<WSEE:24>Created<SoapMessageContext.<init>:48>
<WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
<WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
<WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
<WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
<WSEE:24>tokenType: null, cred: [saml:Assertion: null], privkey: null<SAMLCredentialImpl.<init>:107>
<WSEE:24>Class of cred is: class com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl<SAMLCredentialImpl.<init>:108>
<WSEE:24>Instantiating SAMLAssertionInfoFactory<SAMLCredentialImpl.<init>:113>
<WSEE:24>Getting SAMLAssertionInfo from DOM Element of CSS<SAMLCredentialImpl.<init>:141>
<WSEE:24>Got erroron on SAMLAssertionInfo from DOM Element of CSS, msg =[Security:098517]Failed to get SAML assertion info: Unable to construct SAML 1.1/2.0 Schema object, can not perform validation.<SAMLCredentialImpl.<init>:152>
Please let me if i am doing any thing wrong.
Thanks
Ranjith -
Hi all,
is there any way to use SAML token with OBPM?
I need to invoke webservice from OSB and it needs authentication.
So, i want to provide SAML Token to authenticate.
I just want to know how to configure SAML token in OBPM. is it supported?
With Regards,
Wai Phyo
Edited by: waiphyo on May 25, 2010 5:36 PMIn the data control palette under the collection that represents the child you should see a node of operations - in there you should see next/previous - drag those onto the page to get the scrolling through the records going on.
-
Can I secure a "http" transport type and "Text" messaging proxy service using SAML tokens?
I am reading SAML is applicable only for wsdl webservices.Is this true?
Please guide me on using SAML for http/text proxy services if that is possible.
Thanks.any help..
-
Propogating SAML tokens from OSB to BPEL and the reverse
Hi
Is there a way to propogate SAML tokens from OSB to BPEL and vise-versa. There are lots of references on using OWSM policies. Can I achieve passing tokens and asserting without them?
Thanks
SumanStarting from 11gR1 (11.1.1.3) Release, we have new feature to start transaction. OSB proxy can be configured to start a transaction.Refer to message flow transaction http://download.oracle.com/docs/cd/E14571_01/relnotes.1111/e10132/osb.htm#CJACHEHJ
So with this feature, all we need a create a proxy say HTTP and enable this feature. OSB will start a transaction before your pipeline is invoked. Let me know if you need clarification.
Manoj
Edited by: Manoj Neelapu on Jun 22, 2010 8:39 AM
Edited by: Manoj Neelapu on Jun 22, 2010 8:39 AM -
Could not retrieve the doc with the passed obsolete token(Error: RWI 00323)
Error using WebService API via Tomcat and .NET framework 2.0. Am storing ReportEngine and Session instance memory as suggested but still get this error. How can I reset tokens or increase token limit so this error does not occur.
Inner Exception
Type : BusinessObjects.DSWS.DSWSException, BusinessObjects.DSWS, Version=11.5.4100.0, Culture=neutral, PublicKeyToken=692fbea5521e1304
Message : getDocumentInformation exception (Error: RWI 00323)
Source : DSWS Web Service Consumer
Help link :
ID : R1
WebServiceID :
Operation : reportengine.dsws.businessobjects.com/getDocumentInformation
CallStackTrace : com.businessobjects.rebean.wi.ConfigurationException: Could not retrieve the document with the passed obsolete token. (Error: RWI 00323)
at com.businessobjects.rebean.wi.ReportEngineImpl.getDocumentFromStorageToken(ReportEngineImpl.java:461)
at com.businessobjects.rebean.wi.occa.WebiReportEngine.getDocumentFromStorageToken(WebiReportEngine.java:239)
at com.businessobjects.dsws.WebIntelligenceReportEngineManager.openDocument(Unknown Source)
at com.businessobjects.dsws.wsb.reportengine.WebIntelligenceReportEngineSoapImpl.getDocumentInformation(Unknown Source)
at com.businessobjects.dsws.reportengine.ReportEngineSoapImpl.getDocumentInformation(Unknown Source)
at com.businessobjects.dsws.reportengine.ReportEngineSoapSkeleton.getDocumentInformation(Unknown Source)
at sun.reflect.GeneratedMethodAccessor166.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at org.apache.axis.providers.java.RPCProvider.invokeMethod(RPCProvider.java:402)
at org.apache.axis.providers.java.RPCProvider.processMessage(RPCProvider.java:309)
at org.apache.axis.providers.java.JavaProvider.invoke(JavaProvider.java:333)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:71)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:150)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:120)
at org.apache.axis.handlers.soap.SOAPService.invoke(SOAPService.java:481)
at org.apache.axis.server.AxisServer.invoke(AxisServer.java:323)
at org.apache.axis.transport.http.AxisServlet.doPost(AxisServlet.java:854)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at org.apache.axis.transport.http.AxisServletBase.service(AxisServletBase.java:339)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at com.businessobjects.dsws.wsc.common.axis.FlashFilter.doFilter(Unknown Source)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
at java.lang.Thread.run(Thread.java:534)
Caused by: com.businessobjects.rebean.internal.util.storage.InternalStorageException: token:we00100000e9816b1c411b is probably too old, could not be found in token history...
at com.businessobjects.rebean.internal.util.storage.ClusterStorageManager.retrieveObject(ClusterStorageManager.java:380)
at com.businessobjects.rebean.wi.ReportEngineImpl.getDocumentFromStorageToken(ReportEngineImpl.java:449)
... 47 more
CauseID : RWI 00323
CauseMessage : Could not retrieve the document with the passed obsolete token. (Error: RWI 00323)
CauseDetail :
CauseException : com.businessobjects.rebean.wi.ConfigurationException
Data : System.Collections.ListDictionaryInternal
TargetSite : BusinessObjects.DSWS.ReportEngine.DocumentInformation GetDocumentInformation(System.String, BusinessObjects.DSWS.ReportEngine.RetrieveMustFillInfo, BusinessObjects.DSWS.ReportEngine.Action[], BusinessObjects.DSWS.ReportEngine.Navigate, BusinessObjects.DSWS.ReportEngine.RetrieveData)
Stack Trace : at BusinessObjects.DSWS.ReportEngine.ReportEngine.GetDocumentInformation(String documentReference, RetrieveMustFillInfo retrieveMustFillInfo, Action[] actions, Navigate navigate, RetrieveData retrieveData)
ThanksYou can reclaim storage token stack space by sending Close action to any document you're done with.
You can increase the storage token stack space by editing the Web Services Provider app dswsbobje.war, the file WEB-INF\classes\webi.properties. Look inside that file for the storaget token stack size setting.
Sincerely,
Ted Ueda
Maybe you are looking for
-
Table does not exist in system after DB Connect
Hi Everyone, I must extract data from a oracle db. I create a source system with DB Connect and it's connect successful. Later, i create a datasource for that source system. but it show the table does not exist in system. I'm sure the table is corre
-
Lion wont install. My hard drive is thinks it's time machine.
I can't install lion because it says that my hard drive is used for time machine backups. What can I do?
-
InDesign crashes when printing
Using InDesignCS2 4.0 on a MacBookPro OS 10.6.8. InDesign crashes when I hit "print" on all documents, so it looks like it's not corrupt data in the document. As a workaround, I can export to a pdf and print, but now need to add printer's marks, whic
-
Libretto U100 looses often connection to the Wlan hub
Hi I am having problem with my wireless network card. I am often loosing connection with the hub. I read on another forum that it maybe a good idea to update the drivers. I have never done this before and I want to ensure I do it correctly. Can you p
-
Using OPatch for OIM patches - do you need write privs to ORACLE_HOME
We are in the process of installing OIM and have reached the post configuration step, which requires us to install a patch. http://download.oracle.com/docs/cd/E17904_01/install.1111/e12002/oidonly009.htm#CDDGCDBB We are in a separate group that the D