SAML Token Profile Policies Issues
Hi all
i want to secure a Web service using SAML Token Profile Policies. I am using Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml Policy.
I have Configured SAML 2.0 Identity Assertion Provider in my WebLogic Server. And added Identity Provider partner.
I gave the Issues as http://com.example.idp/AssertingParty
Below is the Soap Request Which i send to my Webservice.
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_15931837d93e95e7e7ffbaa038ad4942"
IssueInstant="2013-04-26T15:20:24.021Z" Version="2.0">
<saml:Issuer>http://com.example.idp/AssertingParty</saml:Issuer>
<saml:Subject>
<saml:NameID Format="NameID">weblogic_sp</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
</saml:Subject>
<saml:Conditions NotBefore="2013-04-26T15:24:14.021Z" NotOnOrAfter="2013-04-26T15:50:24.021Z"/>
<saml:AuthnStatement>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Roles">
<saml:AttributeValue>Administrators</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wsse:Security>
</env:Header>
<env:Body/>
</env:Envelope>
I am Getting the below error.
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurityToken</faultcode>
<faultstring>Invalid SAML token on CCS?Invalid SAML token when samlAsst= null</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
I turned on the Verbose in the Weblogic server and Got the Below log when i invoke the Web Service.
<WSEE:24>Created<SoapMessageContext.<init>:48>
<WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
<WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
<WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
<WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
<WSEE:24>tokenType: null, cred: [saml:Assertion: null], privkey: null<SAMLCredentialImpl.<init>:107>
<WSEE:24>Class of cred is: class com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl<SAMLCredentialImpl.<init>:108>
<WSEE:24>Instantiating SAMLAssertionInfoFactory<SAMLCredentialImpl.<init>:113>
<WSEE:24>Getting SAMLAssertionInfo from DOM Element of CSS<SAMLCredentialImpl.<init>:141>
<WSEE:24>Got erroron on SAMLAssertionInfo from DOM Element of CSS, msg =[Security:098517]Failed to get SAML assertion info: Unable to construct SAML 1.1/2.0 Schema object, can not perform validation.<SAMLCredentialImpl.<init>:152>
Please let me if i am doing any thing wrong.
Thanks
Ranjith
Hi all
i want to secure a Web service using SAML Token Profile Policies. I am using Wssp1.2-2007-Saml2.0-SenderVouches-Wss1.1.xml Policy.
I have Configured SAML 2.0 Identity Assertion Provider in my WebLogic Server. And added Identity Provider partner.
I gave the Issues as http://com.example.idp/AssertingParty
Below is the Soap Request Which i send to my Webservice.
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Header>
<wsse:Security
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
<saml:Assertion
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_15931837d93e95e7e7ffbaa038ad4942"
IssueInstant="2013-04-26T15:20:24.021Z" Version="2.0">
<saml:Issuer>http://com.example.idp/AssertingParty</saml:Issuer>
<saml:Subject>
<saml:NameID Format="NameID">weblogic_sp</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
</saml:Subject>
<saml:Conditions NotBefore="2013-04-26T15:24:14.021Z" NotOnOrAfter="2013-04-26T15:50:24.021Z"/>
<saml:AuthnStatement>
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="Roles">
<saml:AttributeValue>Administrators</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</wsse:Security>
</env:Header>
<env:Body/>
</env:Envelope>
I am Getting the below error.
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurityToken</faultcode>
<faultstring>Invalid SAML token on CCS?Invalid SAML token when samlAsst= null</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
I turned on the Verbose in the Weblogic server and Got the Below log when i invoke the Web Service.
<WSEE:24>Created<SoapMessageContext.<init>:48>
<WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
<WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
<WSEE:24>set Message called: [email protected]36368<SoapMessageContext.setMessage:65>
<WSEE:24>Parsed header {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security: <name={http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security> <role=null> <mustUnderstand=true><SoapMsgHeaders.parseHeaders:202>
<WSEE:24>tokenType: null, cred: [saml:Assertion: null], privkey: null<SAMLCredentialImpl.<init>:107>
<WSEE:24>Class of cred is: class com.sun.xml.internal.messaging.saaj.soap.impl.ElementImpl<SAMLCredentialImpl.<init>:108>
<WSEE:24>Instantiating SAMLAssertionInfoFactory<SAMLCredentialImpl.<init>:113>
<WSEE:24>Getting SAMLAssertionInfo from DOM Element of CSS<SAMLCredentialImpl.<init>:141>
<WSEE:24>Got erroron on SAMLAssertionInfo from DOM Element of CSS, msg =[Security:098517]Failed to get SAML assertion info: Unable to construct SAML 1.1/2.0 Schema object, can not perform validation.<SAMLCredentialImpl.<init>:152>
Please let me if i am doing any thing wrong.
Thanks
Ranjith
Similar Messages
-
Using Saml token profile 1.1 with WLS 10.3
Hi All
I am a Student from IITB. I am trying use message-level authentication for webservices using SAML Token Profile 1.1 on weblogic 10.3. I have done the necessary configuration but I am getting an error
"Unable to add Security Token for Identity ". I Started the SamlCredMapper Debug flag on from the console and saw the logs and I saw that everything is going fine untill at one place it
gives this error
<Debug> <SecuritySAMLCredMap> ' *<1245866312123> <BEA-000000> *<SAMLCredentialMapperV2: getCredentialInternal(): InvalidParameterException while validating parameters: weblogic.security.service.InvalidParameterException: Unable to generate SAML Assertion: No partner ID or target resource>**
I do not know how to fix this problem. Please Tell me if anyone has any idea about it.
Thanks
regards,
Sanyam
//The Logs are as follows
<Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310425> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): initiator = Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("ssouser")
>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310425> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): resource = (null)>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310426> <BEA-000000> <SAMLRPConfigManager.findPartnerInTargetMap():Searching with key 'sender-vouches:http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310426> <BEA-000000> <SAMLRPConfigManager.findPartnerInTargetMap():Found partner 'rp_00001'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310436> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Not found name mapper in the cache, try to create one>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310437> <BEA-000000> <SAMLNameMapperCache.getNameMapper: create SAMLNameMapperImpl name mapper>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310439> <BEA-000000> <SAMLNameMapperImpl: mapSubject: No valid WLSGroup pricipals found in Subject, continuing>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310439> <BEA-000000> <SAMLNameMapperImpl: mapSubject: Mapped subject: qualifier: null, name: ssouser, groups: []>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310440> <BEA-000000> <SAMLCreateAssertion: Mapped subject 'Subject: 1
Principal = class weblogic.security.principal.WLSUserImpl("ssouser")
' to: username='ssouser',qualifier='null',format='urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310442> <BEA-000000> <SAMLCreateAssertion: No context or subject attribute were mapped>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310442> <BEA-000000> <SAMLCreateAssertion: Groups attribute statement requested but name mapper returned no groups -- groups attribute statement will not be generated>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: Creating sender-vouches assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: Assertion IS signed>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: KeyInfo IS NOT supplied>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310445> <BEA-000000> <SAMLCreateAssertion: AttrStmtInfo IS NOT supplied>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310460> <BEA-000000> <SAMLCreateAssertion: Created SAMLSubject for 'ssouser'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310460> <BEA-000000> <SAMLCreateAssertion: Created SAMLSubject>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310475> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Cloning SAMLSubject>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310476> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Created SAMLAuthenticationStatement>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310484> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Signing assertion, keyinfo is included>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310508> <BEA-000000> <SAMLSignedObject.sign(): algorithm 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310509> <BEA-000000> <SAMLSignedObject.sign(): reference '#b21cfea8d3c90fee97a3100a59b0005e'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310509> <BEA-000000> <SAMLSignedObject.sign(): InclusiveNamespaces '#default saml samlp ds dsig code kind rw typens'>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310542> <BEA-000000> <SAMLSignedObject.sign(): adding certificates>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310556> <BEA-000000> <SAMLSignedObject.sign(): signing object>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLLib> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLSignedObject.sign(): completed>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Signed assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: SAMLCreateAssertion: Created SAMLAssertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCreateAssertion: Returning assertion>
####<Jun 24, 2009 11:28:30 PM IST> <Debug> <SecuritySAMLCredMap> <[ACTIVE] : '1' for queue: ' <1245866310706> <BEA-000000> <SAMLCredentialMapperV2: getCredentialInternal(): Returning non-null credential>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311896> <BEA-000000> <SAMLIdentityAsserter: assertIdentity() called>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311897> <BEA-000000> <SAMLIdentityAsserter: SAMLIdentityAsserter: tokenType is 'SAML.Assertion.DOM'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311903> <BEA-000000> <SAMLAssertion: Assertion passed basic validity check>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311905> <BEA-000000> <SAMLAssertion: Target for assertion is: 'http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311905> <BEA-000000> <SAMLAssertion: Assertion issuer is: 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311906> <BEA-000000> <SAMLAssertion: Assertion subject confirmation method is: 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAPConfigManager.findPartnerInTargetMap():Searching with key 'sender-vouches:http://usmumsanygoyal1:7001/&http://usmumsanygoyal1:7001/SSOTryService/SSOTestHelloWorld'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAPConfigManager.findPartnerInTargetMap():Found partner 'ap_00001'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAssertion: Found asserting party 'ap_00001'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311907> <BEA-000000> <SAMLAssertion: Assertion is signed>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311908> <BEA-000000> <SAMLTrustManager: Looking for certificate alias 'testalias'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311930> <BEA-000000> <SAMLTrustManager: Certificate was found>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311937> <BEA-000000> <SAMLSignedObject.verify(): key supplied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311963> <BEA-000000> <SAMLSignedObject.verify(): obtained signed info>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311963> <BEA-000000> <SAMLSignedObject.verify(): validating signature>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLLib> ' <1245866311970> <BEA-000000> <SAMLSignedObject.verify(): completed>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311970> <BEA-000000> <SAMLAssertion: Signature verified using trusted certificate>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <Got signing certificate for signed object: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <SAMLAssertion: Assertion subject confirmation method is: 'urn:oasis:names:tc:SAML:1.0:cm:sender-vouches'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311977> <BEA-000000> <SAMLAssertion: Verified subject confirmation method>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311978> <BEA-000000> <SAMLAssertion: Assertion issuer is 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311978> <BEA-000000> <SAMLAssertion: Assertion issuer verified>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: Assertion contains NotBefore condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: Assertion contains NotOnOrAfter condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: NotBefore condition satisfied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311980> <BEA-000000> <SAMLAssertion: NotOnOrAfter condition satisfied>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion has AudienceRestrictionCondition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Found matching audience 'http://usmumsanygoyal1:7001/'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: AudienceRestriction condition satisfied (matching audience)>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion has DoNotCache condition>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311981> <BEA-000000> <SAMLAssertion: Assertion conditions verified>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311986> <BEA-000000> <SAMLAssertion: Found subject for name: 'ssouser'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Not found name mapper in the cache, try to create one>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLNameMapperCache.getNameMapper: create SAMLNameMapperImpl name mapper>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: Looking for AttributeName 'Groups'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: Looking for AttributeNamespace 'urn:bea:security:saml:groups'>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311987> <BEA-000000> <SAMLAssertion: ProcessGroups is true but did not find expected groups attribute statement>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311988> <BEA-000000> <SAMLNameMapperCache.getNameMapper: Found name mapper in the cache>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311988> <BEA-000000> <SAMLNameMapperImpl: mapNameInfo: returning name: ssouser>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311989> <BEA-000000> <SAMLNameMapperImpl: mapGroupInfo: returning groups: null>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311989> <BEA-000000> <SAMLIACallbackHandler: SAMLIACallbackHandler(true, ssouser, null)>
####<Jun 24, 2009 11:28:31 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866311996> <BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(ssouser)>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLAtn> ' <1245866312002> <BEA-000000> <SAMLIACallbackHandler: callback[0]: NameCallback: setName(ssouser)>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312122> <BEA-000000> <SAMLCredentialMapperV2: getCredentials: Subject initiator>
####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' <1245866312122> <BEA-000000> <SAMLCredentialMapperV2: getCredentials(Subject): getCredentialInternal() called>
_####<Jun 24, 2009 11:28:32 PM IST> <Debug> <SecuritySAMLCredMap> ' *<1245866312123> <BEA-000000> **<SAMLCredentialMapperV2: getCredentialInternal(): InvalidParameterException while validating parameters: weblogic.security.service.InvalidParameterException: Unable to generate SAML Assertion: No partner ID or target resource>**_*Client Side
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:credential-mapper xsi:type="wls:saml-credential-mapper-v2Type">
<sec:name>SAMLCredentialMapper</sec:name>
<wls:issuer-uri>www.bea.com/demoSAML</wls:issuer-uri>
<wls:name-qualifier>bea.com</wls:name-qualifier>
<wls:signing-key-alias>testalias</wls:signing-key-alias>
<wls:default-time-to-live-delta>-30</wls:default-time-to-live-delta>
<wls:signing-key-pass-phrase-encrypted>{3DES}dOC15C42IEzCnN/klGIdyQ==</wls:signing-key-pass-phrase-encrypted>
</sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:key-store xsi:type="wls:default-key-storeType">
<sec:name>keystore</sec:name>
</sec:key-store>
<sec:name>myrealm</sec:name>
</realm>
Server side
<realm>
<sec:authentication-provider xsi:type="wls:default-authenticatorType"></sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:default-identity-asserterType">
<sec:active-type>AuthenticatedUser</sec:active-type>
</sec:authentication-provider>
<sec:authentication-provider xsi:type="wls:saml-identity-asserter-v2Type">
<sec:name>SAMLIdentityAsserter</sec:name>
</sec:authentication-provider>
<sec:role-mapper xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-role-mapperType"></sec:role-mapper>
<sec:authorizer xmlns:xac="http://www.bea.com/ns/weblogic/90/security/xacml" xsi:type="xac:xacml-authorizerType"></sec:authorizer>
<sec:adjudicator xsi:type="wls:default-adjudicatorType"></sec:adjudicator>
<sec:credential-mapper xsi:type="wls:default-credential-mapperType"></sec:credential-mapper>
<sec:cert-path-provider xsi:type="wls:web-logic-cert-path-providerType"></sec:cert-path-provider>
<sec:cert-path-builder>WebLogicCertPathProvider</sec:cert-path-builder>
<sec:name>myrealm</sec:name>
</realm>
Sanyam -
Invalid security error when invoking secure webservice using SAML tokens
I have deployed a JAX-WS webservice using a stateless session bean to wl 10.3.2 that uses a custom policy. The service deploys fine, but weblogic returns an HTTP error 500 with a SOAP fault. The fault states wsse:InvalidSecurity. The webservice security policy reqires SAML holder of key assertions and attributes. I have tried everything from running weblogic with Metro 1.5 to configuring SAML Identity Asserter Providers, etc with no luck. I even tried using the built in SAML 2.0 assymetric holder of key policy. What am I doing wrong? The XML of interest is attached.
Thanks;
-Dave.
*[Sample message from client]*
<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
<S:Header>
<To xmlns="http://www.w3.org/2005/08/addressing">https://localhost:7002/NHINAdapterDocQuerySecured/AdapterDocQuerySecured</To>
<Action xmlns="http://www.w3.org/2005/08/addressing">urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryRequestMessage</Action>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:fec656f8-a2be-4129-8412-34d9453e7cb2</MessageID>
<wsse:Security S:mustUnderstand="1">
<wsu:Timestamp xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_1">
<wsu:Created>2010-02-24T21:38:56Z</wsu:Created>
<wsu:Expires>2010-02-24T21:43:56Z</wsu:Expires>
</wsu:Timestamp>
<saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="96cdfb70-91a3-4baf-9da1-3ff07d249926" IssueInstant="2010-02-24T21:38:56.671Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=kskagerb*DoD</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>iwGksKFK2ZYDxftMa093TajW7V9TwHW7NiyT6bJ2p38zBwpehwMJ1ZO9V0hFihcz/BZ2MvQ1WA1l0KhUBSR/bMiu6WmZ0bJPjvXx41ewGw5YzTL2RbT1U2XXBHtPHjbkH5jqK5zk67F/NM26v+hw0fSZiqM1BAFp9F73hMHsNrc=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2009-04-16T13:15:39.000Z" SessionIndex="987">
<saml2:SubjectLocality Address="158.147.185.168" DNSName="cs.myharris.net"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Karl S Skagerberg</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">InternalTest2</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.4.349</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.4.349</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
<saml2:AttributeValue>
<hl7:Role xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="307969004" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED_CT" displayName="Public Health" xsi:type="hl7:CE"/>
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
<saml2:AttributeValue>
<hl7:PurposeForUse xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="TREATMENT" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Use or disclosure of Psychotherapy Notes" xsi:type="hl7:CE"/>
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">500000000^^^&1.1&ISO</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthzDecisionStatement Decision="Permit" Resource="https://158.147.185.168:8181/SamlReceiveService/SamlProcessWS">
<saml2:Action Namespace="urn:nhin:names:hl7:rbac:4.00:operation">EXECUTE</saml2:Action>
<saml2:Evidence>
<saml2:Assertion ID="40df7c0a-ff3e-4b26-baeb-f2910f6d05a9" IssueInstant="2009-04-16T13:10:39.093Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>
<saml2:Conditions NotBefore="2009-04-16T13:10:39.093Z" NotOnOrAfter="2010-12-31T12:00:00.000Z"/>
<saml2:AttributeStatement>
<saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Claim-Ref-1234</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Claim-Instance-1</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2:Evidence>
</saml2:AuthzDecisionStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#96cdfb70-91a3-4baf-9da1-3ff07d249926">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>VnukKqb4Bt1KWDKfy8SDfk1Hp2s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>DUwjh/H3XSfUG250rTlLdihstDXY1+qkY9GaY81Iu7Ag4MgoGvGBrGjZOJ7YnssPdrqUGiURxf6k
IBH7vaeXk24XvXP3F85WP9nBm+2M4BvGTplgOmAo0yuwze+90FvwILzFNmmX/tvy3QKTDHlh1rEx
/Jqfm6q/56WW1suAbRY=</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>iwGksKFK2ZYDxftMa093TajW7V9TwHW7NiyT6bJ2p38zBwpehwMJ1ZO9V0hFihcz/BZ2MvQ1WA1l
0KhUBSR/bMiu6WmZ0bJPjvXx41ewGw5YzTL2RbT1U2XXBHtPHjbkH5jqK5zk67F/NM26v+hw0fSZ
iqM1BAFp9F73hMHsNrc=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</saml2:Assertion>
<ds:Signature xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>oo99UrPhAcwla4Qbkdd9jAPn0cE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ds4vqts8uCdJcNGo0uTPzId5UBX+GVrdztQPv823c1Zy9ZZGSfQC/GsBPM/EMbFInDPFsyT4e1QYZMCzmqLYnifWHlDQJb7oMJBokafavAqZda1B55Zzh3TSm6BqKWtB/DX17d6rLx/HPiLNZ9qsBfuGn3aTlUCpNsYA8ObBtp8=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">96cdfb70-91a3-4baf-9da1-3ff07d249926</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body>
<ns3:AdhocQueryRequest xmlns:ns2="urn:gov:hhs:fha:nhinc:gateway:samltokendata" xmlns:ns3="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0" xmlns:ns4="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0" xmlns:ns5="urn:oasis:names:tc:ebxml-regrep:xsd:rs:3.0" xmlns:ns6="urn:oasis:names:tc:ebxml-regrep:xsd:lcm:3.0" maxResults="-1" startIndex="0" federated="false">
<ns3:ResponseOption returnComposedObjects="true" returnType="LeafClass"/>
<ns4:AdhocQuery home="urn:oid:2.16.840.1.113883.4.349" id="urn:uuid:14d4debf-8f97-4251-9a74-a90016b0af0d">
<ns4:Slot name="$XDSDocumentEntryStatus">
<ns4:ValueList>
<ns4:Value>('urn:oasis:names:tc:ebxml-regrep:StatusType:Approved')</ns4:Value>
</ns4:ValueList>
</ns4:Slot>
<ns4:Slot name="$XDSDocumentEntryPatientId">
<ns4:ValueList>
<ns4:Value>'1012581676V377802^^^&2.16.840.1.113883.4.349&ISO'</ns4:Value>
</ns4:ValueList>
</ns4:Slot>
</ns4:AdhocQuery>
</ns3:AdhocQueryRequest>
</S:Body>
</S:Envelope>
*[Response from server:]*
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>weblogic.xml.crypto.api.MarshalException: weblogic.xml.dom.marshal.MarshalException: Failed to unmarshal {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference, no SecurityTokenReference factory found for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}KeyIdentifier ValueType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
*[webservice WSDL]*
<?xml version="1.0" encoding="UTF-8"?>
<!--
Adapter Document Query WSDL
-->
<definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="urn:gov:hhs:fha:nhinc:adapterdocquerysecured"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:query="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"
xmlns:plnk="http://docs.oasis-open.org/wsbpel/2.0/plnktype"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
xmlns:vprop="http://docs.oasis-open.org/wsbpel/2.0/varprop"
xmlns:sxnmp="http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/NMProperty"
name="AdapterDocQuerySecured"
targetNamespace="urn:gov:hhs:fha:nhinc:adapterdocquerysecured">
<documentation>Adapter Document Query</documentation>
<types>
<xsd:schema>
<xsd:import namespace="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"
schemaLocation="../schemas/ebRS/query.xsd"/>
<xsd:import namespace="urn:gov:hhs:fha:nhinc:gateway:samltokendata"
schemaLocation="../schemas/nhinc/gateway/SamlTokenData.xsd"/>
</xsd:schema>
</types>
<message name="RespondingGateway_CrossGatewayQueryRequestMessage">
<part name="body"
element="query:AdhocQueryRequest"/>
</message>
<message name="RespondingGateway_CrossGatewayQueryResponseMessage">
<part name="body"
element="query:AdhocQueryResponse"/>
</message>
<portType name="AdapterDocQuerySecuredPortType">
<operation name="RespondingGateway_CrossGatewayQuery">
<input name="RespondingGateway_CrossGatewayQueryRequest"
message="tns:RespondingGateway_CrossGatewayQueryRequestMessage"
wsaw:Action="urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryRequestMessage"/>
<output name="RespondingGateway_CrossGatewayQueryResponse"
message="tns:RespondingGateway_CrossGatewayQueryResponseMessage"
wsaw:Action="urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryResponseMessage"/>
</operation>
</portType>
<binding name="AdapterDocQuerySecuredBindingSoap11" type="tns:AdapterDocQuerySecuredPortType">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<wsp:PolicyReference URI="#RespondingGateway_Query_Binding_SoapPolicy"/>
<operation name="RespondingGateway_CrossGatewayQuery">
<soap:operation soapAction="urn:RespondingGateway_CrossGatewayQuery"/>
<input name="RespondingGateway_CrossGatewayQueryRequest">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#RespondingGateway_Query_Binding_Soap_Input_Policy"/>
</input>
<output name="RespondingGateway_CrossGatewayQueryResponse">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#RespondingGateway_Query_Binding_Soap_Output_Policy"/>
</output>
</operation>
</binding>
<service name="AdapterDocQuerySecured">
<port name="AdapterDocQuerySecuredPortSoap11"
binding="tns:AdapterDocQuerySecuredBindingSoap11">
<soap:address
location="https://localhost:7002/NHINAdapterDocQuerySecured" />
</port>
</service>
<!-- Define action property on each receiving message -->
<vprop:property name="action" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:action"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>action</vprop:query>
</vprop:propertyAlias>
<!-- Define resource property on each receiving message -->
<vprop:property name="resource" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:resource"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>resource</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseRoleCode property on each receiving message -->
<vprop:property name="purposeForUseRoleCode" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseRoleCode"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseRoleCode</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseCodeSystem property on each receiving message -->
<vprop:property name="purposeForUseCodeSystem" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseCodeSystem"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseCodeSystem</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseCodeSystemName property on each receiving message -->
<vprop:property name="purposeForUseCodeSystemName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseCodeSystemName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseCodeSystemName</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseDisplayName property on each receiving message -->
<vprop:property name="purposeForUseDisplayName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseDisplayName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseDisplayName</vprop:query>
</vprop:propertyAlias>
<!-- Define userFirstName property on each receiving message -->
<vprop:property name="userFirstName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userFirstName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userFirstName</vprop:query>
</vprop:propertyAlias>
<!-- Define userMiddleName property on each receiving message -->
<vprop:property name="userMiddleName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userMiddleName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userMiddleName</vprop:query>
</vprop:propertyAlias>
<!-- Define userLastName property on each receiving message -->
<vprop:property name="userLastName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userLastName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userLastName</vprop:query>
</vprop:propertyAlias>
<!-- Define userName property on each receiving message -->
<vprop:property name="userName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userName</vprop:query>
</vprop:propertyAlias>
<!-- Define userOrganization property on each receiving message -->
<vprop:property name="userOrganization" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userOrganization"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userOrganization</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCode property on each receiving message -->
<vprop:property name="userRoleCode" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCode"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCode</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCodeSystem property on each receiving message -->
<vprop:property name="userRoleCodeSystem" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCodeSystem"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCodeSystem</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCodeSystemName property on each receiving message -->
<vprop:property name="userRoleCodeSystemName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCodeSystemName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCodeSystemName</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCodeDisplayName property on each receiving message -->
<vprop:property name="userRoleCodeDisplayName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCodeDisplayName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCodeDisplayName</vprop:query>
</vprop:propertyAlias>
<!-- Define expirationDate property on each receiving message -->
<vprop:property name="expirationDate" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:expirationDate"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>expirationDate</vprop:query>
</vprop:propertyAlias>
<!-- Define signDate property on each receiving message -->
<vprop:property name="signDate" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:signDate"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>signDate</vprop:query>
</vprop:propertyAlias>
<!-- Define contentReference property on each receiving message -->
<vprop:property name="contentReference" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:contentReference"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>contentReference</vprop:query>
</vprop:propertyAlias>
<!-- Define content property on each receiving message -->
<vprop:property name="content" type="xsd:base64Binary"/>
<vprop:propertyAlias propertyName="tns:content"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>content</vprop:query>
</vprop:propertyAlias>
<wsp:Policy wsu:Id="RespondingGateway_Query_Binding_SoapPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
<sc:KeyStore wspp:visibility="private"
aliasSelector="gov.hhs.fha.nhinc.callback.KeyStoreServerAliasSelector"
callbackHandler="gov.hhs.fha.nhinc.callback.KeyStoreCallbackHandler"/>
<sc:TrustStore wspp:visibility="private"
callbackHandler="gov.hhs.fha.nhinc.callback.TrustStoreCallbackHandler"/>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken>
<wsp:Policy>
<sp:RequireClientCertificate/>
</wsp:Policy>
</sp:HttpsToken>
</wsp:Policy>
</sp:TransportToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens>
<wsp:Policy>
<sp:SamlToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssSamlV20Token11/>
</wsp:Policy>
</sp:SamlToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="RespondingGateway_Query_Binding_Soap_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="RespondingGateway_Query_Binding_Soap_Output_Policy">
<wsp:ExactlyOne>
<wsp:All>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<plnk:partnerLinkType name="AdapterDocQuerySecured">
<!-- A partner link type is automatically generated when a new port type is added.
Partner link types are used by BPEL processes. In a BPEL process, a partner
link represents the interaction between the BPEL process and a partner service.
Each partner link is associated with a partner link type. A partner link type
characterizes the conversational relationship between two services. The
partner link type can have one or two roles.-->
<plnk:role name="AdapterDocQuerySecuredPortTypeRole"
portType="tns:AdapterDocQuerySecuredPortType"/>
</plnk:partnerLinkType>
</definitions>
Edited by: dvazquez1027 on Feb 25, 2010 5:10 PM
Edited by: dvazquez1027 on Feb 25, 2010 5:22 PMHi
yes, I had the same issue and I found a solution.
You need to request a patch for BUG 9212862 (already corrected in WLS 10.3.3) and do the follwing:
javax.xml.ws.BindingProvider provider = (javax.xml.ws.BindingProvider)port;
java.util.Map context = provider.getRequestContext();
context.put(weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_PREFERENCE, weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_MSFT);
This will cause the SecurityMessageArchitect class of WLS to not send the SecurityTokenReference in the Soap security header.
Please note that is evidently a non-comformity to the specs of microsoft:
Please give a look at
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf (8.3 Signing Tokens)
and also at:
http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
(3.4 Identifying and Referencing Security Tokens)
A SAML key identifier reference MUST be used for all (local and remote) references to SAML 1.1
assertions. [...]
All conformant implementations MUST be able to process SAML assertion references occurring in a
<wsse:Security> header or in a header element other than a signature to acquire the corresponding
assertion. A conformant implementation MUST be able to process any such reference independent of the
confirmation method of the referenced assertion.
It follows that the .NET 3.5 is a non conformat implementation: I would gladly know which is the position of Microsoft on that.
ciao
carlo -
SAML token not understood (weblogic 10.3)
I'm trying to call my webservice with a SAML sender-vouches, and keep getting an error message. This used to work when running in Weblogic 9.2.3 (but we are in the process of upgrading to Weblogic 10.3).
(This is running from alsb 2.6)
My request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
</soap:Header>
<soapenv:Body>
<saml:TestRequest xmlns:saml="http://saml.webservice.namespace.model">
<saml:Call>string</saml:Call>
</saml:TestRequest>
</soapenv:Body>
</soapenv:Envelope>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<wsse:Security soap:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<saml:Assertion AssertionID="d08c0548d758b52dbebfdb327e60a201" IssueInstant="2009-11-24T15:16:20.192Z" Issuer="http://www.sparebank1.no" MajorVersion="1" MinorVersion="1" xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
<saml:Conditions NotBefore="2009-11-24T15:16:10.192Z" NotOnOrAfter="2009-11-24T15:18:10.192Z">
<saml:DoNotCacheCondition/>
</saml:Conditions>
<saml:AuthenticationStatement AuthenticationInstant="2009-11-24T15:16:20.192Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<saml:Subject>
<saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="sparebank1.no">supermann</saml:NameIdentifier>
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>
urn:oasis:names:tc:SAML:1.0:cm:sender-vouches
</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
</saml:Subject>
</saml:AuthenticationStatement>
<dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
<dsig:SignedInfo>
<dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<dsig:Reference URI="#d08c0548d758b52dbebfdb327e60a201">
<dsig:Transforms>
<dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</dsig:Transform>
</dsig:Transforms>
<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<dsig:DigestValue>KWkdUKb1gfftG4XchDnrmZmKbEc=</dsig:DigestValue>
</dsig:Reference>
</dsig:SignedInfo>
<dsig:SignatureValue>
uRvZvXqmLlxj/wXSaG7zwLATsRCwPND++4zUHQZB2o6KPeDNR89f02t/CnLDsrbjGr9Y4JgXmGSkmMK+eP0JdY/q9CiOekhpJJ9RhZupE1ldoIPzLqc8nLUC3lHJUrKCchnuKmxg76V7I3TWFCvqYMz2pFiNdm6n8Fq2xgxtjRc=
</dsig:SignatureValue>
</dsig:Signature>
</saml:Assertion>
</wsse:Security>
</soap:Header>
<soapenv:Body>
<saml:TestRequest xmlns:saml="http://saml.webservice.namespace.model">
<saml:Call>string</saml:Call>
</saml:TestRequest>
</soapenv:Body>
</soapenv:Envelope>
Response:
The invocation resulted in an error: Internal Server Error.
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/">
<S:Body>
<SOAP-ENV:Fault xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<faultstring>
MustUnderstand headers:[{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}Security] are not understood
</faultstring>
<faultcode>SOAP-ENV:MustUnderstand</faultcode>
</SOAP-ENV:Fault>
</S:Body>
</S:Envelope>
My policy file:
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wssp="http://www.bea.com/wls90/security/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wls="http://www.bea.com/wls90/security/policy/wsee#part"
wsu:Id="amartaSaml">
<wssp:Identity>
<wssp:SupportedTokens>
<wssp:SecurityToken
TokenType="http://docs.oasis-open.org/wss/2004/01/oasis-2004-01-saml-token-profile-1.0#SAMLAssertionID">
<wssp:Claims>
<wssp:ConfirmationMethod>sender-vouches</wssp:ConfirmationMethod>
</wssp:Claims>
</wssp:SecurityToken>
</wssp:SupportedTokens>
</wssp:Identity>
</wsp:Policy>
java file:
@WebService( serviceName="SamlService", portName="SamlPort", endpointInterface="namespace.webservice.saml.SamlServiceImplPort", targetNamespace="http://saml.webservice.namespace", wsdlLocation="/wsdl/saml.wsdl" )
public class SamlServiceImpl implements SamlServiceImplPort
@RolesAllowed( {
@SecurityRole(role = "sb1.life.customer.employer"),
@SecurityRole(role = "sb1.life.customer.individual"),
@SecurityRole(role = "sb1.life.customer.authorizedparty"),
@SecurityRole(role = "sb1.life.distributor.change"),
@SecurityRole(role = "sb1.life.distributor.read"),
@SecurityRole(role = "sb1.life.distributor.expert") })
@Policy(uri = "policy:sb1life-ws-policy.xml", direction = Policy.Direction.inbound)
public TestResponse getCall( TestRequest parameter )
TestResponse response = new TestResponse();
response.setResponse( "Hello " + parameter.getCall() );
return response;
One thing that got changed was that in WLS 9.2.3 we deployed the services as EAR, while now we are just deploying them as WAR. Don't know if that makes a difference. Also, the domain template for creating the weblogic domain is different.
I looked in Google, and there seems to be a "common" problem with SAML, but I couldn't find a Weblogic specific solution.
Thank you,
JohnThis is not currently supported in 10.3 because JAX-WS only supports SAML2.0 on WLS 10.3 whilst OSB 10.3 can only generate SAML 1.1 tokens.
from support :
"JAX-WS as implemented in WLS 10.3 does not support deprecated SAML policy (but SAML 2.0).
On the other hand OSB 10.3 is not supporting new SAML policy (you cannot import SAML 2.0 policy)."
Two solutions/workarounds:
1. Create a JAX-RPC WebService using the SAML-policy you have in place
2. Use OSB on the response-domain, create a proxy with policy and wsdl...
Adjust the endpoints in asserter and mapper -
I'v posted this thread in the [SOA Suite forum|http://forums.oracle.com/forums/thread.jspa?threadID=912083&tstart=0] in the first place, but maybe this forum is a better places, for this question.
We're experiencing a lot of inconveniences using the "SAML - Verify WSS 1.0 Token" validation step in WSM. We've configured the SAML verifier to "allow signed assertions only" in order to achieve our security goals. Before a client is allowed access to a protected web service, the client must request an identity provider to get a signed saml assertion and attach this security token to the web service security header. In order to access the protected web services we'll like to use WSM to verify that the saml assertion:
1. Is issued by a specific identity provider (no problem)
2. That the conditions in the assertion is valid (no problem)
3. That the assertion i signed by a trusted certificate (problem)
4. That the signature of the assertion is valid in proportion to the signed context of the assertion (problem)
The inconveniences starts when we expect that the "SAML - Verify WSS 1.0 Token" validation step, validates the signatures of the assertion, before using it. But it seems, that this isn't the purpose of the verifier. When the saml token verifier is configured with "allow signed assertions only", then the client receives a "SAML token verification failed". This seems reasonably, but if we just add an empty ds:Signature element inside the wsse:Security element, then the client is granted access:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature Id="Signature-11551252" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="nakbhwl3Qz8mPC00cL1bUg22" Issuer="https://credentials.com/idp" IssueInstant="2009-06-09T11:05:40Z">
</saml:Assertion>
</wsse:Security>
I find this behavior very strange. Also, if i do some manual changes in the saml assertion issued and signed by the identity provider, this is allowed too, even though the signature is invalidated. Event if I remove the ds:Signature from the assertion, but keeps the empty ds:Signature below the wsse:Security element, the client is granted access.
In the documentation of the "SAML - Verify WSS 1.0 Token", i found this quotation:
"Verifies the SAML token according to the Web Services Security SAML Token Profile 1.0 (WSS STP 1.0) standard."
But I don't find this statement true. Our assertions is issued with confirmation method "sender-voches":
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
I interpret the spec as, a receiver MUST NOT accept assertions containing a "sender-vouches" confirmation method unless the assertions and soap message content being vouches for are protected by an attesting entity who is trusted by the receiver. This is absolute not the case in our tests. The assertion isn't protected at all. The empty ds:Signature element in the wsse:Security element doesn't protect any thing and even when we totally remove the ds:Signature tag in the assertion, we're granted access.
It seems like the purpose of the "SAML - Verify WSS 1.0 Token" step isn't to validate the confidentiality of the saml assertions and only grant access if the saml assertions is correct. It is possible to freely change the tokens and then be granted access. I think we need some more steps in WSM before the saml validation step, but I don't know which.
We'll like to know if any one knows how to use this "SAML - Verify WSS 1.0 Token" step, to achieve a secure access to protected service. Do we need some pre/post step to achieve a satisfying level of security, do we need to make our own custom step or just used another security product?
Regard
Jacob
Edited by: wmjaboj on 2009-06-10 01:42hi jacob
looks like you have successfully configured the client side ; I am struggling in that itself. I am calling a secure web-service and I want to use saml token profile 1.1. I am using wls 10.3 and I am getting an error Unable to add signature .
Can you help me with the configuration at the client side ?
Thanks
Regards
Sanyam -
OWSM: Setting up SAML token verification with Novell Access manager
Hello,
We are trying to set-up communication between an OWSM gateway and a Novell Accces Manager to do the following:
All requests to our services should be secured using Web Services Security SAML Token Profile 1.0. OWSM will validate this token using the SAML – Verify WSS 1.0 Token step. The assertion will be issued by a Novell Access Manager. Are we right that OWSM needs to communicate with the Novell Access Manager for this? In that case Novell requires us to deliver metadata to establish a trust relation between the Identity Provider (Novell) and the Service Provider (OWSM). This metadata should look something like this:
odysseus:/var/opt/novell/tomcat4/webapps/nidp # cat application.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE application PUBLIC '-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN' 'http://java.sun.com/j2ee/dtds/application_1_2.dtd'>
<application>
<display-name>NIDPJ2EEApp</display-name>
<description>Novell Identity Provider</description>
<module>
<web>
<web-uri>nidp.war</web-uri>
<context-root>nidp</context-root>
</web>
</module>
</application>
However I cannot find anything on this in the OWSM documentation.To answer my own question. We found 4 application.xml files which seem to contain the metadata in the folders ccore, coreman, gateway and policymanager of $AS_HOME/owsm/config/.
-
Exception: "Could not validate SAML Token"
We have an evaluation system setup that we are using to generate PDF from PS. We're connecting via the EJB client, and typically have had no problems. Until today. At some point today we began seeing exceptions being thrown on the client:
Caused by: com.adobe.idp.um.api.UMException | [com.adobe.idp.um.api.impl.AuthenticationManagerImpl] errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML Token --- Assertion has expired and hence not valid for user [administrator@DefaultDom]. Its valid till time [Tue Feb 04 10:58:45 MST 2014] was found to be before the current time [Tue Feb 04 16:04:41 MST 2014]
Simply bouncing the app server where the client code is running solved the problem, however we'd like to better understand what is going on and why. Nothing that I can find in the docs seems to indicate the cause/solution, and possible solutions have links that appear to no longer function: http://cookbooks.adobe.com/post_Renewing_the_context_to_handle_session_expiry-16410.html
Any suggestions and/or insight would be greatly appreciated. Thanks!PROBLEM
Using the same instance of ServiceClientFactory to remotely invoke the services exposed by the LiveCycle container can lead to
exception related to assertion expiry
Solution
To handle the timeout use the ThrowHandler mechanism provided by the ServiceClientFactory framework
Detailed explanation
LiveCycle provides a client sdk for java based client to invoke its services remotely.
An invocation involves Creation of a ServiceClientFactory instance Setting the user credential in thefactory instance Pass that factory to a service client or use that to create InvocationRequest directly
Use the client to make the actual request.
For more details refer to Invoking
LiveCycle ES Using the Java API .
A ServiceClientFactory instance once created is valid for a ceratin
period of time which is by default 120 min. if the same instance is used to invoke beyond this period then it would lead to an exception stating that
the session has expired [com.adobe.idp.um.api.impl.AuthenticationManagerImpl]
errorCode:16421 errorCodeHEX:0x4025 message:Could not validate SAML
Token --- Assertion has expired and hence not valid for user
[administrator@DefaultDom]. Its valid till time [Thu Oct 22
17:07:53 IST
2009] was found to be before the current time [Thu Oct
22 17:58:18 IST 2009]
This is not an issue if the ServiceClientFactory instance is used for short duration. However if you are going to perform a long
running task like converting large number of documents to pdf ,applying policies to them etc then it would be an issue.
Session Expiry
Before fxing the issue some info on what is session expiry.
When you use a ServiceClientFactory instance to invoke the service following fow happens
You set the credentials in the properties and invoke theservice
LiveCycle on server side validates the credentials and issues a Context. It is sort of a ticket which can be reused later instead of the actual credentials.
Upon receiving the response from the server the ServiceClientFactory instance deletes its own copy of credentials and instead stores the Context For later invocations this Context instance is passed instead of the user credentials
This whole fow is done to ensure that user's credentials are not sent for each remote call thus improving the security.
For more information on Context refer to
User Identity in LiveCycle .
Solution
To fx this issue you would have to re authenticate to LiveCycle and get the Context reissued. the best way to do that is to make use of the ThrowHandler provided by the ServiceClientFactory framework
STEP1 - Create a Throwhandler
* This ThrowHandler caches the user credentials and uses them
to refresh the Context in the
* ServiceClientFactory upon expiry.
private static class SimpleTimeoutThrowHandler implements
ThrowHandler {
private String username;
private String password;
public SimpleTimeoutThrowHandler(String username, String
password) {
this.username = username;
this.password = password;
public boolean handleThrowable(Throwable t, ServiceClient
sc,
ServiceClientFactory scf, MessageDispatcher md,
InvocationRequest ir, int numTries) throws
DSCException {
if(timeoutError(t)){
//The call to AuthenticationManager do not require
authentication so the default properties
//are suffcient
AuthenticationManager am =
new
AuthenticationManagerServiceClient(ServiceClientFactory.createInstance (getDefaultProperties()));
AuthResult ar = null;
try {
ar =
am.authenticate(username,password.getBytes());
} catch (UMException e) {
throw new IllegalStateException(e);
Context ctx = new Context();
ctx.initPrincipal(ar);
//Refresh the ServiceClientFactory instance with
the new context
scf.setContext(ctx);
logger.info("Refreshed the context associated with
ServiceCLientFactory");
//Now tell SCF to try the invocation again
return true;
//Check so that we do not wrap the exception again
if(t instanceof DSCException)
throw (DSCException)t;
if(t instanceof RuntimeException)
throw (RuntimeException)t;
// how is it possible to get this far?
throw new IllegalStateException(t);
private boolean timeoutError(Throwable t) {
if(!(t.getCause() instanceof UMException)){
return false;
UMException ue = (UMException) t.getCause();
//Check that UMException is due to the
assertion/context expiry
if(UMConstants.ErrorCodes.E_TOKEN_INVALID ==
ue.getErrCode()){
return true;
return false;
This ThrowHandler would be invoked by the ServiceClientFactory upon receiving any exception. The handler would then determine if its a timeout related exception and then would refresh the Context associated with the factory instance and tells it to retry the invocation.
STEP - 2 Register the handler
ServiceClientFactory.installThrowHandler(new
SimpleTimeoutThrowHandler(username, password));
Note: The handler should be registered only once in the application
STEP 3 - Perform your invocation
Following sample would try to apply policies on all the fles present in a directory
Properties p = getDefaultProperties();
p.setProperty(DSC_CREDENTIAL_USERNAME, username);
p.setProperty(DSC_CREDENTIAL_PASSWORD, password);
ServiceClientFactory scf =
ServiceClientFactory.createInstance(p);
//Now do some long running operation
String inputDirName ="path-to-input-dir";
String outDirName = "path-to-out-dir";
String policyName = "the-policy-name";
File inDir = new File(inputDirName);
File outDir = new File(outDirName);
RightsManagementClient rmClient = new
RightsManagementClient(scf);
DocumentManager docManager = rmClient.getDocumentManager();
//Iterate over all the pdf in the inDir and apply the
policies. If this takes a
for(File pdfFile : inDir.listFiles()){
Document inDoc = new Document(pdfFile, false);
Document securedDoc = docManager.applyPolicy(inDoc,
pdfFile.getName(), null, policyName, null, null);
securedDoc.copyToFile(new
File(outDir,pdfFile.getName()));
Now the invocation would complete even if it takes a long time. if any session expiry occurs then our ThrowHandler would take care of that.
here's a sample:
TimeOutSample.zip -
Hi I do have a basic setup installed;
when request for a webservice comes, the gateway intercepts the request, applies some security policies and passes on the request to the webservice , which inturn is intercepted by the ServerAgent and applies some security policies on the reqeust and after this once satisfied the request gets passed on to the webservice for processing.
I need to insert SaML vouches token at the gateway and get it verified at the ServerAgent so that the request for the webservice can be processed.
So could anyone of you tell me how to do this so that the required thing is accomplished.
Is there any owsm guru who can get me through this.
Thanks ManosOn the Request pipeleine template, after you do your initial security steps, you can then add Insert SAML Sender vouches token profile.
Thanks
Ram -
How to pass credentials/saml token exchange to the sharepoint web service ex:lists.asmx when sharepoint has single sign on with claims based authentication
Identity provider here is Oracle identity provider
harika kakkireniHi,
The following materials for your reference:
Consuming List.asmx on a claims based sharepoint site
http://social.technet.microsoft.com/Forums/sharepoint/en-US/f965c1ee-4017-4066-ad0f-a4f56cd0e8da/consuming-listasmx-on-a-claims-based-sharepoint-site?forum=sharepointcustomizationprevious
Sharepoint Claims based authentication and Single Sign on
http://social.technet.microsoft.com/Forums/sharepoint/en-US/2dfc1fdc-abc0-4fad-a414-302f52c1178b/sharepoint-claims-based-authentication-and-single-sign-on?forum=sharepointadminprevious
Sharepoint Claim Based Authentication Web Service issuehttp://social.msdn.microsoft.com/Forums/office/en-US/dd4cc581-863c-439f-938f-948809dd18db/sharepoint-claim-based-authentication-web-service-issue?forum=sharepointgeneralprevious
Best Regards
Dennis Guo
TechNet Community Support -
Hi All,
I have a SP2013 environment which authenticate users using ADFS 2.0 via Windows AD. We have two separate clients, Portal and Mobile. Portal users Passive Federation where as Mobile client uses Active Authentication with usernamemixed endpoint in ADFS.
I have an AD property which stores Unicode characters. In Active Authentication via Mobile, for a user who has a Unicode value in the AD property, I can get the SAML token successfully from ADFS.
Ex : <saml:AttributeValue>español</saml:AttributeValue>
However, when I post this SAML token to SharePoint _trust endpoint, I'm getting an error "500 Internal Server error". However for the same user, if I change the AD property value from "español" to "English" then I can get the FedAuth
cookie successfully from the _trust endpoint.
Also, for the same user, If I logged in via Portal which uses Passive Federation, then it's working fine.
Really appreciate your thoughts on this.
SupunHi Supun,
As you mentioned, the issue only happens in Active authentication. Would you please let me know which mobile client your users are using for the Active authentication, is it a custom one? Please be noted if you use a mobile browser, the authentication will
also be Passive.
In Passive mode authentication, STS also uses POST to pass the security token to the relaying party. I'd like to know what kind of tool you are using to post a SAML token to SharePoint endpoint as impersonation of an Active authentication. Since the Active
authentication flow is quite complex, I also suggest you to check the event log in your ADFS server, and try to find more information about the issue.
Thanks,
Reken Liu
TechNet Community Support
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
[email protected] -
Failing to Validate SAML Token : while setting WSRP security using SAML
Hi All,
I am trying to configure SAML on WLP 10.2 consumer domain along with WLS 10.2 producer domain ( extended domain to use as WSRP producer ) on single machine. I followed the steps as per the bea edocs - http://edocs.bea.com/wlp/docs92/federation/Chap-Security-SAML.html , which talks about how easy its to configure SAML with WSRP. But i am stuck at this point where the TransportException says the SAML token is not valid , stacktrace below:
Error invoking portlet "Cportlet"
The source of this error is:
*com.bea.wsrp.faults.TransportException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@1e5d6b9[status: false][msg The SAML token is not valid.] at com.bea.wsrp.faults.FaultInstanceFactory.getException(FaultInstanceFactory.java:94) at com.bea.wsrp.proxy.ProxyBase.raiseFault(ProxyBase.java:768) at com.bea.wsrp.proxy.ProxyBase.invoke(ProxyBase.java:478) at $Proxy110.getMarkup(Unknown Source) at com.bea.wsrp.consumer.markup.GetMarkupService.invoke(GetMarkupService.java:44) at com.bea.wsrp.consumer.markup.GetMarkupService.invoke(GetMarkupService.java:27) at com.bea.wsrp.consumer.markup.AbstractMarkupService.invoke(AbstractMarkupService.java:85) at com.bea.wsrp.consumer.markup.AbstractMarkupService.invoke(AbstractMarkupService.java:68) at com.bea.wsrp.consumer.markup.AbstractMarkupService.invoke(AbstractMarkupService.java:61) at com.bea.wsrp.consumer.markup.MarkupServicesFacade.invoke(MarkupServicesFacade.java:44) at com.bea.wsrp.consumer.controls.ProxyPortletContent.invokeGetMarkup(ProxyPortletContent.java:664) at com.bea.wsrp.consumer.controls.ProxyPortletContent.beginRender(ProxyPortletContent.java:316) at com.bea.netuix.servlets.controls.application.laf.ContentControlRenderer.beginRender(ContentControlRenderer.java:48) at com.bea.netuix.nf.ControlLifecycle$7.visit(ControlLifecycle.java:481) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:518) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529) at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:220) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:352) at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:326) at com.bea.netuix.nf.UIControl.render(UIControl.java:582) at com.bea.netuix.servlets.controls.PresentationContext.render(PresentationContext.java:486) at com.bea.netuix.servlets.util.RenderToolkit.renderChild(RenderToolkit.java:146) at com.bea.netuix.servlets.jsp.taglib.skeleton.Child.doTag(Child.java:63) at jsp_servlet._framework._skeletons._bighorn.__flowlayout._jspService(__flowlayout.java:192) at weblogic.servlet.jsp.JspBase.service(JspBase.java:34) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:175) at weblogic.servlet.internal.RequestDispatcherImpl.invokeServlet(RequestDispatcherImpl.java:528) at weblogic.servlet.internal.RequestDispatcherImpl.include(RequestDispatcherImpl.java:454) at com.bea.netuix.servlets.controls.application.laf.JspTools.renderJsp(JspTools.java:130) at com.bea.netuix.servlets.controls.application.laf.JspControlRenderer.beginRender(JspControlRenderer.java:72) at com.bea.netuix.servlets.controls.application.laf.PresentationControlRenderer.beginRender(PresentationControlRenderer.java:65) at com.bea.netuix.nf.ControlLifecycle$7.visit(ControlLifecycle.java:481) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:518) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529) at com.bea.netuix.nf.ControlTreeWalker.walkRecursiveRender(ControlTreeWalker.java:529) at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:220) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:395) at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361) at com.bea.netuix.nf.Lifecycle.runOutbound(Lifecycle.java:208) at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:162) at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:388) at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:258) at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:199) at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:251) at com.bea.netuix.servlets.manager.PortalServlet.service(PortalServlet.java:686) at javax.servlet.http.HttpServlet.service(HttpServlet.java:820) at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:226) at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:124) at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283) at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42) at com.bea.portal.tools.servlet.http.HttpContextFilter.doFilter(HttpContextFilter.java:60) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42) at com.bea.p13n.servlets.PortalServletFilter.doFilter(PortalServletFilter.java:336) at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42) at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3393) at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321) at weblogic.security.service.SecurityManager.runAs(Unknown Source) at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2140) at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2046) at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1366) at weblogic.work.ExecuteThread.execute(ExecuteThread.java:200) at weblogic.work.ExecuteThread.run(ExecuteThread.java:172)*
Have tried a lot of different things but no luck proceeding further. Configured all the producer domain as per the link mentioned above., reconfigured the consumer again. Also tested by crearting a new keystore, but all this does not help me proceed further.
Any help is greatly appreciated.
Thanks in Advance.
MauryaI am also facing the same kind of issue. see the error message below. Please help me to kill this error.
\com.bea.wsrp.faults.TransportException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@1423066[status: false][msg The SAML token is not valid.]
at com.bea.wsrp.proxy.ProxyBase.raiseFault(ProxyBase.java:578)
at com.bea.wsrp.proxy.ProxyBase.invoke(ProxyBase.java:464)
at $Proxy118.getServiceDescription(Unknown Source)
at com.bea.wsrp.client.ProducerAgentImpl.getServiceDescription(ProducerAgentImpl.java:93)
at com.bea.wsrp.client.ProducerAgentImpl.getServiceDescription(ProducerAgentImpl.java:55)
at com.bea.jsptools.portal.helpers.wsrp.ProducerRegistryControlImpl.getServiceDescription(ProducerRegistryControlImpl.java:205)
at com.bea.jsptools.portal.helpers.wsrp.ProducerRegistryControlBean.getServiceDescription(ProducerRegistryControlBean.java:133)
at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper.getProducerForWsdl(AddProducerHelper.java:704)
at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper.access$100(AddProducerHelper.java:61)
at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper$FindProducers.producerWsdl(AddProducerHelper.java:249)
at com.bea.jsptools.portal.helpers.wsrp.AddProducerHelper$FindProducers.run(AddProducerHelper.java:235)
at portalTools.definitions.portletProducers.wizard.AddProducerWizardController.runAction(AddProducerWizardController.java:566)
at portalTools.definitions.portletProducers.wizard.AddProducerWizardController.doIfValid(AddProducerWizardController.java:542)
at portalTools.definitions.portletProducers.wizard.AddProducerWizardController.selectProducerAction(AddProducerWizardController.java:172)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.beehive.netui.pageflow.FlowController.invokeActionMethod(FlowController.java:878)
at org.apache.beehive.netui.pageflow.FlowController.getActionMethodForward(FlowController.java:808)
at org.apache.beehive.netui.pageflow.FlowController.internalExecute(FlowController.java:477)
at org.apache.beehive.netui.pageflow.PageFlowController.internalExecute(PageFlowController.java:305)
at org.apache.beehive.netui.pageflow.FlowController.execute(FlowController.java:335)
at org.apache.beehive.netui.pageflow.internal.FlowControllerAction.execute(FlowControllerAction.java:51)
at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:419)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.access$201(PageFlowRequestProcessor.java:95)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor$ActionRunner.execute(PageFlowRequestProcessor.java:2042)
at org.apache.beehive.netui.pageflow.interceptor.action.internal.ActionInterceptors.wrapAction(ActionInterceptors.java:90)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processActionPerform(PageFlowRequestProcessor.java:2114)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:224)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.processInternal(PageFlowRequestProcessor.java:554)
at org.apache.beehive.netui.pageflow.PageFlowRequestProcessor.process(PageFlowRequestProcessor.java:851)
at org.apache.beehive.netui.pageflow.AutoRegisterActionServlet.process(AutoRegisterActionServlet.java:630)
at org.apache.beehive.netui.pageflow.PageFlowActionServlet.process(PageFlowActionServlet.java:157)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:414)
at org.apache.beehive.netui.pageflow.PageFlowUtils.strutsLookup(PageFlowUtils.java:1169)
at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.executeAction(ScopedContentCommonSupport.java:688)
at com.bea.portlet.adapter.scopedcontent.ScopedContentCommonSupport.processActionInternal(ScopedContentCommonSupport.java:144)
at com.bea.portlet.adapter.scopedcontent.PageFlowStubImpl.processAction(PageFlowStubImpl.java:107)
at com.bea.portlet.adapter.NetuiActionHandler.raiseScopedAction(NetuiActionHandler.java:99)
at com.bea.netuix.servlets.controls.content.NetuiContent.raiseScopedAction(NetuiContent.java:180)
at com.bea.netuix.servlets.controls.content.NetuiContent.raiseScopedAction(NetuiContent.java:168)
at com.bea.netuix.servlets.controls.content.NetuiContent.handlePostbackData(NetuiContent.java:222)
at com.bea.netuix.nf.ControlLifecycle$2.visit(ControlLifecycle.java:178)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:351)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walkRecursive(ControlTreeWalker.java:361)
at com.bea.netuix.nf.ControlTreeWalker.walk(ControlTreeWalker.java:128)
at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:361)
at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:339)
at com.bea.netuix.nf.Lifecycle.processLifecycles(Lifecycle.java:330)
at com.bea.netuix.nf.Lifecycle.runInbound(Lifecycle.java:162)
at com.bea.netuix.nf.Lifecycle.run(Lifecycle.java:137)
at com.bea.netuix.servlets.manager.UIServlet.runLifecycle(UIServlet.java:370)
at com.bea.netuix.servlets.manager.UIServlet.doPost(UIServlet.java:229)
at com.bea.netuix.servlets.manager.UIServlet.service(UIServlet.java:183)
at com.bea.netuix.servlets.manager.SingleFileServlet.service(SingleFileServlet.java:221)
at com.bea.netuix.servlets.manager.PortalServlet.service(PortalServlet.java:600)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:223)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:283)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
at com.bea.jsptools.servlet.PagedResultServiceFilter.doFilter(PagedResultServiceFilter.java:82)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
at com.bea.p13n.servlets.PortalServletFilter.doFilter(PortalServletFilter.java:251)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:42)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3243)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2003)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:1909)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1359)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:181) -
Getting Invalid SAML token error while trying to access wls9.2 webservice
Hi,
I am using wss4j at the client side as SAML token issuer to add saml assertion to the soap envelop whose target is a webservice deployed in a aqua logic service bus 2.6. But at the server side i.e wls9.2, i am getting following exception
weblogic.xml.crypto.wss.SecurityTokenValidateResult@326f6a[status: false][msg The SAML token is not valid.]</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>
weblogic.xml.crypto.wss.WSSecurityException: Security token failed to validate. weblogic.xml.crypto.wss.SecurityTokenValidateResult@326f6a[status: false][msg The SAML token is not valid.]
at weblogic.xml.crypto.wss.SecurityImpl.unmarshalAndProcessSecurityToken(SecurityImpl.java:476)
at weblogic.xml.crypto.wss.SecurityImpl.unmarshal(SecurityImpl.java:392)
This error seems to be coming during unmarshalling of soap envelop which is run before request goes to SAML Identity Assertion provider V1. Certificates are properly configured at both client and server side so it seems that generated SAML assertion is not compliant with weblogic 9.2 unmarshalling process.
Has anyone got any solution for this problem. I am not exactly looking for full SSO configuration at the weblogic side so I have not set any credential mapper (which is also a saml issuer). Nor have i done any setting related with SSO on weblogic.
Any idea will really be helpful in this regard.
Thanks.In what version of Oracle?
I see a couple of problems assuming you are working with a currently supported version:
1. Never grant CONNECT to anyone: Ever. Grant CREATE SESSION.
2. GRANT CREATE TABLE to AQ;
Go to Morgan's Library at www.psoug.org and look at AQ Demo 1. You should have no problem cutting and pasting your way to where you are trying to go. -
Propogating SAML tokens from OSB to BPEL and the reverse
Hi
Is there a way to propogate SAML tokens from OSB to BPEL and vise-versa. There are lots of references on using OWSM policies. Can I achieve passing tokens and asserting without them?
Thanks
SumanStarting from 11gR1 (11.1.1.3) Release, we have new feature to start transaction. OSB proxy can be configured to start a transaction.Refer to message flow transaction http://download.oracle.com/docs/cd/E14571_01/relnotes.1111/e10132/osb.htm#CJACHEHJ
So with this feature, all we need a create a proxy say HTTP and enable this feature. OSB will start a transaction before your pipeline is invoked. Let me know if you need clarification.
Manoj
Edited by: Manoj Neelapu on Jun 22, 2010 8:39 AM
Edited by: Manoj Neelapu on Jun 22, 2010 8:39 AM -
Problems with JAX-WS when using security (e.g. username token profile)
Hello,
I am deploying a web service on weblogic 11g (10.3.1) with this policy:
@Policy(uri = "policy:Wssp1.2-2007-Https-UsernameToken-Plain.xml",attachToWsdl=true)
I have another web application as client which is using a JAX-WS SOAP handler to communicate with web service
and everything works fine when my client is deployed on tomcat 6 (JRE 6) (anthentication goes through)
The handleMessage() method of my handler is posted here :
public boolean handleMessage(SOAPMessageContext context) {
m_logger.debug("UserNameTokenHandler handleMessage() called");
Boolean outboundProperty = (Boolean) context.get (MessageContext.MESSAGE_OUTBOUND_PROPERTY);
SOAPMessage message =context.getMessage();
if (outboundProperty.booleanValue()) {
m_logger.debug("\n (client protocol handler) Outbound message:");
try {
SOAPEnvelope envelope = context.getMessage().getSOAPPart().getEnvelope();
SOAPHeader header = envelope.getHeader();
if (header == null ) {
header = envelope.addHeader();
SOAPElement security = header.addChildElement("Security", "wsse", WSSE_NAMESPACE);
SOAPElement usernameToken = security.addChildElement("UsernameToken", "wsse");
usernameToken.addAttribute(new QName("xmlns:wsu"), WSU_NAMESPACE);
SOAPElement username = usernameToken.addChildElement("Username", "wsse");
username.addTextNode(user);
SOAPElement password = usernameToken.addChildElement("Password", "wsse");
password.addTextNode(pass);
} catch (Exception e) {
m_logger.error("Failed to add username token profile security", e);
} else {
m_logger.debug("\n (client protocol handler) Inbound message:");
return true;
but when I deploy the same client on weblogic server it fails to communicate with my web service with this error:
javax.xml.ws.soap.SOAPFaultException: Unable to add security token for identity, token uri =http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken
I noticed Weblogic has some packages to handle security like:
weblogic.wsee.security.unt.ClientUNTCredentialProvider
weblogic.xml.crypto.wss.provider.CredentialProvider
weblogic.xml.crypto.wss.WSSecurityContext
So I added another mechanism using weblogic package to add username password to SOAP header
Map<String, Object> request = ((BindingProvider) proxy).getRequestContext();
if (connectInfo.get("username") != null && connectInfo.get("password") != null) {
List<CredentialProvider> credProviders = new ArrayList<CredentialProvider>();
//client side UsernameToken credential provider
CredentialProvider cp = new ClientUNTCredentialProvider((String)connectInfo.get("username"),
(String)connectInfo.get("password"));
credProviders.add(cp);
request.put(WSSecurityContext.CREDENTIAL_PROVIDER_LIST, credProviders);
This seems to be ok but only for weblogic.
I don't want to have one client for deploying on weblogic and another one for JAX-WS
I suppose weblogic follows the standard and should support the original approach.
Is this an incompatibly issue or am i missing somethingIn one of WLP Pageflows, I invoke a SOA BPEL WebService that needs Security Header like the way you have. I have my own Handler class and I call the below private method in handleMessage(...) and so far it is working fine. Security Header is adding fine.
One difference I could see in your method and my method is when we create SOAPElement for "Security" Tag, at the time of creation itself, I pass the third argument also that is the namespace. I remember vaguely, when I used code like yours, like first instantiate with only 2 args. Then set the namespace. It did not work. So I used the API, that takes the namespace as third argument.
So try something like below. This is a working code snipped deployed on WLP 10.3 (WLP is on top of WLS 10.3).
Thanks
Ravi Jegga
private void setSOAPSecurityHeader(SOAPEnvelope soapEnvelope) throws Exception {
try {
//soapEnvelope.addNamespaceDeclaration("soap", "http://schemas.xmlsoap.org/soap/envelope/");
soapEnvelope.addNamespaceDeclaration("wsu", "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd");
SOAPHeader header = soapEnvelope.addHeader();
String namespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
SOAPElement securityElement = header.addHeaderElement(soapEnvelope.createName("Security", "wsse", namespace));
securityElement.addNamespaceDeclaration("", namespace);
//securityElement.addNamespaceDeclaration("env", "http://schemas.xmlsoap.org/soap/envelope/");
SOAPElement usernameTokenElement = securityElement.addChildElement(soapEnvelope.createName("UsernameToken", "wsse", namespace));
usernameTokenElement.addNamespaceDeclaration("", namespace);
SOAPElement usernameElement = usernameTokenElement.addChildElement(soapEnvelope.createName("Username"));
SOAPElement passwordElement = usernameTokenElement.addChildElement(soapEnvelope.createName("Password"));
// For Testing Purposes only hardcoded this username and password values. Later on this may be set dynamically
usernameElement.setValue("xxxxxxx");
passwordElement.setValue("yyyyyyy");
//SOAPBody soapBody = soapEnvelope.getBody();
//SOAPHeader soapHeader = soapEnvelope.getHeader();
} catch (Exception e) {
// Handle This error in the main method that is calling this private method. So just return the Exception as it is...
throw e;
} -
Step-by-step Configuration of weblogic 9 as SAML token generator
Hi all,
Is there a online help where i can find a step by step guide to configure weblogic 9 as SAML token Source site?
http://e-docs.bea.com/wls/docs91/secmanage/saml.html
and http://e-docs.bea.com/wls/docs91/secintro/concepts.html and http://e-docs.bea.com/wls/docs91/secintro/archtect.html didnt help me much. It didnt explain the meaning of all the input fields in the admin console which are needed to configure weblogic as saml token generator.
PeaceI'm having the same issues - have you figured this out or received assistance?
Maybe you are looking for
-
How to get the index of the word at current cursor position in the word?
Dear All I am implementing a spell checker of my native language in Word. Whenever I run spell checker it start from the first word. How can I make it to start from the current cursor position? How can I get the index of the word at the current curso
-
P4N Diamond (blackscreen boot bios?)
I just put together a brand new comp. All parts are new. -P4N Diamond MB -650W powersupplu -1gb Corsair XMS2 6400 (800mhz) -WD Raptor 74gig SATA 10000rpm -EVGA 7800 GTX -Pentium D 830 Me and my friend put it all together and then connected everythin
-
I am using Encore CS4 to create my DVD layout of a homemovie. The songs I am using for the DVD menus are skipping. These songs DO NOT skip on my computer when I listen to them with Windows Media Player or Media Monkey. The same songs DO NOT skip when
-
see above ?
-
Hi, I have installed and configured RDS 2012 on a test lab setup, created a W7 gold image in a Hyper v 2012 R2. Sysprep it but when I go to create virtual desktop collection I can not find the find the template in the virtual desktop template. Colle