Sign Tokens according to OASIS specification
Hi all,
Can someone help me with this - how to sign binary token reference according to part "8.3 Signing Tokens" in the http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf specification?
According to the specification the request should look like this:
<wsse:SecurityTokenReference wsu:Id="Str1">
</wsse:SecurityTokenReference>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig #">
<ds:SignedInfo>
<ds:Reference URI="#Str1">
<ds:Transforms>
<ds:Transform Algorithm="...#STR-Transform">
<wsse:TransformationParameters>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
</wsse:TransformationParameters>
</ds:Transform>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>...</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue></ds:SignatureValue>
</ds:Signature>
Is this possible to be done with WSS4J and how (or any other tool)?
Any examples of such requests or code which creates them?
Thanks,
Ivo
In JWSDP 1.6/2.0 look at the sample configuration files under api-sample
<JWSDP-Install-DIR>/xws-security/samples/api-sample/config.
The signature target element under the sign configuration element would look
something like this.
<xwss:SignatureTarget enforce="true" type="uri" value="#22">
<xwss:Transform algorithm="http://docs.oasis-open.org/wss/2004/0
1/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
<xwss:AlgorithmParameter name="CanonicalizationMethod" value
="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</xwss:Transform>
</xwss:SignatureTarget>
HTH
Venu
Similar Messages
-
How to create an online program according to the specification mentioned be
Create an online program according to the specifications mentioned below.
Initial screen: 9000
Screen 9000: next screen = 9001
As you are creating this online program, try to identify each component you are creating: radio buttons, check boxes, frames, and pushbuttons.
The u201CInstructoru201D input/output template should be 30-length character field. The u201CEvaluationu201D input/output template should be a scrollable field with a defined length of 60 characters and a visible length of 30 characters. The u2018Submit Evaluationu2019 pushbutton should have an icon and be assigned the function code u201CEVALu201D. The radio button group should have only one selected as shown in screen below.There must be something fundamentally wrong with you.
Previous posts by have been blocked yet you still continue to post nonsense. I suspect this time round though your account will be deleted.
Calling all moderators! Show this guy the door please and not to return. -
Restriction of Time-dependent data (Cost Center) according to a specific role
Dear experts,
Has some one of you implemented a functionality to restrict Time-dependent data (for example, Cost Center) edition, according to a specific role assigned to an End user?
I imagine it is possible, but we should develop an User-exit in order to get this goal.
Let your comments here if possible, so that I can argue with my End user. I will try to give you points if you help me with this query.
Thanks & Kind Regards,
Daniel.Hello All!
We have talked to Authorizations specialist and he indicated a customizing transaction in FI-AA module called ANSICHT (IMG -> Financial Accounting -> Asset Accounting -> Preparing for Production Startup -> Authorization Management -> Process Asset Views). In this customizing, it is possible to edit an existing asset view and turn on/off fields according to the company needs.
Afterwards, you should request some adjustment in the roles that contain the A_A_VIEW authorization object.
I am considering this question as "assumed answered'.
Regards,
Daniel -
I'v posted this thread in the [SOA Suite forum|http://forums.oracle.com/forums/thread.jspa?threadID=912083&tstart=0] in the first place, but maybe this forum is a better places, for this question.
We're experiencing a lot of inconveniences using the "SAML - Verify WSS 1.0 Token" validation step in WSM. We've configured the SAML verifier to "allow signed assertions only" in order to achieve our security goals. Before a client is allowed access to a protected web service, the client must request an identity provider to get a signed saml assertion and attach this security token to the web service security header. In order to access the protected web services we'll like to use WSM to verify that the saml assertion:
1. Is issued by a specific identity provider (no problem)
2. That the conditions in the assertion is valid (no problem)
3. That the assertion i signed by a trusted certificate (problem)
4. That the signature of the assertion is valid in proportion to the signed context of the assertion (problem)
The inconveniences starts when we expect that the "SAML - Verify WSS 1.0 Token" validation step, validates the signatures of the assertion, before using it. But it seems, that this isn't the purpose of the verifier. When the saml token verifier is configured with "allow signed assertions only", then the client receives a "SAML token verification failed". This seems reasonably, but if we just add an empty ds:Signature element inside the wsse:Security element, then the client is granted access:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<ds:Signature Id="Signature-11551252" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"></ds:Signature>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" MajorVersion="1" MinorVersion="1" AssertionID="nakbhwl3Qz8mPC00cL1bUg22" Issuer="https://credentials.com/idp" IssueInstant="2009-06-09T11:05:40Z">
</saml:Assertion>
</wsse:Security>
I find this behavior very strange. Also, if i do some manual changes in the saml assertion issued and signed by the identity provider, this is allowed too, even though the signature is invalidated. Event if I remove the ds:Signature from the assertion, but keeps the empty ds:Signature below the wsse:Security element, the client is granted access.
In the documentation of the "SAML - Verify WSS 1.0 Token", i found this quotation:
"Verifies the SAML token according to the Web Services Security SAML Token Profile 1.0 (WSS STP 1.0) standard."
But I don't find this statement true. Our assertions is issued with confirmation method "sender-voches":
<saml:SubjectConfirmation>
<saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml:ConfirmationMethod>
</saml:SubjectConfirmation>
I interpret the spec as, a receiver MUST NOT accept assertions containing a "sender-vouches" confirmation method unless the assertions and soap message content being vouches for are protected by an attesting entity who is trusted by the receiver. This is absolute not the case in our tests. The assertion isn't protected at all. The empty ds:Signature element in the wsse:Security element doesn't protect any thing and even when we totally remove the ds:Signature tag in the assertion, we're granted access.
It seems like the purpose of the "SAML - Verify WSS 1.0 Token" step isn't to validate the confidentiality of the saml assertions and only grant access if the saml assertions is correct. It is possible to freely change the tokens and then be granted access. I think we need some more steps in WSM before the saml validation step, but I don't know which.
We'll like to know if any one knows how to use this "SAML - Verify WSS 1.0 Token" step, to achieve a secure access to protected service. Do we need some pre/post step to achieve a satisfying level of security, do we need to make our own custom step or just used another security product?
Regard
Jacob
Edited by: wmjaboj on 2009-06-10 01:42hi jacob
looks like you have successfully configured the client side ; I am struggling in that itself. I am calling a secure web-service and I want to use saml token profile 1.1. I am using wls 10.3 and I am getting an error Unable to add signature .
Can you help me with the configuration at the client side ?
Thanks
Regards
Sanyam -
Signing a soap message seems to not work in jwsdp14
I'm trying to sign a soap message according to the latest oasis specifications (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf) using the libraries provided with jwsdp14 (mainly xmlsec.jar).
As far as I know, there is not yet documention/example about this specific issue.
The following is the code I have to sign a soap message: it seems to work fine because the signed soap message respects the above specifications... but what I notice is that the digest and the signature values it contains are always the same, I mean: if i change the source soap message, the signed soap message in output is always the same!
Any clue??
import com.sun.org.apache.xml.security.Init;
import com.sun.org.apache.xml.security.signature.XMLSignature;
import com.sun.org.apache.xml.security.transforms.Transforms;
import com.sun.org.apache.xml.security.utils.Constants;
import com.sun.xml.wss.*;
import com.sun.xml.wss.reference.DirectReference;
import org.w3c.dom.Document;
import javax.xml.soap.SOAPHeader;
import javax.xml.soap.SOAPMessage;
import javax.xml.soap.SOAPBody;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
public class Main {
public static void main(String[] args) {
// The file from which we will load the sample SOAP message
String fileName = "F:\\SampleSoapMessage.xml";
// Store the WSSE signed message here
String signatureFileName = "F:\\SignedSampleSoapMessage.xml";
try {
// Initialize the apache libraries
Init.init();
// Obtain security elements from the keystore
PrivateKey privateKey = MySecurityUtils.getPrivateKey();
X509Certificate cert = MySecurityUtils.getCertificate();
// Obtain a sample SOAPMessage from a file
FileInputStream fis = new FileInputStream(new File(fileName));
Document doc = XMLUtil.toDOMDocument(fis);
SOAPMessage message = MyFileUtils.getMessageFromFile(doc);
SOAPHeader header = message.getSOAPHeader();
SOAPBody body = message.getSOAPBody();
// Set the wsu:Id attribute to the Body
XMLUtil.setWsuIdAttr(body, "MyId");
// Create a WSSE context for the SOAP message
SecurableSoapMessage sssm = new SecurableSoapMessage(message);
// Create a security header for the message (<wsse:Security>)
SecurityHeader sh = sssm.findOrCreateSecurityHeader();
// Insert the certificate (<wsse:BinarySecurityToken>)
X509SecurityToken stoken = new X509SecurityToken(header.getOwnerDocument(), cert, "X509TokenRef");
sh.insertHeaderBlock(stoken);
// Insert the keyinfo referring to the certificate (<ds:KeyInfo>)
KeyInfoHeaderBlock kihb = new KeyInfoHeaderBlock(header.getOwnerDocument());
SecurityTokenReference secTR = new SecurityTokenReference(header.getOwnerDocument());
DirectReference dirRef = new DirectReference();
dirRef.setURI("#X509TokenRef");
secTR.setReference(dirRef);
kihb.addSecurityTokenReference(secTR);
//sh.insertHeaderBlock(kihb);
// Insert the Signature block (<ds:Signature>)
SignatureHeaderBlock shb = new SignatureHeaderBlock(header.getOwnerDocument(), XMLSignature.ALGO_ID_SIGNATURE_RSA);
Transforms transforms = new Transforms(header.getOwnerDocument());
transforms.addTransform(Transforms.TRANSFORM_C14N_EXCL_OMIT_COMMENTS);
shb.addSignedInfoReference("#MyId", transforms, Constants.ALGO_ID_DIGEST_SHA1);
shb.addChildElement(kihb.getAsSoapElement());
sh.insertHeaderBlock(shb);
// Digest all References (#MyId) in the SignedInfo, calculate the signature value
// and set it in the SignatureValue Element
shb.sign(privateKey);
// Add the signature data to the header element
header.addChildElement(sh.getAsSoapElement());
// Save the signed SOAP message
FileOutputStream fos = new FileOutputStream(new File(signatureFileName));
message.writeTo(fos);
message.writeTo(System.out);
} catch (Exception exc) {
exc.printStackTrace();
System.out.println("An error has occurred : " + exc.toString());
PS: Classes MySecurityUtils and MyFileUtils are not included since they have nothing interesting.
The sample input sopa message is:
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<Intestazione>
</Intestazione>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
and the output signed sample message is:
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
<SOAP-ENV:Header>
<wsse:Security SOAP-ENV:mustUnderstand="1" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#MyId">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>2jmj7l5rSw0yVb/vlWAYkK/YBwk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
YdKNSPWnx630AYeZ6AXVco1b0RMo8C3WWbziq7C009gg4nhknEZmH0ds78y328SgAlAAVR6Swwok
HE3OWgL8TZ1Ks0IimmmDd8/XIb2KlfiqnUNtTjGjUn9FLQEv/CMbmrCr7EO9rf/N+0cyAyGzrKo5
ieEQhtZy9uZAKh2mrmM=
</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="#X509TokenRef"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo></ds:Signature><wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="X509TokenRef">MIIDITCCAsugAwIBAgIQIdu5EMFuQntM5IBOMeFcETANBgkqhkiG9w0BAQUFADCBqTEWMBQGA1UE
ChMNVmVyaVNpZ24sIEluYzFHMEUGA1UECxM+d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1Rl
c3RDUFMgSW5jb3JwLiBCeSBSZWYuIExpYWIuIExURC4xRjBEBgNVBAsTPUZvciBWZXJpU2lnbiBh
dXRob3JpemVkIHRlc3Rpbmcgb25seS4gTm8gYXNzdXJhbmNlcyAoQylWUzE5OTcwHhcNMDQwODA1
MDAwMDAwWhcNMDQwODE5MjM1OTU5WjBhMQswCQYDVQQGEwJJVDENMAsGA1UECBMEUk9NQTENMAsG
A1UEBxQEcm9tYTEOMAwGA1UEChQFaXNzcGExDjAMBgNVBAsUBWNoaWVmMRQwEgYDVQQDFAt3d3cu
dGVzdC5pdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAtIsomDk9VthgMorPmG0dAwqLtTBi
U69liwopwrnAbtzIiO56R9yh4tXvG9+QWtEFRcDHVwWi9YdaHQFCvjymnNYDUHkpJsWp11nIAfOA
k+d9v1YDje4S6oba7tsIJSEkUu7LQ888Q3cGt/KUaEu6b0lZJ5zY9slK0onUPeTB3e8CAwEAAaOB
0TCBzjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDBCBgNVHR8EOzA5MDegNaAzhjFodHRwOi8vY3Js
LnZlcmlzaWduLmNvbS9TZWN1cmVTZXJ2ZXJUZXN0aW5nQ0EuY3JsMFEGA1UdIARKMEgwRgYKYIZI
AYb4RQEHFTA4MDYGCCsGAQUFBwIBFipodHRwOi8vd3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5
L1Rlc3RDUFMwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA0EA
Y66OqTOpHcpNUPlD4A38s8bPIIjrf+C+Wv08lUj+DGN5pm+gBWdbWEGaQmqU8fPPtGrQnHz2NAUr
ZmLaEw/qKw==</wsse:BinarySecurityToken></wsse:Security></SOAP-ENV:Header>
<SOAP-ENV:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="MyId">
<aTag>
<aChild>a value</aChild>
</aTag>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
NOTE: Check the value of <ds:SignatureValue> and <ds:DigestValue>: they never change even if I change the body of the source message.Quoting Farrukh's reply to this question on java.net -
I can share some examples of how I have used JWSDP 1.4 and XML DSIG API to sign and verify a "standalone" soap message with and without mime attachments.
Please see the following Utility class written for the freebXML Registry project [1] for an example of how to do what you seek:
http://cvs.sourceforge.net/viewcvs.py/ebxmlrr/omar/src/java/org/freebxml/omar/common/security/SecurityUtil.java?view=markup
See methods signSOAPMessage(...), signPayload(...), verifySOAPMessage(...) and verifyPayloadSignature(...)
What you are trying to do is definitely doable and has been done with JWSDP 1.4. In my experience XML DSIG API met my needs very well.
Best of luck.
[1] freebXML Registry Project:
http://ebxmlrr.sourceforge.net
--------------------------------------------------------------------------------- -
Single Sign-on with Multiple Servlets and JSPs
I am in the midst of attempting to logically tie together a number of our
web applications under a single sign-on "umbrella". What we want is the
following: for any n applications a user may have access rights for up to n
of them. Once signed in, she has rights to visit any app to which she has
permissions as long as her session is valid. Unfortunately, I'm having
trouble seeing how to make this work given the documentation that I have.
I've read thru the newsgroup in search of a solution, but I haven't seen
anything geared toward this specific approach.
Currently, each "application" (servlet) has a list of valid users via ACLs
(we've implemented a RealmExtender, so we're not going via props file
entries), and we let the browser pop-up window enforce the sign-on. This
has worked exactly as we wish (single sign-on, etc.), for testing, but we'd
really rather have our own form-based sign-on for production.
To that end, we've done the following:
1) implemented a JSP form-based sign-on (basically ripped off from the
example provided by BEA), which does a "ServletAuthentication.weak()" check
to confirm identity.
2) placed the following code (essentially) within the service() method of
our servlet superclass, which I thought would force another check. My
intention is to disallow the user from "jumping into" an app thru a
shortcut, and thereby bypassing security.
HttpSession session = request.getSession(true);
if (session.isNew()) {
response.sendRedirect(welcomeURL);
However, we can't get the form-based approach to mimic the functionality of
the default browser pop-up: the sign-in doesn't seem to "follow" the user
the way it did with the pop-up. Instead, when I come in thru our login
page, the browser pop-up is still appearing when I click the link for an
app for which to which I have permissions.
Is the default browser pop-up doing something different that I should know
about? Seems like this should be simple to do, but it's surprisingly subtle
(or maybe I'm just clueless).
TIA
Well, if you want to hear my personal opinion:
better stick to the cookie specification (http://wp.netscape.com/newsref/std/cookie_spec.html) and accept the constraint that cookies will only be send to domains that tail-match the domain-constraint specified in the set-cookie http response.
Although this specification is not an official internet standard most browsers are implementing the cookie mechanism according to this specification.
Unfortenately there's no option to specify that a cookie should be send to a list of servers and/or sub-domains.
However one physical server can have multiple (FQDN) hostnames. So if you intend to send the cookie to a group of servers the best approach is to create a new (DNS) (sub-)domain exclusively for those servers.
Theoretically (and also practically) it is possible to set cookies for multiple domains (by using a webservice that will set cookies on request of a caller). But that approach is dangerous:
(1) not the server but the http client is defining the content of the cookie (= part of the http server response)
(2) (unintended) many servers can obtain the cookie which will be send to all servers that reside in all (tail-matching sub-)domains; although most likely only one or two servers of each domain are intended recipients
Regards, Wolfgang -
Invalid security error when invoking secure webservice using SAML tokens
I have deployed a JAX-WS webservice using a stateless session bean to wl 10.3.2 that uses a custom policy. The service deploys fine, but weblogic returns an HTTP error 500 with a SOAP fault. The fault states wsse:InvalidSecurity. The webservice security policy reqires SAML holder of key assertions and attributes. I have tried everything from running weblogic with Metro 1.5 to configuring SAML Identity Asserter Providers, etc with no luck. I even tried using the built in SAML 2.0 assymetric holder of key policy. What am I doing wrong? The XML of interest is attached.
Thanks;
-Dave.
*[Sample message from client]*
<?xml version="1.0" encoding="UTF-8"?>
<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
<S:Header>
<To xmlns="http://www.w3.org/2005/08/addressing">https://localhost:7002/NHINAdapterDocQuerySecured/AdapterDocQuerySecured</To>
<Action xmlns="http://www.w3.org/2005/08/addressing">urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryRequestMessage</Action>
<ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
<Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
</ReplyTo>
<MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:fec656f8-a2be-4129-8412-34d9453e7cb2</MessageID>
<wsse:Security S:mustUnderstand="1">
<wsu:Timestamp xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" wsu:Id="_1">
<wsu:Created>2010-02-24T21:38:56Z</wsu:Created>
<wsu:Expires>2010-02-24T21:43:56Z</wsu:Expires>
</wsu:Timestamp>
<saml2:Assertion xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:xs="http://www.w3.org/2001/XMLSchema" ID="96cdfb70-91a3-4baf-9da1-3ff07d249926" IssueInstant="2010-02-24T21:38:56.671Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=SU,O=SAML User,L=Los Angeles,ST=CA,C=US</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">UID=kskagerb*DoD</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
<saml2:SubjectConfirmationData>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>iwGksKFK2ZYDxftMa093TajW7V9TwHW7NiyT6bJ2p38zBwpehwMJ1ZO9V0hFihcz/BZ2MvQ1WA1l0KhUBSR/bMiu6WmZ0bJPjvXx41ewGw5YzTL2RbT1U2XXBHtPHjbkH5jqK5zk67F/NM26v+hw0fSZiqM1BAFp9F73hMHsNrc=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</saml2:SubjectConfirmationData>
</saml2:SubjectConfirmation>
</saml2:Subject>
<saml2:AuthnStatement AuthnInstant="2009-04-16T13:15:39.000Z" SessionIndex="987">
<saml2:SubjectLocality Address="158.147.185.168" DNSName="cs.myharris.net"/>
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:subject-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Karl S Skagerberg</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">InternalTest2</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:organization-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.4.349</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:nhin:names:saml:homeCommunityId">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">2.16.840.1.113883.4.349</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:subject:role">
<saml2:AttributeValue>
<hl7:Role xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="307969004" codeSystem="2.16.840.1.113883.6.96" codeSystemName="SNOMED_CT" displayName="Public Health" xsi:type="hl7:CE"/>
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xspa:1.0:subject:purposeofuse">
<saml2:AttributeValue>
<hl7:PurposeForUse xmlns:hl7="urn:hl7-org:v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" code="TREATMENT" codeSystem="2.16.840.1.113883.3.18.7.1" codeSystemName="nhin-purpose" displayName="Use or disclosure of Psychotherapy Notes" xsi:type="hl7:CE"/>
</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="urn:oasis:names:tc:xacml:2.0:resource:resource-id">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">500000000^^^&1.1&ISO</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<saml2:AuthzDecisionStatement Decision="Permit" Resource="https://158.147.185.168:8181/SamlReceiveService/SamlProcessWS">
<saml2:Action Namespace="urn:nhin:names:hl7:rbac:4.00:operation">EXECUTE</saml2:Action>
<saml2:Evidence>
<saml2:Assertion ID="40df7c0a-ff3e-4b26-baeb-f2910f6d05a9" IssueInstant="2009-04-16T13:10:39.093Z" Version="2.0">
<saml2:Issuer Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=SAML User,OU=Harris,O=HITS,L=Melbourne,ST=FL,C=US</saml2:Issuer>
<saml2:Conditions NotBefore="2009-04-16T13:10:39.093Z" NotOnOrAfter="2010-12-31T12:00:00.000Z"/>
<saml2:AttributeStatement>
<saml2:Attribute Name="AccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Claim-Ref-1234</saml2:AttributeValue>
</saml2:Attribute>
<saml2:Attribute Name="InstanceAccessConsentPolicy" NameFormat="http://www.hhs.gov/healthit/nhin">
<saml2:AttributeValue xmlns:ns6="http://www.w3.org/2001/XMLSchema-instance" xmlns:ns7="http://www.w3.org/2001/XMLSchema" ns6:type="ns7:string">Claim-Instance-1</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
</saml2:Assertion>
</saml2:Evidence>
</saml2:AuthzDecisionStatement>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#96cdfb70-91a3-4baf-9da1-3ff07d249926">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>VnukKqb4Bt1KWDKfy8SDfk1Hp2s=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>DUwjh/H3XSfUG250rTlLdihstDXY1+qkY9GaY81Iu7Ag4MgoGvGBrGjZOJ7YnssPdrqUGiURxf6k
IBH7vaeXk24XvXP3F85WP9nBm+2M4BvGTplgOmAo0yuwze+90FvwILzFNmmX/tvy3QKTDHlh1rEx
/Jqfm6q/56WW1suAbRY=</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>iwGksKFK2ZYDxftMa093TajW7V9TwHW7NiyT6bJ2p38zBwpehwMJ1ZO9V0hFihcz/BZ2MvQ1WA1l
0KhUBSR/bMiu6WmZ0bJPjvXx41ewGw5YzTL2RbT1U2XXBHtPHjbkH5jqK5zk67F/NM26v+hw0fSZ
iqM1BAFp9F73hMHsNrc=</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</saml2:Assertion>
<ds:Signature xmlns:ns17="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns16="http://www.w3.org/2003/05/soap-envelope" Id="_2">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsse S"/>
</ds:CanonicalizationMethod>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_1">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
<exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
</ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>oo99UrPhAcwla4Qbkdd9jAPn0cE=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>ds4vqts8uCdJcNGo0uTPzId5UBX+GVrdztQPv823c1Zy9ZZGSfQC/GsBPM/EMbFInDPFsyT4e1QYZMCzmqLYnifWHlDQJb7oMJBokafavAqZda1B55Zzh3TSm6BqKWtB/DX17d6rLx/HPiLNZ9qsBfuGn3aTlUCpNsYA8ObBtp8=</ds:SignatureValue>
<ds:KeyInfo>
<wsse:SecurityTokenReference wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
<wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">96cdfb70-91a3-4baf-9da1-3ff07d249926</wsse:KeyIdentifier>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</S:Header>
<S:Body>
<ns3:AdhocQueryRequest xmlns:ns2="urn:gov:hhs:fha:nhinc:gateway:samltokendata" xmlns:ns3="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0" xmlns:ns4="urn:oasis:names:tc:ebxml-regrep:xsd:rim:3.0" xmlns:ns5="urn:oasis:names:tc:ebxml-regrep:xsd:rs:3.0" xmlns:ns6="urn:oasis:names:tc:ebxml-regrep:xsd:lcm:3.0" maxResults="-1" startIndex="0" federated="false">
<ns3:ResponseOption returnComposedObjects="true" returnType="LeafClass"/>
<ns4:AdhocQuery home="urn:oid:2.16.840.1.113883.4.349" id="urn:uuid:14d4debf-8f97-4251-9a74-a90016b0af0d">
<ns4:Slot name="$XDSDocumentEntryStatus">
<ns4:ValueList>
<ns4:Value>('urn:oasis:names:tc:ebxml-regrep:StatusType:Approved')</ns4:Value>
</ns4:ValueList>
</ns4:Slot>
<ns4:Slot name="$XDSDocumentEntryPatientId">
<ns4:ValueList>
<ns4:Value>'1012581676V377802^^^&2.16.840.1.113883.4.349&ISO'</ns4:Value>
</ns4:ValueList>
</ns4:Slot>
</ns4:AdhocQuery>
</ns3:AdhocQueryRequest>
</S:Body>
</S:Envelope>
*[Response from server:]*
<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<env:Fault xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>weblogic.xml.crypto.api.MarshalException: weblogic.xml.dom.marshal.MarshalException: Failed to unmarshal {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}SecurityTokenReference, no SecurityTokenReference factory found for {http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd}KeyIdentifier ValueType: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID</faultstring>
</env:Fault>
</env:Body>
</env:Envelope>
*[webservice WSDL]*
<?xml version="1.0" encoding="UTF-8"?>
<!--
Adapter Document Query WSDL
-->
<definitions xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:tns="urn:gov:hhs:fha:nhinc:adapterdocquerysecured"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:query="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"
xmlns:plnk="http://docs.oasis-open.org/wsbpel/2.0/plnktype"
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
xmlns:vprop="http://docs.oasis-open.org/wsbpel/2.0/varprop"
xmlns:sxnmp="http://www.sun.com/wsbpel/2.0/process/executable/SUNExtension/NMProperty"
name="AdapterDocQuerySecured"
targetNamespace="urn:gov:hhs:fha:nhinc:adapterdocquerysecured">
<documentation>Adapter Document Query</documentation>
<types>
<xsd:schema>
<xsd:import namespace="urn:oasis:names:tc:ebxml-regrep:xsd:query:3.0"
schemaLocation="../schemas/ebRS/query.xsd"/>
<xsd:import namespace="urn:gov:hhs:fha:nhinc:gateway:samltokendata"
schemaLocation="../schemas/nhinc/gateway/SamlTokenData.xsd"/>
</xsd:schema>
</types>
<message name="RespondingGateway_CrossGatewayQueryRequestMessage">
<part name="body"
element="query:AdhocQueryRequest"/>
</message>
<message name="RespondingGateway_CrossGatewayQueryResponseMessage">
<part name="body"
element="query:AdhocQueryResponse"/>
</message>
<portType name="AdapterDocQuerySecuredPortType">
<operation name="RespondingGateway_CrossGatewayQuery">
<input name="RespondingGateway_CrossGatewayQueryRequest"
message="tns:RespondingGateway_CrossGatewayQueryRequestMessage"
wsaw:Action="urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryRequestMessage"/>
<output name="RespondingGateway_CrossGatewayQueryResponse"
message="tns:RespondingGateway_CrossGatewayQueryResponseMessage"
wsaw:Action="urn:gov:hhs:fha:nhinc:adapterdocquerysecured:RespondingGateway_CrossGatewayQueryResponseMessage"/>
</operation>
</portType>
<binding name="AdapterDocQuerySecuredBindingSoap11" type="tns:AdapterDocQuerySecuredPortType">
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<wsp:PolicyReference URI="#RespondingGateway_Query_Binding_SoapPolicy"/>
<operation name="RespondingGateway_CrossGatewayQuery">
<soap:operation soapAction="urn:RespondingGateway_CrossGatewayQuery"/>
<input name="RespondingGateway_CrossGatewayQueryRequest">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#RespondingGateway_Query_Binding_Soap_Input_Policy"/>
</input>
<output name="RespondingGateway_CrossGatewayQueryResponse">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#RespondingGateway_Query_Binding_Soap_Output_Policy"/>
</output>
</operation>
</binding>
<service name="AdapterDocQuerySecured">
<port name="AdapterDocQuerySecuredPortSoap11"
binding="tns:AdapterDocQuerySecuredBindingSoap11">
<soap:address
location="https://localhost:7002/NHINAdapterDocQuerySecured" />
</port>
</service>
<!-- Define action property on each receiving message -->
<vprop:property name="action" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:action"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>action</vprop:query>
</vprop:propertyAlias>
<!-- Define resource property on each receiving message -->
<vprop:property name="resource" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:resource"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>resource</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseRoleCode property on each receiving message -->
<vprop:property name="purposeForUseRoleCode" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseRoleCode"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseRoleCode</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseCodeSystem property on each receiving message -->
<vprop:property name="purposeForUseCodeSystem" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseCodeSystem"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseCodeSystem</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseCodeSystemName property on each receiving message -->
<vprop:property name="purposeForUseCodeSystemName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseCodeSystemName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseCodeSystemName</vprop:query>
</vprop:propertyAlias>
<!-- Define purposeForUseDisplayName property on each receiving message -->
<vprop:property name="purposeForUseDisplayName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:purposeForUseDisplayName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>purposeForUseDisplayName</vprop:query>
</vprop:propertyAlias>
<!-- Define userFirstName property on each receiving message -->
<vprop:property name="userFirstName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userFirstName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userFirstName</vprop:query>
</vprop:propertyAlias>
<!-- Define userMiddleName property on each receiving message -->
<vprop:property name="userMiddleName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userMiddleName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userMiddleName</vprop:query>
</vprop:propertyAlias>
<!-- Define userLastName property on each receiving message -->
<vprop:property name="userLastName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userLastName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userLastName</vprop:query>
</vprop:propertyAlias>
<!-- Define userName property on each receiving message -->
<vprop:property name="userName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userName</vprop:query>
</vprop:propertyAlias>
<!-- Define userOrganization property on each receiving message -->
<vprop:property name="userOrganization" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userOrganization"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userOrganization</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCode property on each receiving message -->
<vprop:property name="userRoleCode" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCode"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCode</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCodeSystem property on each receiving message -->
<vprop:property name="userRoleCodeSystem" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCodeSystem"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCodeSystem</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCodeSystemName property on each receiving message -->
<vprop:property name="userRoleCodeSystemName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCodeSystemName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCodeSystemName</vprop:query>
</vprop:propertyAlias>
<!-- Define userRoleCodeDisplayName property on each receiving message -->
<vprop:property name="userRoleCodeDisplayName" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:userRoleCodeDisplayName"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>userRoleCodeDisplayName</vprop:query>
</vprop:propertyAlias>
<!-- Define expirationDate property on each receiving message -->
<vprop:property name="expirationDate" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:expirationDate"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>expirationDate</vprop:query>
</vprop:propertyAlias>
<!-- Define signDate property on each receiving message -->
<vprop:property name="signDate" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:signDate"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>signDate</vprop:query>
</vprop:propertyAlias>
<!-- Define contentReference property on each receiving message -->
<vprop:property name="contentReference" type="xsd:string"/>
<vprop:propertyAlias propertyName="tns:contentReference"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>contentReference</vprop:query>
</vprop:propertyAlias>
<!-- Define content property on each receiving message -->
<vprop:property name="content" type="xsd:base64Binary"/>
<vprop:propertyAlias propertyName="tns:content"
messageType="tns:RespondingGateway_CrossGatewayQueryRequestMessage" part="body"
sxnmp:nmProperty="org.glassfish.openesb.outbound.custom.properties">
<vprop:query>content</vprop:query>
</vprop:propertyAlias>
<wsp:Policy wsu:Id="RespondingGateway_Query_Binding_SoapPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
<sc:KeyStore wspp:visibility="private"
aliasSelector="gov.hhs.fha.nhinc.callback.KeyStoreServerAliasSelector"
callbackHandler="gov.hhs.fha.nhinc.callback.KeyStoreCallbackHandler"/>
<sc:TrustStore wspp:visibility="private"
callbackHandler="gov.hhs.fha.nhinc.callback.TrustStoreCallbackHandler"/>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken>
<wsp:Policy>
<sp:RequireClientCertificate/>
</wsp:Policy>
</sp:HttpsToken>
</wsp:Policy>
</sp:TransportToken>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic128/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens>
<wsp:Policy>
<sp:SamlToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssSamlV20Token11/>
</wsp:Policy>
</sp:SamlToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:RequireSignatureConfirmation/>
</wsp:Policy>
</sp:Wss11>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="RespondingGateway_Query_Binding_Soap_Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="RespondingGateway_Query_Binding_Soap_Output_Policy">
<wsp:ExactlyOne>
<wsp:All>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<plnk:partnerLinkType name="AdapterDocQuerySecured">
<!-- A partner link type is automatically generated when a new port type is added.
Partner link types are used by BPEL processes. In a BPEL process, a partner
link represents the interaction between the BPEL process and a partner service.
Each partner link is associated with a partner link type. A partner link type
characterizes the conversational relationship between two services. The
partner link type can have one or two roles.-->
<plnk:role name="AdapterDocQuerySecuredPortTypeRole"
portType="tns:AdapterDocQuerySecuredPortType"/>
</plnk:partnerLinkType>
</definitions>
Edited by: dvazquez1027 on Feb 25, 2010 5:10 PM
Edited by: dvazquez1027 on Feb 25, 2010 5:22 PMHi
yes, I had the same issue and I found a solution.
You need to request a patch for BUG 9212862 (already corrected in WLS 10.3.3) and do the follwing:
javax.xml.ws.BindingProvider provider = (javax.xml.ws.BindingProvider)port;
java.util.Map context = provider.getRequestContext();
context.put(weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_PREFERENCE, weblogic.wsee.jaxrpc.WLStub.POLICY_COMPATIBILITY_MSFT);
This will cause the SecurityMessageArchitect class of WLS to not send the SecurityTokenReference in the Soap security header.
Please note that is evidently a non-comformity to the specs of microsoft:
Please give a look at
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0.pdf (8.3 Signing Tokens)
and also at:
http://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf
(3.4 Identifying and Referencing Security Tokens)
A SAML key identifier reference MUST be used for all (local and remote) references to SAML 1.1
assertions. [...]
All conformant implementations MUST be able to process SAML assertion references occurring in a
<wsse:Security> header or in a header element other than a signature to acquire the corresponding
assertion. A conformant implementation MUST be able to process any such reference independent of the
confirmation method of the referenced assertion.
It follows that the .NET 3.5 is a non conformat implementation: I would gladly know which is the position of Microsoft on that.
ciao
carlo -
Single Sign-On with multiple shops in E-Commerce 7
I have more than one shop and everything is working fine.
Right now I want to do a single sign on.
I have it working in a previous version. e-commerce v4
I'm developing in e-commerce v7.
The class PrepareLoginAction.java exists.
The action "/preparelogin" exists in the file config_user.xml, but never used.
Can anyone know why or how I can use PrepareLoginAction in v7.
Any help will be much appreciated.
Thanks in advance.Well, if you want to hear my personal opinion:
better stick to the cookie specification (http://wp.netscape.com/newsref/std/cookie_spec.html) and accept the constraint that cookies will only be send to domains that tail-match the domain-constraint specified in the set-cookie http response.
Although this specification is not an official internet standard most browsers are implementing the cookie mechanism according to this specification.
Unfortenately there's no option to specify that a cookie should be send to a list of servers and/or sub-domains.
However one physical server can have multiple (FQDN) hostnames. So if you intend to send the cookie to a group of servers the best approach is to create a new (DNS) (sub-)domain exclusively for those servers.
Theoretically (and also practically) it is possible to set cookies for multiple domains (by using a webservice that will set cookies on request of a caller). But that approach is dangerous:
(1) not the server but the http client is defining the content of the cookie (= part of the http server response)
(2) (unintended) many servers can obtain the cookie which will be send to all servers that reside in all (tail-matching sub-)domains; although most likely only one or two servers of each domain are intended recipients
Regards, Wolfgang -
OBIEE 11G with Single Sign-On and Active Directory
Hi guys,
Release Version: Oracle Business Intelligence 11.1.1.5.0
Patch applied: 11.1.1.5.0 BP3 (Patch 13832750)
OBIEE Server operating system: Windows Server 2008 SP2 (32-bits Operating System).
We are trying to configure Single Sign-On according to TechNote_WNA_SSO_AD_V4.0.doc.
Our krb5login.conf:
com.sun.security.jgss.krb5.initiate {
com.sun.security.auth.module.Krb5LoginModule required
principal="[email protected]"
keyTab=cgdkobi2.keytab
useKeyTab=true
storeKey=true
debug=true
com.sun.security.jgss.krb5.accept {
com.sun.security.auth.module.Krb5LoginModule required
principal="[email protected]"
keyTab=cgdkobi2.keytab
useKeyTab=true
storeKey=true
debug=true
We generate de keytab file:
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.24\bin\ktab.exe -k cgdkobi2.keytab -a [email protected]
Password for [email protected]:XXXXXXX
Done!
Service key for [email protected] is saved in cgdkobi2.keytab
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\kinit -k -t cgdkobi2.keytab cgdkobi2
New ticket is stored in cache file C:\Users\cgdkobi2\krb5cc_cgdkobi2
C:\OracleBI11g\user_projects\domains\bifoundation_domain>C:\OracleBI11g\jrockit_160_24_D1.1.2-4\bin\klist -k -t cgdkobi2.keytab
Key tab: cgdkobi2.keytab, 1 entry found.
[1] Service principal: [email protected]
KVNO: 1
Time stamp: Mar 15, 2013 10:34
C:\OracleBI11g\user_projects\domains\bifoundation_domain>klist
Current LogonId is 0:0x406163f5
Cached Tickets: (0)
We re-start the services and logon into analytics web and SSO doesn't work but there's not an error. It runs successfully with and Active Directoy user and password. Seems like SSO wasn't enabled, but I checked is enabled.
Any suggestion?
Thanks in advancedFollow the posts : OBI 11.1.1.6.SSO and You are not currently signed in to Oracle BI Server" for OBIEE 11.1.1.6 SSO do the troubleshooting mentioned there.
Also check your logs for error like the one below:
[2012-03-09T16:42:36.000-05:00] [OBIPS] [NOTIFICATION:1] [] [saw.securitysubsystem.checkauthentication.runimpl] [ecid: 6c98b5cce1f24814:2a613331:135f95fbdff:-8000-0000000000005b7a,0:1:1] [tid: 5932] Authentication Failure.
Odbc driver returned an error (SQLDriverConnectW).
State: 08004. Code: 10018. [NQODBC] [SQL_STATE: 08004] [nQSError: 10018] Access for the requested connection is refused.
[nQSError: 43113] Message returned from OBIS.
[nQSError: 13039] The impersonator does not exist in the BI Security Service. (08004)[[
If you are getting this when you login to OBIEE : You are not currently signed in to Oracle BI Server"
then you need to apply this patch : 13553428 QA:BLK:DELIVER TO CORP. OID LDAP USERS FAILED WITH IMPERSONATOR DOES'NT EXIST. 11.1.1.6.0 Generic Platform (American English) General Oracle BI Suite EE Apr 5, 2012 799.4 KB
Let us know the updates. Hope this helps. Mark if it does.!
Thanks,
SVS -
How do I get specific font to ALWAYS appear in text field whether user has font on computer or not?
I am designing a simple form to be used as template for OTHER people to type up room signs. We would like the signs to be in a specific font that is not generally loaded on the average computer, and we do not want to have to distribute fonts to a gazillion people. My thought was to create a LiveCycle from, whereby the room user could type their name and title in the text fields on the form, and in theory, it would appear in the font I chose for the text field. I have tried various things, but it always gets substituted by the user's computer.
Tried: Choosing "rich text" for field format in Object palette; choosing "Embed fonts" in "Save Options"; tried static form, tried dynamic form. It could be that my test user has such an old version of Reader that it just CANNOT work.
Thanks!The restrictions are listed as "normal." And it does appear as embedded when I go to the document properties, though it didn't until I used it for the text on the form (as apposed to just using in the text fields.) And when another user opens the form, the text appears in the specified font, but once they type in the text field, it defaults to different font.
BTW, it is an Open Type Font, if that makes any difference. -
Thunderbird 31.3.0
Win7 Enterprise, SP1 (all patches, corporate maintained)
ActivClient x64 - 7.0.2.403
I just got a new machine from corporate. The old one had ActivClient 6.2.0.133 and I had it working there. With my cert card inserted, TB can see the certs on the card. It lists them in the "Your Certificates" tab in the cert manager. And in the account settings, security section it lets me pick certs for digital signing and encryption. But when I try to use them to sign or decrypt an email it doesn't work. It does let me encrypt an email which others can read. I've checked about:config and it matches what I picked in account settings.
When I try to decrypt it gives me the boilerplate:
" Thunderbird cannot decrypt this message
The sender encrypted this message to you using one of your digital certificates, however Thunderbird was not able to find this certificate and corresponding private key.
Possible solutions:
If you have a smartcard, please insert it now.
If you are using a new machine, or if you are using a new Thunderbird profile, you will need to restore your certificate and private key from a backup. Certificate backups usually end in ".p12"."
If I try to sign it says "Sending of message failed. Unable to sign message. Please check that the certificates specified in Mail & Newsgroups Account Settings for this mail account are valid and trusted for mail." TB only lets me pick the cert named "Digital Signature" for use in the first place! And the cert's properties according to TB are "This certificate has been verified for the following uses: SSL Client Certificate, Email Signer Certificate". So TB knows it is good for signing. I'm out of things to try at this point.
Thanks for the help.I've found a bit more information. When I'm trying to sign an email and check the cert info from the compose message window->security->view the cert that TB is trying to use, it is using the wrong cert and not the one I selected! No wonder it doesn't work! It is using a cert only specified for "Email Recipient Certificate" instead of the one I selected in account settings that is for "Signing, Non-repudiation" according to account settings and "SSL Client Certificate" + "Email Signer Certificate" according to the certificate manager.
This pretty clearly seems like a bug. I've never submitted a bug to TB before. Can I get some help doing that? I'm not a SW developer of any kind. This is completely breaking my ability to use TB. Half of my email traffic is encrypted. -
Different selection in a single query according to an ID
Hi
I'm looking for a way to perform different selections in a single query according to a specific value:
Here is the first selection:
select g.*,gf.*,gs.*
FROM graphs g
LEFT JOIN graph_frames gf on g.graph_id = gf.graph_id
LEFT JOIN graph_sets gs on gf.frame_id = gs.frame_id
WHERE g.graph_id = :IDHere is the second selection:
SELECT gg.graph_id, gg.graph_name
FROM generic_graphs gg
INNER JOIN generic_graph_frames ggf on gg.graph_id = ggf.graph_id
INNER JOIN generic_graph_sets ggs on ggf.frame_id = ggs.frame_id
WHERE gg.graph_id = :IDNow, the ID cannot be in both the tables and I want to perform that in a single query, UNION cannot be applied since the tables are different.
Any ideas?
Edited by: BluShadow on 14-Sep-2011 09:09
added {noformat}{noformat} tags. Please read {message:id=9360002} and learn to do this yourself.Example of consolidating the columns...
SQL> ed
Wrote file afiedt.buf
1 with t as (select &id as id from dual)
2 select e.empno, e.ename, e.job, e.mgr, d.deptno, d.dname, d.loc
3 from (select * from emp cross join t where empno = t.id) e
4 full outer join
5 (select * from dept cross join t where deptno = t.id) d
6* on (1=1)
SQL> /
Enter value for id: 7521
old 1: with t as (select &id as id from dual)
new 1: with t as (select 7521 as id from dual)
EMPNO ENAME JOB MGR DEPTNO DNAME LOC
7521 WARD SALESMAN 7698
SQL> /
Enter value for id: 10
old 1: with t as (select &id as id from dual)
new 1: with t as (select 10 as id from dual)
EMPNO ENAME JOB MGR DEPTNO DNAME LOC
10 ACCOUNTING NEW YORK
SQL>Though, this would be considered poor design because you are trying to query two disperate things, so they should be treated differently. i.e. in my example, I should already know if I'm querying an employee or a department beforehand. -
Can I assume that Windows will be able to handle my physical interface device if I follow the "Device Class Definition for Physical Interface Devices" specification while writing the firmware?
I'm trying to develop a device which handles rumble output from applications such as games. Applications would include e.g. racing games or simulators. I'm hesitant to just clone Xbox 360 Gamepad or Sidewinder USB reports. I'd like to correctly declare my
device as something on its own while still making use of already implemented OS-specific drivers. The purpose of the mentioned specification is exactly that as far as I can tell. I wasn't able to find concrete information about its level of support though.
The "USB device class drivers included in Windows" page (sorry I'm not allowed to post links yet..) seems to link to WinUSB which I'm not sure what to do with.Thanks for your response. Well if everything was implemented at that time and it's still available it should be fine since the specification document's last version is dated 1999. I was just hoping there would be any form of documentation whether it's
supported and by which degree so I don't go through the trouble of figuring out how the firmware should be written according to the specification just to find out there is no OS driver implementation for it which would render my work more or less useless.
So I suppose I'm forced to go the trial and error path? -
[kinda urgent] Is that possible signing without digital ID?
Hello!
I want to ask two questions. Those things might similar to each other, which may concerning signing without Digital ID.
First one is that we want to get sign right away right on the place(maybe without Digital ID). Probably a pad or something, such the device we use when taking bills with credit card, would be connected to the computer. Is that possible or at least sounds probable? and if it is, please let me know how.
Not only that, I wanna ask u one more thing. It is using pdf file with table pc, such as I-PAD. hmm.. giving an example, let's say I read a dynamic forms with I-pad, and I want to sign without Digital ID thing, specifically 'on the pad'. is that possible? like the former one, if it is, please tell me how to do it.
The former one is more important and the fact whether possible or not is the first priority.
In case the information is not specific enough, just comment about that, I am gonna add more detail.
kinda in a hurry, Please help me.
Any comment would be appreciated!!
virtuodo123The PDF format supports many types of "Electronic" signatures, including signatures created using a signature pad. Acrobat and Reader (with a reader extended form) have the ability to sign PDF documents using Digital IDs (x509 digital certificates) out of the box. Other types of signatures are supported using third party plugins.
For more info, check out http://www.adobe.com/security/partners/index.html
Regards
Steve -
HR Form Editor, How to Make a Rule to change - value to no sign
Dear All,
I am making a pay slip in HR Form Editor and in a window i am displaying wage type text and values, values are negative but I want then to be displayed with No sign.
Can some one explain to me how to eliminate a sign of wage type vales in a window by using a rule or any other methord.
Regards.Hi,
create a new 'line layout' for your specific form and have the value for conversion set to '19 - No +/- sign'.
Of course the specific WT should be linked to this new 'line layout' under step 'Window'
Have fun.
Wilfred.
Maybe you are looking for
-
How can i take the full page off and go back to the regular page
When I go to my to my web pages, I have a full screen. That means I can't see my toolbar.. I would like to see my toolbar at the top at all time.. Can you please help me... Also, I am having trouble with popups all the time.. I downloaded the Ad-bloc
-
Custom order of priority queue
I am a novice in Java. I intend to use a priority queue which holds objects. The objects have a string and two integers. I have to order the priority queue based on one of the integer. I write syntax according to my understanding please correct me. P
-
Change a white ipad to a black ipad
i am not sure if this is the right place to ask this question. so here it is, i just got a white new ipad as a gift from my uncle. i havn't open it. can i just walk in to apple retail store and replace with a black one? (and there is no way to find t
-
Why won't my NT/P3 system seem my GPIB card?
It doesn't appear to be using a IRQ already assigned, the jumpers are right, and it works in another machine running NT just fine. Any ideas? I'm using the default memory location (0x2c0), and have tried de-selecting DMA. The CPU is a P3 HPVectraVL 5
-
10.4.11 update - slow+ unnamed folders on desktop
Hi - I just did an update to 10.4.11 on my G4 - machine is now running a bit slower, but more worryingly I am getting unnamed folders on my desktop that duplicate the HD and desktop files in them. Any ideas what is happening, or what I should do? is