1 2 Previous Next 23 Replies Latest reply: Jun 18, 2011 10:49 AM by Glen Mazza RSS

SAML Token Profile (WS-Security) using PL for JBoss WS

Anil Saldhana Master

I had requested Marcus to do some preliminary investigation into supporting the SAML Token Profile of WSS using PicketLink for JBoss WS.

 

We had an IRC chat with Marcus and Stefan which is copy/pasted here.

 

(09:27:40 AM) anil: marcus: ping luck with JBWS?
(09:29:23 AM) marcus: anil: sort of. i know we have to implement a handler so we get access to the soap message and extract the SAML assertion
(09:29:40 AM) anil: marcus: yeah.  did u figure out where?
(09:29:56 AM) marcus: anil: what i'm trying to understand now is what do they do with the username and password
(09:30:19 AM) anil: marcus: they send it to JAAS afaik
(09:30:33 AM) marcus: anil: so far i can see they have a SecurityAdaptor where they set thread local objects
(09:30:51 AM) marcus: anil: but i don't see how that goes into the callbackhandler
(09:31:03 AM) anil: marcus: to be honest, all I care is 1 handler that takes the security stuff and calls PL and moves on. 
(09:31:18 AM) anil: marcus: I see your point.
(09:31:21 AM) anil: marcus: let me think.
(09:32:07 AM) marcus: anil: sooner or later that should go into the invocation (in case of an ejb3 ws for example)
(09:32:23 AM) marcus: anil: i can't find that on the ws code yet
(09:32:55 AM) anil: marcus: I am rying to think how the CBH gets involved in web and ejb layer.
(09:33:09 AM) anil: marcus: jaassec mgr
(09:33:31 AM) anil: marcus: see if they have any injection of jaas sec mgr
(09:33:53 AM) marcus: anil: right.... but in ejb case we have an interceptor that retrieves username/credential from the invocation and call jaassecmgr
(09:34:20 AM) anil: marcus: u looking in the ws-security code that Jason Greene did. correct?
(09:34:33 AM) marcus: anil: yes
(09:35:03 AM) anil: marcus: http://anonsvn.jboss.org/repos/jbossws/stack/native/trunk/
(09:35:14 AM) anil: marcus: can u navigate to the code where this is and give me the link?
(09:36:48 AM) marcus: anil: http://anonsvn.jboss.org/repos/jbossws/stack/native/trunk/modules/core/src/main/java/org/jboss/ws/extensions/security/operation/ReceiveUsernameOperation.java
(09:36:53 AM) anil: ok
(09:37:04 AM) marcus: anil: see the process method. that's where they set username/credential
(09:37:32 AM) marcus: anil: we probably just need to set the credential as a SamlCredential
(09:37:46 AM) anil: marcus: I am looking at process() method.
(09:37:52 AM) anil: marcus: now let me get to the adaptor.
(09:38:14 AM) anil: marcus: my initial thought was to have the STS token as SamlCredential and handle in the LM.
(09:38:32 AM) anil: marcus: but we may need handlers to call the PL STS to get a token for example  for outbound calls.
(09:39:18 AM) anil: marcus: here is an example:    (username,pass) ->JBWS; JBWS(callSTS-use username/pass,  get token) ->Web
(09:39:20 AM) marcus: anil: the handler takes care of inbound and outbound calls
(09:39:42 AM) anil: marcus: but the WS layer should be calling STS for getting a token?
(09:39:56 AM) anil: marcus: wait.  the LM can do that.
(09:40:11 AM) anil: marcus: but we wont replace the original  (username,cred)  with (username,SAML)?
(09:41:07 AM) marcus: anil: stefan's implementation only validates the SamlCredential... the assertion contains the username
(09:42:08 AM) anil: marcus: u r missing my point.
(09:42:32 AM) anil: marcus: we can do the sts calling etc.   but we cannot replace the original security context (securityassociation, sca etc)  for what we do in LM.
(09:42:47 AM) stefan: marcus: we need to check if the server-side interceptors accept null usernames. If they do, then we can just send (null, SAML). If not, we will need to set the assertion subject as username
(09:43:15 AM) anil: marcus: I mean the LM can call sts, get a token.  But how can we replace the outbound security ctx with the new saml token
(09:44:34 AM) stefan: anil: I don't think we should be replacing things in WS. Either the person chooses to use username/pw or SAML. In the client side some piece of code needs to set the assertion in the SOAP header, it is the client's responsibility to get the assertion. We just validate the whole thing
(09:44:57 AM) marcus: stefan: that's what i thought too
(09:45:10 AM) marcus: anil: i don't think our handler should call sts to get a token
(09:45:17 AM) anil: marcus: stefan:  not the handlers.
(09:45:20 AM) marcus: anil: it should be provided by the client
(09:45:57 AM) anil: marcus: stefan: but it should be possible for a client to call an JBWS and configuration in LM (STSInitiatingLM)   to get a saml token for outbound calls
(09:46:27 AM) anil: marcus: stefan:  LM stack will look:   (usernamepasswordmodule), (stsinitiatingLM)
(09:46:32 AM) stefan: anil: yea, but in the Web layer we can use a Filter to replace the sec context, I don't think we can do that with web services
(09:48:23 AM) marcus: stefan: anil: http://anonsvn.jboss.org/repos/jbossws/stack/native/trunk/modules/core/src/main/java/org/jboss/ws/extensions/security/jaxws/WSSecurityHandler.java
(09:48:45 AM) stefan: anil, marcus: and I think using redirection is a better solution for Web apps (user is redirected to an STS wep app, authenticates there, receives the assertion and redirects the assertion to the Web container as part of the HTTP request. This is better than exchanging the token on the server side
(09:48:52 AM) marcus: stefan: anil: the handler have access to the soap message for outbound calls... we can add anything we want there
(09:49:27 AM) anil: marcus: I agree with ur approach.
(09:49:29 AM) stefan: marcus: there you go. So you can use this to add the assertion to the SOAP message.
(09:49:46 AM) anil: marcus: we can add the saml assertion into the soap header and handle it as an handler at the other end
(09:49:53 AM) anil: marcus: got it.  
(09:50:10 AM) anil: marcus: stefan: I am going to copy this conversation into a design thread. 
(09:50:39 AM) anil: marcus: see. wss has the saml token profile.  we need to use that. :)
(09:51:12 AM) marcus: anil: cool. i just need to figure out where that SecurityAdaptor comes into play :)
(09:52:52 AM) stefan: anil: marcus: true. The profile probably specifies how assertions should be added to the SOAP header. We also must consider signing part of the request message to prove possession of the token


(09:54:06 AM) stefan: anil: marcus: something similar is done by the X509 authentication they have in place. You can sign the SOAP message to prove possession of the private key that corresponds to the public key being sent.
(09:55:05 AM) anil: stefan: we just have to look at the saml token profile to get more info.


(09:58:33 AM) stefan: anil: marcus: I think adding something to SOAP and retrieving it/passing to JAAS on server-side is not that difficult. I feel we can have this simple scenario working in 1-2 weeks. Now, signing stuff to prove possession of the assertion and verifying the signature can be a bit more complicated. But as anil said, we need to look at the SAML profile and see what's in there
(10:06:11 AM) marcus: stefan: i think the signing part is already done in WS code

 

 

Additionally,  we have the JAX-WS handlers created by Daniel Bevenius.

 

 

(10:20:10 AM) stefan: anil: ESB? but he is calling a WS attaching the assertion in the SOAP payload
(10:26:13 AM) stefan: marcus: anil: I think we are losing track of things. If ESB has a handler to include assertions in the request, we should look into it
(10:27:39 AM) marcus: stefan: the user is adding the assertion to the payload... not ESB
(10:27:59 AM) anil: marcus: PL is included as tech preview in SOA-P 5
(10:28:05 AM) stefan: marcus: are you sure? he has a handler in there, didn't look into it 
(10:29:03 AM) stefan: marcus: this handler, to be more specific: <jws:handler-class>org.picketlink.identity.federation.core.wstrust.handlers.STSSaml20Handler</jws:handler-class>
(10:29:29 AM) marcus: stefan: looking...
(10:30:24 AM) stefan: marcus: anil: the point is, I don't really care if it is ESB code or not, the fact is that passing SAML assertions as part of the payload is already implemented - at least the client-side of it
(10:30:34 AM) anil: stefan: man.
(10:32:04 AM) anil: stefan: http://anonsvn.jboss.org/repos/picketlink/federation/trunk/picketlink-fed-core/src/main/java/org/picketlink/identity/federation/core/wstrust/handlers/STSSecurityHandler.java
(10:32:12 AM) anil: stefan: looks like he did jaxws handlers
(10:32:26 AM) anil: stefan: but not sure that really works with our JBWS native wss stuff.
(10:32:40 AM) stefan: anil: that's what I'm saying
(10:33:08 AM) stefan: anil: think we have tests for this?
(10:33:34 AM) anil: stefan: it should be in the esb project.
(10:34:46 AM) marcus: anil: stefan: i think that works yes... he is just not using JAAS
(10:34:55 AM) stefan: anil: looks like this handler validates the assertion directly, no JAAS involved. I wonder how useful this really is if it doesn't set any security context
(10:35:06 AM) stefan: marcus: exactly
(10:36:14 AM) stefan: marcus: but it just validates, no security context is set from what I'm seeing. This means the Web Service won't get anything when calling getUserPrincipal from WSContext
(10:43:58 AM) anil: stefan: marcus: I think we should add a ws test case for this handler and start progress from there.  Our integration test project can be used?
(10:45:28 AM) stefan: anil: marcus: probably. But we will need a new handler or one that extends the current handler to propagate the call to JAAS and let the server set the security context
  • 1. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Daniel Bevenius Master

    Hi,

     

    sorry for the late entry into this thread...

     

    (10:34:46 AM) marcus: anil: stefan: i think that works yes... he is just not using JAAS
    (10:34:55 AM) stefan: anil: looks like this handler validates the assertion directly, no JAAS involved. I wonder how useful this really is if it doesn't set any security context
    (10:35:06 AM) stefan: marcus: exactly
    (10:36:14 AM) stefan: marcus: but it just validates, no security context is set from what I'm seeing. This means the Web Service won't get anything when calling getUserPrincipal from WSContext
    (10:43:58 AM) anil: stefan: marcus: I think we should add a ws test case for this handler and start progress from there.  Our integration test project can be used?
    (10:45:28 AM) stefan: anil: marcus: probably. But we will need a new handler or one that extends the current handler to propagate the call to JAAS and let the server set the security context

    This is correct that there is no setting of a security context in the WS-Handlers nor does the handler use JAAS.

    I'm not sure what has been decided here about moving forward, if you are going to modify the current handlers or simply write new ones, but if I can help with anything then please let me know. I could for example verify that the new handlers work with the JBoss ESB saml quickstart if nothing else.

     

    Regards,

     

    /Daniel

  • 2. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Anil Saldhana Master

    Marcus has an example working for PicketLink STS with JBossWS.  He has the code ready. He will be writing a wiki post with the example code base on Wednesday.

  • 3. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Marcus Moyses Novice

    Here is the article: http://community.jboss.org/wiki/SAMLWSIntegrationwithPicketLinkSTS

    If you could test it with ESB that would be great

  • 4. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Daniel Bevenius Master

    Great, I'll try this out and post back to this thread.

     

    Regards,

     

    /Daniel

  • 5. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Alessio Soldano Master

    Hi,

    I've been playing a bit with the sample in the article, and modified the picketlink-trust-jbossws-native classes a bit to actually make the project jbossws-stack agnostic (iow it would not depend on jbossws-native anymore, but on jbossws-common only). As a matter of fact, you're not leveraging jbossws native implementation stuff there except for very few minor things.

    Next step would be to prepare and try another client and endpoint using jbossws-cxf; it should be possible to re-use the modified picketlink-trust-jbossws project and just use the cxf means of configuring and endpoint/interceptor that runs before application handlers.

    Is there any chance I can commit to picketlink-trust-jbossws, or would you like patches for this?

     

    On a different topic, to build picketlink-trust-jbossws-native from sources I ended up building picketlink-federation, which in turns seems to require picketlink-seam. The latter builds here into org.jboss.picketlink:picketlink-seam:jar (I'm using mvn 2.2.1), while the artifact required by picketlink-federation is org.picketlink:picketlink-seam:jar (no "jboss" in the groupId). I patched this locally to complete the build, but I wonder if I'm missing something here...

  • 6. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Marcus Moyses Novice

    If you can make it stack agnostic that would be excellent! I say go ahead and commit the changes necessary.

    We may want to change the project name then and remove the -native part

  • 7. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Alessio Soldano Master

    OK, I've committed most of the changes I had in mind.

    ATM the picketlink-trust-jbossws (I've removed the -native from the name, see if you also want to svn move the sources to a different dir) is not using any stack specific thing. At the current status, the SAML2Handler can be used as any other standard JAXWS handler, meaning you can add it on both client and server side either programmatically (through BindingProvider:getBinding():getHandlerChain()) or using the @HandlerChain annotation.

    I've tested a modified version of the sample both with Native and CXF stack:

     

    package webservice.test;
     
    import java.net.URL;
    import java.util.List;
     
    import org.w3c.dom.Element;
     
    import javax.xml.namespace.QName;
    import javax.xml.ws.BindingProvider;
    import javax.xml.ws.Service;
    import javax.xml.ws.handler.Handler;
     
    import org.picketlink.identity.federation.api.wstrust.WSTrustClient.SecurityInfo;
    import org.picketlink.identity.federation.api.wstrust.WSTrustClient;
    import org.picketlink.identity.federation.core.wstrust.WSTrustException;
    import org.picketlink.identity.federation.core.wstrust.plugins.saml.SAMLUtil;
    import org.picketlink.trust.jbossws.SAML2Constants;
    import org.picketlink.trust.jbossws.handler.SAML2Handler;
     
    public class STSWSBasicClient {
     
        private static String username = "UserA";
        private static String password = "PassA";
        
        public static void main(String[] args) throws Exception {
            WSTrustClient client = new WSTrustClient("PicketLinkSTS", "PicketLinkSTSPort",
                    "http://localhost:8080/picketlink-sts-1.0.0/PicketLinkSTS",
                    new SecurityInfo(username, password));
            Element assertion = null;
            try {
                System.out.println("Invoking token service to get SAML assertion for " + username);
                assertion = client.issueToken(SAMLUtil.SAML2_TOKEN_TYPE);
                System.out.println("SAML assertion for " + username + " successfully obtained!");
            } catch (WSTrustException wse) {
                System.out.println("Unable to issue assertion: " + wse.getMessage());
                wse.printStackTrace();
                System.exit(1);
            }
     
            URL wsdl = new URL("http://127.0.0.1:8080/wstest/WSTestBean?wsdl");
            QName serviceName = new QName("http://test.webservice/", "WSTestBeanService");
            Service service = Service.create(wsdl, serviceName);
            WSTest port = service.getPort(new QName("http://test.webservice/", "WSTestBeanPort"), WSTest.class);
            BindingProvider bp = (BindingProvider)port;
            bp.getRequestContext().put(SAML2Constants.SAML2_ASSERTION_PROPERTY, assertion);
            List<Handler> handlers = bp.getBinding().getHandlerChain();
            handlers.add(new SAML2Handler());
            bp.getBinding().setHandlerChain(handlers);
     
            port.echo("Test");
        }
    }
    

     

     

    package webservice.test;
     
    import javax.annotation.Resource;
    import javax.ejb.Stateless;
    import javax.jws.HandlerChain;
    import javax.jws.WebMethod;
    import javax.jws.WebService;
    import javax.xml.ws.WebServiceContext;
    
    
    import org.jboss.ejb3.annotation.SecurityDomain;
     
    @Stateless
    @WebService
    @SecurityDomain("sts")
    @HandlerChain(file = "handlers.xml")
    public class WSTestBean implements WSTest {
        
        @Resource
        WebServiceContext wsCtx;
     
        @WebMethod
        public void echo(String echo) {
            System.out.println("WSTest: " + echo);
            System.out.println(wsCtx.getUserPrincipal());
        }
    }
    

     

    Here is the handlers.xml that needs to be close to the WSTestBean in the jar on server side:

     

    <?xml version="1.0" encoding="UTF-8"?>
    
    
    <handler-chains xmlns="http://java.sun.com/xml/ns/javaee"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xmlns:ns1="http://org.jboss.ws/jaxws/samples/logicalhandler"
      xsi:schemaLocation="http://java.sun.com/xml/ns/javaee javaee_web_services_1_2.xsd">
    
    
    
      <handler-chain>
        <handler>
          <handler-name>SAML2Handler</handler-name>
          <handler-class>org.picketlink.trust.jbossws.handler.SAML2Handler</handler-class>
        </handler>
      </handler-chain>
    
    
    </handler-chains>
    

     

    The difference of this approach is that the handler is at the same level of any other jaxws handler the user might want to add to the application, while handlers declared as post-handlers in the jbossws-native-endpoint/client xml are ensured to be always run before/after the user ones (depending on the message direction). This is most probably not an issue in this case though. In any case for the CXF client I'm going to find out how to properly install interceptors running similarly to jbossws-native post-handlers (I also need that for other reasons), so I'll let you know, but you should be ok for now.

     

    More generally, I assume future step would probably be to try achieving a more deep integration, using this in conjunction with sign/encrypt of the payload.. etc...

  • 8. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Anil Saldhana Master

    Alessio/Marcus,  if the dependencies are just going to be JDK, then we can certainly move this code into the PL fed core. The STS is based on JAXWS anyway and that resides in the core.

     

    UPDATE:  Looks like there will be jbossws deps.  So the code stays in that particular project.

  • 9. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Alessio Soldano Master

    I can most probably easily work on removing the jbossws-common dependency too by adding some further code in the SAML2Handler. However if we come to a solution for properly configuring ( in a stack agnostic way ) the handlers as "special" ones instead of standard user jaxws handlers (see above), that's still going to require something jbossws specific (jbossws-spi / jbossws-common stuff). So perhaps we can evaluate this again in future.

  • 10. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Daniel Bevenius Master

    Hi,

     

    Sorry for the delay on this...other stuff cropped up this week:(

     

    I've been trying to get the security_saml quickstart working but ran into an issue. I get the following exception:

     

    15:06:35,079 INFO  [SamlHandler] samlCredential: SamlCredential[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" ID="ID_8d356000-ed86-45d6-acd4-463afbd6fb89" IssueInstant="2010-10-22T13:06:32.001Z" Version="2.0"><Issuer>PicketLinkSTS</Issuer><Subject><NameID NameQualifier="urn:picketlink:identity-federation">UserA</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></Subject><Conditions NotBefore="2010-10-22T13:06:32.001Z" NotOnOrAfter="2010-10-22T15:06:32.001Z"><AudienceRestriction><Audience>http://security_saml/goodbyeworld</Audience></AudienceRestriction></Conditions><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:Reference URI="#ID_8d356000-ed86-45d6-acd4-463afbd6fb89" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:DigestValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">sEh7LcyN0luuYvLsXklmBWYwtt8=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>rKc6Jdyn5U9qTQhzT3WPhVAROLWLmMYXcqg19RGHFXZp+Kxk+z97UQ4vEhcAdJ3l41JI/DgPJUpM
    uu5L0VwM+KdKyAqM0JAc1aBm14o+VX6yOrA+gUok9dfL0Mp9hXdie6fJL2TpAOt8di9FwXCJrUk6
    41p8opjvdSYkzlhGzaQ=</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:RSAKeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Modulus xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1
    dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKw
    lYGGtrP5VQv00dfNPbs=</dsig:Modulus><dsig:Exponent xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature></Assertion>]
    15:06:35,089 ERROR [HandlerChainExecutor] Exception during handler processing
    org.jboss.util.NotImplementedException: getTextContent
    at org.jboss.ws.core.soap.NodeImpl.getTextContent(NodeImpl.java:618)
    at org.picketlink.trust.jbossws.handler.SAML2Handler.handleInbound(SAML2Handler.java:94)
    at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:53)
    at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:305)
    at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:142)
    at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97)
    at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:125)
    at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:200)
    at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:474)
    at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:295)
    at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:205)
    at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:131)
    at org.jboss.soa.esb.actions.soap.NativeSOAPProcessor.process(NativeSOAPProcessor.java:108)
    at org.jboss.soa.esb.actions.soap.SOAPProcessor.process(SOAPProcessor.java:118)
    at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:649)
    at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.access$000(ActionProcessingPipeline.java:84)
    at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline$1.run(ActionProcessingPipeline.java:1021)
    at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline$1.run(ActionProcessingPipeline.java:1018)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAsPrivileged(Subject.java:454)
    at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:588)
    at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:433)
    at org.jboss.soa.esb.listeners.message.MessageAwareListener$TransactionalRunner.run(MessageAwareListener.java:540)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:637)
    15:06:35,079 INFO  [SamlHandler] samlCredential: SamlCredential[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" ID="ID_8d356000-ed86-45d6-acd4-463afbd6fb89" IssueInstant="2010-10-22T13:06:32.001Z" Version="2.0"><Issuer>PicketLinkSTS</Issuer><Subject><NameID NameQualifier="urn:picketlink:identity-federation">UserA</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/></Subject><Conditions NotBefore="2010-10-22T13:06:32.001Z" NotOnOrAfter="2010-10-22T15:06:32.001Z"><AudienceRestriction><Audience>http://security_saml/goodbyeworld</Audience></AudienceRestriction></Conditions><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:Reference URI="#ID_8d356000-ed86-45d6-acd4-463afbd6fb89" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:DigestValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">sEh7LcyN0luuYvLsXklmBWYwtt8=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue>rKc6Jdyn5U9qTQhzT3WPhVAROLWLmMYXcqg19RGHFXZp+Kxk+z97UQ4vEhcAdJ3l41JI/DgPJUpM
    uu5L0VwM+KdKyAqM0JAc1aBm14o+VX6yOrA+gUok9dfL0Mp9hXdie6fJL2TpAOt8di9FwXCJrUk6
    41p8opjvdSYkzlhGzaQ=</dsig:SignatureValue><dsig:KeyInfo><dsig:KeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:RSAKeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Modulus xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1
    dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKw
    lYGGtrP5VQv00dfNPbs=</dsig:Modulus><dsig:Exponent xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature></Assertion>]
    15:06:35,089 ERROR [HandlerChainExecutor] Exception during handler processing
    org.jboss.util.NotImplementedException: getTextContent
     at org.jboss.ws.core.soap.NodeImpl.getTextContent(NodeImpl.java:618)
     at org.picketlink.trust.jbossws.handler.SAML2Handler.handleInbound(SAML2Handler.java:94)
     at org.jboss.wsf.common.handler.GenericHandler.handleMessage(GenericHandler.java:53)
     at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:305)
     at org.jboss.ws.core.jaxws.handler.HandlerChainExecutor.handleMessage(HandlerChainExecutor.java:142)
     at org.jboss.ws.core.jaxws.handler.HandlerDelegateJAXWS.callRequestHandlerChain(HandlerDelegateJAXWS.java:97)
     at org.jboss.ws.core.server.ServiceEndpointInvoker.callRequestHandlerChain(ServiceEndpointInvoker.java:125)
     at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:200)
     at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:474)
     at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:295)
     at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:205)
     at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:131)
     at org.jboss.soa.esb.actions.soap.NativeSOAPProcessor.process(NativeSOAPProcessor.java:108)
     at org.jboss.soa.esb.actions.soap.SOAPProcessor.process(SOAPProcessor.java:118)
     at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:649)
     at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.access$000(ActionProcessingPipeline.java:84)
     at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline$1.run(ActionProcessingPipeline.java:1021)
     at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline$1.run(ActionProcessingPipeline.java:1018)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.Subject.doAsPrivileged(Subject.java:454)
     at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:588)
     at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:433)
     at org.jboss.soa.esb.listeners.message.MessageAwareListener$TransactionalRunner.run(MessageAwareListener.java:540)
     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
     at java.lang.Thread.run(Thread.java:637)
     
    
    

    I've run the example on both JBoss AS 5.1.0.GA and EAP 5.1.0.

    I added the following method just to get around this issue:

    private String getUsername(final Element nameID)
    {
           String username = nameID.getNodeValue();
           if (username == null)
           {
               final NodeList childNodes = nameID.getChildNodes();
               final int size = childNodes.getLength();
               for (int i = 0 ; i < size ;i++)
               {
                   final Node childNode = childNodes.item(i);
                   if (childNode.getNodeType() == Node.TEXT_NODE)
                   {
                       username = childNode.getNodeValue();
                   }
               }
           }
           return username;
    }
    

    If I don't add this and only use nameID.getNodeValue() the user name will be null in my case.

    Now when I run the example I get this error:

     

    15:52:39,736 INFO  [SamlHandler] samlCredential: SamlCredential[<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ns2="http://www.w3.org/2001/04/xmlenc#" xmlns:ns3="http://www.w3.org/2000/09/xmldsig#" ID="ID_4168fb3d-70f5-4745-bd44-d7b731342385" IssueInstant="2010-10-22T13:52:38.086Z" Version="2.0"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">PicketLinkSTS</Issuer><Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><NameID NameQualifier="urn:picketlink:identity-federation" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">UserA</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"/></Subject><Conditions NotBefore="2010-10-22T13:52:38.086Z" NotOnOrAfter="2010-10-22T15:52:38.086Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><AudienceRestriction xmlns="urn:oasis:names:tc:SAML:2.0:assertion"><Audience xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://security_saml/goodbyeworld</Audience></AudienceRestriction></Conditions><dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:SignedInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#WithComments" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:Reference URI="#ID_4168fb3d-70f5-4745-bd44-d7b731342385" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transforms xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/></dsig:Transforms><dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"/><dsig:DigestValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">RCMqcGGUF8sS3nxdfyDknrVAP0w=</dsig:DigestValue></dsig:Reference></dsig:SignedInfo><dsig:SignatureValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">ZIjm6Gh8by2goFk5ZavL5/zLktKFn+x2QW12xiOFVeBPblGfEpRwrljgMtRTlJ5rOQkUbBQlY4JQ
    DmSxoiX+bQdBlUCce2N4hY6ngwY34fUa5f9J/IxV/nmhGeeTHcZUqZR2WJfRs4qnn/HG9AjFT/zZ
    rSOks2JM6kZk943tti0=</dsig:SignatureValue><dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:KeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:RSAKeyValue xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><dsig:Modulus xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">suGIyhVTbFvDwZdx8Av62zmP+aGOlsBN8WUE3eEEcDtOIZgO78SImMQGwB2C0eIVMhiLRzVPqoW1
    dCPAveTm653zHOmubaps1fY0lLJDSZbTbhjeYhoQmmaBro/tDpVw5lKJns2qVnMuRK19ju2dxpKw
    lYGGtrP5VQv00dfNPbs=</dsig:Modulus><dsig:Exponent xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">AQAB</dsig:Exponent></dsig:RSAKeyValue></dsig:KeyValue></dsig:KeyInfo></dsig:Signature></Assertion>]
    15:52:39,809 INFO  [SAML2Handler] Username :UserA
    15:52:40,193 ERROR [SOAPFaultHelperJAXWS] SOAP request exception
    javax.ejb.EJBAccessException: Invalid User
         at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:161)
         at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
         at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
         at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
         at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
         at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
         at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47)
         at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
         at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
         at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
         at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
         at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
         at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:325)
         at org.jboss.ejb3.stateless.StatelessContainer.invokeEndpoint(StatelessContainer.java:693)
         at org.jboss.wsf.container.jboss50.invocation.InvocationHandlerEJB3.invoke(InvocationHandlerEJB3.java:106)
         at org.jboss.ws.core.server.ServiceEndpointInvoker.invoke(ServiceEndpointInvoker.java:240)
         at org.jboss.wsf.stack.jbws.RequestHandlerImpl.processRequest(RequestHandlerImpl.java:468)
         at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleRequest(RequestHandlerImpl.java:293)
         at org.jboss.wsf.stack.jbws.RequestHandlerImpl.doPost(RequestHandlerImpl.java:203)
         at org.jboss.wsf.stack.jbws.RequestHandlerImpl.handleHttpRequest(RequestHandlerImpl.java:129)
         at org.jboss.soa.esb.actions.soap.NativeSOAPProcessor.process(NativeSOAPProcessor.java:108)
         at org.jboss.soa.esb.actions.soap.SOAPProcessor.process(SOAPProcessor.java:118)
         at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:649)
         at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.access$000(ActionProcessingPipeline.java:84)
         at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline$1.run(ActionProcessingPipeline.java:1021)
         at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline$1.run(ActionProcessingPipeline.java:1018)
         at java.security.AccessController.doPrivileged(Native Method)
         at javax.security.auth.Subject.doAsPrivileged(Subject.java:454)
         at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.processPipeline(ActionProcessingPipeline.java:588)
         at org.jboss.soa.esb.listeners.message.ActionProcessingPipeline.process(ActionProcessingPipeline.java:433)
         at org.jboss.soa.esb.listeners.message.MessageAwareListener$TransactionalRunner.run(MessageAwareListener.java:540)
         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
         at java.lang.Thread.run(Thread.java:637
    

     

    I know it is hard to say what is wrong without seeing the updated example but just wanted to hear if anyone has any ideas about areas I should look into?

     

    Thanks,

     

    /Daniel

  • 11. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Anil Saldhana Master

    Marcus fixed 1 issue in the last 2 days. Try with the new code. It should be in the wiki article.

  • 12. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Alessio Soldano Master

    Also please note I tested this with AS 6 trunk, I'll check with AS 5.1 too later, thanks for the report.

  • 14. Re: SAML Token Profile (WS-Security) using PL for JBoss WS
    Daniel Bevenius Master

    I'm building from https://svn.jboss.org/repos/picketlink/trust and I've updated today so I think I'm using the latest code for this but let me know if I'm not.

    I'll take another stab at this on Monday and also try with AS 6 trunk.

     

    Thanks,

     

    /Dan

1 2 Previous Next