How to RST/Validate

Hi,

I am trying to validate a SAML token from my STS against my STS, but the answer is always "not valid". The DefaultSAMLTokenProvider.isValidToken(...) tries to call assertion.verifySignature(...), which leads to isValid = false.

My client code:

    // get the token
    DefaultSTSIssuedTokenConfiguration config = new DefaultSTSIssuedTokenConfiguration("...", "...");
    config.setProtocol(STSIssuedTokenConfiguration.PROTOCOL_13);
    config.setTokenType("urn:oasis:names:tc:SAML:2.0:assertion");
    IssuedTokenManager manager = IssuedTokenManager.getInstance();
    IssuedTokenContext ctx = manager.createIssuedTokenContext(config, "...");
    manager.getIssuedToken(ctx);
    Token issuedToken = ctx.getSecurityToken();
    SAMLAssertionFactory samlFac = SAMLAssertionFactory.newInstance(SAMLAssertionFactory.SAML2_0);
    Assertion tmpAssertion = samlFac.createAssertion((Element)issuedToken.getTokenValue());

    // validate the token
    ctx.setTarget(tmpAssertion);
    manager.validateIssuedToken(ctx);
    Status status = (Status)ctx.getOtherProperties().get(IssuedTokenContext.STATUS);
    System.out.println("Status=" + status.isValid());

What's wrong?

Best Regards,
Andreas

[Message sent by forum member 'andreasnagel' (sun@...)]
http://forums.java.net/jive/thread.jspa?messageID=369650

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...
Re: How to RST/Validate

JAXB could change the assertion to break the signature. Try:

    Token issuedToken = ctx.getSecurityToken();

    // validate the token
    ctx.setTarget(new GenericToken((Element)issuedToken.getTokenValue()));
    manager.validateIssuedToken(ctx);
    Status status = (Status)ctx.getOtherProperties().get(IssuedTokenContext.STATUS);
    System.out.println("Status=" + status.isValid());

[Message sent by forum member 'jdg6688' (jiandong.guo@...)]
http://forums.java.net/jive/thread.jspa?messageID=369694
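The mechanism behind this answer, as an added example that is not from the thread and not Metro code: a ds:Reference digest is computed over the canonical form of the assertion, so the element as received verifies, a purely lexical change such as attribute quoting is absorbed by canonicalization, but a JAXB-style object-model round trip (modelled here with ElementTree, which re-serializes with its own namespace prefix) or a content change does not. The sample assertion is constructed, and a SHA-256 over the C14N output stands in for the digest that the real signature covers.

```python
import hashlib
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion, not a real STS token. The ds:Signature
# element is left out; only the reference digest it would carry is modelled.
ASSERTION_AS_RECEIVED = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}" ID="_a1" Version="2.0" '
    'IssueInstant="2009-09-01T10:00:00Z">'
    '<saml:Issuer>http://sts.example.invalid</saml:Issuer>'
    '<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)


def reference_digest(xml_text: str) -> str:
    """SHA-256 over the canonical (C14N 2.0) form, the way a ds:Reference
    digest is computed. Canonicalization normalizes quoting and escaping
    but keeps namespace prefixes and text content as they are."""
    canonical = ET.canonicalize(xml_text)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def object_model_roundtrip(xml_text: str) -> str:
    """Parse into a tree and serialize it again, as happens when the DOM
    Element is turned into an Assertion object and back. The serializer
    chooses its own namespace prefix (ns0 here; JAXB typically emits ns2),
    and that prefix survives canonicalization, so the digest changes."""
    root = ET.fromstring(xml_text)
    return ET.tostring(root, encoding="unicode")


def requote_attributes(xml_text: str) -> str:
    """A lexical change canonicalization does absorb: attribute quoting."""
    return xml_text.replace('"', "'")


def tamper_subject(xml_text: str) -> str:
    """The 'bad client' case: a content change the signature must catch."""
    return xml_text.replace("<saml:NameID>alice<", "<saml:NameID>mallory<")


def signature_still_valid(received: str, presented: str) -> bool:
    """The verifier recomputes the digest over what it is handed and compares
    it with the digest the STS signed over the assertion as received."""
    return reference_digest(presented) == reference_digest(received)
```

Validating the raw Element (the GenericToken route above) corresponds to passing the received bytes straight through; validating the reparsed Assertion object corresponds to the round-trip case.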
Re: How to RST/Validate

Thanks for your answer.

I tried your suggestion, but without success. I attached the SAML token that is sent in the RST/Validate. Perhaps you can see some error in the token?

Best Regards,
Andreas

[Message sent by forum member 'andreasnagel' (sun@...)]
http://forums.java.net/jive/thread.jspa?messageID=369926
Re: How to RST/Validate

Can you post this message in the original form (not being prettied)?

[Message sent by forum member 'jdg6688' (jiandong.guo@...)]
http://forums.java.net/jive/thread.jspa?messageID=369943
Re: How to RST/Validate

Sure. Now, I have attached a text file containing request and response.

[Message sent by forum member 'andreasnagel' (sun@...)]
http://forums.java.net/jive/thread.jspa?messageID=369953
Re: How to RST/Validate

Can you try with the latest nightly for Metro 2.0 to see if it works for you?
https://metro.dev.java.net/servlets/ProjectDocumentList?expandFolder=7638&folderID=10314

[Message sent by forum member 'jdg6688' (jiandong.guo@...)]
http://forums.java.net/jive/thread.jspa?messageID=370012
Re: How to RST/Validate

The nightly build works as expected. Great job. Thanks.

Now, I want to save the token to disk, manipulate it to break the signature and then use it to authenticate at a service. Can you point me in the right direction, how to do that?

Regards,
Andreas

[Message sent by forum member 'andreasnagel' (sun@...)]
http://forums.java.net/jive/thread.jspa?messageID=370161
Re: How to RST/Validate

> The nightly build works as expected. Great job.
> Thanks.

Great! Thank you for confirming this.

> Now, I want to save the token to disk, manipulate it
> to break the signature and then use it to
> authenticate at a service.

Can you provide more details? Where do you want to store the token: client, service, sts?

> Can you point me into the right direction, how to do
> that?

Depending on the use case, any of the following helps:

token caching and sharing: http://blogs.sun.com/trustjdg/entry/token_caching_and_sharing
token delegation: http://blogs.sun.com/trustjdg/entry/actas_and_credential_delegation
token propagation: https://wsit.dev.java.net/source/browse/wsit/wsit/samples/ws-trust/propagate/

Regards,
Jiandong

[Message sent by forum member 'jdg6688' (jiandong.guo@...)]
http://forums.java.net/jive/thread.jspa?messageID=370219
Re: How to RST/Validate

My goal is to write a test case that simulates a bad client or a man-in-the-middle attack. The issued SAML token should be changed by the bad client or on the wire, and the service may not accept the manipulated token.

Metro does so much under the hood. This is good, but on the other hand, it is not easy to step in between.

The easiest way seems to be to get the SAML token on the client, save it to disk or a byte[], change it, and call a @WebMethod with the changed token.

In the meantime, I tried to use the SamlCallbackHandler, but I got stuck with this idea, because I have to change the WSDL to use a SamlToken policy. And this makes the test too far away from the original use case.

Maybe I can use the HttpTransportPipe to manipulate the SAML token?

Regards,
Andreas

[Message sent by forum member 'andreasnagel' (sun@...)]
http://forums.java.net/jive/thread.jspa?messageID=370270
Re: How to RST/Validate

Hi Andreas,

You can plug in a Handler for this:
http://weblogs.java.net/blog/ramapulavarthi/archive/2007/12/extend_your_web.html