wsse:InvalidSecurity, why?


wsse:InvalidSecurity, why?


Hello,

The error:
···················································································································································
<faultcode>wsse:InvalidSecurity</faultcode>
<faultstring>ERROR: No security header found in the message</faultstring>
<ns2:exception class="javax.xml.ws.soap.SOAPFaultException" note="To disable this feature, set com.sun.xml.ws.fault.SOAPFaultBuilder.disableCaptureStackTrace system property to false">
···················································································································································

The client code:
···················································································································································
        // The request to the STS
        SOAPMessage reply = sc.call(requestMessageToSTS, stsdestination);

        SOAPPart sp1 = reply.getSOAPPart();
        SOAPEnvelope se1 = sp1.getEnvelope();
        SOAPBody bd1 = se1.getBody();
        SOAPElement assertion = (SOAPElement) bd1.getElementsByTagName("saml2:Assertion").item(0);
        // Cool, I am getting a valid SAML2 assertion

        // The request to the web service that is throwing the error
        SOAPMessage m2 = messageFactory.createMessage();
        SOAPPart sp2 = m2.getSOAPPart();
        SOAPEnvelope se2 = sp2.getEnvelope();

        se2.addNamespaceDeclaration("alf", "http://alf.me.org/");
        SOAPHeader sh2 = se2.getHeader();
        SOAPBody body2 = se2.getBody();
        sh2.addNamespaceDeclaration("wsse",
                "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd");
        SOAPElement secHeader = sh2.addChildElement("Security", "wsse");
        secHeader.addChildElement(assertion);
        body2.addChildElement("infor", "alf");

        SOAPMessage reply2 = sc.call(m2, webservicedestination);
        m2.writeTo(new FileOutputStream("data/RequestToService.xml"));
        reply2.writeTo(new FileOutputStream("data/ResponseFromService.xml"));
···················································································································································

The request sent to the service:
···················································································································································
<SOAP-ENV:Envelope>
<SOAP-ENV:Header>
<wsse:Security>
<saml2:Assertion ID="vvjeqi0935bm5vdplga1qs2idp" IssueInstant="2009-11-04T15:22:14Z" Version="2.0">
<saml2:Issuer>http://ellnet.lucasj.es/ExampleNif</saml2:Issuer>
<saml2:Subject>
<saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">12345678S</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
</saml2:Subject>
<saml2:Conditions NotBefore="2009-11-04T15:17:14Z" NotOnOrAfter="2009-11-04T15:32:14Z"/>
<saml2:AuthnStatement AuthnInstant="2009-11-04T15:22:14Z">
<saml2:AuthnContext>
<saml2:AuthnContextClassRef>urn:juntadeandalucia:cice:authn:nif</saml2:AuthnContextClassRef>
</saml2:AuthnContext>
</saml2:AuthnStatement>
<saml2:AttributeStatement>
<saml2:Attribute Name="NifNie">
<saml2:AttributeValue>28806345S</saml2:AttributeValue>
</saml2:Attribute>
</saml2:AttributeStatement>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#vvjeqi0935bm5vdplga1qs2idp">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>BdDkislEn5QCZ5is7NwXDLKEb3Y=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
OQQGrtHY2Kyz8ta1ktNGib1ON2puk9LzEoanT9YAsPa7Xs8mMfgpd8nGuDx6w6WD32TAOUJPUwYd
gjBKWrGjM3c4s2FC2IvQJEol6Eg7/Nx2/1Zn7A93F/7kkwJmOShWjwXQV1R38xTP/1YgxbusynYk
j4wwdP3/Dd8siVzJN4Y=
</ds:SignatureValue>
<ds:KeyInfo>
<ds:KeyValue>
<ds:RSAKeyValue>
<ds:Modulus>
nb3RRzyDyoXS3e+PQ2grDUlCs039YDH6iQtX799o5c13fLhRfYWc9lYS/mSAnr/JVlJMZmZh5GBu
Vyvd6igJFoN+zPaXqu9cpX2xKEaDXdjNkXgOCPE9xB4BWf7SrKWK8p79vdaFt+wz19xqXRD28s8J
0Dq2FNo1IUHUeXLnBQU=
</ds:Modulus>
<ds:Exponent>AQAB</ds:Exponent>
</ds:RSAKeyValue>
</ds:KeyValue>
</ds:KeyInfo>
</ds:Signature>
</saml2:Assertion>
</wsse:Security>
</SOAP-ENV:Header>

<SOAP-ENV:Body>
<alf:infor/>
</SOAP-ENV:Body>

</SOAP-ENV:Envelope>
···················································································································································

Yesterday, I was getting a certificate error, like the one here (old):
https://wsit.dev.java.net/issues/show_bug.cgi?id=697

But today I am getting the "No security header found in the message" error. I've been watching the traffic with a network monitoring tool and the sent request is exactly the same as the pasted (saved to disk) one.

I think that the request is complete, but how could I check the requirements of the web service? I tried soapUI, but it doesn't generate (or at least I don't know how) the security part of the request.


Thanks,

Lucas J.
[Message sent by forum member 'o2t7' (lgonzalez@...)]

http://forums.java.net/jive/thread.jspa?messageID=370487

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@...
For additional commands, e-mail: users-help@...


Re: wsse:InvalidSecurity, why?


Does the service wsdl have the policy?

You need to have at least Timestamp in the security header.

Why don't you use Metro for your client?
[Message sent by forum member 'jdg6688' (jiandong.guo@...)]

http://forums.java.net/jive/thread.jspa?messageID=370517



Re: wsse:InvalidSecurity, why?


Hello Jiadong,

·············································································
*** Does the service wsdl have the policy?
·············································································

I do think so, anyway I paste it to you here:

<ns1:Policy xmlns:ns1="http://schemas.xmlsoap.org/ws/2004/09/policy" wsu:Id="InforPortBindingPolicy">
<ns1:ExactlyOne>
<ns1:All>
<ns4:SymmetricBinding>
<ns1:Policy>
<ns1:ExactlyOne>
<ns1:All>
<ns4:AlgorithmSuite>
<ns1:Policy>
<ns1:ExactlyOne>
<ns1:All>
<ns4:Basic128Sha256/>
</ns1:All>
</ns1:ExactlyOne>
</ns1:Policy>
</ns4:AlgorithmSuite>
<ns4:IncludeTimestamp/>
<ns4:Layout>
<ns1:Policy>
<ns1:ExactlyOne>
<ns1:All>
<ns4:Lax/>
</ns1:All>
</ns1:ExactlyOne>
</ns1:Policy>
</ns4:Layout>
<ns4:OnlySignEntireHeadersAndBody/>
<ns4:ProtectionToken>
<ns1:Policy>
<ns1:ExactlyOne>
<ns1:All>
<ns4:IssuedToken ns4:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<ns1:Policy>
<ns1:ExactlyOne>
<ns1:All>
<ns4:RequireInternalReference/>
</ns1:All>
</ns1:ExactlyOne>
</ns1:Policy>
<ns4:Issuer>
<ns5:Address>
https://ellnet.myhost.es:8181/STS-CICE-war/STSManagerService
</ns5:Address>
<ns6:Metadata>
<ns7:Metadata>
<ns7:MetadataSection>
<ns7:MetadataReference>
<ns6:Address>
https://ellnet.myhost.es:8181/STS-CICE-war/STSManagerService/mex
</ns6:Address>
</ns7:MetadataReference>
</ns7:MetadataSection>
</ns7:Metadata>
</ns6:Metadata>
</ns4:Issuer>
<ns4:RequestSecurityTokenTemplate>
<ns8:KeySize>128</ns8:KeySize>
<ns9:KeyType>
http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
</ns9:KeyType>
<ns10:TokenType>
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
</ns10:TokenType>
</ns4:RequestSecurityTokenTemplate>
</ns4:IssuedToken>
</ns1:All>
</ns1:ExactlyOne>
</ns1:Policy>
</ns4:ProtectionToken>
</ns1:All>
</ns1:ExactlyOne>
</ns1:Policy>
</ns4:SymmetricBinding>
<ns11:Trust10>
<ns1:Policy>
<ns1:ExactlyOne>
<ns1:All>
<ns11:MustSupportIssuedTokens/>
<ns11:RequireClientEntropy/>
<ns11:RequireServerEntropy/>
</ns1:All>
</ns1:ExactlyOne>
</ns1:Policy>
</ns11:Trust10>
<ns12:Wss11>
<ns1:Policy>
<ns1:ExactlyOne>
<ns1:All>
<ns12:MustSupportRefEncryptedKey/>
<ns12:MustSupportRefIssuerSerial/>
<ns12:MustSupportRefThumbprint/>
</ns1:All>
</ns1:ExactlyOne>
</ns1:Policy>
</ns12:Wss11>
<ns13:UsingAddressing ns1:Optional="true"/>
</ns1:All>
</ns1:ExactlyOne>
</ns1:Policy>


The service itself is defined this way in the wsdl though:

    <service name="InforService">
      <port name="InforPort" binding="tns:InforPortBinding">
        <soap:address location="http://ellnet.myhost.es:8080/EmuAlfresco_direct/InforService"/>
      </port>
    </service>


·············································································
*** Why don't you use Metro for your client?
·············································································

Because I'm having problems wsimporting the wsdl from the STS. I can get the assertion "manually", but not through a Metro-powered service client. I can wsimport other STS wsdl's, but not the one from the STS that has to return the SAML assertion.

To be precise, this is the output from the wsimport:

        wsimport-client-STSManagerService:
        Created dir: /EmuEco/build/generated/jax-wsCache/STSManagerService
        command line: wsimport -d /EmuEco/build/generated/jax-wsCache/STSManagerService -extension -Xnocompile -keep -s /mnt/data/svn_workcopies/STSClients2/EmuEco/build/generated/jax-wsCache/STSManagerService -catalog /EmuEco/catalog.xml -verbose /EmuEco/src/conf/xml-resources/web-service-references/STSManagerService/wsdl/localhost_8080/STS-CICE-war/STSManagerService.wsdl -wsdllocation http://localhost:8080/STS-CICE-war/STSManagerService?wsdl
        parsing WSDL...

        [WARNING] cos-nonambig: "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd":Created and WC[##other:"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"] (or elements from their substitution group) violate "Unique Particle Attribution". During validation against this schema, ambiguity would be created for those two particles.
          line 108 of http://localhost:8080/STS-CICE-war/STSManagerService?xsd=4

        [WARNING] cos-nonambig: "http://www.w3.org/2005/08/addressing":Address and WC[##other:"http://schemas.xmlsoap.org/ws/2005/02/trust"] (or elements from their substitution group) violate "Unique Particle Attribution". During validation against this schema, ambiguity would be created for those two particles.
          line 225 of http://localhost:8080/STS-CICE-war/STSManagerService?xsd=2

        [ERROR] SCD "~wsa:EndpointReferenceType" didnt match any schema component
          line 11 of http://dummy.pseudo-schema#schema2



I can only wsimport it if -Xno-addressing-databinding is specified in the wsimport, and never in my development environment (debian lenny with sun-java6-jdk, netbeans6.7.1, the GlassFish version bundled with it, and the metro version that comes with GF).


····································································································
*** You need to have at least Timestamp in the security header.
····································································································

I'll try that and get back to you.


Thanks!
[Message sent by forum member 'o2t7' (lgonzalez@...)]

http://forums.java.net/jive/thread.jspa?messageID=370520



Re: wsse:InvalidSecurity, why?


You don't need to wsimport STS wsdl.
Once the service has an IssuedToken policy assertion in the wsdl.

Metro enabled client will call the STS automatically with an internal
dispatch client:

see the sample
http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/basic

or here if you use Netbeans:

https://metro.dev.java.net/guide/Example_Applications.html#gfrls

Yes, you need time stamp with <ns4:IncludeTimestamp/>
in the wsdl.
[Message sent by forum member 'jdg6688' (jiandong.guo@...)]

http://forums.java.net/jive/thread.jspa?messageID=370527



Re: wsse:InvalidSecurity, why?


····················································································································
*** Yes, you need time stamp with <ns4:IncludeTimestamp/> in the wsdl.
····················································································································

Cool. Indeed, I added the timestamp SOAPElement (as you advised) directly from the STS reply and now the service "sees" the security header.

Now I'm getting "Missing encryption element", but the STS reply only includes the security header and the saml assertion within a RequestSecurityTokenResponse, in the body of the message.

I'll take a look at that link just now.

Thanks. ;·)
[Message sent by forum member 'o2t7' (lgonzalez@...)]

http://forums.java.net/jive/thread.jspa?messageID=370530



Re: wsse:InvalidSecurity, why?


There must be some other policies requiring you to sign/encrypt part of the messages
to the service.
[Message sent by forum member 'jdg6688' (jiandong.guo@...)]

http://forums.java.net/jive/thread.jspa?messageID=370532



Re: wsse:InvalidSecurity, why?


········································································································································
*** There must be some other policies requiring you to sign/encrypt part of the
messages to the service.
········································································································································

Could it be this one?:


<ns14:Policy wsu:Id="InforPortBinding_infor_Input_Policy">
  <ns14:ExactlyOne>
    <ns14:All>
      <ns15:EncryptedParts>
        <ns15:Body/>
      </ns15:EncryptedParts>
      <ns16:SignedParts>
        <ns16:Body/>
        <ns16:Header Namespace="http://www.w3.org/2005/08/addressing" Name="ReplyTo"/>
        <ns16:Header Namespace="http://www.w3.org/2005/08/addressing" Name="To"/>
        <ns16:Header Namespace="http://www.w3.org/2005/08/addressing" Name="From"/>
        <ns16:Header Namespace="http://www.w3.org/2005/08/addressing" Name="MessageID"/>
        <ns16:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <ns16:Header Namespace="http://www.w3.org/2005/08/addressing" Name="Action"/>
        <ns16:Header Namespace="http://www.w3.org/2005/08/addressing" Name="RelatesTo"/>
        <ns16:Header Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" Name="AckRequested"/>
        <ns16:Header Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" Name="CreateSequence"/>
        <ns16:Header Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" Name="Sequence"/>
        <ns16:Header Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm" Name="SequenceAcknowledgement"/>
      </ns16:SignedParts>
    </ns14:All>
  </ns14:ExactlyOne>
</ns14:Policy>


Greetings,

Lucas J.
[Message sent by forum member 'o2t7' (lgonzalez@...)]

http://forums.java.net/jive/thread.jspa?messageID=370536



Re: wsse:InvalidSecurity, why?


Yes. Also addressing is enabled, you need to add addressing headers ...

So leave it to Metro
[Message sent by forum member 'jdg6688' (jiandong.guo@...)]

http://forums.java.net/jive/thread.jspa?messageID=370542

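Lucas asks in the first post how to check what the service's WSDL requires; the checker below, added here and not code from the thread or from Metro, parses a policy shaped like the ones quoted above (IncludeTimestamp, SignedParts, EncryptedParts) and reports what a hand-built request is missing, including whether a wsu:Timestamp, once added, is still inside its Created/Expires window. The POLICY and REQUEST strings are constructed samples modelled on the thread, and the sp elements are assumed to be in the 2005/07 securitypolicy namespace that the IncludeToken attribute on the page refers to.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces used by the policy and the request (sp is the 2005/07 securitypolicy namespace seen in the thread).
NS = {"env": "http://schemas.xmlsoap.org/soap/envelope/", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "xenc": "http://www.w3.org/2001/04/xmlenc#", "sp": "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
WSU_ID = "{%s}Id" % NS["wsu"]
def iso(text): return datetime.fromisoformat(text.replace("Z", "+00:00"))  # wsu:Created / wsu:Expires values

def policy_requirements(policy_xml):
    """Collect what the WSDL policy demands: a Timestamp, which parts are signed, whether the Body is encrypted."""
    p = ET.fromstring(policy_xml)
    return {"timestamp": p.find(".//sp:IncludeTimestamp", NS) is not None,
            "sign_body": p.find(".//sp:SignedParts/sp:Body", NS) is not None,
            "sign_headers": [(h.get("Namespace"), h.get("Name")) for h in p.findall(".//sp:SignedParts/sp:Header", NS)],
            "encrypt_body": p.find(".//sp:EncryptedParts/sp:Body", NS) is not None}

def check_request(envelope_xml, req, now):
    """Return the requirements the request fails to meet (an empty list means every checked requirement is met)."""
    env = ET.fromstring(envelope_xml)
    sec = env.find("env:Header/wsse:Security", NS)
    if sec is None:
        return ["No security header found in the message"]  # the fault string the thread starts with
    problems = []
    ts = sec.find("wsu:Timestamp", NS)
    if req["timestamp"] and ts is None:
        problems.append("wsu:Timestamp missing")
    elif ts is not None:  # a Timestamp that is present must also be fresh, otherwise the message can be replayed
        created, expires = iso(ts.findtext("wsu:Created", "", NS)), iso(ts.findtext("wsu:Expires", "", NS))
        if not created <= now < expires:
            problems.append("wsu:Timestamp outside its Created/Expires window")
    # Only the message-level signature counts: the SAML assertion's enveloped signature is nested deeper
    # in the header and covers the assertion alone, never the Body or the addressing headers.
    signed = {r.get("URI") for r in sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)}
    header, body = env.find("env:Header", NS), env.find("env:Body", NS)
    if req["sign_body"] and "#%s" % body.get(WSU_ID) not in signed:
        problems.append("Body not covered by the message signature")
    present = [header.find("{%s}%s" % h) for h in req["sign_headers"] if header.find("{%s}%s" % h) is not None]
    if req["sign_headers"] and not present:
        problems.append("none of the headers listed in SignedParts are present (addressing headers expected)")
    for h in present:
        if "#%s" % h.get(WSU_ID) not in signed:
            problems.append("header %s present but unsigned" % h.tag.split("}")[1])
    if req["encrypt_body"] and body.find("xenc:EncryptedData", NS) is None:
        problems.append("Body not encrypted")
    return problems

# Constructed inputs modelled on the thread: the binding/input policy and the hand-built request (SAML assertion
# only, no Timestamp, no message signature, plaintext Body, no WS-Addressing headers).
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"><wsp:ExactlyOne><wsp:All><sp:IncludeTimestamp/>
 <sp:SignedParts><sp:Body/><sp:Header Namespace="http://www.w3.org/2005/08/addressing" Name="To"/>
 <sp:Header Namespace="http://www.w3.org/2005/08/addressing" Name="Action"/></sp:SignedParts>
 <sp:EncryptedParts><sp:Body/></sp:EncryptedParts></wsp:All></wsp:ExactlyOne></wsp:Policy>"""
REQUEST = """<env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"><env:Header><wsse:Security><saml2:Assertion ID="a1">
 <ds:Signature><ds:SignedInfo><ds:Reference URI="#a1"/></ds:SignedInfo></ds:Signature></saml2:Assertion>
 </wsse:Security></env:Header><env:Body xmlns:alf="http://alf.me.org/"><alf:infor/></env:Body></env:Envelope>"""
```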


Re: wsse:InvalidSecurity, why?


Ok, here it is, this is what I am doing (with Netbeans and GlassFish):


At the beginning, I followed all the steps in
https://metro.dev.java.net/guide/Example_Applications.html#Example__STS_Issued_Token__STS_

Once I got that scenario working, then I tried to do the same but with the custom STS:
The web service and client are created. On the client, when adding the client (New -> Web Service Client) for the STS I got an error

      http://img196.imageshack.us/img196/6384/wsaerror.png

that prevented me from creating the client.

I added `xnoaddressingdatabinding true` to the wsimport options tab within the STS service "Edit Web Service Attributes" menu and then I got some warnings but got the code generated.

Now the problem is, I deploy the STS, then the service, and finally the client. When the client makes the request, I get a

      javax.xml.ws.WebServiceException: Cannot secure request for {http://alf.me.org/}InforPort

and the following stack trace messages (in order, but without the "at ..." lines):

First:

     loaded WSIT configuration from file: file:/.../wsit-client.xml
     Unsupported Content-Type: application/soap+xml Supported ones are: [text/xml]
     com.sun.xml.ws.server.UnsupportedMediaException: Unsupported Content-Type:
     application/soap+xml Supported ones are: [text/xml]

Then:
     WSP1049: Loaded WSIT configuration from file: file:/.../wsit-client.xml
     SEC2004: Container-auth: wss: Error securing request
     javax.xml.ws.soap.SOAPFaultException:
        The "http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" cannot be processed at the receiver


I believe that the second one has to do with the wsa error (the one in the image capture), while the first one has to do with the SOAP message version.

Anyway, this is the reason why I was trying to create the request directly by hand, since the STS dispatches valid SAML assertions (that are actually used to consume a second resource - servlet)


Thanks,

Lucas J.
[Message sent by forum member 'o2t7' (lgonzalez@...)]

http://forums.java.net/jive/thread.jspa?messageID=370580



Re: wsse:InvalidSecurity, why?


Sounds like a problem with the custom STS you have, like old versions of the standard being used, etc. Any exception thrown on the STS side?
[Message sent by forum member 'jdg6688' (jiandong.guo@...)]

http://forums.java.net/jive/thread.jspa?messageID=370740



Re: wsse:InvalidSecurity, why?


Well, the security mechanism for the STS is Message Authentication over SSL with a Username authentication token.

With this security mechanism, the client doesn't send any saml assertion to the STS, while the STS looks for it within the request in order to sign it.

I've tried by all means, but I could only generate and send it manually.

What should I do to make the wsit/metro enabled client include a [yet unsigned] saml assertion within the request to the STS?

Thanks,

Lucas J.
[Message sent by forum member 'o2t7' (lgonzalez@...)]

http://forums.java.net/jive/thread.jspa?messageID=370886



Re: wsse:InvalidSecurity, why?


Is it not a Metro-based STS?

What you mean is that the client creates a SAML assertion and sends it to
your STS, which signs it and returns it back?

Does the STS support the ws-trust protocol?

If yes, where does the STS expect to find the SAML assertion?

There are some mechanisms to pass it on in the body with either OnBehalfOf or
ActAs:

check the ping() in http://fisheye5.cenqua.com/browse/wsit/wsit/samples/ws-trust/delegate/src/fs/simple/server/FSImpl.java?r=1.2
[Message sent by forum member 'jdg6688' (jiandong.guo@...)]

http://forums.java.net/jive/thread.jspa?messageID=370903
