Working with CXF STS - STS client example. I followed the example at https://web-gmazza.rhcloud.com/blog/entry/cxf-sts-tutorial and my sample code is at https://github.com/sampleref/CXFSecurity for reference. On debugging I found the error below at the STS provider:
<<||2014-07-13 18:26:50,286||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.UsernameTokenProcessor:50||||>> Found UsernameToken list element
<<||2014-07-13 18:26:50,287||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.validate.UsernameTokenValidator:78||||>> UsernameToken user alice
<<||2014-07-13 18:26:50,287||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.validate.UsernameTokenValidator:79||||>> UsernameToken password type http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText
<<||2014-07-13 18:26:50,287||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:115||||>> Found signature element
<<||2014-07-13 18:26:50,288||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:380||||>> Verify XML Signature
<<||2014-07-13 18:26:50,292||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:428||||>> XML Signature verification has failed
<<||2014-07-13 18:26:50,292||http-apr-8080-exec-3|DEBUG|org.apache.ws.security.processor.SignatureProcessor:431||||>> Signature Validation check: false
Please provide some inputs; it is really important for me to get this working. I posted a more detailed error from the STS client at
CXF STS client throws Request does not contain Security header/Response message does not contain WS-Addressing properties
The problem is that you are not supplying the password for the private key in the STS. So for example, adding the following to the StsPasswordCallbackHandler makes the decryption work:
x509Passwords.put("stskeyalias", "stskeypassword");
You also need to remove the BouncyCastle dependency from the STS pom.
Colm.
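The fix above hinges on what the WSS4J password callback is asked for. The same handler receives two unrelated requests: the password of the incoming UsernameToken (WSS4J compares or re-digests what the handler sets) and the password that unlocks the STS private key in the keystore (needed to decrypt the EncryptedKey, without which the symmetric signature check in the log fails). The following is an added example of such a handler for WSS4J 2.x as bundled with CXF 3.x, not the tutorial's or the answerer's code; for CXF 2.7 the callback class is org.apache.ws.security.WSPasswordCallback instead. The "alice"/"clarinet" and "stskeyalias"/"stskeypassword" pairs are constructed placeholders.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.wss4j.common.ext.WSPasswordCallback;

/**
 * STS-side password callback handler (added example, WSS4J 2.x / CXF 3.x).
 * Keeps UsernameToken passwords and private-key passwords in separate maps and
 * answers each callback only according to its declared usage.
 */
public class StsPasswordCallbackHandler implements CallbackHandler {

    // Passwords of UsernameToken users the STS accepts (constructed sample data).
    private static final Map<String, String> USER_PASSWORDS = new HashMap<>();
    // Passwords protecting private keys, keyed by keystore alias (constructed sample data).
    private static final Map<String, String> KEY_PASSWORDS = new HashMap<>();

    static {
        USER_PASSWORDS.put("alice", "clarinet");
        KEY_PASSWORDS.put("stskeyalias", "stskeypassword");
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is supported");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            String id = pc.getIdentifier();

            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN:
                    // For PasswordText tokens WSS4J compares the value set here against the
                    // token; for PasswordDigest it recomputes the digest from it. Do not fall
                    // through to the key-password map, or a client could authenticate with a
                    // keystore alias as its username.
                    String userPassword = USER_PASSWORDS.get(id);
                    if (userPassword != null) {
                        pc.setPassword(userPassword);
                    }
                    break;
                case WSPasswordCallback.DECRYPT:
                case WSPasswordCallback.SIGNATURE:
                    // The identifier is the keystore alias of the private key WSS4J must
                    // unlock to decrypt the EncryptedKey or to sign with.
                    String keyPassword = KEY_PASSWORDS.get(id);
                    if (keyPassword != null) {
                        pc.setPassword(keyPassword);
                    }
                    break;
                default:
                    // Other usages (e.g. SECRET_KEY) are left unanswered so WSS4J fails closed.
                    break;
            }
        }
    }
}
```

In a deployment the two maps would be backed by a user store and by a secret manager rather than literals; the point is that the usage value, not the identifier alone, decides which store is consulted.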
I think the issues https://issues.apache.org/jira/browse/CXF-5679 and https://issues.apache.org/jira/browse/CXF-5724 were creating problems. I used CXF version 3.0.0 and am able to get a SAML assertion now.
Thanks
With a Spring Boot client configured in the DMZ and Spring Security OAuth configured using:
issuer-uri: https://authentication_server/auth/realms/my-realm
I get this error from Spring Security:
The Issuer "https://external_url/auth/realms/my-realm" provided in the configuration metadata did not match the requested issuer "https://authentication_server/auth/realms/my-realm"
From this post I have learned that I need to specify authorization-uri, token-uri and jwk-set-uri instead of issuer-uri, and then it also works.
authorization-uri: https://external_url/auth/realms/my-realm/protocol/openid-connect/auth
token-uri: https://authentication_server/auth/realms/my-realm/protocol/openid-connect/token
jwk-set-uri: https://authentication_server/auth/realms/my-realm/protocol/openid-connect/certs
(I do not get why Spring Security cannot auto-configure with the same values from the issuer-uri when it works setting the values individually)
Now the problem is that logout stops working. When using issuer-uri, OAuth is auto-configured and end_session_endpoint is fetched from the response, but when specifying each setting there is no way to specify the end_session_endpoint.
Is this an outstanding issue in Spring Security OAuth, or do I need to configure it differently?
I had to make a workaround for this. With little time, I started by copying the existing OidcClientInitiatedLogoutSuccessHandler, which I was already using when configuring LogoutRedirectUri.
I simply copied the class and changed the implementation of the method endSessionEndpoint() to return the URI which is returned by our OAuth server as end_session_endpoint.
This issue is tracked in spring-security GitHub.
Probable fix will be allowing to add "Additional attributes for ClientRegistration and ProviderDetails".
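The workaround in the answer above amounts to an RP-initiated logout handler whose end_session_endpoint is supplied by configuration instead of discovery, because the provider, when configured from individual URIs rather than issuer-uri, carries no discovered end_session_endpoint. The following is an added example of such a handler, not Spring Security's own class and not the answerer's copy; it extends SimpleUrlLogoutSuccessHandler and overrides onLogoutSuccess, which exists across Spring Security 5.x. The Keycloak-style endpoint URL and the post-logout redirect URI are placeholders.

```java
import java.io.IOException;
import java.net.URI;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler;
import org.springframework.web.util.UriComponentsBuilder;

/**
 * OpenID Connect RP-initiated logout against a fixed end_session_endpoint
 * (added example). Used when the ClientRegistration was built from explicit
 * authorization/token/jwk-set URIs and therefore has no discovered
 * end_session_endpoint to read.
 */
public class FixedEndSessionLogoutSuccessHandler extends SimpleUrlLogoutSuccessHandler {

    private final URI endSessionEndpoint;
    private final String postLogoutRedirectUri;

    public FixedEndSessionLogoutSuccessHandler(URI endSessionEndpoint, String postLogoutRedirectUri) {
        this.endSessionEndpoint = endSessionEndpoint;
        this.postLogoutRedirectUri = postLogoutRedirectUri;
    }

    @Override
    public void onLogoutSuccess(HttpServletRequest request, HttpServletResponse response,
                                Authentication authentication) throws IOException, ServletException {
        // Only an OIDC login has an ID token to hand back; anything else uses the
        // plain local logout target configured on the superclass.
        if (authentication != null && authentication.getPrincipal() instanceof OidcUser) {
            OidcUser user = (OidcUser) authentication.getPrincipal();
            // id_token_hint identifies the provider session to end. post_logout_redirect_uri
            // must be a value registered at the provider for this client; the provider
            // is expected to reject unregistered values so a crafted logout link cannot
            // send the user to an attacker-controlled site.
            String target = UriComponentsBuilder.fromUri(endSessionEndpoint)
                    .queryParam("id_token_hint", user.getIdToken().getTokenValue())
                    .queryParam("post_logout_redirect_uri", postLogoutRedirectUri)
                    .build().encode().toUriString();
            getRedirectStrategy().sendRedirect(request, response, target);
            return;
        }
        super.onLogoutSuccess(request, response, authentication);
    }

    /** Wiring example; both URLs are placeholders following the question's Keycloak layout. */
    public static FixedEndSessionLogoutSuccessHandler forKeycloakRealm() {
        return new FixedEndSessionLogoutSuccessHandler(
                URI.create("https://external_url/auth/realms/my-realm/protocol/openid-connect/logout"),
                "https://client.example.com/");
    }
}
```

The handler is registered with http.logout().logoutSuccessHandler(...). Note that the end_session_endpoint must use the externally reachable host (the browser follows this redirect), whereas token-uri and jwk-set-uri in the question use the internal host (the server calls those), which is why the two sets of URLs differ.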
I have a Spring Boot v.5+ application which uses Spring Security SAML.
When an IdP-initiated SingleLogout request is called, I get an error saying:
org.springframework.security.saml.SAMLStatusException: LogoutRequest is required to be signed by the entity policy
Is there an option to disable signing of LogoutRequest in my service provider?
I was facing the same issue. I tried to tweak the default value of the requireLogoutRequestSigned property (from the default true to false) in Table 7.2, Extended metadata settings, of my SP, and it worked for me. I'm using the MetadataGenerator bean to configure this setting in Spring Boot v2.1.1.RELEASE and spring-security-saml2-core v1.0.3.RELEASE.
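The setting from the answer above lives on the SP's ExtendedMetadata, which the MetadataGenerator publishes. The following is an added example of that configuration for spring-security-saml2-core 1.0.x (not the answerer's or the project's code) with the switch made explicit and the trade-off spelled out: an SP that accepts unsigned LogoutRequests lets anyone who learns a user's NameID and SessionIndex terminate that user's SP session, so the relaxation should last only until the IdP can sign. Entity ID and base URL are placeholders.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.MetadataGenerator;
import org.springframework.security.saml.metadata.MetadataGeneratorFilter;

/**
 * SP metadata generation with the requireLogoutRequestSigned switch made
 * explicit (added example for spring-security-saml2-core 1.0.x).
 */
@Configuration
public class SamlMetadataConfig {

    // Library default is true. Only set false while the IdP cannot sign
    // LogoutRequests, and turn it back on as soon as it can.
    private static final boolean REQUIRE_SIGNED_LOGOUT_REQUEST = false;

    @Bean
    public ExtendedMetadata extendedMetadata() {
        ExtendedMetadata extendedMetadata = new ExtendedMetadata();
        // Sign our own metadata so the IdP can verify it came from this SP.
        extendedMetadata.setSignMetadata(true);
        // false: unsigned IdP-initiated LogoutRequests are accepted (the fix in the
        // answer); true: they are rejected with the SAMLStatusException seen above.
        extendedMetadata.setRequireLogoutRequestSigned(REQUIRE_SIGNED_LOGOUT_REQUEST);
        return extendedMetadata;
    }

    @Bean
    public MetadataGenerator metadataGenerator() {
        MetadataGenerator generator = new MetadataGenerator();
        generator.setEntityId("urn:example:sp");               // placeholder
        generator.setEntityBaseURL("https://sp.example.com");  // placeholder
        generator.setExtendedMetadata(extendedMetadata());
        return generator;
    }

    @Bean
    public MetadataGeneratorFilter metadataGeneratorFilter() {
        // Serves the generated SP metadata and registers it with the metadata manager.
        return new MetadataGeneratorFilter(metadataGenerator());
    }
}
```

After changing this flag the IdP must be given the regenerated SP metadata, since the published metadata is what tells the IdP whether signing is expected.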
While accessing an HTTPS service I am facing the issue below:
Error:
..Certification authentication failed</TITLE>
...
An attempt to authenticate with a client certificate failed.
A valid client certificate is required to make this connection.
I am using the Spring RestTemplate exchange API:
restTemplate.exchange(reqInfo.getUrl(),HttpMethod.GET,requestEntity,String.class);
I tried 2 methods to provide the trustStore, but the error still persists:
1.) Passing as arguments:
java -Djavax.net.ssl.trustStore="trustStore.jks" -Djavax.net.ssl.trustStorePassword="pwd" -cp . Test
2.) Setting the property
System.setProperty("javax.net.ssl.trustStore","path to truststore");
System.setProperty("javax.net.ssl.trustStorePassword","pwd");
Also, I tried with simple Java code using HttpClient and it works fine, but with Spring RestTemplate none of the options is working. Am I missing something here?
Note: If I do a curl of that URL I get the same error, as the truststore is not provided. Hence I am assuming that this issue is due to the TrustStore.
Finally I was able to solve the above issue.
While building the SSL context I did not load the key store (although I was passing it via arguments), due to which I was getting "Certification authentication failed", as the key store was not available.
The code below fixed the issue (added loadKeyMaterial):
sslcontext = SSLContexts.custom().loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
.loadKeyMaterial(keyStore, keyStorePwd).build();
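The error text in the question ("A valid client certificate is required") shows the server was demanding client authentication, so no truststore setting could have fixed it: the truststore decides which server certificates the client accepts, while the client certificate and its private key come from a keystore. A second point the thread touches on is that the javax.net.ssl.* system properties only feed the JDK default SSLContext; Apache HttpClient behind HttpComponentsClientHttpRequestFactory uses the SSLContext it is given. The following is an added example (not the answerer's code) that builds a RestTemplate for mutual TLS from both stores, and deliberately omits TrustSelfSignedStrategy, which would accept any self-signed server certificate. It uses the org.apache.http.ssl.SSLContexts API of HttpClient 4.4+; file paths and passwords are placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

/**
 * RestTemplate for a server that requires a client certificate (added example).
 * Truststore: which server certificates we accept. Keystore: the client
 * certificate and private key presented to the server.
 */
public class MutualTlsRestTemplateFactory {

    public static RestTemplate create(Path trustStorePath, char[] trustStorePassword,
                                      Path keyStorePath, char[] keyStorePassword) throws Exception {
        KeyStore trustStore = load(trustStorePath, trustStorePassword);
        KeyStore keyStore = load(keyStorePath, keyStorePassword);

        // A null TrustStrategy keeps the default PKIX validation, so only server
        // certificates chaining to an anchor in the truststore are accepted.
        // loadKeyMaterial is what supplies the client certificate; without it the
        // server's CertificateRequest goes unanswered and the handshake fails.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(trustStore, null)
                .loadKeyMaterial(keyStore, keyStorePassword)
                .build();

        // Keep hostname verification on; it is separate from chain validation.
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                sslContext, SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        CloseableHttpClient httpClient = HttpClients.custom()
                .setSSLSocketFactory(socketFactory)
                .build();
        return new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient));
    }

    private static KeyStore load(Path path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    public static void main(String[] args) throws Exception {
        RestTemplate restTemplate = create(
                Paths.get("trustStore.jks"), "pwd".toCharArray(),        // placeholders
                Paths.get("clientKeyStore.jks"), "pwd".toCharArray());   // placeholders
        // The GET now authenticates the server (truststore) and the client (keystore).
        System.out.println(restTemplate.getForObject("https://service.example.com/health", String.class));
    }
}
```

If the same stores must be reused for plain HttpsURLConnection code, set javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword alongside the trustStore properties; those are the counterparts the question's command line was missing.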
Working with CXF-STS I came across exceptions such as:
<<||2014-07-14 21:51:14,125||http-apr-8080-exec-8|DEBUG|org.apache.ws.security.processor.SignatureProcessor:428||||>> XML Signature verification has failed
<<||2014-07-14 21:51:14,127||http-apr-8080-exec-8|DEBUG|org.apache.ws.security.processor.SignatureProcessor:431||||>> Signature Validation check: false
As discussed in the post CXF STS Usernametoken symmetric binding XML Signature verification has failed
https://issues.apache.org/jira/browse/CXF-5679
So, assuming it was fixed in version 3.0.0, I moved to it. Now on startup I am facing the error below:
... 25 more
Caused by: org.apache.cxf.service.factory.ServiceConstructionException
at org.apache.cxf.frontend.ServerFactoryBean.create(ServerFactoryBean.java:176)
at org.apache.cxf.jaxws.JaxWsServerFactoryBean.create(JaxWsServerFactoryBean.java:211)
at org.apache.cxf.jaxws.EndpointImpl.getServer(EndpointImpl.java:456)
at org.apache.cxf.jaxws.EndpointImpl.doPublish(EndpointImpl.java:334)
... 34 more
Caused by: org.apache.cxf.BusException: No DestinationFactory was found for the namespace http://schemas.xmlsoap.org/soap/http.
at org.apache.cxf.bus.managers.DestinationFactoryManagerImpl.getDestinationFactory(DestinationFactoryManagerImpl.java:122)
at org.apache.cxf.endpoint.ServerImpl.initDestination(ServerImpl.java:88)
at org.apache.cxf.endpoint.ServerImpl.<init>(ServerImpl.java:72)
at org.apache.cxf.frontend.ServerFactoryBean.create(ServerFactoryBean.java:160)
I am unable to figure out how I can really work with the CXF STS example. Please provide some good example references for working with CXF STS in a UsernameToken-with-encryption scenario.
Thanks
This was because my project had camel-cxf dependencies, which contain CXF 2.7 embedded. It might have created conflicts with the new CXF 3.0.0 version. Removing them from the classpath resolved the problem.
Thanks
Can WSS4J be configured to retrieve private and public keys using XKMS instead of keystores?
This is an example keystore configuration:
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.password=storepassword
org.apache.ws.security.crypto.merlin.keystore.alias=serverx509v1
org.apache.ws.security.crypto.merlin.keystore.file=keystore/server-keystore.jks
Is there a similar setup for using XKMS, or would I need to create a custom implementation of org.apache.ws.security.components.crypto.Crypto for retrieving keys using XKMS?
For the record, the answer is "yes". Apache CXF ships with a WSS4J Crypto implementation that can be used to perform locate + validate calls to an XKMS service to retrieve + validate X.509 Certificates when used with WS-Security. See here for more information:
http://cxf.apache.org/docs/xml-key-management-service-xkms.html
Colm.