mace-opensaml-users - [JOS-5] fail to validate saml xml since missing excusive c14n schema
Subject: OpenSAML user discussion
List archive
- From: "Benjamin Coiffe" <>
- To: <>
- Subject: [JOS-5] fail to validate saml xml since missing excusive c14n schema
- Date: Fri, 29 Feb 2008 14:39:18 -0500
Title: [JOS-5] fail to validate saml xml since missing excusive c14n schema
Hi all,
I am using Java OpenSAML 1.1b coupled with CXF. I implemented a web service client to connect to a web service deployed on a WebLogic server. Access to the web service is restricted by a SAML 1.0 Signed Sender Vouches policy. I configured my client to send exactly what is required, but my request is rejected.
After investigation, I found out that the BinarySecurityToken of my outbound message is not signed. I could not find in the specs that this item needed to be signed as well?
In addition, apparently their web service expects the XML statement <exc14n:InclusiveNamespaces xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" /> inside the Transform tag of the references:
<dsig:Reference URI="#bst_0JnZMvllgkyetfly">
  <dsig:Transforms>
    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
      <exc14n:InclusiveNamespaces xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="" />
    </dsig:Transform>
  </dsig:Transforms>
  <dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
  <dsig:DigestValue>l4eXHUQxS+5Z5B5Wm3jKhpBnIOU=</dsig:DigestValue>
</dsig:Reference>
Is that really needed, and if it is, is it related to bug JOS-5? If it is, how can I patch my OpenSAML? Basically, I am looking for a workaround.
Any help massively appreciated, because I am a bit stuck right now.
Thanks,
PS: just in case it could help, I copy-paste the signed SOAP message below.
--------------------------------------
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
<wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="CertId-294">...</wsse:BinarySecurityToken>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="Signature-27234575">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#_916d365c39d4edadf7d3c3fbfc2aa7c5">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>jUS1OjjuEks6piIr1065MWOqaqk=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>
iFNiuag7F2RNTIDxIYC1YXFpeKrGHyuwBd/llniYq4FFMCsf7fMI8ts206zzrWmcpxqnhDZuxib3
FaG1jZVQSoBqeo5eKHzZOT5SU+q3xZdT7ALur41ZTrenfCPUv/TxXLItmmrd15JzNu/dESEpi29j
XeIvAbiPwZ+Gi8+WhhM=
</ds:SignatureValue>
<ds:KeyInfo Id="KeyId-20989765">
<wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STRId-31338033"><wsse:Reference URI="#CertId-294" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/></wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_916d365c39d4edadf7d3c3fbfc2aa7c5" IssueInstant="2008-02-29T19:04:05.789Z" Issuer="www.example.com" MajorVersion="1" MinorVersion="1" wsu:Id="_916d365c39d4edadf7d3c3fbfc2aa7c5">
<Conditions NotBefore="2008-02-29T19:04:05.774Z" NotOnOrAfter="2008-02-29T19:09:05.774Z"/>
<AuthenticationStatement AuthenticationInstant="2008-02-29T19:04:05.774Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:unspecified">
<Subject><NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.inforsense.com">in4sense</NameIdentifier><SubjectConfirmation><ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</ConfirmationMethod></SubjectConfirmation></Subject>
</AuthenticationStatement>
</Assertion>
</wsse:Security>
</soap:Header>
<soap:Body><ns1:GetDatabases xmlns:ns1="http://www.chemspider.com/"/></soap:Body>
</soap:Envelope>
--------------------------------------
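The two things the post is asking about can be reproduced outside OpenSAML/CXF with the JDK's own XML-DSig API (javax.xml.crypto.dsig). The example below is added here for illustration; it is not code from the poster, from OpenSAML or from CXF. It builds a cut-down, constructed version of the posted envelope (placeholder BST value and placeholder Ids), registers wsu:Id as an ID attribute so that "#CertId-294" can be dereferenced, and then signs the BinarySecurityToken, the Assertion and the Body with a throwaway RSA key. Every Reference uses exclusive C14N with an explicit, empty prefix list, which the JDK marshals as <exc14n:InclusiveNamespaces PrefixList=""/> inside the Transform, exactly the element the poster's peer expects. It uses RSA-SHA256/SHA-256 instead of the post's SHA-1 because the JDK's secure validation mode, on by default in current releases, rejects SHA-1 XML signatures. Class and method names are the example's own.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Arrays;
import java.util.Collections;
import javax.xml.crypto.dsig.*;
import javax.xml.crypto.dsig.dom.DOMSignContext;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
import javax.xml.crypto.dsig.spec.ExcC14NParameterSpec;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class SenderVouchesSigner {
    static final String SOAP = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String EXC  = CanonicalizationMethod.EXCLUSIVE; // http://www.w3.org/2001/10/xml-exc-c14n#
    static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    // Constructed, cut-down version of the envelope in the post; BST value and Ids are placeholders.
    static final String ENVELOPE =
        "<soap:Envelope xmlns:soap='" + SOAP + "'><soap:Header>"
      + "<wsse:Security xmlns:wsse='" + WSSE + "' xmlns:wsu='" + WSU + "' soap:mustUnderstand='1'>"
      + "<wsse:BinarySecurityToken wsu:Id='CertId-294'>MIIB...placeholder...</wsse:BinarySecurityToken>"
      + "<Assertion xmlns='urn:oasis:names:tc:SAML:1.0:assertion' xmlns:wsu='" + WSU + "'"
      + " AssertionID='_916d' wsu:Id='_916d' MajorVersion='1' MinorVersion='1'><Conditions/></Assertion>"
      + "</wsse:Security></soap:Header>"
      + "<soap:Body xmlns:wsu='" + WSU + "' wsu:Id='Body-1'>"
      + "<GetDatabases xmlns='http://www.chemspider.com/'/></soap:Body></soap:Envelope>";

    /** wsu:Id is not an XML ID type unless the DOM is told so; without this, "#CertId-294" is unresolvable. */
    static void registerWsuIds(Document doc) {
        NodeList all = doc.getElementsByTagNameNS("*", "*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (e.hasAttributeNS(WSU, "Id")) e.setIdAttributeNS(WSU, "Id", true);
        }
    }

    /** Signs BST, Assertion and Body; each Reference carries exc-c14n with an explicit empty PrefixList. */
    static void sign(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        // new ExcC14NParameterSpec() is an empty prefix list. The JDK marshals a non-null spec as
        // <exc14n:InclusiveNamespaces PrefixList=""/> inside <ds:Transform>; with no spec at all
        // the Transform element is left empty, which is what the poster's client currently emits.
        Transform excC14n = fac.newTransform(EXC, new ExcC14NParameterSpec());
        DigestMethod digest = fac.newDigestMethod(DigestMethod.SHA256, null);
        Reference bst = fac.newReference("#CertId-294", digest, Collections.singletonList(excC14n), null, null);
        Reference assertion = fac.newReference("#_916d", digest, Collections.singletonList(excC14n), null, null);
        Reference body = fac.newReference("#Body-1", digest, Collections.singletonList(excC14n), null, null);
        SignedInfo si = fac.newSignedInfo(
            fac.newCanonicalizationMethod(EXC, (C14NMethodParameterSpec) null),
            fac.newSignatureMethod(RSA_SHA256, null),
            Arrays.asList(bst, assertion, body));
        Element security = (Element) doc.getElementsByTagNameNS(WSSE, "Security").item(0);
        // Place <ds:Signature> between the BST and the Assertion, as in the posted message.
        DOMSignContext ctx = new DOMSignContext(kp.getPrivate(), security, doc.getElementById("_916d"));
        ctx.setDefaultNamespacePrefix("ds");
        ctx.putNamespacePrefix(EXC, "exc14n");
        fac.newXMLSignature(si, null).sign(ctx); // KeyInfo omitted; a real client adds a SecurityTokenReference
    }

    /** Validates the signature and all three digests with the public half of the same key. */
    static boolean verify(Document doc, KeyPair kp) throws Exception {
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        Element sig = (Element) doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature").item(0);
        DOMValidateContext ctx = new DOMValidateContext(kp.getPublic(), sig);
        return fac.unmarshalXMLSignature(ctx).validate(ctx);
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().parse(new ByteArrayInputStream(ENVELOPE.getBytes("UTF-8")));
        registerWsuIds(doc);
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair(); // throwaway key; a real client signs with the key behind its BST
        sign(doc, kp);
        System.out.println("signature verifies: " + verify(doc, kp));
        StringWriter out = new StringWriter();
        TransformerFactory.newInstance().newTransformer().transform(new DOMSource(doc), new StreamResult(out));
        System.out.println(out);
    }
}
```

Two caveats worth keeping in mind when comparing this output with what the WebLogic side wants. First, an empty PrefixList changes nothing about the canonical form: exclusive C14N with no inclusive prefixes is the same bytes whether or not the InclusiveNamespaces element is present, so a peer that rejects a signature without it is matching the structure of the Transform against its policy rather than failing a digest. Second, the posted signature covers only the Assertion; the WSS SAML Token Profile's sender-vouches method relies on the attesting entity signing both the vouched-for assertion and the message content it vouches for (the Body), and the example therefore signs the Body as well as the BST.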
- [JOS-5] fail to validate saml xml since missing excusive c14n schema, Benjamin Coiffe, 02/29/2008
- RE: [JOS-5] fail to validate saml xml since missing excusive c14n schema, Scott Cantor, 02/29/2008
- <Possible follow-up(s)>
- [JOS-5] fail to validate saml xml since missing excusive c14n schema, Benjamin Coiffe, 02/29/2008
Archive powered by MHonArc 2.6.16.