
Last year I made a JAX-WS client for a web service in this link.

This web service uses an STS service to get a SAML token and uses it to access the main web service. I used wsdl2java of Apache CXF to generate the JAX-WS client for this web service. Everything was just fine.

Recently they have updated their STS service endpoint. The new STS service endpoint has a different signature and digest algorithm, and it has some extra elements in the request body.

I tried to modify the current code so that it supports the new STS service, but my code is still sending the same RequestSecurityToken request; I mean it does not adapt to the new requirement. I tried to adapt it but could not.

The new STS service requires http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 as the new signature method and http://www.w3.org/2001/04/xmlenc#sha256 as the new digest algorithm. Plus, it requires the following element in the request body:

    <tr:ActAs xmlns:tr="http://docs.oasis-open.org/ws-sx/ws-trust/200802">
      <v13:RelationshipToken xmlns:v13="http://vanguard.business.gov.au/2016/03" ID="1bc9a44e-dccd-49e2-8f29-40d7b1257325">
        <v13:Relationship v13:Type="OSPfor">
          <v13:Attribute v13:Name="SSID" v13:Value="1234567895"/>
        </v13:Relationship>
        <v13:FirstParty v13:Scheme="uri://abr.gov.au/ABN" v13:Value="27809366375"/>
        <v13:SecondParty v13:Scheme="uri://abr.gov.au/ABN" v13:Value="89567587874"/>
      </v13:RelationshipToken>
    </tr:ActAs>

Plus there are minor differences here. I have two ways now, I think:

  1. If I can change the old code so that the STS client sends the request with those values, which I tried and did not succeed.
  2. They provide some code which supports fetching the SAML assertion token and proof token from the STS client. If I can put the SAML assertion token into my JAX-WS client directly, then this problem is also solved.

Any help or suggestion will be appreciated.

  • How were you able to solve the issue? Have you chosen any other implementation/protocol apart from Apache CXF, like Apache Axis? Can you write the steps/changes you made to implement the new version - STS v1.3? Thanks – Junaid Jan 18 '20 at 11:09
  • @junaid Yeah, I was able to solve that problem. Sorry, I just saw your question. Let me know if you still need that solution :D :D – Sabbir Ahmed Sourove Jan 27 '20 at 10:39
  • Till now I am unable to solve the issue. It would be great if you post the whole solution with in-depth details (wherever possible) as an answer. – Junaid Jan 27 '20 at 13:06
  • Actually their actual wsdl does not work for Java, because it cannot recognize the encryption algorithm written in the wsdl. So I needed to modify that wsdl a little bit and then use it. That's all. – Sabbir Ahmed Sourove Jan 27 '20 at 14:56
  • Can you share the modified wsdl? Or what changes you made - in an answer? And did you use wsdl2java (CXF) for Java code generation? – Junaid Jan 27 '20 at 16:38
  • Actually there are two parts: 1) get the token from the STS; 2) use that token to send the request to the USI service of Australia (in my case). For part 1 I used a modified wsdl: you need to put sha256 in the AlgorithmSuite of the STS wsdl, as it stopped accepting sha1. For part 2 you need to use Apache CXF to convert the USI wsdl into Java code. Sorry, I cannot share my code directly as I am bound by the terms and conditions of the company I work for, but I try to put enough information so that you can complete it. Colm O hEigeartaigh is one of the security experts of Apache CXF. His answer is very hard to understand but very useful. – Sabbir Ahmed Sourove Jan 28 '20 at 07:59
  • Will you please take a look into this - https://stackoverflow.com/questions/60052573/an-error-occurred-when-verifying-security-for-the-message-saml-token – Junaid Feb 06 '20 at 15:47

2 Answers

1

The SHA-256 digest algorithm is normally set by using an AlgorithmSuite policy that requires it (e.g. Basic256Sha256). I see in the policy they are still using "Basic256" however. CXF allows you to configure RSA-SHA256 via some configuration properties (see for example 'ws-security.asymmetric.signature.algorithm' here http://cxf.apache.org/docs/ws-securitypolicy.html). You can set ActAs Object/Element on the STSClient directly.

Colm O hEigeartaigh
  • I am not sure how to put the ActAs element in the client code. If you can give some more details with an example, that will be great. And now I am overriding the default JAX-WS code to achieve this target. I mean that I am trying to override their code. – Sabbir Ahmed Sourove May 30 '17 at 12:24
  • See this configuration: https://github.com/apache/cxf/blob/master/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/username_actas/cxf-client.xml - the "actAs" property refers to a class https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java - this adds in a UsernameToken Element into "ActAs" – Colm O hEigeartaigh May 31 '17 at 17:30
  • Thanks for your suggestion. I will test that. – Sabbir Ahmed Sourove Jun 01 '17 at 04:21
  • I just wanted to thank you for your answer. It took me some time to understand it. I needed to change the AlgorithmSuite policy. Yeah, ActAs can be set directly as an element, but to set it as an element I needed to change some internals of a class in rt.jar. But yes, that was achievable. I should have thanked you earlier, but I missed that. It is not every day that anyone gets an answer on Stack Overflow from a scholar like you. :) :) – Sabbir Ahmed Sourove Jan 28 '20 at 08:02
  • @SabbirAhmedSourove, did you change the `AlgorithmSuite` policy for the vanguard-STS wsdl or the USI wsdl? And what algorithm(s) did you use? – Junaid Jan 28 '20 at 08:15
  • I changed the vanguard-STS only. Though it should be changed via the USI wsdl too, by the IssuedToken element, but as we are pointing to the STS client directly I changed the vanguard-STS only, as it overrides the USI wsdl IssuedToken. – Sabbir Ahmed Sourove Jan 28 '20 at 08:37
  • I used SHA256withRSA in the AlgorithmSuite. – Sabbir Ahmed Sourove Jan 28 '20 at 08:43
  • Will you guys please take a look into https://stackoverflow.com/questions/60052573/an-error-occurred-when-verifying-security-for-the-message-saml-token ? – Junaid Feb 04 '20 at 08:33
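The following is an added example, not code from the question, the answer, or Apache CXF itself. It shows the two things the answer points at: building the ActAs element from the question with a hardened DOM builder and handing it to a CXF STSClient with `setActAs`, and selecting RSA-SHA256 for the request signature through the 'ws-security.asymmetric.signature.algorithm' property named in the answer. It also shows both routes from the question for getting the token into the JAX-WS port: letting the port's IssuedToken policy drive the STSClient, or requesting the SAML token up front and passing it under `SecurityConstants.TOKEN`. The WSDL location, service and endpoint names, keystore properties, alias, callback handler class and AppliesTo address are placeholders; the SHA-256 digest is not set here because, as the answer says, it comes from the AlgorithmSuite in the policy (e.g. Basic256Sha256).

```java
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public class NewStsClientExample {

    private static final String XMLNS_NS = "http://www.w3.org/2000/xmlns/";
    private static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200802";
    private static final String V13_NS = "http://vanguard.business.gov.au/2016/03";
    // Signature algorithm URI quoted in the question.
    private static final String RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256";

    /** Builds the ActAs element shown in the question. All values are caller-supplied placeholders. */
    public static Element buildActAs(String relId, String ssid, String firstAbn, String secondAbn)
            throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Hardening: a builder used for security-token XML must not process DTDs or entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder().newDocument();

        Element actAs = doc.createElementNS(WST_NS, "tr:ActAs");
        actAs.setAttributeNS(XMLNS_NS, "xmlns:tr", WST_NS);
        Element rel = doc.createElementNS(V13_NS, "v13:RelationshipToken");
        rel.setAttributeNS(XMLNS_NS, "xmlns:v13", V13_NS);
        rel.setAttributeNS(null, "ID", relId);
        Element relationship = doc.createElementNS(V13_NS, "v13:Relationship");
        relationship.setAttributeNS(V13_NS, "v13:Type", "OSPfor");
        Element attr = doc.createElementNS(V13_NS, "v13:Attribute");
        attr.setAttributeNS(V13_NS, "v13:Name", "SSID");
        attr.setAttributeNS(V13_NS, "v13:Value", ssid);
        relationship.appendChild(attr);
        rel.appendChild(relationship);
        rel.appendChild(party(doc, "v13:FirstParty", firstAbn));
        rel.appendChild(party(doc, "v13:SecondParty", secondAbn));
        actAs.appendChild(rel);
        doc.appendChild(actAs);
        return actAs;
    }

    private static Element party(Document doc, String name, String abn) {
        Element e = doc.createElementNS(V13_NS, name);
        e.setAttributeNS(V13_NS, "v13:Scheme", "uri://abr.gov.au/ABN");
        e.setAttributeNS(V13_NS, "v13:Value", abn);
        return e;
    }

    /** STSClient that signs its RequestSecurityToken with RSA-SHA256 and carries the ActAs element. */
    public static STSClient configureStsClient(Bus bus, Element actAs) {
        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation("https://sts.example.invalid/v1.3/service.svc?wsdl");        // placeholder
        sts.setServiceName("{http://example.invalid/sts}SecurityTokenService");          // placeholder
        sts.setEndpointName("{http://example.invalid/sts}CertificateEndpoint");          // placeholder
        sts.setActAs(actAs); // STSClient accepts a DOM Element here, as the answer says
        Map<String, Object> props = sts.getProperties();
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, "clientKeystore.properties"); // placeholder
        props.put(SecurityConstants.SIGNATURE_USERNAME, "clientkey");                   // placeholder alias
        props.put(SecurityConstants.CALLBACK_HANDLER, "com.example.KeystorePasswordCallback"); // placeholder
        // Property name from the answer; moves the request signature from RSA-SHA1 to RSA-SHA256.
        props.put("ws-security.asymmetric.signature.algorithm", RSA_SHA256);
        return sts;
    }

    /** Option 1 from the question: the port's IssuedToken policy drives this STSClient. */
    public static void attachStsClient(Object port, STSClient sts) {
        ((BindingProvider) port).getRequestContext().put(SecurityConstants.STS_CLIENT, sts);
    }

    /** Option 2 from the question: fetch the SAML token first and hand it to the port directly. */
    public static SecurityToken attachIssuedToken(Object port, STSClient sts, String appliesTo)
            throws Exception {
        SecurityToken token = sts.requestSecurityToken(appliesTo); // appliesTo is a placeholder address
        ((BindingProvider) port).getRequestContext().put(SecurityConstants.TOKEN, token);
        return token;
    }

    public static void main(String[] args) throws Exception {
        Bus bus = BusFactory.getThreadDefaultBus();
        Element actAs = buildActAs("PLACEHOLDER-ID", "1234567895", "27809366375", "89567587874");
        STSClient sts = configureStsClient(bus, actAs);
        Object port = null; // the wsdl2java-generated USI port would go here (placeholder)
        attachStsClient(port, sts);
    }
}
```

Use one of the two attach methods, not both. With `attachStsClient`, CXF requests the token lazily when the port is first invoked and caches it; with `attachIssuedToken`, the caller owns the token lifetime and must refresh it before its expiry. Either way the STS WSDL's AlgorithmSuite still has to be a SHA-256 suite, or the STS will reject the digest even though the signature is RSA-SHA256.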
0

I was receiving "An error occurred when verifying security for the message". These are the two changes that I had to make to resolve this while using Metro 2.3.1:

  1. In the STS wsdl, I needed to mention the signature algorithm like this:

    sp:AlgorithmSuite signatureAlgorithm="SHA256withRSA"

  2. In the USI wsdl, I needed to change the AlgorithmSuite from Basic256Sha256Rsa15 to Basic256.