Interoperability issue between Metro 1.4 and Metro 2.1.1 when using SAML sender-vouches

jchamberlain
Joined: 2006-08-02

Hello,

I have an existing service that is running using Metro 1.4 and is protected using SAML sender-vouches tokens. I started doing some investigation on what it would take to move to Metro 2.1.1 so we could be current. I immediately ran into validation issues and was getting WSS1721 errors. After a bunch of research and experimentation the only way I have been able to get it to work is to disable streaming security on both the client and server side.

Is there a known interop issue in doing this? Anyone else encountered this and resolved it?

Below is the original policy before disabling streaming security:

Thanks in advance,

James

<wsp:Policy wsu:Id="SAML_SV_Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsaws:UsingAddressing xmlns:wsaws="http://www.w3.org/2006/05/addressing/wsdl"/>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <!-- Initiator (sender) X.509 token, included in messages sent to the recipient -->
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:InitiatorToken>
          <!-- Recipient X.509 token, never sent in the message; referenced by issuer and serial number -->
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireIssuerSerialReference/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <sp:Wss10>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
        </wsp:Policy>
      </sp:Wss10>
      <!-- SAML 1.1 assertion carried as a signed supporting token -->
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:SamlToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssSamlV11Token10/>
            </wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <sc:KeyStore wspp:visibility="private" location="keystore.jks" type="JKS" storepass="com.KeystorePasswordCallbackHandler" alias="server-key"/>
      <sc:TrustStore wspp:visibility="private" location="truststore.jks" type="JKS" storepass="com.TruststorePasswordCallbackHandler"/>
      <sp:SignedParts>
        <sp:Body/>
        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
        <sp:Header Name="AckRequested" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
        <sp:Header Name="SequenceAcknowledgement" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
        <sp:Header Name="Sequence" Namespace="http://schemas.xmlsoap.org/ws/2005/02/rm"/>
      </sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

jchamberlain
Joined: 2006-08-02

I'm still looking to solve the above issue. Nobody is having interop issues between Metro 1.4 and 2.x when streaming security is turned on and success when it is turned off?