
SAML-XACML Profile - Token as SupportingToken

flo_

Hi,

I have a service that is protected by a SecurityContextToken using an X509Token as ProtectionToken. For the method call the client must send a SAMLToken with an xacml-policy profile. The input policy looks like this:

<wsp:Policy
    wsu:Id="Kommunikationsdienst-Input-Policy">
    <wsp:ExactlyOne>
        <wsp:All>
            <sp:SignedParts>
                .. signed parts ...
            </sp:SignedParts>
            <sp:SupportingTokens>
                <wsp:Policy>
                    <wsp:ExactlyOne>
                        <wsp:All>
                            <sp:SamlToken
                                sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/securitypolicy/IncludeToken/AlwaysToRecipient" wsp:Optional="false">
                                <wsp:Policy>
                                    <sp:WssSamlV20Token11 />
                                </wsp:Policy>
                            </sp:SamlToken>
                        </wsp:All>
                    </wsp:ExactlyOne>
                </wsp:Policy>
            </sp:SupportingTokens>
        </wsp:All>
    </wsp:ExactlyOne>
</wsp:Policy>

Inside the SAMLCallbackHandler I create my SAMLToken with the opensaml library, because my SAML profile needs the /Assertion/Statement element with xsi:type="XACMLPolicyStatementType", and set it with callback.setAssertionElement(). The SAMLToken looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="uuid-391d6da4-3e03-44d4-97be-1bf8b107a45b"
    IssueInstant="2011-02-15T11:45:32.061Z"
    Version="2.0">
    <saml2:Issuer>
        ... Issuer ...
    </saml2:Issuer>
    <saml2:Conditions>
        ... Conditions ...
    </saml2:Conditions>
    <saml2:Statement
        xmlns:xacml-saml="urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xacml-saml:XACMLPolicyStatementType">
        <xacml:PolicySet
            xmlns:xacml="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
            ... PolicySet ...
        </xacml:PolicySet>
    </saml2:Statement>
</saml2:Assertion>

The web service call fails with:

[#|2011-02-15T11:05:04.632+0100|SEVERE|glassfish3.1|com.sun.xml.wss.jaxws.impl|_ThreadID=19;_ThreadName=Thread-1;|WSSTUBE0025: Error in Verifying Security in the Inbound Message.
com.sun.xml.wss.impl.PolicyViolationException: com.sun.xml.wss.XWSSecurityException: com.sun.xml.wss.XWSSecurityException: Policy Verification error:SAML Token not found in message but occurs in configured policy

There is no SAMLToken in the incoming message. If I omit the saml:Statement element, everything works fine and the SAMLToken is present in the inbound message. I think the problem is that the Statement element is declared as abstract in the SAML schema. If I create the SAMLAssertion with opensaml, marshal it as a DOM Element and convert it with com.sun.xml.wss.saml.SAMLAssertionFactory to a com.sun.xml.wss.saml.Assertion, it fails with:

com.sun.xml.wss.saml.SAMLException: javax.xml.bind.UnmarshalException: Unable to create an instance of com.sun.xml.wss.saml.internal.saml20.jaxb20.StatementAbstractType
- with linked exception:
[java.lang.InstantiationException]

I think inside wsit or metro it fails with the same exception and simply omits the SAMLAssertion. When I declare the SAMLToken as a SignedSupportingToken, there is a SignatureReference for this token in the SOAP message, but no Signature and no SAMLToken.

Any idea how I can use this SAML profile with wsit? Maybe intercept the web service call, place the SAMLAssertion and sign it...

Best regards,

Flo

flo_

Hi,

I finally solved my problem. In com.sun.xml.wss.impl.filter.ExportSamlAssertionFilter I found this piece of code:

else {
    try {
        if (System.getProperty("com.sun.xml.wss.saml.binding.jaxb") == null) {
            if (assertionElement.getAttributeNode("ID") != null) {
                _assertion = (Assertion) com.sun.xml.wss.saml.assertion.saml20.jaxb20.Assertion.fromElement(assertionElement);
            } else {
                _assertion = (Assertion) com.sun.xml.wss.saml.assertion.saml11.jaxb20.Assertion.fromElement(assertionElement);
            }
        } else {
            _assertion = (Assertion) com.sun.xml.wss.saml.assertion.saml11.jaxb10.Assertion.fromElement(assertionElement);
        }
    } catch (SAMLException ex) {
        //ignore
    }
}

Debugging showed me that the UnmarshalException is thrown, but wsit ignores the assertion and does not put it into the SOAP request.
I generated the JAXB stubs for access_control-xacml-2.0-saml-assertion-schema-os.xsd and access_control-xacml-2.0-policy-schema-os.xsd and put the class files in an xacml subdirectory of com.sun.xml.wss.saml.internal.saml20.jaxb20 in the webservice-rt.jar. Further, I needed to add the @XmlSeeAlso annotation to the class StatementAbstractType, pointing to xacml/XACMLPolicyStatementType.class.

Now the request contains my SAML-XACML Assertion.

Best regards,
Flo
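As an added illustration (not code from the post, nor from Metro/WSIT), here is a minimal JAXB model showing why the @XmlSeeAlso on the abstract statement type is what makes the xsi:type resolve. The Assertion, StatementAbstractType and XACMLPolicyStatementType classes are constructed stand-ins for the WSIT/generated classes, the sample assertion is constructed, and JAXB 2.x (javax.xml.bind) is assumed on the classpath; removing the @XmlSeeAlso line reproduces the "Unable to create an instance of ...StatementAbstractType" failure, because JAXB no longer knows the subtype and falls back to instantiating the abstract declared type.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.annotation.*;

public class XsiTypeDemo {

    // Constructed stand-in for com.sun.xml.wss.saml.internal.saml20.jaxb20.StatementAbstractType.
    // The @XmlSeeAlso is the fix from the post: it makes the subtype part of the JAXBContext, so the
    // xsi:type on <saml2:Statement> can be mapped to a concrete class instead of this abstract one.
    @XmlSeeAlso(XACMLPolicyStatementType.class)
    @XmlAccessorType(XmlAccessType.FIELD)
    public static abstract class StatementAbstractType { }

    // Constructed stand-in for the class JAXB generates from access_control-xacml-2.0-saml-assertion-schema-os.xsd.
    @XmlType(name = "XACMLPolicyStatementType",
             namespace = "urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion")
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class XACMLPolicyStatementType extends StatementAbstractType {
        @XmlAnyElement                     // keeps the xacml:PolicySet child as a DOM element
        public org.w3c.dom.Element policySet;
    }

    @XmlRootElement(name = "Assertion", namespace = "urn:oasis:names:tc:SAML:2.0:assertion")
    @XmlAccessorType(XmlAccessType.FIELD)
    public static class Assertion {
        @XmlAttribute(name = "ID")
        public String id;
        @XmlElement(name = "Statement", namespace = "urn:oasis:names:tc:SAML:2.0:assertion")
        public StatementAbstractType statement; // declared with the abstract type, as in the SAML schema
    }

    // Constructed sample assertion, shaped like the one in the question (contents elided).
    static final String SAMPLE =
        "<saml2:Assertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"constructed-id\">"
      + "<saml2:Statement xmlns:xacml-saml=\"urn:oasis:names:tc:xacml:2.0:profile:saml2.0:v2:schema:assertion\""
      + " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xsi:type=\"xacml-saml:XACMLPolicyStatementType\">"
      + "<xacml:PolicySet xmlns:xacml=\"urn:oasis:names:tc:xacml:2.0:policy:schema:os\" PolicySetId=\"constructed\"/>"
      + "</saml2:Statement></saml2:Assertion>";

    public static void main(String[] args) throws Exception {
        // Only Assertion is registered; the subtype is reached through the @XmlSeeAlso on its parent.
        JAXBContext ctx = JAXBContext.newInstance(Assertion.class);
        Assertion a = (Assertion) ctx.createUnmarshaller().unmarshal(new StringReader(SAMPLE));
        // Prints the concrete statement class and the local name of the preserved PolicySet child.
        System.out.println(a.statement.getClass().getSimpleName());
        System.out.println(((XACMLPolicyStatementType) a.statement).policySet.getLocalName());
    }
}
```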