
--> is not supported?

markus_franke
Joined: 2007-10-10

Specifying a sp:SAMLToken inside a sp:ProtectionToken causes an exception

11.01.2008 12:29:39 com.sun.xml.ws.transport.http.servlet.WSServletContextListener contextInitialized
SCHWERWIEGEND: WSSERVLET11: failed to parse runtime descriptor: java.lang.NullPointerException
java.lang.NullPointerException
at com.sun.xml.ws.security.impl.policyconv.BindingProcessor.addPrimaryTargets(BindingProcessor.java:188)
at com.sun.xml.ws.security.impl.policyconv.SymmetricBindingProcessor.process(SymmetricBindingProcessor.java:143)
at com.sun.xml.ws.security.impl.policyconv.XWSSPolicyGenerator.process(XWSSPolicyGenerator.java:173)
at com.sun.xml.ws.security.impl.policyconv.XWSSPolicyGenerator.process(XWSSPolicyGenerator.java:135)
at com.sun.xml.wss.jaxws.impl.SecurityPipeBase.constructPolicyHolder(SecurityPipeBase.java:1132)
at com.sun.xml.wss.jaxws.impl.SecurityServerPipe.addIncomingProtocolPolicy (SecurityServerPipe.java:656)

with detailed fault message

11.01.2008 12:29:37 com.sun.xml.ws.security.impl.policy.Constants log_invalid_assertion
assertion data {
namespace = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'
prefix = 'sp'
local name = 'SAMLToken'
value = 'null'
attributes {
name = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy:IncludeToken', value = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient'
}
}
parameters {
Assertion {
assertion parameter data {
namespace = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'
prefix = 'sp'
local name = 'Issuer'
value = 'null'
no attributes
}
parameters {
Assertion {
assertion parameter data {
namespace = 'http://schemas.xmlsoap.org/ws/2004/08/addressing'
prefix = 'wsa'
local name = 'Address'
value = 'http://localhost:8080/idp/sts'
no attributes
}
no parameters
no nested policy
} }
no nested policy
} }
nested policy {
id = 'null'
name = 'null'
vocabulary {
1. entry = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy:RequireDerivedKeys'
}
assertion set {
Assertion {
assertion data {
namespace = 'http://schemas.xmlsoap.org/ws/2005/07/securitypolicy'
prefix = 'sp'
local name = 'RequireDerivedKeys'
value = 'null'
no attributes
}
no parameters
no nested policy
}
}
}
} is not supported under Token assertion.

Is it not supported by WS spec or by WSIT implementation?

Replacing SAMLToken with IssuedToken of type SAML works, so what is the difference between a SAML assertion retrieved by WS-Trust mechanisms and a SAML assertion retrieved by other means?

kumarjayanti
Joined: 2003-12-10

You can use a HOK SAML (containing public-key of the client) as an initiator token in AsymmetricBinding. That is what the NetBeans HOK mechanism will generate.

But you cannot use a SAML as a ProtectionToken in SymmetricBinding, because there is no way to tell the WSIT runtime what the Symmetric Secret Key would be. An IssuedToken works here because then the STS communicates to the WSIT Client runtime what the Symmetric Key would be.
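To make the distinction in the reply concrete, here is an added WS-SecurityPolicy 1.1 example (not code from the thread or from the WSIT project) showing the three shapes discussed: the SAML-as-ProtectionToken form reconstructed from the assertion dump in the original post, the IssuedToken form the poster reports as working, and the holder-of-key SAML InitiatorToken in an AsymmetricBinding that the reply describes. The STS address is taken from the dump; the AlgorithmSuite, Layout, KeySize and the SAML 1.1 token-type URI in the RequestSecurityTokenTemplate are illustrative choices, and the WS-SecurityPolicy 1.1 element name is `sp:SamlToken` (mixed case). The point the reply makes is visible in the structure: only the IssuedToken carries a `KeyType` of SymmetricKey, so only in that case does the STS hand the client a proof key the runtime can use as the symmetric protection key.

```xml
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
            xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
            xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">

  <!-- 1. Reconstructed from the dump in the question: a SAML token as the
       ProtectionToken of a SymmetricBinding. Rejected by WSIT, because nothing
       tells the runtime which symmetric key the token is bound to. -->
  <!--
  <sp:SymmetricBinding>
    <wsp:Policy>
      <sp:ProtectionToken>
        <wsp:Policy>
          <sp:SamlToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <sp:Issuer><wsa:Address>http://localhost:8080/idp/sts</wsa:Address></sp:Issuer>
            <wsp:Policy><sp:RequireDerivedKeys/></wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:ProtectionToken>
    </wsp:Policy>
  </sp:SymmetricBinding>
  -->

  <!-- 2. Working form from the question: an IssuedToken of type SAML. The
       RequestSecurityTokenTemplate asks the STS for a symmetric proof key, which
       the STS returns alongside the SAML assertion, so the client runtime learns
       the protection key. Template values are illustrative. -->
  <sp:SymmetricBinding>
    <wsp:Policy>
      <sp:ProtectionToken>
        <wsp:Policy>
          <sp:IssuedToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <sp:Issuer><wsa:Address>http://localhost:8080/idp/sts</wsa:Address></sp:Issuer>
            <sp:RequestSecurityTokenTemplate>
              <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
              <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
              <t:KeySize>256</t:KeySize>
            </sp:RequestSecurityTokenTemplate>
            <wsp:Policy><sp:RequireDerivedKeys/></wsp:Policy>
          </sp:IssuedToken>
        </wsp:Policy>
      </sp:ProtectionToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:SymmetricBinding>

  <!-- 3. Shape described in the reply: a holder-of-key SAML assertion (carrying the
       client's public key) as InitiatorToken in an AsymmetricBinding. Here the
       runtime needs no shared secret; the client signs with the private key that
       matches the key in the assertion, and the service's X.509 key protects the
       response. Shown as an alternative binding, not combined with (2). -->
  <!--
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:InitiatorToken>
        <wsp:Policy>
          <sp:SamlToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <wsp:Policy><sp:WssSamlV11Token10/></wsp:Policy>
          </sp:SamlToken>
        </wsp:Policy>
      </sp:InitiatorToken>
      <sp:RecipientToken>
        <wsp:Policy>
          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
            <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
          </sp:X509Token>
        </wsp:Policy>
      </sp:RecipientToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Strict/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:AsymmetricBinding>
  -->
</wsp:Policy>
```

Variants 1 and 3 are commented out so the file carries exactly one binding assertion; uncomment the one you want to test and comment out the others. When checking a deployment, the thing to verify is that whichever token is named as the ProtectionToken of a SymmetricBinding gives the runtime a key: an IssuedToken with a symmetric KeyType does, a bare SAML assertion does not.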

markus_franke
Joined: 2007-10-10

Thanks.