  1. OpenAM
  2. OPENAM-1221

WSSAgent cannot sign request if security mechanism 'X509Token' and Signing Reference Type 'KeyIdentifier Reference' are configured in Web Service Client profile


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.0.0-EA, 10.0.0
    • Fix Version/s: 9.5.5, 10.0.1, 10.1.0-Xpress
    • Environment: JAX-WS WSS Agent nightly build running in Tomcat 6.0.3x, OpenAM 10-EA running in Tomcat 6.0.3x, Metro 2.2, JAX-WS 2.2, SecureStockService sample from WSS Agent distribution.

      Description

      Web Service Client profile:

      UserCredential=UserName:test|UserPassword:test
      EncryptionAlgorithm=AES
      isRequestHeaderEncrypt=false
      forceUserAuthn=false
      includeMemberships=false
      isPassThroughSecurityToken=false
      SecurityMech=urn:sun:wss:security:null:X509Token
      DnsClaim=wsc
      isResponseEncrypt=false
      publicKeyAlias=test
      sunIdentityServerDeviceStatus=Active
      keepSecurityHeaders=true
      EncryptionStrength=128
      isRequestSign=true
      useDefaultStore=true
      userpassword={SHA-1}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
      isRequestEncrypt=false
      privateKeyAlias=test
      SignedElements=Body
      AttributeNamespace=http://www.sun.com
      SigningRefType=KeyIdentifierRef
      isResponseSign=true

      When hitting the 'GetQuote' button the following exception is thrown ...

      Mar 29, 2012 2:29:01 PM com.sun.identity.wssagents.jaxws.client.ClientHandler handleMessage
      SEVERE: ClientHandler.secureRequest failed :
      com.sun.identity.wss.security.SecurityException: Unable to sign.
      at com.sun.identity.wss.security.handler.SecureSOAPMessage.signWithBinaryToken(SecureSOAPMessage.java:838)
      at com.sun.identity.wss.security.handler.SecureSOAPMessage.sign(SecureSOAPMessage.java:671)
      at com.sun.identity.wss.security.handler.SOAPRequestHandler.secureRequest(SOAPRequestHandler.java:787)
      at com.sun.identity.wssagents.jaxws.client.ClientHandler.handleMessage(ClientHandler.java:122)
      at com.sun.identity.wssagents.jaxws.client.ClientHandler.handleMessage(ClientHandler.java:49)
      at com.sun.xml.ws.handler.HandlerProcessor.callHandleMessage(HandlerProcessor.java:297)
      at com.sun.xml.ws.handler.HandlerProcessor.callHandlersRequest(HandlerProcessor.java:138)
      at com.sun.xml.ws.handler.ClientSOAPHandlerTube.callHandlersOnRequest(ClientSOAPHandlerTube.java:140)
      at com.sun.xml.ws.handler.HandlerTube.processRequest(HandlerTube.java:127)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
      at com.sun.xml.ws.client.Stub.process(Stub.java:429)
      at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
      at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
      at $Proxy38.getStockQuote(Unknown Source)
      at com.sun.stockquote.GetQuote.getStockQuote(Unknown Source)
      at com.sun.stockquote.GetQuote.processRequest(Unknown Source)
      at com.sun.stockquote.GetQuote.doGet(Unknown Source)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at com.sun.identity.wssagents.jaxws.client.ClientFilter.doFilter(ClientFilter.java:88)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      at java.lang.Thread.run(Thread.java:619)

      libSAML debug log shows ...

      libSAML:03/29/2012 02:29:01:322 PM CEST: Thread[http-8080-1,5,main]
      KeyTable size = 1
      libSAML:03/29/2012 02:29:01:323 PM CEST: Thread[http-8080-1,5,main]
      SAMLUtils.generated ID is: s8c29bf51ea8caa7beaf84a59d258c4a79961210e
      libSAML:03/29/2012 02:29:01:328 PM CEST: Thread[http-8080-1,5,main]
      SAMLUtils.generated ID is: sd609b8945b555aaf41d35435f98866e8f9747fd8
      libSAML:03/29/2012 02:29:01:328 PM CEST: Thread[http-8080-1,5,main]
      SAMLUtils.generated ID is: s2bd43eb65d7dbeb12e219ba8bac374cd498e14a1
      libSAML:03/29/2012 02:29:01:335 PM CEST: Thread[http-8080-1,5,main]
      KeyTable size = 1
      libSAML:03/29/2012 02:29:01:338 PM CEST: Thread[http-8080-1,5,main]
      WSSSignatureProvider.signWithWSSToken: Document to be signed : <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><ns2:QuoteRequest xmlns:ns2="http://sun.com/stockquote.xsd"><Symbol>JAVA</Symbol></ns2:QuoteRequest></S:Body></S:Envelope>
      libSAML:03/29/2012 02:29:01:341 PM CEST: Thread[http-8080-1,5,main]
      ERROR: WSSSignatureProvider: signWithBinaryTokenProfile Exception:
      java.lang.NullPointerException
      at com.sun.identity.wss.xmlsig.WSSSignatureProvider.signWithBinarySecurityToken(WSSSignatureProvider.java:453)
      at com.sun.identity.wss.xmlsig.WSSSignatureProvider.signWithBinarySecurityToken(WSSSignatureProvider.java:364)
      at com.sun.identity.saml.xmlsig.XMLSignatureManager.signWithBinarySecurityToken(XMLSignatureManager.java:506)
      at com.sun.identity.wss.security.handler.SecureSOAPMessage.signWithBinaryToken(SecureSOAPMessage.java:828)
      at com.sun.identity.wss.security.handler.SecureSOAPMessage.sign(SecureSOAPMessage.java:671)
      at com.sun.identity.wss.security.handler.SOAPRequestHandler.secureRequest(SOAPRequestHandler.java:787)
      at com.sun.identity.wssagents.jaxws.client.ClientHandler.handleMessage(ClientHandler.java:122)
      at com.sun.identity.wssagents.jaxws.client.ClientHandler.handleMessage(ClientHandler.java:49)
      at com.sun.xml.ws.handler.HandlerProcessor.callHandleMessage(HandlerProcessor.java:297)
      at com.sun.xml.ws.handler.HandlerProcessor.callHandlersRequest(HandlerProcessor.java:138)
      at com.sun.xml.ws.handler.ClientSOAPHandlerTube.callHandlersOnRequest(ClientSOAPHandlerTube.java:140)
      at com.sun.xml.ws.handler.HandlerTube.processRequest(HandlerTube.java:127)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
      at com.sun.xml.ws.client.Stub.process(Stub.java:429)
      at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
      at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
      at $Proxy38.getStockQuote(Unknown Source)
      at com.sun.stockquote.GetQuote.getStockQuote(Unknown Source)
      at com.sun.stockquote.GetQuote.processRequest(Unknown Source)
      at com.sun.stockquote.GetQuote.doGet(Unknown Source)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at com.sun.identity.wssagents.jaxws.client.ClientFilter.doFilter(ClientFilter.java:88)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      at java.lang.Thread.run(Thread.java:619)

      WebServiceSecurity debug log shows ...

      WebServicesSecurity:03/29/2012 02:29:01:196 PM CEST: Thread[http-8080-1,5,main]
      SOAPRequestHandler.Init map:
      WebServicesSecurity:03/29/2012 02:29:01:207 PM CEST: Thread[http-8080-1,5,main]
      SOAPRequestHandler.secureRequest: Provider configuration from shared map is null
      WebServicesSecurity:03/29/2012 02:29:01:207 PM CEST: Thread[http-8080-1,5,main]
      AgentProvider: name = StockServicetype = WSCAgent
      WebServicesSecurity:03/29/2012 02:29:01:279 PM CEST: Thread[http-8080-1,5,main]
      AgentProvider.init Provider configuration:

      {privateKeyAlias=[test], KerberosServicePrincipal=[], KeyStorePassword=[], isRequestSign=[true], DetectMessageReplay=[], useDefaultStore=[true], NameIDMapper=[], EncryptionStrength=[128], SignedElements=[Body], isVerifyKrbSignature=[], publicKeyAlias=[test], serviceType=[], isResponseSign=[true], SigningRefType=[KeyIdentifierRef], DnsClaim=[wsc], AttributeNamespace=[http://www.sun.com], privateKeyType=[], keepSecurityHeaders=[true], KerberosDomainServer=[], forceUserAuthn=[false], EncryptionAlgorithm=[AES], KeyStoreFile=[], isRequestEncrypt=[false], TokenConversionType=[], authenticationChain=[], KerberosDomain=[], SecurityMech=[urn:sun:wss:security:null:X509Token], includeMemberships=[false], isRequestHeaderEncrypt=[false], SAMLAttributeMapping=[], KerberosTicketCacheDir=[], UserCredential=[UserName:test|UserPassword:test], WSPEndpoint=[], WSPProxyEndpoint=[], KerberosKeyTabFile=[], KeyPassword=[], DetectUserTokenReplay=[], isPassThroughSecurityToken=[false], STS=[], Discovery=[], isResponseEncrypt=[false]}

      WebServicesSecurity:03/29/2012 02:29:01:279 PM CEST: Thread[http-8080-1,5,main]
      AgentProvider: name = StockServicetype = WSCAgent
      WebServicesSecurity:03/29/2012 02:29:01:319 PM CEST: Thread[http-8080-1,5,main]
      AgentProvider.init Provider configuration:

      {privateKeyAlias=[test], KerberosServicePrincipal=[], KeyStorePassword=[], isRequestSign=[true], DetectMessageReplay=[], useDefaultStore=[true], NameIDMapper=[], EncryptionStrength=[128], SignedElements=[Body], isVerifyKrbSignature=[], publicKeyAlias=[test], serviceType=[], isResponseSign=[true], SigningRefType=[KeyIdentifierRef], DnsClaim=[wsc], AttributeNamespace=[http://www.sun.com], privateKeyType=[], keepSecurityHeaders=[true], KerberosDomainServer=[], forceUserAuthn=[false], EncryptionAlgorithm=[AES], KeyStoreFile=[], isRequestEncrypt=[false], TokenConversionType=[], authenticationChain=[], KerberosDomain=[], SecurityMech=[urn:sun:wss:security:null:X509Token], includeMemberships=[false], isRequestHeaderEncrypt=[false], SAMLAttributeMapping=[], KerberosTicketCacheDir=[], UserCredential=[UserName:test|UserPassword:test], WSPEndpoint=[], WSPProxyEndpoint=[], KerberosKeyTabFile=[], KeyPassword=[], DetectUserTokenReplay=[], isPassThroughSecurityToken=[false], STS=[], Discovery=[], isResponseEncrypt=[false]}

      WebServicesSecurity:03/29/2012 02:29:01:320 PM CEST: Thread[http-8080-1,5,main]
      SOAPRequestHandler.secureRequest: Generate security tokens locally
      WebServicesSecurity:03/29/2012 02:29:01:320 PM CEST: Thread[http-8080-1,5,main]
      getSecurityToken: SecurityMechanism URI : urn:sun:wss:security:null:X509Token
      WebServicesSecurity:03/29/2012 02:29:01:323 PM CEST: Thread[http-8080-1,5,main]
      SOAPRequestHandler.getSecurityToken:: creating X509 token
      WebServicesSecurity:03/29/2012 02:29:01:326 PM CEST: Thread[http-8080-1,5,main]
      SecureSOAPMessage.Input SOAP message : <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><ns2:QuoteRequest xmlns:ns2="http://sun.com/stockquote.xsd"><Symbol>JAVA</Symbol></ns2:QuoteRequest></S:Body></S:Envelope>
      WebServicesSecurity:03/29/2012 02:29:01:328 PM CEST: Thread[http-8080-1,5,main]
      SecureSOAPMessage.Input SOAP message After normalization: <S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Body><ns2:QuoteRequest xmlns:ns2="http://sun.com/stockquote.xsd"><Symbol>JAVA</Symbol></ns2:QuoteRequest></S:Body></S:Envelope>
      WebServicesSecurity:03/29/2012 02:29:01:328 PM CEST: Thread[http-8080-1,5,main]
      SecureSOAPMessage.addSecurityHeader:: preparing the security header
      WebServicesSecurity:03/29/2012 02:29:01:342 PM CEST: Thread[http-8080-1,5,main]
      ERROR: SecureSOAPMessage.signWithBinaryToken:: Signature Exception.
      com.sun.identity.saml.xmlsig.XMLSignatureException
      at com.sun.identity.wss.xmlsig.WSSSignatureProvider.signWithBinarySecurityToken(WSSSignatureProvider.java:548)
      at com.sun.identity.wss.xmlsig.WSSSignatureProvider.signWithBinarySecurityToken(WSSSignatureProvider.java:364)
      at com.sun.identity.saml.xmlsig.XMLSignatureManager.signWithBinarySecurityToken(XMLSignatureManager.java:506)
      at com.sun.identity.wss.security.handler.SecureSOAPMessage.signWithBinaryToken(SecureSOAPMessage.java:828)
      at com.sun.identity.wss.security.handler.SecureSOAPMessage.sign(SecureSOAPMessage.java:671)
      at com.sun.identity.wss.security.handler.SOAPRequestHandler.secureRequest(SOAPRequestHandler.java:787)
      at com.sun.identity.wssagents.jaxws.client.ClientHandler.handleMessage(ClientHandler.java:122)
      at com.sun.identity.wssagents.jaxws.client.ClientHandler.handleMessage(ClientHandler.java:49)
      at com.sun.xml.ws.handler.HandlerProcessor.callHandleMessage(HandlerProcessor.java:297)
      at com.sun.xml.ws.handler.HandlerProcessor.callHandlersRequest(HandlerProcessor.java:138)
      at com.sun.xml.ws.handler.ClientSOAPHandlerTube.callHandlersOnRequest(ClientSOAPHandlerTube.java:140)
      at com.sun.xml.ws.handler.HandlerTube.processRequest(HandlerTube.java:127)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:961)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:910)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:873)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:775)
      at com.sun.xml.ws.client.Stub.process(Stub.java:429)
      at com.sun.xml.ws.client.sei.SEIStub.doProcess(SEIStub.java:168)
      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:119)
      at com.sun.xml.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:102)
      at com.sun.xml.ws.client.sei.SEIStub.invoke(SEIStub.java:151)
      at $Proxy38.getStockQuote(Unknown Source)
      at com.sun.stockquote.GetQuote.getStockQuote(Unknown Source)
      at com.sun.stockquote.GetQuote.processRequest(Unknown Source)
      at com.sun.stockquote.GetQuote.doGet(Unknown Source)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at com.sun.identity.wssagents.jaxws.client.ClientFilter.doFilter(ClientFilter.java:88)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
      at java.lang.Thread.run(Thread.java:619)

            People

            bthalmayr Bernhard Thalmayr
            bthalmayr Bernhard Thalmayr