add SAML TOKEN to SOAP header


add SAML TOKEN to SOAP header

chaij
I need to insert a SAML token (xml) to the outgoing SOAP request and process the incoming SAML token as well.

How can I achieve this?

I am using camel cxf.

Thanks.

Re: add SAML TOKEN to SOAP header

coheigea
When you are inserting the SAML token, do you also need to create it, or is
it obtained from a third-party (e.g. STS)? SAML tokens are included in the
security header of a SOAP request. With CXF you can use either
WS-SecurityPolicy or else manually configure WSS4J to add a SAML Token. In
either case, to create a SAML Token you use a special CallbackHandler
implementation that populates a set of beans with the required information,
and WSS4J takes care of parsing the beans + creating + inserting a SAML
Assertion.

Here is an example about how to use WS-SecurityPolicy with CXF to create a
SAML Token:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=tree;f=systests/ws-security-examples/src/test/java/org/apache/cxf/systest/wssec/examples/saml;h=316f3caa0e7cdb39e401ea273c47462011a0edaf;hb=refs/heads/2.7.x-fixes

If you already have a SAML Token as a DOM Element, you can set this on the
SAMLCallback Object in the CallbackHandler instead.

If you are not using WS-SecurityPolicy, you need to set up the
WSS4JOutInterceptor with the "actions" of either "SAMLTokenUnsigned" or
"SAMLTokenSigned" + specify a CallbackHandler to create/retrieve the
assertion. Here is a spring example (bottom client):

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/action/client/client.xml;h=e0cac1dfe57bbfd2a89e250777cd68316da2aeb6;hb=refs/heads/2.7.x-fixes

There are not any tests that I am aware of in Camel itself showing how to
add SAML Tokens with camel-cxf. If you are having any difficulties let me
know + I will add some.

Colm.


On Sat, Mar 29, 2014 at 4:37 AM, chaij <[hidden email]> wrote:

> I need to insert a SAML token (xml) to the outgoing SOAP request and
> process
> the incoming SAML token as well.
>
> How can I achieve this?
>
> I am using camel cxf.
>
> Thanks.
>
>
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: add SAML TOKEN to SOAP header

chaij
I don't need to create a SAML token. I already have it in xml format.

I am not using WS-SecurityPolicy. I am using WSS4J to add a SAML token.

I will take a look at the example in the second link.

Thanks!

Re: add SAML TOKEN to SOAP header

coheigea
Here's an example of a CallbackHandler that shows how to set a SAML token
on the SAMLCallback Object:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob_plain;f=systests/ws-security/src/test/java/org/apache/cxf/systest/ws/saml/client/SamlElementCallbackHandler.java;hb=refs/heads/2.7.x-fixes

Colm.


On Mon, Mar 31, 2014 at 7:10 PM, chaij <[hidden email]> wrote:

> I don't need to create a SAML token. I already have it in xml format.
>
> I am not using WS-SecurityPolicy. I am using WSS4J to add a SAML token.
>
> I will take a look the example in the second link.
>
> Thanks!
>
>
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749574.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
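
Added example, not taken from the CXF test suite or from either poster: a CallbackHandler for WSS4J 1.6 that loads an already-issued SAML 2.0 assertion and hands its DOM element to SAMLCallback.setAssertionElement. The class name and the token file are assumptions; the parser is namespace-aware, refuses DOCTYPE declarations, and the XML is never re-serialised, because reformatting a signed assertion invalidates its signature.

```java
import java.io.File;
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.apache.ws.security.saml.ext.SAMLCallback;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.xml.sax.SAXException;

// Hypothetical class name; reference it from the WSS4JOutInterceptor configuration
// as the SAML callback handler for the "SAMLTokenUnsigned" action.
public class ExistingSamlTokenCallbackHandler implements CallbackHandler {

    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Assumption: the token issued by the third party is stored in this file, untouched.
    private final File tokenFile;

    public ExistingSamlTokenCallbackHandler(File tokenFile) {
        this.tokenFile = tokenFile;
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof SAMLCallback)) {
                throw new UnsupportedCallbackException(callback, "Only SAMLCallback is supported");
            }
            // WSS4J inserts this element into the security header instead of building a new assertion.
            ((SAMLCallback) callback).setAssertionElement(loadAssertion());
        }
    }

    private Element loadAssertion() throws IOException {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            // Signature validation and SAML processing both depend on namespaces.
            dbf.setNamespaceAware(true);
            // Harden the parser: no DOCTYPE, no entity expansion.
            dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            dbf.setExpandEntityReferences(false);

            // Whitespace text nodes are preserved by default, so the signed content
            // reaches WSS4J exactly as it was issued.
            Document doc = dbf.newDocumentBuilder().parse(tokenFile);
            Element root = doc.getDocumentElement();

            // Refuse anything that is not a SAML 2.0 Assertion at the document root.
            if (!"Assertion".equals(root.getLocalName())
                    || !SAML2_NS.equals(root.getNamespaceURI())) {
                throw new IOException("Token file does not contain a SAML 2.0 Assertion");
            }
            return root;
        } catch (ParserConfigurationException e) {
            throw new IOException("XML parser could not be configured securely", e);
        } catch (SAXException e) {
            throw new IOException("SAML token is not well-formed XML", e);
        }
    }
}
```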

Re: add SAML TOKEN to SOAP header

chaij
Thanks! I am getting the following exception. How should I fix or debug it?

org.apache.cxf.binding.soap.SoapFault: SAML signature validation failed
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:790)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:336)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)[122:org.apache.cxf.cxf-api:2.7.7]
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)[122:org.apache.cxf.cxf-api:2.7.7]
        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.serviceRequest(JettyHTTPDestination.java:355)[144:org.apache.cxf.cxf-rt-transports-http-jetty:2.7.7]
        at org.apache.cxf.transport.http_jetty.JettyHTTPDestination.doService(JettyHTTPDestination.java:319)[144:org.apache.cxf.cxf-rt-transports-http-jetty:2.7.7]
        at org.apache.cxf.transport.http_jetty.JettyHTTPHandler.handle(JettyHTTPHandler.java:72)[144:org.apache.cxf.cxf-rt-transports-http-jetty:2.7.7]
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1040)[64:org.eclipse.jetty.server:7.6.8.v20121106]
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:976)[64:org.eclipse.jetty.server:7.6.8.v20121106]
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:135)[64:org.eclipse.jetty.server:7.6.8.v20121106]
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:255)[64:org.eclipse.jetty.server:7.6.8.v20121106]
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:116)[64:org.eclipse.jetty.server:7.6.8.v20121106]
        at org.eclipse.jetty.server.Server.handle(Server.java:363)[64:org.eclipse.jetty.server:7.6.8.v20121106]
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:483)[64:org.eclipse.jetty.server:7.6.8.v20121106]
        at org.eclipse.jetty.server.AbstractHttpConnection.content(AbstractHttpConnection.java:931)[64:org.eclipse.jetty.server:7.6.8.v20121106]
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.content(AbstractHttpConnection.java:992)[64:org.eclipse.jetty.server:7.6.8.v20121106]
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:948)[60:org.eclipse.jetty.http:7.6.8.v20121106]
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)[60:org.eclipse.jetty.http:7.6.8.v20121106]
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)[64:org.eclipse.jetty.server:7.6.8.v20121106]
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:628)[59:org.eclipse.jetty.io:7.6.8.v20121106]
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)[59:org.eclipse.jetty.io:7.6.8.v20121106]
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)[58:org.eclipse.jetty.util:7.6.8.v20121106]
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)[58:org.eclipse.jetty.util:7.6.8.v20121106]
        at java.lang.Thread.run(Thread.java:662)[:1.6.0_29]
Caused by: org.apache.ws.security.WSSecurityException: SAML signature validation failed
        at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:575)[159:org.apache.ws.security.wss4j:1.6.12]
        at org.apache.ws.security.processor.SAMLTokenProcessor.handleSAMLToken(SAMLTokenProcessor.java:180)[159:org.apache.ws.security.wss4j:1.6.12]
        at org.apache.ws.security.processor.SAMLTokenProcessor.handleToken(SAMLTokenProcessor.java:78)[159:org.apache.ws.security.wss4j:1.6.12]
        at org.apache.ws.security.WSSecurityEngine.processSecurityHeader(WSSecurityEngine.java:396)[159:org.apache.ws.security.wss4j:1.6.12]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:279)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
        ... 23 more
Caused by: org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
        at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
        at org.apache.ws.security.saml.ext.AssertionWrapper.verifySignature(AssertionWrapper.java:573)[159:org.apache.ws.security.wss4j:1.6.12]
        ... 27 more

Re: add SAML TOKEN to SOAP header

chaij
This is caused by modifying the SAML Assertion token with pretty-print and saving it. Once I get past this exception, I am now getting a different exception:

Caused by: org.opensaml.xml.validation.ValidationException: IssueInstant is required attribute
        at org.opensaml.saml2.core.validator.AssertionSchemaValidator.validateIssueInstant(AssertionSchemaValidator.java:91)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
        at org.opensaml.saml2.core.validator.AssertionSchemaValidator.validate(AssertionSchemaValidator.java:44)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
        at org.opensaml.saml2.core.validator.AssertionSchemaValidator.validate(AssertionSchemaValidator.java:32)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
        at org.opensaml.xml.validation.ValidatorSuite.performValidation(ValidatorSuite.java:169)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
        at org.opensaml.xml.validation.ValidatorSuite.performValidation(ValidatorSuite.java:152)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
        at org.opensaml.xml.validation.ValidatorSuite.validate(ValidatorSuite.java:83)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
        at org.apache.ws.security.validate.SamlAssertionValidator.validateAssertion(SamlAssertionValidator.java:189)[159:org.apache.ws.security.wss4j:1.6.12]
        ... 28 more

Re: add SAML TOKEN to SOAP header

coheigea
As the error message says, "IssueInstant" is a required attribute of a SAML
2.0 assertion. Do you have control over the generation of the SAML token?
The SAML Token is technically invalid without this attribute. If not, then
an alternative is for you to extend the SamlAssertionValidator in WSS4J +
override the "validateAssertion" method, not to validate the received
assertion against the schemas. You can then plug this Validator into CXF
via a jax-ws property "ws-security.saml2.validator".

Colm.


On Fri, Apr 4, 2014 at 4:48 AM, chaij <[hidden email]> wrote:

> This is caused by modifying the SAML Assertion token with pretty-print and
> saved. Once get pass this exception, I am now getting a different
> exception;
>
> Caused by: org.opensaml.xml.validation.ValidationException: IssueInstant is
> required attribute
>         at
>
> org.opensaml.saml2.core.validator.AssertionSchemaValidator.validateIssueInstant(AssertionSchemaValidator.java:91)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
>         at
>
> org.opensaml.saml2.core.validator.AssertionSchemaValidator.validate(AssertionSchemaValidator.java:44)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
>         at
>
> org.opensaml.saml2.core.validator.AssertionSchemaValidator.validate(AssertionSchemaValidator.java:32)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
>         at
>
> org.opensaml.xml.validation.ValidatorSuite.performValidation(ValidatorSuite.java:169)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
>         at
>
> org.opensaml.xml.validation.ValidatorSuite.performValidation(ValidatorSuite.java:152)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
>         at
>
> org.opensaml.xml.validation.ValidatorSuite.validate(ValidatorSuite.java:83)[156:org.apache.servicemix.bundles.opensaml:2.5.3.1]
>         at
>
> org.apache.ws.security.validate.SamlAssertionValidator.validateAssertion(SamlAssertionValidator.java:189)[159:org.apache.ws.security.wss4j:1.6.12]
>         ... 28 more
>
>
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749761.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: add SAML TOKEN to SOAP header

chaij
I may not be able to change the SAML token. I will see if I can work around it.

I implemented this validator class.

import org.apache.log4j.Logger; // assumed: Logger.getLogger(Class) matches the log4j API
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.SamlAssertionValidator;

public class SAMLValidator extends SamlAssertionValidator {

        private static final Logger logger = Logger.getLogger(SAMLValidator.class);

        @Override
        protected void validateAssertion(AssertionWrapper assertion) throws WSSecurityException {
                // override the default behavior so that it will not validate against the SAML2 schema
                logger.info("SAMLValidator called to NOT validate against SAML2 schema");
        }

}


Added the configuration to the interceptor so that it can be plugged into the framework.

        <bean id="wss4jInInterceptor-ddc-service" class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <constructor-arg>
                        <map>
                                <entry key="action" value="${SECURITY_DDC_ACTION}" />
                                <entry key="signaturePropFile"
                                        value="cms-files/cms-trusted-crypto-client-${SECURITY_RUNTIME_ENV}.properties" />
                                <entry key="decryptionPropFile"
                                        value="cms-files/cms-trusted-crypto-client-${SECURITY_RUNTIME_ENV}.properties" />
                                <entry key="encryptionKeyTransportAlgorithm" value="${SECURITY_ENCRYPTION_KEY_TRANSPORT_ALGORITHM}" />
                                <entry key="signatureAlgorithm" value="${SECURITY_SIGNATURE_ALGORITHM}" />

                                <entry key="passwordCallbackRef" value-ref="keystoreCallbackHandler" />

                                <entry key="ws-security.saml2.validator" value-ref="samlValidator" />

                        </map>
                </constructor-arg>
        </bean>


But it didn't seem to get called. I didn't see any log in the log file and the same exception was thrown.

Did I use the wrong entry key?

Thanks!

Re: add SAML TOKEN to SOAP header

coheigea
Hi,

Instead of passing "ws-security.saml2.validator" to the constructor map of
the WSS4JInInterceptor, could you instead add it as a jax-ws property of
the endpoint?

e.g.

<jaxws:properties>
    <entry key="ws-security.saml2.validator" value-ref="samlValidator" />
</jaxws:properties>

Colm.


On Fri, Apr 4, 2014 at 9:56 PM, chaij <[hidden email]> wrote:

> I may not be able to change the SAML token. I will see if I can work around
> it.
>
> I implemented this the validator class.
>
> import org.apache.ws.security.WSSecurityException;
> import org.apache.ws.security.saml.ext.AssertionWrapper;
> import org.apache.ws.security.validate.SamlAssertionValidator;
>
> public class SAMLValidator extends SamlAssertionValidator {
>
>         private static Logger logger =
> Logger.getLogger(SAMLValidator.class);
>
>         @Override
>         protected void validateAssertion(AssertionWrapper assertion) throws
> WSSecurityException {
>                 // override the default behavior so that it will not
> validate against the
> SAML2 schema
>                 logger.info("SAMLVadlidator called to NOT validate
> against SAML2 schema");
>         }
>
> }
>
>
> Added the configuration to the interceptor so that it can be plugged into
> the framework.
>
>         <bean id="wss4jInInterceptor-ddc-service"
> class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
>                 <constructor-arg>
>                         <map>
>                                 <entry key="action"
> value="${SECURITY_DDC_ACTION}" />
>                                 <entry key="signaturePropFile"
>
>
> value="cms-files/cms-trusted-crypto-client-${SECURITY_RUNTIME_ENV}.properties"
> />
>                                 <entry key="decryptionPropFile"
>
>
> value="cms-files/cms-trusted-crypto-client-${SECURITY_RUNTIME_ENV}.properties"
> />
>                                 <entry
> key="encryptionKeyTransportAlgorithm"
> value="${SECURITY_ENCRYPTION_KEY_TRANSPORT_ALGORITHM}" />
>                                 <entry key="signatureAlgorithm"
> value="${SECURITY_SIGNATURE_ALGORITHM}"
> />
>
>                                 <entry key="passwordCallbackRef"
> value-ref="keystoreCallbackHandler" />
>
>                                 <entry key="ws-security.saml2.validator"
> value-ref="samlValidator" />
>
>                         </map>
>                 </constructor-arg>
>         </bean>
>
>
> But it didn't seem to get called. I didn't see any log in the log file and
> the same exception was thrown.
>
> Did I use the wrong entry key?
>
> Thanks!
>
>
>
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749827.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
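
Added example, not code from this thread or from WSS4J: a narrower form of the validateAssertion override discussed above, which tolerates only the missing IssueInstant rather than skipping every check in that method. It assumes WSS4J 1.6 with OpenSAML 2 and that a validator suite is registered under the id "saml2-core-spec-validator" (the id and the class name are assumptions); it is plugged in through the same "ws-security.saml2.validator" jax-ws property.

```java
import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.SamlAssertionValidator;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.validation.ValidationException;
import org.opensaml.xml.validation.ValidatorSuite;

// Hypothetical class name. Only validateAssertion is overridden, so the rest of
// SamlAssertionValidator.validate(...) still runs as the parent class defines it.
public class LenientIssueInstantValidator extends SamlAssertionValidator {

    // Assumption: suite id under which OpenSAML 2 registers its SAML 2.0 spec-level checks.
    private static final String SAML2_SPEC_SUITE = "saml2-core-spec-validator";

    @Override
    protected void validateAssertion(AssertionWrapper assertion) throws WSSecurityException {
        // SAML 1.1 assertions are not affected by the IssueInstant problem:
        // keep the stock schema and spec validation for them.
        if (assertion.getSaml2() == null) {
            super.validateAssertion(assertion);
            return;
        }

        // Re-implement by hand the required-field checks that are lost when the
        // schema suite is skipped, leaving out only IssueInstant.
        if (isBlank(assertion.getId())) {
            throw new WSSecurityException("SAML 2.0 assertion has no ID");
        }
        if (isBlank(assertion.getIssuerString())) {
            throw new WSSecurityException("SAML 2.0 assertion has no Issuer");
        }

        // Still run the spec-level suite; fail closed if it is not registered.
        ValidatorSuite specValidators = Configuration.getValidatorSuite(SAML2_SPEC_SUITE);
        if (specValidators == null) {
            throw new WSSecurityException("Validator suite not registered: " + SAML2_SPEC_SUITE);
        }
        try {
            specValidators.validate(assertion.getSaml2());
        } catch (ValidationException e) {
            throw new WSSecurityException("SAML 2.0 assertion failed spec validation", e);
        }
    }

    private static boolean isBlank(String value) {
        return value == null || value.trim().length() == 0;
    }
}
```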

Re: add SAML TOKEN to SOAP header

chaij
That's it! I am able to get the validation disabled.
Then I ran into this interesting issue.

For the client, wss4jOutInterceptor, I have to use the SAMLTokenUnsigned action. If I use SAMLTokenSigned instead, I would get a null pointer exception like this:
java.lang.NullPointerException
        at org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:262)[159:org.apache.ws.security.wss4j:1.6.12]
        at org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:117)[159:org.apache.ws.security.wss4j:1.6.12]
        at org.apache.ws.security.action.SAMLTokenSignedAction.execute(SAMLTokenSignedAction.java:99)[159:org.apache.ws.security.wss4j:1.6.12]
        at org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:232)[159:org.apache.ws.security.wss4j:1.6.12]
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:260)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]

For the server, wss4jInInterceptor, I have to use action SAMLTokenSigned. Otherwise, I would get WSSecurityException.
21:16:16,817 | WARN  | p1389339194-1480 | ecurity.wss4j.WSS4JInInterceptor  362 | 162 - org.apache.cxf.cxf-rt-ws-security - 2.7.7 | Security processing failed (actions mismatch)
21:16:16,818 | WARN  | p1389339194-1480 | ecurity.wss4j.WSS4JInInterceptor  335 | 162 - org.apache.cxf.cxf-rt-ws-security - 2.7.7 |
org.apache.ws.security.WSSecurityException: An error was discovered processing the <wsse:Security> header
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JInInterceptor.java:363)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:290)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
        at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]


Looking at the wss4j interceptor code, on the server side it checks whether there is a signature in the Assertion to determine if it is Signed or Unsigned. But I don't know exactly why it is throwing a NullPointerException on the client side.

Thanks!

Re: add SAML TOKEN to SOAP header

coheigea
Hi,

I've fixed the NPE in WSS4J. Yes, there is an asymmetry for the SAML case
between the outbound and inbound configurations. This is mainly for
historical reasons, not to break backwards compatibility with older
deployments. On the outbound side, the "Unsigned" action just creates a
SAML Token and adds it "as is" to the security header of the request.
However, if the configuration states to sign the assertion, the assertion
is internally signed. For the "Signed" SAML Action, it externally signs the
assertion. On the receiving side, the "Signed SAML Action" matches either
the internally or externally signed assertion use-cases.

Colm.


On Mon, Apr 7, 2014 at 8:47 PM, chaij <[hidden email]> wrote:

> That's it! I am able to get the validation disabled.
> Then I ran into this interesting issue.
>
> For client, wss4jOutInterceptor, I have to use SAMLTokenUnsigned action. If
> I use SAMLTokenSigned instead, I would get a null pointer exception like
> this:
> java.lang.NullPointerException
>         at
>
> org.apache.ws.security.saml.WSSecSignatureSAML.prepare(WSSecSignatureSAML.java:262)[159:org.apache.ws.security.wss4j:1.6.12]
>         at
>
> org.apache.ws.security.saml.WSSecSignatureSAML.build(WSSecSignatureSAML.java:117)[159:org.apache.ws.security.wss4j:1.6.12]
>         at
>
> org.apache.ws.security.action.SAMLTokenSignedAction.execute(SAMLTokenSignedAction.java:99)[159:org.apache.ws.security.wss4j:1.6.12]
>         at
>
> org.apache.ws.security.handler.WSHandler.doSenderAction(WSHandler.java:232)[159:org.apache.ws.security.wss4j:1.6.12]
>         at
>
> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor.access$200(WSS4JOutInterceptor.java:52)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
>         at
>
> org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor$WSS4JOutInterceptorInternal.handleMessage(WSS4JOutInterceptor.java:260)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
>
> For the server, wss4jInInterceptor, I have to use action SAMLTokenSigned.
> Otherwise, I would get WSSecurityException.
> 21:16:16,817 | WARN  | p1389339194-1480 | ecurity.wss4j.WSS4JInInterceptor
> 362 | 162 - org.apache.cxf.cxf-rt-ws-security - 2.7.7 | Security processing
> failed (actions mismatch)
> 21:16:16,818 | WARN  | p1389339194-1480 | ecurity.wss4j.WSS4JInInterceptor
> 335 | 162 - org.apache.cxf.cxf-rt-ws-security - 2.7.7 |
> org.apache.ws.security.WSSecurityException: An error was discovered
> processing the <wsse:Security> header
>         at
>
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.checkActions(WSS4JInInterceptor.java:363)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
>         at
>
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:290)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
>         at
>
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:95)[162:org.apache.cxf.cxf-rt-ws-security:2.7.7]
>
>
> By looking at the wss4j interceptor code, on the server side, it looks for
> if there is signature in the Assertion to determine if it is Signed or
> Unsigned. But I don't know why exactly it is throwing NullPointer exception
> on the client side.
>
> Thanks!
>
>
>
>
> --
> View this message in context:
> http://camel.465427.n5.nabble.com/add-SAML-TOKEN-to-SOAP-header-tp5749520p5749914.html
> Sent from the Camel - Users mailing list archive at Nabble.com.
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: add SAML TOKEN to SOAP header

chaij
Thanks for your help. It makes sense.

Everything is working now!