Peter Palaga created CXF-8967:
---------------------------------

             Summary: Body and elements not signed with security.enable.streaming = true
                 Key: CXF-8967
                 URL: https://issues.apache.org/jira/browse/CXF-8967
             Project: CXF
          Issue Type: Bug
    Affects Versions: 4.0.3
            Reporter: Peter Palaga

This might have a similar cause as CXF-8940.

I am unfortunately not sure at all how to reproduce this with plain CXF. If a 
test is required to demonstrate the issue, I'd be thankful for pointing me to 
an existing test I could adapt.

I am able to reproduce this with quarkus-cxf - here are the steps to reproduce:

{code}
git clone g...@github.com:ppalaga/quarkus-cxf.git
cd quarkus-cxf
git reset --hard 0f68c3d30aedc1688771636866f353a59be904d4
mvn clean install -DskipTests -Dquarkus.build.skip
cd integration-tests/ws-security-policy
mvn clean test -Dtest=UsernameTokenSecurityPolicyStaxTest#helloSaml1
...
2023-12-25 12:46:31,093 INFO  [org.apa.cxf.ser.Sam.REQ_OUT] (executor-thread-1) REQ_OUT
    Address: https://localhost:8444/services/helloSaml1
    HttpMethod: POST
    Content-Type: text/xml
    ExchangeId: 1e62cc69-2a90-413d-97a4-b88bbd61d7b8
    ServiceName: Saml1PolicyHelloService
    PortName: Saml1PolicyHelloServicePort
    PortTypeName: Saml1PolicyHelloService
    Headers: {SOAPAction="", Accept=*/*, Connection=Keep-Alive}
    Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2023-12-25T11:46:31.087Z</wsu:Created>
        <wsu:Expires>2023-12-25T11:51:31.087Z</wsu:Expires>
      </wsu:Timestamp>
      <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_307cbcf8-4a7d-45a6-a4dc-b46929693b35" IssueInstant="2023-12-25T11:46:31.068Z" Issuer="sts" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
        <saml1:Conditions NotBefore="2023-12-25T11:46:31.070Z" NotOnOrAfter="2023-12-25T11:51:31.070Z"/>
        <saml1:AttributeStatement>
          <saml1:Subject>
            <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.mock-sts.com">uid=sts-client,o=mock-sts.com</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
          <saml1:Attribute AttributeName="subject-role" AttributeNamespace="http://custom-ns">
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">system-user</saml1:AttributeValue>
          </saml1:Attribute>
        </saml1:AttributeStatement>
      </saml1:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/">
      <arg0>random saml person</arg0>
    </ns2:hello>
  </soap:Body>
</soap:Envelope>


2023-12-25 12:46:31,300 INFO  [org.ehc.cor.EhcacheManager] (executor-thread-2) Cache 'ws-security.timestamp.cache.instance-1259045699' created in EhcacheManager.
2023-12-25 12:46:31,311 INFO  [org.ehc.cor.EhcacheManager] (executor-thread-2) Cache 'ws-security.saml.cache.instance-1259045699' created in EhcacheManager.
2023-12-25 12:46:31,393 INFO  [org.ehc.cor.EhcacheManager] (executor-thread-2) Cache 'org.apache.cxf.ws.security.tokenstore.TokenStore-1259045699' created in EhcacheManager.
2023-12-25 12:46:31,414 WARN  [org.apa.cxf.pha.PhaseInterceptorChain] (executor-thread-2) Interceptor for {http://policy.security.it.cxf.quarkiverse.io/}Saml1PolicyHelloServiceImpl has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: Error reading XMLStreamReader: org.apache.wss4j.common.ext.WSSecurityException: SAML proof-of-possession of the private/secret key failed
        at org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:67)
        at org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:38)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:233)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:207)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:159)
        at io.quarkiverse.cxf.transport.CxfHandler.process(CxfHandler.java:241)
        at io.quarkiverse.cxf.transport.CxfHandler.handle(CxfHandler.java:178)
        at io.quarkiverse.cxf.transport.CxfHandler.handle(CxfHandler.java:47)
        at io.vertx.ext.web.impl.BlockingHandlerDecorator.lambda$handle$0(BlockingHandlerDecorator.java:48)
        at io.vertx.core.impl.ContextBase.lambda$executeBlocking$1(ContextBase.java:180)
        at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:277)
        at io.vertx.core.impl.ContextBase.lambda$internalExecuteBlocking$2(ContextBase.java:199)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1512)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: javax.xml.stream.XMLStreamException: org.apache.wss4j.common.ext.WSSecurityException: SAML proof-of-possession of the private/secret key failed
        at org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:99)
        at org.apache.wss4j.stax.impl.WSSecurityStreamReader.next(WSSecurityStreamReader.java:45)
        at org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:60)
        ... 21 more
Caused by: org.apache.wss4j.common.ext.WSSecurityException: SAML proof-of-possession of the private/secret key failed
        at org.apache.wss4j.stax.impl.processor.input.SAMLTokenInputHandler$SAMLTokenVerifierInputProcessor.checkPossessionOfKey(SAMLTokenInputHandler.java:724)
        at org.apache.wss4j.stax.impl.processor.input.SAMLTokenInputHandler$SAMLTokenVerifierInputProcessor.processEvent(SAMLTokenInputHandler.java:603)
        at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:192)
        at org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor.processEvent(PolicyInputProcessor.java:104)
        at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:192)
        at org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:81)
        ... 23 more
{code}

Expected: the {{REQ_OUT}} message shown above should have a signature and some 
other security-related elements. It should work the same as with the DOM 
stack:

{code}
mvn clean test -Dtest=UsernameTokenSecurityPolicyTest#helloSaml1
...
2023-12-25 12:47:52,678 INFO  [org.apa.cxf.ser.Sam.REQ_OUT] (executor-thread-1) REQ_OUT
    Address: https://localhost:8444/services/helloSaml1
    HttpMethod: POST
    Content-Type: text/xml
    ExchangeId: daf2cdf0-ec9b-4e81-8c0c-d0eb30b64a13
    ServiceName: Saml1PolicyHelloService
    PortName: Saml1PolicyHelloServicePort
    PortTypeName: Saml1PolicyHelloService
    Headers: {SOAPAction="", Accept=*/*, Connection=Keep-Alive}
    Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" soap:mustUnderstand="1">
      <wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="X509-74c1bd0a-0411-4ae9-822f-8aed0411be08">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</wsse:BinarySecurityToken>
      <wsu:Timestamp wsu:Id="TS-a7888ebf-0a03-485d-a4e0-67b7e26d4379">
        <wsu:Created>2023-12-25T11:47:52.312Z</wsu:Created>
        <wsu:Expires>2023-12-25T11:52:52.312Z</wsu:Expires>
      </wsu:Timestamp>
      <saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_9115cf6b-f4b6-4728-a85d-04de8f1489e4" IssueInstant="2023-12-25T11:47:52.525Z" Issuer="sts" MajorVersion="1" MinorVersion="1" xsi:type="saml1:AssertionType">
        <saml1:Conditions NotBefore="2023-12-25T11:47:52.526Z" NotOnOrAfter="2023-12-25T11:52:52.526Z"/>
        <saml1:AttributeStatement>
          <saml1:Subject>
            <saml1:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.mock-sts.com">uid=sts-client,o=mock-sts.com</saml1:NameIdentifier>
            <saml1:SubjectConfirmation>
              <saml1:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:sender-vouches</saml1:ConfirmationMethod>
            </saml1:SubjectConfirmation>
          </saml1:Subject>
          <saml1:Attribute AttributeName="subject-role" AttributeNamespace="http://custom-ns">
            <saml1:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">system-user</saml1:AttributeValue>
          </saml1:Attribute>
        </saml1:AttributeStatement>
      </saml1:Assertion>
      <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-d2b2c0e9-b7b6-411f-994a-7096afeaea0a">
        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_9115cf6b-f4b6-4728-a85d-04de8f1489e4</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
      <wsse:SecurityTokenReference xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" wsu:Id="STR-8a8dc10a-f244-4b77-a679-d41fa68c971e">
        <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_9115cf6b-f4b6-4728-a85d-04de8f1489e4</wsse:KeyIdentifier>
      </wsse:SecurityTokenReference>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Id="SIG-d124a707-3ad6-4e4a-900d-0bf5ebd35dee">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#TS-a7888ebf-0a03-485d-a4e0-67b7e26d4379">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>qbZmn6wMr917PmaAx7f1po3OEpw=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_94b5f1aa-3ea2-4742-8a03-6455612918b7">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>ghlTlxu8FaGQq7x1YMGhPmXPsoc=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#STR-8a8dc10a-f244-4b77-a679-d41fa68c971e">
            <ds:Transforms>
              <ds:Transform Algorithm="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#STR-Transform">
                <wsse:TransformationParameters>
                  <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </wsse:TransformationParameters>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>eXP+srJSSN3KcEZWYzArD87w12c=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#X509-74c1bd0a-0411-4ae9-822f-8aed0411be08">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>28TAIWWt6j4zw7YFbcJLfxS36kQ=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>NjkNaCptM1jjYRKZycvYoIyeZolGwOaNg1z52y/vx1oz5eG+Yas/Qz1BLzcLRkCCttupoYFjlpHeiYmf7AsRnoJFgQPsp6lvWIOj0yCCypmJ+dqhtOdo8gz/VvY/0SM+G7z2LG45HQnN+7wyPyhbZ89DOGpNNj1yFiqMgQJsN2pmuSXzE6HEu94lrAgy0gExZeeRfNA9ETLwB0QW9PNjKQbfQtThIWJObjdJE0bhrxMqVThSD3Ccw8P6QVtU/F6rw8QoUf7cpFVPJ/lDE+hqBIQLkFudbeqg3R/PzubU7Bksn0ihVIKVuXzbkYNq1d9XgLaESMRvmc6aRtiZBFQEkg==</ds:SignatureValue>
        <ds:KeyInfo Id="KI-facbfb94-d9d1-41ad-97c0-07570607f954">
          <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="STR-71d5c38d-3711-440e-84f8-f500ae8fb025">
            <wsse:Reference URI="#X509-74c1bd0a-0411-4ae9-822f-8aed0411be08" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="_94b5f1aa-3ea2-4742-8a03-6455612918b7">
    <ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/">
      <arg0>random saml person</arg0>
    </ns2:hello>
  </soap:Body>
</soap:Envelope>
{code}

It fails in the same way with {{Version.SAML_20}}:

{code}
mvn clean test -Dtest=UsernameTokenSecurityPolicyStaxTest#helloSaml2
...
2023-12-25 12:54:29,644 INFO  [org.apa.cxf.ser.Sam.REQ_OUT] (executor-thread-1) REQ_OUT
    Address: https://localhost:8444/services/helloSaml2
    HttpMethod: POST
    Content-Type: text/xml
    ExchangeId: f2e41731-6a37-4f1a-be78-64cefc393d2e
    ServiceName: Saml2PolicyHelloService
    PortName: Saml2PolicyHelloServicePort
    PortTypeName: Saml2PolicyHelloService
    Headers: {SOAPAction="", Accept=*/*, Connection=Keep-Alive}
    Payload: <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2023-12-25T11:54:29.638Z</wsu:Created>
        <wsu:Expires>2023-12-25T11:59:29.638Z</wsu:Expires>
      </wsu:Timestamp>
      <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="_47ac5044-c17b-4603-b657-8836fc34fa5d" IssueInstant="2023-12-25T11:54:29.621Z" Version="2.0" xsi:type="saml2:AssertionType">
        <saml2:Issuer>sts</saml2:Issuer>
        <saml2:Subject>
          <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="www.mock-sts.com">uid=sts-client,o=mock-sts.com</saml2:NameID>
          <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"/>
        </saml2:Subject>
        <saml2:Conditions NotBefore="2023-12-25T11:54:29.623Z" NotOnOrAfter="2023-12-25T11:59:29.623Z"/>
        <saml2:AttributeStatement>
          <saml2:Attribute Name="subject-role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
            <saml2:AttributeValue xmlns:xsd="http://www.w3.org/2001/XMLSchema" xsi:type="xsd:string">system-user</saml2:AttributeValue>
          </saml2:Attribute>
        </saml2:AttributeStatement>
      </saml2:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <ns2:hello xmlns:ns2="http://policy.security.it.cxf.quarkiverse.io/">
      <arg0>random saml person</arg0>
    </ns2:hello>
  </soap:Body>
</soap:Envelope>


2023-12-25 12:54:29,843 INFO  [org.ehc.cor.EhcacheManager] (executor-thread-2) Cache 'ws-security.timestamp.cache.instance-1791157116' created in EhcacheManager.
2023-12-25 12:54:29,854 INFO  [org.ehc.cor.EhcacheManager] (executor-thread-2) Cache 'ws-security.saml.cache.instance-1791157116' created in EhcacheManager.
2023-12-25 12:54:29,937 INFO  [org.ehc.cor.EhcacheManager] (executor-thread-2) Cache 'org.apache.cxf.ws.security.tokenstore.TokenStore-1791157116' created in EhcacheManager.
2023-12-25 12:54:29,959 WARN  [org.apa.cxf.pha.PhaseInterceptorChain] (executor-thread-2) Interceptor for {http://policy.security.it.cxf.quarkiverse.io/}Saml2PolicyHelloServiceImpl has thrown exception, unwinding now: org.apache.cxf.binding.soap.SoapFault: Error reading XMLStreamReader: org.apache.wss4j.common.ext.WSSecurityException: SAML proof-of-possession of the private/secret key failed
        at org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:67)
        at org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:38)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:307)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:265)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:233)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:207)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:159)
        at io.quarkiverse.cxf.transport.CxfHandler.process(CxfHandler.java:241)
        at io.quarkiverse.cxf.transport.CxfHandler.handle(CxfHandler.java:178)
        at io.quarkiverse.cxf.transport.CxfHandler.handle(CxfHandler.java:47)
        at io.vertx.ext.web.impl.BlockingHandlerDecorator.lambda$handle$0(BlockingHandlerDecorator.java:48)
        at io.vertx.core.impl.ContextBase.lambda$executeBlocking$1(ContextBase.java:180)
        at io.vertx.core.impl.ContextInternal.dispatch(ContextInternal.java:277)
        at io.vertx.core.impl.ContextBase.lambda$internalExecuteBlocking$2(ContextBase.java:199)
        at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:582)
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513)
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1512)
        at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
        at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: javax.xml.stream.XMLStreamException: org.apache.wss4j.common.ext.WSSecurityException: SAML proof-of-possession of the private/secret key failed
        at org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:99)
        at org.apache.wss4j.stax.impl.WSSecurityStreamReader.next(WSSecurityStreamReader.java:45)
        at org.apache.cxf.binding.soap.interceptor.StartBodyInterceptor.handleMessage(StartBodyInterceptor.java:60)
        ... 21 more
Caused by: org.apache.wss4j.common.ext.WSSecurityException: SAML proof-of-possession of the private/secret key failed
        at org.apache.wss4j.stax.impl.processor.input.SAMLTokenInputHandler$SAMLTokenVerifierInputProcessor.checkPossessionOfKey(SAMLTokenInputHandler.java:724)
        at org.apache.wss4j.stax.impl.processor.input.SAMLTokenInputHandler$SAMLTokenVerifierInputProcessor.processEvent(SAMLTokenInputHandler.java:603)
        at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:192)
        at org.apache.wss4j.policy.stax.enforcer.PolicyInputProcessor.processEvent(PolicyInputProcessor.java:104)
        at org.apache.xml.security.stax.impl.InputProcessorChainImpl.processEvent(InputProcessorChainImpl.java:192)
        at org.apache.xml.security.stax.impl.XMLSecurityStreamReader.next(XMLSecurityStreamReader.java:81)
        ... 23 more
{code}
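The difference between the two REQ_OUT payloads in this report is that the DOM-stack request carries a ds:Signature whose ds:Reference elements resolve, via wsu:Id, to the Timestamp, the Body, the SAML STR and the X.509 token, while the streaming-stack request has no ds:Signature and no wsu:Id on the Body or Timestamp at all. The following script is an added example, not CXF, WSS4J or quarkus-cxf code: it parses an envelope with the Python standard library, resolves each ds:Reference URI to the element it points at, and reports which required elements are covered and which references are dangling. The two envelopes it runs on are constructed, trimmed stand-ins for the report's payloads with placeholder digest and signature values; the check answers only "is the Body/Timestamp referenced by a signature?", it does not verify any digest or signature value.

```python
"""Report which parts of a WS-Security SOAP request are covered by an XML signature.

Added example for this report; it is not CXF, WSS4J or quarkus-cxf code. The two
envelopes below are constructed, trimmed stand-ins for the REQ_OUT payloads in
the report, with placeholder digest and signature values. The check only
answers "does a ds:Reference point at the Body and the Timestamp?"; it does not
verify any digest or signature, so it is a coverage check, not a validation.
"""
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Local names a signing policy such as the one in the report is expected to cover.
REQUIRED = ("Body", "Timestamp")


def local_name(el: ET.Element) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on qualified tags."""
    return el.tag.rsplit("}", 1)[-1]


def signature_coverage(envelope_xml: str) -> dict:
    """Resolve every ds:Reference URI in the header's signatures to its target element.

    Returns a dict with:
      has_signature -- whether a ds:Signature exists under soap:Header
      signed        -- sorted local names of elements a reference resolves to
      missing       -- REQUIRED names no reference resolves to
      dangling      -- reference URIs that match no wsu:Id / Id in the message
    """
    root = ET.fromstring(envelope_xml)
    # Index every element by its wsu:Id (and plain Id, as used on ds:Signature itself).
    by_id = {}
    for el in root.iter():
        for attr in (f"{{{WSU}}}Id", "Id"):
            if attr in el.attrib:
                by_id[el.attrib[attr]] = el
    header = root.find(f"{{{SOAP}}}Header")
    sigs = [] if header is None else list(header.iter(f"{{{DS}}}Signature"))
    signed, dangling = set(), []
    for sig in sigs:
        for ref in sig.iter(f"{{{DS}}}Reference"):
            uri = ref.get("URI", "")
            target = by_id.get(uri[1:]) if uri.startswith("#") else None
            if target is None:
                dangling.append(uri)
            else:
                signed.add(local_name(target))
    return {
        "has_signature": bool(sigs),
        "signed": sorted(signed),
        "missing": [name for name in REQUIRED if name not in signed],
        "dangling": dangling,
    }


# Constructed: shape of the streaming-stack request (no wsu:Id on Body/Timestamp, no Signature).
UNSIGNED_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" soap:mustUnderstand="1">
      <wsu:Timestamp xmlns:wsu="{WSU}">
        <wsu:Created>2023-12-25T11:46:31.087Z</wsu:Created>
        <wsu:Expires>2023-12-25T11:51:31.087Z</wsu:Expires>
      </wsu:Timestamp>
    </wsse:Security>
  </soap:Header>
  <soap:Body><hello>random saml person</hello></soap:Body>
</soap:Envelope>"""

# Constructed: shape of the DOM-stack request (Body and Timestamp carry wsu:Id and are referenced).
SIGNED_REQUEST = f"""<soap:Envelope xmlns:soap="{SOAP}">
  <soap:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="{WSU}" soap:mustUnderstand="1">
      <wsu:Timestamp wsu:Id="TS-1">
        <wsu:Created>2023-12-25T11:47:52.312Z</wsu:Created>
        <wsu:Expires>2023-12-25T11:52:52.312Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature xmlns:ds="{DS}" Id="SIG-1">
        <ds:SignedInfo>
          <ds:Reference URI="#TS-1"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
          <ds:Reference URI="#body-1"><ds:DigestValue>PLACEHOLDER=</ds:DigestValue></ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER=</ds:SignatureValue>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body xmlns:wsu="{WSU}" wsu:Id="body-1"><hello>random saml person</hello></soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    for label, xml in (("streaming stack", UNSIGNED_REQUEST), ("DOM stack", SIGNED_REQUEST)):
        print(label, signature_coverage(xml))
```

Run against the real REQ_OUT payloads from a logging interceptor, the first envelope reports `missing: ['Body', 'Timestamp']` with `has_signature: False`, which is exactly the symptom above, while the DOM-stack envelope resolves every reference. A `dangling` entry would point at the other failure mode worth watching for: a signature that is present but references an Id the message does not carry.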




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
