Comments on Open Source Security: WS-Trust sample in Talend Service Factory 2.4.0

Feed author: Colm O hEigeartaigh. Last updated: 2024-03-15T22:26:58.542-07:00. 3 comments.

Colm O hEigeartaigh, 2011-05-18T07:11:32.217-07:00:

Hi,

CXF-3524 only applies to when derived keys are used with the symmetric binding. If this corresponds to your use-case, then it sounds like this could be the problem.

If not, then it could be the case that the client is not proving to the service provider that it knows the key referred to in the assertion. It must do this by either using 2-way TLS for the TransportBinding case, or else signing some portion of the message using the same key.

If none of the above scenarios sound like the cause, then it might be a bug, so I would suggest creating a JIRA in CXF, attaching the requests, security policy of the endpoint, etc.

Colm.

Foly, 2011-05-17T02:56:46.181-07:00:

Hello,

First of all, thanks a lot for this article! I am in the process of evaluating WS-Trust and SAML for security purposes and this post is very informative.

I have attempted to reproduce this scenario using JBOSSWS-CXF and Picketlink as a STS. After several attempts I managed to retrieve a SAML assertion from the STS, and send the request to the service.
However, the server fails with a "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken: Assertion fails holder-of-key requirements" error.
I think this is correct because the service request does not use the secret key for any holder-of-key task.

I have also found your bug report at CXF, which looks potentially related:
https://issues.apache.org/jira/browse/CXF-3524

Is that also my problem, or might there be some additional part that I am doing wrong? I haven't properly tested the provided Talend examples, but in this context I am required to use only the previously mentioned frameworks and servers.

Arul, 2011-05-11T19:27:45.224-07:00:

Very interesting example.

I ran into the following security exception when running the client:

org.apache.xml.security.encryption.XMLEncryptionException: Illegal key size or default parameters

Since the policy key size is 256, the default policy files that come with the JDK are limited to 128. It requires patching JDK with Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files from Oracle (http://www.oracle.com/technetwork/java/javase/downloads/index.html). Copying two jar files from the JCE distribution (local_policy.jar and US_export_policy.jar) to $JAVA_HOME/jre/lib/security fixed the problem for me.

-Arul
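
The key-size limit described in the last comment can be checked on a given JVM before running the client. The following is an added example, not code from the post or its commenters; the class name `JcePolicyCheck` and the all-zero test key are constructed for illustration.

```java
import java.security.InvalidKeyException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class JcePolicyCheck {
    // Key size the comment above says the security policy requires.
    static final int REQUIRED_BITS = 256;

    /** True if the installed jurisdiction policy permits AES keys of this size. */
    static boolean policyAllows(int bits) throws Exception {
        return Cipher.getMaxAllowedKeyLength("AES") >= bits;
    }

    /** Initialises an AES cipher with a key of this size: the step that fails under the limited policy. */
    static boolean canInit(int bits) throws Exception {
        byte[] key = new byte[bits / 8]; // constructed all-zero key, used only to probe the policy
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        try {
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return true;
        } catch (InvalidKeyException e) {
            // With the limited policy files this reports "Illegal key size or default parameters".
            System.out.println("  init failed: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // java.home shows which JRE's lib/security directory holds the policy jars in use.
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("max allowed AES key length = "
                + Cipher.getMaxAllowedKeyLength("AES") + " bits");

        for (int bits : new int[] {128, 192, 256}) {
            System.out.println("AES-" + bits + ": policy allows = " + policyAllows(bits)
                    + ", cipher init ok = " + canInit(bits));
        }

        // A non-zero exit status lets a start-up script stop before the WS-Security client runs.
        if (!policyAllows(REQUIRED_BITS) || !canInit(REQUIRED_BITS)) {
            System.out.println("This JVM cannot use " + REQUIRED_BITS + "-bit AES keys.");
            System.exit(1);
        }
    }
}
```

Run it with the same `java` binary that launches the client, since the policy files are read per JRE installation.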