javaee / metro

Metro has been contributed to Eclipse Foundation. Please use the link below to find the latest project
https://github.com/eclipse-ee4j/metro-jax-ws

How can I modify the AlgorithmSuite on a request? #53

Closed einxald closed 4 years ago

einxald commented 4 years ago

I have a sample request which looks like:

```java
IUSIService usiService = new USIService(new URL(...)).getWS2007FederationHttpBindingIUSIService();

Map<String, Object> requestContext = ((WSBindingProvider) usiService).getRequestContext();
requestContext.put(CERTIFICATE_PROPERTY, ...);
requestContext.put(PRIVATEKEY_PROPERTY, ...);
requestContext.put(STS_NAMESPACE, "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice");
requestContext.put(STS_PORT_NAME, "S007SecurityTokenServiceEndpoint");
requestContext.put(STS_SERVICE_NAME, "SecurityTokenService");
requestContext.put(STS_ENDPOINT, ...);
requestContext.put(STS_WSDL_LOCATION, STSConfig.class.getResource("/META-INF/wsdl/STS-1.3.wsdl").toString());

VerifyUSIType data = new VerifyUSIType();
data.setOrgCode("970002");
data.setUSI("BNGH7C75FN");
data.setFirstName("Maryam");
data.setFamilyName("Fredrick");
data.setDateOfBirth(Dates.asXML("25/05/1966"));

usiService.verifyUSI(data);
```

This fails because the STS returns a token with the wrong encryption.

A solution they recommended was:

changes the AlgorithmSuite on the STS binding to SecurityAlgorithmSuite.Basic256Sha256Rsa15

which seems to be a fix catered to a .NET implementation.

Is there an equivalent of this that I can do for this request?

naveinaustin commented 4 years ago

Hi @einxald, I was also trying to upgrade my Java Code with the latest USI service and was getting "An error occurred when verifying security for the message." I am also stuck at this and am not able to proceed. The documentation says to use Basic256Sha256Rsa15 but I am not able to figure it out. If you have made any progress could you help me with the solution?

einxald commented 4 years ago

Hi @naveinaustin. You can only change the AlgorithmSuite by modifying the WSDL before it is loaded. And despite the USI's WSDL declaring the AlgorithmSuite of Basic256Sha256Rsa15, they are still using Basic256.

What I did was save their WSDL locally, change the declared AlgorithmSuite to Basic256, then make the request use that WSDL instead. Hope that helps!

naveinaustin commented 4 years ago

@einxald I did the same as well but it only worked with Vanguard v1.2. I could not get it working with Vanguard v1.3. Did you face the same issue? Are you also moving to M2M and did you try it?

einxald commented 4 years ago

@naveinaustin What I have currently is a working USI v3 + VANGuard v1.3 implementation against the test environment. Currently in the process of migrating to M2M.

naveinaustin commented 4 years ago

When I use VANGuard v1.3 - https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc it still uses sp:Basic256Sha256Rsa15. How did you overcome this? I was not able to get it working from my local.

einxald commented 4 years ago

Change it to Basic256 and it should work.

naveinaustin commented 4 years ago

@einxald I tried downloading the services.svc file but could not make my java program pick it from there. I am using

```java
requestContext.put(STSIssuedTokenConfiguration.STS_ENDPOINT,
        "https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc");
```

but for some reason it tries to pick it from some URL if I specify a local file name within the WAR

naveinaustin commented 4 years ago

@einxald do you have a sample I could see?

einxald commented 4 years ago

The AlgorithmSuite changes should be done to the USI WSDL and not the VANGuard one.

naveinaustin commented 4 years ago

Hi, It would be great if you could help. I could setup a zoom meeting if it is possible for you. @einxald

Thanks,

On Mon, Feb 10, 2020 at 9:12 PM DJ Marcaida notifications@github.com wrote:

If you want I can take a look at what you have.


naveinaustin commented 4 years ago

@einxald was wondering if you are available?

einxald commented 4 years ago

@naveinaustin Let's do it on Friday if that's okay.

naveinaustin commented 4 years ago

Yeah sure thanks.

einxald commented 4 years ago

@naveinaustin On what email address can I contact you?

naveinaustin commented 4 years ago

my email: naveinaustin@gmail.com


einxald commented 4 years ago

If you still need help I'm free now

scmoriarty commented 4 years ago

Hi @naveinaustin, I'm having exactly the same problem. I tried your suggestion (local copy of WSDL, modify the Algo to Basic256), but no luck. My context props are the same as yours:

```java
requestContext.put("certificate", certificate);
requestContext.put("privatekey", privateKey);
requestContext.put("sts-endpoint", "https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc");
requestContext.put("sts-namespace", "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice");
requestContext.put("sts-wsdlLocation", "https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc");
requestContext.put("sts-service-name", "SecurityTokenService");
requestContext.put("sts-port-name", "S007SecurityTokenServiceEndpoint");
```

Are you using the (modified) com.sun.xml.ws.security.opt.impl.outgoing.SecurityHeader.class ?

Any help would be greatly appreciated. Stephen

scmoriarty commented 4 years ago

Actually, @naveinaustin, my previous question was for @einxald, but happy for any help.

einxald commented 4 years ago

@scmoriarty STS_WSDL_LOCATION should be the URL of the WSDL of the STS in String.

scmoriarty commented 4 years ago

@einxald thanks very much for your response. I made the change, but still getting the standard "An error occurred when verifying security for the message.". I had issues before with the USI v2 security, which were resolved by modifying the com.sun.xml.ws.security.opt.impl.outgoing.SecurityHeader.class, the encrypted headers were not in the correct order. Now I notice there are no encrypted headers being sent only BinarySecurityToken and Signature. Are you sending the same headers?

einxald commented 4 years ago

@scmoriarty You still need to have that SecurityHeader class override, yes.

scmoriarty commented 4 years ago

Thanks, still no luck. Could you send me your local USI and STS wsdl files, please?

einxald commented 4 years ago

Here's what I'm using: WSDLs.zip

scmoriarty commented 4 years ago

Hi @einxald, thanks again. I had similar, but still no luck. Can I ask you to see if there is anything obviously wrong with my security header? I'm getting the "InvalidSecurity" error, which supposedly indicates clock skew, but I can't see how.

```xml
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
<S:Header>
    <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc</To>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
        <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:cadf9d72-54c3-44fe-80f3-33a41eed99a6</MessageID>
    <wsse:Security S:mustUnderstand="true">
        <wsu:Timestamp wsu:Id="_1">
            <wsu:Created>2020-02-24T01:36:22Z</wsu:Created>
            <wsu:Expires>2020-02-24T01:41:22Z</wsu:Expires>
        </wsu:Timestamp>
        <wsse:BinarySecurityToken ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                                  EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                                  wsu:Id="uuid_5fd948e1-0c06-40a3-af56-143d4a58a32d">
            MIIEHTCCAwWg ... TQ==
        </wsse:BinarySecurityToken>
        <ds:Signature Id="_2">
            <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                    <exc14n:InclusiveNamespaces PrefixList="wsse S"/>
                </ds:CanonicalizationMethod>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
                <ds:Reference URI="#_1">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <exc14n:InclusiveNamespaces PrefixList="wsu wsse S"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>FZHY8kJ+Si+PV  ...  WO2W60pVc=</ds:DigestValue>
                </ds:Reference>
                <ds:Reference URI="#_5002">
                    <ds:Transforms>
                        <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
                            <exc14n:InclusiveNamespaces PrefixList="S"/>
                        </ds:Transform>
                    </ds:Transforms>
                    <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                    <ds:DigestValue>NFIt9wkeG4UI  ...  Ga7WcVE7E5U=</ds:DigestValue>
                </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>
                DnA8THB5M5FJEjfJJhl1  ...  ufFMZwScAo=
            </ds:SignatureValue>
            <ds:KeyInfo>
                <wsse:SecurityTokenReference>
                    <wsse:Reference URI="#uuid_5fd948e1-0c06-40a3-af56-143d4a58a32d"
                                    ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
                </wsse:SecurityTokenReference>
            </ds:KeyInfo>
        </ds:Signature>
    </wsse:Security>
</S:Header>
<S:Body>
    <trust:RequestSecurityToken
            xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsa="http://www.w3.org/2005/08/addressing"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
        <wsp:AppliesTo>
            <wsa:EndpointReference>
                <wsa:Address>https://3tp.portal.usi.gov.au/Service/BatchCreateService.svc</wsa:Address>
            </wsa:EndpointReference>
        </wsp:AppliesTo>
        <trust:Lifetime>
            <wsu:Created>2020-02-24T01:36:22.268Z</wsu:Created>
            <wsu:Expires>2020-02-24T03:16:22.268Z</wsu:Expires>
        </trust:Lifetime>
    </trust:RequestSecurityToken>
</S:Body>
</S:Envelope>
```

einxald commented 4 years ago

@scmoriarty You have a typo on the endpoint. <wsa:Address>https://3tp.portal.usi.gov.au/Service/BatchCreateService.svc</wsa:Address>

3tp should be 3pt.

Probably not necessary at the moment. But you'll want to declare KeySize and KeyType on your request. There are also some Claims that you'll need to add later on.

scmoriarty commented 4 years ago

@einxald I think I've hit a brick wall, but thanks for your help.

einxald commented 4 years ago

@scmoriarty Is it still not working? I might be able to help better if you have somewhere we can chat in real time. GitHub comments are a bit slow.

scmoriarty commented 4 years ago

Agreed, are you on skype?


-- Stephen m: 0487 487 007 e: stephen.c.moriarty@gmail.com

einxald commented 4 years ago

Not really. Maybe a Google Meet instead? Or Discord if you have that?

scmoriarty commented 4 years ago

Google Meet is ok.

What's your username and best time for you to chat?

Stephen


einxald commented 4 years ago

Let's try tomorrow. Having internet connection issues right now.

einxald commented 4 years ago

My connection just got fixed. Want to do the meet now?

scmoriarty commented 4 years ago

Sorry I was offline yesterday afternoon/evening.

I can do pretty much anytime today.

Thanks Stephen


einxald commented 4 years ago

lol. woops. I can't create a Google Meet meeting apparently. Can you? Then I'll just join in.

scmoriarty commented 4 years ago

OK, no worries, ok to start now?


scmoriarty commented 4 years ago

I'll stay online for the next 90 mins.

Join link: https://meet.google.com/tyh-cnvy-zhm


einxald commented 4 years ago

Oh man. Sorry we had a bug that I had to work on. Can you send me what you have currently then I'll have a look? Really sorry I missed the meeting.

scmoriarty commented 4 years ago

Ha, no worries. I appreciate the intention.

Ok, so rather than sending the whole project, I've pasted: my test class, the XML response from the test class, and pom.xml.

Firstly, I've used Apache CXF to create web service clients for both of the WSDLs you provided. Then I just created a simple test to call the 3pt STS. With the trustFactory.createClaims(claimsType) line commented out it runs, but I still get the "InvalidSecurity" error. Apart from the RequestSecurityToken element, the only thing I can see different between my request and the sample I was sent by USI is the created/expires timestamps. Mine don't have milliseconds, but I understand this shouldn't be a problem.

My current questions are:

  1. Are you using the STS web service client or building your own?
  2. How do I add the JAXBContext to the service context? Tried online for ages and found nothing, so I'm probably approaching it incorrectly.
  3. Can you send your equivalent of my code below, please?

Thanks again Stephen

```java
SecurityTokenService securityTokenService = new SecurityTokenService();
IWSTrust13Sync iwsTrust13Sync = securityTokenService.getS007SecurityTokenServiceEndpoint();
Map<String, Object> requestContext = ((WSBindingProvider) iwsTrust13Sync).getRequestContext();

requestContext.put(XWSSConstants.CERTIFICATE_PROPERTY, certificate);
requestContext.put(XWSSConstants.PRIVATEKEY_PROPERTY, privateKey);
requestContext.put(STSIssuedTokenConfiguration.STS_ENDPOINT,
        "https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc");
requestContext.put(STSIssuedTokenConfiguration.STS_NAMESPACE,
        "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice");
requestContext.put(STSIssuedTokenConfiguration.STS_WSDL_LOCATION,
        "file:/C:/Users/Stephen/IdeaProjects/auskey/src/main/resources/META-INF/wsdl/STS-1.3.wsdl");
requestContext.put(STSIssuedTokenConfiguration.STS_SERVICE_NAME, "SecurityTokenService");
requestContext.put(STSIssuedTokenConfiguration.STS_PORT_NAME, "S007SecurityTokenServiceEndpoint");
requestContext.put(STSIssuedTokenConfiguration.APPLIES_TO,
        "https://3pt.portal.usi.gov.au/Service/BatchCreateService.svc");
requestContext.put(BindingProviderProperties.REQUEST_TIMEOUT, 600000);
requestContext.put(BindingProviderProperties.CONNECT_TIMEOUT, 600000);

// wsp:AppliesTo for the USI endpoint (built here but never added to the RST below;
// the endpoint is instead passed through the APPLIES_TO context property above)
AttributedURI endpointAddress = new AttributedURI();
endpointAddress.setValue("https://3pt.portal.usi.gov.au/Service/BatchCreateService.svc");
EndpointReference endpointReference = new EndpointReference();
endpointReference.setAddress(endpointAddress);
AppliesTo appliesTo = new AppliesTo();
appliesTo.getAny().add(endpointReference);

com.sun.xml.ws.security.trust.impl.wssx.bindings.ObjectFactory trustFactory =
        new com.sun.xml.ws.security.trust.impl.wssx.bindings.ObjectFactory();

// Claims to request from VANguard (the createClaims call is commented out below)
ClaimsType claimsType = new ClaimsType();
claimsType.setDialect("http://schemas.xmlsoap.org/ws/2005/05/identity");
claimsType.getAny().add("http://vanguard.ebusiness.gov.au/2008/06/identity/claims/abn");
claimsType.getAny().add("http://vanguard.ebusiness.gov.au/2008/06/identity/claims/credentialtype");
claimsType.getAny().add("http://vanguard.ebusiness.gov.au/2008/06/identity/claims/samlsubjectid");

RequestSecurityTokenType requestSecurityTokenType = new RequestSecurityTokenType();
requestSecurityTokenType.getAny().add(trustFactory.createTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"));
requestSecurityTokenType.getAny().add(trustFactory.createRequestType("http://schemas.xmlsoap.org/ws/2005/02/trust/Issue"));
requestSecurityTokenType.getAny().add(trustFactory.createKeySize(256L));
requestSecurityTokenType.getAny().add(trustFactory.createKeyType("http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey"));
requestSecurityTokenType.getAny().add(trustFactory.createEncryptWith("http://www.w3.org/2001/04/xmlenc#aes256-cbc"));
requestSecurityTokenType.getAny().add(trustFactory.createSignWith("http://www.w3.org/2000/09/xmldsig#hmac-sha1"));
requestSecurityTokenType.getAny().add(trustFactory.createCanonicalizationAlgorithm("http://www.w3.org/2001/10/xml-exc-c14n#"));
requestSecurityTokenType.getAny().add(trustFactory.createComputedKeyAlgorithm("http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1"));
requestSecurityTokenType.getAny().add(trustFactory.createEncryptionAlgorithm("http://www.w3.org/2001/04/xmlenc#aes256-cbc"));
requestSecurityTokenType.getAny().add(trustFactory.createKeyWrapAlgorithm("http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"));
// requestSecurityTokenType.getAny().add(trustFactory.createClaims(claimsType));
// <<--- This fails, due to "javax.xml.bind.JAXBException: com.sun.xml.ws.security.trust.impl.wssx.bindings.ClaimsType is not known to this context"

RequestSecurityTokenResponseCollectionType requestSecurityTokenResponseCollectionType =
        iwsTrust13Sync.trust13Issue(requestSecurityTokenType);
RequestSecurityTokenResponseType requestSecurityTokenResponseType =
        requestSecurityTokenResponseCollectionType.getRequestSecurityTokenResponse().get(0);

System.out.println(requestSecurityTokenResponseType.getAny());
```

Response:

```xml
<?xml version='1.0' encoding='UTF-8'?>
<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
<S:Header>
    <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5002">https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/Service.svc</To>
    <Action xmlns="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing">
        <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing">uuid:41643d54-26c7-41a1-9b4f-4562c09b1068</MessageID>
    <wsse:Security S:mustUnderstand="true">
        <wsu:Timestamp>
            <wsu:Created>2020-02-26T21:13:42Z</wsu:Created>
            <wsu:Expires>2020-02-26T21:18:42Z</wsu:Expires>
        </wsu:Timestamp>
        <!-- BinarySecurityToken and ds:SignedInfo not recoverable from the pasted text -->
        <ds:DigestValue>epvh+s9CXmO58KrzJR8taunQq4MBuPGbdqzRTdOVONU=</ds:DigestValue>
        <ds:DigestValue>NFIt9wkeG4UI7vHo2gK9dGId1xL3ha3GGa7WcVE7E5U=</ds:DigestValue>
        <ds:SignatureValue>4NIcAcneuQnWPlEVoiLfrBT8GZk9hIGXdlkQjSyEqthBmMXduvCyauqrsLw3kzcX1mIfC1CbzhL8HL2PIsLwFIA9fO/m5RAYEPFrH0F0rwiV14zQxvNRJCeDnL44YhcW75N2QCpnHHKSNvQ88KykeRotwtKwIjdVzZSMyxWEgQ0=</ds:SignatureValue>
    </wsse:Security>
</S:Header>
<S:Body>
    <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
        <trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
        <trust:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</trust:RequestType>
        <trust:KeySize>256</trust:KeySize>
        <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
        <trust:EncryptWith>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
        <trust:SignWith>http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
        <trust:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
        <trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm>
        <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
        <trust:KeyWrapAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
    </trust:RequestSecurityToken>
</S:Body>
</S:Envelope>
```

pom.xml (dependencies):

```xml
<dependency><groupId>org.springframework.boot</groupId><artifactId>spring-boot-starter-web-services</artifactId></dependency>
<dependency><groupId>abrakm</groupId><artifactId>abrakm</artifactId><version>1.0</version></dependency>
<dependency><groupId>auskey-dep</groupId><artifactId>auskey-dep</artifactId><version>1.1</version></dependency>
<dependency><groupId>webservices-rt-auskey</groupId><artifactId>webservices-rt-auskey</artifactId><version>1.0</version></dependency>
<dependency><groupId>org.glassfish.metro</groupId><artifactId>webservices-api</artifactId><version>2.4.3</version></dependency>
<dependency><groupId>org.glassfish.metro</groupId><artifactId>webservices-extra</artifactId><version>2.4.3</version></dependency>
```

einxald commented 4 years ago

@scmoriarty Can I have your email as well? I'll respond to you there. I think we've been taking too much space here to be honest.

scmoriarty commented 4 years ago

stephen.c.moriarty@gmail.com


tirthoguha commented 4 years ago

Hi @einxald and others, any chance any of you can help me out with this? Will really appreciate any assistance. Been stuck with this.

I'm using metro 2.4.3 and using local WSDL with Basic256 - for USISERVICE (https://3pt.portal.usi.gov.au/Service/BatchCreateService.svc) & Basic256Sha256 with signatureAlgorithm="SHA256withRSA" for STS1.3 (https://thirdparty.authentication.business.gov.au/R3.0/vanguard/S007v1.3/service.svc) AlgorithmSuite respectively.

Calling the USI service directly - using STSIssuedTokenFeature (below code).

The same implementation below works for USISERVICE 1.2 (didn't have to call STS separately or manually build tokens or claims)

I get a valid response from vanguard however get http 500 from USISERVICE 1.3 with message "a:InvalidSecurity An error occurred when verifying security for the message."

```java
private STSIssuedTokenFeature getSTSIssuedTokenFeature() {
    String STS_WSDL_LOCATION = "/META-INF/STS-1.3.wsdl";
    URL stsWsdl = USISoapGatewayImpl.class.getResource(STS_WSDL_LOCATION);
    DefaultSTSIssuedTokenConfiguration stsIssuedTokenConfiguration = new DefaultSTSIssuedTokenConfiguration(
            STSIssuedTokenConfiguration.PROTOCOL_13,
            this.getStsEndpoint(),
            stsWsdl.toString(),   // local, modified STS WSDL
            this.getStsServiceName(),
            this.getStsPortName(),
            "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice");
    stsIssuedTokenConfiguration.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
    STSIssuedTokenFeature stsIssuedTokenFeature = new STSIssuedTokenFeature(stsIssuedTokenConfiguration);
    return stsIssuedTokenFeature;
}
```

```java
String USI_WSDL_LOCATION = "/META-INF/BatchCreateService.wsdl";
URL usiWsdl = USISoapGatewayImpl.class.getResource(USI_WSDL_LOCATION);
USIService service = new USIService(usiWsdl);
STSIssuedTokenFeature stsIssueTokenFeature = getSTSIssuedTokenFeature();
IUSIService endpoint = service.getWS2007FederationHttpBindingIUSIService(new WebServiceFeature[] {stsIssueTokenFeature});
setupRequestContext(endpoint, certificate, privateKey);
```

```java
private void setupRequestContext(IUSIService endpoint, X509Certificate certificate, PrivateKey privateKey) {
    String STS_WSDL_LOCATION = "/META-INF/STS-1.3.wsdl";
    URL stsWsdl = USISoapGatewayImpl.class.getResource(STS_WSDL_LOCATION);
    String USI_WSDL_LOCATION = "/META-INF/BatchCreateService.wsdl";
    URL usiWsdl = USISoapGatewayImpl.class.getResource(USI_WSDL_LOCATION);   // loaded but not used below
    Map<String, Object> requestContext = ((BindingProvider) endpoint).getRequestContext();
    requestContext.put(XWSSConstants.CERTIFICATE_PROPERTY, certificate);
    requestContext.put(XWSSConstants.PRIVATEKEY_PROPERTY, privateKey);
    requestContext.put(XWSSConstants.PASSWORD_PROPERTY, this.getKeystorePassword());
    requestContext.put(STSIssuedTokenConfiguration.STS_ENDPOINT, this.getStsEndpoint());
    requestContext.put(STSIssuedTokenConfiguration.STS_NAMESPACE, "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice");
    requestContext.put(STSIssuedTokenConfiguration.STS_WSDL_LOCATION, stsWsdl.toString());
    requestContext.put(STSIssuedTokenConfiguration.STS_SERVICE_NAME, this.getStsServiceName());
    requestContext.put(STSIssuedTokenConfiguration.STS_PORT_NAME, this.getStsPortName());
    requestContext.put(BindingProviderProperties.REQUEST_TIMEOUT, RequestTimeout);
    requestContext.put(BindingProviderProperties.CONNECT_TIMEOUT, ConnectionTimeout);
}
```

PetrShchukin commented 4 years ago

Hi, in order to change a key algorithm you can do:

  1. Download the source code for Metro
  2. Create the folder com/sun/xml/wss/impl/misc
  3. Copy the SecurityUtil.java class
  4. Change the getKeyAlgo method

That fixes your algorithm with the STS. Speaking of USI, they have a wrong WSDL; you need to download it manually and change to

tirthoguha commented 4 years ago

Got it working with Metro 2.3.1. To connect to USI Service V3: modify the AlgorithmSuite in the STS WSDL and add the signatureAlgorithm attribute (like below), then supply the modified WSDL in the requestContext using STSIssuedTokenConfiguration.STS_WSDL_LOCATION.

`

`
Modify the AlgorithmSuite in the USI WSDL, as suggested above, from Basic256Sha256Rsa15 to Basic256. Also need to make sure that for the USI request the Signature Assertion is after the Encrypted Assertion. Thank you.
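
The workaround described in the comments above (save the WSDL locally, change the declared sp:AlgorithmSuite, point the client at the local copy) done mechanically, plus a check of whether the declared suite actually fits the algorithms a peer's Security header carries. This is an added example in Python, not code from the Metro project or from anyone in this thread; it goes a little beyond the thread in covering the four Basic256 variants and both WS-SecurityPolicy namespaces, and the WSDL fragment, envelope and PLACEHOLDER values are constructed.

```python
"""Read, rewrite and cross-check the WS-SecurityPolicy AlgorithmSuite of a WSDL.
Added example, not code from the Metro project or this thread; the sample WSDL
and envelope are constructed, with PLACEHOLDER standing in for real values."""
import xml.etree.ElementTree as ET

# WS-SecurityPolicy namespaces: 1.2 (what WCF emits) and the older 2005/07 one.
SP_NS = ("http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
         "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy")
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
ET.register_namespace("sp", SP_NS[0])  # keep the sp: prefix when re-serialising

# Algorithms each suite requires (WS-SecurityPolicy 1.2, section 6.1): digest, symmetric
# encryption, asymmetric key wrap.  The asymmetric signature is RSA-SHA1 for all four.
SUITES = {
    "Basic256":            (DS + "sha1",     XENC + "aes256-cbc", XENC + "rsa-oaep-mgf1p"),
    "Basic256Sha256":      (XENC + "sha256", XENC + "aes256-cbc", XENC + "rsa-oaep-mgf1p"),
    "Basic256Rsa15":       (DS + "sha1",     XENC + "aes256-cbc", XENC + "rsa-1_5"),
    "Basic256Sha256Rsa15": (XENC + "sha256", XENC + "aes256-cbc", XENC + "rsa-1_5"),
}

def _suite_assertions(root):
    """Yield (ns, element) for each suite assertion under sp:AlgorithmSuite/wsp:Policy."""
    for ns in SP_NS:
        for suite in root.iter("{%s}AlgorithmSuite" % ns):
            for policy in suite:        # the wsp:Policy wrapper
                for child in policy:    # sp:Basic256Sha256Rsa15, sp:InclusiveC14N, ...
                    if child.tag.split("}")[-1].startswith(("Basic", "TripleDes")):
                        yield ns, child

def declared_suites(wsdl_xml):
    """Suite names the WSDL's policies declare, in document order."""
    return [c.tag.split("}")[-1] for _, c in _suite_assertions(ET.fromstring(wsdl_xml))]

def rewrite_suite(wsdl_xml, old, new):
    """The thread's 'edit the local WSDL' workaround done mechanically: returns
    (rewritten WSDL text, number of sp:<old> assertions turned into sp:<new>)."""
    if new not in SUITES:
        raise ValueError("unknown algorithm suite: " + new)
    root, count = ET.fromstring(wsdl_xml), 0
    for ns, child in _suite_assertions(root):
        if child.tag == "{%s}%s" % (ns, old):
            child.tag = "{%s}%s" % (ns, new)
            count += 1
    return ET.tostring(root, encoding="unicode"), count

def observed_algorithms(envelope_xml):
    """Algorithm URIs actually present in a message's WS-Security header."""
    root = ET.fromstring(envelope_xml)
    found = {"digest": {e.get("Algorithm") for e in root.iter("{%s}DigestMethod" % DS)},
             "encryption": set(), "keywrap": set()}
    for container, key in (("EncryptedData", "encryption"), ("EncryptedKey", "keywrap")):
        for elem in root.iter("{%s}%s" % (XENC, container)):
            method = elem.find("{%s}EncryptionMethod" % XENC)
            if method is not None:
                found[key].add(method.get("Algorithm"))
    return found

def consistent_suites(observed):
    """Suites whose required algorithms agree with everything observed; a category
    absent from the message (e.g. nothing encrypted) is simply not compared."""
    matches = []
    for name, (digest, enc, keywrap) in SUITES.items():
        required = {"digest": {digest}, "encryption": {enc}, "keywrap": {keywrap}}
        if all(observed[k] <= required[k] for k in required):
            matches.append(name)
    return matches

def policy_mismatch(wsdl_xml, envelope_xml):
    """True when no suite the WSDL declares fits what the peer actually sent."""
    usable = consistent_suites(observed_algorithms(envelope_xml))
    return not any(s in usable for s in declared_suites(wsdl_xml))

# Constructed WCF-style WSDL fragment declaring Basic256Sha256Rsa15.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
 <wsp:Policy><wsp:ExactlyOne><wsp:All><sp:SymmetricBinding><wsp:Policy>
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic256Sha256Rsa15/></wsp:Policy></sp:AlgorithmSuite>
 </wsp:Policy></sp:SymmetricBinding></wsp:All></wsp:ExactlyOne></wsp:Policy></wsdl:definitions>"""

# Constructed message using SHA-1 digests and RSA-OAEP key wrap, i.e. what a Basic256 peer sends.
SAMPLE_ENVELOPE = """<S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
 <S:Header><wsse:Security S:mustUnderstand="true">
  <xenc:EncryptedKey><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
   <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData></xenc:EncryptedKey>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
   <ds:Reference URI="#_1"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
   <ds:DigestValue>PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
   <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
 </wsse:Security></S:Header><S:Body/></S:Envelope>"""
```

Running `policy_mismatch(SAMPLE_WSDL, SAMPLE_ENVELOPE)` reports the mismatch the thread describes (declared Basic256Sha256Rsa15, peer behaving as Basic256); after `rewrite_suite(SAMPLE_WSDL, "Basic256Sha256Rsa15", "Basic256")` the rewritten WSDL agrees with the message.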

tirthoguha commented 4 years ago

Hi @einxald, when using M2M the service returns the below error upon using a Software Provider's Machine Credential. The STS request was successful with SSID, first party and second party ABN in ActAs. However, the request to USI is failing.

3010 Invalid AusKey Token Type AusKey is not a DEVICE key.

einxald commented 4 years ago

@tirthoguha You're most likely missing the claims. You need to add these claims in your request:

http://vanguard.ebusiness.gov.au/2008/06/identity/claims/abn
http://vanguard.ebusiness.gov.au/2008/06/identity/claims/credentialtype
http://vanguard.ebusiness.gov.au/2008/06/identity/claims/samlsubjectid

If anyone has any further questions, send me an email at marcaidadj@gmail.com. We've been taking too much space in the Metro repo. Good luck, guys.