DMARC: ESPs host as sender in report - email

We're sending emails. We're sending thousands of emails per day because we have our customers who'd like to be informed by us (and we do have their consents ;) ).
And we've just enabled DMARC with p=none to see what will happen. And here it comes:
<?xml version="1.0"?>
<feedback>
<report_metadata>
<org_name>Yahoo! Inc.</org_name>
<email>postmaster#dmarc.yahoo.com</email>
<report_id>report.id.here</report_id>
<date_range>
<begin>1545350400</begin>
<end>1545436799</end>
</date_range>
</report_metadata>
<policy_published>
<domain>our-email-domain.tld</domain>
<adkim>r</adkim>
<aspf>r</aspf>
<p>none</p>
<pct>100</pct>
</policy_published>
<record>
<row>
<source_ip>209.85.221.48</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>our-email-domain.tld</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>gmail.com</domain>
<result>neutral</result>
</dkim>
<spf>
<domain>gmail.com</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>212.227.15.3</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>our-email-domain.tld</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>srs.web.de</domain>
<result>neutral</result>
</dkim>
<spf>
<domain>srs.web.de</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>212.227.15.3</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>our-email-domain.tld</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>web.de</domain>
<result>neutral</result>
</dkim>
<spf>
<domain>web.de</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>OUR.MX.IP</source_ip>
<count>175</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>our-email-domain.tld</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>our-email-domain.tld</domain>
<result>neutral</result>
</dkim>
<spf>
<domain>our-email-domain.tld</domain>
<result>pass</result>
</spf>
</auth_results>
</record>
<record>
<row>
<source_ip>77.238.176.162</source_ip>
<count>1</count>
<policy_evaluated>
<disposition>none</disposition>
<dkim>pass</dkim>
<spf>fail</spf>
</policy_evaluated>
</row>
<identifiers>
<header_from>our-email-domain.tld</header_from>
</identifiers>
<auth_results>
<dkim>
<domain>our-email-domain.tld</domain>
<result>neutral</result>
</dkim>
<spf>
<domain>our-email-domain.tld</domain>
<result>softfail</result>
</spf>
</auth_results>
</record>
</feedback>
This is a report from Yahoo, and I see pretty similar reports from Google and many other ESPs.
209.85.221.48 - Google forwarding email to Yahoo ?
212.227.15.3 - web.de forwarded to Yahoo twice from different hosts ??
77.238.176.162 - Yahoo host forwarded to another Yahoo host ???
What will happen to all of these emails when I turn p=quarantine?
I can understand if one wants to receive emails from all his mailboxes in one. What I can't understand is why ESPs analyze DKIM/SPF when transferring messages between their own hosts. Policies are supposed to fail in this case and the recipient will receive it in Spam in case of p=quarantine, no?

To answer your specific questions:
Yes, that seems right.
Yes, that seems right.
Yes, that seems right.
There are many examples of when these situations occur. Simple forwarding rules to receive your work email in your personal email box is one. Another one is when your company (as the recipient) uses GSuite and uses Groups (distribution lists) to forward emails to their final destination, the users. Google will report on this in DMARC as well.
Another common case is when external email security filters forward inbound emails to an email server that checks for DMARC compliance and sends reports.
What will happen to all of these emails when I turn p=quarantine?
Generally, DMARC will pass when either SPF or DKIM generate a pass result in alignment with the Header.From domain, found in the <identifiers> node in the XML report. Those results are listed in the <policy_evaluated> node.
In all of your examples, the <policy_evaluated> results show a DKIM Pass result, so it should pass DMARC. However, in your examples all of the DKIM evaluations in the <auth_results> node show a neutral result for DKIM, including the one sent from your MX record IP address.
RFC 7601 states the following on a neutral result for DKIM:
neutral: The message was signed, but the signature or signatures
contained syntax errors or were not otherwise able to be
processed. This result is also used for other failures not
covered elsewhere in this list.
This could be a specific issue with Yahoo's DKIM checker, but best to check the DKIM status in Google's (and others) DMARC reports as well.
Final advice: Go check the DKIM results in other DMARC reports before moving to p=quarantine.
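The comparison the answer performs by eye can be scripted across many reports. The following is an added example, not code from the question or the answer: it recomputes each record's DKIM and SPF verdict from the `<auth_results>` rows and flags records whose `<policy_evaluated>` verdict those rows do not support. The function names, the sample report and the simplified relaxed-alignment rule are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the report above: placeholder domain,
# documentation-range IP addresses, two of the record shapes from the question.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
<policy_published>
<domain>our-email-domain.tld</domain><adkim>r</adkim><aspf>r</aspf><p>none</p>
</policy_published>
<record>
<row><source_ip>192.0.2.10</source_ip><count>175</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
</row>
<identifiers><header_from>our-email-domain.tld</header_from></identifiers>
<auth_results>
<dkim><domain>our-email-domain.tld</domain><result>neutral</result></dkim>
<spf><domain>our-email-domain.tld</domain><result>pass</result></spf>
</auth_results>
</record>
<record>
<row><source_ip>198.51.100.7</source_ip><count>1</count>
<policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
</row>
<identifiers><header_from>our-email-domain.tld</header_from></identifiers>
<auth_results>
<dkim><domain>gmail.com</domain><result>neutral</result></dkim>
<spf><domain>gmail.com</domain><result>pass</result></spf>
</auth_results>
</record>
</feedback>"""

MECHANISMS = ("dkim", "spf")


def aligned(auth_domain, header_from, mode):
    """Identifier alignment check.

    Simplification (assumption): relaxed mode accepts an exact match or a
    subdomain of header_from instead of doing a Public Suffix List lookup.
    """
    a = auth_domain.strip().lower().rstrip(".")
    h = header_from.strip().lower().rstrip(".")
    if not a or not h:
        return False
    if mode == "s":
        return a == h
    return a == h or a.endswith("." + h)


def analyze(report_xml):
    """Return one finding per <record>, comparing reported and derived verdicts."""
    # Aggregate reports arrive from third parties: refuse DTDs before parsing.
    if "<!doctype" in report_xml.lower():
        raise ValueError("DTD not allowed in aggregate report")
    root = ET.fromstring(report_xml)
    modes = {"dkim": root.findtext("policy_published/adkim", "r").strip(),
             "spf": root.findtext("policy_published/aspf", "r").strip()}
    findings = []
    for rec in root.iter("record"):
        header_from = rec.findtext("identifiers/header_from", "")
        reported = {m: rec.findtext("row/policy_evaluated/" + m, "").strip()
                    for m in MECHANISMS}
        derived = {}
        for m in MECHANISMS:
            # A mechanism counts only if some row both passed and is aligned.
            ok = any(r.findtext("result", "").strip() == "pass"
                     and aligned(r.findtext("domain", ""), header_from, modes[m])
                     for r in rec.findall("auth_results/" + m))
            derived[m] = "pass" if ok else "fail"
        findings.append({
            "source_ip": rec.findtext("row/source_ip", "").strip(),
            "count": int(rec.findtext("row/count", "0")),
            "dmarc_reported": "pass" in reported.values(),
            "dmarc_derived": "pass" in derived.values(),
            "inconsistent": [m for m in MECHANISMS if reported[m] != derived[m]],
        })
    return findings


def unsupported_sources(findings):
    """Sources whose reported DMARC pass has no aligned pass behind it."""
    return [f["source_ip"] for f in findings
            if f["dmarc_reported"] and not f["dmarc_derived"]]
```

Sources returned by `unsupported_sources` are the ones to investigate before tightening the policy, because their reported pass depends entirely on a verdict the detailed rows do not confirm.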

Related

ADFS 2012 response is not returning Name ID

My application is sending a SAML request to ADFS, which prompts me to log in to the AD, and my application is getting a SAML response back. However, it does not contain a Name ID.
In the Claims rules I set up these two:
Send LDAP Attributes as Claims
LDAP Attribute: E-Mail-Addresses
Outgoing Claim Type: E-Mail Address
Attribute Store: Active Directory
Transform an Incoming Claim
Incoming Claim Type: E-Mail Address
Outgoing Claim Type: Name ID
Outgoing Name ID Format: Email
Pass through all claim values
I assume that when I am prompted to enter my email address, that this email address is added to the incoming claim?
Why isn't it transforming it and sending it back? I think there should be a "NameID" node in the Subject?
Response XML:
<samlp:Response ID="_e7eae5c5-abf6-4f8f-a869-95ecc373410a" Version="2.0" IssueInstant="2023-01-16T15:55:47.323Z" Destination="https://localhost:8443/rrdefenceweb/services/ui/authenticateSaml" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="iddd342818-ac09-40cc-9c79-12e61dab8165"
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://adfs.adfstest.com/adfs/services/trust
</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<Assertion ID="_196d47b3-d764-4a73-a136-2cd8cbd2a905" IssueInstant="2023-01-16T15:55:47.323Z" Version="2.0"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>http://adfs.adfstest.com/adfs/services/trust</Issuer>
<ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
<ds:Reference URI="#_196d47b3-d764-4a73-a136-2cd8cbd2a905">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
<ds:DigestValue>Y2uhE7CuNU4iI4r8N6nRMGhzV8icSjUrxrInhXZzFoQ=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>JVE8Pk2CDVmIoXCLxr1zITlOaOublJY5nwF9kxBA+T80KYI97N36DwcGIN2pJN4KjPbQfR/LHHXVXmaEzBoA5kZ2Bii3r49qlDWi1eujfDL8lY/GLiUNuZCALRqPpS2f6TKeKucECQVgqE5WMVHeULjLBOQI41alEfHqnGVABQLoKhB8LSBeJU2f65hapKG0Q2ffmr+BunxH+Srfz5oBF+pScQwtsrP/Kr4SD4DvmLz/xCEyKNqzaDT+WNwZ9MN2Rjtx3hOiS/YBjJ9CqUYGdxAglEg7yu3uzQ4UsqM4MlZSBY5lPtTa16qYSwq2NgM6sQrMAo5BVsLz3kIfJlulOg==</ds:SignatureValue>
<KeyInfo
xmlns="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIC3jCCAcagAwIBAgIQRiRqmG8/OKBIVDkoSvTPcDANBgkqhkiG9w0BAQsFADArMSkwJwYDVQQDEyBBREZTIFNpZ25pbmcgLSBhZGZzLmFkZnN0ZXN0LmNvbTAeFw0yMzAxMDkxODQ1MzdaFw0yNDAxMDkxODQ1MzdaMCsxKTAnBgNVBAMTIEFERlMgU2lnbmluZyAtIGFkZnMuYWRmc3Rlc3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/C6v11/9nwR6JpY2Q0H+Q/DE4jXi7y7h/KXdlBS/ktnCUoesRcgmyTdzoU0+DK7hZXZ+V4qk2KYYcRlikiL9nGkLkA+wIIAdrKLZzraD+H+TCAYLyVY21oUGUg2oD8WqibwtutJejX+9ATJ9xCBu+xX2VDXUmQEyTqNYIj98/XAiob+eQbCfDQuoadLRo5UfM/9jOaRUHmVo9xdP58d7egKpSfhungYA3Kilc6Lu38QywnxYQlq2KpZ67SJr3cuERc1wOUzTcgKcVdvv+sUBQ5uj01SYAUX+snhgjr8/w9+13AVoTiyTbEmjW+lK3e26Rb4QQ2P/ZGmGpIz3hLyMAQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQCtQ+9sAWwPJmNN6TUEqqUV068u98Yk22cNqrwKx3HMrZKcj2jBQ5+4zCzYtPRt4dToapYeWIsMVasb4yQ+BT7y8dPaeHRezCUwvRpDGBroQYL0BFVyxE1P4tM7OZR5bV+zGMT857Nvm+0uSHzMJGrjGFa91ZgazDAEdIgQ96x/I48CrftPzhUkLWZgW2xNv1Z4DdgO7ImjvB49dNQuwv0aiZOiL2xuPj/FcQpqklu/VL3aKFiS4TL0cPEdJVE7KHtkBqT6Uje4xuWBAXHOfKCJ6gIbE9I9WyQ6bPSRNqDhQV9povM56Yob8g7Nhva/486Xd4kwzm6gzh4M24LywZgW</ds:X509Certificate>
</ds:X509Data>
</KeyInfo>
</ds:Signature>
<Subject>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="iddd342818-ac09-40cc-9c79-12e61dab8165" NotOnOrAfter="2023-01-16T16:00:47.323Z" Recipient="https://localhost:8443/rrdefenceweb/services/ui/authenticateSaml" />
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2023-01-16T15:55:47.323Z" NotOnOrAfter="2023-01-16T16:55:47.323Z">
<AudienceRestriction>
<Audience>https://localhost:8443/rrdefenceweb</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2023-01-16T10:53:40.791Z">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
</samlp:Response>
Federation XML:
https://adfs.adfstest.com/federationmetadata/2007-06/federationmetadata.xml
It was because in the Active Directory, my user did not have an Email Address set (even though my login name was in an email format, it is a separate field that needs setting).
Answer worked out thanks to this:
Why is ADFS not returning an email claim?

WildFly 10.1.0: ActiveMQConnectionTimedOutException while the server is running

We have a WildFly 10 instance configured with ActiveMQ Artemis.
After the server had been running for weeks, we found this error when putting a message in a queue:
WARN [com.arjuna.ats.jta] (default task-39) ARJUNA016061: TransactionImple.enlistResource - XAResource.start returned: XAException.XAER_RMFAIL for < formatId=131077, gtrid_length=29, bqual_length=36, tx_uid=0:ffff0a4809a7:12ad14f2:613b6c2b:8c8976c, node_name=1, branch_uid=0:ffff0a4809a7:12ad14f2:613b6c2b:8c89779, subordinatenodename=null, eis_name=java:/JmsXA NodeId:560e8de4-ccea-11eb-a9ec-014175cacf74 >: javax.transaction.xa.XAException
at org.apache.activemq.artemis.ra.ActiveMQRAXAResource.start(ActiveMQRAXAResource.java:85)
at org.apache.activemq.artemis.service.extensions.xa.ActiveMQXAResourceWrapperImpl.start(ActiveMQXAResourceWrapperImpl.java:121)
at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.enlistResource(TransactionImple.java:662)
at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.enlistResource(TransactionImple.java:423)
...
Caused by: ActiveMQConnectionTimedOutException[errorType=CONNECTION_TIMEDOUT message=AMQ119014: Timed out after waiting 30,000 ms for response when sending packet 44]
at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:398)
at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:304)
at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQSessionContext.simpleRollback(ActiveMQSessionContext.java:299)
at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.rollback(ClientSessionImpl.java:542)
at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.rollback(ClientSessionImpl.java:513)
at org.apache.activemq.artemis.core.client.impl.ClientSessionImpl.resetIfNeeded(ClientSessionImpl.java:594)
at org.apache.activemq.artemis.ra.ActiveMQRAXAResource.start(ActiveMQRAXAResource.java:80)
... 131 more
This error appears on each operation on the queues until the server is restarted.
The exception was logged by a local client (a war deployed in the application server itself). The local client sends messages, and there are remote consumers consuming them. When the error occurred, the application server load was not higher than usual. I did not collect a thread dump; I can try to collect one if the error occurs again.
The subsystem configuration is:
<subsystem xmlns="urn:jboss:domain:messaging-activemq:1.0">
<server name="default">
<management jmx-enabled="true" />
<security enabled="false" />
<bindings-directory
path="/data/activemq/bindings" />
<journal-directory path="/data/activemq/journal" />
<large-messages-directory
path="/data/activemq/largemessages" />
<paging-directory path="/data/activemq/pages" />
<security-setting name="#">
<role name="guest" delete-non-durable-queue="true"
create-non-durable-queue="true" consume="true" send="true" />
</security-setting>
<address-setting name="#"
message-counter-history-day-limit="10" page-size-bytes="2097152"
max-size-bytes="104857600" max-delivery-attempts="-1"
redelivery-delay="300000" expiry-address="jms.queue.ExpiryQueue"
dead-letter-address="jms.queue.DLQ" />
<address-setting
name="jms.queue.queue1" max-delivery-attempts="-1"
expiry-address="jms.queue.ExpiryQueue"
dead-letter-address="jms.queue.DLQ" redelivery-delay="120000" />
<http-connector name="http-connector"
endpoint="http-acceptor" socket-binding="messaging" />
<http-connector name="http-connector-throughput"
endpoint="http-acceptor-throughput" socket-binding="messaging">
<param name="batch-delay" value="50" />
</http-connector>
<in-vm-connector name="in-vm" server-id="0" />
<http-acceptor name="http-acceptor"
http-listener="default" />
<http-acceptor name="http-acceptor-throughput"
http-listener="default">
<param name="batch-delay" value="50" />
<param name="direct-deliver" value="false" />
</http-acceptor>
<in-vm-acceptor name="in-vm" server-id="0" />
<jms-queue name="ExpiryQueue"
entries="java:/jms/queue/ExpiryQueue" />
<jms-queue name="DLQ" entries="java:/jms/queue/DLQ" />
<jms-queue name="queue1"
entries="queue1 queue/queue1 jms/queue/queue1 java:jboss/exported/queue1" />
<!--
...
-->
<jms-queue name="queueN"
entries="queueN queue/queueN jms/queue/queueN java:jboss/exported/queueN" />
<connection-factory name="InVmConnectionFactory"
entries="java:/ConnectionFactory" connectors="in-vm" />
<connection-factory
name="RemoteConnectionFactory"
failover-on-initial-connection="true" reconnect-attempts="-1"
block-on-acknowledge="true" consumer-window-size="0"
client-failure-check-period="10000" ha="true"
entries="java:jboss/exported/jms/RemoteConnectionFactory"
connectors="http-connector" />
<pooled-connection-factory
name="activemq-ra" transaction="xa"
entries="java:/JmsXA java:jboss/DefaultJMSConnectionFactory"
connectors="in-vm" />
</server>
</subsystem>
Is there any configuration error? Can anyone suggest a solution for this error?
WildFly 10.1.0 was released in August 2016 and it uses ActiveMQ Artemis 1.1.0, which was released in October 2015, nearly 6 years ago now. WildFly is up to version 25 now and ActiveMQ Artemis is at 2.18.0 now. I strongly encourage you to upgrade to a later release of WildFly or even use the latest release of ActiveMQ Artemis standalone (i.e. not embedded in WildFly).
Even if a bug is identified in 1.1.0 there will be no bug-fix release for this version. In order to get any kind of fix you will be forced to upgrade to the latest version unless you back-port the fix and build it yourself. It's worth noting that many hundreds of bugs have been fixed in ActiveMQ Artemis since 1.1.0 was released. Your issue could very well be among them.

How to consume SAMLResponse using ADFS?

We need to set up ADFS as a service provider. So, we tried to send a SAML response to ADFS. We configured stubs for the claims provider and RPT, and created certs. We try to send the SAML response to adfs/ls/IdpinitiatedSignon.aspx with RelayState.
Here is an example SAML response.
<samlp:Response ID="_6bcc31a5-fcc2-46a6-a84d-0df2cb5bed17" Version="2.0" IssueInstant="2019-03-27T12:37:34.839Z" Destination="https://srv2012-test-dc.testdomain.com/adfs/ls/idpinitiatedsignon.aspx" InResponseTo="_728ac076-7b14-4ce2-8efb-ed5c8c9b85f3" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">anthem.cn.com</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion ID="_eeaaab87-0fcc-4ec1-93d3-ed623b27130c" IssueInstant="2019-03-27T12:37:41.843Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>anthem.cn.com</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_eeaaab87-0fcc-4ec1-93d3-ed623b27130c">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>MkByT8QpjpBFszlr74Rx0IZNewk=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>AYhBtCEl4CrsgsuWMaLEDP...</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>MII...</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<Subject>
<NameID>VALERA</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData InResponseTo="_728ac076-7b14-4ce2-8efb-ed5c8c9b85f3" NotBefore="2019-03-27T12:32:34.839Z" NotOnOrAfter="2019-03-27T13:37:34.847Z"/>
</SubjectConfirmation>
</Subject>
<Conditions>
<AudienceRestriction>
<Audience>https://beta3dev.test.com/</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2019-03-27T12:37:41.843Z" SessionIndex="_56b775bf-32a7-4f35-a370-d707a653a5aa">
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
<AttributeStatement>
<Attribute Name="FirstName">
<AttributeValue>valera</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</samlp:Response>
It seems to be valid (we checked with online validators), but ADFS throws an exception:
Microsoft.IdentityServer.Web.UnsupportedSamlResponseException: MSIS7029: The SAML response has content that is not supported.
So, the question is: what's wrong with the SAML?
P.S. Actually, we don't know how an IdP-initiated scenario works. Maybe there is some minimum set of claims, or we can't log in because we don't have working stubs. It would be nice to get some more info about this dataflow.
Ok, it's working now.
There is no request in IdP initiated scenario, so we removed all InResponseTo attributes.
AuthnContext changed to PasswordProtectedTransport.
Name Id can be included but there should be no NotBefore attribute.
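The points from this answer, together with the missing NameID from the earlier ADFS question, can be checked before a response is posted to ADFS. The following is an added example, not code from either thread: a small linter for an unsolicited (IdP-initiated) SAML response. The function name, the finding codes and the sample document are assumptions, and the PasswordProtectedTransport requirement reflects what this answer reports working, not a general SAML rule.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Class the answer reports ADFS accepting in this setup.
EXPECTED_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample: unsigned, trimmed, placeholder IDs and issuer, carrying
# the same attributes as the response in the question.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-response" Version="2.0" InResponseTo="_constructed-request">
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-assertion" Version="2.0">
    <Issuer>idp.example</Issuer>
    <Subject>
      <NameID>user1</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData InResponseTo="_constructed-request"
            NotBefore="2019-03-27T12:32:34Z" NotOnOrAfter="2019-03-27T13:37:34Z"/>
      </SubjectConfirmation>
    </Subject>
    <AuthnStatement AuthnInstant="2019-03-27T12:37:41Z">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>"""


def lint_unsolicited_response(xml_text):
    """Return (code, message) findings for an IdP-initiated SAML response."""
    # Never let a DTD reach the parser when handling SAML documents.
    if "<!doctype" in xml_text.lower():
        raise ValueError("DTD not allowed in SAML response")
    root = ET.fromstring(xml_text)
    findings = []
    # No AuthnRequest exists in this flow, so nothing can be answered.
    if root.get("InResponseTo") is not None:
        findings.append(("response-inresponseto",
                         "Response carries InResponseTo but no request was sent"))
    for assertion in root.findall("saml:Assertion", NS):
        subject = assertion.find("saml:Subject", NS)
        if subject is None or subject.find("saml:NameID", NS) is None:
            findings.append(("subject-nameid-missing",
                             "Subject has no NameID element"))
        path = "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData"
        for scd in assertion.findall(path, NS):
            if scd.get("InResponseTo") is not None:
                findings.append(("scd-inresponseto",
                                 "SubjectConfirmationData carries InResponseTo"))
            if scd.get("NotBefore") is not None:
                findings.append(("scd-notbefore",
                                 "SubjectConfirmationData carries NotBefore"))
        ref_path = "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
        for ref in assertion.findall(ref_path, NS):
            if (ref.text or "").strip() != EXPECTED_CLASS:
                findings.append(("authncontext-class",
                                 "AuthnContextClassRef is " + (ref.text or "").strip()))
    return findings


if __name__ == "__main__":
    for code, message in lint_unsolicited_response(SAMPLE_RESPONSE):
        print(code + ": " + message)
```

Any correction has to be made before the assertion is signed: the enveloped signature in the responses above references the whole Assertion, so editing the Subject afterwards invalidates it.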

STS request with certificate authentication in SoapUI

I have to make a RequestSecurityToken request with a certificate signature and timestamp in SoapUI to get a security token to use in other requests, but I have a problem implementing it correctly.
Here is a correct request, from a different application, but with the same certificate:
<o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2016-10-24T14:35:54.851Z</u:Created>
<u:Expires>2016-10-24T14:40:54.851Z</u:Expires>
</u:Timestamp>
<o:BinarySecurityToken u:Id="uuid-e5fff67c-e3ce-4c63-86da-9661adfd6e0c-2" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">...MIIFgTCCBGmgAwIBAgIKOePZb(shortened)...</o:BinarySecurityToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>tsLKDNU0lJ5SB1p75WGVjd7LMHc=</DigestValue>
</Reference>
<Reference URI="#_1">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>4QwJS9rCbZb1B3DcR37qnuJgSl4=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>...gmAXzaf8hhj44/M0Q(shortened)...</SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference URI="#uuid-e5fff67c-e3ce-4c63-86da-9661adfd6e0c-2"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
In SoapUI, in the WSS config, I added my certificate as a keystore and made an outgoing configuration in which I create a timestamp and a signature. In the signature, I configured it as a binary security token and chose my keystore, alias and password. I have experimented with the methods, but the result closest to the correct one was this:
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="TS-6EB3E416E924850AA51477473502423447">
<u:Created>2016-10-26T09:18:22.423Z</u:Created>
<u:Expires>2016-10-26T09:23:22.423Z</u:Expires>
</u:Timestamp>
<wsse:BinarySecurityToken EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" u:Id="X509-6EB3E416E924850AA51477473502407442">...CCBGmgAwIBAgIKOeP(shortened)..." xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#id-6EB3E416E924850AA51477473502408445">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>ylZ7mgRanKsz3pYpbSXtE3FoVcc=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>...PwHLpHxINEYUGoCM+Tsz9ucg(shortened)...</ds:SignatureValue>
<ds:KeyInfo Id="KI-6EB3E416E924850AA51477473502407443">
<wsse:SecurityTokenReference u:Id="STR-6EB3E416E924850AA51477473502407444">
<wsse:Reference URI="#X509-6EB3E416E924850AA51477473502407442" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
For this request, I get a response with the error message
An error occurred when verifying security for the message.
One of the differences I see is that in the correct request there are two references, with different URIs than in the SoapUI request, but I can't figure out how to reproduce the correct request in SoapUI. I would be glad to get some recommendations; maybe someone has had a similar problem.
By default, SoapUI only signs the SOAP Body element,
but you can add other elements in the "Parts:" configuration.
Add the following (ID, Name, Namespace, Encode) in the Parts table:
First entry, to sign the timestamp content:
ID: leave empty
Name: Timestamp
Namespace: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Encode: Element
Second entry, to sign the body content:
ID: leave empty
Name: Body
Namespace: http://schemas.xmlsoap.org/soap/envelope/
Encode: Element
SoapUI will then sign the Timestamp and Body elements.
Remark: the Timestamp needs to be added before the "Signature" in the list of WSS entries.

Mule Set JSESSIONID from first into 2nd REST request or how to put the cookie through

For my thesis I'm integrating Bonita BPM into a Mule SOA.
To start a new case or process-instance in Bonita I have to call the Bonita REST. First I have to authenticate with that Bonita REST. And here starts my problem.
The authentication works like "You have to call the loginservice and put the responding cookie in all future request".
How could this be done inside a Mule flow? Some articles told me that copy-properties propertyName="JSESSIONID" should do that. But this does not work.
Does anybody have an idea?
Further, here's my flow and the related print messages:
PRINT1 : CopyPropertiesTransformer: Property value for is null, no property will be copied
PRINT 2 : LoggerMessageProcessor: {Set-Cookie=JSESSIONID=F60114E3ECB450A62171E3D63EAC3E4D; Path=/bonita/; HttpOnly}
PRINT 3 : Response code 401 mapped as failure. Message payload is of type: BufferInputStream
<http:request-config name="bos" host="localhost"
port="8080" basePath="/bonita" doc:name="bos-connection" />
<flow name="sendOrderFlow">
<http:listener config-ref="HTTP_Listener_Configuration"
path="/" doc:name="HTTP" />
<http:request config-ref="bos" path="loginservice"
method="GET" followRedirects="false" doc:name="bos-login">
<http:request-builder>
<http:query-param paramName="username" value="walter.bates" />
<http:query-param paramName="password" value="bpm" />
</http:request-builder>
</http:request>
<copy-properties propertyName="JSESSIONID" /> <!-- PRINT 1 HERE -->
<logger message="#[headers:INBOUND:Set-Cookie]" level="INFO" /> <!-- PRINT 2 HERE -->
<http:request config-ref="bos"
path="API/bpm/process" method="GET" followRedirects="false" doc:name="bos-listAvailableProcesses">
<http:request-builder>
<http:query-param paramName="p" value="0" />
</http:request-builder>
</http:request>
</flow>
In addition to JSESSIONID, you also need to include X-Bonita-API-Token in the HTTP header. The value of this header is provided as a cookie sent with the answer to the authentication (i.e. the call to loginservice).