The SslContextToken part of the policy is a Microsoft-defined extension
to the standard which is not widely (or at all?) supported by Java
stacks. It provides a way for the client to get a server certificate at
the time of setting up a connection, rather than having it in advance in
a truststore (the normal scenario). This page discusses it in more
detail, including telling the Microsoft developers how to turn it off in
their configuration:
http://webservices20.blogspot.com/2008/10/interoperability-gotcha-sslcontexttoken.html

As to implementing support for it in CXF, it's probably going to be
fairly involved. AFAIK there's no existing case of runtime certificate
negotiation you could use as the basis for your code, so you'd have to
implement the negotiation part yourself, then add the server certificate
to a truststore for use by the WSS4J security implementation code - but
only for the duration of the secure conversation.

  - Dennis
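The last paragraph of the reply describes trusting a server certificate obtained at connection time, but only for the lifetime of one secure conversation. The class below is an added illustration of that scoped trust store using only standard JSSE APIs (KeyStore, TrustManagerFactory, SSLContext); it is not CXF or WSS4J code, and the class name, the `expectedFingerprint` argument and the file path read in `main` are assumptions. The one thing the reply does not spell out, and which a practitioner should insist on, is that a certificate handed over by the peer itself proves nothing until it is matched against something known out of band, so the helper refuses any certificate whose SHA-256 fingerprint does not match a pinned value.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical in-memory trust store whose entries live only as long as one
 * secure conversation. Not part of CXF or WSS4J; added here as an example.
 */
public final class ConversationTrustStore implements AutoCloseable {
    private final KeyStore store;

    public ConversationTrustStore() throws Exception {
        store = KeyStore.getInstance(KeyStore.getDefaultType());
        store.load(null, null); // an empty store, nothing read from disk
    }

    /** Parses a DER- or PEM-encoded X.509 certificate. */
    public static X509Certificate parse(byte[] encoded) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded));
    }

    /** SHA-256 over the DER encoding, as lower-case hex. */
    public static String fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder(digest.length * 2);
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * Admits a certificate received during connection set-up only if it is
     * currently valid and its fingerprint equals one obtained out of band
     * (assumed to be configured by the operator, not taken from the peer).
     */
    public void trust(String alias, X509Certificate cert, String expectedFingerprint) throws Exception {
        cert.checkValidity(); // throws if expired or not yet valid
        byte[] actual = fingerprint(cert).getBytes("US-ASCII");
        byte[] expected = expectedFingerprint.toLowerCase().getBytes("US-ASCII");
        if (!MessageDigest.isEqual(actual, expected)) { // constant-time compare
            throw new SecurityException("fingerprint mismatch for " + cert.getSubjectX500Principal());
        }
        store.setCertificateEntry(alias, cert);
    }

    /** Builds an SSLContext that trusts exactly the certificates admitted so far. */
    public SSLContext sslContext() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** End of the conversation: every admitted certificate is dropped again. */
    @Override
    public void close() throws Exception {
        for (String alias : Collections.list(store.aliases())) {
            store.deleteEntry(alias);
        }
    }

    // Usage: java ConversationTrustStore <cert-file> <expected-sha256-hex>
    // Both arguments are hypothetical inputs, not values from the thread.
    public static void main(String[] args) throws Exception {
        X509Certificate cert = parse(Files.readAllBytes(Paths.get(args[0])));
        try (ConversationTrustStore ts = new ConversationTrustStore()) {
            ts.trust("conversation-server", cert, args[1]);
            SSLContext ctx = ts.sslContext();
            System.out.println("Trusting " + cert.getSubjectX500Principal()
                    + " (" + fingerprint(cert) + ") for this conversation; protocol " + ctx.getProtocol());
        } // store emptied here
    }
}
```

The `SSLContext` is the object a transport layer would be handed for the duration of the conversation; how WSS4J's Crypto configuration would be pointed at such a store is not shown, since the reply itself only states that this wiring would have to be written.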


On 12/25/2010 08:35 AM, John Franey wrote:
> On Thu, Dec 23, 2010 at 6:00 PM, Dennis Sosnoski <[email protected]> wrote:
>
>> John, you might try downloading the sample code from the
>> SymmetricBinding article referenced by Glen
>> (http://www.ibm.com/developerworks/java/library/j-jws17/index.html) as a
>> basis for trying your policy. First build and test the supplied sample
>> using your CXF installation, then substitute your policy for the one in
>> the sample code WSDL. Hopefully that could help you find the cause of
>> the problems.
>>
> OK, using cxf 2.2.8, I make the policy substitution, and get this, with
> scencr:
>
>      [java] Dec 24, 2010 1:55:01 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl build
>      [java] WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/2005/07/securitypolicy}SslContextToken registered.
>      [java] Dec 24, 2010 1:55:02 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
>      [java] WARNING: Interceptor for {http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}SecurityTokenService#{http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}RequestSecurityToken has thrown exception, unwinding now
>      [java] org.apache.cxf.interceptor.Fault: No signature token
>      [java] at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:384)
>
> I interpret the first warning to mean an 'assertion builder' needs to be
> implemented and registered for this type.   Is this 'builder' a pluggable
> component?  How would I find out if a builder for this type already exists?
>  Is implementing a builder a complex task?  Is this work reserved to cxf
> developers or are users of the library expected to provide these as they
> need?  If I get one, or write one, how do I register it?  Is it easier to
> beg the service provider to change the policy and if so, how can I express
> that in their terms (I am an alien to the .net environment)?
>
> I interpret the second warning to mean that I did not satisfy the
> configuration requirement of the policy.  In this case, it is missing its
> signature token.  I need to discover the name of this property, and how to
> set it, and what value to set it to.
>
> So, I guess I have some digging through the cxf pages.  Am I asking the
> right questions? and do you expect the cxf web pages will give me answers?
>
> Thanks,
> John
>
>
>> The comment from the article that "CXF was the only stack that worked
>> with the policy as written." only applied to the WS-SecureConversation
>> policy shown in Listing 2. WS-SC configurations tend to be more
>> failure-prone than regular WS-Security configurations, in my experience,
>> since there are more "moving parts" involved in the operation. All three
>> of the stacks I tried were able to handle the basic SymmetricBinding
>> configuration.
>>
>>  - Dennis
>>
>> Dennis M. Sosnoski
>> Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
>> Axis2/CXF/Metro SOA and Web Services Training
>> <http://www.sosnoski.com/training.html>
>> Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
>>
>>
>> On 12/24/2010 10:26 AM, Glen Mazza wrote:
>>> It *could* be your service provider is not detecting the
>>> SymmetricBinding tag because two additional libraries need to be
>>> declared in your web.xml:
>>> http://www.jroller.com/gmazza/entry/cxf_x509_profile_secpol (see the
>>> section on |contextConfigLocation|, it will point you to a username
>>> token article.)
>>>
>>> HTH,
>>> Glen
>>>
>>>
>>>
>>>
>>> On 23.12.2010 16:20, John Franey wrote:
>>>> Thanks.
>>>>
>>>> On Thu, Dec 23, 2010 at 4:01 PM, Glen Mazza<[email protected]>
>>>> wrote:
>>>>
>>>>         
>>>>> On http://www.sosnoski.com/articles.html, I think you'll want the 2nd
>>>>> article:WS-Security without client certificates<
>>>>> http://www.ibm.com/developerworks/java/library/j-jws17/index.html>
>>>>>
>>>>> This statement from that article is why I am wanting to use CXF:
>>>>> "CXF was
>>>>>           
>>>> the only stack that worked with the policy as written."
>>>>
>>>> The policy I am consuming looks much like the ones in his article.
>>>> So, I'm
>>>> expecting success.  I believe symmetric binding is supported.
>>>>
>>>> Should I conclude that the 'right wsdl' is enough to activate symmetric
>>>> binding?  or is there some other configuration needed?
>>>>
>>>> The message "SymmetricBinding not supported" implies the latter, I
>>>> think.
>>>>
>>>>
>>>>> HTH,
>>>>> Glen
>>>>>
>>>>>
>>>>>
>>>>> On 23.12.2010 15:32, John Franey wrote:
>>>>>
>>>>>> I believe symmetric binding policy is supported in cxf 2.3.1, but
>>>>>> this log
>>>>>> message says no:
>>>>>>
>>>>>> [PolicyEngineImpl] Alternative {
>>>>>> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}SymmetricBinding
>>>>>> is not supported
>>>>>>
>>>>>> I've been working over the cxf documentation for over a day.  I am
>>>>>> stumped.
>>>>>>
>>>>>> What do I have to do to turn on support for symmetric binding?
>>>>>>
>>>>>> I'm writing a client that will run in jbossws-cxf 3.4.0.
>>>>>>
>>>>>> Thanks,
>>>>>> John
>>>>>>
>>>>>>
>>>>> --
>>>>>
>>>>> Glen Mazza
>>>>> gmazza at apache dot org
>>>>> http://www.jroller.com/gmazza
>>>>>
