Hi Colm,
Below is my CXF client config and the policy definition in the WSDL. The result is that the STS token is included in the message, but the message is not signed by the client. Am I missing some policy assertion?

I'm getting the error: "Caused by: org.apache.cxf.binding.soap.SoapFault: An error was discovered processing the <wsse:Security> header"

But when I look at the message sent, there's no signature that the service expects. When I do all this programmatically with action SAML_TOKEN_SIGNED, it works fine with the message signed.

-----------
Client config:

        <jaxws:client xmlns:ns1="http://webservice.sap.com"
                id="samlTokenClient"
                serviceClass="com.sap.webservice.QueryServiceInterfaceConfigGenPortType"
                serviceName="ns1:QueryServiceInterfaceConfigGen"
                endpointName="ns1:QueryServiceInterfaceConfigGenPortSoap11"
                address="http://localhost:9101/sourcing/services/QueryServiceService.Soap11Endpoint"
                wsdlLocation="C:/temp/QueryServiceService-policy.xml">

            <jaxws:properties>
                <entry key="ws-security.signature.properties" value="wss40_client.properties" />
                <entry key="ws-security.callback-handler" value="com.sap.cxftest.client.ClientPasswordCallback"/>

                <entry key="ws-security.sts.client">
                    <bean class="org.apache.cxf.ws.security.trust.STSClient">
                        <constructor-arg ref="cxf" />
                        <property name="requiresEntropy" value="false" />
                        <property name="wsdlLocation" value="<STS Endpoint>" />
                        <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}STS" />
                        <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}UT" />
                        <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
                        <property name="keyType" value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey"/>
                        <property name="properties">
                            <map>
                                <entry key="ws-security.username" value="buyer44" />
                                <entry key="ws-security.password" value="password1" />
                                <!-- <entry key="ws-security.username" value="wsclient"/> -->

                                <entry key="ws-security.signature.properties" value="wss40_client.properties" />
                                <entry key="ws-security.encryption.properties" value="wss40_sts.properties" />
                                <entry key="ws-security.encryption.username" value="sts" />
                                <entry key="ws-security.sts.token.properties" value="wss40_sts.properties" />
                                <entry key="ws-security.sts.token.username" value="sts" />
                            </map>
                        </property>
                    </bean>
                </entry>
            </jaxws:properties>

        </jaxws:client>

-----------
Policy in WSDL:

        <wsp:Policy wsu:Id="SAML2Token"
                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:ExactlyOne>
                <wsp:All>
                    <!--wsam:Addressing wsp:Optional="false"> <wsp:Policy/> </wsam:Addressing -->
                    <sp:AsymmetricBinding>
                        <wsp:Policy>
                            <sp:InitiatorToken>
                                <wsp:Policy>
                                    <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                        <sp:RequestSecurityTokenTemplate>
                                            <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
                                            <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
                                            <!--t:KeySize>256</t:KeySize-->
                                        </sp:RequestSecurityTokenTemplate>
                                        <wsp:Policy>
                                            <sp:RequireInternalReference />
                                        </wsp:Policy>
                                    </sp:IssuedToken>
                                </wsp:Policy>
                            </sp:InitiatorToken>
                            <sp:RecipientToken>
                                <wsp:Policy>
                                    <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                                        <wsp:Policy>
                                            <sp:WssX509V3Token10/>
                                        </wsp:Policy>
                                    </sp:X509Token>
                                </wsp:Policy>
                            </sp:RecipientToken>
                            <sp:Layout>
                                <wsp:Policy>
                                    <sp:Lax />
                                </wsp:Policy>
                            </sp:Layout>
                            <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                            </sp:SignedParts>
                            <sp:OnlySignEntireHeadersAndBody />
                            <sp:AlgorithmSuite>
                                <wsp:Policy>
                                    <sp:Basic256 />
                                    <!-- To use the export grade encryption that comes bundled in the JDK,
                                         comment out the above Basic256 algorithm and uncomment the below Basic128. -->
                                    <!-- <sp:Basic128 /> -->
                                </wsp:Policy>
                            </sp:AlgorithmSuite>
                        </wsp:Policy>
                    </sp:AsymmetricBinding>
                </wsp:All>
            </wsp:ExactlyOne>
        </wsp:Policy>
        <wsdl:types>
-----------


-Vinay
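As an added check (not code from this thread, from CXF, or from the poster), the following Python script inspects an outbound SOAP 1.1 envelope and reports whether the wsse:Security header carries a ds:Signature whose Reference covers the Body, which is the quickest way to confirm the symptom described above (token present, no signature). The two envelopes are constructed samples with made-up wsu:Id and assertion ID values.

```python
import xml.etree.ElementTree as ET

# Namespaces used by a SOAP 1.1 request carrying a WS-Security header.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
WSU_ID = "{%s}Id" % NS["wsu"]


def signature_report(envelope_xml):
    """Report what the wsse:Security header of an outbound envelope signs.
    Structural check only (is the Body covered by a ds:Reference, is a SAML
    assertion present); it does not verify the signature value itself."""
    root = ET.fromstring(envelope_xml)
    body = root.find("soap:Body", NS)
    body_id = body.get(WSU_ID) if body is not None else None
    security = root.find("soap:Header/wsse:Security", NS)
    report = {"has_security_header": security is not None,
              "saml_assertion_ids": [], "signed_uris": [], "body_signed": False}
    if security is None:
        return report
    report["saml_assertion_ids"] = [a.get("ID") for a in security.findall("saml2:Assertion", NS)]
    for ref in security.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        report["signed_uris"].append(uri)
        if body_id is not None and uri == "#" + body_id:
            report["body_signed"] = True
    return report


def _envelope(security_children):
    # Constructed minimal SOAP 1.1 envelope (sample data, not a real capture).
    return (
        '<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" '
        'xmlns:ds="{ds}" xmlns:saml2="{saml2}"><soap:Header><wsse:Security>{sec}'
        '</wsse:Security></soap:Header><soap:Body wsu:Id="Body-1">'
        '<ns1:Query xmlns:ns1="http://webservice.sap.com"/></soap:Body></soap:Envelope>'
    ).format(sec=security_children, **NS)


ASSERTION = '<saml2:Assertion ID="_a1" Version="2.0"/>'
SIGNATURE = ('<ds:Signature><ds:SignedInfo><ds:Reference URI="#Body-1"/></ds:SignedInfo>'
             '<ds:SignatureValue>AAA=</ds:SignatureValue></ds:Signature>')
# Token included but nothing signed: the symptom described in the thread.
UNSIGNED_ENVELOPE = _envelope(ASSERTION)
# Token included and the Body covered by the signature: what the service expects.
SIGNED_ENVELOPE = _envelope(ASSERTION + SIGNATURE)
```

Run `signature_report()` over the envelope captured from the CXF logging interceptor; a report with `saml_assertion_ids` filled but `body_signed` False is exactly the unsigned case.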


-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]] 
Sent: Thursday, August 18, 2011 7:17 AM
To: [email protected]
Subject: Re: InitiatorSignatureToken

What does the full policy look like? That fragment looks ok to me.
What error are you getting? Also, what version of CXF are you using?

Colm.

On Wed, Aug 17, 2011 at 10:36 PM, Penmatsa, Vinay
<[email protected]> wrote:
> Hi,
> I'm unable to define the correct policy for SAML_TOKEN_SIGNED. The following
> gets the STS token and includes it in the request, but now I need to sign the
> message.
>
> <sp:InitiatorToken>
>        <wsp:Policy>
>                <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                        <sp:RequestSecurityTokenTemplate>
>                                <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
>                                <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
>                        </sp:RequestSecurityTokenTemplate>
>                        <wsp:Policy>
>                                <sp:RequireInternalReference />
>                        </wsp:Policy>
>                </sp:IssuedToken>
>        </wsp:Policy>
> </sp:InitiatorToken>
>
> I think I've to use InitiatorSignatureToken, but not sure how.
>
>
> Thanks,
> Vinay
>
>



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com
