Hi,
Thank you very much. That seems to fix the issue with generating the signature.
But within the signature, the <SecurityTokenReference> is missing the
"TokenType" attribute. How can I get this?
I think the expected attribute is
wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
---
<ds:KeyInfo Id="KI-FD02F514C2D45C835B13136725987011">
  <ns5:SecurityTokenReference xmlns:ns5="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
    <ns5:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">A-WS-2e366482-38f7-4aa5-b0bd-9f2363fcb5b5</ns5:KeyIdentifier>
  </ns5:SecurityTokenReference>
</ds:KeyInfo>
---
-Vinay
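As an added example (not code from this thread, and not CXF's own code): a small Python check that parses the KeyInfo fragment quoted above and reports whether its SecurityTokenReference carries the wsse11:TokenType attribute, then shows the same fragment with the attribute set so the expected shape is visible side by side. The wsse and SAML token profile URIs are the ones in the message; the wsse11 namespace URI (the OASIS WSS 1.1 secext namespace) and the function names are assumptions.

```python
"""Check a ds:KeyInfo fragment for the wsse11:TokenType attribute on the
SecurityTokenReference and show the fragment with the attribute present.

Added example, not code from the thread or from CXF.  The wsse and SAML
token profile URIs are taken from the mail; the wsse11 URI is the WSS 1.1
extension namespace from the OASIS spec (assumed, not quoted in the thread).
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
# Assumed: WSS 1.1 extension namespace that carries the TokenType attribute.
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
SAML_PROFILE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1"
EXPECTED_TOKEN_TYPE = SAML_PROFILE + "#SAMLV2.0"
EXPECTED_VALUE_TYPE = SAML_PROFILE + "#SAMLID"

# Constructed sample: the KeyInfo quoted in the mail, with the ds prefix
# declared so the fragment parses on its own.
OBSERVED_KEYINFO = (
    '<ds:KeyInfo xmlns:ds="%s" Id="KI-FD02F514C2D45C835B13136725987011">'
    '<ns5:SecurityTokenReference xmlns:ns5="%s">'
    '<ns5:KeyIdentifier ValueType="%s#SAMLID">'
    'A-WS-2e366482-38f7-4aa5-b0bd-9f2363fcb5b5</ns5:KeyIdentifier>'
    '</ns5:SecurityTokenReference></ds:KeyInfo>'
) % (DS, WSSE, SAML_PROFILE)


def check_security_token_reference(keyinfo_xml: str) -> list:
    """Return a list of findings; an empty list means the STR looks as
    expected for a SAML 2.0 token referenced by its assertion ID."""
    root = ET.fromstring(keyinfo_xml)
    findings = []
    str_el = root.find(f"{{{WSSE}}}SecurityTokenReference")
    if str_el is None:
        return ["KeyInfo has no wsse:SecurityTokenReference"]

    # The attribute is namespaced, so look it up by Clark notation, not prefix.
    token_type = str_el.get(f"{{{WSSE11}}}TokenType")
    if token_type is None:
        findings.append("SecurityTokenReference lacks wsse11:TokenType")
    elif token_type != EXPECTED_TOKEN_TYPE:
        findings.append(f"unexpected wsse11:TokenType: {token_type}")

    kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")
    if kid is None:
        findings.append("SecurityTokenReference has no wsse:KeyIdentifier")
    else:
        if kid.get("ValueType") != EXPECTED_VALUE_TYPE:
            findings.append(f"unexpected KeyIdentifier ValueType: {kid.get('ValueType')}")
        if not (kid.text or "").strip():
            findings.append("KeyIdentifier carries no assertion ID")
    return findings


def with_token_type(keyinfo_xml: str) -> str:
    """Return the fragment with wsse11:TokenType set on the STR, i.e. the
    shape the recipient expects.  This only illustrates the target shape:
    in a real message the attribute has to be emitted by the signing stack
    when it builds the STR, not patched into the message afterwards."""
    ET.register_namespace("ds", DS)
    ET.register_namespace("wsse", WSSE)
    ET.register_namespace("wsse11", WSSE11)
    root = ET.fromstring(keyinfo_xml)
    str_el = root.find(f"{{{WSSE}}}SecurityTokenReference")
    if str_el is None:
        raise ValueError("no SecurityTokenReference to annotate")
    str_el.set(f"{{{WSSE11}}}TokenType", EXPECTED_TOKEN_TYPE)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("observed:", check_security_token_reference(OBSERVED_KEYINFO))
    fixed = with_token_type(OBSERVED_KEYINFO)
    print(fixed)
    print("with TokenType:", check_security_token_reference(fixed))
```

Run stand-alone, the check flags exactly the missing wsse11:TokenType on the quoted fragment and reports nothing once the attribute is present; the same function can be pointed at the KeyInfo of any captured request to confirm what the client actually emitted before comparing it with what the service demands.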
-----Original Message-----
From: Daniel Kulp [mailto:[email protected]]
Sent: Thursday, August 18, 2011 9:25 AM
To: [email protected]
Cc: Colm O hEigeartaigh
Subject: Re: InitiatorSignatureToken
On Thursday, August 18, 2011 1:43:09 PM Colm O hEigeartaigh wrote:
> Could you try it with CXF 2.4.1? I may have fixed a bug related to this.
>
Actually, try 2.4.2 if you can. If you are going to attempt an upgrade,
jump to the latest. :-)
Dan
> Colm.
>
> On Thu, Aug 18, 2011 at 1:31 PM, Penmatsa, Vinay <[email protected]> wrote:
> > CXF 2.4.0
> >
> >
> > -Vinay
> >
> >
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Thursday, August 18, 2011 8:29 AM
> > To: [email protected]
> > Subject: Re: InitiatorSignatureToken
> >
> > What version of CXF are you using?
> >
> > Colm.
> >
> > On Thu, Aug 18, 2011 at 12:53 PM, Penmatsa, Vinay <[email protected]> wrote:
> >> Hi Colm,
> >> Below is my cxf config client & policy def in the wsdl. The result is
> >> that the STS token included in the message is not signed by the
> >> client. Am I missing some policy assertion? I'm getting the error:
> >> "Caused by: org.apache.cxf.binding.soap.SoapFault: An error was
> >> discovered processing the <wsse:Security> header" But when I look at
> >> the message sent, there's no signature that the service expects. When
> >> I do all this programmatically with action SAML_TOKEN_SIGNED, it
> >> works fine with the message signed.
> >>
> >> -----------
> >> Client config:
> >>
> >> <jaxws:client
> >>     xmlns:ns1="http://webservice.sap.com"
> >>     id="samlTokenClient"
> >>     serviceClass="com.sap.webservice.QueryServiceInterfaceConfigGenPortType"
> >>     serviceName="ns1:QueryServiceInterfaceConfigGen"
> >>     endpointName="ns1:QueryServiceInterfaceConfigGenPortSoap11"
> >>     address="http://localhost:9101/sourcing/services/QueryServiceService.Soap11Endpoint"
> >>     wsdlLocation="C:/temp/QueryServiceService-policy.xml">
> >>
> >>   <jaxws:properties>
> >>     <entry key="ws-security.signature.properties" value="wss40_client.properties" />
> >>     <entry key="ws-security.callback-handler" value="com.sap.cxftest.client.ClientPasswordCallback"/>
> >>
> >>     <entry key="ws-security.sts.client">
> >>       <bean class="org.apache.cxf.ws.security.trust.STSClient">
> >>         <constructor-arg ref="cxf" />
> >>         <property name="requiresEntropy" value="false" />
> >>         <property name="wsdlLocation" value="<STS Endpoint>" />
> >>         <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}STS" />
> >>         <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512}UT" />
> >>         <property name="tokenType" value="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"/>
> >>         <property name="keyType" value="http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey"/>
> >>         <property name="properties">
> >>           <map>
> >>             <entry key="ws-security.username" value="buyer44" />
> >>             <entry key="ws-security.password" value="password1" />
> >>             <!-- <entry key="ws-security.username" value="wsclient"/ -->
> >>
> >>             <entry key="ws-security.signature.properties" value="wss40_client.properties" />
> >>             <entry key="ws-security.encryption.properties" value="wss40_sts.properties" />
> >>             <entry key="ws-security.encryption.username" value="sts" />
> >>             <entry key="ws-security.sts.token.properties" value="wss40_sts.properties" />
> >>             <entry key="ws-security.sts.token.username" value="sts" />
> >>           </map>
> >>         </property>
> >>       </bean>
> >>     </entry>
> >>   </jaxws:properties>
> >>
> >> </jaxws:client>
> >>
> >> -----------
> >> Policy in WSDL:
> >>
> >> <wsp:Policy wsu:Id="SAML2Token"
> >>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >>     xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >>   <wsp:ExactlyOne>
> >>     <wsp:All>
> >>       <!--wsam:Addressing wsp:Optional="false"> <wsp:Policy/> </wsam:Addressing -->
> >>       <sp:AsymmetricBinding>
> >>         <wsp:Policy>
> >>           <sp:InitiatorToken>
> >>             <wsp:Policy>
> >>               <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >>                 <sp:RequestSecurityTokenTemplate>
> >>                   <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
> >>                   <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
> >>                   <!--t:KeySize>256</t:KeySize-->
> >>                 </sp:RequestSecurityTokenTemplate>
> >>                 <wsp:Policy>
> >>                   <sp:RequireInternalReference />
> >>                 </wsp:Policy>
> >>               </sp:IssuedToken>
> >>             </wsp:Policy>
> >>           </sp:InitiatorToken>
> >>           <sp:RecipientToken>
> >>             <wsp:Policy>
> >>               <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >>                 <wsp:Policy>
> >>                   <sp:WssX509V3Token10/>
> >>                 </wsp:Policy>
> >>               </sp:X509Token>
> >>             </wsp:Policy>
> >>           </sp:RecipientToken>
> >>           <sp:Layout>
> >>             <wsp:Policy>
> >>               <sp:Lax />
> >>             </wsp:Policy>
> >>           </sp:Layout>
> >>           <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >>           </sp:SignedParts>
> >>           <sp:OnlySignEntireHeadersAndBody />
> >>           <sp:AlgorithmSuite>
> >>             <wsp:Policy>
> >>               <sp:Basic256 />
> >>               <!-- To use the export grade encryption that comes bundled in the JDK,
> >>                    comment out the above Basic256 algorithm and uncomment the below Basic128. -->
> >>               <!-- <sp:Basic128 /> -->
> >>             </wsp:Policy>
> >>           </sp:AlgorithmSuite>
> >>         </wsp:Policy>
> >>       </sp:AsymmetricBinding>
> >>     </wsp:All>
> >>   </wsp:ExactlyOne>
> >> </wsp:Policy>
> >> <wsdl:types>
> >> -----------
> >>
> >>
> >> -Vinay
> >>
> >>
> >> -----Original Message-----
> >> From: Colm O hEigeartaigh [mailto:[email protected]]
> >> Sent: Thursday, August 18, 2011 7:17 AM
> >> To: [email protected]
> >> Subject: Re: InitiatorSignatureToken
> >>
> >> What does the full policy look like? That fragment looks ok to me.
> >> What error are you getting? Also, what version of CXF are you using?
> >>
> >> Colm.
> >>
> >> On Wed, Aug 17, 2011 at 10:36 PM, Penmatsa, Vinay <[email protected]> wrote:
> >>> Hi,
> >>> I'm unable to define the correct policy for SAML_TOKEN_SIGNED. The
> >>> following gets the STS token and includes it in the request, but
> >>> now I need to sign the message.
> >>>
> >>> <sp:InitiatorToken>
> >>>   <wsp:Policy>
> >>>     <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >>>       <sp:RequestSecurityTokenTemplate>
> >>>         <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
> >>>         <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
> >>>       </sp:RequestSecurityTokenTemplate>
> >>>       <wsp:Policy>
> >>>         <sp:RequireInternalReference />
> >>>       </wsp:Policy>
> >>>     </sp:IssuedToken>
> >>>   </wsp:Policy>
> >>> </sp:InitiatorToken>
> >>>
> >>> I think I've to use InitiatorSignatureToken, but not sure how.
> >>>
> >>>
> >>> Thanks,
> >>> Vinay
> >>
> >> --
> >> Colm O hEigeartaigh
> >>
> >> http://coheigea.blogspot.com/
> >> Talend - http://www.talend.com
> >
> > --
> > Colm O hEigeartaigh
> >
> > http://coheigea.blogspot.com/
> > Talend - http://www.talend.com
--
Daniel Kulp
[email protected]
http://dankulp.com/blog
Talend - http://www.talend.com