Hello! We have a Metro STS server that accepts X509Tokens for authentication. We want to create a CXF client that authenticates against the STS server with an X509Token and then, with the retrieved SAML token, calls the Service Provider.

Starting from Glen Mazza's article: http://www.jroller.com/gmazza/entry/cxf_stsclient_metro_sts I have tried to change the UsernameToken authentication to X509Token. Do you have any idea if this can be accomplished - X509Token authentication against the STS?

Here is my CXF client configuration:

    <beans xmlns="http://www.springframework.org/schema/beans"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xmlns:jaxws="http://cxf.apache.org/jaxws"
           xmlns:cxf="http://cxf.apache.org/core"
           xmlns:p="http://cxf.apache.org/policy"
           xsi:schemaLocation="
               http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
               http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
               http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
               http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd">

        <jaxws:client name="{http://www.osiam.org/contract/DoubleIt}DoubleItPort" createdFromAPI="true">
            <jaxws:features>
                <wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
            </jaxws:features>
            <jaxws:properties>
                <entry key="ws-security.sts.client">
                    <bean class="org.apache.cxf.ws.security.trust.STSClient">
                        <constructor-arg ref="cxf"/>
                        <property name="wsdlLocation" value="OsiamSTSService.wsdl"/>
                        <property name="serviceName" value="{http://tempuri.org/}OsiamSTSService"/>
                        <property name="endpointName" value="{http://tempuri.org/}IOsiamSTSService_Port"/>
                        <property name="properties">
                            <map>
                                <entry key="ws-security.sts.token.username" value="mywsckey"/>
                                <entry key="ws-security.username" value="mywsckey"/>
                                <entry key="ws-security.callback-handler" value="client.UTCallbackHandler"/>
                                <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
                                <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
                                <entry key="ws-security.encryption.username" value="mywsckey"/>
                                <entry key="ws-security.is-bsp-compliant" value="false"/>
                                <entry key="ws-security.sts.applies-to" value="http://localhost:8080/osiam-sts-wsp/services/wsp"/>
                            </map>
                        </property>
                    </bean>
                </entry>
            </jaxws:properties>
        </jaxws:client>
    </beans>

I have put in ws-security.username the name of the client's private key, and in the ws-security.encryption.username property the same key, even though I think it should be the server's public certificate. If I put in the server's public certificate, then the UTCallbackHandler asks for a password... what password?

With the above configuration I get:

    WARNING: Interceptor for {http://www.osiam.org/contract/DoubleIt}DoubleItService#{http://www.osiam.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
    org.apache.cxf.interceptor.Fault: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
        at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:372)
        at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
        at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
        at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
        at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
        at $Proxy25.doubleIt(Unknown Source)
        at client.WSClient.doubleIt(WSClient.java:41)
        at client.WSClient.main(WSClient.java:34)
    Caused by: org.apache.cxf.ws.policy.PolicyException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
        at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
        at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
        at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
        ... 21 more
    Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
        at $Proxy25.doubleIt(Unknown Source)
        at client.WSClient.doubleIt(WSClient.java:41)
        at client.WSClient.main(WSClient.java:34)
    Caused by: org.apache.cxf.ws.policy.PolicyException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
        at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
        at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
        at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
        at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
        at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
        at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
        at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
        at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
        at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
        ... 3 more

There is another article by Glen Mazza: http://www.jroller.com/gmazza/entry/cxf_x509_profile It authenticates with the Service Provider directly with an X509Token by configuring a WSS4JOutInterceptor. I have no idea how to combine these two examples to make the STS call with X509 authentication. Does someone have experience with this use case scenario?

Thank you,
Mihai

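As an added example (not from the post, nor from CXF's or Glen Mazza's code), the same STSClient built in Java instead of Spring, with the two roles the post's config merges kept apart: the signature alias is the client's private key (mywsckey, from the post), the encryption alias is the STS server's certificate, and the callback handler only ever answers for the private-key alias, because a public certificate has no password to supply. The class name, the STS certificate alias stsservercert, the password literal and the WSS4J 1.x package name are assumptions; the WSDL, service, endpoint, keystore file and applies-to address are taken from the post.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.Bus;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.ws.security.WSPasswordCallback; // WSS4J 1.x package name (assumed version)

public class X509StsClientFactory {
    // "mywsckey" and the keystore file are from the post; the STS alias and password are assumed.
    static final String CLIENT_KEY_ALIAS = "mywsckey";
    static final String STS_CERT_ALIAS = "stsservercert";
    static final String CLIENT_KEY_PASSWORD = "changeit";

    public static class KeyPasswordCallbackHandler implements CallbackHandler {
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                // Signing and decrypting both use the client's private key; any other identifier
                // (e.g. the STS certificate alias) is refused rather than given a guessed password.
                if (!(cb instanceof WSPasswordCallback)
                        || !CLIENT_KEY_ALIAS.equals(((WSPasswordCallback) cb).getIdentifier())) {
                    throw new UnsupportedCallbackException(cb, "no password for this callback");
                }
                ((WSPasswordCallback) cb).setPassword(CLIENT_KEY_PASSWORD);
            }
        }
    }

    public static STSClient createStsClient(Bus bus) {
        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation("OsiamSTSService.wsdl");
        sts.setServiceName("{http://tempuri.org/}OsiamSTSService");
        sts.setEndpointName("{http://tempuri.org/}IOsiamSTSService_Port");
        Map<String, Object> props = new HashMap<String, Object>();
        // Client private key: signs the RequestSecurityToken, proving possession of the X.509 credential.
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, "clientKeystore.properties");
        props.put(SecurityConstants.SIGNATURE_USERNAME, CLIENT_KEY_ALIAS);
        // STS certificate: the symmetric key is encrypted to it; no password is involved.
        props.put(SecurityConstants.ENCRYPT_PROPERTIES, "clientKeystore.properties");
        props.put(SecurityConstants.ENCRYPT_USERNAME, STS_CERT_ALIAS);
        props.put(SecurityConstants.CALLBACK_HANDLER, new KeyPasswordCallbackHandler());
        // Key used later, when the issued SAML token is presented to the Service Provider.
        props.put(SecurityConstants.STS_TOKEN_PROPERTIES, "clientKeystore.properties");
        props.put(SecurityConstants.STS_TOKEN_USERNAME, CLIENT_KEY_ALIAS);
        props.put(SecurityConstants.STS_APPLIES_TO, "http://localhost:8080/osiam-sts-wsp/services/wsp");
        sts.setProperties(props);
        return sts;
    }
}
```

Register the returned STSClient under the ws-security.sts.client property of the DoubleItPort client, as the Spring config in the post does; the STS certificate must be present in the keystore named by clientKeystore.properties under the alias given to ENCRYPT_USERNAME.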