Hi, Talend Service Factory's free examples package has a jaxws-ws-trust
example, which shows how to use both UT and X509 to make the STS call,
between a CXF client and the Metro STS. Please check the README for
more information.
http://www.talend.com/download.php#IF (Click on User Documentation and
Examples at the bottom).
HTH,
Glen
On 09/21/2011 07:35 AM, Mihai Vasilache wrote:
Hello!
We have a Metro STS server that accepts X509Tokens for authentication.
We want to create a CXF Client that authenticates against the STS server
with an X509 Token,
then, with the retrieved SAML token, calls the Service Provider.
Starting from Glen Mazza's article:
http://www.jroller.com/gmazza/entry/cxf_stsclient_metro_sts
I have tried to change the UsernameToken authentication to X509Token.
Do you have any idea if this can be accomplished, i.e. X509Token
authentication against the STS?
Here is my cxf client configuration:
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:cxf="http://cxf.apache.org/core"
       xmlns:p="http://cxf.apache.org/policy"
       xsi:schemaLocation="
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
           http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
           http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
           http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd">
    <jaxws:client name="{http://www.osiam.org/contract/DoubleIt}DoubleItPort"
                  createdFromAPI="true">
        <jaxws:features>
            <wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
        </jaxws:features>
        <jaxws:properties>
            <entry key="ws-security.sts.client">
                <bean class="org.apache.cxf.ws.security.trust.STSClient">
                    <constructor-arg ref="cxf"/>
                    <property name="wsdlLocation" value="OsiamSTSService.wsdl"/>
                    <property name="serviceName" value="{http://tempuri.org/}OsiamSTSService"/>
                    <property name="endpointName" value="{http://tempuri.org/}IOsiamSTSService_Port"/>
                    <property name="properties">
                        <map>
                            <entry key="ws-security.sts.token.username" value="mywsckey"/>
                            <entry key="ws-security.username" value="mywsckey"/>
                            <entry key="ws-security.callback-handler" value="client.UTCallbackHandler"/>
                            <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
                            <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
                            <entry key="ws-security.encryption.username" value="mywsckey"/>
                            <entry key="ws-security.is-bsp-compliant" value="false"/>
                            <entry key="ws-security.sts.applies-to" value="http://localhost:8080/osiam-sts-wsp/services/wsp"/>
                        </map>
                    </property>
                </bean>
            </entry>
        </jaxws:properties>
    </jaxws:client>
</beans>
I have put in ws-security.username the name of the client's private key,
and in the ws-security.encryption.username property the same key, even
though I think it should be the server's public certificate. If I put the
server's public certificate there, then the UTCallbackHandler asks for a
password.... what password?
With the above configuration I get the following:
WARNING: Interceptor for {http://www.osiam.org/contract/DoubleIt}DoubleItService#{http://www.osiam.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
    at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:372)
    at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
    at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
    at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
    at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
    at $Proxy25.doubleIt(Unknown Source)
    at client.WSClient.doubleIt(WSClient.java:41)
    at client.WSClient.main(WSClient.java:34)
Caused by: org.apache.cxf.ws.policy.PolicyException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
    at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
    at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
    at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
    ... 21 more
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
    at $Proxy25.doubleIt(Unknown Source)
    at client.WSClient.doubleIt(WSClient.java:41)
    at client.WSClient.main(WSClient.java:34)
Caused by: org.apache.cxf.ws.policy.PolicyException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
    at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
    at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
    at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
    at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
    at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
    at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
    at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
    at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
    ... 3 more
There is another article by Glen Mazza:
http://www.jroller.com/gmazza/entry/cxf_x509_profile
Here, authentication with the Service Provider is done directly with an
X509Token by configuring a WSS4JOutInterceptor.
I have no idea how to combine these two examples to make the STS call with
X509 authentication.
Does someone have experience with this use case?
Thank you,
Mihai
--
Glen Mazza
Talend - http://www.talend.com/ai
Blog - http://www.jroller.com/gmazza
Twitter - glenmazza
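As an added illustration (written for this page, not taken from the thread or from the Talend examples package), the following Java class shows the two pieces that change when the STS call moves from UT to X509: the callback handler, which WSS4J now consults for the password of the private key behind the signature alias (WSPasswordCallback with SIGNATURE or DECRYPT usage) rather than for a UsernameToken password, and a programmatic equivalent of the Spring STSClient bean with signature properties in place of the UsernameToken ones. The private-key password "changeit", the STS certificate alias "stskey", the WSS4J 1.6 package name and the keystore layout are assumptions; the other values are those from the configuration above.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.Bus;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.ws.security.WSPasswordCallback;

// Added example, not from the thread: with X509 authentication WSS4J asks this handler for the
// password of the private key behind the signature alias, not for a UsernameToken password.
public class X509KeyCallbackHandler implements CallbackHandler {
    // Constructed placeholders: the client's signing alias and its private-key password.
    private static final String KEY_ALIAS = "mywsckey";
    private static final String KEY_PASSWORD = "changeit";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(cb, "Unrecognized callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) cb;
            // Answer only signature/decryption requests for our own alias, so a UsernameToken
            // request (e.g. from a misread policy) never silently receives the key password.
            boolean keyUsage = pc.getUsage() == WSPasswordCallback.SIGNATURE
                    || pc.getUsage() == WSPasswordCallback.DECRYPT;
            if (!keyUsage || !KEY_ALIAS.equals(pc.getIdentifier())) {
                throw new UnsupportedCallbackException(cb, "Refusing " + pc.getIdentifier() + "/" + pc.getUsage());
            }
            pc.setPassword(KEY_PASSWORD);
        }
    }

    // Programmatic equivalent of the Spring STSClient bean, with signature properties in place
    // of the UsernameToken ones. "stskey" is an assumed alias for the STS certificate.
    public static STSClient x509StsClient(Bus bus) {
        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation("OsiamSTSService.wsdl");
        sts.setServiceName("{http://tempuri.org/}OsiamSTSService");
        sts.setEndpointName("{http://tempuri.org/}IOsiamSTSService_Port");
        Map<String, Object> props = new HashMap<String, Object>();
        props.put("ws-security.signature.properties", "clientKeystore.properties");
        props.put("ws-security.signature.username", KEY_ALIAS);
        props.put("ws-security.encryption.properties", "clientKeystore.properties");
        props.put("ws-security.encryption.username", "stskey");
        props.put("ws-security.callback-handler", new X509KeyCallbackHandler());
        props.put("ws-security.sts.applies-to", "http://localhost:8080/osiam-sts-wsp/services/wsp");
        sts.setProperties(props);
        return sts;
    }
}
```

Whether the STS actually signs with the client key or still expects a UsernameToken is decided by the security policy in the STS WSDL, so the client-side properties only take effect once that policy calls for an X509 token.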