Hi Glen,

Thank you very much for your answer.
I've tried your jaxws-ws-trust example.
You are using an <sp:AsymmetricBinding> with no
<sp:SignedEncryptedSupportingTokens> for the X509Token authentication
use-case. My tests work if I configure it this way.

If I add a:
<sp:SignedEncryptedSupportingTokens>
    <wsp:Policy>
        <wsp:ExactlyOne>
            <wsp:All wsu:Id="X509TokenPolicyAlternative">
                <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssX509V3Token10/>
                            <sp:RequireIssuerSerialReference/>
                        </wsp:Policy>
                    </sp:X509Token>
                </wsp:Policy>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</sp:SignedEncryptedSupportingTokens>

to the STS server WSDL, and not to the client's copy, then the server
validates the certificate (it enters the validator) and throws:

Caused by: com.sun.xml.wss.XWSSecurityException: Policy verification
error:Missing target BinarySecurityToken for Signature
        at
com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl.resolveAndVerifyTargets(TargetResolverImpl.java:115)
        at
com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.checkTargets(MessagePolicyVerifier.java:454)
        at
com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.processPrimaryPolicy(MessagePolicyVerifier.java:341)
        at
com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:146)


The server expects something else if I add a
SignedEncryptedSupportingTokens.

However, if I add this SignedEncryptedSupportingTokens to the client's
copy, the client throws an exception, and the call to the STS does not
happen:

Caused by: org.apache.cxf.ws.policy.PolicyException: General security
error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
{null}null)
        at
org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
        at
org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doEncryption(AsymmetricBindingHandler.java:374)
        at
org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doSignBeforeEncrypt(AsymmetricBindingHandler.java:168)
        at
org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.handleBinding(AsymmetricBindingHandler.java:96)
        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:164)
......


Do you have any idea what else the CXF client wants?

I saw that you are using 2 endpoints in your examples, one for each
authentication type. In fact I want to use a single endpoint with 2
alternatives. I managed to cheat Metro into accepting it. I've posted an
answer to the Metro mailing list:
http://markmail.org/search/?q=list%3Anet.java.dev.metro.users#query:list%3Anet.java.dev.metro.users+page:1+mid:3757ci3ob27otl7r+state:results

The problem with the Metro client is that it always picks the first
alternative, while CXF doesn't know how to handle
<sp:SignedEncryptedSupportingTokens>
...
    <sp:X509Token/>
...
</sp:SignedEncryptedSupportingTokens>

or I don't know how to configure it.


Thank you,
Mihai



On Wed, 2011-09-21 at 08:44 -0400, Glen Mazza wrote:
> Hi, Talend Service Factory's free examples package has a jaxws-ws-trust 
> example, which shows how to use both UT and X509 to make the STS call, 
> between a CXF client and the Metro STS.  Please check the README for 
> more information.
> 
> http://www.talend.com/download.php#IF (Click on User Documentation and 
> Examples at the bottom).
> 
> HTH,
> Glen
> 
> 
> On 09/21/2011 07:35 AM, Mihai Vasilache wrote:
> > Hello!
> >
> > We have a Metro STS server that accepts X509Tokens for authentication.
> > We want to create a CXF client that authenticates against the STS server
> > with an X509 Token,
> > then with the retrieved SAML token, calls the Service Provider.
> >
> > Starting from Glen Mazza's article:
> > http://www.jroller.com/gmazza/entry/cxf_stsclient_metro_sts
> > I have tried to change the UsernameToken authentication to X509Token.
> >
> > Do you have any idea if this can be accomplished? - X509Token
> > authentication against STS?
> >
> > Here is my cxf client configuration:
> >
> > <beans xmlns="http://www.springframework.org/schema/beans"
> >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >     xmlns:jaxws="http://cxf.apache.org/jaxws"
> >     xmlns:cxf="http://cxf.apache.org/core"
> >     xmlns:p="http://cxf.apache.org/policy"
> >     xsi:schemaLocation="
> > http://www.springframework.org/schema/beans
> > http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
> > http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
> > http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
> > http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd">
> >
> >     <jaxws:client
> > name="{http://www.osiam.org/contract/DoubleIt}DoubleItPort"
> >         createdFromAPI="true">
> >             <jaxws:features>
> >                     <wsa:addressing 
> > xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
> >             </jaxws:features>
> >
> >             <jaxws:properties>
> >                     <entry key="ws-security.sts.client">
> >                             <bean 
> > class="org.apache.cxf.ws.security.trust.STSClient">
> >                                     <constructor-arg ref="cxf"/>
> >                                     <property name="wsdlLocation" 
> > value="OsiamSTSService.wsdl"/>
> >                                     <property name="serviceName"
> > value="{http://tempuri.org/}OsiamSTSService"/>
> >                                     <property name="endpointName"
> > value="{http://tempuri.org/}IOsiamSTSService_Port"/>
> >                                     <property name="properties">
> >                                             <map>
> >                                                     <entry 
> > key="ws-security.sts.token.username" value="mywsckey"/>
> >                                                     <entry 
> > key="ws-security.username" value="mywsckey"/>
> >                                                     <entry 
> > key="ws-security.callback-handler"
> > value="client.UTCallbackHandler"/>
> >                                                     <entry 
> > key="ws-security.encryption.properties"
> > value="clientKeystore.properties"/>
> >                                                     <entry 
> > key="ws-security.signature.properties"
> > value="clientKeystore.properties"/>
> >                                                     <entry 
> > key="ws-security.encryption.username" value="mywsckey"/>
> >                                                     <entry 
> > key="ws-security.is-bsp-compliant" value="false"/>
> >                                                     <entry 
> > key="ws-security.sts.applies-to"
> > value="http://localhost:8080/osiam-sts-wsp/services/wsp" />
> >                                             </map>
> >                                     </property>
> >                             </bean>
> >                     </entry>
> >             </jaxws:properties>
> >     </jaxws:client>
> > </beans>
> >
> > I have put the name of the client's private key in ws-security.username,
> > and the same key in the ws-security.encryption.username property, even
> > though I think it should be the server's public certificate. If I put
> > the server's public certificate there, then the UTCallbackHandler asks
> > for a password.... what password?
> >
> > With the above configuration I get:
> >
> > WARNING: Interceptor for
> > {http://www.osiam.org/contract/DoubleIt}DoubleItService#{http://www.osiam.org/contract/DoubleIt}DoubleIt
> >  has thrown exception, unwinding now
> > org.apache.cxf.interceptor.Fault: General security error
> > (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
> > {null}null)
> >     at
> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:372)
> >     at
> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
> >     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
> >     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
> >     at
> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
> >     at
> > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
> >     at
> > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
> >     at
> > org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
> >     at
> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
> >     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> >     at
> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
> >     at $Proxy25.doubleIt(Unknown Source)
> >     at client.WSClient.doubleIt(WSClient.java:41)
> >     at client.WSClient.main(WSClient.java:34)
> > Caused by: org.apache.cxf.ws.policy.PolicyException: General security
> > error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
> > {null}null)
> >     at
> > org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
> >     at
> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
> >     at
> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
> >     ... 21 more
> > Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General
> > security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign
> > not found: {null}null)
> >     at
> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
> >     at $Proxy25.doubleIt(Unknown Source)
> >     at client.WSClient.doubleIt(WSClient.java:41)
> >     at client.WSClient.main(WSClient.java:34)
> > Caused by: org.apache.cxf.ws.policy.PolicyException: General security
> > error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
> > {null}null)
> >     at
> > org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
> >     at
> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
> >     at
> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
> >     at
> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
> >     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
> >     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
> >     at
> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
> >     at
> > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
> >     at
> > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
> >     at
> > org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
> >     at
> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
> >     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> >     at
> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
> >     ... 3 more
> >
> >
> > There is another Glen Mazza's article:
> > http://www.jroller.com/gmazza/entry/cxf_x509_profile
> >
> > Here he authenticates with the Service Provider directly with an
> > X509Token by configuring a WSS4JOutInterceptor.
> > I have no idea how to combine these 2 examples to make the STS call with
> > X509 authentication.
> > Does anyone have experience related to this use case scenario?
> >
> > Thank you,
> > Mihai
> >
> 
> 


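As an added example (not part of this thread, and not CXF's or Metro's code), the following Python script expands a WS-SecurityPolicy into its alternatives the way the WS-Policy normal form defines them (wsp:Policy and wsp:All are conjunctions, wsp:ExactlyOne is a disjunction), so you can see what a single endpoint with two alternatives actually demands of a client before pointing CXF or Metro at it. The policy embedded in it is constructed for illustration: one endpoint with an AsymmetricBinding and two alternatives, UsernameToken or X509Token, each carried as SignedEncryptedSupportingTokens in the same shape as the fragment Mihai posted. It only reads the policy; it does not build or send any message.

```python
"""Enumerate the alternatives of a WS-SecurityPolicy document.

Walks wsp:Policy / wsp:ExactlyOne / wsp:All per WS-Policy: Policy and All
are conjunctions, ExactlyOne is a disjunction, anything else is an
assertion. Each assertion's own nested <wsp:Policy> is expanded the same
way, so e.g. a SupportingTokens assertion shows which token it carries.
"""
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
INCLUDE = SP + "/IncludeToken/AlwaysToRecipient"

# Constructed sample policy (not from any real STS): one endpoint, two
# alternatives (UsernameToken or X509Token), each carried in
# SignedEncryptedSupportingTokens under an AsymmetricBinding.
SAMPLE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:wsu="{WSU}">
  <wsp:ExactlyOne>
    <wsp:All wsu:Id="UTAlternative">
      <sp:AsymmetricBinding><wsp:Policy><sp:IncludeTimestamp/></wsp:Policy></sp:AsymmetricBinding>
      <sp:SignedEncryptedSupportingTokens><wsp:Policy>
        <sp:UsernameToken sp:IncludeToken="{INCLUDE}">
          <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
        </sp:UsernameToken>
      </wsp:Policy></sp:SignedEncryptedSupportingTokens>
    </wsp:All>
    <wsp:All wsu:Id="X509Alternative">
      <sp:AsymmetricBinding><wsp:Policy><sp:IncludeTimestamp/></wsp:Policy></sp:AsymmetricBinding>
      <sp:SignedEncryptedSupportingTokens><wsp:Policy><wsp:ExactlyOne><wsp:All><wsp:Policy>
        <sp:X509Token sp:IncludeToken="{INCLUDE}">
          <wsp:Policy><sp:WssX509V3Token10/><sp:RequireIssuerSerialReference/></wsp:Policy>
        </sp:X509Token>
      </wsp:Policy></wsp:All></wsp:ExactlyOne></wsp:Policy></sp:SignedEncryptedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
"""


def _local(tag):
    """Strip the {namespace} prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _alternatives(elem):
    """Return the alternatives of elem: a list of lists of assertion elements."""
    if elem.tag in (f"{{{WSP}}}Policy", f"{{{WSP}}}All"):
        alts = [[]]                       # conjunction: cross product of children
        for child in elem:
            rights = _alternatives(child)
            alts = [left + right for left in alts for right in rights]
        return alts
    if elem.tag == f"{{{WSP}}}ExactlyOne":
        alts = []                         # disjunction: union of the children
        for child in elem:
            alts.extend(_alternatives(child))
        return alts
    return [[elem]]                       # any other element is an assertion


def describe(assertion):
    """Render an assertion as Name[IncludeToken]{nested alt | nested alt}."""
    text = _local(assertion.tag)
    include = assertion.get(f"{{{SP}}}IncludeToken")
    if include:
        text += "[" + include.rsplit("/", 1)[-1] + "]"
    nested = assertion.find(f"{{{WSP}}}Policy")   # the assertion's own nested policy
    if nested is not None:
        rendered = [",".join(describe(a) for a in alt) for alt in _alternatives(nested)]
        text += "{" + " | ".join(rendered) + "}"
    return text


def policy_alternatives(xml_text):
    """Top-level alternatives of a policy, each as a list of rendered assertions."""
    root = ET.fromstring(xml_text)
    return [[describe(a) for a in alt] for alt in _alternatives(root)]


def alternatives_with(xml_text, assertion_name):
    """Indices of top-level alternatives that contain the named sp: assertion anywhere."""
    tag = f"{{{SP}}}{assertion_name}"
    hits = []
    for index, alt in enumerate(_alternatives(ET.fromstring(xml_text))):
        # Element.iter(tag) yields the element itself and all descendants with that tag
        if any(next(a.iter(tag), None) is not None for a in alt):
            hits.append(index)
    return hits


if __name__ == "__main__":
    for index, alt in enumerate(policy_alternatives(SAMPLE_POLICY)):
        print(f"alternative {index}:")
        for assertion in alt:
            print("   ", assertion)
    print("alternatives needing an X509Token:", alternatives_with(SAMPLE_POLICY, "X509Token"))
```

Run against an STS WSDL's embedded policy, the output tells you which alternative a client must satisfy for X509 authentication and which binding and token qualifiers (IncludeToken, WssX509V3Token10, RequireIssuerSerialReference) come with it; a client that simply picks the first alternative, as Mihai describes for Metro, will satisfy a UsernameToken alternative listed first rather than the X509 one.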