Hello again.
It is somebody using X509Token authentication because i don't know if
this is a CXF bug or i am mission something in CXF configuration?
I've found in
org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder
this code:
} else if (token instanceof X509Token) {
//We have to use a cert
//Prepare X509 signature
WSSecSignature sig = getSignatureBuilder(suppTokens,
token, endorse);
Element bstElem = sig.getBinarySecurityTokenElement();
if (bstElem != null) {
sig.prependBSTElementToHeader(secHeader);
}
if (suppTokens.isEncryptedToken()) {
encryptedTokensIdList.add(sig.getBSTTokenId());
}
ret.put(token, sig);
} else if (token instanceof KeyValueToken) {
WSSecSignature sig = getSignatureBuilder(suppTokens,
token, endorse);
if (suppTokens.isEncryptedToken()) {
encryptedTokensIdList.add(sig.getBSTTokenId());
}
ret.put(token, sig);
} else if (token instanceof SamlToken) {
AssertionWrapper assertionWrapper =
addSamlToken((SamlToken)token);
if (assertionWrapper != null) {
addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
ret.put(token, assertionWrapper);
}
}
after sig.prependBSTElementToHeader(secHeader), the sig.getBSTTokenId()
becomes null causing:
org.apache.cxf.ws.policy.PolicyException: General security error
(WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
{null}null)
at
org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
at
org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doEncryption(AsymmetricBindingHandler.java:374)
The token id is still accessible from bstElem.
Mihai
On Thu, 2011-09-22 at 16:13 +0300, Mihai Vasilache wrote:
> Hi Glen,
>
> Thank you very much for your answer.
> I've tried your jaxws-ws-trust example.
> You are using an <sp:AsymmetricBinding> with no
> <sp:SignedEncryptedSupportingTokens> for the X509Token authentication
> use-case. My tests are working if i am configuring in this way.
>
> If I add a:
> <sp:SignedEncryptedSupportingTokens>
> <wsp:Policy>
> <wsp:ExactlyOne>
> <wsp:All wsu:Id="X509TokenPolicyAlternative">
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
> <wsp:Policy>
> <sp:WssX509V3Token10/>
> <sp:RequireIssuerSerialReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> </sp:SignedEncryptedSupportingTokens>
>
> to the STS server wsdl, and not in the client's copy, then the server is
> validating the certificate (enters in the validator) and throws a:
>
> Caused by: com.sun.xml.wss.XWSSecurityException: Policy verification
> error:Missing target BinarySecurityToken for Signature
> at
> com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl.resolveAndVerifyTargets(TargetResolverImpl.java:115)
> at
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.checkTargets(MessagePolicyVerifier.java:454)
> at
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.processPrimaryPolicy(MessagePolicyVerifier.java:341)
> at
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:146)
>
>
> The server expects something else if i add an
> SignedEncryptedSupportingTokens.
>
> However if i add this SignedEncryptedSupportingTokens in the client's
> copy, the client is throwing an exception, and the call to STS does not
> happen:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: General security
> error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
> {null}null)
> at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
> at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doEncryption(AsymmetricBindingHandler.java:374)
> at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doSignBeforeEncrypt(AsymmetricBindingHandler.java:168)
> at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.handleBinding(AsymmetricBindingHandler.java:96)
> at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:164)
> ......
>
>
> Do you have any idea what the CXF client wants more?
>
> I've saw that you are using 2 endpoints in your examples, one for each
> authentication type. In fact i want to use a single endpoint with 2
> alternatives. I manage to cheat metro to accept it. I've post an answer
> to Metro mailing list:
> http://markmail.org/search/?q=list%3Anet.java.dev.metro.users#query:list
> %3Anet.java.dev.metro.users+page:1+mid:3757ci3ob27otl7r+state:results
>
> The problem with the Metro client is that is always picking the first
> alternative, while CXF doesn't know how to handle
> <sp:SignedEncryptedSupportingTokens>
> ...
> <sp:X509Token/>
> ...
> </sp:SignedEncryptedSupportingTokens>
>
> or i don't know to configure it.
>
>
> Thank you,
> Mihai
>
>
>
> On Wed, 2011-09-21 at 08:44 -0400, Glen Mazza wrote:
> > Hi, Talend Service Factory's free examples package has a jaxws-ws-trust
> > example, which shows how to use both UT and X509 to make the STS call,
> > between a CXF client and the Metro STS. Please check the README for
> > more information.
> >
> > http://www.talend.com/download.php#IF (Click on User Documentation and
> > Examples at the bottom).
> >
> > HTH,
> > Glen
> >
> >
> > On 09/21/2011 07:35 AM, Mihai Vasilache wrote:
> > > Hello!
> > >
> > > We have a Metro STS server that accepts X09Tokens for authentication.
> > > We want to create a CXF Client that authenticate against the STS server
> > > with a X509 Token,
> > > then with the retrieved SAML token, call the Service Provider.
> > >
> > > Starting from Glen Mazza's article:
> > > http://www.jroller.com/gmazza/entry/cxf_stsclient_metro_sts
> > > I have tried to change the UsernameToken authentication to X509Token.
> > >
> > > Do you have any idea if this can be accomplished? - X509Token
> > > authentication against STS?
> > >
> > > Here is my cxf client configuration:
> > >
> > > <beans xmlns="http://www.springframework.org/schema/beans";
> > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> > > xmlns:jaxws="http://cxf.apache.org/jaxws";
> > > xmlns:cxf="http://cxf.apache.org/core";
> > > xmlns:p="http://cxf.apache.org/policy";
> > > xsi:schemaLocation="
> > > http://www.springframework.org/schema/beans
> > > http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
> > > http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
> > > http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
> > > http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd";>
> > >
> > > <jaxws:client
> > > name="{http://www.osiam.org/contract/DoubleIt}DoubleItPort";
> > > createdFromAPI="true">
> > > <jaxws:features>
> > > <wsa:addressing
> > > xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
> > > </jaxws:features>
> > >
> > > <jaxws:properties>
> > > <entry key="ws-security.sts.client">
> > > <bean
> > > class="org.apache.cxf.ws.security.trust.STSClient">
> > > <constructor-arg ref="cxf"/>
> > > <property name="wsdlLocation"
> > > value="OsiamSTSService.wsdl"/>
> > > <property name="serviceName"
> > > value="{http://tempuri.org/}OsiamSTSService"/>
> > > <property name="endpointName"
> > > value="{http://tempuri.org/}IOsiamSTSService_Port"/>
> > > <property name="properties">
> > > <map>
> > > <entry
> > > key="ws-security.sts.token.username" value="mywsckey"/>
> > > <entry
> > > key="ws-security.username" value="mywsckey"/>
> > > <entry
> > > key="ws-security.callback-handler"
> > > value="client.UTCallbackHandler"/>
> > > <entry
> > > key="ws-security.encryption.properties"
> > > value="clientKeystore.properties"/>
> > > <entry
> > > key="ws-security.signature.properties"
> > > value="clientKeystore.properties"/>
> > > <entry
> > > key="ws-security.encryption.username" value="mywsckey"/>
> > > <entry
> > > key="ws-security.is-bsp-compliant" value="false"/>
> > > <entry
> > > key="ws-security.sts.applies-to"
> > > value="http://localhost:8080/osiam-sts-wsp/services/wsp"; />
> > > </map>
> > > </property>
> > > </bean>
> > > </entry>
> > > </jaxws:properties>
> > > </jaxws:client>
> > > </beans>
> > >
> > > I have put in ws-security.username the name of the client's private key,
> > > in the ws-security.encryption.username properties the same key even i
> > > think it should be the server's public certificate. If i am puting the
> > > server public certificate then the UTCallbackHandler is asking for a
> > > password.... what password?
> > >
> > > With the above configuration i get an:
> > >
> > > WARNING: Interceptor for
> > > {http://www.osiam.org/contract/DoubleIt}DoubleItService#{http://www.osiam.org/contract/DoubleIt}DoubleIt
> > > has thrown exception, unwinding now
> > > org.apache.cxf.interceptor.Fault: General security error
> > > (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
> > > {null}null)
> > > at
> > > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:372)
> > > at
> > > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
> > > at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> > > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
> > > at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> > > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
> > > at
> > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> > > at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
> > > at
> > > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
> > > at
> > > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
> > > at
> > > org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
> > > at
> > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> > > at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
> > > at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> > > at
> > > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
> > > at $Proxy25.doubleIt(Unknown Source)
> > > at client.WSClient.doubleIt(WSClient.java:41)
> > > at client.WSClient.main(WSClient.java:34)
> > > Caused by: org.apache.cxf.ws.policy.PolicyException: General security
> > > error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
> > > {null}null)
> > > at
> > > org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
> > > at
> > > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
> > > at
> > > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
> > > ... 21 more
> > > Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General
> > > security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign
> > > not found: {null}null)
> > > at
> > > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
> > > at $Proxy25.doubleIt(Unknown Source)
> > > at client.WSClient.doubleIt(WSClient.java:41)
> > > at client.WSClient.main(WSClient.java:34)
> > > Caused by: org.apache.cxf.ws.policy.PolicyException: General security
> > > error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
> > > {null}null)
> > > at
> > > org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
> > > at
> > > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
> > > at
> > > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
> > > at
> > > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
> > > at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> > > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
> > > at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> > > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
> > > at
> > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> > > at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
> > > at
> > > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
> > > at
> > > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
> > > at
> > > org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
> > > at
> > > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
> > > at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
> > > at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
> > > at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> > > at
> > > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
> > > ... 3 more
> > >
> > >
> > > There is another Glen Mazza's article:
> > > http://www.jroller.com/gmazza/entry/cxf_x509_profile
> > >
> > > Here is authenticating with the Service Provider directly with a
> > > X509Token by configuring an WSS4JOutInterceptor.
> > > I have no idea how to combine this 2 examples to make the STS call with
> > > x509 authentication.
> > > Has someone some experience related to this use case scenario?
> > >
> > > Thank you,
> > > Mihai
> > >
> >
> >
>
>
