Hi Mihai,

> You are using an <sp:AsymmetricBinding> with no
> <sp:SignedEncryptedSupportingTokens> for the X509Token authentication
> use-case. My tests are working if I am configuring in this way.

Why are you adding a SignedEncryptedSupportingToken policy consisting
of an X509Token? What are your security requirements? The Asymmetric
binding should satisfy the requirement for X509Token authentication.

> However, if I add this SignedEncryptedSupportingTokens in the client's
> copy, the client is throwing an exception, and the call to STS does not
> happen:

It won't work, as the certificate is added as part of the signature
process, whereas tokens to sign/encrypt are retrieved before the
signature process, and so it won't find the certificate. This is a bug
I guess, but hardly a common one.

Colm.

On Thu, Sep 22, 2011 at 2:13 PM, Mihai Vasilache
<[email protected]> wrote:
> Hi Glen,
>
> Thank you very much for your answer.
> I've tried your jaxws-ws-trust example.
> You are using an <sp:AsymmetricBinding> with no
> <sp:SignedEncryptedSupportingTokens> for the X509Token authentication
> use-case. My tests are working if I am configuring in this way.
>
> If I add a:
> <sp:SignedEncryptedSupportingTokens>
>    <wsp:Policy>
>        <wsp:ExactlyOne>
>            <wsp:All wsu:Id="X509TokenPolicyAlternative">
>                <wsp:Policy>
>                    <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                        <wsp:Policy>
>                            <sp:WssX509V3Token10/>
>                            <sp:RequireIssuerSerialReference/>
>                        </wsp:Policy>
>                    </sp:X509Token>
>                </wsp:Policy>
>            </wsp:All>
>        </wsp:ExactlyOne>
>    </wsp:Policy>
> </sp:SignedEncryptedSupportingTokens>
>
> to the STS server wsdl, and not in the client's copy, then the server is
> validating the certificate (it enters the validator) and throws a:
>
> Caused by: com.sun.xml.wss.XWSSecurityException: Policy verification
> error:Missing target BinarySecurityToken for Signature
>        at
> com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl.resolveAndVerifyTargets(TargetResolverImpl.java:115)
>        at
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.checkTargets(MessagePolicyVerifier.java:454)
>        at
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.processPrimaryPolicy(MessagePolicyVerifier.java:341)
>        at
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:146)
>
>
> The server expects something else if I add a
> SignedEncryptedSupportingTokens.
>
> However, if I add this SignedEncryptedSupportingTokens in the client's
> copy, the client is throwing an exception, and the call to STS does not
> happen:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: General security
> error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
> {null}null)
>        at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
>        at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doEncryption(AsymmetricBindingHandler.java:374)
>        at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doSignBeforeEncrypt(AsymmetricBindingHandler.java:168)
>        at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.handleBinding(AsymmetricBindingHandler.java:96)
>        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:164)
> ......
>
>
> Do you have any idea what more the CXF client wants?
>
> I've seen that you are using 2 endpoints in your examples, one for each
> authentication type. In fact I want to use a single endpoint with 2
> alternatives. I managed to cheat Metro into accepting it. I've posted an
> answer to the Metro mailing list:
> http://markmail.org/search/?q=list%3Anet.java.dev.metro.users#query:list%3Anet.java.dev.metro.users+page:1+mid:3757ci3ob27otl7r+state:results
>
> The problem with the Metro client is that it is always picking the first
> alternative, while CXF doesn't know how to handle
> <sp:SignedEncryptedSupportingTokens>
> ...
>    <sp:X509Token/>
> ...
> </sp:SignedEncryptedSupportingTokens>
>
> or I don't know how to configure it.
>
>
> Thank you,
> Mihai
>
>
>
> On Wed, 2011-09-21 at 08:44 -0400, Glen Mazza wrote:
>> Hi, Talend Service Factory's free examples package has a jaxws-ws-trust
>> example, which shows how to use both UT and X509 to make the STS call,
>> between a CXF client and the Metro STS.  Please check the README for
>> more information.
>>
>> http://www.talend.com/download.php#IF (Click on User Documentation and
>> Examples at the bottom).
>>
>> HTH,
>> Glen
>>
>>
>> On 09/21/2011 07:35 AM, Mihai Vasilache wrote:
>> > Hello!
>> >
>> > We have a Metro STS server that accepts X509Tokens for authentication.
>> > We want to create a CXF client that authenticates against the STS server
>> > with an X509 Token,
>> > then, with the retrieved SAML token, calls the Service Provider.
>> >
>> > Starting from Glen Mazza's article:
>> > http://www.jroller.com/gmazza/entry/cxf_stsclient_metro_sts
>> > I have tried to change the UsernameToken authentication to X509Token.
>> >
>> > Do you have any idea if this can be accomplished? - X509Token
>> > authentication against STS?
>> >
>> > Here is my cxf client configuration:
>> >
>> > <beans xmlns="http://www.springframework.org/schema/beans"
>> >     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> >     xmlns:jaxws="http://cxf.apache.org/jaxws"
>> >     xmlns:cxf="http://cxf.apache.org/core"
>> >     xmlns:p="http://cxf.apache.org/policy"
>> >     xsi:schemaLocation="
>> > http://www.springframework.org/schema/beans
>> > http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>> > http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
>> > http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
>> > http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd">
>> >
>> >     <jaxws:client
>> > name="{http://www.osiam.org/contract/DoubleIt}DoubleItPort"
>> >         createdFromAPI="true">
>> >             <jaxws:features>
>> >                     <wsa:addressing 
>> > xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
>> >             </jaxws:features>
>> >
>> >             <jaxws:properties>
>> >                     <entry key="ws-security.sts.client">
>> >                             <bean 
>> > class="org.apache.cxf.ws.security.trust.STSClient">
>> >                                     <constructor-arg ref="cxf"/>
>> >                                     <property name="wsdlLocation" 
>> > value="OsiamSTSService.wsdl"/>
>> >                                     <property name="serviceName"
>> > value="{http://tempuri.org/}OsiamSTSService"/>
>> >                                     <property name="endpointName"
>> > value="{http://tempuri.org/}IOsiamSTSService_Port"/>
>> >                                     <property name="properties">
>> >                                             <map>
>> >                                                     <entry 
>> > key="ws-security.sts.token.username" value="mywsckey"/>
>> >                                                     <entry 
>> > key="ws-security.username" value="mywsckey"/>
>> >                                                     <entry 
>> > key="ws-security.callback-handler"
>> > value="client.UTCallbackHandler"/>
>> >                                                     <entry 
>> > key="ws-security.encryption.properties"
>> > value="clientKeystore.properties"/>
>> >                                                     <entry 
>> > key="ws-security.signature.properties"
>> > value="clientKeystore.properties"/>
>> >                                                     <entry 
>> > key="ws-security.encryption.username" value="mywsckey"/>
>> >                                                     <entry 
>> > key="ws-security.is-bsp-compliant" value="false"/>
>> >                                                     <entry 
>> > key="ws-security.sts.applies-to"
>> > value="http://localhost:8080/osiam-sts-wsp/services/wsp" />
>> >                                             </map>
>> >                                     </property>
>> >                             </bean>
>> >                     </entry>
>> >             </jaxws:properties>
>> >     </jaxws:client>
>> > </beans>
>> >
>> > I have put in ws-security.username the name of the client's private key,
>> > and in the ws-security.encryption.username property the same key, even
>> > though I think it should be the server's public certificate. If I am
>> > putting the server's public certificate there, then the UTCallbackHandler
>> > is asking for a password.... what password?
>> >
>> > With the above configuration I get the following:
>> >
>> > WARNING: Interceptor for
>> > {http://www.osiam.org/contract/DoubleIt}DoubleItService#{http://www.osiam.org/contract/DoubleIt}DoubleIt
>> >  has thrown exception, unwinding now
>> > org.apache.cxf.interceptor.Fault: General security error
>> > (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
>> > {null}null)
>> >     at
>> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:372)
>> >     at
>> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
>> >     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
>> > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
>> >     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
>> > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
>> >     at
>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
>> >     at
>> > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
>> >     at
>> > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
>> >     at
>> > org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
>> >     at
>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
>> >     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>> >     at
>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
>> >     at $Proxy25.doubleIt(Unknown Source)
>> >     at client.WSClient.doubleIt(WSClient.java:41)
>> >     at client.WSClient.main(WSClient.java:34)
>> > Caused by: org.apache.cxf.ws.policy.PolicyException: General security
>> > error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
>> > {null}null)
>> >     at
>> > org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
>> >     at
>> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
>> >     at
>> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
>> >     ... 21 more
>> > Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General
>> > security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign
>> > not found: {null}null)
>> >     at
>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
>> >     at $Proxy25.doubleIt(Unknown Source)
>> >     at client.WSClient.doubleIt(WSClient.java:41)
>> >     at client.WSClient.main(WSClient.java:34)
>> > Caused by: org.apache.cxf.ws.policy.PolicyException: General security
>> > error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
>> > {null}null)
>> >     at
>> > org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
>> >     at
>> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
>> >     at
>> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
>> >     at
>> > org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
>> >     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
>> > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
>> >     at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
>> > $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
>> >     at
>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
>> >     at
>> > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
>> >     at
>> > org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
>> >     at
>> > org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
>> >     at
>> > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
>> >     at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
>> >     at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
>> >     at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
>> >     at
>> > org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
>> >     ... 3 more
>> >
>> >
>> > There is another Glen Mazza's article:
>> > http://www.jroller.com/gmazza/entry/cxf_x509_profile
>> >
>> > In it he authenticates with the Service Provider directly with an
>> > X509Token by configuring a WSS4JOutInterceptor.
>> > I have no idea how to combine these 2 examples to make the STS call with
>> > X509 authentication.
>> > Does anyone have experience with this use case scenario?
>> >
>> > Thank you,
>> > Mihai
>> >
>>
>>
>
>
>



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com
