Hi Dan,

> From here, I've gathered that the problem is that the encryptionName is
> null, however I'm unsure what the encryptionName should be (should it be
> "alice" (the username), the encryption certificate alias, something else?)
> and also where this property would be propagated from (I currently set the
> ws-security.username property to alice on the STSClient and the
> SecurityConstants.STS_TOKEN_USERNAME property to the certificate alias on
> the STSClient).

The encryption name should be the keystore alias corresponding to the X509Certificate of the recipient of the SAML Token. To see how to configure this, take a look at the SymmetricBindingTest in the basic STS systests:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java?view=markup

The WSDL of the service provider has an IssuedToken policy requiring a SymmetricKey KeyType:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl?view=markup

This means that the STS must encrypt the symmetric key in the Subject of the generated SAML Token using the alias corresponding to the certificate for this service provider. To see how to configure this, take a look at the STS configuration for this test:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/cxf-ut.xml?view=markup

The StaticSTSProperties bean has a configuration item that is used for all services:

<property name="encryptionUsername" value="myservicekey" />
<property name="encryptionPropertiesFile" value="stsKeystore.properties" />

However, you can also configure the certificate per service endpoint, see this for more information "1.2) AppliesTo parsing":

http://coheigea.blogspot.com/2011/11/apache-cxf-sts-documentation-part-viii_10.html

Colm.

On Tue, Dec 6, 2011 at 10:24 PM, DTaylor <[email protected]> wrote:
> Good afternoon,
>
> We've just recently switched to CXF from Metro and are trying to retrieve a
> SAML 1.1 token from the CXF STS. I've managed to retrieve the token using
> the PublicKey key type, however when using the SymmetricKey key type, I
> receive the following error message:
>
> *org.apache.cxf.ws.security.sts.provider.STSException: The specified request
> failed
> at
> org.apache.cxf.sts.token.provider.DefaultSubjectProvider.getSubject(DefaultSubjectProvider.java:116)*
>
> From here, I've gathered that the problem is that the encryptionName is
> null, however I'm unsure what the encryptionName should be (should it be
> "alice" (the username), the encryption certificate alias, something else?)
> and also where this property would be propagated from (I currently set the
> ws-security.username property to alice on the STSClient and the
> SecurityConstants.STS_TOKEN_USERNAME property to the certificate alias on
> the STSClient).
>
> Any help would be much appreciated, as I need to be able to create and use
> the STSClient instance via code rather than through Spring configuration
> files.
>
> Thanks,
>
> Dan.
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Unable-to-acquire-token-from-STS-using-SymmetricKey-key-type-tp5053667p5053667.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
