Good day,
I've run into a scenario attempting a manual token retrieval from a CXF STS
and using it in a call to a service. At this point, the STS call is
successful and I receive a token back from the STS server. Now when I'm
trying to use the token with the service call I'm receiving an indication
that certain items are missing.
My manual set-up is:
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
import org.apache.ws.security.components.crypto.Merlin;
import org.apache.ws.security.handler.WSHandlerConstants;

// WSS4J handler configuration for the outbound call to the service.
Map<String, Object> outProps = new HashMap<String, Object>();
Properties merProps = new Properties();

// Actions in order: add a Timestamp, sign, then encrypt.
outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
    + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
outProps.put(WSHandlerConstants.ENC_PROP_FILE, "keys/clientKeystore.properties");
outProps.put(WSHandlerConstants.USER, "xws-security-client");
outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
    "demo.wssec.client.ClientCallbackHandler");

// Parts to sign: Timestamp, the SAML assertion, the Body content and the
// WS-Addressing headers.
outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
    "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;{Element}{urn:oasis:names:tc:SAML:2.0:assertion}Assertion;{Content}{}Body;{Element}{http://www.w3.org/2005/08/addressing}To;{Element}{http://www.w3.org/2005/08/addressing}ReplyTo;{Element}{http://www.w3.org/2005/08/addressing}MessageID;{Element}{http://www.w3.org/2005/08/addressing}Action;");

// Parts to encrypt: the Signature element and the Body content.
outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
    "{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");

// Earlier variants kept for reference. The whole statement has to be commented
// out: a string literal left on its own line is not a valid Java statement.
// outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
//     "{Content}{}Body;{Element}{http://www.w3.org/2005/08/addressing}To;{Element}{http://www.w3.org/2005/08/addressing}From;{Element}{http://www.w3.org/2005/08/addressing}FaultTo;{Element}{http://www.w3.org/2005/08/addressing}ReplyTo;{Element}{http://www.w3.org/2005/08/addressing}MessageID;{Element}{http://www.w3.org/2005/08/addressing}RelatesTo;{Element}{http://www.w3.org/2005/08/addressing}Action;{Element}{http://docs.oasis-open.org/ws-rx/wsrm/200702}AckRequested;{Element}{http://docs.oasis-open.org/ws-rx/wsrm/200702}SequenceAcknowledgement;{Element}{http://docs.oasis-open.org/ws-rx/wsrm/200702}Sequence;{Element}{http://docs.oasis-open.org/ws-rx/wsrm/200702}CreateSequence;");
// outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
//     "{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");

// Note: WSS4J signs with the SIGNATURE_USER alias and, with no ENCRYPTION_USER
// set, encrypts to the USER alias. As configured here that means signing as
// xws-security-server and encrypting to xws-security-client. The key transport
// algorithm is left at the WSS4J default (no WSHandlerConstants.ENC_KEY_TRANSPORT).
outProps.put(WSHandlerConstants.SIG_PROP_FILE, "keys/clientKeystore.properties");
outProps.put(WSHandlerConstants.SIGNATURE_USER, "xws-security-server");
outProps.put("org.apache.ws.security.crypto.provider",
    "org.apache.ws.security.components.crypto.Merlin");

// Merlin crypto properties: the client keystore (private key) and the
// truststore holding the server certificate.
merProps.put("org.apache.ws.security.crypto.provider",
    "org.apache.ws.security.components.crypto.Merlin");
merProps.put(Merlin.KEYSTORE_TYPE, "jks");
merProps.put(Merlin.KEYSTORE_PASSWORD, "changeit");
merProps.put(Merlin.KEYSTORE_ALIAS, "xws-security-client");
merProps.put(Merlin.KEYSTORE_FILE, "keys/keystore.jks");
merProps.put(Merlin.TRUSTSTORE_TYPE, "jks");
merProps.put(Merlin.TRUSTSTORE_FILE, "keys/cacerts.jks");
merProps.put(Merlin.TRUSTSTORE_PASSWORD, "changeit");
outProps.put("ws-security.encryption.properties", merProps);
try {
    // Merlin(Properties) loads the keystore/truststore and throws on failure.
    Merlin merlin = new Merlin(merProps);
    outProps.put("ws-security.encryption.crypto", merlin);
} catch (Exception ex) {
    System.out.println("**** EXCEPTION STORING MERLIN: " + ex.getMessage());
}

// factory is the client proxy factory created earlier (not shown in the post).
factory.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
The resulting log from the STS side is:
Response-Code: 500
Encoding: UTF-8
Content-Type: text/xml;charset=UTF-8
Headers: {Content-Length=[672], content-type=[text/xml;charset=UTF-8],
Server=[Jetty(7.5.3.v20111011)]}
Payload: faultcode soap:Server, faultstring:
These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding: The Key transport method does not match the requirement
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
I'm assuming this means that the STS cannot find the member for the
issued token, initiator token, recipient token or the timestamp. While I
haven't shown the code for adding the IssuedToken, and the include timestamp
is missing because I haven't included it in the encryption parts as of yet,
my question is around the initiator and recipient tokens. Would the
initiator token be the public key of the client in the keystore and the
recipient token be the public key of the server?
Thanks,
Dan.
--
View this message in context:
http://cxf.547215.n5.nabble.com/Encryption-Parts-not-followed-tp5067011p5067011.html
Sent from the cxf-user mailing list archive at Nabble.com.
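Editor's note, added after the post and not part of it or of the CXF project: the fault lists the assertions of the service's WS-SecurityPolicy that the hand-built header did not satisfy. In an AsymmetricBinding the InitiatorToken is the client's X.509 key pair (the client signs with its private key) and the RecipientToken is the service's certificate (the client encrypts the symmetric key to it). The "Key transport method does not match" line refers to the asymmetric key wrap: WS-SecurityPolicy 1.2 algorithm suites such as Basic128 require RSA-OAEP, while WSS4J 1.6 defaults to RSA 1.5 unless WSHandlerConstants.ENC_KEY_TRANSPORT is set. The example below shows the policy-driven alternative in CXF 2.x, where the WS-SecurityPolicy interceptors read the policy from the WSDL and derive the actions, parts and algorithms from it, and STSClient fetches the IssuedToken. The SecurityConstants keys and STSClient setters are real CXF API; the WSDL locations, QNames, the Greeter SEI and the key aliases are assumptions.

```java
// Added example (not from the original post or the CXF project): a policy-driven
// CXF 2.x client for a service whose WSDL carries a WS-SecurityPolicy
// AsymmetricBinding with an IssuedToken. WSDL locations, QNames, the Greeter
// SEI and the key aliases are assumptions for illustration.
import java.util.HashMap;
import java.util.Map;
import javax.jws.WebService;
import javax.xml.namespace.QName;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.jaxws.JaxWsProxyFactoryBean;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;

public class IssuedTokenClient {

    // Assumed STS coordinates (WS-Trust 1.3 namespace).
    private static final String STS_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
    private static final String STS_WSDL = "https://sts.example.org/SecurityTokenService?wsdl";
    private static final String STS_SERVICE = "{" + STS_NS + "}SecurityTokenService";
    private static final String STS_ENDPOINT = "{" + STS_NS + "}STS_Port";

    // Crypto properties and callback handler, as named in the original post.
    private static final String CRYPTO_PROPS = "keys/clientKeystore.properties";
    private static final String CALLBACK = "demo.wssec.client.ClientCallbackHandler";

    /** Security properties for the call to the service. */
    public static Map<String, Object> serviceSecurityProps(Bus bus) {
        Map<String, Object> props = new HashMap<String, Object>();

        // Password callback for the client's private key.
        props.put(SecurityConstants.CALLBACK_HANDLER, CALLBACK);

        // InitiatorToken: the client's own X.509 key pair. CXF signs with this
        // private key; the service verifies against the client certificate.
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, CRYPTO_PROPS);
        props.put(SecurityConstants.SIGNATURE_USERNAME, "xws-security-client");

        // RecipientToken: the service's certificate from the truststore. CXF
        // wraps the symmetric key to it with the key transport algorithm the
        // policy's AlgorithmSuite requires, so no manual ENC_KEY_TRANSPORT.
        props.put(SecurityConstants.ENCRYPT_PROPERTIES, CRYPTO_PROPS);
        props.put(SecurityConstants.ENCRYPT_USERNAME, "xws-security-server");

        // IssuedToken: CXF requests the SAML assertion from the STS on first
        // use and places it in the security header of the service call.
        props.put(SecurityConstants.STS_CLIENT, stsClient(bus));
        return props;
    }

    /** STS client; the STS endpoint has its own policy, satisfied the same way. */
    public static STSClient stsClient(Bus bus) {
        STSClient sts = new STSClient(bus);
        sts.setWsdlLocation(STS_WSDL);
        sts.setServiceName(STS_SERVICE);
        sts.setEndpointName(STS_ENDPOINT);

        Map<String, Object> stsProps = new HashMap<String, Object>();
        stsProps.put(SecurityConstants.CALLBACK_HANDLER, CALLBACK);
        stsProps.put(SecurityConstants.SIGNATURE_PROPERTIES, CRYPTO_PROPS);
        stsProps.put(SecurityConstants.SIGNATURE_USERNAME, "xws-security-client");
        stsProps.put(SecurityConstants.ENCRYPT_PROPERTIES, CRYPTO_PROPS);
        stsProps.put(SecurityConstants.ENCRYPT_USERNAME, "xws-security-sts"); // assumed STS cert alias
        sts.setProperties(stsProps);
        return sts;
    }

    public static void main(String[] args) {
        Bus bus = BusFactory.getDefaultBus();

        JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean();
        factory.setBus(bus);
        factory.setServiceClass(Greeter.class);
        // The WSDL must be set: the policy attachments are read from it.
        factory.setWsdlLocation("https://service.example.org/GreeterService?wsdl"); // assumed
        factory.setServiceName(new QName("http://example.org/greeter", "GreeterService")); // assumed
        factory.setEndpointName(new QName("http://example.org/greeter", "GreeterPort")); // assumed
        factory.setProperties(serviceSecurityProps(bus));

        Greeter greeter = (Greeter) factory.create();
        System.out.println(greeter.greetMe("Dan"));
    }
}

/** Assumed service endpoint interface; in practice generated from the WSDL. */
@WebService(targetNamespace = "http://example.org/greeter")
interface Greeter {
    String greetMe(String name);
}
```

This only works when cxf-rt-ws-policy and cxf-rt-ws-security are on the classpath, so that the policy engine installs the WS-SecurityPolicy interceptors; a WSS4JOutInterceptor added by hand on the same client would produce a second security header and is not needed.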