Hi Dan,

Could you paste the security policy of the service provider, as well
as the message it is rejecting? The error message "The Key transport
method does not match the requirement" indicates that the encryption
algorithm that was used in the request does not match with the
configured policy.

Colm.

On Mon, Dec 12, 2011 at 2:23 AM, DTaylor <[email protected]> wrote:
> Good day,
>
> I've run into a scenario attempting a manual token retrieval from a CXF STS
> and using it in a call to a service.  At this point, the STS call is
> successful and I receive a token back from the STS server.  Now when I'm
> trying to use the token with the service call I'm receiving an indication
> that certain items are missing.
>
> My manual set up is:
>
>
> import java.util.HashMap;
> import java.util.Map;
> import java.util.Properties;
> import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
> import org.apache.ws.security.components.crypto.Merlin;
> import org.apache.ws.security.handler.WSHandlerConstants;
>
> Map<String, Object> outProps = new HashMap<String, Object>();
> Properties merProps = new Properties();
>
> // Outbound actions: timestamp, then sign, then encrypt.
> outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
>         + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
> outProps.put(WSHandlerConstants.ENC_PROP_FILE, "keys/clientKeystore.properties");
> outProps.put(WSHandlerConstants.USER, "xws-security-client");
> outProps.put(WSHandlerConstants.PW_CALLBACK_CLASS,
>         "demo.wssec.client.ClientCallbackHandler");
>
> // Elements to sign: the Timestamp, the SAML Assertion, the Body content
> // and the WS-Addressing headers.
> outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
>         "{Element}{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Timestamp;"
>         + "{Element}{urn:oasis:names:tc:SAML:2.0:assertion}Assertion;"
>         + "{Content}{}Body;"
>         + "{Element}{http://www.w3.org/2005/08/addressing}To;"
>         + "{Element}{http://www.w3.org/2005/08/addressing}ReplyTo;"
>         + "{Element}{http://www.w3.org/2005/08/addressing}MessageID;"
>         + "{Element}{http://www.w3.org/2005/08/addressing}Action;");
> // Elements to encrypt: the Signature and the Body content.
> outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
>         "{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;"
>         + "{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");
>
> // Earlier variant (kept for reference): also signs From, FaultTo,
> // RelatesTo and the WS-RM headers.
> //outProps.put(WSHandlerConstants.SIGNATURE_PARTS,
> //        "{Content}{}Body;"
> //        + "{Element}{http://www.w3.org/2005/08/addressing}To;"
> //        + "{Element}{http://www.w3.org/2005/08/addressing}From;"
> //        + "{Element}{http://www.w3.org/2005/08/addressing}FaultTo;"
> //        + "{Element}{http://www.w3.org/2005/08/addressing}ReplyTo;"
> //        + "{Element}{http://www.w3.org/2005/08/addressing}MessageID;"
> //        + "{Element}{http://www.w3.org/2005/08/addressing}RelatesTo;"
> //        + "{Element}{http://www.w3.org/2005/08/addressing}Action;"
> //        + "{Element}{http://docs.oasis-open.org/ws-rx/wsrm/200702}AckRequested;"
> //        + "{Element}{http://docs.oasis-open.org/ws-rx/wsrm/200702}SequenceAcknowledgement;"
> //        + "{Element}{http://docs.oasis-open.org/ws-rx/wsrm/200702}Sequence;"
> //        + "{Element}{http://docs.oasis-open.org/ws-rx/wsrm/200702}CreateSequence;");
> //outProps.put(WSHandlerConstants.ENCRYPTION_PARTS,
> //        "{Element}{http://www.w3.org/2000/09/xmldsig#}Signature;"
> //        + "{Content}{http://schemas.xmlsoap.org/soap/envelope/}Body");
>
> outProps.put(WSHandlerConstants.SIG_PROP_FILE, "keys/clientKeystore.properties");
> outProps.put(WSHandlerConstants.SIGNATURE_USER, "xws-security-server");
>
> // Merlin crypto configuration: client keystore plus truststore.
> outProps.put("org.apache.ws.security.crypto.provider",
>         "org.apache.ws.security.components.crypto.Merlin");
> merProps.put("org.apache.ws.security.crypto.provider",
>         "org.apache.ws.security.components.crypto.Merlin");
> merProps.put(Merlin.KEYSTORE_TYPE, "jks");
> merProps.put(Merlin.KEYSTORE_PASSWORD, "changeit");
> merProps.put(Merlin.KEYSTORE_ALIAS, "xws-security-client");
> merProps.put(Merlin.KEYSTORE_FILE, "keys/keystore.jks");
> merProps.put(Merlin.TRUSTSTORE_TYPE, "jks");
> merProps.put(Merlin.TRUSTSTORE_FILE, "keys/cacerts.jks");
> merProps.put(Merlin.TRUSTSTORE_PASSWORD, "changeit");
> outProps.put("ws-security.encryption.properties", merProps);
> try {
>     Merlin merlin = new Merlin(merProps);
>     outProps.put("ws-security.encryption.crypto", merlin);
> } catch (Exception ex) {
>     System.out.println("**** EXCEPTION STORING MERLIN:  " + ex.getMessage());
> }
>
> // 'factory' is the client proxy factory created earlier (not shown).
> factory.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
>
> The resulting log from the STS side is:
>
> Response-Code: 500
> Encoding: UTF-8
> Content-Type: text/xml;charset=UTF-8
> Headers: {Content-Length=[672], content-type=[text/xml;charset=UTF-8],
> Server=[Jetty(7.5.3.v20111011)]}
> Payload: soap:ServerThese policy alternatives can not be
> satisfied:{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}AsymmetricBinding:
> The Key transport method does not match the requirement
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}InitiatorToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}RecipientToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
>
> I'm assuming this means that the STS cannot find the member for the
> issued token, initiator token, recipient token or the timestamp.  While I
> haven't shown the code for adding the IssuedToken, and the include timestamp
> is missing because I haven't included it in the encryption parts as of yet,
> my question is around the initiator and recipient tokens.  Would the
> initiator token be the public key of the client in the keystore and the
> recipient token be the public key of the server?
>
> Thanks,
>
> Dan.
>
> --
> View this message in context: 
> http://cxf.547215.n5.nabble.com/Encryption-Parts-not-followed-tp5067011p5067011.html
> Sent from the cxf-user mailing list archive at Nabble.com.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
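The reply above says the "Key transport method does not match the requirement" fault means the key wrap algorithm in the request differs from what the service's AsymmetricBinding policy requires. The following is an added example (not CXF or WSS4J code, and not from either message in this thread) that makes that check explicit: it reads the AlgorithmSuite from a WS-SecurityPolicy fragment, reads the EncryptionMethod of the EncryptedKey in a SOAP envelope, and reports whether they agree. The policy and envelope are constructed samples; the suite-to-algorithm mapping follows WS-SecurityPolicy 1.2, where suites named with an "Rsa15" suffix require RSA-1.5 and the others require RSA-OAEP.

```python
"""Added example (not CXF code and not from the original thread): check whether
the key transport algorithm a client used in its EncryptedKey matches the
AlgorithmSuite an AsymmetricBinding policy requires. Both XML samples below are
constructed for illustration."""
import xml.etree.ElementTree as ET

NS = {
    "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# XML Encryption key transport algorithm identifiers.
RSA15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
RSA_OAEP = "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"


def required_key_transport(suite_name):
    """WS-SecurityPolicy 1.2 suites whose name ends in 'Rsa15' (Basic128Rsa15,
    Basic256Sha256Rsa15, ...) require RSA-1.5 key transport; all other
    standard suites (Basic128, Basic256, TripleDes, ...) require RSA-OAEP."""
    return RSA15 if suite_name.endswith("Rsa15") else RSA_OAEP


def policy_algorithm_suite(policy_xml):
    """Return the AlgorithmSuite name nested under sp:AsymmetricBinding, e.g.
    'Basic128'. The suite element is the single child of the wsp:Policy
    wrapper inside sp:AlgorithmSuite, so the wrapper is matched by wildcard."""
    binding = ET.fromstring(policy_xml).find(".//sp:AsymmetricBinding", NS)
    if binding is None:
        raise ValueError("policy has no AsymmetricBinding")
    suite = binding.find(".//sp:AlgorithmSuite/*/*", NS)
    if suite is None:
        raise ValueError("AsymmetricBinding has no AlgorithmSuite")
    return suite.tag.split("}")[-1]  # strip the namespace part of the tag


def message_key_transport(envelope_xml):
    """Return the Algorithm attribute of the first EncryptedKey's
    EncryptionMethod, or None if the message carries no EncryptedKey."""
    method = ET.fromstring(envelope_xml).find(
        ".//xenc:EncryptedKey/xenc:EncryptionMethod", NS)
    return None if method is None else method.get("Algorithm")


def check_key_transport(policy_xml, envelope_xml):
    """Return (matches, required_algorithm, used_algorithm)."""
    required = required_key_transport(policy_algorithm_suite(policy_xml))
    used = message_key_transport(envelope_xml)
    return (used == required, required, used)


# Constructed policy: the Basic128 suite, which requires RSA-OAEP key transport.
POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:AsymmetricBinding>
    <wsp:Policy>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
      <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:AsymmetricBinding>
</wsp:Policy>"""

# Constructed envelope skeleton; the key transport algorithm is filled in below.
ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <soap:Header><wsse:Security>
    <xenc:EncryptedKey>
      <xenc:EncryptionMethod Algorithm="{alg}"/>
      <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
  </wsse:Security></soap:Header>
  <soap:Body/>
</soap:Envelope>"""


def demo():
    """A client wrapping the session key with RSA-1.5 fails a Basic128
    policy; the same message with RSA-OAEP satisfies it."""
    return [check_key_transport(POLICY, ENVELOPE.format(alg=alg))
            for alg in (RSA15, RSA_OAEP)]


if __name__ == "__main__":
    for ok, required, used in demo():
        print("match" if ok else "MISMATCH", "required:", required, "used:", used)
```

Run it against the real policy (from the service WSDL) and a captured outbound request to see which side needs to change. On the WSS4J side the key transport algorithm used for the EncryptedKey is a handler property (WSHandlerConstants.ENC_KEY_TRANSPORT, assumed here from WSS4J 1.6); if the policy names a plain Basic128/Basic256 suite, that property has to select RSA-OAEP, and if it names an Rsa15 suite, RSA-1.5.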
