Hello all, I am attempting to use the STS client functionality of CXF 2.5.2 and have run into some problems (most recently an NPE in AbstractBindingBuilder.getSecurityToken()). I suspect this is because the WS-Policy I have written so far does not state the security token requirements properly: from the logs, the client never appears to reach the point where a WS-Trust RST/Issue is actually sent to my STS, so the binding builder seems to be asked for an issued token that was never obtained.
My goal is to have an RST Issue between a CXF-based client and a PingFederate server which takes an X.509 token and gives a SAML token, and a Validate between a CXF-based service and PingFederate to confirm the message once sent by the client. I'm rather unsure how to do the Validate as well once I do get the Issue working properly. TemperatureConversion.wsdl: <?xml version='1.0' encoding='UTF-8'?> <wsdl:definitions name="TemperatureConversion" targetNamespace="http://sample.pingidentity.com/" xmlns:ns1="http://schemas.xmlsoap.org/soap/http" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://sample.pingidentity.com/" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wsaw="http://www.w3.org/2005/08/addressing"> <wsdl:types>...</wsdl:types> <wsdl:message name="convertTemperatureResponse"> <wsdl:part element="tns:convertTemperatureResponse" name="parameters"> </wsdl:part> </wsdl:message> <wsdl:message name="convertTemperature"> <wsdl:part element="tns:convertTemperature" name="parameters"> </wsdl:part> </wsdl:message> <wsdl:portType name="TemperatureConversion"> <wsdl:operation name="convertTemperature"> <wsdl:input message="tns:convertTemperature" name="convertTemperature"> </wsdl:input> <wsdl:output message="tns:convertTemperatureResponse" name="convertTemperatureResponse"> </wsdl:output> </wsdl:operation> </wsdl:portType> <wsdl:binding name="TemperatureConversionSoapBinding" type="tns:TemperatureConversion"> <wsp:PolicyReference URI="#AsymmetricSAML2Policy"/> <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/> <wsdl:operation name="convertTemperature"> 
<soap:operation soapAction="" style="document"/> <wsdl:input name="convertTemperature"> <soap:body use="literal"/> <wsp:PolicyReference URI="#Input_Policy"/> </wsdl:input> <wsdl:output name="convertTemperatureResponse"> <soap:body use="literal"/> <wsp:PolicyReference URI="#Output_Policy"/> </wsdl:output> </wsdl:operation> </wsdl:binding> <wsdl:service name="TemperatureConversion"> <wsdl:port binding="tns:TemperatureConversionSoapBinding" name="TemperatureConversionPort"> <soap:address location="https://wsp.partner.com:8443/temperature-service/services/TemperatureConversion"/> </wsdl:port> </wsdl:service> <wsp:Policy wsu:Id="AsymmetricSAML2Policy"> <wsp:ExactlyOne> <wsp:All> <wsam:Addressing wsp:Optional="false"> <wsp:Policy/> </wsam:Addressing> <sp:AsymmetricBinding> <wsp:Policy> <sp:InitiatorToken> <wsp:Policy> <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> <sp:RequestSecurityTokenTemplate> <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType> <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType> </sp:RequestSecurityTokenTemplate> <wsp:Policy> <sp:RequireInternalReference/> </wsp:Policy> <!-- <sp:Issuer> <wsaw:Address>https://sts.customer.com:9031/idp/sts.wst</wsaw:Address> </sp:Issuer> --> </sp:IssuedToken> </wsp:Policy> </sp:InitiatorToken> <sp:RecipientToken> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"> <wsp:Policy> <sp:WssX509V3Token10/> <sp:RequireIssuerSerialReference/> </wsp:Policy> </sp:X509Token> </wsp:Policy> </sp:RecipientToken> <sp:Layout> <wsp:Policy> <sp:Lax/> </wsp:Policy> </sp:Layout> <sp:IncludeTimestamp/> <sp:OnlySignEntireHeadersAndBody/> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256/> </wsp:Policy> </sp:AlgorithmSuite> </wsp:Policy> </sp:AsymmetricBinding> <sp:Wss11> <wsp:Policy> <sp:MustSupportRefIssuerSerial/> 
<sp:MustSupportRefThumbprint/> <sp:MustSupportRefEncryptedKey/> </wsp:Policy> </sp:Wss11> <sp:Trust13> <wsp:Policy> <sp:MustSupportIssuedTokens/> <sp:RequireClientEntropy/> <sp:RequireServerEntropy/> </wsp:Policy> </sp:Trust13> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> <wsp:Policy wsu:Id="Input_Policy"> <wsp:ExactlyOne> <wsp:All> <sp:SignedParts> <sp:Body/> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> </sp:SignedParts> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> <wsp:Policy wsu:Id="Output_Policy"> <wsp:ExactlyOne> <wsp:All> <sp:SignedParts> <sp:Body/> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/> <sp:Header Name="AckRequested" 
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/> </sp:SignedParts> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> </wsdl:definitions> mex.xml: <wsdl:definitions xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"xmlns:tns="http://schemas.pingidentity.com/ws/securitytokenservice" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" name="SecurityTokenService"targetNamespace="http://schemas.pingidentity.com/ws/securitytokenservice"> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" wsu:Id="x509"> <wsp:ExactlyOne> <wsp:All> <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> <wsp:Policy> <sp:TransportToken> <wsp:Policy> <sp:HttpsToken/> </wsp:Policy> </sp:TransportToken> <sp:AlgorithmSuite> <wsp:Policy> <sp:Basic256/> </wsp:Policy> </sp:AlgorithmSuite> <sp:Layout> <wsp:Policy> <sp:Strict/> </wsp:Policy> </sp:Layout> <sp:IncludeTimestamp/> </wsp:Policy> </sp:TransportBinding> <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> <wsp:Policy> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> <wsp:Policy> <sp:RequireThumbprintReference/> <sp:WssX509V3Token10/> 
</wsp:Policy> </sp:X509Token> <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"wsp:Optional="true"/> <sp:SignedParts> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/> </sp:SignedParts> </wsp:Policy> </sp:EndorsingSupportingTokens> <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> <wsp:Policy> <sp:MustSupportRefKeyIdentifier/> <sp:MustSupportRefIssuerSerial/> <sp:MustSupportRefThumbprint/> <sp:MustSupportRefEncryptedKey/> </wsp:Policy> </sp:Wss11> <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> <wsp:Policy> <sp:MustSupportIssuedTokens/> <sp:RequireClientEntropy/> <sp:RequireServerEntropy/> </wsp:Policy> </sp:Trust13> <wsaw:UsingAddressing/> </wsp:All> </wsp:ExactlyOne> </wsp:Policy> <wsdl:types> <xs:schema xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512"> <xs:element name="RequestSecurityToken" type="wst:AbstractRequestSecurityTokenType"/> <xs:element name="RequestSecurityTokenResponse" type="wst:AbstractRequestSecurityTokenType"/> <xs:complexType name="AbstractRequestSecurityTokenType"> <xs:sequence> <xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any" processContents="lax"/> </xs:sequence> <xs:attribute name="Context" type="xs:anyURI" use="optional"/> <xs:anyAttribute namespace="##other" 
processContents="lax"/> </xs:complexType> <xs:element name="RequestSecurityTokenCollection" type="wst:RequestSecurityTokenCollectionType"/> <xs:complexType name="RequestSecurityTokenCollectionType"> <xs:sequence> <xs:element maxOccurs="unbounded" minOccurs="2" name="RequestSecurityToken"type="wst:AbstractRequestSecurityTokenType"/> </xs:sequence> </xs:complexType> <xs:element name="RequestSecurityTokenResponseCollection" type="wst:RequestSecurityTokenResponseCollectionType"/> <xs:complexType name="RequestSecurityTokenResponseCollectionType"> <xs:sequence> <xs:element maxOccurs="unbounded" minOccurs="1" ref="wst:RequestSecurityTokenResponse"/> </xs:sequence> <xs:anyAttribute namespace="##other" processContents="lax"/> </xs:complexType> </xs:schema> </wsdl:types> <wsdl:message name="InputMessage"> <wsdl:part name="request" element="trust:RequestSecurityToken"/> </wsdl:message> <wsdl:message name="OutputMessage"> <wsdl:part name="response" element="trust:RequestSecurityTokenResponseCollection"/> </wsdl:message> <wsdl:portType name="WsTrust13"> <wsdl:operation name="WsTrust13Issue"> <wsdl:input wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" message="tns:InputMessage"/> <wsdl:output wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal" message="tns:OutputMessage"/> </wsdl:operation> </wsdl:portType> <wsdl:binding name="SecurityTokenServiceBinding_x509" type="tns:WsTrust13"> <wsp:PolicyReference URI="#x509"/> <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/> <wsdl:operation name="WsTrust13Issue"> <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" style="document"/> <wsdl:input> <soap12:body use="literal"/> </wsdl:input> <wsdl:output> <soap12:body use="literal"/> </wsdl:output> </wsdl:operation> </wsdl:binding> <wsdl:service name="SecurityTokenService"> <wsdl:port name="SecurityTokenServicePort_x509_x509" binding="tns:SecurityTokenServiceBinding_x509"> 
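<soap12:address location="https://localhost:9031/idp/sts.wst?TokenProcessorId=x509"/>
<wsa10:EndpointReference>
  <!-- wsa:Address is an anyURI; leading/trailing whitespace around the value is dropped here
       so that EPR comparison against the soap12:address above does not depend on collapsing. -->
  <wsa10:Address>https://localhost:9031/idp/sts.wst?TokenProcessorId=x509</wsa10:Address>
</wsa10:EndpointReference>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>

Client beans.xml:

<?xml version="1.0" encoding="UTF-8"?>
<!--
  CXF client configuration for the TemperatureConversion service.

  Three beans matter here:
    * cxf:bus          - enables WS-Policy processing and message logging.
    * ...sts-client    - the STSClient that CXF looks up by the convention
                         "{serviceNamespace}PortName.sts-client" to obtain the
                         IssuedToken required by the service's AsymmetricBinding.
    * jaxws:client     - WS-Security properties for signing the service request.
    * http:conduit     - TLS settings applied to every HTTPS conduit (see note below).

  SECURITY NOTES (reviewer):
    - Keystore and key passwords ("changeit", "2Federate") are inline in this file.
      Externalize them (system properties, a protected properties file, or a vault)
      before this configuration leaves a development machine.
    - The cipher-suite filter in the sample this was copied from *included* export,
      DES and NULL-encryption suites; that is fixed below to allow AES suites only.
    - disableCNCheck="true" (present in the original) turned off TLS hostname
      verification for every conduit, which permits a man-in-the-middle with any
      certificate the truststore trusts. It has been removed; if the STS or service
      certificate does not match its hostname, fix the certificate or the address
      rather than disabling the check.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xmlns:cxf="http://cxf.apache.org/core"
       xmlns:p="http://cxf.apache.org/policy"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xsi:schemaLocation="
         http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
         http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
         http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
         http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
         http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">

  <cxf:bus>
    <cxf:features>
      <!-- cxf:logging dumps complete request/response messages, including the
           WS-Security header and the issued SAML assertion, to the log. Useful
           while debugging the WS-Trust exchange; remove it for production. -->
      <cxf:logging/>
      <!-- Required so the PolicyReferences in TemperatureConversion.wsdl and in
           the STS WSDL (mex.xml) are enforced on the client side. -->
      <p:policies />
    </cxf:features>
  </cxf:bus>

  <!-- STSClient for the service port. The bean name must be exactly
       "{<service target namespace>}<port name>.sts-client" for CXF to find it. -->
  <bean name="{http://sample.pingidentity.com/}TemperatureConversionPort.sts-client"
        class="org.apache.cxf.ws.security.trust.STSClient">
    <constructor-arg ref="cxf"/>
    <property name="serviceName"
              value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenService" />
    <!-- NOTE(review): this WSDL defines where the RST is sent and which security
         policy the STS call must satisfy, yet it is fetched over plain HTTP. Anyone
         who can tamper with that download can redirect the token request or weaken
         the policy. Load it from the classpath (e.g. "classpath:mex.xml") or over
         HTTPS with a verified certificate. -->
    <property name="wsdlLocation" value="http://localhost/mex.xml" />
    <property name="endpointName"
              value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenServicePort_x509_x509"/>
    <property name="properties">
      <map>
        <!-- The STS binding (mex.xml, policy "x509") uses an X.509 EndorsingSupportingToken,
             so "username" here is presumably the keystore alias used to sign the RST and
             "password" its key password - TODO confirm against clientcert.properties. -->
        <entry key="ws-security.sts.token.username" value="3"/>
        <!-- Plain-text key password; externalize before deployment. -->
        <entry key="ws-security.sts.token.password" value="2Federate" />
        <entry key="ws-security.sts.token.properties" value="certs/clientcert.properties"/>
        <!-- Send the X.509 certificate in the RST (UseKey) so the STS can bind the
             issued SAML token to the client's public key (KeyType PublicKey). -->
        <entry key="ws-security.sts.token.usecert" value="true"/>
      </map>
    </property>
  </bean>

  <!-- WS-Security configuration for the TemperatureConversion request itself.
       The AsymmetricBinding in the service WSDL signs with the issued token's key,
       which here resolves to the alias below in clientcert.properties. -->
  <jaxws:client name="{http://sample.pingidentity.com/}TemperatureConversionPort" createdFromAPI="true">
    <jaxws:properties>
      <entry key="ws-security.signature.properties" value="certs/clientcert.properties" />
      <entry key="ws-security.signature.username" value="4" />
      <!-- Supplies the private-key password at runtime instead of inlining it here. -->
      <entry key="ws-security.callback-handler" value="com.pingidentity.sample.client.ClientCallbackHandler"/>
    </jaxws:properties>
  </jaxws:client>

  <!-- Conduit name "*.http-conduit" is a wildcard: these TLS parameters apply to
       EVERY HTTPS conduit in this bus, i.e. both the service at
       https://wsp.partner.com:8443/... and the STS at https://localhost:9031/....
       Use a per-endpoint name (e.g. "{namespace}PortName.http-conduit") if the two
       need different trust stores or client certificates. -->
  <http:conduit name="*.http-conduit">
    <!-- Hostname verification is left ON (disableCNCheck defaults to false). -->
    <http:tlsClientParameters>
      <sec:trustManagers>
        <sec:keyStore type="JKS" password="changeit" resource="/certs/clienttrust.jks"/>
      </sec:trustManagers>
      <!-- Client certificate presented during the TLS handshake. -->
      <sec:keyManagers keyPassword="2Federate">
        <sec:keyStore type="pkcs12" password="2Federate" resource="/certs/clientcert.p12"/>
      </sec:keyManagers>
      <sec:cipherSuitesFilter>
        <!-- Allow only AES cipher suites. Explicitly exclude export-grade, DES and
             NULL-encryption suites (the original sample *included* them, which
             negotiates weak or unencrypted TLS), and every anonymous key exchange
             (DH_anon and ECDH_anon), which has no server authentication and is
             trivially man-in-the-middled. -->
        <sec:include>.*_WITH_AES_.*</sec:include>
        <sec:exclude>.*_EXPORT.*</sec:exclude>
        <sec:exclude>.*_WITH_DES_.*</sec:exclude>
        <sec:exclude>.*_WITH_NULL_.*</sec:exclude>
        <sec:exclude>.*_anon_.*</sec:exclude>
      </sec:cipherSuitesFilter>
    </http:tlsClientParameters>
  </http:conduit>
</beans>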
