The policy statements in Talend's jaxws-cxf-sts and
jaxws-cxf-sts-advanced samples (available here off Github:
https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf or more
easily from the open-source Talend ESB Standard Edition download) may
have something you can leverage, the latter sample also shows WSP<->STS
validation. I have a text tutorial for an example closely similar to
the jaxws-cxf-sts sample:
http://www.jroller.com/gmazza/entry/cxf_sts_tutorial.
One CXF STS sample I see in our test cases is quite similar to your
policy statements
(http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/asymmetric/DoubleIt.wsdl?revision=1185706&view=markup),
so I'm not sure what the problem is. Did you remember to include the
cxf-rt-ws-policy dependency in your project (as listed in my blog
tutorial)--WS-Policy won't activate in CXF without it.
HTH,
Glen
On 03/12/2012 12:32 PM, David Waite wrote:
Hello all,
I am attempting to use the STS client functionality of CXF 2.5.2, and have run
into some problems (most recently a NPE in
AbstractBindingBuilder.getSecurityToken() ). I think this is due to the
WS-Policy I have created so far not stating the security token requirements
properly, as it does not appear I am getting to the point where WS-Trust
traffic is being sent to my STS for the Issue.
My goal is to have an RST Issue between a CXF-based client and a PingFederate
server which takes an X.509 token and gives a SAML token, and a Validate
between a CXF-based service and PingFederate to confirm the message once sent
by the client. I'm rather unsure how to do the Validate as well once I do get
the Issue working properly.
TemperatureConversion.wsdl:
<?xml version='1.0' encoding='UTF-8'?>
<wsdl:definitions name="TemperatureConversion"
targetNamespace="http://sample.pingidentity.com/";
xmlns:ns1="http://schemas.xmlsoap.org/soap/http";
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/";
xmlns:tns="http://sample.pingidentity.com/";
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata";
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
xmlns:xsd="http://www.w3.org/2001/XMLSchema";
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512";
xmlns:wsaw="http://www.w3.org/2005/08/addressing";>
<wsdl:types>...</wsdl:types>
<wsdl:message name="convertTemperatureResponse">
<wsdl:part element="tns:convertTemperatureResponse" name="parameters">
</wsdl:part>
</wsdl:message>
<wsdl:message name="convertTemperature">
<wsdl:part element="tns:convertTemperature" name="parameters">
</wsdl:part>
</wsdl:message>
<wsdl:portType name="TemperatureConversion">
<wsdl:operation name="convertTemperature">
<wsdl:input message="tns:convertTemperature" name="convertTemperature">
</wsdl:input>
<wsdl:output message="tns:convertTemperatureResponse"
name="convertTemperatureResponse">
</wsdl:output>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="TemperatureConversionSoapBinding"
type="tns:TemperatureConversion">
<wsp:PolicyReference URI="#AsymmetricSAML2Policy"/>
<soap:binding style="document"
transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="convertTemperature">
<soap:operation soapAction="" style="document"/>
<wsdl:input name="convertTemperature">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#Input_Policy"/>
</wsdl:input>
<wsdl:output name="convertTemperatureResponse">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#Output_Policy"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="TemperatureConversion">
<wsdl:port binding="tns:TemperatureConversionSoapBinding"
name="TemperatureConversionPort">
<soap:address
location="https://wsp.partner.com:8443/temperature-service/services/TemperatureConversion"/>
</wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="AsymmetricSAML2Policy">
<wsp:ExactlyOne>
<wsp:All>
<wsam:Addressing wsp:Optional="false">
<wsp:Policy/>
</wsam:Addressing>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:IssuedToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
<sp:RequestSecurityTokenTemplate>
<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
</wsp:Policy>
<!--
<sp:Issuer>
<wsaw:Address>https://sts.customer.com:9031/idp/sts.wst</wsaw:Address>
</sp:Issuer>
-->
</sp:IssuedToken>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
<wsp:Policy>
<sp:WssX509V3Token10/>
<sp:RequireIssuerSerialReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust13>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body/>
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="AckRequested"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="SequenceAcknowledgement"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="Sequence"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="CreateSequence"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="Output_Policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body/>
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="AckRequested"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="SequenceAcknowledgement"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="Sequence"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="CreateSequence"
Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</wsdl:definitions>
mex.xml:
<wsdl:definitions xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"xmlns:tns="http://schemas.pingidentity.com/ws/securitytokenservice";
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsa10="http://www.w3.org/2005/08/addressing";
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"; xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
name="SecurityTokenService"targetNamespace="http://schemas.pingidentity.com/ws/securitytokenservice";>
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"; wsu:Id="x509">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
<sp:KeyValueToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"wsp:Optional="true"/>
<sp:SignedParts>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust13
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:types>
<xs:schema xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/";
xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata";
xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"; xmlns:wsp="http://www.w3.org/ns/ws-policy";
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";
xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"xmlns:xs="http://www.w3.org/2001/XMLSchema";
elementFormDefault="qualified" targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512";>
<xs:element name="RequestSecurityToken"
type="wst:AbstractRequestSecurityTokenType"/>
<xs:element name="RequestSecurityTokenResponse"
type="wst:AbstractRequestSecurityTokenType"/>
<xs:complexType name="AbstractRequestSecurityTokenType">
<xs:sequence>
<xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any"
processContents="lax"/>
</xs:sequence>
<xs:attribute name="Context" type="xs:anyURI" use="optional"/>
<xs:anyAttribute namespace="##other" processContents="lax"/>
</xs:complexType>
<xs:element name="RequestSecurityTokenCollection"
type="wst:RequestSecurityTokenCollectionType"/>
<xs:complexType name="RequestSecurityTokenCollectionType">
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="2"
name="RequestSecurityToken"type="wst:AbstractRequestSecurityTokenType"/>
</xs:sequence>
</xs:complexType>
<xs:element name="RequestSecurityTokenResponseCollection"
type="wst:RequestSecurityTokenResponseCollectionType"/>
<xs:complexType name="RequestSecurityTokenResponseCollectionType">
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1"
ref="wst:RequestSecurityTokenResponse"/>
</xs:sequence>
<xs:anyAttribute namespace="##other" processContents="lax"/>
</xs:complexType>
</xs:schema>
</wsdl:types>
<wsdl:message name="InputMessage">
<wsdl:part name="request" element="trust:RequestSecurityToken"/>
</wsdl:message>
<wsdl:message name="OutputMessage">
<wsdl:part name="response"
element="trust:RequestSecurityTokenResponseCollection"/>
</wsdl:message>
<wsdl:portType name="WsTrust13">
<wsdl:operation name="WsTrust13Issue">
<wsdl:input wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue";
message="tns:InputMessage"/>
<wsdl:output wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal";
message="tns:OutputMessage"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="SecurityTokenServiceBinding_x509" type="tns:WsTrust13">
<wsp:PolicyReference URI="#x509"/>
<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="WsTrust13Issue">
<soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue";
style="document"/>
<wsdl:input>
<soap12:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap12:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="SecurityTokenService">
<wsdl:port name="SecurityTokenServicePort_x509_x509"
binding="tns:SecurityTokenServiceBinding_x509">
<soap12:address
location="https://localhost:9031/idp/sts.wst?TokenProcessorId=x509"/>
<wsa10:EndpointReference>
<wsa10:Address>
https://localhost:9031/idp/sts.wst?TokenProcessorId=x509
</wsa10:Address>
</wsa10:EndpointReference>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
Client beans.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans";
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
xmlns:http="http://cxf.apache.org/transports/http/configuration";
xmlns:jaxws="http://cxf.apache.org/jaxws";
xmlns:cxf="http://cxf.apache.org/core";
xmlns:p="http://cxf.apache.org/policy";
xmlns:sec="http://cxf.apache.org/configuration/security";
xsi:schemaLocation="
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
http://cxf.apache.org/configuration/security
http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/transports/http/configuration
http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd";>
<cxf:bus>
<cxf:features>
<cxf:logging/>
<p:policies />
</cxf:features>
</cxf:bus>
<bean
name="{http://sample.pingidentity.com/}TemperatureConversionPort.sts-client";
class="org.apache.cxf.ws.security.trust.STSClient">
<constructor-arg ref="cxf"/>
<property name="serviceName"
value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenService"; />
<property name="wsdlLocation" value="http://localhost/mex.xml"; />
<property name="endpointName"
value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenServicePort_x509_x509"/>
<property name="properties">
<map>
<entry key="ws-security.sts.token.username"
value="3"/>
<entry key="ws-security.sts.token.password"
value="2Federate" />
<entry key="ws-security.sts.token.properties"
value="certs/clientcert.properties"/>
<entry key="ws-security.sts.token.usecert"
value="true"/>
</map>
</property>
</bean>
<jaxws:client name="{http://sample.pingidentity.com/}TemperatureConversionPort";
createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="certs/clientcert.properties" />
<entry key="ws-security.signature.username" value="4" />
<entry key="ws-security.callback-handler"
value="com.pingidentity.sample.client.ClientCallbackHandler"/>
</jaxws:properties>
</jaxws:client>
<!-- https://wsp.partner.com:8443/.* -->
<http:conduit name="*.http-conduit">
<http:tlsClientParameters disableCNCheck="true">
<sec:trustManagers>
<sec:keyStore type="JKS" password="changeit"
resource="/certs/clienttrust.jks"/>
</sec:trustManagers>
<sec:keyManagers keyPassword="2Federate">
<sec:keyStore type="pkcs12" password="2Federate"
resource="/certs/clientcert.p12"/>
</sec:keyManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with
export-suitable or null encryption is used,
but exclude anonymous Diffie-Hellman key change as
this is vulnerable to man-in-the-middle attacks -->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
</http:conduit>
</beans>
--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza
