I'm not sure if your STSClient bean is getting picked up. Could you
try configuring it instead like:
<jaxws:client name="{http://sample.pingidentity.com/}TemperatureConversionPort";
createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.sts.client">
<bean class="org.apache.cxf.ws.security.trust.STSClient">
....
Colm.
On Mon, Mar 12, 2012 at 4:32 PM, David Waite <[email protected]> wrote:
> Hello all,
>
> I am attempting to use the STS client functionality of CXF 2.5.2, and have
> run into some problems (most recently a NPE in
> AbstractBindingBuilder.getSecurityToken() ). I think this is due to the
> WS-Policy I have created so far not stating the security token requirements
> properly, as it does not appear I am getting to the point where WS-Trust
> traffic is being sent to my STS for the Issue.
>
> My goal is to have an RST Issue between a CXF-based client and a PingFederate
> server which takes an X.509 token and gives a SAML token, and a Validate
> between a CXF-based service and PingFederate to confirm the message once sent
> by the client. I'm rather unsure how to do the Validate as well once I do get
> the Issue working properly.
>
> TemperatureConversion.wsdl:
>
> <?xml version='1.0' encoding='UTF-8'?>
> <wsdl:definitions name="TemperatureConversion"
> targetNamespace="http://sample.pingidentity.com/";
> xmlns:ns1="http://schemas.xmlsoap.org/soap/http";
> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/";
> xmlns:tns="http://sample.pingidentity.com/";
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
> xmlns:wsp="http://www.w3.org/ns/ws-policy";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata";
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
> xmlns:xsd="http://www.w3.org/2001/XMLSchema";
> xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512";
> xmlns:wsaw="http://www.w3.org/2005/08/addressing";>
> <wsdl:types>...</wsdl:types>
> <wsdl:message name="convertTemperatureResponse">
> <wsdl:part element="tns:convertTemperatureResponse" name="parameters">
> </wsdl:part>
> </wsdl:message>
> <wsdl:message name="convertTemperature">
> <wsdl:part element="tns:convertTemperature" name="parameters">
> </wsdl:part>
> </wsdl:message>
> <wsdl:portType name="TemperatureConversion">
> <wsdl:operation name="convertTemperature">
> <wsdl:input message="tns:convertTemperature" name="convertTemperature">
> </wsdl:input>
> <wsdl:output message="tns:convertTemperatureResponse"
> name="convertTemperatureResponse">
> </wsdl:output>
> </wsdl:operation>
> </wsdl:portType>
> <wsdl:binding name="TemperatureConversionSoapBinding"
> type="tns:TemperatureConversion">
> <wsp:PolicyReference URI="#AsymmetricSAML2Policy"/>
> <soap:binding style="document"
> transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="convertTemperature">
> <soap:operation soapAction="" style="document"/>
> <wsdl:input name="convertTemperature">
> <soap:body use="literal"/>
> <wsp:PolicyReference URI="#Input_Policy"/>
> </wsdl:input>
> <wsdl:output name="convertTemperatureResponse">
> <soap:body use="literal"/>
> <wsp:PolicyReference URI="#Output_Policy"/>
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
> <wsdl:service name="TemperatureConversion">
> <wsdl:port binding="tns:TemperatureConversionSoapBinding"
> name="TemperatureConversionPort">
> <soap:address
> location="https://wsp.partner.com:8443/temperature-service/services/TemperatureConversion"/>
> </wsdl:port>
> </wsdl:service>
> <wsp:Policy wsu:Id="AsymmetricSAML2Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <wsam:Addressing wsp:Optional="false">
> <wsp:Policy/>
> </wsam:Addressing>
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
>
> <sp:IssuedToken
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
>
> <sp:RequestSecurityTokenTemplate>
>
> <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
>
> <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
>
> </sp:RequestSecurityTokenTemplate>
>
> <wsp:Policy>
>
> <sp:RequireInternalReference/>
>
> </wsp:Policy>
> <!--
> <sp:Issuer>
>
> <wsaw:Address>https://sts.customer.com:9031/idp/sts.wst</wsaw:Address>
>
> </sp:Issuer>
> -->
> </sp:IssuedToken>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never";>
>
> <wsp:Policy>
>
> <sp:WssX509V3Token10/>
>
> <sp:RequireIssuerSerialReference/>
>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
>
> <sp:OnlySignEntireHeadersAndBody/>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss11>
> <wsp:Policy>
>
> <sp:MustSupportRefIssuerSerial/>
> <sp:MustSupportRefThumbprint/>
>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust13>
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust13>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="Input_Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SignedParts>
> <sp:Body/>
> <sp:Header Name="To"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="From"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="FaultTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="ReplyTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="MessageID"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="RelatesTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="Action"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="AckRequested"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header
> Name="SequenceAcknowledgement"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="Sequence"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="CreateSequence"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="Output_Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SignedParts>
> <sp:Body/>
> <sp:Header Name="To"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="From"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="FaultTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="ReplyTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="MessageID"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="RelatesTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="Action"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="AckRequested"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header
> Name="SequenceAcknowledgement"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="Sequence"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="CreateSequence"
> Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> </wsdl:definitions>
>
> mex.xml:
> <wsdl:definitions
> xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"xmlns:tns="http://schemas.pingidentity.com/ws/securitytokenservice";
>
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsa10="http://www.w3.org/2005/08/addressing";
>
> xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl";
>
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
> name="SecurityTokenService"targetNamespace="http://schemas.pingidentity.com/ws/securitytokenservice";>
> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"; wsu:Id="x509">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:TransportBinding
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <wsp:Policy>
> <sp:TransportToken>
> <wsp:Policy>
> <sp:HttpsToken/>
> </wsp:Policy>
> </sp:TransportToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> </wsp:Policy>
> </sp:TransportBinding>
> <sp:EndorsingSupportingTokens
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <wsp:Policy>
> <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> <sp:KeyValueToken
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"wsp:Optional="true"/>
> <sp:SignedParts>
> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> </sp:SignedParts>
> </wsp:Policy>
> </sp:EndorsingSupportingTokens>
> <sp:Wss11
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust13
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust13>
> <wsaw:UsingAddressing/>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsdl:types>
> <xs:schema xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/";
> xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata";
>
> xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
> xmlns:wsp="http://www.w3.org/ns/ws-policy";
> xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";
> xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"xmlns:xs="http://www.w3.org/2001/XMLSchema";
> elementFormDefault="qualified"
> targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512";>
> <xs:element name="RequestSecurityToken"
> type="wst:AbstractRequestSecurityTokenType"/>
> <xs:element name="RequestSecurityTokenResponse"
> type="wst:AbstractRequestSecurityTokenType"/>
> <xs:complexType name="AbstractRequestSecurityTokenType">
> <xs:sequence>
> <xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any"
> processContents="lax"/>
> </xs:sequence>
> <xs:attribute name="Context" type="xs:anyURI" use="optional"/>
> <xs:anyAttribute namespace="##other" processContents="lax"/>
> </xs:complexType>
> <xs:element name="RequestSecurityTokenCollection"
> type="wst:RequestSecurityTokenCollectionType"/>
> <xs:complexType name="RequestSecurityTokenCollectionType">
> <xs:sequence>
> <xs:element maxOccurs="unbounded" minOccurs="2"
> name="RequestSecurityToken"type="wst:AbstractRequestSecurityTokenType"/>
> </xs:sequence>
> </xs:complexType>
> <xs:element name="RequestSecurityTokenResponseCollection"
> type="wst:RequestSecurityTokenResponseCollectionType"/>
> <xs:complexType name="RequestSecurityTokenResponseCollectionType">
> <xs:sequence>
> <xs:element maxOccurs="unbounded" minOccurs="1"
> ref="wst:RequestSecurityTokenResponse"/>
> </xs:sequence>
> <xs:anyAttribute namespace="##other" processContents="lax"/>
> </xs:complexType>
> </xs:schema>
> </wsdl:types>
> <wsdl:message name="InputMessage">
> <wsdl:part name="request" element="trust:RequestSecurityToken"/>
> </wsdl:message>
> <wsdl:message name="OutputMessage">
> <wsdl:part name="response"
> element="trust:RequestSecurityTokenResponseCollection"/>
> </wsdl:message>
> <wsdl:portType name="WsTrust13">
> <wsdl:operation name="WsTrust13Issue">
> <wsdl:input
> wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue";
> message="tns:InputMessage"/>
> <wsdl:output
> wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal";
> message="tns:OutputMessage"/>
> </wsdl:operation>
> </wsdl:portType>
> <wsdl:binding name="SecurityTokenServiceBinding_x509" type="tns:WsTrust13">
> <wsp:PolicyReference URI="#x509"/>
> <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="WsTrust13Issue">
> <soap12:operation
> soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue";
> style="document"/>
> <wsdl:input>
> <soap12:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <soap12:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
> <wsdl:service name="SecurityTokenService">
> <wsdl:port name="SecurityTokenServicePort_x509_x509"
> binding="tns:SecurityTokenServiceBinding_x509">
> <soap12:address
> location="https://localhost:9031/idp/sts.wst?TokenProcessorId=x509"/>
> <wsa10:EndpointReference>
> <wsa10:Address>
> https://localhost:9031/idp/sts.wst?TokenProcessorId=x509
> </wsa10:Address>
> </wsa10:EndpointReference>
> </wsdl:port>
> </wsdl:service>
> </wsdl:definitions>
>
> Client beans.xml:
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans";
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xmlns:http="http://cxf.apache.org/transports/http/configuration";
> xmlns:jaxws="http://cxf.apache.org/jaxws";
> xmlns:cxf="http://cxf.apache.org/core";
> xmlns:p="http://cxf.apache.org/policy";
> xmlns:sec="http://cxf.apache.org/configuration/security";
> xsi:schemaLocation="
> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
> http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
> http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
> http://cxf.apache.org/configuration/security
> http://cxf.apache.org/schemas/configuration/security.xsd
> http://cxf.apache.org/transports/http/configuration
> http://cxf.apache.org/schemas/configuration/http-conf.xsd
> http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans.xsd";>
>
> <cxf:bus>
> <cxf:features>
> <cxf:logging/>
> <p:policies />
> </cxf:features>
> </cxf:bus>
> <bean
> name="{http://sample.pingidentity.com/}TemperatureConversionPort.sts-client";
> class="org.apache.cxf.ws.security.trust.STSClient">
> <constructor-arg ref="cxf"/>
> <property name="serviceName"
> value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenService";
> />
> <property name="wsdlLocation" value="http://localhost/mex.xml"; />
> <property name="endpointName"
>
> value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenServicePort_x509_x509"/>
> <property name="properties">
> <map>
> <entry key="ws-security.sts.token.username"
> value="3"/>
> <entry key="ws-security.sts.token.password"
> value="2Federate" />
> <entry key="ws-security.sts.token.properties"
> value="certs/clientcert.properties"/>
> <entry key="ws-security.sts.token.usecert"
> value="true"/>
> </map>
> </property>
> </bean>
>
> <jaxws:client
> name="{http://sample.pingidentity.com/}TemperatureConversionPort";
> createdFromAPI="true">
> <jaxws:properties>
> <entry key="ws-security.signature.properties"
> value="certs/clientcert.properties" />
> <entry key="ws-security.signature.username" value="4" />
> <entry key="ws-security.callback-handler"
>
> value="com.pingidentity.sample.client.ClientCallbackHandler"/>
> </jaxws:properties>
> </jaxws:client>
> <!-- https://wsp.partner.com:8443/.* -->
> <http:conduit name="*.http-conduit">
> <http:tlsClientParameters disableCNCheck="true">
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="changeit"
> resource="/certs/clienttrust.jks"/>
> </sec:trustManagers>
> <sec:keyManagers keyPassword="2Federate">
> <sec:keyStore type="pkcs12" password="2Federate"
> resource="/certs/clientcert.p12"/>
> </sec:keyManagers>
> <sec:cipherSuitesFilter>
> <!-- these filters ensure that a ciphersuite with
> export-suitable or null encryption is used,
> but exclude anonymous Diffie-Hellman key change as
> this is vulnerable to man-in-the-middle attacks -->
> <sec:include>.*_EXPORT_.*</sec:include>
> <sec:include>.*_EXPORT1024_.*</sec:include>
> <sec:include>.*_WITH_DES_.*</sec:include>
> <sec:include>.*_WITH_AES_.*</sec:include>
> <sec:include>.*_WITH_NULL_.*</sec:include>
> <sec:exclude>.*_DH_anon_.*</sec:exclude>
> </sec:cipherSuitesFilter>
> </http:tlsClientParameters>
> </http:conduit>
> </beans>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
