Hi Colm,

Thanks for your response. You are right. When I used the Apache CXF STS, I used
SymmetricBinding and the WSP is using SymmetricBinding. Now I keep the WSP the
same, but try to use ADFS 2.0 as the STS, and the endpoint that I try to use is
using TransportBinding. What certificate requirement do I need to satisfy
in this case?
org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler is
throwing a null pointer exception.

at
org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doIssuedTokenSignature(TransportBindingHandler.java:429)
Following is the content of the STS policy.

  <wsp:Policy wsu:Id="UserNameWSTrustBinding_IWSTrust13Async2_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken>
                  <wsp:Policy />
                </sp:HttpsToken>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256 />
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict />
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp />
          </wsp:Policy>
        </sp:TransportBinding>
        <sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssUsernameToken10 />
              </wsp:Policy>
            </sp:UsernameToken>
          </wsp:Policy>
        </sp:SignedEncryptedSupportingTokens>
        <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
                              wsp:Optional="true">
              <wsp:Policy />
            </sp:KeyValueToken>
            <sp:SignedParts>
              <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
            </sp:SignedParts>
          </wsp:Policy>
        </sp:EndorsingSupportingTokens>
        <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier />
            <sp:MustSupportRefIssuerSerial />
            <sp:MustSupportRefThumbprint />
            <sp:MustSupportRefEncryptedKey />
          </wsp:Policy>
        </sp:Wss11>
        <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens />
            <sp:RequireClientEntropy />
            <sp:RequireServerEntropy />
          </wsp:Policy>
        </sp:Trust13>
        <wsaw:UsingAddressing />
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

Thanks.

Gina
On Fri, Jun 1, 2012 at 4:20 AM, Colm O hEigeartaigh <[email protected]> wrote:

> Hi Gina,
>
> If I recall correctly, the STS was using the SymmetricBinding. For this
> case, the client only needs to know the certificate of the STS (specified
> via "ws-security.encryption.username" in the STSClient bean). It doesn't
> need any signature username configuration, as this is not used in the
> Symmetric binding.
>
> I don't know what security policy your WSP is using and so I can't comment
> on the rest of it.
>
> Colm.
>
>
> On Thu, May 31, 2012 at 6:09 PM, Gina Choi <[email protected]> wrote:
>
>> Hi Colm,
>>
>> The client configuration file you provided worked as it is. Thank you.
>> But I don't have the client certificate in either the WSP or the STS
>> truststore. I also don't have the WSP certificate in the client truststore.
>> The following two entries are referenced in the client configuration file,
>> but they seem to get ignored. Otherwise, if requests from the client to the
>> WSP and STS are signed using clientkey, but without the client certificate
>> in the WSP and STS truststores, how do the WSP and STS verify the client
>> signature?
>>
>>
>> <entry key="ws-security.signature.username" value="myclientkey"/>
>> <entry key="ws-security.encryption.username" value="myservicekey"/>
>>
>>
>> Thanks.
>>
>> Gina
>> On Mon, May 28, 2012 at 6:11 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>
>>> The certificate you are using on the client side to encrypt the message
>>> to the STS does not match the private key of the STS:
>>>
>>> Client:
>>>
>>> >  keytool -list -keystore src/main/resources/clientstore.jks -alias mystskey -v
>>> Enter keystore password:
>>> Alias name: mystskey
>>> Creation date: 07-Oct-2011
>>> Entry type: trustedCertEntry
>>>
>>> Owner: [email protected], CN=Tom Token, O=Sample STS Key -- NOT FOR PRODUCTION USE, L=Baltimore, ST=Maryland, C=US
>>>
>>> STS:
>>>
>>> >  keytool -list -keystore src/main/resources/stsstore.jks -alias mystskey -v
>>> Enter keystore password:
>>> Alias name: mystskey
>>> Creation date: 10-Apr-2012
>>> Entry type: PrivateKeyEntry
>>> Certificate chain length: 1
>>> Certificate[1]:
>>> Owner: [email protected], CN=stscn, OU=SCT, O=SDL, L=wakefield,
>>> ST=massachusetts, C=US
>>>
>>> Also, your client configuration should look something like this instead:
>>>
>>> <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>>>               createdFromAPI="true">
>>>     <jaxws:properties>
>>>         <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
>>>         <entry key="ws-security.signature.username" value="myclientkey"/>
>>>         <entry key="ws-security.encryption.username" value="myservicekey"/>
>>>         <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
>>>         <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
>>>         <entry key="ws-security.sts.client">
>>>             <bean class="org.apache.cxf.ws.security.trust.STSClient">
>>>                 <constructor-arg ref="cxf"/>
>>>                 <property name="wsdlLocation" value="DoubleItSTSService.wsdl"/>
>>>                 <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSService"/>
>>>                 <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSPort"/>
>>>                 <property name="properties">
>>>                     <map>
>>>                         <entry key="ws-security.signature.username" value="myclientkey"/>
>>>                         <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
>>>                         <entry key="ws-security.username" value="alice"/>
>>>                         <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
>>>                         <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
>>>                         <entry key="ws-security.encryption.username" value="mystskey"/>
>>>                     </map>
>>>                 </property>
>>>             </bean>
>>>         </entry>
>>>     </jaxws:properties>
>>> </jaxws:client>
>>>
>>> Colm.
>>>
>>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
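The keystore mismatch Colm diagnosed from the two keytool listings (same alias "mystskey", different certificate on each side) and Gina's follow-up question (how can the STS or WSP verify a client signature if its truststore holds no client certificate) come down to the same check: is the certificate one party trusts, or encrypts to, under an alias the same certificate, and the matching public key, for the private key the other party holds? The program below is an added example written for this thread, not Apache CXF code. It uses only the standard java.security.KeyStore and Signature APIs. The store paths and aliases are taken from the configuration and keytool output quoted above, the "changeit" password and the assumption that the keys are RSA or EC are mine, and the alias "myclientkey" being present in stsstore.jks is exactly what the second check tests for rather than something the thread confirms.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/**
 * Added example: checks that the certificate one side trusts (or encrypts to)
 * under trustAlias is the certificate belonging to the private key the other
 * side holds under keyAlias. Paths, aliases and passwords are assumptions.
 */
public class KeyPairCheck {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** True only if the trusted certificate and the held private key are a pair. */
    static boolean certificateMatchesKey(KeyStore trustStore, String trustAlias,
                                         KeyStore keyStore, String keyAlias,
                                         char[] keyPassword) throws Exception {
        Certificate trusted = trustStore.getCertificate(trustAlias);
        if (trusted == null) {
            // This is Gina's situation: nothing to verify a signature against.
            System.out.println("no certificate under alias '" + trustAlias + "' in the trust store");
            return false;
        }
        if (!keyStore.isKeyEntry(keyAlias)) {
            System.out.println("'" + keyAlias + "' is not a PrivateKeyEntry in the key store");
            return false;
        }
        Certificate own = keyStore.getCertificate(keyAlias);
        Key key = keyStore.getKey(keyAlias, keyPassword);

        // 1. Compare DER encodings: catches "same alias, different certificate",
        //    which is what the two keytool listings in the thread show.
        if (!Arrays.equals(trusted.getEncoded(), own.getEncoded())) {
            describe("trusted", trusted);
            describe("held   ", own);
            return false;
        }
        // 2. Prove the private key really belongs to that certificate, regardless of
        //    what the alias claims: sign a fixed message, verify with the trusted cert.
        byte[] message = "keystore-consistency-check".getBytes(StandardCharsets.UTF_8);
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA"
                                                     : "SHA256with" + key.getAlgorithm();
        Signature signer = Signature.getInstance(alg);
        signer.initSign((PrivateKey) key);
        signer.update(message);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(trusted.getPublicKey());
        verifier.update(message);
        return verifier.verify(sig);
    }

    static void describe(String label, Certificate cert) {
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            System.out.println(label + ": " + x.getSubjectX500Principal()
                + " serial=" + x.getSerialNumber().toString(16));
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // assumed; use the real store passwords
        KeyStore client = load("src/main/resources/clientstore.jks", pw);
        KeyStore sts = load("src/main/resources/stsstore.jks", pw);

        // Check 1 (Colm's diagnosis): the cert the client encrypts to the STS with,
        // ws-security.encryption.username=mystskey, must be the STS's own key pair.
        System.out.println("client->STS encryption cert matches STS private key: "
            + certificateMatchesKey(client, "mystskey", sts, "mystskey", pw));

        // Check 2 (Gina's question): for the STS to verify a message signed with
        // ws-security.signature.username=myclientkey, its store must hold that cert.
        System.out.println("STS can verify client signing key: "
            + certificateMatchesKey(sts, "myclientkey", client, "myclientkey", pw));
    }
}
```

Run it against the WSP store in the same way (swap stsstore.jks for the WSP's store in check 2) to answer the WSP half of the question. A false result with two different subject lines printed is the mismatch from the keytool output above; a "no certificate under alias" line means the receiving side has no trust anchor for that signer at all, so a signed request from that key cannot be verified no matter what the client configuration says.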
