I think you just need to use SSL between the WSC and STS (the latter of which should already have an "https://" endpoint, right?) -- my SSL blog tutorial has some guidance on that. IIRC, transport layer encryption is not enforceable by the web service framework itself (as opposed to message-layer, which is), but by the web.xml for the servlet running the STS.

Glen

On 06/01/2012 11:57 AM, Gina Choi wrote:
Hi Colm,

Thanks for your response. You are right. When I used the Apache CXF STS, I used
SymmetricBinding and the WSP was using SymmetricBinding. Now I keep the WSP the
same, but try to use ADFS 2.0 as the STS, and the endpoint that I try to use is
using TransportBinding. What certificate requirement do I need to satisfy
in this case?
org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler is
throwing a NullPointerException:

at org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doIssuedTokenSignature(TransportBindingHandler.java:429)

Following is the content of the STS policy.

   <wsp:Policy wsu:Id="UserNameWSTrustBinding_IWSTrust13Async2_policy">
     <wsp:ExactlyOne>
       <wsp:All>
         <!-- Transport binding: confidentiality and integrity come from the HTTPS channel, not from message-layer security -->
         <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
           <wsp:Policy>
             <sp:TransportToken>
               <wsp:Policy>
                 <sp:HttpsToken>
                   <wsp:Policy />
                 </sp:HttpsToken>
               </wsp:Policy>
             </sp:TransportToken>
             <sp:AlgorithmSuite>
               <wsp:Policy>
                 <sp:Basic256 />
               </wsp:Policy>
             </sp:AlgorithmSuite>
             <sp:Layout>
               <wsp:Policy>
                 <sp:Strict />
               </wsp:Policy>
             </sp:Layout>
             <sp:IncludeTimestamp />
           </wsp:Policy>
         </sp:TransportBinding>
         <!-- UsernameToken carried inside the TLS channel (always sent to the recipient) -->
         <sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
           <wsp:Policy>
             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
               <wsp:Policy>
                 <sp:WssUsernameToken10 />
               </wsp:Policy>
             </sp:UsernameToken>
           </wsp:Policy>
         </sp:SignedEncryptedSupportingTokens>
         <!-- Optional endorsing token; the WS-Addressing To header is what gets signed -->
         <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
           <wsp:Policy>
             <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
                               wsp:Optional="true">
               <wsp:Policy />
             </sp:KeyValueToken>
             <sp:SignedParts>
               <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
             </sp:SignedParts>
           </wsp:Policy>
         </sp:EndorsingSupportingTokens>
         <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
           <wsp:Policy>
             <sp:MustSupportRefKeyIdentifier />
             <sp:MustSupportRefIssuerSerial />
             <sp:MustSupportRefThumbprint />
             <sp:MustSupportRefEncryptedKey />
           </wsp:Policy>
         </sp:Wss11>
         <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
           <wsp:Policy>
             <sp:MustSupportIssuedTokens />
             <sp:RequireClientEntropy />
             <sp:RequireServerEntropy />
           </wsp:Policy>
         </sp:Trust13>
         <wsaw:UsingAddressing />
       </wsp:All>
     </wsp:ExactlyOne>
   </wsp:Policy>

Thanks.

Gina
On Fri, Jun 1, 2012 at 4:20 AM, Colm O hEigeartaigh <[email protected]> wrote:

Hi Gina,

If I recall correctly, the STS was using the SymmetricBinding. For this
case, the client only needs to know the certificate of the STS (specified
via "ws-security.encryption.username" in the STSClient bean). It doesn't
need any signature username configuration, as this is not used in the
Symmetric binding.

I don't know what security policy your WSP is using and so I can't comment
on the rest of it.

Colm.


On Thu, May 31, 2012 at 6:09 PM, Gina Choi <[email protected]> wrote:

Hi Colm,

The client configuration file you provided worked as it is. Thank you.
But I don't have the client certificate in either the WSP or the STS truststore. I also
don't have the WSP certificate in the client truststore. The following two
entries are referenced in the client configuration file, but they seem to get
ignored. Otherwise, if the requests from the client to the WSP and STS are signed using the
client key, but the client certificate is not in either the WSP or the STS
truststore, how do the WSP and STS verify the client signature?


<entry key="ws-security.signature.username" value="myclientkey"/>
<entry key="ws-security.encryption.username" value="myservicekey"/>


Thanks.

Gina
On Mon, May 28, 2012 at 6:11 AM, Colm O hEigeartaigh <[email protected]> wrote:
The certificate you are using on the client side to encrypt the message to
the STS does not match the private key of the STS:

Client:

  keytool -list -keystore src/main/resources/clientstore.jks -alias mystskey -v
Enter keystore password:
Alias name: mystskey
Creation date: 07-Oct-2011
Entry type: trustedCertEntry

Owner: [email protected], CN=Tom Token, O=Sample STS Key -- NOT FOR PRODUCTION USE, L=Baltimore, ST=Maryland, C=US

STS:

  keytool -list -keystore src/main/resources/stsstore.jks -alias mystskey -v
Enter keystore password:
Alias name: mystskey
Creation date: 10-Apr-2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: [email protected], CN=stscn, OU=SCT, O=SDL, L=wakefield, ST=massachusetts, C=US

Also, your client configuration should look something like this instead:

<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
              createdFromAPI="true">
    <jaxws:properties>
        <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
        <entry key="ws-security.signature.username" value="myclientkey"/>
        <entry key="ws-security.encryption.username" value="myservicekey"/>
        <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
        <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
        <entry key="ws-security.sts.client">
            <bean class="org.apache.cxf.ws.security.trust.STSClient">
                <constructor-arg ref="cxf"/>
                <property name="wsdlLocation" value="DoubleItSTSService.wsdl"/>
                <property name="serviceName"
                          value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSService"/>
                <property name="endpointName"
                          value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}DoubleItSTSPort"/>
                <property name="properties">
                    <map>
                        <entry key="ws-security.signature.username" value="myclientkey"/>
                        <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
                        <entry key="ws-security.username" value="alice"/>
                        <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
                        <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
                        <!-- alias of the STS certificate in the client truststore; the client encrypts to this key -->
                        <entry key="ws-security.encryption.username" value="mystskey"/>
                    </map>
                </property>
            </bean>
        </entry>
    </jaxws:properties>
</jaxws:client>

Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com




--
Glen Mazza
Talend Community Coders
coders.talend.com
blog: www.jroller.com/gmazza
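A programmatic version of the check Colm does with keytool further up this thread: load the client truststore and the STS keystore, and confirm that the certificate the client will encrypt to (the trustedCertEntry under the alias named by ws-security.encryption.username) is byte-for-byte the certificate sitting in front of the STS private key. Comparing the DER encoding rather than the subject DN catches the case where a store was regenerated with the same name but a new key. This is an added example, not code from CXF, Talend or anyone on this thread; the store paths, alias and passwords are command-line arguments, and the defaults in the usage line below are assumptions mirroring the keytool commands quoted above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/*
 * StsCertCheck: does the certificate the WS-Trust client encrypts to match the
 * certificate of the STS's own private key?  If not, the STS cannot decrypt the
 * RequestSecurityToken the client sends.
 *
 * Added example, not CXF/Talend code.  Paths, passwords and alias come from argv.
 */
public class StsCertCheck {

    /** Loads a JKS keystore from disk (the format of clientstore.jks / stsstore.jks). */
    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Colon-separated SHA-256 fingerprint of the DER encoding, as keytool -v prints it. */
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    /**
     * True only when the client's trusted certificate and the certificate of the STS
     * key entry have identical DER encodings.  A matching subject DN is not enough:
     * two different key pairs can carry the same DN, so the whole certificate is compared.
     */
    static boolean encryptionCertMatchesStsKey(KeyStore clientStore, String clientAlias,
                                               KeyStore stsStore, String stsAlias) throws Exception {
        Certificate clientView = clientStore.getCertificate(clientAlias);
        Certificate stsView = stsStore.getCertificate(stsAlias);  // first cert of the key's chain
        if (clientView == null || stsView == null) return false;  // alias missing on one side
        if (!stsStore.isKeyEntry(stsAlias)) return false;         // STS needs the private key, not just a cert
        return Arrays.equals(clientView.getEncoded(), stsView.getEncoded());
    }

    /** Prints subject DN and fingerprint so a mismatch is visible, not just a boolean. */
    static void describe(String label, Certificate cert) throws Exception {
        if (cert == null) {
            System.out.println(label + ": alias not found");
            return;
        }
        X509Certificate x = (X509Certificate) cert;
        System.out.println(label + ": " + x.getSubjectX500Principal().getName());
        System.out.println("  SHA-256: " + sha256Fingerprint(x));
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 5) {
            System.err.println("usage: StsCertCheck <clientstore.jks> <client-pw> <stsstore.jks> <sts-pw> <alias>");
            System.exit(2);
        }
        KeyStore clientStore = load(args[0], args[1].toCharArray());
        KeyStore stsStore = load(args[2], args[3].toCharArray());
        String alias = args[4];  // e.g. mystskey, the ws-security.encryption.username in the STSClient bean

        describe("client truststore [" + alias + "]", clientStore.getCertificate(alias));
        describe("STS keystore     [" + alias + "]", stsStore.getCertificate(alias));

        boolean ok = encryptionCertMatchesStsKey(clientStore, alias, stsStore, alias);
        System.out.println(ok ? "MATCH: the client encrypts to the STS's own key"
                              : "MISMATCH: the STS cannot decrypt what this client sends");
        System.exit(ok ? 0 : 1);
    }
}
```

Compile with javac and run it as `java StsCertCheck src/main/resources/clientstore.jks <client-pw> src/main/resources/stsstore.jks <sts-pw> mystskey`. Against the two stores Colm listed above it prints the "Tom Token" subject for the client side and the "stscn" subject for the STS side and exits 1; a fixed pair of stores, where the STS certificate has been imported into the client truststore under mystskey, exits 0. The same function can be pointed at the WSP keystore and the myservicekey alias to check the service-side encryption certificate.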
