To make it clear, here is what I have so far.

1. WSP: SymmetricBinding, ProtectionToken is IssuedToken
2. STS: endpoint:

https://strts01.ams.dev/adfs/services/trust/13/usernamemixed

The following policy is used.

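 <!--
   Policy advertised by the ADFS STS endpoint (.../adfs/services/trust/13/usernamemixed),
   pasted from its WSDL. The wsp/wsu/wsaw prefixes are declared on the enclosing WSDL,
   not in this excerpt. The paste carried two archive artifacts that made it
   non-well-formed: a stray ";" after every URL-valued attribute, and attribute values
   wrapped across lines (which would put whitespace inside the IncludeToken URIs).
   Both are repaired here; the policy content itself is unchanged.
 -->
 <wsp:Policy wsu:Id="UserNameWSTrustBinding_IWSTrust13Async2_policy">
   <wsp:ExactlyOne>
     <wsp:All>
       <!-- TransportBinding: integrity and confidentiality come from the HTTPS
            transport, not from message-level XML signature/encryption. -->
       <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
         <wsp:Policy>
           <sp:TransportToken>
             <wsp:Policy>
               <!-- HTTPS is mandatory, so the CXF client's http:conduit needs a
                    trust store that accepts the certificate the STS presents during
                    the TLS handshake. NOTE(review): the conduit examples in this
                    thread set disableCNCheck="true", which switches off hostname
                    verification of that certificate; keep that for test setups only. -->
               <sp:HttpsToken>
                 <wsp:Policy />
               </sp:HttpsToken>
             </wsp:Policy>
           </sp:TransportToken>
           <sp:AlgorithmSuite>
             <wsp:Policy>
               <sp:Basic256 />
             </wsp:Policy>
           </sp:AlgorithmSuite>
           <sp:Layout>
             <wsp:Policy>
               <sp:Strict />
             </wsp:Policy>
           </sp:Layout>
           <!-- A wsu:Timestamp must be present in the security header. -->
           <sp:IncludeTimestamp />
         </wsp:Policy>
       </sp:TransportBinding>
       <!-- UsernameToken sent on every request (AlwaysToRecipient). Under a
            TransportBinding, "signed/encrypted" means the token is protected by the
            TLS channel. The CXF client builds it from ws-security.username and the
            ws-security.callback-handler configured on the STSClient. -->
       <sp:SignedEncryptedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
         <wsp:Policy>
           <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
             <wsp:Policy>
               <sp:WssUsernameToken10 />
             </wsp:Policy>
           </sp:UsernameToken>
         </wsp:Policy>
       </sp:SignedEncryptedSupportingTokens>
       <!-- KeyValueToken is wsp:Optional="true" and, per the earlier reply in this
            thread, not supported by CXF. It is the only endorsing token in this
            policy, and the reported NullPointerException is raised under
            TransportBindingHandler.handleEndorsingSupportingTokens, so removing this
            element entirely (instead of adding the empty nested wsp:Policy) is the
            first thing to try. -->
       <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
         <wsp:Policy>
           <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"
                             wsp:Optional="true">
             <wsp:Policy />
           </sp:KeyValueToken>
           <!-- The WS-Addressing To header must be covered by the endorsing signature. -->
           <sp:SignedParts>
             <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
           </sp:SignedParts>
         </wsp:Policy>
       </sp:EndorsingSupportingTokens>
       <!-- WS-Security 1.1 security-token reference types the STS supports. -->
       <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
         <wsp:Policy>
           <sp:MustSupportRefKeyIdentifier />
           <sp:MustSupportRefIssuerSerial />
           <sp:MustSupportRefThumbprint />
           <sp:MustSupportRefEncryptedKey />
         </wsp:Policy>
       </sp:Wss11>
       <!-- WS-Trust 1.3: issued tokens are supported and both client and server
            entropy are required (both sides contribute to the proof key). -->
       <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
         <wsp:Policy>
           <sp:MustSupportIssuedTokens />
           <sp:RequireClientEntropy />
           <sp:RequireServerEntropy />
         </wsp:Policy>
       </sp:Trust13>
       <!-- WS-Addressing headers are in use on this endpoint. -->
       <wsaw:UsingAddressing />
     </wsp:All>
   </wsp:ExactlyOne>
 </wsp:Policy>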

3. WSC
The following is the client configuration.
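   <!--
     jaxws:client for the DoubleIt port. The archive paste wrapped the QName-valued
     attributes across lines (which would inject whitespace into the names) and
     appended ";" after the client name; both are repaired here, values unchanged.
   -->
   <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
                 createdFromAPI="true">
     <jaxws:properties>
       <!-- STSClient that obtains the IssuedToken required by the service's
            SymmetricBinding, using the STS endpoint and policy shown above. -->
       <entry key="ws-security.sts.client">
         <bean class="org.apache.cxf.ws.security.trust.STSClient">
           <constructor-arg ref="cxf"/>
           <!-- WSDL from which the STS service and the
                UserNameWSTrustBinding_IWSTrust13Async2 endpoint are resolved. -->
           <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
           <property name="serviceName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService"/>
           <property name="endpointName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}UserNameWSTrustBinding_IWSTrust13Async2"/>
           <property name="properties">
             <map>
               <!-- Username for the UsernameToken sent to the STS; the callback
                    handler class presumably supplies the password, so no secret is
                    stored in this file. -->
               <entry key="ws-security.username" value="gchoi"/>
               <entry key="ws-security.callback-handler" value="client.ClientCallbackHandler"/>
               <!-- Keystore properties and the alias used for encryption towards
                    the STS. NOTE(review): which of the three ADFS certificates the
                    "mystskey" alias should hold is the open question in this thread;
                    confirm before relying on it. -->
               <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
               <entry key="ws-security.encryption.username" value="mystskey"/>
             </map>
           </property>
         </bean>
       </entry>
     </jaxws:properties>
   </jaxws:client>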
</beans>

I am getting the following exception when I execute the client.

WARNING: Interceptor for {
http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService#{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}Trust13IssueAsynchas
thrown exception, unwinding now
org.apache.cxf.interceptor.Fault
        at
org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:153)
        at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:159)
        at
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:89)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
        at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:722)
        at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:602)
        at
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:594)
        at
org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.getTokenFromSTS(IssuedTokenInterceptorProvider.java:404)
        at
org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:188)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:532)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:464)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:367)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:320)
        at
org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:89)
        at
org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:134)
        at $Proxy25.doubleIt(Unknown Source)
        at client.WSClient.doubleIt(WSClient.java:18)
        at client.WSClient.main(WSClient.java:11)
Caused by: java.lang.NullPointerException
        at
org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.doIssuedTokenSignature(TransportBindingHandler.java:429)
        at
org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.java:283)
        at
org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleEndorsingSupportingTokens(TransportBindingHandler.java:240)
        at
org.apache.cxf.ws.security.wss4j.policyhandlers.TransportBindingHandler.handleBinding(TransportBindingHandler.java:147)
        ... 22 more
Jun 1, 2012 1:12:51 PM org.apache.cxf.phase.PhaseInterceptorChain
doDefaultLogging


On Fri, Jun 1, 2012 at 1:06 PM, Gina Choi <[email protected]> wrote:

> Hi Colm,
>
> <<<
> The client needs to configure the HTTP conduit with the keystore that
> contains the certificate of the STS, e.g.:
> >>>
> Forgot to ask you. ADFS exposes three different certificates - Service
> communications, Token-decrypting and Token-signing, but most of the time I
> have had to deal with the decrypting and signing certificates. Which of the STS
> certificates do I need to have in the client keystore?
>
> On Fri, Jun 1, 2012 at 12:52 PM, Gina Choi <[email protected]> wrote:
>
>> <<<
>> The following policy (KeyValueToken) is not supported, but you could
>> remove it as it is optional and see if that works:
>> >>>
>> Per Oliver's advice, after I added an empty <wsp:Policy /> element as a
>> child of <sp:KeyValueToken>, I no longer get that complaint.
>>
>> <<<
>> The client needs to configure the HTTP conduit with the keystore that
>> contains the certificate of the STS, e.g.:
>>  <http:conduit name="https://localhost:.*";>
>>       <http:tlsClientParameters disableCNCheck="true">
>>         <sec:trustManagers>
>>           <sec:keyStore type="jks" password="cspass"
>> resource="clientstore.jks"/>
>>         </sec:trustManagers>
>>       </http:tlsClientParameters>
>>    </http:conduit>
>> >>>
>> After adding the following to my client configuration, I am now getting a new
>> exception. By the way, with ADFS, I have to use https.
>>
>>  <http:conduit name="https://strts01.ams.dev.*";>
>>
>>   <http:tlsClientParameters disableCNCheck="true">
>>    <sec:trustManagers>
>>     <sec:keyStore type="jks" password="cspass"
>> resource="clientstore.jks"/>
>>    </sec:trustManagers>
>>   </http:tlsClientParameters>
>>    </http:conduit>
>>
>>
>> Jun 1, 2012 12:47:33 PM org.apache.cxf.bus.spring.SpringBusFactory
>> createApplicationContext
>> WARNING: Initial attempt to create application context was unsuccessful.
>> org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException:
>> Line 57 in XML document from class path resource [cxf.xml] is invalid;
>> nested exception is org.xml.sax.SAXParseException: The prefix "http" for
>> element "http:conduit" is not bo
>> .
>>         at
>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.doLoadBeanDefinitions(XmlBeanDefinitionReader.java:396)
>>         at
>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.doLoadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:115)
>>         at
>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:334)
>>         at
>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.internalLoadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:154)
>>         at
>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.access$000(ControlledValidationXmlBeanDefinitionReader.java:66)
>>         at
>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader$1.run(ControlledValidationXmlBeanDefinitionReader.java:141)
>>         at
>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader$1.run(ControlledValidationXmlBeanDefinitionReader.java:140)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at
>> org.apache.cxf.bus.spring.ControlledValidationXmlBeanDefinitionReader.loadBeanDefinitions(ControlledValidationXmlBeanDefinitionReader.java:139)
>>         at
>> org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions(XmlBeanDefinitionReader.java:302)
>>         at
>> org.springframework.beans.factory.support.AbstractBeanDefinitionReader.loadBeanDefinitions(AbstractBeanDefinitionReader.java:143)
>>         at
>> org.springframework.context.support.AbstractXmlApplicationContext.loadBeanDefinitions(AbstractXmlApplicationContext.java:122)
>>         at
>> org.apache.cxf.bus.spring.BusApplicationContext.loadBeanDefinitions(BusApplicationContext.java:309)
>>         at
>> org.springframework.context.support.AbstractRefreshableApplicationContext.refreshBeanFactory(AbstractRefreshableApplicationContext.java:130)
>>         at
>> org.springframework.context.support.AbstractApplicationContext.obtainFreshBeanFactory(AbstractApplicationContext.java:467)
>>         at
>> org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:397)
>>         at
>> org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:101)
>>         at
>> org.apache.cxf.bus.spring.BusApplicationContext$1.run(BusApplicationContext.java:100)
>>         at java.security.AccessController.doPrivileged(Native Method)
>>         at
>> org.apache.cxf.bus.spring.BusApplicationContext.<init>(BusApplicationContext.java:99)
>>         at
>> org.apache.cxf.bus.spring.SpringBusFactory.createApplicationContext(SpringBusFactory.java:130)
>>         at
>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:121)
>>         at
>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:95)
>>         at
>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:69)
>>         at
>> org.apache.cxf.bus.spring.SpringBusFactory.createBus(SpringBusFactory.java:58)
>>         at org.apache.cxf.BusFactory.getDefaultBus(BusFactory.java:99)
>>         at org.apache.cxf.BusFactory.createThreadBus(BusFactory.java:165)
>>         at
>> org.apache.cxf.BusFactory.getThreadDefaultBus(BusFactory.java:155)
>>         at
>> org.apache.cxf.BusFactory.getThreadDefaultBus(BusFactory.java:140)
>>         at
>> org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:96)
>>         at javax.xml.ws.Service.<init>(Service.java:92)
>>         at
>> org.example.contract.doubleit.DoubleItService.<init>(DoubleItService.java:47)
>>         at client.WSClient.main(WSClient.java:8)
>>
>>
>> On Fri, Jun 1, 2012 at 12:13 PM, Colm O hEigeartaigh <[email protected]
>> > wrote:
>>
>>>
>>> The client needs to configure the HTTP conduit with the keystore that
>>> contains the certificate of the STS, e.g.:
>>>
>>>  <http:conduit name="https://localhost:.*";>
>>>       <http:tlsClientParameters disableCNCheck="true">
>>>         <sec:trustManagers>
>>>           <sec:keyStore type="jks" password="cspass"
>>> resource="clientstore.jks"/>
>>>         </sec:trustManagers>
>>>       </http:tlsClientParameters>
>>>    </http:conduit>
>>>
>>> What NPE are you getting? The following policy (KeyValueToken) is not
>>> supported, but you could remove it as it is optional and see if that works:
>>>
>>>
>>> <sp:EndorsingSupportingTokens xmlns:sp="
>>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>>> <wsp:Policy>
>>>             <sp:KeyValueToken sp:IncludeToken="
>>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never
>>> "
>>>             wsp:Optional="true">
>>>               <wsp:Policy />
>>>             </sp:KeyValueToken>
>>>             <sp:SignedParts>
>>>               <sp:Header Name="To"
>>>               Namespace="http://www.w3.org/2005/08/addressing"; />
>>>             </sp:SignedParts>
>>>           </wsp:Policy>
>>>         </sp:
>>> EndorsingSupportingTokens>
>>>
>>> Colm.
>>>
>>
>
