Hi Colm,

I did some debugging work on both the WSP and STS sides.

1. WSP Side
I did some debugging with "EncryptionProperties" commented out and uncommented
on the STS side, but I don't see any difference.

2. STS Side.

I found that the settings for "encryptionAlgorithm" and "keyWrapAlgorithm"
don't affect the runtime values of "encryptionAlgorithm" and
"keyWrapAlgorithm". So somehow the properties of the "encProperties" bean
don't get set.

When I comment out "encryptionProperties" in the "encryptedUtSTSProperties"
bean, I have the following values at runtime. That's why it always works
when "encryptionProperties" is commented out.

encryptionAlgorithm: http://www.w3.org/2001/04/xmlenc#aes256-cbc
keyWrapAlgorithm: http://www.w3.org/2001/04/xmlenc#rsa-1_5
acceptedEncryptionAlgorithms: [
http://www.w3.org/2001/04/xmlenc#tripledes-cbc,
http://www.w3.org/2001/04/xmlenc#aes128-cbc,
http://www.w3.org/2001/04/xmlenc#aes192-cbc,
http://www.w3.org/2001/04/xmlenc#aes256-cbc,
http://www.w3.org/2009/xmlenc11#aes128-gcm,
http://www.w3.org/2009/xmlenc11#aes192-gcm,
http://www.w3.org/2009/xmlenc11#aes256-gcm]
acceptedKeyWrapAlgorithms: [http://www.w3.org/2001/04/xmlenc#rsa-1_5,
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p]

When I uncomment "encryptionProperties" in the "encryptedUtSTSProperties"
bean, regardless of the values of "encryptionAlgorithm" and
"keyWrapAlgorithm" in the "encProperties" bean, I always have the following
values at runtime. I don't know why, but that's why it fails.

encryptionAlgorithm: http://www.w3.org/2001/04/xmlenc#aes128-cbc
keyWrapAlgorithm: http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p
acceptedEncryptionAlgorithms: [
http://www.w3.org/2001/04/xmlenc#tripledes-cbc,
http://www.w3.org/2001/04/xmlenc#aes128-cbc,
http://www.w3.org/2001/04/xmlenc#aes192-cbc,
http://www.w3.org/2001/04/xmlenc#aes256-cbc,
http://www.w3.org/2009/xmlenc11#aes128-gcm,
http://www.w3.org/2009/xmlenc11#aes192-gcm,
http://www.w3.org/2009/xmlenc11#aes256-gcm]
acceptedKeyWrapAlgorithms: [http://www.w3.org/2001/04/xmlenc#rsa-1_5,
http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p]

    <bean id="encProperties"
          class="org.apache.cxf.sts.service.EncryptionProperties">
        <property name="encryptionAlgorithm"
                  value="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
        <property name="keyWrapAlgorithm"
                  value="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <!--property name="keyWrapAlgorithm"
                  value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" /-->
    </bean>

    <bean id="encryptedUtSTSProperties"
          class="org.apache.cxf.sts.StaticSTSProperties">
        <property name="signaturePropertiesFile"
                  value="stsKeystore.properties"/>
        <property name="signatureUsername" value="mystskey"/>
        <property name="callbackHandlerClass"
                  value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler"/>
        <property name="encryptionPropertiesFile"
                  value="stsKeystore.properties"/>
        <property name="encryptionProperties" ref="encProperties"/>
        <property name="issuer" value="DoubleItSTSIssuer"/>
        <property name="encryptionUsername" value="myservicekey"/>
    </bean>




On Wed, Jul 18, 2012 at 10:54 AM, Gina Choi <[email protected]> wrote:

> The previous logs were obtained when I set "EncryptionProperties" as
> follows. This is the same as the default value when I comment
> "EncryptionProperties" out. I don't know why it doesn't work.
>
>
>
>     <bean id="encProperties"
>           class="org.apache.cxf.sts.service.EncryptionProperties">
>         <property name="encryptionAlgorithm"
>                   value="http://www.w3.org/2001/04/xmlenc#aes256-cbc" />
>         <property name="keyWrapAlgorithm"
>                   value="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
>         <!--property name="keyWrapAlgorithm"
>                   value="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p" /-->
>     </bean>
>
>
> On Wed, Jul 18, 2012 at 10:50 AM, Gina Choi <[email protected]> wrote:
>
>> Hi Colm,
>>
>> I abbreviated the content of the SOAP request from WSC to WSP to save space
>> previously. I have attached zipped logs from WSC, STS and WSP for your
>> reference. I do see EncryptedData in the WSC to WSP request.
>>
>> Thanks.
>>
>> Gina
>>
>>
>> On Wed, Jul 18, 2012 at 9:55 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>
>>>
>>> Are you sure you're using the ut_encrypted port? Because the token that
>>> is issued by the STS is encrypted for the WSP and so should appear in the
>>> WSC -> WSP request as an "EncryptedData" structure, whereas in your
>>> test-case I can see the SAML Assertion.
>>>
>>> Colm.
>>>
>>>
>>
>

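An added check, not code from this thread or from CXF: a small Python script that parses the Spring bean XML quoted above, follows the "encryptionProperties" ref into the EncryptionProperties bean and reports the algorithm URIs the file actually carries, so the configured values can be compared with what the STS prints at runtime. It flags two things a reviewer would look at in this configuration: values that are not the bare URI (as pasted, each value=" is followed by a line break; if that break is in the file rather than added by the mail client, Spring passes the string with leading whitespace to the setter) and algorithm choices worth reconsidering, namely rsa-1_5 key transport and CBC content encryption versus rsa-oaep-mgf1p with an xmlenc11 GCM algorithm. The accepted lists are the ones the STS printed above; the sample_config builder, its bean contents and the Spring namespace handling are constructed for the example and are assumptions, not CXF behaviour.

```python
"""Audit the encryption settings of a CXF StaticSTSProperties bean.

Constructed example for this thread, not CXF or Spring code: it parses the
Spring bean XML, follows the "encryptionProperties" ref and reports the
encryptionAlgorithm / keyWrapAlgorithm that the XML actually carries.
"""
import xml.etree.ElementTree as ET

# Accepted lists exactly as the STS printed them at runtime in the thread.
ACCEPTED_ENCRYPTION = {
    "http://www.w3.org/2001/04/xmlenc#tripledes-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes128-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes192-cbc",
    "http://www.w3.org/2001/04/xmlenc#aes256-cbc",
    "http://www.w3.org/2009/xmlenc11#aes128-gcm",
    "http://www.w3.org/2009/xmlenc11#aes192-gcm",
    "http://www.w3.org/2009/xmlenc11#aes256-gcm",
}
ACCEPTED_KEY_WRAP = {
    "http://www.w3.org/2001/04/xmlenc#rsa-1_5",
    "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p",
}
RSA15 = "http://www.w3.org/2001/04/xmlenc#rsa-1_5"
SPRING_NS = "http://www.springframework.org/schema/beans"  # assumed default ns


def _local(tag):
    """Drop the XML namespace from a tag ({ns}bean -> bean)."""
    return tag.rsplit("}", 1)[-1]


def load_beans(xml_text):
    """Return {id: element} for every <bean id=...> in the document."""
    root = ET.fromstring(xml_text)
    return {el.get("id"): el for el in root.iter()
            if _local(el.tag) == "bean" and el.get("id")}


def bean_properties(bean):
    """Return {property name: ("value" | "ref", raw attribute string)}."""
    props = {}
    for child in bean:
        if _local(child.tag) != "property":
            continue
        if child.get("ref") is not None:
            props[child.get("name")] = ("ref", child.get("ref"))
        elif child.get("value") is not None:
            props[child.get("name")] = ("value", child.get("value"))
    return props


def audit_sts_encryption(xml_text, sts_bean_id="encryptedUtSTSProperties"):
    """Resolve the EncryptionProperties wired into one STS bean, flag issues."""
    beans = load_beans(xml_text)
    sts = bean_properties(beans[sts_bean_id])
    report = {"encryptionPropertiesBean": None, "encryptionAlgorithm": None,
              "keyWrapAlgorithm": None, "warnings": []}
    link = sts.get("encryptionProperties")
    if link is None:
        report["warnings"].append(
            "encryptionProperties not wired: the library defaults apply")
        return report
    if link[0] != "ref" or link[1] not in beans:
        report["warnings"].append(
            "encryptionProperties must ref an EncryptionProperties bean")
        return report
    report["encryptionPropertiesBean"] = link[1]
    enc = bean_properties(beans[link[1]])
    checks = (("encryptionAlgorithm", ACCEPTED_ENCRYPTION),
              ("keyWrapAlgorithm", ACCEPTED_KEY_WRAP))
    for name, accepted in checks:
        if name not in enc or enc[name][0] != "value":
            report["warnings"].append(f"{name} not set on {link[1]}")
            continue
        raw = enc[name][1]
        uri = raw.strip()
        report[name] = uri
        if raw != uri:
            # Spring passes the attribute text to the setter unchanged; a line
            # break inside value="..." becomes leading whitespace, so the STS
            # never receives the bare algorithm URI.
            report["warnings"].append(
                f"{name}: value has surrounding whitespace ({raw!r})")
        if uri not in accepted:
            report["warnings"].append(f"{name}: {uri} not in accepted list")
        if uri == RSA15:
            report["warnings"].append(
                "keyWrapAlgorithm: rsa-1_5 is exposed to padding-oracle "
                "attacks; prefer rsa-oaep-mgf1p")
        elif uri.endswith("-cbc"):
            report["warnings"].append(
                f"{name}: CBC mode; prefer an xmlenc11 GCM algorithm")
    return report


def sample_config(enc_alg, key_wrap, wire=True):
    """Constructed Spring XML mirroring the two beans quoted in the thread."""
    ref = ('<property name="encryptionProperties" ref="encProperties"/>'
           if wire else "")
    return f"""<beans xmlns="{SPRING_NS}">
  <bean id="encProperties"
        class="org.apache.cxf.sts.service.EncryptionProperties">
    <property name="encryptionAlgorithm" value="{enc_alg}"/>
    <property name="keyWrapAlgorithm" value="{key_wrap}"/>
  </bean>
  <bean id="encryptedUtSTSProperties"
        class="org.apache.cxf.sts.StaticSTSProperties">
    <property name="encryptionPropertiesFile" value="stsKeystore.properties"/>
    {ref}
    <property name="encryptionUsername" value="myservicekey"/>
  </bean>
</beans>"""


if __name__ == "__main__":
    # Values laid out as in the mail: a line break right after value="
    as_pasted = sample_config("\nhttp://www.w3.org/2001/04/xmlenc#aes256-cbc",
                              "\nhttp://www.w3.org/2001/04/xmlenc#rsa-1_5")
    hardened = sample_config("http://www.w3.org/2009/xmlenc11#aes256-gcm",
                             "http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p")
    for label, cfg in (("as pasted", as_pasted), ("hardened", hardened)):
        print(label, audit_sts_encryption(cfg))
```

Run it against the real bean file instead of sample_config to see whether the file carries the URIs you expect; if the report is clean but the STS still logs aes128-cbc and rsa-oaep-mgf1p, the problem is not in the XML text and the next place to look is how the STS reads the EncryptionProperties bean at runtime.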