Hi Colm,

Alex and I are working together to get this working. I am responsible for configuring
Fediz STS for him. Could you take a look at the following exceptions from Alex's
RST? We decided to use TransportUT_Port. I think that is being used for
WS-Federation SSO as well. Anyway, please ignore our previous emails. Could
you tell us what is wrong with his RST?


ID: 1
Address: https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService
Encoding: UTF-8
Http-Method: POST
Content-Type: application/soap+xml; charset=utf-8
Headers: {accept-encoding=[gzip, deflate], connection=[Keep-Alive], Content-Length=[1908], content-type=[application/soap+xml; charset=utf-8], expect=[100-continue], host=[wkqasv0805.global.sdl.corp:9443]}
Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:24a48857-71ec-466e-bfe6-675c08f84c6e</a:MessageID>
    <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
    <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo8DHZtWXyK1Jn2JxXCS85z4AAAAAlruHm4rOAUCcZNvbjFb/PND3aSmMn0JLk9BMBxOE9WoACQAA</VsDebuggerCausalityData>
    <a:To s:mustUnderstand="1">https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2012-07-24T13:27:55.050Z</u:Created>
        <u:Expires>2012-07-24T13:32:55.050Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-64599397-270f-4886-975c-086f44f45f27-1">
        <o:Username>gchoi</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">gchoi</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference>
          <a:Address>https://medevasarafia01.global.sdl.corp/Agency/</a:Address>
        </a:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
      <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>
--------------------------------------
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further
details.
                [LdapLoginModule] authentication-only mode; SSL disabled
                [LdapLoginModule] user provider:
ldap://wkqasv0805.global.sdl.corp:389/ou=People,dc=maxcrc,dc=com
                [LdapLoginModule] attempting to authenticate user: gchoi
                [LdapLoginModule] authentication succeeded
                [LdapLoginModule] added LdapPrincipal
"cn=gchoi,ou=People,dc=maxcrc,dc=com" to Subject
                [LdapLoginModule] added UserPrincipal "gchoi" to Subject
Jul 24, 2012 9:28:00 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Validate has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.
        at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)
        at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)
        at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)
        at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
        at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
        at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
        at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
        at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
        at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:187)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:110)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
        at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:166)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
        at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
        at java.lang.Thread.run(Unknown Source)
Jul 24, 2012 9:28:00 AM org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal handleMessage
INFO: class org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
Jul 24, 2012 9:28:00 AM org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS
INFO: Outbound Message
---------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: application/soap+xml
Headers: {}
Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <soap:Fault>
      <soap:Code><soap:Value>soap:MustUnderstand</soap:Value></soap:Code>
      <soap:Reason><soap:Text xml:lang="en">MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.</soap:Text></soap:Reason>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>
--------------------------------------

On Tue, Jul 24, 2012 at 8:58 AM, Gina Choi <[email protected]> wrote:

> Hi Colm,
>
> I would like to confirm that I understand you correctly. So, do we need to
> add the following content to the Fediz STS wsdl file to issue a token? At this
> point we are mostly interested in (at minimum) issuing a token. I am not sure if
> we need the "Validate" operation to issue an RSTR.
>
>
>
> <!-- 2.1.1.3 UsernameToken with timestamp, nonce and password hash -->
> <wsp:Policy wsu:Id="DoubleItDigestPolicy">
>   <sp:SupportingTokens>
>     <wsp:Policy>
>       <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>         <wsp:Policy>
>           <sp:HashPassword />
>         </wsp:Policy>
>       </sp:UsernameToken>
>     </wsp:Policy>
>   </sp:SupportingTokens>
> </wsp:Policy>
> <wsdl:binding name="DoubleItDigestBinding" type="tns:DoubleItPortType">
>   <wsp:PolicyReference URI="#DoubleItDigestPolicy" />
>   <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
>   <wsdl:operation name="Issue">
>     <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
>     <wsdl:input>
>       <soap:body use="literal" />
>     </wsdl:input>
>     <wsdl:output>
>       <soap:body use="literal" />
>     </wsdl:output>
>   </wsdl:operation>
> </wsdl:binding>
>
>
> Thanks.
>
> Gina
>
> On Tue, Jul 24, 2012 at 6:34 AM, Colm O hEigeartaigh <[email protected]> wrote:
>
>> You could use a SecurityPolicy that just requires a UsernameToken without a
>> binding. For example see the policy "<!-- 2.1.1.3 UsernameToken with
>> timestamp, nonce and password hash -->" starting on line 214:
>>
>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup
>>
>> Of course, in practice one would combine a UsernameToken with the Transport
>> binding to secure the message exchange...
>>
>> Colm.
>>
>> On Mon, Jul 23, 2012 at 4:41 PM, Sarafian <[email protected]> wrote:
>>
>> > I have a C# code that asks the STS for a token using username password
>> > credentials.
>> > I'm using the UT or UTEncrypted endpoints but I get this error:
>> >
>> > These policy alternatives can not be satisfied:
>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding: Received Timestamp does not match the requirements
>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
>> >
>> > Is there a way for the STS to be configured not to apply the above
>> > policies?
>> > Is there another endpoint for these kind of things?
>> >
>> > I simply want to use a username/password credential combination to request
>> > a security token.
>> >
>> >
>> >
>> >
>> > --
>> > View this message in context: http://cxf.547215.n5.nabble.com/RequestSecurityToken-without-Encrypting-and-Signing-tp5711426.html
>> > Sent from the cxf-user mailing list archive at Nabble.com.
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>

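What the fault at the end of the log is actually checking, as an added example (my own code written for this thread, not Fediz or CXF code): a SOAP 1.2 mustUnderstand check run over a constructed copy of Alex's RST. The envelope is the captured request with the password redacted, the debugger blob shortened and the body emptied. The two sets of "understood" header names are assumptions modelled on how CXF behaves (the WSS4J inbound interceptor claims wsse:Security; the WS-Addressing codec claims the WS-Addressing 1.0 header blocks), and the fault text is rebuilt in the shape CXF puts in soap:Reason.

```python
"""SOAP 1.2 mustUnderstand check, reproduced over the captured RST.

Added example, not Fediz/CXF code. Every header block addressed to this node
and flagged mustUnderstand must match a QName that some interceptor on the
endpoint has declared it understands; whatever is left over becomes a
soap:MustUnderstand fault before the operation runs.
"""
import xml.etree.ElementTree as ET
from typing import List, Set, Tuple

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
ROLE_NEXT = SOAP12 + "/role/next"
ROLE_ULTIMATE = SOAP12 + "/role/ultimateReceiver"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
VSDEBUG = "http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink"

QName = Tuple[str, str]

# Constructed copy of the captured request: same header blocks, same
# mustUnderstand flags; password redacted, debugger blob shortened, body empty.
RST_ENVELOPE = f"""<s:Envelope xmlns:s="{SOAP12}" xmlns:a="{WSA}" xmlns:u="{WSU}">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:24a48857-71ec-466e-bfe6-675c08f84c6e</a:MessageID>
    <a:ReplyTo><a:Address>{WSA}/anonymous</a:Address></a:ReplyTo>
    <VsDebuggerCausalityData xmlns="{VSDEBUG}">uIDPo8DHZtWXyK1J</VsDebuggerCausalityData>
    <a:To s:mustUnderstand="1">https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="{WSSE}">
      <u:Timestamp u:Id="_0"><u:Created>2012-07-24T13:27:55.050Z</u:Created><u:Expires>2012-07-24T13:32:55.050Z</u:Expires></u:Timestamp>
      <o:UsernameToken u:Id="uuid-64599397-270f-4886-975c-086f44f45f27-1">
        <o:Username>gchoi</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">REDACTED</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""

# Assumed "understood" sets, modelled on CXF: the WSS4J inbound interceptor
# claims wsse:Security, the WS-Addressing codec claims the WS-Addressing 1.0
# header blocks. TransportUT_Port in the thread behaves as if only the first
# set is registered.
WSSE_UNDERSTOOD: Set[QName] = {(WSSE, "Security")}
WSA_UNDERSTOOD: Set[QName] = {
    (WSA, n) for n in ("Action", "To", "MessageID", "ReplyTo", "FaultTo", "From", "RelatesTo")
}


def _qname(tag: str) -> QName:
    """ElementTree spells namespaced tags as '{ns}local'."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def must_understand_headers(envelope_xml: str) -> List[QName]:
    """Header blocks this node must understand, in document order.

    SOAP 1.2 spells the flag as "1"/"true" (or "0"/"false"); a block without it,
    like VsDebuggerCausalityData, may be ignored. Only blocks targeted at us
    count: no s:role, or the ultimateReceiver or next role. A block for another
    role (e.g. .../role/none) is not ours to process.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP12}}}Header")
    if header is None:
        return []
    targeted = (None, ROLE_ULTIMATE, ROLE_NEXT)
    return [
        _qname(block.tag)
        for block in header
        if block.get(f"{{{SOAP12}}}mustUnderstand", "0").strip() in ("1", "true")
        and block.get(f"{{{SOAP12}}}role") in targeted
    ]


def not_understood(envelope_xml: str, understood: Set[QName]) -> List[str]:
    """Clark-notation names of required headers that nobody on the endpoint claims."""
    return [
        f"{{{ns}}}{local}"
        for ns, local in must_understand_headers(envelope_xml)
        if (ns, local) not in understood
    ]


def fault_reason(envelope_xml: str, understood: Set[QName]) -> str:
    """Reason text in the shape CXF writes into soap:Reason, or '' when clean."""
    missing = not_understood(envelope_xml, understood)
    if not missing:
        return ""
    return "MustUnderstand headers: [" + ", ".join(missing) + "] are not understood."


if __name__ == "__main__":
    print(fault_reason(RST_ENVELOPE, WSSE_UNDERSTOOD))
    print(repr(fault_reason(RST_ENVELOPE, WSSE_UNDERSTOOD | WSA_UNDERSTOOD)))
```

Run as-is, the first line printed is the exact reason text from the outbound fault above for an endpoint that only claims wsse:Security, and the second is an empty string once the WS-Addressing names are claimed as well, which is what an endpoint with WS-Addressing enabled does. Two things in the captured exchange are worth keeping in view while Colm looks at it: the LdapLoginModule lines show the UsernameToken itself was accepted, so the fault concerns the a:Action and a:To headers that the C# client marks mustUnderstand="1", not the credentials; and the password travels as PasswordText inside the envelope, so the TLS transport on port 9443 is the only thing protecting it, which is exactly why Colm pairs the UsernameToken with the Transport binding.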