Try uncommenting the "UsingAddressing" policy listed in "TransportUT_policy".
Colm.

On Tue, Jul 24, 2012 at 4:01 PM, Gina Choi <[email protected]> wrote:

> Hi Colm,
>
> First of all, sorry for the massive emails we sent. Alex works in a different
> timezone, so we didn't have much common time to debug together. So, we are
> kind of rushing this morning.
>
> We use Fediz STS and try to minimize changes to save time. We tried
> TransportUT_Binding (please see below) that shipped with Fediz STS. Since
> it is also referencing Input_policy, I am not sure if it will work as it is.
>
> <wsdl:binding name="TransportUT_Binding" type="wstrust:STS">
>     <wsp:PolicyReference URI="#TransportUT_policy" />
>     <soap12:binding style="document"
>         transport="http://schemas.xmlsoap.org/soap/http" />
>     <wsdl:operation name="Issue">
>         <soap12:operation
>             soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
>         <wsdl:input>
>             <wsp:PolicyReference URI="#Input_policy" />
>             <soap12:body use="literal" />
>         </wsdl:input>
>         <wsdl:output>
>             <wsp:PolicyReference URI="#Output_policy" />
>             <soap12:body use="literal" />
>         </wsdl:output>
>     </wsdl:operation>
>     <wsdl:operation name="Validate">
>         <soap12:operation
>             soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
>         <wsdl:input>
>             <wsp:PolicyReference URI="#Input_policy" />
>             <soap12:body use="literal" />
>         </wsdl:input>
>         <wsdl:output>
>             <wsp:PolicyReference URI="#Output_policy" />
>             <soap12:body use="literal" />
>         </wsdl:output>
>     </wsdl:operation>
>     <wsdl:operation name="Cancel">
>         <soap12:operation
>             soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" />
>         <wsdl:input>
>             <soap12:body use="literal" />
>         </wsdl:input>
>         <wsdl:output>
>             <soap12:body use="literal" />
>         </wsdl:output>
>     </wsdl:operation>
>     <wsdl:operation name="Renew">
>         <soap12:operation
>             soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" />
>         <wsdl:input>
>             <soap12:body use="literal" />
>         </wsdl:input>
>         <wsdl:output>
>             <soap12:body use="literal" />
>         </wsdl:output>
>     </wsdl:operation>
>     <wsdl:operation name="KeyExchangeToken">
>         <soap12:operation
>             soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken" />
>         <wsdl:input>
>             <soap12:body use="literal" />
>         </wsdl:input>
>         <wsdl:output>
>             <soap12:body use="literal" />
>         </wsdl:output>
>     </wsdl:operation>
>     <wsdl:operation name="RequestCollection">
>         <soap12:operation
>             soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection" />
>         <wsdl:input>
>             <soap12:body use="literal" />
>         </wsdl:input>
>         <wsdl:output>
>             <soap12:body use="literal" />
>         </wsdl:output>
>     </wsdl:operation>
> </wsdl:binding>
>
> On Tue, Jul 24, 2012 at 10:28 AM, Colm O hEigeartaigh <[email protected]> wrote:
>
>> What security policy are you using for the TransportUT_Port? It sounds
>> like the WS-SecurityPolicy layer is not getting invoked.
>>
>> Colm.
>>
>> On Tue, Jul 24, 2012 at 2:35 PM, Gina Choi <[email protected]> wrote:
>>
>>> Hi Colm,
>>>
>>> Alex and I are working together to get this to work. I am responsible for
>>> configuring Fediz STS for him. Could you take a look at the following exceptions
>>> from Alex's RST? We decided to use TransportUT_Port. I think that is being
>>> used for WS-Federation SSO as well. Anyway, please ignore our previous
>>> emails. Could you tell us what is wrong with his RST?
>>>
>>> ID: 1
>>> Address: https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService
>>> Encoding: UTF-8
>>> Http-Method: POST
>>> Content-Type: application/soap+xml; charset=utf-8
>>> Headers: {accept-encoding=[gzip, deflate], connection=[Keep-Alive], Content-Length=[1908], content-type=[application/soap+xml; charset=utf-8], expect=[100-continue], host=[wkqasv0805.global.sdl.corp:9443]}
>>> Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action><a:MessageID>urn:uuid:24a48857-71ec-466e-bfe6-675c08f84c6e</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo8DHZtWXyK1Jn2JxXCS85z4AAAAAlruHm4rOAUCcZNvbjFb/PND3aSmMn0JLk9BMBxOE9WoACQAA</VsDebuggerCausalityData><a:To s:mustUnderstand="1">https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><u:Timestamp u:Id="_0"><u:Created>2012-07-24T13:27:55.050Z</u:Created><u:Expires>2012-07-24T13:32:55.050Z</u:Expires></u:Timestamp><o:UsernameToken u:Id="uuid-64599397-270f-4886-975c-086f44f45f27-1"><o:Username>gchoi</o:Username><o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">gchoi</o:Password></o:UsernameToken></o:Security></s:Header><s:Body><trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>https://medevasarafia01.global.sdl.corp/Agency/</a:Address></a:EndpointReference></wsp:AppliesTo><trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType><trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType><trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType></trust:RequestSecurityToken></s:Body></s:Envelope>
>>> --------------------------------------
>>> SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
>>> SLF4J: Defaulting to no-operation (NOP) logger implementation
>>> SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
>>> [LdapLoginModule] authentication-only mode; SSL disabled
>>> [LdapLoginModule] user provider: ldap://wkqasv0805.global.sdl.corp:389/ou=People,dc=maxcrc,dc=com
>>> [LdapLoginModule] attempting to authenticate user: gchoi
>>> [LdapLoginModule] authentication succeeded
>>> [LdapLoginModule] added LdapPrincipal "cn=gchoi,ou=People,dc=maxcrc,dc=com" to Subject
>>> [LdapLoginModule] added UserPrincipal "gchoi" to Subject
>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
>>> WARNING: Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Validate has thrown exception, unwinding now
>>> org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.
>>>     at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)
>>>     at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)
>>>     at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)
>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>>>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
>>>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
>>>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
>>>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
>>>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129)
>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:187)
>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:110)
>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:166)
>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>>>     at java.lang.Thread.run(Unknown Source)
>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal handleMessage
>>> INFO: class org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS
>>> INFO: Outbound Message
>>> ---------------------------
>>> ID: 1
>>> Response-Code: 500
>>> Encoding: UTF-8
>>> Content-Type: application/soap+xml
>>> Headers: {}
>>> Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Body><soap:Fault><soap:Code><soap:Value>soap:MustUnderstand</soap:Value></soap:Code><soap:Reason><soap:Text xml:lang="en">MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.</soap:Text></soap:Reason></soap:Fault></soap:Body></soap:Envelope>
>>> --------------------------------------
>>>
>>> On Tue, Jul 24, 2012 at 8:58 AM, Gina Choi <[email protected]> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> I would like to confirm if I understand you correctly. So, do we need
>>>> to add the following content to the Fediz STS wsdl file to issue a token? At this
>>>> point we are mostly interested in (at minimum) issuing a token. I am not sure if
>>>> we need the "Validate" operation to issue an RSTR.
>>>>
>>>> <!-- 2.1.1.3 UsernameToken with timestamp, nonce and password hash -->
>>>> <wsp:Policy wsu:Id="DoubleItDigestPolicy">
>>>>     <sp:SupportingTokens>
>>>>         <wsp:Policy>
>>>>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>>>                 <wsp:Policy>
>>>>                     <sp:HashPassword />
>>>>                 </wsp:Policy>
>>>>             </sp:UsernameToken>
>>>>         </wsp:Policy>
>>>>     </sp:SupportingTokens>
>>>> </wsp:Policy>
>>>> <wsdl:binding name="DoubleItDigestBinding" type="tns:DoubleItPortType">
>>>>     <wsp:PolicyReference URI="#DoubleItDigestPolicy" />
>>>>     <soap:binding style="document"
>>>>         transport="http://schemas.xmlsoap.org/soap/http" />
>>>>     <wsdl:operation name="Issue">
>>>>         <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
>>>>         <wsdl:input>
>>>>             <soap:body use="literal" />
>>>>         </wsdl:input>
>>>>         <wsdl:output>
>>>>             <soap:body use="literal" />
>>>>         </wsdl:output>
>>>>     </wsdl:operation>
>>>> </wsdl:binding>
>>>>
>>>> Thanks.
>>>>
>>>> Gina
>>>>
>>>> On Tue, Jul 24, 2012 at 6:34 AM, Colm O hEigeartaigh <[email protected]> wrote:
>>>>
>>>>> You could use a SecurityPolicy that just requires a UsernameToken
>>>>> without a binding. For example see the policy "<!-- 2.1.1.3 UsernameToken with
>>>>> timestamp, nonce and password hash -->" starting on line 214:
>>>>>
>>>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup
>>>>>
>>>>> Of course, in practice one would combine a UsernameToken with the
>>>>> Transport binding to secure the message exchange...
>>>>>
>>>>> Colm.
>>>>>
>>>>> On Mon, Jul 23, 2012 at 4:41 PM, Sarafian <[email protected]> wrote:
>>>>>
>>>>> > I have C# code that asks the STS for a token using username/password
>>>>> > credentials.
>>>>> > I'm using the UT or UTEncrypted endpoints but I get this error:
>>>>> >
>>>>> > These policy alternatives can not be satisfied:
>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding: Received Timestamp does not match the requirements
>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
>>>>> >
>>>>> > Is there a way for the STS to be configured not to apply the above
>>>>> > policies?
>>>>> > Is there another endpoint for these kinds of things?
>>>>> >
>>>>> > I simply want to use a username/password credential combination to
>>>>> > request a security token.
>>>>> >
>>>>> > --
>>>>> > View this message in context:
>>>>> > http://cxf.547215.n5.nabble.com/RequestSecurityToken-without-Encrypting-and-Signing-tp5711426.html
>>>>> > Sent from the cxf-user mailing list archive at Nabble.com.
>>>>>
>>>>> --
>>>>> Colm O hEigeartaigh
>>>>>
>>>>> Talend Community Coder
>>>>> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
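What the suggested fix looks like in policy terms, as an added illustration and not the Fediz project's own WSDL: a TransportUT_policy in the shape CXF's ws-trust WSDLs use (reconstructed from memory, so element names, namespaces and ordering are assumptions to check against the shipped file), with the WS-Addressing assertion enabled so that the mustUnderstand a:Action and a:To headers in the captured RST are consumed instead of faulting, and a UsernameToken assertion that matches the PasswordText the client actually sends. Because the password travels in clear inside the token, the sp:HttpsToken transport binding is the only thing protecting it, which is the point of Colm's earlier remark about combining a UsernameToken with the Transport binding.

```xml
<!-- Constructed illustration; the Fediz STS ships its own TransportUT_policy. -->
<wsp:Policy wsu:Id="TransportUT_policy"
    xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- This is the assertion that was commented out. Without it CXF does not
           engage WS-Addressing on the endpoint, so the client's a:Action / a:To
           headers carrying mustUnderstand="1" are left unclaimed and the
           MustUnderstandInterceptor raises the soap:MustUnderstand fault in the log. -->
      <wsap10:UsingAddressing/>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken>
                <wsp:Policy/>
              </sp:HttpsToken>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <!-- Satisfied by the u:Timestamp the captured RST already carries. -->
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <!-- The captured RST uses PasswordText. Requiring sp:HashPassword here,
               as DoubleItDigestPolicy does, would reject that same request during
               policy validation because the password type would not match. -->
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```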
