<<<
Try uncommenting the "UsingAddress" policy listed in "TransportUT_policy".
>>>
Thanks Colm. Will let you know the result tomorrow morning. As you know, we
will be using TransportUT_Binding since it is using TransportUT_policy.
Do we also need to comment out "Input_policy" from TransportUT_Binding
like below, since "Input_policy" in the Fediz STS wsdl requires both encryption
and signature? This is the same as "Output_policy".
<wsdl:binding name="TransportUT_Binding" type="wstrust:STS">
    <wsp:PolicyReference URI="#TransportUT_policy" />
    <soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
    <wsdl:operation name="Issue">
        <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
        <wsdl:input>
            <!--wsp:PolicyReference URI="#Input_policy" /-->
            <soap12:body use="literal" />
        </wsdl:input>
        <wsdl:output>
            <!--wsp:PolicyReference URI="#Output_policy" /-->
            <soap12:body use="literal" />
        </wsdl:output>
    </wsdl:operation>
</wsdl:binding>
On Tue, Jul 24, 2012 at 11:17 AM, Colm O hEigeartaigh
<[email protected]> wrote:
>
> Try uncommenting the "UsingAddress" policy listed in "TransportUT_policy".
>
> Colm.
>
>
> On Tue, Jul 24, 2012 at 4:01 PM, Gina Choi <[email protected]> wrote:
>
>> Hi Colm,
>>
>> First of all, sorry for the massive emails we sent. Alex works in a different
>> timezone, so we didn't have much common time to debug together. So, we are
>> kind of rushing this morning.
>>
>> We use Fediz STS and try to minimize changes to save time. We tried
>> TransportUT_Binding (please see below), which shipped with Fediz STS. Since
>> it is also referencing Input_policy, I am not sure if it will work as it is.
>>
>> <wsdl:binding name="TransportUT_Binding" type="wstrust:STS">
>>     <wsp:PolicyReference URI="#TransportUT_policy" />
>>     <soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
>>     <wsdl:operation name="Issue">
>>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
>>         <wsdl:input>
>>             <wsp:PolicyReference URI="#Input_policy" />
>>             <soap12:body use="literal" />
>>         </wsdl:input>
>>         <wsdl:output>
>>             <wsp:PolicyReference URI="#Output_policy" />
>>             <soap12:body use="literal" />
>>         </wsdl:output>
>>     </wsdl:operation>
>>     <wsdl:operation name="Validate">
>>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
>>         <wsdl:input>
>>             <wsp:PolicyReference URI="#Input_policy" />
>>             <soap12:body use="literal" />
>>         </wsdl:input>
>>         <wsdl:output>
>>             <wsp:PolicyReference URI="#Output_policy" />
>>             <soap12:body use="literal" />
>>         </wsdl:output>
>>     </wsdl:operation>
>>     <wsdl:operation name="Cancel">
>>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" />
>>         <wsdl:input>
>>             <soap12:body use="literal" />
>>         </wsdl:input>
>>         <wsdl:output>
>>             <soap12:body use="literal" />
>>         </wsdl:output>
>>     </wsdl:operation>
>>     <wsdl:operation name="Renew">
>>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" />
>>         <wsdl:input>
>>             <soap12:body use="literal" />
>>         </wsdl:input>
>>         <wsdl:output>
>>             <soap12:body use="literal" />
>>         </wsdl:output>
>>     </wsdl:operation>
>>     <wsdl:operation name="KeyExchangeToken">
>>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken" />
>>         <wsdl:input>
>>             <soap12:body use="literal" />
>>         </wsdl:input>
>>         <wsdl:output>
>>             <soap12:body use="literal" />
>>         </wsdl:output>
>>     </wsdl:operation>
>>     <wsdl:operation name="RequestCollection">
>>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection" />
>>         <wsdl:input>
>>             <soap12:body use="literal" />
>>         </wsdl:input>
>>         <wsdl:output>
>>             <soap12:body use="literal" />
>>         </wsdl:output>
>>     </wsdl:operation>
>> </wsdl:binding>
>>
>> On Tue, Jul 24, 2012 at 10:28 AM, Colm O hEigeartaigh <
>> [email protected]> wrote:
>>
>>>
>>> What security policy are you using for the TransportUT_Port? It sounds
>>> like the WS-SecurityPolicy layer is not getting invoked.
>>>
>>> Colm.
>>>
>>>
>>> On Tue, Jul 24, 2012 at 2:35 PM, Gina Choi <[email protected]> wrote:
>>>
>>>> Hi Colm,
>>>>
>>>> Alex and I are working together to get this working. I am responsible for
>>>> configuring Fediz STS for him. Could you take a look at the following exceptions
>>>> from Alex's RST? We decided to use TransportUT_Port. I think that is being
>>>> used for WS-Federation SSO as well. Anyway, please ignore our previous
>>>> emails. Could you tell us what is wrong with his RST?
>>>>
>>>>
>>>> ID: 1
>>>> Address: https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService
>>>> Encoding: UTF-8
>>>> Http-Method: POST
>>>> Content-Type: application/soap+xml; charset=utf-8
>>>> Headers: {accept-encoding=[gzip, deflate], connection=[Keep-Alive],
>>>> Content-Length=[1908], content-type=[application/soap+xml; charset=utf-8],
>>>> expect=
>>>> [100-continue], host=[wkqasv0805.global.sdl.corp:9443]}
>>>> Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
>>>>     xmlns:a="http://www.w3.org/2005/08/addressing"
>>>>     xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>>>>   <s:Header>
>>>>     <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
>>>>     <a:MessageID>urn:uuid:24a48857-71ec-466e-bfe6-675c08f84c6e</a:MessageID>
>>>>     <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
>>>>     <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo8DHZtWXyK1Jn2JxXCS85z4AAAAAlruHm4rOAUCcZNvbjFb/PND3aSmMn0JLk9BMBxOE9WoACQAA</VsDebuggerCausalityData>
>>>>     <a:To s:mustUnderstand="1">https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService</a:To>
>>>>     <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>>>>       <u:Timestamp u:Id="_0">
>>>>         <u:Created>2012-07-24T13:27:55.050Z</u:Created>
>>>>         <u:Expires>2012-07-24T13:32:55.050Z</u:Expires>
>>>>       </u:Timestamp>
>>>>       <o:UsernameToken u:Id="uuid-64599397-270f-4886-975c-086f44f45f27-1">
>>>>         <o:Username>gchoi</o:Username>
>>>>         <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">gchoi</o:Password>
>>>>       </o:UsernameToken>
>>>>     </o:Security>
>>>>   </s:Header>
>>>>   <s:Body>
>>>>     <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>>>>       <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>>>>         <a:EndpointReference><a:Address>https://medevasarafia01.global.sdl.corp/Agency/</a:Address></a:EndpointReference>
>>>>       </wsp:AppliesTo>
>>>>       <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
>>>>       <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>>>>       <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
>>>>     </trust:RequestSecurityToken>
>>>>   </s:Body>
>>>> </s:Envelope>
>>>> --------------------------------------
>>>> SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
>>>> SLF4J: Defaulting to no-operation (NOP) logger implementation
>>>> SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for
>>>> further details.
>>>> [LdapLoginModule] authentication-only mode; SSL disabled
>>>> [LdapLoginModule] user provider:
>>>> ldap://wkqasv0805.global.sdl.corp:389/ou=People,dc=maxcrc,dc=com
>>>> [LdapLoginModule] attempting to authenticate user: gchoi
>>>> [LdapLoginModule] authentication succeeded
>>>> [LdapLoginModule] added LdapPrincipal
>>>> "cn=gchoi,ou=People,dc=maxcrc,dc=com" to Subject
>>>> [LdapLoginModule] added UserPrincipal "gchoi" to Subject
>>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
>>>> WARNING: Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Validate has thrown exception, unwinding now
>>>> org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.
>>>>     at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)
>>>>     at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)
>>>>     at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)
>>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>>>>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
>>>>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
>>>>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
>>>>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
>>>>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129)
>>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:187)
>>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:110)
>>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:166)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
>>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
>>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>>>>     at java.lang.Thread.run(Unknown Source)
>>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal handleMessage
>>>> INFO: class org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
>>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS
>>>> INFO: Outbound Message
>>>> ---------------------------
>>>> ID: 1
>>>> Response-Code: 500
>>>> Encoding: UTF-8
>>>> Content-Type: application/soap+xml
>>>> Headers: {}
>>>> Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>>>>   <soap:Body>
>>>>     <soap:Fault>
>>>>       <soap:Code><soap:Value>soap:MustUnderstand</soap:Value></soap:Code>
>>>>       <soap:Reason><soap:Text xml:lang="en">MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.</soap:Text></soap:Reason>
>>>>     </soap:Fault>
>>>>   </soap:Body>
>>>> </soap:Envelope>
>>>> --------------------------------------
>>>>
>>>>
>>>> On Tue, Jul 24, 2012 at 8:58 AM, Gina Choi <[email protected]> wrote:
>>>>
>>>>> Hi Colm,
>>>>>
>>>>> I would like to confirm that I understand you correctly. So, do we need
>>>>> to add the following content to the Fediz STS wsdl file to issue a token? At this
>>>>> point we are mostly interested in (at minimum) issuing a token. I am not sure if
>>>>> we need the "Validate" operation to issue an RSTR.
>>>>>
>>>>>
>>>>>
>>>>> <!-- 2.1.1.3 UsernameToken with timestamp, nonce and password hash -->
>>>>> <wsp:Policy wsu:Id="DoubleItDigestPolicy">
>>>>>     <sp:SupportingTokens>
>>>>>         <wsp:Policy>
>>>>>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>>>>>                 <wsp:Policy>
>>>>>                     <sp:HashPassword />
>>>>>                 </wsp:Policy>
>>>>>             </sp:UsernameToken>
>>>>>         </wsp:Policy>
>>>>>     </sp:SupportingTokens>
>>>>> </wsp:Policy>
>>>>> <wsdl:binding name="DoubleItDigestBinding" type="tns:DoubleItPortType">
>>>>>     <wsp:PolicyReference URI="#DoubleItDigestPolicy" />
>>>>>     <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
>>>>>     <wsdl:operation name="Issue">
>>>>>         <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
>>>>>         <wsdl:input>
>>>>>             <soap:body use="literal" />
>>>>>         </wsdl:input>
>>>>>         <wsdl:output>
>>>>>             <soap:body use="literal" />
>>>>>         </wsdl:output>
>>>>>     </wsdl:operation>
>>>>> </wsdl:binding>
>>>>>
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Gina
>>>>>
>>>>> On Tue, Jul 24, 2012 at 6:34 AM, Colm O hEigeartaigh <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> You could use a SecurityPolicy that just requires a UsernameToken without a
>>>>>> binding. For example, see the policy "<!-- 2.1.1.3 UsernameToken with
>>>>>> timestamp, nonce and password hash -->" starting on line 214:
>>>>>>
>>>>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup
>>>>>>
>>>>>> Of course, in practice one would combine a UsernameToken with the Transport
>>>>>> binding to secure the message exchange...
>>>>>>
>>>>>> Colm.
>>>>>>
>>>>>> On Mon, Jul 23, 2012 at 4:41 PM, Sarafian <[email protected]> wrote:
>>>>>>
>>>>>> > I have C# code that asks the STS for a token using username and password
>>>>>> > credentials.
>>>>>> > I'm using the UT or UTEncrypted endpoints but I get this error:
>>>>>> >
>>>>>> > These policy alternatives can not be satisfied:
>>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
>>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
>>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding: Received Timestamp does not match the requirements
>>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
>>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
>>>>>> >
>>>>>> > Is there a way for the STS to be configured not to apply the above
>>>>>> > policies?
>>>>>> > Is there another endpoint for this kind of thing?
>>>>>> >
>>>>>> > I simply want to use a username/password credential combination to request a
>>>>>> > security token.
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > --
>>>>>> > View this message in context:
>>>>>> >
>>>>>> http://cxf.547215.n5.nabble.com/RequestSecurityToken-without-Encrypting-and-Signing-tp5711426.html
>>>>>> > Sent from the cxf-user mailing list archive at Nabble.com.
>>>>>> >
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Colm O hEigeartaigh
>>>>>>
>>>>>> Talend Community Coder
>>>>>> http://coders.talend.com
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>
>
>
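Added example (editor's code, not CXF or Fediz code and not part of the thread): a small offline model of the two checks this thread turns on. The soap:MustUnderstand fault in Gina's log arises because the client marks the WS-Addressing Action and To headers mustUnderstand="1" while no enabled module on TransportUT_Port claims the addressing namespace; enabling the addressing assertion Colm points at adds that namespace to the understood set. The second function models the UsernameToken supporting-token check: the DoubleItDigestPolicy fragment quoted above carries sp:HashPassword, so a PasswordText token like the one in the logged RST would not satisfy it, which is why a plaintext UsernameToken belongs under the Transport binding (TLS), as Colm notes. The envelope, host name, username and password are constructed placeholders, and the function names are mine, not CXF's.

```python
"""Offline model of the SOAP 1.2 mustUnderstand rule and a simplified
WS-SecurityPolicy UsernameToken check. Added example, not CXF code."""
import xml.etree.ElementTree as ET

S12 = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
UTP = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-username-token-profile-1.0")
PASSWORD_TEXT = UTP + "#PasswordText"
PASSWORD_DIGEST = UTP + "#PasswordDigest"

# Constructed RST envelope shaped like the one in the thread; host, ids and
# credentials are placeholders, not values from any real system.
SAMPLE_RST = f"""<s:Envelope xmlns:s="{S12}" xmlns:a="{WSA}" xmlns:o="{WSSE}" xmlns:u="{WSU}">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:To s:mustUnderstand="1">https://sts.example.test/fedizidpsts/STSService</a:To>
    <o:Security s:mustUnderstand="1">
      <u:Timestamp u:Id="_0">
        <u:Created>2012-07-24T13:27:55Z</u:Created>
        <u:Expires>2012-07-24T13:32:55Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-placeholder-1">
        <o:Username>alice</o:Username>
        <o:Password Type="{PASSWORD_TEXT}">not-a-real-password</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


def must_understand_headers(envelope_xml):
    """Clark-notation names of every header block flagged mustUnderstand."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{S12}}}Header")
    if header is None:
        return []
    return [child.tag for child in header
            if child.get(f"{{{S12}}}mustUnderstand") in ("1", "true")]


def not_understood(envelope_xml, understood_namespaces):
    """Header blocks that would raise a soap:MustUnderstand fault.

    understood_namespaces holds the namespaces the endpoint's enabled modules
    claim. With only WS-Security enabled, a:Action and a:To are left over,
    which is the fault in the thread; enabling WS-Addressing adds WSA.
    """
    return [tag for tag in must_understand_headers(envelope_xml)
            if tag.split("}")[0].lstrip("{") not in understood_namespaces]


def username_token_check(envelope_xml, require_hashed_password):
    """Simplified UsernameToken supporting-token check.

    Returns a list of problems; an empty list means the alternative is
    satisfied. Digest verification itself (nonce, created, hash) is omitted;
    only the password Type demanded by sp:HashPassword is checked.
    """
    root = ET.fromstring(envelope_xml)
    token = root.find(f".//{{{WSSE}}}Security/{{{WSSE}}}UsernameToken")
    if token is None:
        return ["no UsernameToken in wsse:Security header"]
    problems = []
    pw = token.find(f"{{{WSSE}}}Password")
    if pw is None:
        problems.append("UsernameToken has no Password")
    else:
        ptype = pw.get("Type", PASSWORD_TEXT)  # profile default is PasswordText
        if require_hashed_password and ptype != PASSWORD_DIGEST:
            problems.append("policy requires sp:HashPassword but token carries PasswordText")
    if root.find(f".//{{{WSSE}}}Security/{{{WSU}}}Timestamp") is None:
        problems.append("no wsu:Timestamp in wsse:Security header")
    return problems


if __name__ == "__main__":
    print("WS-Security only   :", not_understood(SAMPLE_RST, {WSSE}))
    print("plus WS-Addressing :", not_understood(SAMPLE_RST, {WSSE, WSA}))
    print("TransportUT style  :", username_token_check(SAMPLE_RST, False))
    print("HashPassword policy:", username_token_check(SAMPLE_RST, True))
```

The first two calls reproduce the thread's outcome: with only the security namespace understood, the two addressing headers come back as not understood; adding WSA clears the list. The last call shows why the digest policy alone would reject this client: its password Type is PasswordText, so the token only belongs behind a Transport binding that encrypts the exchange.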