It doesn't make any difference, as CXF considers the message payload signed
+ encrypted when TLS is being used.

Colm.

On Tue, Jul 24, 2012 at 4:57 PM, Gina Choi <[email protected]> wrote:

> <<<
> Try uncommenting the "UsingAddress" policy listed in "TransportUT_policy".
> >>>
> Thanks Colm. Will let you know the result tomorrow morning. As you know, we
> will be using TransportUT_Binding since it is using TransportUT_policy.
> Should we also comment out "Input_policy" from TransportUT_Binding
> like below, since "Input_policy" in the Fediz STS wsdl requires both encryption
> and signature? This is the same as "Output_policy".
>
>   <wsdl:binding name="TransportUT_Binding" type="wstrust:STS">
>     <wsp:PolicyReference URI="#TransportUT_policy" />
>       <soap12:binding style="document"
>           transport="http://schemas.xmlsoap.org/soap/http" />
>       <wsdl:operation name="Issue">
>           <soap12:operation
>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
>           <wsdl:input>
>               <!--wsp:PolicyReference
>                URI="#Input_policy" /-->
>               <soap12:body use="literal" />
>           </wsdl:input>
>           <wsdl:output>
>               <!--wsp:PolicyReference
>                URI="#Output_policy" /-->
>               <soap12:body use="literal" />
>           </wsdl:output>
>
> On Tue, Jul 24, 2012 at 11:17 AM, Colm O hEigeartaigh <[email protected]> wrote:
>
> >
> > Try uncommenting the "UsingAddress" policy listed in "TransportUT_policy".
> >
> > Colm.
> >
> >
> > On Tue, Jul 24, 2012 at 4:01 PM, Gina Choi <[email protected]> wrote:
> >
> >> Hi Colm,
> >>
> >> First of all, sorry for the massive number of emails we sent. Alex works in a
> >> different timezone, so we didn't have much common time to debug together. So,
> >> we are kind of rushing this morning.
> >>
> >> We use Fediz STS and try to minimize changes to save time. We tried
> >> TransportUT_Binding (please see below) that shipped with Fediz STS. Since
> >> it is also referencing Input_policy, I am not sure if it will work as it is.
> >>
> >>   <wsdl:binding name="TransportUT_Binding" type="wstrust:STS">
> >>     <wsp:PolicyReference URI="#TransportUT_policy" />
> >>       <soap12:binding style="document"
> >>           transport="http://schemas.xmlsoap.org/soap/http" />
> >>       <wsdl:operation name="Issue">
> >>           <soap12:operation
> >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
> >>           <wsdl:input>
> >>               <wsp:PolicyReference
> >>                URI="#Input_policy" />
> >>               <soap12:body use="literal" />
> >>           </wsdl:input>
> >>           <wsdl:output>
> >>               <wsp:PolicyReference
> >>                URI="#Output_policy" />
> >>               <soap12:body use="literal" />
> >>           </wsdl:output>
> >>       </wsdl:operation>
> >>       <wsdl:operation name="Validate">
> >>           <soap12:operation
> >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
> >>           <wsdl:input>
> >>               <wsp:PolicyReference
> >>                URI="#Input_policy" />
> >>               <soap12:body use="literal" />
> >>           </wsdl:input>
> >>           <wsdl:output>
> >>               <wsp:PolicyReference
> >>                URI="#Output_policy" />
> >>               <soap12:body use="literal" />
> >>           </wsdl:output>
> >>       </wsdl:operation>
> >>       <wsdl:operation name="Cancel">
> >>           <soap12:operation
> >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" />
> >>           <wsdl:input>
> >>               <soap12:body use="literal" />
> >>           </wsdl:input>
> >>           <wsdl:output>
> >>               <soap12:body use="literal" />
> >>           </wsdl:output>
> >>       </wsdl:operation>
> >>       <wsdl:operation name="Renew">
> >>           <soap12:operation
> >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" />
> >>           <wsdl:input>
> >>               <soap12:body use="literal" />
> >>           </wsdl:input>
> >>           <wsdl:output>
> >>               <soap12:body use="literal" />
> >>           </wsdl:output>
> >>       </wsdl:operation>
> >>       <wsdl:operation name="KeyExchangeToken">
> >>           <soap12:operation
> >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken" />
> >>           <wsdl:input>
> >>               <soap12:body use="literal" />
> >>           </wsdl:input>
> >>           <wsdl:output>
> >>               <soap12:body use="literal" />
> >>           </wsdl:output>
> >>       </wsdl:operation>
> >>       <wsdl:operation name="RequestCollection">
> >>           <soap12:operation
> >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection" />
> >>           <wsdl:input>
> >>               <soap12:body use="literal" />
> >>           </wsdl:input>
> >>           <wsdl:output>
> >>               <soap12:body use="literal" />
> >>           </wsdl:output>
> >>       </wsdl:operation>
> >>   </wsdl:binding>
> >>
> >> On Tue, Jul 24, 2012 at 10:28 AM, Colm O hEigeartaigh <[email protected]> wrote:
> >>
> >>>
> >>> What security policy are you using for the TransportUT_Port? It sounds
> >>> like the WS-SecurityPolicy layer is not getting invoked.
> >>>
> >>> Colm.
> >>>
> >>>
> >>> On Tue, Jul 24, 2012 at 2:35 PM, Gina Choi <[email protected]> wrote:
> >>>
> >>>> Hi Colm,
> >>>>
> >>>> Alex and I are working together to get this working. I am responsible for
> >>>> configuring Fediz STS for him. Could you take a look at the following
> >>>> exceptions from Alex's RST? We decided to use TransportUT_Port. I think that
> >>>> is being used for WS-Federation SSO as well. Anyway, please ignore our
> >>>> previous emails. Could you tell us what is wrong with his RST?
> >>>>
> >>>>
> >>>> ID: 1
> >>>> Address: https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService
> >>>> Encoding: UTF-8
> >>>> Http-Method: POST
> >>>> Content-Type: application/soap+xml; charset=utf-8
> >>>> Headers: {accept-encoding=[gzip, deflate], connection=[Keep-Alive], Content-Length=[1908], content-type=[application/soap+xml; charset=utf-8], expect=[100-continue], host=[wkqasv0805.global.sdl.corp:9443]}
> >>>> Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> >>>> <s:Header>
> >>>> <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
> >>>> <a:MessageID>urn:uuid:24a48857-71ec-466e-bfe6-675c08f84c6e</a:MessageID>
> >>>> <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
> >>>> <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo8DHZtWXyK1Jn2JxXCS85z4AAAAAlruHm4rOAUCcZNvbjFb/PND3aSmMn0JLk9BMBxOE9WoACQAA</VsDebuggerCausalityData>
> >>>> <a:To s:mustUnderstand="1">https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService</a:To>
> >>>> <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >>>> <u:Timestamp u:Id="_0"><u:Created>2012-07-24T13:27:55.050Z</u:Created><u:Expires>2012-07-24T13:32:55.050Z</u:Expires></u:Timestamp>
> >>>> <o:UsernameToken u:Id="uuid-64599397-270f-4886-975c-086f44f45f27-1"><o:Username>gchoi</o:Username><o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">gchoi</o:Password></o:UsernameToken>
> >>>> </o:Security>
> >>>> </s:Header>
> >>>> <s:Body>
> >>>> <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> >>>> <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>https://medevasarafia01.global.sdl.corp/Agency/</a:Address></a:EndpointReference></wsp:AppliesTo>
> >>>> <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
> >>>> <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
> >>>> <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
> >>>> </trust:RequestSecurityToken>
> >>>> </s:Body>
> >>>> </s:Envelope>
> >>>> --------------------------------------
> >>>> SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
> >>>> SLF4J: Defaulting to no-operation (NOP) logger implementation
> >>>> SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for
> >>>> further details.
> >>>>                 [LdapLoginModule] authentication-only mode; SSL disabled
> >>>>                 [LdapLoginModule] user provider: ldap://wkqasv0805.global.sdl.corp:389/ou=People,dc=maxcrc,dc=com
> >>>>                 [LdapLoginModule] attempting to authenticate user: gchoi
> >>>>                 [LdapLoginModule] authentication succeeded
> >>>>                 [LdapLoginModule] added LdapPrincipal "cn=gchoi,ou=People,dc=maxcrc,dc=com" to Subject
> >>>>                 [LdapLoginModule] added UserPrincipal "gchoi" to Subject
> >>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
> >>>> WARNING: Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Validate has thrown exception, unwinding now
> >>>> org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.
> >>>>         at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)
> >>>>         at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)
> >>>>         at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)
> >>>>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> >>>>         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
> >>>>         at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
> >>>>         at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
> >>>>         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
> >>>>         at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129)
> >>>>         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:187)
> >>>>         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:110)
> >>>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
> >>>>         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:166)
> >>>>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
> >>>>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> >>>>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
> >>>>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
> >>>>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
> >>>>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
> >>>>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
> >>>>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
> >>>>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> >>>>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
> >>>>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
> >>>>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
> >>>>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
> >>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
> >>>>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> >>>>         at java.lang.Thread.run(Unknown Source)
> >>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal handleMessage
> >>>> INFO: class org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
> >>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS
> >>>> INFO: Outbound Message
> >>>> ---------------------------
> >>>> ID: 1
> >>>> Response-Code: 500
> >>>> Encoding: UTF-8
> >>>> Content-Type: application/soap+xml
> >>>> Headers: {}
> >>>> Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Body><soap:Fault><soap:Code><soap:Value>soap:MustUnderstand</soap:Value></soap:Code><soap:Reason><soap:Text xml:lang="en">MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.</soap:Text></soap:Reason></soap:Fault></soap:Body></soap:Envelope>
> >>>> --------------------------------------
> >>>>
> >>>>
> >>>> On Tue, Jul 24, 2012 at 8:58 AM, Gina Choi <[email protected]> wrote:
> >>>>
> >>>>> Hi Colm,
> >>>>>
> >>>>> I would like to confirm that I understand you correctly. So, do we need
> >>>>> to add the following content to the Fediz STS wsdl file to issue a token? At
> >>>>> this point we are mostly interested in (at minimum) issuing a token. I am not
> >>>>> sure if we need the "Validate" operation to issue an RSTR.
> >>>>>
> >>>>>
> >>>>>
> >>>>> <!-- 2.1.1.3 UsernameToken with timestamp, nonce and password hash -->
> >>>>> <wsp:Policy wsu:Id="DoubleItDigestPolicy">
> >>>>>   <sp:SupportingTokens>
> >>>>>     <wsp:Policy>
> >>>>>       <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >>>>>         <wsp:Policy>
> >>>>>           <sp:HashPassword />
> >>>>>         </wsp:Policy>
> >>>>>       </sp:UsernameToken>
> >>>>>     </wsp:Policy>
> >>>>>   </sp:SupportingTokens>
> >>>>> </wsp:Policy>
> >>>>> <wsdl:binding name="DoubleItDigestBinding" type="tns:DoubleItPortType">
> >>>>>   <wsp:PolicyReference URI="#DoubleItDigestPolicy" />
> >>>>>   <soap:binding style="document"
> >>>>>   transport="http://schemas.xmlsoap.org/soap/http" />
> >>>>>   <wsdl:operation name="Issue">
> >>>>>     <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
> >>>>>     <wsdl:input>
> >>>>>       <soap:body use="literal" />
> >>>>>     </wsdl:input>
> >>>>>     <wsdl:output>
> >>>>>       <soap:body use="literal" />
> >>>>>     </wsdl:output>
> >>>>>   </wsdl:operation>
> >>>>> </wsdl:binding>
> >>>>>
> >>>>>
> >>>>> Thanks.
> >>>>>
> >>>>> Gina
> >>>>>
> >>>>> On Tue, Jul 24, 2012 at 6:34 AM, Colm O hEigeartaigh <[email protected]> wrote:
> >>>>>
> >>>>>> You could use a SecurityPolicy that just requires a UsernameToken
> >>>>>> without a binding. For example see the policy "<!-- 2.1.1.3 UsernameToken
> >>>>>> with timestamp, nonce and password hash -->" starting on line 214:
> >>>>>>
> >>>>>>
> >>>>>>
> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup
> >>>>>>
> >>>>>> Of course, in practice one would combine a UsernameToken with the
> >>>>>> Transport binding to secure the message exchange...
> >>>>>>
> >>>>>> Colm.
> >>>>>>
> >>>>>> On Mon, Jul 23, 2012 at 4:41 PM, Sarafian <[email protected]> wrote:
> >>>>>>
> >>>>>> > I have C# code that asks the STS for a token using username/password
> >>>>>> > credentials.
> >>>>>> > I'm using the UT or UTEncrypted endpoints but I get this error:
> >>>>>> >
> >>>>>> > These policy alternatives can not be satisfied:
> >>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
> >>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp:
> >>>>>> > Received Timestamp does not match the requirements
> >>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
> >>>>>> > Received Timestamp does not match the requirements
> >>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts:
> >>>>>> > {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
> >>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts:
> >>>>>> > {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
> >>>>>> >
> >>>>>> > Is there a way for the STS to be configured not to apply the above
> >>>>>> > policies?
> >>>>>> > Is there another endpoint for these kinds of things?
> >>>>>> >
> >>>>>> > I simply want to use a username/password credential combination to
> >>>>>> > request a security token.
> >>>>>> >
> >>>>>> >
> >>>>>> >
> >>>>>> >
> >>>>>> > --
> >>>>>> > View this message in context:
> >>>>>> >
> >>>>>>
> http://cxf.547215.n5.nabble.com/RequestSecurityToken-without-Encrypting-and-Signing-tp5711426.html
> >>>>>> > Sent from the cxf-user mailing list archive at Nabble.com.
> >>>>>> >
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> Colm O hEigeartaigh
> >>>>>>
> >>>>>> Talend Community Coder
> >>>>>> http://coders.talend.com
> >>>>>>
> >>>>>
> >>>>>
> >>>>
> >>>
> >>>
> >>>
> >>>
> >>
> >
> >
> >
> >
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
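The MustUnderstand fault quoted in the thread comes from the SOAP 1.2 rule that a receiver must reject any header block flagged mustUnderstand that it is not configured to process; the fault disappears once WS-Addressing is enabled on the STS endpoint, because the wsa:Action and wsa:To headers then have a handler. The Python below, an added example that is not code from the thread or from CXF, mirrors that check and reproduces the fault text for a constructed envelope; the envelope, the endpoint URL, the user name and the two "understood" header sets are assumptions for the demonstration.

```python
import xml.etree.ElementTree as ET

SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSA = "http://www.w3.org/2005/08/addressing"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")

# Constructed sample shaped like the RST in the thread; the endpoint and the
# user name are placeholders, not values from the original message.
SAMPLE_RST = f"""<s:Envelope xmlns:s="{SOAP12}" xmlns:a="{WSA}" xmlns:o="{WSSE}">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:00000000-0000-0000-0000-000000000000</a:MessageID>
    <a:To s:mustUnderstand="1">https://sts.example.invalid/STSService</a:To>
    <o:Security s:mustUnderstand="1">
      <o:UsernameToken><o:Username>placeholder-user</o:Username></o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


def must_understand_headers(envelope_xml):
    """QNames (Clark notation) of header blocks the sender flagged mustUnderstand.

    SOAP 1.2 accepts "1" or "true"; any other value means the header is optional.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP12}}}Header")
    if header is None:
        return set()
    flag = f"{{{SOAP12}}}mustUnderstand"
    return {child.tag for child in header
            if child.get(flag, "0").strip().lower() in ("1", "true")}


def check_must_understand(envelope_xml, understood):
    """Return None when every mandatory header has a handler on the receiver,
    otherwise the fault reason in the form CXF's MustUnderstandInterceptor logs it."""
    missing = sorted(must_understand_headers(envelope_xml) - set(understood))
    if not missing:
        return None
    return "MustUnderstand headers: [" + ", ".join(missing) + "] are not understood."


# Receiver with only the WS-Security interceptors active (the thread's situation) ...
WITHOUT_ADDRESSING = {f"{{{WSSE}}}Security"}
# ... and the same receiver once WS-Addressing is enabled (the UsingAddressing policy).
WITH_ADDRESSING = WITHOUT_ADDRESSING | {
    f"{{{WSA}}}Action", f"{{{WSA}}}To", f"{{{WSA}}}MessageID", f"{{{WSA}}}ReplyTo"}

if __name__ == "__main__":
    print(check_must_understand(SAMPLE_RST, WITHOUT_ADDRESSING))
    print(check_must_understand(SAMPLE_RST, WITH_ADDRESSING))
```

The same mechanism is what makes a mustUnderstand="1" wsse:Security header safe to send: an endpoint without WS-Security processing faults instead of silently ignoring the token.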
