Hi Colm, I uncommented the "UsingAddress" policy in "TransportUT_policy" and am getting the following error messages on the STS side. By the way, <sp:IncludeTimestamp> was commented out in "TransportUT_policy". It is complaining about the Timestamp, signing and encryption.
Address: https://wkengchoi.global.sdl.corp:9443/fedizidpsts/STSService
Encoding: UTF-8
Http-Method: POST
Content-Type: application/soap+xml; charset=utf-8
Headers: {accept-encoding=[gzip, deflate], connection=[Keep-Alive], Content-Length=[1907], content-type=[application/soap+xml; charset=utf-8], expect=[100-continue], host=[wkengchoi.global.sdl.corp:9443]}
Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action><a:MessageID>urn:uuid:a84aec02-96d9-41c3-bb70-ed344680ae3a</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo2uNX8IHl0xDvpsG8DkbC4EAAAAAIpbBvh7PMEOZCojgKR2l9XnahJb+Hu9Fl8u5a6fFn9wACQAA</VsDebuggerCausalityData><a:To s:mustUnderstand="1">https://wkengchoi.global.sdl.corp:9443/fedizidpsts/STSService</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><u:Timestamp u:Id="_0"><u:Created>2012-07-25T13:45:42.287Z</u:Created><u:Expires>2012-07-25T13:50:42.287Z</u:Expires></u:Timestamp><o:UsernameToken u:Id="uuid-56a2db82-67ec-430b-80e9-0bb1b3645c88-1"><o:Username>gchoi</o:Username><o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">gchoi</o:Password></o:UsernameToken></o:Security></s:Header><s:Body><trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>https://medevasarafia01.global.sdl.corp/Agency/</a:Address></a:EndpointReference></wsp:AppliesTo><trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType><trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType><trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType></trust:RequestSecurityToken></s:Body></s:Envelope>
--------------------------------------
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
[LdapLoginModule] authentication-only mode; SSL disabled
[LdapLoginModule] user provider: ldap://wkqasv0805.global.sdl.corp:389/ou=People,dc=maxcrc,dc=com
[LdapLoginModule] attempting to authenticate user: gchoi
[LdapLoginModule] authentication succeeded
[LdapLoginModule] added LdapPrincipal "cn=gchoi,ou=People,dc=maxcrc,dc=com" to Subject
[LdapLoginModule] added UserPrincipal "gchoi" to Subject
Jul 25, 2012 9:45:47 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
WARNING: Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Validate has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
    at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:130)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:221)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:141)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:197)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
    at java.lang.Thread.run(Thread.java:662)
Caused by: org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding: Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
    at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
    at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
    at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
    ... 26 more
Jul 25, 2012 9:45:47 AM org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal handleMessage
INFO: class org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
Jul 25, 2012 9:45:47 AM org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS
INFO: Outbound Message
---------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: application/soap+xml
Headers: {}
Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Receiver</soap:Value></soap:Code><soap:Reason><soap:Text xml:lang="en">These policy alternatives can not be satisfied: {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding: Received Timestamp does not match the requirements {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts </soap:Text></soap:Reason></soap:Fault></soap:Body></soap:Envelope>
--------------------------------------

On Tue, Jul 24, 2012 at 12:23 PM, Colm O hEigeartaigh
<[email protected]> wrote:

> It doesn't make any difference as CXF considers the message payload signed
> + encrypted as TLS is being used.
>
> Colm.
>
> On Tue, Jul 24, 2012 at 4:57 PM, Gina Choi <[email protected]> wrote:
>
> > <<<
> > Try uncommenting the "UsingAddress" policy listed in "TransportUT_policy".
> > >>>
> >
> > Thanks Colm. Will let you know the result tomorrow morning. As you know, we
> > will be using TransportUT_Binding since it is using TransportUT_policy.
> > Should we also comment out "Input_policy" from TransportUT_Binding
> > like below, since "Input_policy" in the Fediz STS wsdl requires both encryption
> > and signature? This is the same as "Output_policy".
> >
> > <wsdl:binding name="TransportUT_Binding" type="wstrust:STS">
> >     <wsp:PolicyReference URI="#TransportUT_policy" />
> >     <soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
> >     <wsdl:operation name="Issue">
> >         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
> >         <wsdl:input>
> >             <!--wsp:PolicyReference URI="#Input_policy" /-->
> >             <soap12:body use="literal" />
> >         </wsdl:input>
> >         <wsdl:output>
> >             <!--wsp:PolicyReference URI="#Output_policy" /-->
> >             <soap12:body use="literal" />
> >         </wsdl:output>
> >
> > On Tue, Jul 24, 2012 at 11:17 AM, Colm O hEigeartaigh <[email protected]> wrote:
> >
> > > Try uncommenting the "UsingAddress" policy listed in "TransportUT_policy".
> > >
> > > Colm.
> > >
> > > On Tue, Jul 24, 2012 at 4:01 PM, Gina Choi <[email protected]> wrote:
> > >
> > >> Hi Colm,
> > >>
> > >> First of all, sorry for the massive number of emails we sent. Alex works in a
> > >> different timezone, so we didn't have much common time to debug together. So, we
> > >> are kind of rushing this morning.
> > >>
> > >> We use Fediz STS and try to minimize changes to save time. We tried
> > >> TransportUT_Binding (please see below) that shipped with Fediz STS. Since
> > >> it is also referencing Input_policy, I am not sure if it will work as it is.
> > >>
> > >> <wsdl:binding name="TransportUT_Binding" type="wstrust:STS">
> > >>     <wsp:PolicyReference URI="#TransportUT_policy" />
> > >>     <soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
> > >>     <wsdl:operation name="Issue">
> > >>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
> > >>         <wsdl:input>
> > >>             <wsp:PolicyReference URI="#Input_policy" />
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:input>
> > >>         <wsdl:output>
> > >>             <wsp:PolicyReference URI="#Output_policy" />
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:output>
> > >>     </wsdl:operation>
> > >>     <wsdl:operation name="Validate">
> > >>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
> > >>         <wsdl:input>
> > >>             <wsp:PolicyReference URI="#Input_policy" />
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:input>
> > >>         <wsdl:output>
> > >>             <wsp:PolicyReference URI="#Output_policy" />
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:output>
> > >>     </wsdl:operation>
> > >>     <wsdl:operation name="Cancel">
> > >>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" />
> > >>         <wsdl:input>
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:input>
> > >>         <wsdl:output>
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:output>
> > >>     </wsdl:operation>
> > >>     <wsdl:operation name="Renew">
> > >>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" />
> > >>         <wsdl:input>
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:input>
> > >>         <wsdl:output>
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:output>
> > >>     </wsdl:operation>
> > >>     <wsdl:operation name="KeyExchangeToken">
> > >>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken" />
> > >>         <wsdl:input>
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:input>
> > >>         <wsdl:output>
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:output>
> > >>     </wsdl:operation>
> > >>     <wsdl:operation name="RequestCollection">
> > >>         <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection" />
> > >>         <wsdl:input>
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:input>
> > >>         <wsdl:output>
> > >>             <soap12:body use="literal" />
> > >>         </wsdl:output>
> > >>     </wsdl:operation>
> > >> </wsdl:binding>
> > >>
> > >> On Tue, Jul 24, 2012 at 10:28 AM, Colm O hEigeartaigh <[email protected]> wrote:
> > >>
> > >>> What security policy are you using for the TransportUT_Port? It sounds
> > >>> like the WS-SecurityPolicy layer is not getting invoked.
> > >>>
> > >>> Colm.
> > >>>
> > >>> On Tue, Jul 24, 2012 at 2:35 PM, Gina Choi <[email protected]> wrote:
> > >>>
> > >>>> Hi Colm,
> > >>>>
> > >>>> Alex and I are working together to get this working. I am responsible for
> > >>>> configuring Fediz STS for him. Could you take a look at the following exceptions
> > >>>> from Alex's RST. We decided to use TransportUT_Port. I think that is being
> > >>>> used for WS-Federation SSO as well. Anyway, please ignore our previous
> > >>>> emails. Could you tell us what is wrong with his RST?
> > >>>>
> > >>>> ID: 1
> > >>>> Address: https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService
> > >>>> Encoding: UTF-8
> > >>>> Http-Method: POST
> > >>>> Content-Type: application/soap+xml; charset=utf-8
> > >>>> Headers: {accept-encoding=[gzip, deflate], connection=[Keep-Alive], Content-Length=[1908], content-type=[application/soap+xml; charset=utf-8], expect=[100-continue], host=[wkqasv0805.global.sdl.corp:9443]}
> > >>>> Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action><a:MessageID>urn:uuid:24a48857-71ec-466e-bfe6-675c08f84c6e</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo8DHZtWXyK1Jn2JxXCS85z4AAAAAlruHm4rOAUCcZNvbjFb/PND3aSmMn0JLk9BMBxOE9WoACQAA</VsDebuggerCausalityData><a:To s:mustUnderstand="1">https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><u:Timestamp u:Id="_0"><u:Created>2012-07-24T13:27:55.050Z</u:Created><u:Expires>2012-07-24T13:32:55.050Z</u:Expires></u:Timestamp><o:UsernameToken u:Id="uuid-64599397-270f-4886-975c-086f44f45f27-1"><o:Username>gchoi</o:Username><o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">gchoi</o:Password></o:UsernameToken></o:Security></s:Header><s:Body><trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>https://medevasarafia01.global.sdl.corp/Agency/</a:Address></a:EndpointReference></wsp:AppliesTo><trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType><trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType><trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType></trust:RequestSecurityToken></s:Body></s:Envelope>
> > >>>> --------------------------------------
> > >>>> SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
> > >>>> SLF4J: Defaulting to no-operation (NOP) logger implementation
> > >>>> SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
> > >>>> [LdapLoginModule] authentication-only mode; SSL disabled
> > >>>> [LdapLoginModule] user provider: ldap://wkqasv0805.global.sdl.corp:389/ou=People,dc=maxcrc,dc=com
> > >>>> [LdapLoginModule] attempting to authenticate user: gchoi
> > >>>> [LdapLoginModule] authentication succeeded
> > >>>> [LdapLoginModule] added LdapPrincipal "cn=gchoi,ou=People,dc=maxcrc,dc=com" to Subject
> > >>>> [LdapLoginModule] added UserPrincipal "gchoi" to Subject
> > >>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
> > >>>> WARNING: Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Validate has thrown exception, unwinding now
> > >>>> org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.
> > >>>>     at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)
> > >>>>     at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)
> > >>>>     at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)
> > >>>>     at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
> > >>>>     at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
> > >>>>     at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
> > >>>>     at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
> > >>>>     at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
> > >>>>     at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129)
> > >>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:187)
> > >>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:110)
> > >>>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
> > >>>>     at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:166)
> > >>>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
> > >>>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> > >>>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
> > >>>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
> > >>>>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
> > >>>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
> > >>>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
> > >>>>     at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
> > >>>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> > >>>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
> > >>>>     at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
> > >>>>     at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
> > >>>>     at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
> > >>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
> > >>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
> > >>>>     at java.lang.Thread.run(Unknown Source)
> > >>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal handleMessage
> > >>>> INFO: class org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
> > >>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS
> > >>>> INFO: Outbound Message
> > >>>> ---------------------------
> > >>>> ID: 1
> > >>>> Response-Code: 500
> > >>>> Encoding: UTF-8
> > >>>> Content-Type: application/soap+xml
> > >>>> Headers: {}
> > >>>> Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Body><soap:Fault><soap:Code><soap:Value>soap:MustUnderstand</soap:Value></soap:Code><soap:Reason><soap:Text xml:lang="en">MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.</soap:Text></soap:Reason></soap:Fault></soap:Body></soap:Envelope>
> > >>>> --------------------------------------
> > >>>>
> > >>>> On Tue, Jul 24, 2012 at 8:58 AM, Gina Choi <[email protected]> wrote:
> > >>>>
> > >>>>> Hi Colm,
> > >>>>>
> > >>>>> I would like to confirm that I understand you correctly. So, do we need
> > >>>>> to add the following content to the Fediz STS wsdl file to issue a token? At this
> > >>>>> point we are mostly interested in (at minimum) issuing a token. I am not sure if
> > >>>>> we need the "Validate" operation to issue an RSTR.
> > >>>>>
> > >>>>> <!-- 2.1.1.3 UsernameToken with timestamp, nonce and password hash -->
> > >>>>> <wsp:Policy wsu:Id="DoubleItDigestPolicy">
> > >>>>>     <sp:SupportingTokens>
> > >>>>>         <wsp:Policy>
> > >>>>>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > >>>>>                 <wsp:Policy>
> > >>>>>                     <sp:HashPassword />
> > >>>>>                 </wsp:Policy>
> > >>>>>             </sp:UsernameToken>
> > >>>>>         </wsp:Policy>
> > >>>>>     </sp:SupportingTokens>
> > >>>>> </wsp:Policy>
> > >>>>> <wsdl:binding name="DoubleItDigestBinding" type="tns:DoubleItPortType">
> > >>>>>     <wsp:PolicyReference URI="#DoubleItDigestPolicy" />
> > >>>>>     <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
> > >>>>>     <wsdl:operation name="Issue">
> > >>>>>         <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
> > >>>>>         <wsdl:input>
> > >>>>>             <soap:body use="literal" />
> > >>>>>         </wsdl:input>
> > >>>>>         <wsdl:output>
> > >>>>>             <soap:body use="literal" />
> > >>>>>         </wsdl:output>
> > >>>>>     </wsdl:operation>
> > >>>>> </wsdl:binding>
> > >>>>>
> > >>>>> Thanks.
> > >>>>>
> > >>>>> Gina
> > >>>>>
> > >>>>> On Tue, Jul 24, 2012 at 6:34 AM, Colm O hEigeartaigh <[email protected]> wrote:
> > >>>>>
> > >>>>>> You could use a SecurityPolicy that just requires a UsernameToken without a
> > >>>>>> binding. For example see the policy "<!-- 2.1.1.3 UsernameToken with
> > >>>>>> timestamp, nonce and password hash -->" starting on line 214:
> > >>>>>>
> > >>>>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup
> > >>>>>>
> > >>>>>> Of course, in practice one would combine a UsernameToken with the Transport
> > >>>>>> binding to secure the message exchange...
> > >>>>>>
> > >>>>>> Colm.
> > >>>>>>
> > >>>>>> On Mon, Jul 23, 2012 at 4:41 PM, Sarafian <[email protected]> wrote:
> > >>>>>>
> > >>>>>> > I have C# code that asks the STS for a token using username/password
> > >>>>>> > credentials.
> > >>>>>> > I'm using the UT or UTEncrypted endpoints but I get this error:
> > >>>>>> >
> > >>>>>> > These policy alternatives can not be satisfied:
> > >>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
> > >>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
> > >>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding: Received Timestamp does not match the requirements
> > >>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
> > >>>>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
> > >>>>>> >
> > >>>>>> > Is there a way for the STS to be configured not to apply the above policies?
> > >>>>>> > Is there another endpoint for these kinds of things?
> > >>>>>> >
> > >>>>>> > I simply want to use a username/password credential combination to request a
> > >>>>>> > security token.
> > >>>>>> >
> > >>>>>> > --
> > >>>>>> > View this message in context: http://cxf.547215.n5.nabble.com/RequestSecurityToken-without-Encrypting-and-Signing-tp5711426.html
> > >>>>>> > Sent from the cxf-user mailing list archive at Nabble.com.
> > >>>>>>
> > >>>>>> --
> > >>>>>> Colm O hEigeartaigh
> > >>>>>>
> > >>>>>> Talend Community Coder
> > >>>>>> http://coders.talend.com
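The fault at the top of the thread lists the assertions the received RST could not satisfy, and the two captures show what the client actually sends: WS-Addressing Action/To headers marked mustUnderstand, a wsu:Timestamp, and a plaintext UsernameToken, all over HTTPS. As an added illustration, not the WSDL shipped with Fediz STS, this is a TransportUT-style policy written to match that message; the wsu:Id, namespace prefixes and algorithm suite are assumptions, and the comments tie each assertion to the captured element or fault it accounts for.

```xml
<!-- Illustrative policy (not the Fediz STS file); prefixes and Id assumed. -->
<wsp:Policy wsu:Id="TransportUT_policy_example"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- The client marks a:Action and a:To mustUnderstand="1". Without this
           assertion the STS raised the MustUnderstand fault quoted further
           down the thread, because nothing had claimed those headers. -->
      <wsap10:UsingAddressing/>

      <sp:TransportBinding>
        <wsp:Policy>
          <!-- The message is carried over TLS (port 9443). CXF treats the
               payload as signed and encrypted by the transport, which is why
               SignedParts/EncryptedParts in Input_policy can still be met. -->
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken>
                <wsp:Policy/>
              </sp:HttpsToken>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <!-- The captured RST carries <u:Timestamp> with Created/Expires.
               In the first message of the thread this assertion had been
               commented out while the client still sent a Timestamp, and the
               STS reported "Received Timestamp does not match the
               requirements". Keep it so the policy expects what arrives. -->
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>

      <!-- The capture sends <o:UsernameToken> with a #PasswordText password,
           so the token assertion must not require sp:HashPassword. Over the
           transport binding the TLS channel is what protects the cleartext
           password in transit. -->
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken
              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

The check to run against any such policy is the one this thread works through by trial: list the headers the client actually emits (addressing, timestamp, token type and password type) and confirm each has a matching assertion, since CXF faults both on a required element that is missing and on a received element the policy does not expect.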
