There's a Timestamp in the message and so you must either get the client to
not send a Timestamp or else add the sp:IncludeTimestamp policy back in to
the STS policy.

Colm.

On Wed, Jul 25, 2012 at 3:06 PM, Gina Choi <[email protected]> wrote:

> Hi Colm,
>
> I uncommented the "UsingAddress" policy in "TransportUT_policy" and am getting
> the following error messages on the STS side. By the way, <sp:IncludeTimestamp>
> was commented out from "TransportUT_policy". It is complaining about the
> Timestamp, signing and encryption.
>
>
> Address: https://wkengchoi.global.sdl.corp:9443/fedizidpsts/STSService
> Encoding: UTF-8
> Http-Method: POST
> Content-Type: application/soap+xml; charset=utf-8
> Headers: {accept-encoding=[gzip, deflate], connection=[Keep-Alive],
> Content-Length=[1907], content-type=[application/soap+xml; charset=utf-8],
> expect=
> [100-continue], host=[wkengchoi.global.sdl.corp:9443]}
> Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
>   xmlns:a="http://www.w3.org/2005/08/addressing"
>   xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>   <s:Header>
>     <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
>     <a:MessageID>urn:uuid:a84aec02-96d9-41c3-bb70-ed344680ae3a</a:MessageID>
>     <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
>     <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo2uNX8IHl0xDvpsG8DkbC4EAAAAAIpbBvh7PMEOZCojgKR2l9XnahJb+Hu9Fl8u5a6fFn9wACQAA</VsDebuggerCausalityData>
>     <a:To s:mustUnderstand="1">https://wkengchoi.global.sdl.corp:9443/fedizidpsts/STSService</a:To>
>     <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>       <u:Timestamp u:Id="_0">
>         <u:Created>2012-07-25T13:45:42.287Z</u:Created>
>         <u:Expires>2012-07-25T13:50:42.287Z</u:Expires>
>       </u:Timestamp>
>       <o:UsernameToken u:Id="uuid-56a2db82-67ec-430b-80e9-0bb1b3645c88-1">
>         <o:Username>gchoi</o:Username>
>         <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">gchoi</o:Password>
>       </o:UsernameToken>
>     </o:Security>
>   </s:Header>
>   <s:Body>
>     <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>         <a:EndpointReference><a:Address>https://medevasarafia01.global.sdl.corp/Agency/</a:Address></a:EndpointReference>
>       </wsp:AppliesTo>
>       <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
>       <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>       <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
>     </trust:RequestSecurityToken>
>   </s:Body>
> </s:Envelope>
> --------------------------------------
> SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
> SLF4J: Defaulting to no-operation (NOP) logger implementation
> SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further
> details.
>                 [LdapLoginModule] authentication-only mode; SSL disabled
>                 [LdapLoginModule] user provider:
> ldap://wkqasv0805.global.sdl.corp:389/ou=People,dc=maxcrc,dc=com
>                 [LdapLoginModule] attempting to authenticate user: gchoi
>                 [LdapLoginModule] authentication succeeded
>                 [LdapLoginModule] added LdapPrincipal
> "cn=gchoi,ou=People,dc=maxcrc,dc=com" to Subject
>                 [LdapLoginModule] added UserPrincipal "gchoi" to Subject
> Jul 25, 2012 9:45:47 AM org.apache.cxf.phase.PhaseInterceptorChain
> doDefaultLogging
> WARNING: Interceptor for {
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Va
> lidate has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: These policy alternatives can not be
> satisfied:
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding:
> Received Timestamp does not match the requirements
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
>         at
> org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:47)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>         at
> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>         at
> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
>         at
> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
>         at
> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
>         at
> org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:130)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:221)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:141)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>         at
> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:197)
>         at
> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>         at
> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>         at
> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>         at
> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>         at
> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>         at
> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>         at
> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>         at
> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>         at
> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>         at
> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>         at
> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
>         at
> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
>         at
> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
>         at
> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
>         at java.lang.Thread.run(Thread.java:662)
> Caused by: org.apache.cxf.ws.policy.PolicyException: These policy
> alternatives can not be satisfied:
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding:
> Received Timestamp does not match the requirements
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
>         at
> org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
>         at
> org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
>         at
> org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:45)
>         ... 26 more
> Jul 25, 2012 9:45:47 AM
> org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal
> handleMessage
> INFO: class
> org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
> Jul 25, 2012 9:45:47 AM
> org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS
> INFO: Outbound Message
> ---------------------------
> ID: 1
> Response-Code: 500
> Encoding: UTF-8
> Content-Type: application/soap+xml
> Headers: {}
> Payload: <soap:Envelope xmlns:soap="
> http://www.w3.org/2003/05/soap-envelope
> "><soap:Body><soap:Fault><soap:Code><soap:Value>soap:Receiver</soap:Value><
> /soap:Code><soap:Reason><soap:Text xml:lang="en">These policy alternatives
> can not be satisfied:
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}TransportBinding:
> Received Timestamp does not match the requirements
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
> </soap:Text></soap:Reason></soap:Fault></soap:Body></soap:Envelope>
> --------------------------------------
>
> On Tue, Jul 24, 2012 at 12:23 PM, Colm O hEigeartaigh <[email protected]
> > wrote:
>
>> It doesn't make any difference as CXF considers the message payload signed
>> + encrypted as TLS is being used.
>>
>> Colm.
>>
>> On Tue, Jul 24, 2012 at 4:57 PM, Gina Choi <[email protected]> wrote:
>>
>> > <<<
>> > Try uncommenting the "UsingAddress" policy listed in
>> "TransportUT_policy".
>> > >>>
>> > Thanks Colm. Will let you know the result tomorrow morning. As you know, we
>> > will be using TransportUT_Binding since it is using TransportUT_policy.
>> > Should we also comment out "Input_policy" from TransportUT_Binding
>> > like below, since "Input_policy" in the Fediz STS wsdl requires both
>> > encryption and signature? This is the same as "Output_policy".
>> >
>> >   <wsdl:binding name="TransportUT_Binding" type="wstrust:STS">
>> >     <wsp:PolicyReference URI="#TransportUT_policy" />
>> >       <soap12:binding style="document"
>> >           transport="http://schemas.xmlsoap.org/soap/http" />
>> >       <wsdl:operation name="Issue">
>> >           <soap12:operation
>> >               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
>> >           <wsdl:input>
>> >               <!--wsp:PolicyReference
>> >                URI="#Input_policy" /-->
>> >               <soap12:body use="literal" />
>> >           </wsdl:input>
>> >           <wsdl:output>
>> >               <!--wsp:PolicyReference
>> >                URI="#Output_policy" /-->
>> >               <soap12:body use="literal" />
>> >           </wsdl:output>
>> >
>> > On Tue, Jul 24, 2012 at 11:17 AM, Colm O hEigeartaigh
>> > <[email protected]>wrote:
>> >
>> > >
>> > > Try uncommenting the "UsingAddress" policy listed in
>> > "TransportUT_policy".
>> > >
>> > > Colm.
>> > >
>> > >
>> > > On Tue, Jul 24, 2012 at 4:01 PM, Gina Choi <[email protected]>
>> wrote:
>> > >
>> > >> Hi Colm,
>> > >>
>> > >> First of all, sorry for the massive emails we sent. Alex works in a
>> > >> different timezone, so we didn't have much common time to debug together.
>> > >> So, we are kind of rushing this morning.
>> > >>
>> > >> We use Fediz STS and try to minimize changes to save time. We tried
>> > >> TransportUT_Binding (please see below) that shipped with Fediz STS. Since
>> > >> it is also referencing Input_policy, I am not sure if it will work as it is.
>> > >>
>> > >>   <wsdl:binding name="TransportUT_Binding" type="wstrust:STS">
>> > >>     <wsp:PolicyReference URI="#TransportUT_policy" />
>> > >>       <soap12:binding style="document"
>> > >>           transport="http://schemas.xmlsoap.org/soap/http" />
>> > >>       <wsdl:operation name="Issue">
>> > >>           <soap12:operation
>> > >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
>> > >>           <wsdl:input>
>> > >>               <wsp:PolicyReference
>> > >>                URI="#Input_policy" />
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:input>
>> > >>           <wsdl:output>
>> > >>               <wsp:PolicyReference
>> > >>                URI="#Output_policy" />
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:output>
>> > >>       </wsdl:operation>
>> > >>       <wsdl:operation name="Validate">
>> > >>           <soap12:operation
>> > >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate" />
>> > >>           <wsdl:input>
>> > >>               <wsp:PolicyReference
>> > >>                URI="#Input_policy" />
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:input>
>> > >>           <wsdl:output>
>> > >>               <wsp:PolicyReference
>> > >>                URI="#Output_policy" />
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:output>
>> > >>       </wsdl:operation>
>> > >>       <wsdl:operation name="Cancel">
>> > >>           <soap12:operation
>> > >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel" />
>> > >>           <wsdl:input>
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:input>
>> > >>           <wsdl:output>
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:output>
>> > >>       </wsdl:operation>
>> > >>       <wsdl:operation name="Renew">
>> > >>           <soap12:operation
>> > >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew" />
>> > >>           <wsdl:input>
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:input>
>> > >>           <wsdl:output>
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:output>
>> > >>       </wsdl:operation>
>> > >>       <wsdl:operation name="KeyExchangeToken">
>> > >>           <soap12:operation
>> > >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken" />
>> > >>           <wsdl:input>
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:input>
>> > >>           <wsdl:output>
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:output>
>> > >>       </wsdl:operation>
>> > >>       <wsdl:operation name="RequestCollection">
>> > >>           <soap12:operation
>> > >>               soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection" />
>> > >>           <wsdl:input>
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:input>
>> > >>           <wsdl:output>
>> > >>               <soap12:body use="literal" />
>> > >>           </wsdl:output>
>> > >>       </wsdl:operation>
>> > >>   </wsdl:binding>
>> > >>
>> > >> On Tue, Jul 24, 2012 at 10:28 AM, Colm O hEigeartaigh <
>> > >> [email protected]> wrote:
>> > >>
>> > >>>
>> > >>> What security policy are you using for the TransportUT_Port? It
>> sounds
>> > >>> like the WS-SecurityPolicy layer is not getting invoked.
>> > >>>
>> > >>> Colm.
>> > >>>
>> > >>>
>> > >>> On Tue, Jul 24, 2012 at 2:35 PM, Gina Choi <[email protected]>
>> > wrote:
>> > >>>
>> > >>>> Hi Colm,
>> > >>>>
>> > >>>> Alex and I are working together to get this working. I am responsible
>> > >>>> for configuring Fediz STS for him. Could you take a look at the following
>> > >>>> exceptions from Alex's RST? We decided to use TransportUT_Port. I think
>> > >>>> that is being used for WS-Federation SSO as well. Anyway, please ignore
>> > >>>> our previous emails. Could you tell us what is wrong with his RST?
>> > >>>>
>> > >>>>
>> > >>>> ID: 1
>> > >>>> Address:
>> > https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService
>> > >>>> Encoding: UTF-8
>> > >>>> Http-Method: POST
>> > >>>> Content-Type: application/soap+xml; charset=utf-8
>> > >>>> Headers: {accept-encoding=[gzip, deflate], connection=[Keep-Alive],
>> > >>>> Content-Length=[1908], content-type=[application/soap+xml;
>> > charset=utf-8],
>> > >>>> expect=
>> > >>>> [100-continue], host=[wkqasv0805.global.sdl.corp:9443]}
>> > >>>> Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
>> > >>>>   xmlns:a="http://www.w3.org/2005/08/addressing"
>> > >>>>   xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>> > >>>>   <s:Header>
>> > >>>>     <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
>> > >>>>     <a:MessageID>urn:uuid:24a48857-71ec-466e-bfe6-675c08f84c6e</a:MessageID>
>> > >>>>     <a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
>> > >>>>     <VsDebuggerCausalityData xmlns="http://schemas.microsoft.com/vstudio/diagnostics/servicemodelsink">uIDPo8DHZtWXyK1Jn2JxXCS85z4AAAAAlruHm4rOAUCcZNvbjFb/PND3aSmMn0JLk9BMBxOE9WoACQAA</VsDebuggerCausalityData>
>> > >>>>     <a:To s:mustUnderstand="1">https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService</a:To>
>> > >>>>     <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>> > >>>>       <u:Timestamp u:Id="_0">
>> > >>>>         <u:Created>2012-07-24T13:27:55.050Z</u:Created>
>> > >>>>         <u:Expires>2012-07-24T13:32:55.050Z</u:Expires>
>> > >>>>       </u:Timestamp>
>> > >>>>       <o:UsernameToken u:Id="uuid-64599397-270f-4886-975c-086f44f45f27-1">
>> > >>>>         <o:Username>gchoi</o:Username>
>> > >>>>         <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">gchoi</o:Password>
>> > >>>>       </o:UsernameToken>
>> > >>>>     </o:Security>
>> > >>>>   </s:Header>
>> > >>>>   <s:Body>
>> > >>>>     <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>> > >>>>       <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>> > >>>>         <a:EndpointReference><a:Address>https://medevasarafia01.global.sdl.corp/Agency/</a:Address></a:EndpointReference>
>> > >>>>       </wsp:AppliesTo>
>> > >>>>       <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
>> > >>>>       <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>> > >>>>       <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
>> > >>>>     </trust:RequestSecurityToken>
>> > >>>>   </s:Body>
>> > >>>> </s:Envelope>
>> > >>>> --------------------------------------
>> > >>>> SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
>> > >>>> SLF4J: Defaulting to no-operation (NOP) logger implementation
>> > >>>> SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for
>> > >>>> further details.
>> > >>>>                 [LdapLoginModule] authentication-only mode; SSL
>> > disabled
>> > >>>>                 [LdapLoginModule] user provider:
>> > >>>> ldap://wkqasv0805.global.sdl.corp:389/ou=People,dc=maxcrc,dc=com
>> > >>>>                 [LdapLoginModule] attempting to authenticate user:
>> > gchoi
>> > >>>>                 [LdapLoginModule] authentication succeeded
>> > >>>>                 [LdapLoginModule] added LdapPrincipal
>> > >>>> "cn=gchoi,ou=People,dc=maxcrc,dc=com" to Subject
>> > >>>>                 [LdapLoginModule] added UserPrincipal "gchoi" to
>> > Subject
>> > >>>> Jul 24, 2012 9:28:00 AM org.apache.cxf.phase.PhaseInterceptorChain
>> > >>>> doDefaultLogging
>> > >>>> WARNING: Interceptor for {
>> > >>>>
>> >
>> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Va
>> > >>>> lidate has thrown exception, unwinding now
>> > >>>> org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{
>> > >>>> http://www.w3.org/2005/08/addressing}Action, {
>> > >>>> http://www.w3.org/2005/08/addressing}To
>> > >>>> ] are not understood.
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:187)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:110)
>> > >>>>         at
>> > javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:166)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
>> > >>>>         at
>> > >>>>
>> >
>> org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
>> > >>>>         at
>> > >>>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown
>> Source)
>> > >>>>         at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown
>> > >>>> Source)
>> > >>>>         at java.lang.Thread.run(Unknown Source)
>> > >>>> Jul 24, 2012 9:28:00 AM
>> > >>>>
>> >
>> org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal
>> > >>>> handleMessage
>> > >>>> INFO: class
>> > >>>>
>> >
>> org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
>> > >>>> Jul 24, 2012 9:28:00 AM
>> > >>>> org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS
>> > >>>> INFO: Outbound Message
>> > >>>> ---------------------------
>> > >>>> ID: 1
>> > >>>> Response-Code: 500
>> > >>>> Encoding: UTF-8
>> > >>>> Content-Type: application/soap+xml
>> > >>>> Headers: {}
>> > >>>> Payload: <soap:Envelope xmlns:soap="
>> > >>>> http://www.w3.org/2003/05/soap-envelope
>> > >>>>
>> >
>> "><soap:Body><soap:Fault><soap:Code><soap:Value>soap:MustUnderstand</soap:V
>> > >>>> alue></soap:Code><soap:Reason><soap:Text
>> xml:lang="en">MustUnderstand
>> > >>>> headers: [{http://www.w3.org/2005/08/addressing}Action, {
>> > >>>> http://www.w3.org/2005/
>> > >>>> 08/addressing}To] are not
>> > >>>>
>> >
>> understood.</soap:Text></soap:Reason></soap:Fault></soap:Body></soap:Envelope>
>> > >>>> --------------------------------------
>> > >>>>
>> > >>>>
>> > >>>> On Tue, Jul 24, 2012 at 8:58 AM, Gina Choi <[email protected]
>> > >wrote:
>> > >>>>
>> > >>>>> Hi Colm,
>> > >>>>>
>> > >>>>> I would like to confirm that I understand you correctly. So, do we need
>> > >>>>> to add the following content to the Fediz STS wsdl file to issue a token?
>> > >>>>> At this point we are mostly interested in (at minimum) issuing a token.
>> > >>>>> I am not sure if we need the "Validate" operation to issue an RSTR.
>> > >>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>> <!-- 2.1.1.3 UsernameToken with timestamp, nonce and password hash -->
>> > >>>>> <wsp:Policy wsu:Id="DoubleItDigestPolicy">
>> > >>>>>   <sp:SupportingTokens>
>> > >>>>>     <wsp:Policy>
>> > >>>>>       <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>> > >>>>>         <wsp:Policy>
>> > >>>>>           <sp:HashPassword />
>> > >>>>>         </wsp:Policy>
>> > >>>>>       </sp:UsernameToken>
>> > >>>>>     </wsp:Policy>
>> > >>>>>   </sp:SupportingTokens>
>> > >>>>> </wsp:Policy>
>> > >>>>> <wsdl:binding name="DoubleItDigestBinding" type="tns:DoubleItPortType">
>> > >>>>>   <wsp:PolicyReference URI="#DoubleItDigestPolicy" />
>> > >>>>>   <soap:binding style="document"
>> > >>>>>   transport="http://schemas.xmlsoap.org/soap/http" />
>> > >>>>>   <wsdl:operation name="Issue">
>> > >>>>>     <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
>> > >>>>>     <wsdl:input>
>> > >>>>>       <soap:body use="literal" />
>> > >>>>>     </wsdl:input>
>> > >>>>>     <wsdl:output>
>> > >>>>>       <soap:body use="literal" />
>> > >>>>>     </wsdl:output>
>> > >>>>>   </wsdl:operation>
>> > >>>>> </wsdl:binding>
>> > >>>>>
>> > >>>>>
>> > >>>>> Thanks.
>> > >>>>>
>> > >>>>> Gina
>> > >>>>>
>> > >>>>> On Tue, Jul 24, 2012 at 6:34 AM, Colm O hEigeartaigh <
>> > >>>>> [email protected]> wrote:
>> > >>>>>
>> > >>>>>> You could use a SecurityPolicy that just requires a UsernameToken
>> > >>>>>> without a
>> > >>>>>> binding. For example see the policy "<!-- 2.1.1.3 UsernameToken
>> with
>> > >>>>>> timestamp, nonce and password hash -->" starting on line 214:
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> >
>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup
>> > >>>>>>
>> > >>>>>> Of course, in practice one would combine a UsernameToken with the
>> > >>>>>> Transport binding to secure the message exchange...
>> > >>>>>>
>> > >>>>>> Colm.
>> > >>>>>>
>> > >>>>>> On Mon, Jul 23, 2012 at 4:41 PM, Sarafian <
>> > >>>>>> [email protected]>wrote:
>> > >>>>>>
>> > >>>>>> > I have C# code that asks the STS for a token using username/password
>> > >>>>>> > credentials.
>> > >>>>>> > I'm using the UT or UTEncrypted endpoints but I get this error:
>> > >>>>>> >
>> > >>>>>> > These policy alternatives can not be satisfied:
>> > >>>>>> > {
>> > >>>>>>
>> >
>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
>> > >>>>>> > {
>> > >>>>>> >
>> > >>>>>>
>> >
>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp
>> > >>>>>> > :
>> > >>>>>> > Received Timestamp does not match the requirements
>> > >>>>>> > {
>> > >>>>>> >
>> > >>>>>>
>> >
>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding
>> > >>>>>> > :
>> > >>>>>> > Received Timestamp does not match the requirements
>> > >>>>>> > {
>> > >>>>>>
>> > http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts
>> > >>>>>> :
>> > >>>>>> > {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
>> > >>>>>> > {
>> > >>>>>>
>> >
>> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts
>> > >>>>>> :
>> > >>>>>> > {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
>> > >>>>>> >
>> > >>>>>> > Is there a way for the STS to be configured not to apply the
>> above
>> > >>>>>> > policies?
>> > >>>>>> > Is there another endpoint for these kind of things?
>> > >>>>>> >
>> > >>>>>> > I simply want to use a username/password credential
>> combination to
>> > >>>>>> request
>> > >>>>>> > a
>> > >>>>>> > security token.
>> > >>>>>> >
>> > >>>>>> >
>> > >>>>>> >
>> > >>>>>> >
>> > >>>>>> > --
>> > >>>>>> > View this message in context:
>> > >>>>>> >
>> > >>>>>>
>> >
>> http://cxf.547215.n5.nabble.com/RequestSecurityToken-without-Encrypting-and-Signing-tp5711426.html
>> > >>>>>> > Sent from the cxf-user mailing list archive at Nabble.com.
>> > >>>>>> >
>> > >>>>>>
>> > >>>>>>
>> > >>>>>>
>> > >>>>>> --
>> > >>>>>> Colm O hEigeartaigh
>> > >>>>>>
>> > >>>>>> Talend Community Coder
>> > >>>>>> http://coders.talend.com
>> > >>>>>>
>> > >>>>>
>> > >>>>>
>> > >>>>
>> > >>>
>> > >>>
>> > >>> --
>> > >>> Colm O hEigeartaigh
>> > >>>
>> > >>> Talend Community Coder
>> > >>> http://coders.talend.com
>> > >>>
>> > >>>
>> > >>
>> > >
>> > >
>> > > --
>> > > Colm O hEigeartaigh
>> > >
>> > > Talend Community Coder
>> > > http://coders.talend.com
>> > >
>> > >
>> >
>>
>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
>>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
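The policy check behind the thread's "Received Timestamp does not match the requirements" fault (a wsu:Timestamp arriving while the TransportBinding carries no sp:IncludeTimestamp, and the freshness checks that apply once it is added), as an added Python model; this is not code from the thread, CXF or Fediz. The envelope is constructed from the 25 Jul request quoted above, and the time-to-live and clock-skew values are this example's assumptions.

```python
"""Model of the WS-SecurityPolicy TransportBinding timestamp check.

Added, simplified re-implementation for illustration; not Apache CXF's or
Fediz's code. The envelope below is constructed from the request in the
thread (Created/Expires copied, the rest trimmed to what the check reads).
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: the Security header of the request the STS rejected.
SAMPLE_ENVELOPE = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:o="{WSSE}" xmlns:u="{WSU}">
  <s:Header>
    <o:Security s:mustUnderstand="1">
      <u:Timestamp u:Id="_0">
        <u:Created>2012-07-25T13:45:42.287Z</u:Created>
        <u:Expires>2012-07-25T13:50:42.287Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-1"><o:Username>gchoi</o:Username></o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body/>
</s:Envelope>"""


def parse_utc(text):
    """Parse an xsd:dateTime with trailing Z, with or without fractional seconds."""
    text = text.strip()
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported dateTime: " + text)


def find_timestamp(envelope_xml):
    """Return (created, expires) from wsu:Timestamp inside wsse:Security, or None."""
    root = ET.fromstring(envelope_xml)
    ts = root.find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if ts is None:
        return None
    created = ts.find(f"{{{WSU}}}Created")
    expires = ts.find(f"{{{WSU}}}Expires")
    if created is None or not created.text:
        raise ValueError("wsu:Timestamp without wsu:Created")
    return parse_utc(created.text), (parse_utc(expires.text) if expires is not None else None)


def strip_timestamp(envelope_xml):
    """Constructed variant of an envelope with its wsu:Timestamp removed."""
    root = ET.fromstring(envelope_xml)
    security = root.find(f"./{{{SOAP}}}Header/{{{WSSE}}}Security")
    for ts in security.findall(f"{{{WSU}}}Timestamp"):
        security.remove(ts)
    return ET.tostring(root, encoding="unicode")


def check_transport_binding(envelope_xml, include_timestamp, now,
                            ttl=timedelta(minutes=5), future_skew=timedelta(seconds=60)):
    """Return the list of policy failures (empty list = binding satisfied).

    include_timestamp mirrors whether <sp:IncludeTimestamp/> is present in the
    TransportBinding. ttl and future_skew are assumed defaults for this
    example, not values read from any STS configuration.
    """
    failures = []
    ts = find_timestamp(envelope_xml)
    if not include_timestamp:
        # The thread's case: the policy says "no timestamp", the client sent one.
        if ts is not None:
            failures.append("TransportBinding: Received Timestamp does not match the requirements")
        return failures
    if ts is None:
        failures.append("TransportBinding: Timestamp required by policy but not received")
        return failures
    created, expires = ts
    if created > now + future_skew:
        failures.append("Timestamp: Created lies in the future")
    if expires is not None and expires <= created:
        failures.append("Timestamp: Expires is not after Created")
    if expires is not None and expires < now:
        failures.append("Timestamp: message has expired")
    if now - created > ttl:
        failures.append("Timestamp: Created is older than the allowed time-to-live")
    return failures
```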
