Thanks, Dennis. I will check it out.
Ron

On Feb 8, 2013, at 3:36 PM, Dennis Sosnoski <[email protected]> wrote:

Hi Ron,

You can see my CXF article on IBM developerWorks for some basics of using policies to define WS-Security handling: http://www.ibm.com/developerworks/java/library/j-jws13.html

Some of the later articles in the series might also be of interest, discussing WS-SecureConversation and more details of WS-Policy.

  - Dennis

Dennis M. Sosnoski
Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
CXF and Web Services Security Training <http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>

On 02/09/2013 06:23 AM, Ron Grimes wrote:

I have the task of building a client to a secure .Net web service. Although I've done this sort of thing for many years, I have not had to deal with the wsp:Policy section, and so I'm at a bit of a loss, not finding any decent documentation on the how-tos.

The provider of the web service sent me a Java client example, but it confused me even more as it seems they are using a wsdd, which I gather is a holdover from Axis 1. From the best I can tell, the replacement for that, in Axis 2, is defining the policy in a service.xml file. But, again, I can't really find any examples of its use.

Finally, the Java client example that they sent to me applies the policy through a generated ServiceLocator class. However, when I run wsdl2java, no ServiceLocator class is created. Nor do I find a way to handle the policy through the generated classes. There's nothing like wsdl2java's parameter "-exsh" that's used to generate header classes as a corollary on the policies side.
I tried something like the following, but it didn't work:

    SecurityServiceTest service = new SecurityServiceTest();
    ICreateToken createToken = service.getCreateToken2();
    ((BindingProvider) createToken).getRequestContext().put(BindingProvider.USERNAME_PROPERTY, wsUser);
    ((BindingProvider) createToken).getRequestContext().put(BindingProvider.PASSWORD_PROPERTY, wsPassword);

As you can tell, I'm totally groping in the dark on this one. Any help/pointers are greatly appreciated.

Here's the WSDL I'm trying to accommodate:

<?xml version="1.0" encoding="utf-8"?>
<wsdl:definitions name="SecurityService" targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
    xmlns:tns="http://tempuri.org/"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:wsa10="http://www.w3.org/2005/08/addressing"
    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex">
  <wsp:Policy wsu:Id="CreateToken_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken RequireClientCertificate="false"/>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:TransportBinding>
        <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:BootstrapPolicy>
                  <wsp:Policy>
                    <sp:SignedParts>
                      <sp:Body/>
                      <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
                    </sp:SignedParts>
                    <sp:EncryptedParts>
                      <sp:Body/>
                    </sp:EncryptedParts>
                    <sp:TransportBinding>
                      <wsp:Policy>
                        <sp:TransportToken>
                          <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                          </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite>
                          <wsp:Policy>
                            <sp:Basic256/>
                          </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                          <wsp:Policy>
                            <sp:Strict/>
                          </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                      </wsp:Policy>
                    </sp:TransportBinding>
                    <sp:SignedSupportingTokens>
                      <wsp:Policy>
                        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                          <wsp:Policy>
                            <sp:WssUsernameToken10/>
                          </wsp:Policy>
                        </sp:UsernameToken>
                      </wsp:Policy>
                    </sp:SignedSupportingTokens>
                    <sp:Wss11>
                      <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier/>
                        <sp:MustSupportRefIssuerSerial/>
                        <sp:MustSupportRefThumbprint/>
                        <sp:MustSupportRefEncryptedKey/>
                      </wsp:Policy>
                    </sp:Wss11>
                    <sp:Trust10>
                      <wsp:Policy>
                        <sp:MustSupportIssuedTokens/>
                        <sp:RequireClientEntropy/>
                        <sp:RequireServerEntropy/>
                      </wsp:Policy>
                    </sp:Trust10>
                  </wsp:Policy>
                </sp:BootstrapPolicy>
              </wsp:Policy>
            </sp:SecureConversationToken>
            <sp:SignedParts>
              <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
            </sp:SignedParts>
          </wsp:Policy>
        </sp:EndorsingSupportingTokens>
        <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier/>
            <sp:MustSupportRefIssuerSerial/>
            <sp:MustSupportRefThumbprint/>
            <sp:MustSupportRefEncryptedKey/>
          </wsp:Policy>
        </sp:Wss11>
        <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens/>
            <sp:RequireClientEntropy/>
            <sp:RequireServerEntropy/>
          </wsp:Policy>
        </sp:Trust10>
        <wsaw:UsingAddressing/>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="DecryptToken_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken RequireClientCertificate="false"/>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:TransportBinding>
        <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:BootstrapPolicy>
                  <wsp:Policy>
                    <sp:SignedParts>
                      <sp:Body/>
                      <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                      <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
                    </sp:SignedParts>
                    <sp:EncryptedParts>
                      <sp:Body/>
                    </sp:EncryptedParts>
                    <sp:TransportBinding>
                      <wsp:Policy>
                        <sp:TransportToken>
                          <wsp:Policy>
                            <sp:HttpsToken RequireClientCertificate="false"/>
                          </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite>
                          <wsp:Policy>
                            <sp:Basic256/>
                          </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                          <wsp:Policy>
                            <sp:Strict/>
                          </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp/>
                      </wsp:Policy>
                    </sp:TransportBinding>
                    <sp:SignedSupportingTokens>
                      <wsp:Policy>
                        <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                          <wsp:Policy>
                            <sp:WssUsernameToken10/>
                          </wsp:Policy>
                        </sp:UsernameToken>
                      </wsp:Policy>
                    </sp:SignedSupportingTokens>
                    <sp:Wss11>
                      <wsp:Policy>
                        <sp:MustSupportRefKeyIdentifier/>
                        <sp:MustSupportRefIssuerSerial/>
                        <sp:MustSupportRefThumbprint/>
                        <sp:MustSupportRefEncryptedKey/>
                      </wsp:Policy>
                    </sp:Wss11>
                    <sp:Trust10>
                      <wsp:Policy>
                        <sp:MustSupportIssuedTokens/>
                        <sp:RequireClientEntropy/>
                        <sp:RequireServerEntropy/>
                      </wsp:Policy>
                    </sp:Trust10>
                  </wsp:Policy>
                </sp:BootstrapPolicy>
              </wsp:Policy>
            </sp:SecureConversationToken>
            <sp:SignedParts>
              <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
            </sp:SignedParts>
          </wsp:Policy>
        </sp:EndorsingSupportingTokens>
        <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier/>
            <sp:MustSupportRefIssuerSerial/>
            <sp:MustSupportRefThumbprint/>
            <sp:MustSupportRefEncryptedKey/>
          </wsp:Policy>
        </sp:Wss11>
        <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens/>
            <sp:RequireClientEntropy/>
            <sp:RequireServerEntropy/>
          </wsp:Policy>
        </sp:Trust10>
        <wsaw:UsingAddressing/>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="CreateToken2_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken RequireClientCertificate="false"/>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:TransportBinding>
        <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssUsernameToken10/>
              </wsp:Policy>
            </sp:UsernameToken>
          </wsp:Policy>
        </sp:SignedSupportingTokens>
        <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier/>
            <sp:MustSupportRefIssuerSerial/>
          </wsp:Policy>
        </sp:Wss10>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsdl:types>
    <xsd:schema targetNamespace="http://tempuri.org/Imports">
      <xsd:import schemaLocation="https://catdtnrfsecurityservice.dtnenergy.com/Service.svc?xsd=xsd0" namespace="http://tempuri.org/"/>
      <xsd:import schemaLocation="https://catdtnrfsecurityservice.dtnenergy.com/Service.svc?xsd=xsd1" namespace="http://schemas.microsoft.com/2003/10/Serialization/"/>
      <xsd:import schemaLocation="https://catdtnrfsecurityservice.dtnenergy.com/Service.svc?xsd=xsd2" namespace="http://schemas.datacontract.org/2004/07/DTN.RefinedFuel.Security"/>
    </xsd:schema>
  </wsdl:types>
  <wsdl:message name="ICreateToken_CreateSecurityToken_InputMessage">
    <wsdl:part name="parameters" element="tns:CreateSecurityToken"/>
  </wsdl:message>
  <wsdl:message name="ICreateToken_CreateSecurityToken_OutputMessage">
    <wsdl:part name="parameters" element="tns:CreateSecurityTokenResponse"/>
  </wsdl:message>
  <wsdl:message name="IDecryptToken_DecryptToken_InputMessage">
    <wsdl:part name="parameters" element="tns:DecryptToken"/>
  </wsdl:message>
  <wsdl:message name="IDecryptToken_DecryptToken_OutputMessage">
    <wsdl:part name="parameters" element="tns:DecryptTokenResponse"/>
  </wsdl:message>
  <wsdl:portType name="ICreateToken">
    <wsdl:operation name="CreateSecurityToken">
      <wsdl:input wsaw:Action="http://tempuri.org/ICreateToken/CreateSecurityToken" message="tns:ICreateToken_CreateSecurityToken_InputMessage"/>
      <wsdl:output wsaw:Action="http://tempuri.org/ICreateToken/CreateSecurityTokenResponse" message="tns:ICreateToken_CreateSecurityToken_OutputMessage"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:portType name="IDecryptToken">
    <wsdl:operation name="DecryptToken">
      <wsdl:input wsaw:Action="http://tempuri.org/IDecryptToken/DecryptToken" message="tns:IDecryptToken_DecryptToken_InputMessage"/>
      <wsdl:output wsaw:Action="http://tempuri.org/IDecryptToken/DecryptTokenResponse" message="tns:IDecryptToken_DecryptToken_OutputMessage"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="CreateToken" type="tns:ICreateToken">
    <wsp:PolicyReference URI="#CreateToken_policy"/>
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="CreateSecurityToken">
      <soap12:operation soapAction="http://tempuri.org/ICreateToken/CreateSecurityToken" style="document"/>
      <wsdl:input>
        <soap12:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap12:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:binding name="DecryptToken" type="tns:IDecryptToken">
    <wsp:PolicyReference URI="#DecryptToken_policy"/>
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="DecryptToken">
      <soap12:operation soapAction="http://tempuri.org/IDecryptToken/DecryptToken" style="document"/>
      <wsdl:input>
        <soap12:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap12:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:binding name="CreateToken2" type="tns:ICreateToken">
    <wsp:PolicyReference URI="#CreateToken2_policy"/>
    <soap:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="CreateSecurityToken">
      <soap:operation soapAction="http://tempuri.org/ICreateToken/CreateSecurityToken" style="document"/>
      <wsdl:input>
        <soap:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="SecurityService">
    <wsdl:port name="CreateToken" binding="tns:CreateToken">
      <soap12:address location="https://catdtnrfsecurityservice.dtnenergy.com/Service.svc/CreateToken"/>
      <wsa10:EndpointReference>
        <wsa10:Address>https://catdtnrfsecurityservice.dtnenergy.com/Service.svc/CreateToken</wsa10:Address>
      </wsa10:EndpointReference>
    </wsdl:port>
    <wsdl:port name="DecryptToken" binding="tns:DecryptToken">
      <soap12:address location="https://catdtnrfsecurityservice.dtnenergy.com/Service.svc/DecryptToken"/>
      <wsa10:EndpointReference>
        <wsa10:Address>https://catdtnrfsecurityservice.dtnenergy.com/Service.svc/DecryptToken</wsa10:Address>
      </wsa10:EndpointReference>
    </wsdl:port>
    <wsdl:port name="CreateToken2" binding="tns:CreateToken2">
      <soap:address location="https://catdtnrfsecurityservice.dtnenergy.com/Service.svc/CreateToken2"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
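The snippet in the question sets BindingProvider.USERNAME_PROPERTY and PASSWORD_PROPERTY, which CXF only uses for HTTP-level (Basic) authentication, not for the WS-SecurityPolicy UsernameToken the CreateToken2_policy asks for. The following is an added example, not code from the thread or from the CXF project, of how a CXF JAX-WS client satisfies that policy (TransportBinding over HTTPS plus a signed supporting WssUsernameToken10) without any wsdd or ServiceLocator: with cxf-rt-ws-policy and cxf-rt-ws-security on the classpath, CXF reads the policy from the WSDL and builds the WS-Security header itself, so the client only supplies credentials through the ws-security.* request-context properties and a TLS trust configuration for the HttpsToken. The class names SecurityServiceTest and ICreateToken follow the question; the trust-store path and password, the CallbackHandler class and the method name createPort are assumptions made for this example, and the WSPasswordCallback import shown is the WSS4J 2.x package (CXF 2.x used org.apache.ws.security.WSPasswordCallback).

```java
// Added example (not from the thread): CXF client for the CreateToken2 binding,
// whose policy is HTTPS TransportBinding + signed supporting UsernameToken.
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.ws.BindingProvider;

import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.wss4j.common.ext.WSPasswordCallback; // CXF 2.x: org.apache.ws.security.WSPasswordCallback

public class CreateToken2Client {

    /** Hands the UsernameToken password to WSS4J when CXF builds the Security header. */
    public static final class ClientPasswordCallback implements CallbackHandler {
        private final String username;
        private final char[] password;

        ClientPasswordCallback(String username, char[] password) {
            this.username = username;
            this.password = password.clone();
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                // Answer only for the identifier we configured, so the handler
                // never releases the password for some other username.
                if (username.equals(pc.getIdentifier())) {
                    pc.setPassword(new String(password));
                }
            }
        }
    }

    /** Builds a proxy for the CreateToken2 port with the policy's credentials and TLS trust set. */
    public static ICreateToken createPort(String wsUser, char[] wsPassword,
                                          String trustStorePath, char[] trustStorePassword)
            throws Exception {
        SecurityServiceTest service = new SecurityServiceTest();   // wsdl2java-generated, as in the question
        ICreateToken port = service.getCreateToken2();

        // WS-SecurityPolicy credentials. These are the property names the
        // policy-driven WS-Security interceptors read ("ws-security.username",
        // "ws-security.callback-handler"); BindingProvider.USERNAME_PROPERTY
        // only configures HTTP Basic auth on the transport.
        BindingProvider bp = (BindingProvider) port;
        bp.getRequestContext().put(SecurityConstants.USERNAME, wsUser);
        bp.getRequestContext().put(SecurityConstants.CALLBACK_HANDLER,
                new ClientPasswordCallback(wsUser, wsPassword));

        // HttpsToken: the policy relies on TLS for confidentiality and for the
        // "signed" part of the supporting token, so trust the service's CA
        // explicitly and keep hostname verification on. Trust store path and
        // password are assumed inputs for this example.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trust.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());
        tls.setDisableCNCheck(false);   // explicit: certificate must match the host name

        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        conduit.setTlsClientParameters(tls);
        return port;
    }
}
```

Because the CreateToken2_policy includes sp:IncludeTimestamp, CXF also adds a wsu:Timestamp to the header without further configuration; if the service rejects the call, checking the client's clock against the server's is the first thing to verify. The CreateToken and DecryptToken bindings additionally require WS-SecureConversation bootstrapped with this same UsernameToken, which CXF handles through the same policy engine once cxf-rt-ws-security is present, using the identical ws-security.* properties.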
