Hi,

If I am not mistaken, STS communication is triggered by the policy IssuedToken 
assertion.

Your policy specifies SymmetricBinding using an X509 protection token and a 
UsernameToken as SignedEncryptedSupportingTokens.
I do not think that your policy will initiate communication with the STS service 
at all.

You can find a similar sample with STS communication in
http://svn.apache.org/repos/asf/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java

Regards,
Andrei.
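
A quick way to check Andrei's point against a policy file, as an added example (not CXF code and not part of the original thread): the script below parses a WS-SecurityPolicy fragment with ElementTree and reports the binding, the protection token and its IncludeToken mode, the supporting tokens, and every sp:IssuedToken it finds; "talks_to_sts" is true only when an IssuedToken is present. The first sample input is the STS-UT-Policy from the post, condensed, with namespace declarations added (the WS-Policy namespace http://www.w3.org/ns/ws-policy is an assumption, since the post does not show its prefix declarations). The second is a constructed variant whose protection token is an sp:IssuedToken with an sp:Issuer address set to the STS URL from the posted STSClient configuration. The "client_private_key_needed" flag follows the WS-SecurityPolicy definition of the SymmetricBinding ProtectionToken, which supplies the key material for both signature and encryption, so a client-side signing key only comes into play for AsymmetricBinding or an endorsing X509 supporting token.

```python
"""Report what a WS-SecurityPolicy fragment asks for, and in particular whether
it contains an sp:IssuedToken (the assertion that makes a CXF client call an STS).
Added example, not CXF code."""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"        # assumed WS-Policy namespace
WSA = "http://www.w3.org/2005/08/addressing"  # for sp:Issuer/wsa:Address

BINDINGS = {"TransportBinding", "SymmetricBinding", "AsymmetricBinding"}
SUPPORTING = {
    "SupportingTokens", "SignedSupportingTokens", "EndorsingSupportingTokens",
    "SignedEndorsingSupportingTokens", "SignedEncryptedSupportingTokens",
    "EncryptedSupportingTokens", "EndorsingEncryptedSupportingTokens",
    "SignedEndorsingEncryptedSupportingTokens",
}


def _local(tag):
    """Strip the {namespace} prefix ElementTree prepends to tag names."""
    return tag.rsplit("}", 1)[-1]


def _tokens_in(container):
    """Token assertions (sp:*Token) directly under a container's wsp:Policy."""
    return [c for pol in container.findall("{%s}Policy" % WSP) for c in pol
            if c.tag.startswith("{%s}" % SP) and _local(c.tag).endswith("Token")]


def summarize_policy(xml_text):
    root = ET.fromstring(xml_text)
    info = {"binding": None, "protection_token": None, "include_token": None,
            "supporting": [], "issued_tokens": []}
    for el in root.iter():
        if not el.tag.startswith("{%s}" % SP):
            continue
        name = _local(el.tag)
        if name in BINDINGS and info["binding"] is None:
            info["binding"] = name
        elif name == "ProtectionToken":
            toks = _tokens_in(el)
            if toks:
                info["protection_token"] = _local(toks[0].tag)
                inc = toks[0].get("{%s}IncludeToken" % SP, "")
                info["include_token"] = inc.rsplit("/", 1)[-1] or None
        elif name in SUPPORTING:
            info["supporting"] += [(name, _local(t.tag)) for t in _tokens_in(el)]
        if name == "IssuedToken":
            addr = el.find("{%s}Issuer/{%s}Address" % (SP, WSA))
            info["issued_tokens"].append(
                {"issuer": addr.text.strip() if addr is not None and addr.text else None})
    # No sp:IssuedToken anywhere -> nothing in this policy asks an STS for a token.
    info["talks_to_sts"] = bool(info["issued_tokens"])
    # AsymmetricBinding signs with the initiator's own key. SymmetricBinding signs and
    # encrypts with the (derived) protection key, so the client only needs a private
    # key of its own when an endorsing X509 supporting token must co-sign.
    info["client_private_key_needed"] = (
        info["binding"] == "AsymmetricBinding"
        or any("Endorsing" in c and t == "X509Token" for c, t in info["supporting"]))
    return info


# Constructed inputs: the STS-UT-Policy from the post, condensed, with namespace
# declarations added; and a variant whose protection token is an sp:IssuedToken.
X509_NEVER = SP + "/IncludeToken/Never"
TO_RECIPIENT = SP + "/IncludeToken/AlwaysToRecipient"
POSTED_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
<wsp:ExactlyOne><wsp:All>
 <sp:SymmetricBinding><wsp:Policy>
  <sp:ProtectionToken><wsp:Policy>
   <sp:X509Token sp:IncludeToken="{X509_NEVER}"><wsp:Policy>
    <sp:RequireDerivedKeys/><sp:RequireThumbprintReference/><sp:WssX509V3Token10/>
   </wsp:Policy></sp:X509Token>
  </wsp:Policy></sp:ProtectionToken>
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  <sp:IncludeTimestamp/><sp:EncryptSignature/><sp:OnlySignEntireHeadersAndBody/>
 </wsp:Policy></sp:SymmetricBinding>
 <sp:SignedEncryptedSupportingTokens><wsp:Policy>
  <sp:UsernameToken sp:IncludeToken="{TO_RECIPIENT}"><wsp:Policy>
   <sp:HashPassword/><sp:WssUsernameToken10/>
  </wsp:Policy></sp:UsernameToken>
 </wsp:Policy></sp:SignedEncryptedSupportingTokens>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""

ISSUED_TOKEN_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}" xmlns:wsa="{WSA}">
<wsp:ExactlyOne><wsp:All>
 <sp:SymmetricBinding><wsp:Policy>
  <sp:ProtectionToken><wsp:Policy>
   <sp:IssuedToken sp:IncludeToken="{TO_RECIPIENT}">
    <sp:Issuer><wsa:Address>http://localhost:8080/STS</wsa:Address></sp:Issuer>
    <sp:RequestSecurityTokenTemplate/>
   </sp:IssuedToken>
  </wsp:Policy></sp:ProtectionToken>
  <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
 </wsp:Policy></sp:SymmetricBinding>
</wsp:All></wsp:ExactlyOne></wsp:Policy>"""

if __name__ == "__main__":
    for label, pol in (("posted", POSTED_POLICY), ("issued-token", ISSUED_TOKEN_POLICY)):
        print(label, summarize_policy(pol))
```

Run against the posted policy the summary comes back with binding SymmetricBinding, protection token X509Token (IncludeToken Never), one UsernameToken under SignedEncryptedSupportingTokens and no IssuedToken, so "talks_to_sts" is false; the IssuedToken variant is the shape that does make the client go to the issuer address. The script only inspects the policy document; it does not tell you what the runtime will do with properties such as ws-security.sts.client that are set outside the policy.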

From: Josh Hill [mailto:[email protected]]
Sent: Freitag, 3. Mai 2013 05:26
To: [email protected]
Subject: SymmetricBinding key exchange and signing

My understanding is that the client generates the symmetric key (as defined by 
the sp:ProtectionToken, i.e. an sp:X509Token) and encrypts it using the STS's 
public key (configured on the client using 
"ws-security.encryption.properties\username"). When sending this encrypted key 
to the STS, what is it signed with? I haven't set 
"ws-security.signature.properties\username" on my client, but the input policy 
on the STS requires that the sp:Body be signed.

...
<entry key="ws-security.sts.client">
  <bean class="org.apache.cxf.ws.security.trust.STSClient">
    <constructor-arg ref="cxf" />
    <property name="wsdlLocation" value="http://localhost:8080/STS?wsdl" />
    <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
    <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
    <property name="properties">
      <map>
        <entry key="ws-security.username" value="bob" />
        <entry key="ws-security.callback-handler" value="ClientCallbackHandler" />
        <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
        <entry key="ws-security.encryption.username" value="stskey" />
      </map>
    </property>
  </bean>
</entry>
...

<wsp:Policy wsu:Id="STS-UT-Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireDerivedKeys/>
                  <sp:RequireThumbprintReference/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
          <sp:EncryptSignature/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:SignedEncryptedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:HashPassword/>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedEncryptedSupportingTokens>
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier/>
          <sp:MustSupportRefIssuerSerial/>
          <sp:MustSupportRefThumbprint/>
          <sp:MustSupportRefEncryptedKey/>
        </wsp:Policy>
      </sp:Wss11>
      <sp:Trust13>
        <wsp:Policy>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireClientEntropy/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust13>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy wsu:Id="STS-Input-Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

<wsp:Policy wsu:Id="STS-Output-Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>


Josh Hill
Senior Java Developer