The Symmetric key that the client generates signs (and encrypts) the
request (SOAP Body). There is no need for a signing certificate as you are
using the Symmetric binding. Authentication is enforced via the
UsernameToken SupportingToken.

Colm.


On Fri, May 3, 2013 at 4:25 AM, Josh Hill <[email protected]> wrote:

>  My understanding is that the client generates the symmetric key (as
> defined by the sp:ProtectionToken i.e. a sp:X509Token) and encrypts it
> using the STS’s public key (configured on client using
> “ws-security.encryption.properties\username”). When sending this encrypted
> key to the STS what is it signed with? I haven’t set the
> “ws-security.signature.properties\username” on my client but the input
> policy on the STS requires the sp:Body be signed.
>
>
> ...
>
> <entry key="ws-security.sts.client">
>     <bean class="org.apache.cxf.ws.security.trust.STSClient">
>         <constructor-arg ref="cxf" />
>         <property name="wsdlLocation" value="http://localhost:8080/STS?wsdl" />
>         <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
>         <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
>         <property name="properties">
>             <map>
>                 <entry key="ws-security.username" value="bob" />
>                 <entry key="ws-security.callback-handler" value="ClientCallbackHandler" />
>                 <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
>                 <entry key="ws-security.encryption.username" value="stskey" />
>             </map>
>         </property>
>     </bean>
> </entry>
>
> …
>
> <wsp:Policy wsu:Id="STS-UT-Policy">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:SymmetricBinding>
>                 <wsp:Policy>
>                     <sp:ProtectionToken>
>                         <wsp:Policy>
>                             <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
>                                 <wsp:Policy>
>                                     <sp:RequireDerivedKeys/>
>                                     <sp:RequireThumbprintReference/>
>                                     <sp:WssX509V3Token10/>
>                                 </wsp:Policy>
>                             </sp:X509Token>
>                         </wsp:Policy>
>                     </sp:ProtectionToken>
>                     <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                             <sp:Basic256/>
>                         </wsp:Policy>
>                     </sp:AlgorithmSuite>
>                     <sp:Layout>
>                         <wsp:Policy>
>                             <sp:Lax/>
>                         </wsp:Policy>
>                     </sp:Layout>
>                     <sp:IncludeTimestamp/>
>                     <sp:EncryptSignature/>
>                     <sp:OnlySignEntireHeadersAndBody/>
>                 </wsp:Policy>
>             </sp:SymmetricBinding>
>             <sp:SignedEncryptedSupportingTokens>
>                 <wsp:Policy>
>                     <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                         <wsp:Policy>
>                             <sp:HashPassword/>
>                             <sp:WssUsernameToken10/>
>                         </wsp:Policy>
>                     </sp:UsernameToken>
>                 </wsp:Policy>
>             </sp:SignedEncryptedSupportingTokens>
>             <sp:Wss11>
>                 <wsp:Policy>
>                     <sp:MustSupportRefKeyIdentifier/>
>                     <sp:MustSupportRefIssuerSerial/>
>                     <sp:MustSupportRefThumbprint/>
>                     <sp:MustSupportRefEncryptedKey/>
>                 </wsp:Policy>
>             </sp:Wss11>
>             <sp:Trust13>
>                 <wsp:Policy>
>                     <sp:MustSupportIssuedTokens/>
>                     <sp:RequireClientEntropy/>
>                     <sp:RequireServerEntropy/>
>                 </wsp:Policy>
>             </sp:Trust13>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
> <wsp:Policy wsu:Id="STS-Input-Policy">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:SignedParts>
>                 <sp:Body/>
>             </sp:SignedParts>
>             <sp:EncryptedParts>
>                 <sp:Body/>
>             </sp:EncryptedParts>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
> <wsp:Policy wsu:Id="STS-Output-Policy">
>     <wsp:ExactlyOne>
>         <wsp:All>
>             <sp:SignedParts>
>                 <sp:Body/>
>             </sp:SignedParts>
>             <sp:EncryptedParts>
>                 <sp:Body/>
>             </sp:EncryptedParts>
>         </wsp:All>
>     </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> Josh Hill
> Senior Java Developer
> Finzsoft Solutions (New Zealand) Ltd
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
