Hi,

Yep this scenario is possible and tested in CXF. You need to use an
AsymmetricBinding with an IssuedToken policy, which is either the
InitiatorToken or an EndorsingSupportingToken. Here is an example:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/asymmetric/DoubleIt.wsdl?view=markup

If you want to run the test itself, here it is:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/asymmetric/AsymmetricBindingTest.java?view=markup

Colm.




On Thu, Nov 14, 2013 at 8:34 PM, Emiliano Carlesi <[email protected]> wrote:

> Hi Colm :-)
>
> I'd like to avoid using https in the communication between the client and
> the service provider.
> In my scenario I'd like to use https only in the communication between the
> client and the STS (to avoid sniffing of the credentials).
> Instead I'd like to use http in the communication between the client and the
> service provider.
> To avoid sniffing of the token I'd like to encrypt the request with the
> public key of the service provider and sign the same request with the
> private key of the client.
> Is it possible?
>
> Thank you very much!
>
> Ciao ciao :-)
>
> Emiliano Carlesi
>
> Email: [email protected]
> Mobile: +39 3487837153
> Phone: +39 0650939115
> Fax: +39 0689284365
> Skype: emiliano.carlesi
> Lync: [email protected]
>
>
>
> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Thursday, November 14, 2013 5:27 PM
> To: [email protected]
> Subject: Re: PublicKey as KeyType
>
> What does the client request look like? To satisfy a Holder of Key
> Assertion, the client must prove to the message recipient that it knows the
> private key associated with the public key in the Assertion. It must do
> this either by signing some part of the message using WS-Security, or else
> by using TLS with client authentication.
>
> Colm.
>
>
> On Thu, Nov 14, 2013 at 4:21 PM, Emiliano Carlesi <[email protected]> wrote:
>
> > Hi Guys,
> > I'd like to move from the current KeyType "Bearer" to "PublicKey". I
> > changed the WSDL of the WSS, but I get this error:
> >
> > WARNING: Interceptor for {http://test.itattitude.com/}SampleService#{http://test.itattitude.com/}getMessage has thrown exception, unwinding now
> > org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IssuedToken: Assertion fails holder-of-key requirements
> >         at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
> >         at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
> >         at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
> >         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> >         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
> >         at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
> >         at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
> >         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
> >         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
> >         at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:167)
> >         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
> >         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
> >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:647)
> >         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
> >         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
> >         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
> >         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)
> >         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)
> >         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
> >         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)
> >         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)
> >         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)
> >         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
> >         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
> >         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)
> >         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)
> >         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:310)
> >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
> >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
> >         at java.lang.Thread.run(Thread.java:724)
> >
> > I googled this error but didn't find anything that helped me... Does someone
> > know how to solve it?
> >
> > Thanks
> >
> > Ciao ciao
> >
> > Emiliano Carlesi
> >
> > Email: [email protected]
> > Mobile: +39 3487837153
> > Phone: +39 0650939115
> > Fax: +39 0689284365
> > Skype: emiliano.carlesi
> > Lync: [email protected]
> >
> >
> >
> >
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
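As an added illustration of the policy shape Colm describes (this is not the DoubleIt.wsdl linked above, nor code from the CXF project): a WS-SecurityPolicy 1.2 fragment for the client/service-provider leg, with the STS-issued holder-of-key token as the InitiatorToken and the provider's X.509 certificate as the RecipientToken. The SAML 2.0 token type and the Basic256 algorithm suite are assumed choices; the KeyType URI is the PublicKey value Emiliano is moving to.

```xml
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:AsymmetricBinding>
        <wsp:Policy>
          <!-- Initiator: a holder-of-key SAML token obtained from the STS. The client
               signs the request with the private key matching the token's PublicKey. -->
          <sp:InitiatorToken>
            <wsp:Policy>
              <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <sp:RequestSecurityTokenTemplate>
                  <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
                  <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
                </sp:RequestSecurityTokenTemplate>
              </sp:IssuedToken>
            </wsp:Policy>
          </sp:InitiatorToken>
          <!-- Recipient: the service provider's X.509 certificate. The client encrypts
               the request to it; the service signs the response with the matching key. -->
          <sp:RecipientToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:RecipientToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:IncludeTimestamp/>
          <sp:OnlySignEntireHeadersAndBody/>
        </wsp:Policy>
      </sp:AsymmetricBinding>
      <!-- Sign and encrypt the Body so the token and payload are protected over plain HTTP. -->
      <sp:SignedParts>
        <sp:Body/>
      </sp:SignedParts>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

The signature over the Body with the key bound to the issued token is what satisfies the holder-of-key check that produced the "Assertion fails holder-of-key requirements" error in the original post; the PublicKey KeyType alone does not.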