Hoping this is what you want.  Even I can take a guess that SecureConversation 
looks to be part of my future, though I would appreciate any pointer to a 
specific example I can work with.

Thanks

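 <wsp:Policy wsu:Id="SomethingServiceHttp_policy">
    <!--
      WS-SecurityPolicy 1.2 for the SomethingService HTTP endpoint, pasted from the
      WCF service WSDL. The stray ";" that the mail archive appended after every
      quoted namespace URI has been removed so the fragment is well-formed again.
      The wsp, wsu, wsaw and wsx prefixes are not declared in this fragment; they
      are presumably bound on the enclosing WSDL element (confirm against the WSDL).
    -->
    <wsp:ExactlyOne>
      <wsp:All>
        <!--
          Outer binding: application messages are protected by a symmetric binding
          whose protection token is a WS-SecureConversation security context token,
          always sent to the recipient, with derived keys required.
        -->
        <sp:SymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:ProtectionToken>
              <wsp:Policy>
                <sp:SecureConversationToken
                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:RequireDerivedKeys/>
                    <!--
                      Bootstrap policy: governs the RST/RSTR exchange that establishes the
                      security context. It is itself a symmetric binding whose protection
                      token is a SAML 1.1 token issued by the STS referenced below, so the
                      client has to complete an STS round trip before calling the service.
                    -->
                    <sp:BootstrapPolicy>
                      <wsp:Policy>
                        <!-- Body plus the listed WS-Addressing headers are signed in the bootstrap exchange. -->
                        <sp:SignedParts>
                          <sp:Body/>
                          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
                          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
                          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
                          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
                          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
                        </sp:SignedParts>
                        <!-- The bootstrap Body is encrypted as well as signed. -->
                        <sp:EncryptedParts>
                          <sp:Body/>
                        </sp:EncryptedParts>
                        <sp:SymmetricBinding>
                          <wsp:Policy>
                            <sp:ProtectionToken>
                              <wsp:Policy>
                                <sp:IssuedToken
                                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                  <!--
                                    STS Issue endpoint, and the WS-MetadataExchange address from which
                                    the client pulls the STS's own policy. Both are plain http, so
                                    confidentiality and integrity of the bootstrap exchange rest on the
                                    message-level protection declared in this policy rather than on TLS.
                                    Whatever is fetched from the mex address is XML from a remote party;
                                    parse it with DTD and external-entity processing disabled.
                                  -->
                                  <Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                                    <Address xmlns="http://www.w3.org/2005/08/addressing">http://hostname/SecurityTokenService/username</Address>
                                    <Metadata xmlns="http://www.w3.org/2005/08/addressing">
                                      <!-- xmlns:xsi is declared on this element in the original WSDL but not used here. -->
                                      <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex"
                                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                                        <wsx:MetadataSection xmlns="">
                                          <wsx:MetadataReference>
                                            <Address xmlns="http://www.w3.org/2005/08/addressing">http://hostname/SecurityTokenService/mex</Address>
                                          </wsx:MetadataReference>
                                        </wsx:MetadataSection>
                                      </Metadata>
                                    </Metadata>
                                  </Issuer>
                                  <!--
                                    Template the client must carry in its RequestSecurityToken: a SAML 1.1
                                    token with a symmetric proof key, plus a vendor-specific app:EpCode
                                    element the WCF/STS side expects. A CXF client has to send the same
                                    three elements in the RST it builds for this STS.
                                  -->
                                  <sp:RequestSecurityTokenTemplate>
                                    <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
                                    <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                                    <app:EpCode xmlns:app="http://www.foobar.com/app/ws-trust/2010/11">epCode</app:EpCode>
                                  </sp:RequestSecurityTokenTemplate>
                                  <!-- The issued token is used with derived keys and referenced internally (by wsu:Id). -->
                                  <wsp:Policy>
                                    <sp:RequireDerivedKeys/>
                                    <sp:RequireInternalReference/>
                                  </wsp:Policy>
                                </sp:IssuedToken>
                              </wsp:Policy>
                            </sp:ProtectionToken>
                            <!--
                              Basic256 (WS-SP 1.2): AES-256 data encryption, RSA-OAEP key transport,
                              SHA-1 digests. This is consistent with the rsa-oaep-mgf1p and
                              aes256-cbc algorithms visible in the captured Metro RST quoted later
                              in this thread.
                            -->
                            <sp:AlgorithmSuite>
                              <wsp:Policy>
                                <sp:Basic256/>
                              </wsp:Policy>
                            </sp:AlgorithmSuite>
                            <sp:Layout>
                              <wsp:Policy>
                                <sp:Strict/>
                              </wsp:Policy>
                            </sp:Layout>
                            <sp:IncludeTimestamp/>
                            <sp:EncryptSignature/>
                            <sp:OnlySignEntireHeadersAndBody/>
                          </wsp:Policy>
                        </sp:SymmetricBinding>
                        <sp:Wss11>
                          <wsp:Policy/>
                        </sp:Wss11>
                        <!-- WS-Trust 1.3: both the client and the STS must contribute entropy to the issued key. -->
                        <sp:Trust13>
                          <wsp:Policy>
                            <sp:MustSupportIssuedTokens/>
                            <sp:RequireClientEntropy/>
                            <sp:RequireServerEntropy/>
                          </wsp:Policy>
                        </sp:Trust13>
                      </wsp:Policy>
                    </sp:BootstrapPolicy>
                    <!-- The client must not send SCT Amend requests for the established context. -->
                    <sp:MustNotSendAmend/>
                  </wsp:Policy>
                </sp:SecureConversationToken>
              </wsp:Policy>
            </sp:ProtectionToken>
            <!-- Same algorithm suite, layout and signing rules as the bootstrap binding. -->
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
            <sp:EncryptSignature/>
            <sp:OnlySignEntireHeadersAndBody/>
          </wsp:Policy>
        </sp:SymmetricBinding>
        <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy/>
        </sp:Wss11>
        <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens/>
            <sp:RequireClientEntropy/>
            <sp:RequireServerEntropy/>
          </wsp:Policy>
        </sp:Trust13>
        <!-- WS-Addressing headers are required on the wire; the wsaw prefix is bound outside this fragment. -->
        <wsaw:UsingAddressing/>
      </wsp:All>
    </wsp:ExactlyOne>
 </wsp:Policy>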

________________________________________
From: Colm O hEigeartaigh [[email protected]]
Sent: Friday, January 17, 2014 4:51 AM
To: [email protected]
Subject: Re: CXF client/WCF server interop

Could you paste the security policy of the service + I will take a look?

Colm.


On Fri, Jan 17, 2014 at 2:22 AM, Walters, Jay M <[email protected]> wrote:

> I have a third party MS WCF Webservice which is using some variant of STS,
> that I have been trying to call from a CXF client.  This is WSDL first.
>
> I have been trying the simple STS examples I find on the website and
> around the network, but with those off-the-internet examples I am not close
> to reproducing this SOAP envelope, which a Metro client or a C# client sends
> to the STS server.
>
> Is this secure conversation?  I expect there is a working example in the
> source if somebody could point me towards it?
>
> Thanks in advance.
>
> <S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope";
> xmlns:wsse11="
> http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
> xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
> xmlns:xs="http://www.w3.org/2001/XMLSchema"; xmlns:ds="
> http://www.w3.org/2000/09/xmldsig#"; xmlns:wsc="
> http://schemas.xmlsoap.org/ws/2005/02/sc"; xmlns:xenc="
> http://www.w3.org/2001/04/xmlenc#"; xmlns:exc14n="
> http://www.w3.org/2001/10/xml-exc-c14n#";>
>   <S:Header>
>     <To xmlns="http://www.w3.org/2005/08/addressing"; wsu:Id="_5007">
> http://hostname:8030/SecurityTokenService/username</To>
>     <Action xmlns="http://www.w3.org/2005/08/addressing"; wsu:Id="_5006">
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
>     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing"; wsu:Id="_5005">
>     <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
> </ReplyTo>
>     <MessageID xmlns="http://www.w3.org/2005/08/addressing";
> wsu:Id="_5004">uuid:fqef</MessageID>
>     <wsse:Security S:mustUnderstand="true">
>       <wsu:Timestamp xmlns:ns20="
> http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"; xmlns:ns19="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
> xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/"; wsu:Id="_5">
>         <wsu:Created>2014-01-17T02:00:30Z</wsu:Created>
>         <wsu:Expires>2014-01-17T02:05:30Z</wsu:Expires>
>       </wsu:Timestamp>
>       <xenc:EncryptedKey xmlns:ns20="
> http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"; xmlns:ns19="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
> xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/"; Id="_5002">
>         <xenc:EncryptionMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>         <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xsi:type="KeyInfoType">
>           <wsse:SecurityTokenReference>
>             <wsse:KeyIdentifier ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";
> EncodingType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
> ">fjkqefq=</wsse:KeyIdentifier>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>         <xenc:CipherValue>akjefefe</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedKey>
>       <ns19:DerivedKeyToken xmlns:ns19="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
> xmlns:ns20="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity";
> xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/"; wsu:Id="_3">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#_5002" ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
> "/>
>         </wsse:SecurityTokenReference>
>         <ns19:Offset>0</ns19:Offset>
>         <ns19:Length>24</ns19:Length>
>         <ns19:Nonce>xyzzy</ns19:Nonce>
>       </ns19:DerivedKeyToken>
>       <ns19:DerivedKeyToken xmlns:ns19="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
> xmlns:ns20="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity";
> xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/"; wsu:Id="_4">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#_5002" ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
> "/>
>         </wsse:SecurityTokenReference>
>         <ns19:Offset>0</ns19:Offset>
>         <ns19:Length>32</ns19:Length>
>         <ns19:Nonce>xyzzy</ns19:Nonce>
>       </ns19:DerivedKeyToken>
>       <xenc:ReferenceList xmlns:ns20="
> http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"; xmlns:ns19="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
> xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/";>
>         <xenc:DataReference URI="#_5010"/>
>         <xenc:DataReference URI="#_5011"/>
>         <xenc:DataReference URI="#_5012"/>
>       </xenc:ReferenceList>
>       <xenc:EncryptedData xmlns:ns20="
> http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"; xmlns:ns19="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
> xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/"; Id="_5012" Type="
> http://www.w3.org/2001/04/xmlenc#Element";>
>         <xenc:EncryptionMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>         <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xsi:type="KeyInfoType">
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#_4"/>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>         <xenc:CipherValue>abc</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedData>
>       <xenc:EncryptedData xmlns:ns20="
> http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"; xmlns:ns19="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
> xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/"; Id="_5011" Type="
> http://www.w3.org/2001/04/xmlenc#Element";>
>         <xenc:EncryptionMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>         <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xsi:type="KeyInfoType">
>           <wsse:SecurityTokenReference>
>             <wsse:Reference URI="#_4"/>
>           </wsse:SecurityTokenReference>
>         </ds:KeyInfo>
>
> <xenc:CipherData><xenc:CipherValue>eqef</xenc:CipherValue></xenc:CipherData>
>       </xenc:EncryptedData>
>     </wsse:Security>
>   </S:Header>
>   <S:Body wsu:Id="_5008">
>     <xenc:EncryptedData xmlns:ns20="
> http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"; xmlns:ns19="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512";
> xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/"; Id="_5010" Type="
> http://www.w3.org/2001/04/xmlenc#Content";>
>       <xenc:EncryptionMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>       <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
> xsi:type="KeyInfoType">
>         <wsse:SecurityTokenReference>
>           <wsse:Reference URI="#_4"/>
>         </wsse:SecurityTokenReference>
>       </ds:KeyInfo>
>       <xenc:CipherData>
>           <xenc:CipherValue>bgdwd </xenc:CipherValue>
>       </xenc:CipherData>
>     </xenc:EncryptedData>
>   </S:Body>
> </S:Envelope>
>
>
