Does the WSDL need to go anyplace special or does the client just grab the server wsdl and dynamically hook everything up?
________________________________________
From: Colm O hEigeartaigh [[email protected]]
Sent: Friday, January 17, 2014 10:53 AM
To: [email protected]
Subject: Re: CXF client/WCF server interop

Here is a test in CXF that uses WS-Trust with SecureConversation:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java?view=markup

Here is the WSDL + security policy:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl?view=markup

Colm.

On Fri, Jan 17, 2014 at 3:01 PM, Walters, Jay M <[email protected]> wrote:

> Hoping this is what you want. Even I can take a guess that
> SecureConversation looks to be part of my future, though I would appreciate
> any pointer to a specific example I can work with.
>
> Thanks
>
> <wsp:Policy wsu:Id="SomethingServiceHttp_policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys/>
>                   <sp:BootstrapPolicy>
>                     <wsp:Policy>
>                       <sp:SignedParts>
>                         <sp:Body/>
>                         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
>                         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
>                       </sp:SignedParts>
>                       <sp:EncryptedParts>
>                         <sp:Body/>
>                       </sp:EncryptedParts>
>                       <sp:SymmetricBinding>
>                         <wsp:Policy>
>                           <sp:ProtectionToken>
>                             <wsp:Policy>
>                               <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                 <Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                                   <Address xmlns="http://www.w3.org/2005/08/addressing">http://hostname/SecurityTokenService/username</Address>
>                                   <Metadata xmlns="http://www.w3.org/2005/08/addressing">
>                                     <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>                                       <wsx:MetadataSection xmlns="">
>                                         <wsx:MetadataReference>
>                                           <Address xmlns="http://www.w3.org/2005/08/addressing">http://hostname/SecurityTokenService/mex</Address>
>                                         </wsx:MetadataReference>
>                                       </wsx:MetadataSection>
>                                     </Metadata>
>                                   </Metadata>
>                                 </Issuer>
>                                 <sp:RequestSecurityTokenTemplate>
>                                   <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
>                                   <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
>                                   <app:EpCode xmlns:app="http://www.foobar.com/app/ws-trust/2010/11">epCode</app:EpCode>
>                                 </sp:RequestSecurityTokenTemplate>
>                                 <wsp:Policy>
>                                   <sp:RequireDerivedKeys/>
>                                   <sp:RequireInternalReference/>
>                                 </wsp:Policy>
>                               </sp:IssuedToken>
>                             </wsp:Policy>
>                           </sp:ProtectionToken>
>                           <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                               <sp:Basic256/>
>                             </wsp:Policy>
>                           </sp:AlgorithmSuite>
>                           <sp:Layout>
>                             <wsp:Policy>
>                               <sp:Strict/>
>                             </wsp:Policy>
>                           </sp:Layout>
>                           <sp:IncludeTimestamp/>
>                           <sp:EncryptSignature/>
>                           <sp:OnlySignEntireHeadersAndBody/>
>                         </wsp:Policy>
>                       </sp:SymmetricBinding>
>                       <sp:Wss11>
>                         <wsp:Policy/>
>                       </sp:Wss11>
>                       <sp:Trust13>
>                         <wsp:Policy>
>                           <sp:MustSupportIssuedTokens/>
>                           <sp:RequireClientEntropy/>
>                           <sp:RequireServerEntropy/>
>                         </wsp:Policy>
>                       </sp:Trust13>
>                     </wsp:Policy>
>                   </sp:BootstrapPolicy>
>                   <sp:MustNotSendAmend/>
>                 </wsp:Policy>
>               </sp:SecureConversationToken>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp/>
>           <sp:EncryptSignature/>
>           <sp:OnlySignEntireHeadersAndBody/>
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>       <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy/>
>       </sp:Wss11>
>       <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens/>
>           <sp:RequireClientEntropy/>
>           <sp:RequireServerEntropy/>
>         </wsp:Policy>
>       </sp:Trust13>
>       <wsaw:UsingAddressing/>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> ________________________________________
> From: Colm O hEigeartaigh [[email protected]]
> Sent: Friday, January 17, 2014 4:51 AM
> To: [email protected]
> Subject: Re: CXF client/WCF server interop
>
> Could you paste the security policy of the service + I will take a look?
>
> Colm.
>
>
> On Fri, Jan 17, 2014 at 2:22 AM, Walters, Jay M <[email protected]> wrote:
>
> > I have a third party MS WCF Webservice which is using some variant of STS,
> > that I have been trying to call from a CXF client. This is WSDL first.
> >
> > I have been trying the simple STS examples I find on the website and
> > around the network; I am not close to getting this type of packet with the
> > off the internet examples to reproduce this soap envelope which is sent to
> > the STS server by a Metro client or a C# client.
> >
> > Is this secure conversation? I expect there is a working example in the
> > source if somebody could point me towards it?
> >
> > Thanks in advance.
> >
> > <S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope"
> >     xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> >     xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> >     xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
> >     xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
> >     xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#">
> >   <S:Header>
> >     <To xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5007">http://hostname:8030/SecurityTokenService/username</To>
> >     <Action xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5006">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</Action>
> >     <ReplyTo xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5005">
> >       <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
> >     </ReplyTo>
> >     <MessageID xmlns="http://www.w3.org/2005/08/addressing" wsu:Id="_5004">uuid:fqef</MessageID>
> >     <wsse:Security S:mustUnderstand="true">
> >       <wsu:Timestamp xmlns:ns20="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> >           xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >           xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_5">
> >         <wsu:Created>2014-01-17T02:00:30Z</wsu:Created>
> >         <wsu:Expires>2014-01-17T02:05:30Z</wsu:Expires>
> >       </wsu:Timestamp>
> >       <xenc:EncryptedKey xmlns:ns20="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> >           xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >           xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/" Id="_5002">
> >         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
> >         <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
> >           <wsse:SecurityTokenReference>
> >             <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"
> >                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">fjkqefq=</wsse:KeyIdentifier>
> >           </wsse:SecurityTokenReference>
> >         </ds:KeyInfo>
> >         <xenc:CipherData>
> >           <xenc:CipherValue>akjefefe</xenc:CipherValue>
> >         </xenc:CipherData>
> >       </xenc:EncryptedKey>
> >       <ns19:DerivedKeyToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >           xmlns:ns20="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> >           xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_3">
> >         <wsse:SecurityTokenReference>
> >           <wsse:Reference URI="#_5002" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
> >         </wsse:SecurityTokenReference>
> >         <ns19:Offset>0</ns19:Offset>
> >         <ns19:Length>24</ns19:Length>
> >         <ns19:Nonce>xyzzy</ns19:Nonce>
> >       </ns19:DerivedKeyToken>
> >       <ns19:DerivedKeyToken xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >           xmlns:ns20="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> >           xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_4">
> >         <wsse:SecurityTokenReference>
> >           <wsse:Reference URI="#_5002" ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey"/>
> >         </wsse:SecurityTokenReference>
> >         <ns19:Offset>0</ns19:Offset>
> >         <ns19:Length>32</ns19:Length>
> >         <ns19:Nonce>xyzzy</ns19:Nonce>
> >       </ns19:DerivedKeyToken>
> >       <xenc:ReferenceList xmlns:ns20="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> >           xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >           xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/">
> >         <xenc:DataReference URI="#_5010"/>
> >         <xenc:DataReference URI="#_5011"/>
> >         <xenc:DataReference URI="#_5012"/>
> >       </xenc:ReferenceList>
> >       <xenc:EncryptedData xmlns:ns20="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> >           xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >           xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/" Id="_5012"
> >           Type="http://www.w3.org/2001/04/xmlenc#Element">
> >         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
> >         <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
> >           <wsse:SecurityTokenReference>
> >             <wsse:Reference URI="#_4"/>
> >           </wsse:SecurityTokenReference>
> >         </ds:KeyInfo>
> >         <xenc:CipherData>
> >           <xenc:CipherValue>abc</xenc:CipherValue>
> >         </xenc:CipherData>
> >       </xenc:EncryptedData>
> >       <xenc:EncryptedData xmlns:ns20="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> >           xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >           xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/" Id="_5011"
> >           Type="http://www.w3.org/2001/04/xmlenc#Element">
> >         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
> >         <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
> >           <wsse:SecurityTokenReference>
> >             <wsse:Reference URI="#_4"/>
> >           </wsse:SecurityTokenReference>
> >         </ds:KeyInfo>
> >         <xenc:CipherData><xenc:CipherValue>eqef</xenc:CipherValue></xenc:CipherData>
> >       </xenc:EncryptedData>
> >     </wsse:Security>
> >   </S:Header>
> >   <S:Body wsu:Id="_5008">
> >     <xenc:EncryptedData xmlns:ns20="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity"
> >         xmlns:ns19="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> >         xmlns:ns18="http://schemas.xmlsoap.org/soap/envelope/" Id="_5010"
> >         Type="http://www.w3.org/2001/04/xmlenc#Content">
> >       <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
> >       <ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="KeyInfoType">
> >         <wsse:SecurityTokenReference>
> >           <wsse:Reference URI="#_4"/>
> >         </wsse:SecurityTokenReference>
> >       </ds:KeyInfo>
> >       <xenc:CipherData>
> >         <xenc:CipherValue>bgdwd </xenc:CipherValue>
> >       </xenc:CipherData>
> >     </xenc:EncryptedData>
> >   </S:Body>
> > </S:Envelope>
> >
> >
>
>
>

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
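The WCF policy pasted above nests a bootstrap IssuedToken policy inside the SecureConversationToken, which is why the client has to run two stages: an RST/Issue to the STS under the bootstrap binding, then the secure conversation with the service itself. As an added example (not code from the thread, from CXF or from WCF), the script below parses a trimmed copy of that policy and lists what the client must satisfy at each stage; the sample policy is constructed here and keeps only the assertions the script inspects.

```python
import xml.etree.ElementTree as ET
SP = "{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}"
WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"
WSA = "{http://www.w3.org/2005/08/addressing}"
TRUST = "{http://docs.oasis-open.org/ws-sx/ws-trust/200512}"
# Constructed sample: the WCF policy quoted in the thread, trimmed to the
# assertions inspected below (SignedParts, Layout, Wss11, Metadata omitted).
POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:wsa="http://www.w3.org/2005/08/addressing"
 xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wsp:ExactlyOne><wsp:All><sp:SymmetricBinding><wsp:Policy>
<sp:ProtectionToken><wsp:Policy><sp:SecureConversationToken><wsp:Policy><sp:RequireDerivedKeys/>
<sp:BootstrapPolicy><wsp:Policy><sp:SymmetricBinding><wsp:Policy>
<sp:ProtectionToken><wsp:Policy><sp:IssuedToken>
<sp:Issuer><wsa:Address>http://hostname/SecurityTokenService/username</wsa:Address></sp:Issuer>
<sp:RequestSecurityTokenTemplate>
<trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
<trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy><sp:RequireDerivedKeys/></wsp:Policy></sp:IssuedToken></wsp:Policy></sp:ProtectionToken>
<sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
</wsp:Policy></sp:SymmetricBinding>
<sp:Trust13><wsp:Policy><sp:RequireClientEntropy/><sp:RequireServerEntropy/></wsp:Policy></sp:Trust13>
</wsp:Policy></sp:BootstrapPolicy></wsp:Policy></sp:SecureConversationToken>
</wsp:Policy></sp:ProtectionToken>
<sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
</wsp:Policy></sp:SymmetricBinding></wsp:All></wsp:ExactlyOne></wsp:Policy>"""

def suite(binding):  # name of the sp:AlgorithmSuite assertion under a sp:SymmetricBinding
    return binding.find(f"{WSP}Policy/{SP}AlgorithmSuite/{WSP}Policy")[0].tag[len(SP):]

def summarize(policy_xml):
    # Describe the two-stage handshake the policy demands, or None if it has no SCT.
    root = ET.fromstring(policy_xml)
    sct = root.find(f".//{SP}SecureConversationToken")
    if sct is None:  # plain binding: no bootstrap round-trip to an STS is required
        return None
    boot = sct.find(f"{WSP}Policy/{SP}BootstrapPolicy/{WSP}Policy")
    issued = boot.find(f".//{SP}IssuedToken")
    tmpl = issued.find(f"{SP}RequestSecurityTokenTemplate")
    return {
        "sts": issued.findtext(f"{SP}Issuer/{WSA}Address").strip(),
        "bootstrap_token": tmpl.findtext(f"{TRUST}TokenType").strip().rsplit("#", 1)[-1],
        "bootstrap_key": tmpl.findtext(f"{TRUST}KeyType").strip().rsplit("/", 1)[-1],
        "bootstrap_suite": suite(boot.find(f"{SP}SymmetricBinding")),
        "entropy": [e.tag[len(SP):] for e in boot.find(f"{SP}Trust13/{WSP}Policy")],
        "sct_derived_keys": sct.find(f"{WSP}Policy/{SP}RequireDerivedKeys") is not None,
        "sct_suite": suite(root.find(f"{WSP}ExactlyOne/{WSP}All/{SP}SymmetricBinding")),
    }
```

The `sct_derived_keys` and `entropy` entries correspond to the DerivedKeyToken elements and the client-supplied EncryptedKey seen in the captured envelope, so the summary is a quick way to check that a client configuration matches what the service advertises.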
