Secure conversation uses a predefined interface for the STS service - so no, you do not need to run a separate generation step for the STS service per se.

But in your case, the policy (from your other email thread, copied below) says that you're using a SAML IssuedToken to establish the secure conversation, and you'd need to configure the WS-Trust client code in CXF to connect to the service to get that token.


<wsp:Policy wsu:Id="SomethingServiceHttp_policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:RequireDerivedKeys/>
                  <sp:BootstrapPolicy>
                    <wsp:Policy>
                      ...
                      <sp:SymmetricBinding>
                        <wsp:Policy>
                          <sp:ProtectionToken>
                            <wsp:Policy>
                              <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                <Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                                  <Address xmlns="http://www.w3.org/2005/08/addressing">http://hostname/SecurityTokenService/username</Address>
                                  <Metadata xmlns="http://www.w3.org/2005/08/addressing">
                                    <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                                      <wsx:MetadataSection xmlns="">
                                        <wsx:MetadataReference>
                                          <Address xmlns="http://www.w3.org/2005/08/addressing">http://hostname/SecurityTokenService/mex</Address>
                                        </wsx:MetadataReference>
                                      </wsx:MetadataSection>
                                    </Metadata>
                                  </Metadata>
                                </Issuer>
                                <sp:RequestSecurityTokenTemplate>
                                  <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
                                  <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                                  <app:EpCode xmlns:app="http://www.foobar.com/app/ws-trust/2010/11">epCode</app:EpCode>
                                </sp:RequestSecurityTokenTemplate>
                                <wsp:Policy>
                                  <sp:RequireDerivedKeys/>
                                  <sp:RequireInternalReference/>
                                </wsp:Policy>
                              </sp:IssuedToken>
                            </wsp:Policy>
                          </sp:ProtectionToken>
                          ...
                      </sp:SymmetricBinding>

So the sequence of operations performed by your client will be:

1. Connect to the http://hostname/SecurityTokenService/username service
   to get a SAML token
2. Use that SAML token to request a Secure Conversation security token
3. Use the Secure Conversation token to actually communicate with the
   server

This is a complex arrangement. The test code that Colm pointed you at shows that CXF supports this configuration, but you're going to need to set the security parameters that are specific to your application - generally you'd put those parameters into the cxf.xml file for your client.

The client code reads the WSDL (which should include the whole policy definition) as part of its initialization, and uses that policy to configure the security handling for messages in and out of CXF.
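An added example of the kind of client-side cxf.xml this arrangement calls for (not from the thread, and not a configuration shipped by CXF or the original poster): the STS address is the one named in the policy's Issuer element, while the service and port QNames, keystore properties files, callback handler class and key aliases are placeholders to replace with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://cxf.apache.org/jaxws
                           http://cxf.apache.org/schemas/jaxws.xsd">

  <import resource="classpath:META-INF/cxf/cxf.xml"/>

  <!-- Step 1: WS-Trust client that fetches the SAML 1.1 / SymmetricKey token the
       bootstrap IssuedToken assertion asks for. The address comes from the policy's
       Issuer element; the service and port QNames are placeholders. -->
  <bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient">
    <constructor-arg ref="cxf"/>
    <property name="wsdlLocation" value="http://hostname/SecurityTokenService/username?wsdl"/>
    <property name="serviceName" value="{STS-NAMESPACE-PLACEHOLDER}SecurityTokenService"/>
    <property name="endpointName" value="{STS-NAMESPACE-PLACEHOLDER}UsernamePort"/>
    <property name="properties">
      <map>
        <!-- Credentials the client presents to the STS (placeholder values). -->
        <entry key="ws-security.username" value="clientuser"/>
        <entry key="ws-security.callback-handler" value="com.example.ClientPasswordCallback"/>
        <!-- Keystore holding the STS certificate; whether the STS binding needs it
             depends on the STS's own policy (assumed here). -->
        <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
        <entry key="ws-security.encryption.username" value="stsalias"/>
      </map>
    </property>
  </bean>

  <!-- Steps 2 and 3: the application client. CXF reads the policy from the service
       WSDL, uses stsClient for the bootstrap IssuedToken, and then derives keys for
       the SecureConversation session itself. Keys ending in ".sct" apply to the
       SecureConversation bootstrap exchange rather than to the STS call. -->
  <jaxws:client name="{SERVICE-NAMESPACE-PLACEHOLDER}SomethingServicePort" createdFromAPI="true">
    <jaxws:properties>
      <entry key="ws-security.sts.client" value-ref="stsClient"/>
      <entry key="ws-security.callback-handler.sct" value="com.example.ClientPasswordCallback"/>
      <entry key="ws-security.signature.properties.sct" value="clientKeystore.properties"/>
      <entry key="ws-security.encryption.properties.sct" value="clientKeystore.properties"/>
      <entry key="ws-security.encryption.username.sct" value="servicealias"/>
    </jaxws:properties>
  </jaxws:client>
</beans>
```

The `jaxws:client` name must match the port QName from the service WSDL exactly, otherwise CXF silently ignores the block and the policy-driven security has no credentials to work with.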

If you haven't used CXF with a secure service before you probably want to work through some simpler examples before you try making this work. You can see Glen Mazza's excellent blog posts such as this one: http://www.jroller.com/gmazza/entry/cxf_x509_profile, or my own articles on IBM developerWorks including http://www.ibm.com/developerworks/java/library/j-jws13.html and http://www.ibm.com/developerworks/java/library/j-jws15/index.html for some examples with explanation.

Hope that helps,

  - Dennis

Dennis M. Sosnoski
Java Web Services Consulting <http://www.sosnoski.com/consult.html>
CXF and Web Services Security Training <http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>

On 01/19/2014 09:20 AM, Walters, Jay M wrote:
I realize I ran wsdl2java vs the service endpoint for WSDL first CXF client, do 
I need to also run it vs the STS Service?  I am having troubles getting the 
client security policy right and not sure how that gets into the client in the 
first place as the cxf.xml file doesn't really have much of the information.

Cheers

