How do I configure the policy? All of the examples keep giving me a very
simple cxf.xml file and nothing in the java code.
________________________________________
From: Dennis Sosnoski [[email protected]]
Sent: Saturday, January 18, 2014 5:02 PM
To: [email protected]
Subject: Re: To use WS-SecureConversation does one need to run wsdl2java on the STS?
Secure conversation uses a predefined interface for the STS service - so
no, you do not need to run a separate generation step for the STS
service per se.
But in your case, the policy (from your other email thread, copied
below) says that you're using a SAML IssuedToken to establish the secure
conversation, and you'd need to configure the WS-Trust client code in
CXF to connect to the service to get that token.
<wsp:Policy wsu:Id="SomethingServiceHttp_policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:RequireDerivedKeys/>
                  <sp:BootstrapPolicy>
                    <wsp:Policy>
                      ...
                      <sp:SymmetricBinding>
                        <wsp:Policy>
                          <sp:ProtectionToken>
                            <wsp:Policy>
                              <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                <Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                                  <Address xmlns="http://www.w3.org/2005/08/addressing">http://hostname/SecurityTokenService/username</Address>
                                  <Metadata xmlns="http://www.w3.org/2005/08/addressing">
                                    <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                                      <wsx:MetadataSection xmlns="">
                                        <wsx:MetadataReference>
                                          <Address xmlns="http://www.w3.org/2005/08/addressing">http://hostname/SecurityTokenService/mex</Address>
                                        </wsx:MetadataReference>
                                      </wsx:MetadataSection>
                                    </Metadata>
                                  </Metadata>
                                </Issuer>
                                <sp:RequestSecurityTokenTemplate>
                                  <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
                                  <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                                  <app:EpCode xmlns:app="http://www.foobar.com/app/ws-trust/2010/11">epCode</app:EpCode>
                                </sp:RequestSecurityTokenTemplate>
                                <wsp:Policy>
                                  <sp:RequireDerivedKeys/>
                                  <sp:RequireInternalReference/>
                                </wsp:Policy>
                              </sp:IssuedToken>
                            </wsp:Policy>
                          </sp:ProtectionToken>
                          ...
                        </sp:SymmetricBinding>
So the sequence of operations performed by your client will be:
1. Connect to the http://hostname/SecurityTokenService/username service
to get a SAML token
2. Use that SAML token to request a Secure Conversation security token
3. Use the Secure Conversation token to actually communicate with the
server
This is a complex arrangement. The test code that Colm pointed you at
shows that CXF supports this configuration, but you're going to need to
set the security parameters that are specific to your application -
generally you'd put those parameters into the cxf.xml file for your client.
The client code reads the WSDL (which should include the whole policy
definition) as part of its initialization, and uses that policy to
configure the security handling for messages in and out of CXF.
If you haven't used CXF with secure services before you probably want to
work through some simpler examples before you try making this work. You
can see Glen Mazza's excellent blog posts such as this one:
http://www.jroller.com/gmazza/entry/cxf_x509_profile , or my own
articles on IBM developerWorks including
http://www.ibm.com/developerworks/java/library/j-jws13.html and
http://www.ibm.com/developerworks/java/library/j-jws15/index.html for
some examples with explanation.
Hope that helps,
- Dennis
Dennis M. Sosnoski
Java Web Services Consulting <http://www.sosnoski.com/consult.html>
CXF and Web Services Security Training
<http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
On 01/19/2014 09:20 AM, Walters, Jay M wrote:
> I realize I ran wsdl2java vs the service endpoint for WSDL first CXF client,
> do I need to also run it vs the STS Service? I am having troubles getting
> the client security policy right and not sure how that gets into the client
> in the first place as the cxf.xml file doesn't really have much of the
> information.
>
> Cheers
>
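As an added example (not from the thread, Dennis, or the CXF project), here is what a client cxf.xml for the three-step sequence Dennis describes could look like: an STSClient bean for step 1 (the SAML token from the /username STS endpoint) wired into the service client, which then performs steps 2 and 3 from the SecureConversationToken policy CXF reads out of the WSDL. The service QName, the callback-handler class, the keystore property files and the key aliases are assumptions; the only values taken from the policy above are the STS address and the app namespace prefix.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example client cxf.xml; values marked PLACEHOLDER are assumptions. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://cxf.apache.org/jaxws
                           http://cxf.apache.org/schemas/jaxws.xsd">

    <import resource="classpath:META-INF/cxf/cxf.xml"/>

    <!-- Step 1: the WS-Trust client that fetches the SAML 1.1 token.
         wsdlLocation is left unset so CXF can resolve the STS endpoint from the
         policy's <Issuer> Address and mex Metadata; if that mex call is not
         reachable, point wsdlLocation at a saved copy of the STS WSDL instead. -->
    <bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient">
        <constructor-arg ref="cxf"/>
        <property name="properties">
            <map>
                <!-- credentials for the .../SecurityTokenService/username endpoint -->
                <entry key="ws-security.username" value="PLACEHOLDER_USER"/>
                <entry key="ws-security.callback-handler"
                       value="com.example.ClientPasswordCallback"/> <!-- PLACEHOLDER class -->
                <!-- STS certificate used when the SymmetricKey entropy is encrypted to the STS -->
                <entry key="ws-security.encryption.properties"
                       value="clientKeystore.properties"/>            <!-- PLACEHOLDER file -->
                <entry key="ws-security.encryption.username" value="stskey"/> <!-- PLACEHOLDER alias -->
            </map>
        </property>
    </bean>

    <!-- Steps 2 and 3: the service client. Its name is {serviceNamespace}portName from
         the WSDL that wsdl2java was run against; CXF takes the SecureConversationToken
         and its BootstrapPolicy from that WSDL and uses stsClient for the bootstrap. -->
    <jaxws:client name="{http://www.foobar.com/app}SomethingServiceHttp"
                  createdFromAPI="true">
        <jaxws:properties>
            <entry key="ws-security.sts.client" value-ref="stsClient"/>
            <entry key="ws-security.callback-handler"
                   value="com.example.ClientPasswordCallback"/>
            <!-- service certificate used to protect the bootstrap exchange -->
            <entry key="ws-security.encryption.properties"
                   value="clientKeystore.properties"/>
            <entry key="ws-security.encryption.username" value="servicekey"/> <!-- PLACEHOLDER alias -->
        </jaxws:properties>
    </jaxws:client>
</beans>
```

With this on the classpath the Java side stays as the simple examples show it: instantiate the wsdl2java-generated service, get the port, and call it; the STS round trip and the SecureConversation handshake happen inside CXF's policy-driven interceptors on the first invocation.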