The policy is read from the WSDL. Most security parameter values are then configured in the cxf.xml. You can instead set them directly in code, but it's generally cleaner to have them in the configuration file. Generally the only thing that changes in your code is a callback class used to provide secret passwords and (on the server) verify username/password pairs when you're using UsernameToken.

  - Dennis

On 01/22/2014 02:49 AM, Walters, Jay M wrote:
How do I configure the policy? All of the examples keep giving me a very simple cxf.xml file and nothing in the Java code.
________________________________________
From: Dennis Sosnoski [[email protected]]
Sent: Saturday, January 18, 2014 5:02 PM
To: [email protected]
Subject: Re: To use WS-SecureConversation does one need to run wsdl2java on the STS?

Secure conversation uses a predefined interface for the STS service - so
no, you do not need to run a separate generation step for the STS
service per se.

But in your case, the policy (from your other email thread, copied
below) says that you're using a SAML IssuedToken to establish the secure
conversation, and you'd need to configure the WS-Trust client code in
CXF to connect to the service to get that token.


   <wsp:Policy wsu:Id="SomethingServiceHttp_policy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
            <wsp:Policy>
              <sp:ProtectionToken>
                <wsp:Policy>
                  <sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                    <wsp:Policy>
                      <sp:RequireDerivedKeys/>
                      <sp:BootstrapPolicy>
                        <wsp:Policy>
                          ...
                          <sp:SymmetricBinding>
                            <wsp:Policy>
                              <sp:ProtectionToken>
                                <wsp:Policy>
                                  <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                    <Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                                      <Address xmlns="http://www.w3.org/2005/08/addressing">http://hostname/SecurityTokenService/username</Address>
                                      <Metadata xmlns="http://www.w3.org/2005/08/addressing">
                                        <Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                                          <wsx:MetadataSection xmlns="">
                                            <wsx:MetadataReference>
                                              <Address xmlns="http://www.w3.org/2005/08/addressing">http://hostname/SecurityTokenService/mex</Address>
                                            </wsx:MetadataReference>
                                          </wsx:MetadataSection>
                                        </Metadata>
                                      </Metadata>
                                    </Issuer>
                                    <sp:RequestSecurityTokenTemplate>
                                      <trust:TokenType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</trust:TokenType>
                                      <trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
                                      <app:EpCode xmlns:app="http://www.foobar.com/app/ws-trust/2010/11">epCode</app:EpCode>
                                    </sp:RequestSecurityTokenTemplate>
                                    <wsp:Policy>
                                      <sp:RequireDerivedKeys/>
                                      <sp:RequireInternalReference/>
                                    </wsp:Policy>
                                  </sp:IssuedToken>
                                </wsp:Policy>
                              </sp:ProtectionToken>
                              ...
                          </sp:SymmetricBinding>

So the sequence of operations performed by your client will be:

  1. Connect to the http://hostname/SecurityTokenService/username service
     to get a SAML token
  2. Use that SAML token to request a Secure Conversation security token
  3. Use the Secure Conversation token to actually communicate with the
     server

This is a complex arrangement. The test code that Colm pointed you at
shows that CXF supports this configuration, but you're going to need to
set the security parameters that are specific to your application -
generally you'd put those parameters into the cxf.xml file for your client.

The client code reads the WSDL (which should include the whole policy
definition) as part of its initialization, and uses that policy to
configure the security handling for messages in and out of CXF.

If you haven't used CXF with a secure service before, you probably want to
work through some simpler examples before you try making this work. You
can see Glen Mazza's excellent blog posts such as this one:
http://www.jroller.com/gmazza/entry/cxf_x509_profile, or my own
articles on IBM developerWorks including
http://www.ibm.com/developerworks/java/library/j-jws13.html and
http://www.ibm.com/developerworks/java/library/j-jws15/index.html for
some examples with explanation.

Hope that helps,

    - Dennis

Dennis M. Sosnoski
Java Web Services Consulting <http://www.sosnoski.com/consult.html>
CXF and Web Services Security Training
<http://www.sosnoski.com/training.html>
Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>

On 01/19/2014 09:20 AM, Walters, Jay M wrote:
I realize I ran wsdl2java vs the service endpoint for WSDL first CXF client, do I need to also run it vs the STS Service? I am having troubles getting the client security policy right and not sure how that gets into the client in the first place as the cxf.xml file doesn't really have much of the information.

Cheers
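To make Dennis's description concrete (the policy comes from the WSDL; the application-specific security parameters go into the client's cxf.xml; the WS-Trust client that performs step 1 of the sequence is configured there too), here is an added example of a client cxf.xml for the policy quoted above. It is not from this thread or from the CXF project; the service port QName, the callback handler class name, the keystore properties file, the STS WSDL URL with its service and port QNames, the username and the key aliases are all assumed and must be replaced with your own values.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example client cxf.xml (not from the thread). Assumed names: the
     service port QName, the callback handler class, the keystore properties
     file, the STS WSDL URL and its service/port QNames, and the key aliases. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans.xsd
         http://cxf.apache.org/jaxws
           http://cxf.apache.org/schemas/jaxws.xsd">

  <!-- Defines the default CXF bus (bean id "cxf") that the STSClient constructor takes. -->
  <import resource="classpath:META-INF/cxf/cxf.xml"/>

  <!-- Port QName is assumed; it must match the port the client proxy is created for.
       createdFromAPI="true" because the proxy comes from Service.getPort(). -->
  <jaxws:client name="{http://www.foobar.com/app}SomethingServiceHttpPort" createdFromAPI="true">
    <jaxws:properties>
      <!-- The only application code involved: a javax.security.auth.callback.CallbackHandler
           that hands out key passwords (and the UsernameToken password) when asked.
           Class name assumed. -->
      <entry key="ws-security.callback-handler" value="com.foobar.app.client.ClientCallbackHandler"/>
      <!-- WSS4J crypto settings (keystore type, path, password, default alias). File name assumed. -->
      <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
      <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
      <!-- Alias of the application service's certificate in that keystore. Assumed. -->
      <entry key="ws-security.encryption.username" value="service"/>

      <!-- Step 1 of the sequence: the WS-Trust client that fetches the SAML token from
           the issuer named in the IssuedToken assertion of the bootstrap policy. -->
      <entry key="ws-security.sts.client">
        <bean class="org.apache.cxf.ws.security.trust.STSClient">
          <constructor-arg ref="cxf"/>
          <!-- STS WSDL URL and QNames are assumed; take them from the STS's own WSDL or
               from the MEX endpoint the policy names (http://hostname/SecurityTokenService/mex). -->
          <property name="wsdlLocation" value="http://hostname/SecurityTokenService/username?wsdl"/>
          <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService"/>
          <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}UsernamePort"/>
          <property name="properties">
            <map>
              <!-- Credentials presented to the STS as a UsernameToken. The password is
                   supplied by the callback handler rather than stored in this file. -->
              <entry key="ws-security.username" value="alice"/>
              <entry key="ws-security.callback-handler" value="com.foobar.app.client.ClientCallbackHandler"/>
              <!-- Keystore and the STS certificate alias used to protect the request to the STS.
                   Alias assumed. -->
              <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
              <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
              <entry key="ws-security.encryption.username" value="sts"/>
            </map>
          </property>
        </bean>
      </entry>
    </jaxws:properties>
  </jaxws:client>
</beans>
```

Nothing in this file restates the policy: CXF still reads the SymmetricBinding, SecureConversationToken and IssuedToken assertions from the WSDL at client initialization and wires up the three-step exchange from them; the file only supplies what the policy cannot know (who you are, which keystore, which STS endpoint). Keep the key passwords out of the file by answering them in the callback handler, and note that the `http://hostname/...` addresses in the quoted policy are placeholders; a real STS and its MEX endpoint should be reached over TLS, since the UsernameToken and the issued SAML token travel over that channel. CXF also looks for bootstrap-specific overrides of these keys with a `.sct` suffix (for example `ws-security.callback-handler.sct`) when establishing the secure conversation; check the WS-SecureConversation page of the CXF documentation for your version before relying on that.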
