Hi,

I am trying to send a RST-Issue to my business service to get an SCT. The
header contains a SAML bootstrap token. When I send the message without
<u:Timestamp> in the security header everything works fine. But when I add
the timestamp header the service complains:

WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
has thrown exception, unwinding now:
org.apache.cxf.ws.policy.PolicyException: *These policy alternatives can not
be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
Received Timestamp does not match the requirements*     at
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
        at
org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
        at
org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)

Ok, that makes sense as the timestamp is not part of the service policy.
So I tried to add <sp:IncludeTimestamp> at various places in the policy
without effect.
Please see the message and policy below.

My question is where to put the <sp:IncludeTimestamp> in the policy to match
the incoming message?

Message (including timestamp header):


<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/";
        xmlns:a="http://www.w3.org/2005/08/addressing";

xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
        <s:Header>
                <a:Action
s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</a:Action>
                
<a:MessageID>urn:uuid:f878193d-b3b7-4b54-ba02-c11a01285348</a:MessageID>
                <a:ReplyTo>
                        
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
                </a:ReplyTo>
                <a:To
s:mustUnderstand="1">https://192.168.1.47:8443/businessservice/komposit</a:To>
                <o:Security s:mustUnderstand="1"
                
xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";>
                        <u:Timestamp u:Id="_0">
                                <u:Created>2014-02-05T15:02:02.694Z</u:Created>
                                <u:Expires>2014-02-05T15:07:02.694Z</u:Expires>
                        </u:Timestamp>
                        <xenc:EncryptedData Id="ED-4">
                        ENCRYPTED SAML TOKEN
                        </xenc:EncryptedData>
                </o:Security>
        </s:Header>
        <s:Body>
                <trust:RequestSecurityToken
                        
xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512";>
                
<trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
                        </trust:TokenType>
                
<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
                        <trust:Entropy>
                                <trust:BinarySecret 
u:Id="uuid-c604a73d-5045-4b75-859f-778aefc62d70-1"
                                
Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce";>8Ae+h7iuAVGlxCOH5FtdIu0NPI+R52AtdtVecEPIGBA=</trust:BinarySecret>
                        </trust:Entropy>
                        <trust:KeySize>256</trust:KeySize>
                </trust:RequestSecurityToken>
        </s:Body>
</s:Envelope>

WS-Policy:


<wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing";
        xmlns:wsp="http://www.w3.org/ns/ws-policy";

xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
        xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";
        xmlns:wsaw="http://www.w3.org/2005/08/addressing";
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata";
        xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl";
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex";
        wsu:Id="PoCAuthSecurityPolicy">
        <wsp:ExactlyOne>
                <wsp:All>
                        <wsap10:UsingAddressing />
                        <sp:SymmetricBinding>
                                <wsp:Policy>
                                        <sp:ProtectionToken>
                                                <wsp:Policy>
                                                        
<sp:SecureConversationToken
                                                        
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
                                                                <wsp:Policy>
                                                                        
<sp:RequireDerivedKeys />
                                                                        
<sp:BootstrapPolicy>
                                                                                
<wsp:Policy>
                                                                                
        <sp:SymmetricBinding>
                                                                                
                <wsp:Policy>
                                                                                
                        <sp:ProtectionToken>
                                                                                
                                <wsp:Policy>
                                                                                
                                        <sp:IssuedToken
                                                                                
                                        
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient";>
                                                                                
                                                
<sp:RequestSecurityTokenTemplate>
                                                                                
                                                
<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                                                                                
                                                        </wst:TokenType>
                                                                                
                                                
<wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
                                                                                
                                                
</sp:RequestSecurityTokenTemplate>
                                                                                
                                                <wsp:Policy>
                                                                                
                                                        
                                                                                
                                                </wsp:Policy>
                                                                                
                                                <sp:Issuer>
                                                                                
                                                        
<wsaw:Address>http://localhost:8080/sts/sts
                                                                                
                                                        </wsaw:Address>
                                                                                
                                                        <wsaw:Metadata>
                                                                                
                                                                
<wsam:ServiceName
EndpointName="UT_Port">wst:SecurityTokenService</wsam:ServiceName>
                                                                                
                                                        </wsaw:Metadata>
                                                                                
                                                </sp:Issuer>
                                                                                
                                        </sp:IssuedToken>
                                                                                
                                </wsp:Policy>
                                                                                
                        </sp:ProtectionToken>
                                                                                
                        <sp:Layout>
                                                                                
                                <wsp:Policy>
                                                                                
                                        <sp:Lax />
                                                                                
                                </wsp:Policy>
                                                                                
                        </sp:Layout>
                                                                                
                        <sp:AlgorithmSuite>
                                                                                
                                <wsp:Policy>
                                                                                
                                        <sp:Basic256 />
                                                                                
                                </wsp:Policy>
                                                                                
                        </sp:AlgorithmSuite>
                                                                                
                </wsp:Policy>
                                                                                
        </sp:SymmetricBinding>
                                                                                
        <sp:Wss11>
                                                                                
                <wsp:Policy>
                                                                                
                        <sp:MustSupportRefIssuerSerial />
                                                                                
                        <sp:MustSupportRefThumbprint />
                                                                                
                        <sp:MustSupportRefEncryptedKey />
                                                                                
                </wsp:Policy>
                                                                                
        </sp:Wss11>
                                                                                
        <sp:Trust13>
                                                                                
                <wsp:Policy>
                                                                                
                        <sp:MustSupportIssuedTokens />
                                                                                
                        <sp:RequireClientEntropy />
                                                                                
                        <sp:RequireServerEntropy />
                                                                                
                </wsp:Policy>
                                                                                
        </sp:Trust13>
                                                                                
</wsp:Policy>
                                                                        
</sp:BootstrapPolicy>
                                                                </wsp:Policy>
                                                        
</sp:SecureConversationToken>
                                                </wsp:Policy>
                                        </sp:ProtectionToken>
                                        <sp:AlgorithmSuite>
                                                <wsp:Policy>
                                                        <sp:Basic256 />
                                                </wsp:Policy>
                                        </sp:AlgorithmSuite>
                                </wsp:Policy>
                        </sp:SymmetricBinding>
                </wsp:All>
        </wsp:ExactlyOne>
</wsp:Policy>   



--
View this message in context: 
http://cxf.547215.n5.nabble.com/Where-to-put-sp-Timestamp-in-WS-Policy-for-RST-SCT-Issue-Request-with-Timestamp-tp5739515.html
Sent from the cxf-user mailing list archive at Nabble.com.
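An added example, not from the post or from CXF, showing the two things at play here in Python: the freshness rules a WS-Security receiver applies to a <u:Timestamp> like the posted one, and a scan of a WS-Policy document for sp:IncludeTimestamp as a nested assertion of each security binding, which is where WS-SecurityPolicy 1.2 defines it. The envelope and policy are constructed, trimmed copies of the posted ones (wsp:ExactlyOne/wsp:All and the token details left out); the "outer"/"bootstrap" labels and the policy() helper are this example's own, and it does not decide which of the two bindings CXF checks the RST/SCT against, it only reports where the assertion sits.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "u": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
      "sp": "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
      "wsp": "http://www.w3.org/ns/ws-policy"}
BINDINGS = {"{%s}%sBinding" % (NS["sp"], n) for n in ("Symmetric", "Asymmetric", "Transport")}

def parse_wsu(text):  # wsu times are UTC ('Z'), with or without fractional seconds
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def check_timestamp(envelope_xml, now, ttl=timedelta(minutes=5), skew=timedelta(seconds=60)):
    """Freshness checks a WSS receiver applies to <u:Timestamp>; returns (ok, reason)."""
    ts = ET.fromstring(envelope_xml).find("s:Header/o:Security/u:Timestamp", NS)
    if ts is None:
        return False, "no Timestamp in the Security header"
    created = parse_wsu(ts.findtext("u:Created", namespaces=NS))
    expires = parse_wsu(e) if (e := ts.findtext("u:Expires", namespaces=NS)) else created + ttl  # Expires is optional
    if created > now + skew:
        return False, "Created lies in the future beyond the allowed clock skew"
    if expires <= now:
        return False, "Timestamp has expired"
    if expires - created > ttl:
        return False, "Created..Expires window exceeds %s" % ttl
    return True, "ok"

def bindings_with_timestamp(policy_xml):
    """('outer'|'bootstrap', has_IncludeTimestamp) per security binding, in document order."""
    found = []
    def walk(el, in_bootstrap):
        for child in el:
            boot = in_bootstrap or child.tag == "{%s}BootstrapPolicy" % NS["sp"]
            if child.tag in BINDINGS:  # the assertion counts only as a child of the binding's nested Policy
                has = child.find("wsp:Policy/sp:IncludeTimestamp", NS) is not None
                found.append(("bootstrap" if boot else "outer", has))
            walk(child, boot)
    walk(ET.fromstring(policy_xml), False)
    return found

# Constructed inputs that mirror the post's message and policy, trimmed to the relevant elements.
ENVELOPE = ('<s:Envelope xmlns:s="%(s)s" xmlns:o="%(o)s" xmlns:u="%(u)s"><s:Header><o:Security><u:Timestamp u:Id="_0">'
            '<u:Created>2014-02-05T15:02:02.694Z</u:Created><u:Expires>2014-02-05T15:07:02.694Z</u:Expires>'
            '</u:Timestamp></o:Security></s:Header><s:Body/></s:Envelope>') % NS
def policy(outer="", bootstrap=""):  # assertions to drop into the outer / bootstrap SymmetricBinding
    return ('<wsp:Policy xmlns:wsp="%(wsp)s" xmlns:sp="%(sp)s"><sp:SymmetricBinding><wsp:Policy>' + outer +
            '<sp:ProtectionToken><wsp:Policy><sp:SecureConversationToken><wsp:Policy><sp:BootstrapPolicy><wsp:Policy>'
            '<sp:SymmetricBinding><wsp:Policy>' + bootstrap + '</wsp:Policy></sp:SymmetricBinding></wsp:Policy></sp:BootstrapPolicy>'
            '</wsp:Policy></sp:SecureConversationToken></wsp:Policy></sp:ProtectionToken></wsp:Policy></sp:SymmetricBinding></wsp:Policy>') % NS
```

Run against the posted policy shape, policy() reports both SymmetricBindings without the assertion; policy(bootstrap="<sp:IncludeTimestamp/>") shows the spec-conformant position inside the bootstrap binding's nested wsp:Policy.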