It should go in the BootstrapPolicy as a child of the SymmetricBinding policy, e.g. after the sp:Layout assertion.
Colm.

On Wed, Feb 5, 2014 at 3:24 PM, bob45 <[email protected]> wrote:

> Hi,
>
> I am trying to send a RST-Issue to my business service to get an SCT. The
> header contains a SAML bootstrap token. When I send the message without
> <u:Timestamp> in the security header everything works fine. But when I add
> the timestamp header the service complains:
>
> WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
> has thrown exception, unwinding now:
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
> be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
> Received Timestamp does not match the requirements
> at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
> at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
> at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>
> Ok, that makes sense as the timestamp is not part of the service policy.
> So I tried to add <sp:IncludeTimestamp> at various places in the policy
> without effect.
> Please see the message and policy below.
>
> My question is where to put the <sp:IncludeTimestamp> in the policy to
> match the incoming message?
>
> Message (including timestamp header):
>
> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>             xmlns:a="http://www.w3.org/2005/08/addressing"
>             xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>   <s:Header>
>     <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</a:Action>
>     <a:MessageID>urn:uuid:f878193d-b3b7-4b54-ba02-c11a01285348</a:MessageID>
>     <a:ReplyTo>
>       <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
>     </a:ReplyTo>
>     <a:To s:mustUnderstand="1">https://192.168.1.47:8443/businessservice/komposit</a:To>
>     <o:Security s:mustUnderstand="1"
>                 xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>       <u:Timestamp u:Id="_0">
>         <u:Created>2014-02-05T15:02:02.694Z</u:Created>
>         <u:Expires>2014-02-05T15:07:02.694Z</u:Expires>
>       </u:Timestamp>
>       <xenc:EncryptedData Id="ED-4">
>         ENCRYPTED SAML TOKEN
>       </xenc:EncryptedData>
>     </o:Security>
>   </s:Header>
>   <s:Body>
>     <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</trust:TokenType>
>       <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>       <trust:Entropy>
>         <trust:BinarySecret u:Id="uuid-c604a73d-5045-4b75-859f-778aefc62d70-1"
>                             Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">8Ae+h7iuAVGlxCOH5FtdIu0NPI+R52AtdtVecEPIGBA=</trust:BinarySecret>
>       </trust:Entropy>
>       <trust:KeySize>256</trust:KeySize>
>     </trust:RequestSecurityToken>
>   </s:Body>
> </s:Envelope>
>
> WS-Policy:
>
> <wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>             xmlns:wsp="http://www.w3.org/ns/ws-policy"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>             xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>             xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>             xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>             xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>             xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>             wsu:Id="PoCAuthSecurityPolicy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <wsap10:UsingAddressing />
>       <sp:SymmetricBinding>
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys />
>                   <sp:BootstrapPolicy>
>                     <wsp:Policy>
>                       <sp:SymmetricBinding>
>                         <wsp:Policy>
>                           <sp:ProtectionToken>
>                             <wsp:Policy>
>                               <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                 <sp:RequestSecurityTokenTemplate>
>                                   <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
>                                   <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
>                                 </sp:RequestSecurityTokenTemplate>
>                                 <wsp:Policy>
>                                 </wsp:Policy>
>                                 <sp:Issuer>
>                                   <wsaw:Address>http://localhost:8080/sts/sts</wsaw:Address>
>                                   <wsaw:Metadata>
>                                     <wsam:ServiceName EndpointName="UT_Port">wst:SecurityTokenService</wsam:ServiceName>
>                                   </wsaw:Metadata>
>                                 </sp:Issuer>
>                               </sp:IssuedToken>
>                             </wsp:Policy>
>                           </sp:ProtectionToken>
>                           <sp:Layout>
>                             <wsp:Policy>
>                               <sp:Lax />
>                             </wsp:Policy>
>                           </sp:Layout>
>                           <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                               <sp:Basic256 />
>                             </wsp:Policy>
>                           </sp:AlgorithmSuite>
>                         </wsp:Policy>
>                       </sp:SymmetricBinding>
>                       <sp:Wss11>
>                         <wsp:Policy>
>                           <sp:MustSupportRefIssuerSerial />
>                           <sp:MustSupportRefThumbprint />
>                           <sp:MustSupportRefEncryptedKey />
>                         </wsp:Policy>
>                       </sp:Wss11>
>                       <sp:Trust13>
>                         <wsp:Policy>
>                           <sp:MustSupportIssuedTokens />
>                           <sp:RequireClientEntropy />
>                           <sp:RequireServerEntropy />
>                         </wsp:Policy>
>                       </sp:Trust13>
>                     </wsp:Policy>
>                   </sp:BootstrapPolicy>
>                 </wsp:Policy>
>               </sp:SecureConversationToken>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Where-to-put-sp-Timestamp-in-WS-Policy-for-RST-SCT-Issue-Request-with-Timestamp-tp5739515.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
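The placement Colm describes, written out as an added example (not a fragment from the thread or from CXF): the inner sp:SymmetricBinding of the sp:BootstrapPolicy from the quoted policy, with sp:IncludeTimestamp inserted as a direct child of that binding's wsp:Policy after sp:Layout. The sp:Issuer metadata and the sibling sp:Wss11/sp:Trust13 assertions are left out here for brevity and are assumed unchanged.

```xml
<sp:BootstrapPolicy>
  <wsp:Policy>
    <sp:SymmetricBinding>
      <wsp:Policy>
        <sp:ProtectionToken>
          <wsp:Policy>
            <!-- SAML 2.0 bearer token issued by the STS, as in the original policy
                 (sp:Issuer metadata omitted in this example) -->
            <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <sp:RequestSecurityTokenTemplate>
                <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
                <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
              </sp:RequestSecurityTokenTemplate>
              <wsp:Policy/>
              <sp:Issuer>
                <wsaw:Address>http://localhost:8080/sts/sts</wsaw:Address>
              </sp:Issuer>
            </sp:IssuedToken>
          </wsp:Policy>
        </sp:ProtectionToken>
        <sp:Layout>
          <wsp:Policy>
            <sp:Lax />
          </wsp:Policy>
        </sp:Layout>
        <!-- Added: sp:IncludeTimestamp is a property of the security binding, so it
             belongs directly under the SymmetricBinding's wsp:Policy (not under
             ProtectionToken, Wss11 or Trust13). With it present, a wsu:Timestamp in
             the bootstrap RST's Security header satisfies the policy instead of
             failing with "Received Timestamp does not match the requirements";
             the binding's signature is then expected to cover the timestamp. -->
        <sp:IncludeTimestamp />
        <sp:AlgorithmSuite>
          <wsp:Policy>
            <sp:Basic256 />
          </wsp:Policy>
        </sp:AlgorithmSuite>
      </wsp:Policy>
    </sp:SymmetricBinding>
    <!-- sp:Wss11 and sp:Trust13 follow here unchanged from the original policy -->
  </wsp:Policy>
</sp:BootstrapPolicy>
```

The outer SymmetricBinding (the one protecting the SecureConversationToken) gets its own sp:IncludeTimestamp in the same position if the post-bootstrap messages also carry a timestamp.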
