This is my amended STS policy:

  <wsp:Policy wsu:Id="UT_policy"
      xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:ExactlyOne>
      <wsp:All>
        <wsap10:UsingAddressing/>
        <sp:SymmetricBinding
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:SupportingTokens
                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
              <wsp:Policy>
                <sp:UsernameToken
                    sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:WssUsernameToken11/>
                  </wsp:Policy>
                </sp:UsernameToken>
              </wsp:Policy>
            </sp:SupportingTokens>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:SymmetricBinding>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

When I use this, I already get the following error on the initial RST-Issue
for the SAML Token:

WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
has thrown exception, unwinding now:
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp:
Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
Received Timestamp does not match the requirements
        at
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)


The SAML RST is as follows:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:bf62d776-4eff-461a-8a57-471e165e19df</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https:/server:8443/sts</a:To>
    <o:Security s:mustUnderstand="1"
        xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2014-02-05T16:35:38.720Z</u:Created>
        <u:Expires>2014-02-05T16:40:38.720Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-2341ccae-1fe5-46d8-a84e-4569e6e7dfb5-1">
        <o:Username>user</o:Username>
        <o:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <trust:RequestSecurityToken
        xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>http://server:8080/service</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
      <trust:Lifetime>
        <wsu:Created
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-02-05T16:35:38.684Z</wsu:Created>
        <wsu:Expires
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-02-05T22:35:38.684Z</wsu:Expires>
      </trust:Lifetime>
      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
      <trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>
--
View this message in context: 
http://cxf.547215.n5.nabble.com/Where-to-put-sp-Timestamp-in-WS-Policy-for-RST-SCT-Issue-Request-with-Timestamp-tp5739515p5739521.html
Sent from the cxf-user mailing list archive at Nabble.com.
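Added example, not code from the post or from CXF: the checks a policy-enforcing receiver applies to a wsu:Timestamp (present, Created before Expires, lifetime within a TTL, not expired or future-dated beyond clock skew, and covered by a ds:Signature reference as an IncludeTimestamp binding expects), run over a trimmed copy of the Security header from the RST above. The TTL and skew values, and the trimmed sample envelope, are assumptions made for the example.

```python
# Added example (not from the original post or from CXF): validate the
# WS-Security Timestamp of an incoming RST the way a policy-enforcing receiver
# would. The Security header is a constructed sample trimmed from the post.
# Assumptions: the 5-minute TTL and 60-second clock skew are arbitrary choices.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the Timestamp from the post's RST, without the UsernameToken.
SAMPLE_RST = f"""<s:Envelope xmlns:s="{SOAP}" xmlns:u="{WSU}" xmlns:o="{WSSE}">
  <s:Header><o:Security s:mustUnderstand="1">
    <u:Timestamp u:Id="_0">
      <u:Created>2014-02-05T16:35:38.720Z</u:Created>
      <u:Expires>2014-02-05T16:40:38.720Z</u:Expires>
    </u:Timestamp>
  </o:Security></s:Header><s:Body/></s:Envelope>"""


def parse_utc(text):
    # WS-Security timestamps are xsd:dateTime in UTC with a trailing "Z".
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def check_timestamp(envelope_xml, now, max_ttl=timedelta(minutes=5), skew=timedelta(seconds=60)):
    """Return the list of problems found; an empty list means the Timestamp passes."""
    root = ET.fromstring(envelope_xml)
    ts = root.find(f"{{{SOAP}}}Header/{{{WSSE}}}Security/{{{WSU}}}Timestamp")
    if ts is None:
        return ["no wsu:Timestamp in the Security header"]
    problems = []
    created = parse_utc(ts.findtext(f"{{{WSU}}}Created"))
    expires = parse_utc(ts.findtext(f"{{{WSU}}}Expires"))
    if expires <= created:
        problems.append("Expires is not after Created")
    if expires - created > max_ttl:
        problems.append("Timestamp lifetime exceeds the allowed TTL")
    if created > now + skew:
        problems.append("Created is in the future beyond the allowed clock skew")
    if now > expires + skew:
        problems.append("Timestamp has expired")
    # A binding with sp:IncludeTimestamp expects the Timestamp to be signed:
    # look for a ds:Reference whose URI points at the Timestamp's wsu:Id.
    ts_id = ts.get(f"{{{WSU}}}Id")
    refs = {r.get("URI") for r in root.iter(f"{{{DS}}}Reference")}
    if ts_id is None or f"#{ts_id}" not in refs:
        problems.append("Timestamp is not referenced by any ds:Signature")
    return problems


if __name__ == "__main__":
    print(check_timestamp(SAMPLE_RST, parse_utc("2014-02-05T16:36:00.000Z")))
```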