The policy is not correct. It should have a ProtectionToken which
references the key to use to secure the request. See here for an example
(line 415):

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl?view=markup

Colm.


On Wed, Feb 5, 2014 at 4:41 PM, bob45 <[email protected]> wrote:

> This is my amended STS policy:
>
>   <wsp:Policy wsu:Id="UT_policy"
>       xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <wsap10:UsingAddressing/>
>         <sp:SymmetricBinding
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:SupportingTokens
>                 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>               <wsp:Policy>
>                 <sp:UsernameToken
>                     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                   <wsp:Policy>
>                     <sp:WssUsernameToken11/>
>                   </wsp:Policy>
>                 </sp:UsernameToken>
>               </wsp:Policy>
>             </sp:SupportingTokens>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic256/>
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Lax/>
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp/>
>           </wsp:Policy>
>         </sp:SymmetricBinding>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
> When I use this I get the following error already on the Initial RST-Issue
> for the SAML Token:
>
> WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
> has thrown exception, unwinding now:
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
> be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp:
> Received Timestamp does not match the requirements
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
> Received Timestamp does not match the requirements
>         at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
>
>
> The SAML RST is as follows:
>
> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>             xmlns:a="http://www.w3.org/2005/08/addressing"
>             xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>   <s:Header>
>     <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
>     <a:MessageID>urn:uuid:bf62d776-4eff-461a-8a57-471e165e19df</a:MessageID>
>     <a:ReplyTo>
>       <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
>     </a:ReplyTo>
>     <a:To s:mustUnderstand="1">https:/server:8443/sts</a:To>
>     <o:Security s:mustUnderstand="1"
>                 xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>       <u:Timestamp u:Id="_0">
>         <u:Created>2014-02-05T16:35:38.720Z</u:Created>
>         <u:Expires>2014-02-05T16:40:38.720Z</u:Expires>
>       </u:Timestamp>
>       <o:UsernameToken u:Id="uuid-2341ccae-1fe5-46d8-a84e-4569e6e7dfb5-1">
>         <o:Username>user</o:Username>
>         <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</o:Password>
>       </o:UsernameToken>
>     </o:Security>
>   </s:Header>
>   <s:Body>
>     <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>         <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
>           <wsa:Address>http://server:8080/service</wsa:Address>
>         </wsa:EndpointReference>
>       </wsp:AppliesTo>
>       <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
>       <trust:Lifetime>
>         <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-02-05T16:35:38.684Z</wsu:Created>
>         <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-02-05T22:35:38.684Z</wsu:Expires>
>       </trust:Lifetime>
>       <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>       <trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
>     </trust:RequestSecurityToken>
>   </s:Body>
> </s:Envelope>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Where-to-put-sp-Timestamp-in-WS-Policy-for-RST-SCT-Issue-Request-with-Timestamp-tp5739515p5739521.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
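As an added illustration of the ProtectionToken Colm refers to (this is example policy written for this page, not the CXF systest WSDL linked above and not the poster's configuration): the SymmetricBinding names the key that secures the request, here assumed to be the STS's own X.509 certificate, referenced by thumbprint and never sent in the message, so the client must already hold that certificate and the STS the matching private key. The wsu:Id "UT_policy", the Basic256 suite, Lax layout and the UsernameToken requirement are kept from the poster's policy; the namespace declarations, the X509Token choice, derived keys, thumbprint references and the placement of the supporting token beside the binding are assumptions.

```xml
<wsp:Policy wsu:Id="UT_policy"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl">
  <wsp:ExactlyOne>
    <wsp:All>
      <wsap10:UsingAddressing/>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <!-- ProtectionToken: the key that signs and encrypts the request.
               Assumed here: the STS's X.509 certificate, referenced by
               thumbprint and not included in the message. The client
               encrypts a secret to this certificate and both sides derive
               the symmetric signing/encryption keys from it. -->
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
                <wsp:Policy>
                  <sp:RequireDerivedKeys/>
                  <sp:RequireThumbprintReference/>
                  <sp:WssX509V3Token10/>
                </wsp:Policy>
              </sp:X509Token>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Lax/>
            </wsp:Policy>
          </sp:Layout>
          <!-- Under a binding, IncludeTimestamp means the Timestamp must be
               covered by the message signature, not merely present. -->
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <!-- Supporting tokens are siblings of the binding, not children of it.
           "Signed" requires the UsernameToken to be covered by the binding's
           signature. -->
      <sp:SignedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken11/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedSupportingTokens>
      <!-- Thumbprint references need WSS 1.1 support on both sides. -->
      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefThumbprint/>
        </wsp:Policy>
      </sp:Wss11>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
```

Two things worth checking against the RST quoted above. First, that request carries an unsigned Timestamp and no signature at all; with a SymmetricBinding in force the Timestamp has to be integrity-protected by the binding's key, which is why a policy that names no ProtectionToken cannot be satisfied. Second, the password travels as PasswordText, so without TLS it is sent in the clear; if the transport cannot be relied on, sp:SignedEncryptedSupportingTokens in place of sp:SignedSupportingTokens makes the binding encrypt the UsernameToken as well as sign it.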
