Hi Colm,

I added the TransportBindings to the policies. That solved the timestamp
issue! 
Now I receive another error due to a policy violation from the RST/SCT Issue
call:

WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
has thrown exception, unwinding now:
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding
        at
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)


Below you can see the policies and the request.
Can you tell me why the policy verification fails? Is there a way to get
more precise information from the DEBUG output to better understand why the
request fails?


Policy STS


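  <wsp:Policy wsu:Id="UT_policy">
    <!-- STS endpoint policy: a single alternative (one wsp:All) combining WS-Addressing,
         a TransportBinding (TLS) and a UsernameToken supporting token. The wsp, wsu and
         wsap10 prefixes are assumed to be declared by the enclosing WSDL; only sp is
         declared in this excerpt. Stray ";" characters after the namespace URIs in the
         mail archive broke well-formedness and have been removed. -->
    <wsp:ExactlyOne>
      <wsp:All>
        <wsap10:UsingAddressing/>

        <!-- Transport-level protection: integrity and confidentiality of the RST come
             from the HTTPS channel, not from message-level XML Signature/Encryption. -->
        <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <!-- Empty nested policy: HTTPS is required but no client certificate is
                     demanded, so the UsernameToken below is the only client
                     authentication this alternative asserts. -->
                <sp:HttpsToken>
                  <wsp:Policy/>
                </sp:HttpsToken>
              </wsp:Policy>
            </sp:TransportToken>
            <!-- Basic256: AES-256-CBC for data, RSA-OAEP for key transport (the captured
                 request below uses exactly these algorithm URIs). -->
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <!-- Lax: no ordering constraint on the wsse:Security header children. -->
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax/>
              </wsp:Policy>
            </sp:Layout>
            <!-- A wsu:Timestamp must be present in the security header (freshness window). -->
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:TransportBinding>

        <!-- Plain SupportingTokens (not Signed/Encrypted SupportingTokens): the
             UsernameToken travels in the clear inside the envelope and relies solely on
             the TLS channel for confidentiality of the password. -->
        <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssUsernameToken11/>
              </wsp:Policy>
            </sp:UsernameToken>
          </wsp:Policy>
        </sp:SupportingTokens>

        <!-- WS-Security 1.1 token reference forms the STS must accept. -->
        <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier/>
            <sp:MustSupportRefIssuerSerial/>
            <sp:MustSupportRefThumbprint/>
            <sp:MustSupportRefEncryptedKey/>
          </wsp:Policy>
        </sp:Wss11>

        <!-- WS-Trust 1.3: both parties contribute entropy, so issued keys are computed
             rather than chosen by one side (the captured RST carries a client nonce and
             requests CK/PSHA1). -->
        <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens/>
            <sp:RequireClientEntropy/>
            <sp:RequireServerEntropy/>
          </wsp:Policy>
        </sp:Trust13>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>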


Policy business service


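   <wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
               xmlns:wsp="http://www.w3.org/ns/ws-policy"
               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
               xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
               xmlns:wsaw="http://www.w3.org/2005/08/addressing"
               xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
               xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
               xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
               wsu:Id="PoCAuthSecurityPolicy">
     <!-- Business-service policy: one alternative that combines a transport binding with
          a secure-conversation symmetric binding (see the review note below). All prefixes
          are declared once on the root; the repeated xmlns:sp on the inner TransportBinding
          was redundant and the stray ";" characters after namespace URIs (archive artefacts
          that broke well-formedness) have been removed. wsa and wsx are declared but not
          used in this excerpt. -->
     <wsp:ExactlyOne>
       <wsp:All>
         <wsap10:UsingAddressing/>

         <!-- NOTE(review): two binding assertions share this wsp:All, the TransportBinding
              here and the SymmetricBinding further down. WS-SecurityPolicy expects a single
              binding per alternative, so the policy engine has no way to decide which one
              governs a given message. The PolicyException quoted in the mail lists exactly
              SymmetricBinding, ProtectionToken and Layout as unsatisfied, which is what one
              would expect when the RST/SCT arrives protected only at transport level (its
              Security header has no ds:Signature and no issued token). If the SCT request is
              meant to be protected by TLS alone, the TransportBinding belongs inside the
              SecureConversationToken's BootstrapPolicy instead of the inner SymmetricBinding,
              not next to the outer one; confirm against the CXF WS-SecureConversation docs. -->
         <sp:TransportBinding>
           <wsp:Policy>
             <sp:TransportToken>
               <wsp:Policy>
                 <!-- HTTPS required; empty nested policy means no client certificate is demanded. -->
                 <sp:HttpsToken>
                   <wsp:Policy/>
                 </sp:HttpsToken>
               </wsp:Policy>
             </sp:TransportToken>
             <sp:AlgorithmSuite>
               <wsp:Policy>
                 <sp:Basic256/>
               </wsp:Policy>
             </sp:AlgorithmSuite>
             <sp:Layout>
               <wsp:Policy>
                 <sp:Lax/>
               </wsp:Policy>
             </sp:Layout>
             <sp:IncludeTimestamp/>
           </wsp:Policy>
         </sp:TransportBinding>

         <!-- Application messages: protected with keys derived from a SecureConversationToken,
              which is itself bootstrapped through an issued SAML 2.0 token. -->
         <sp:SymmetricBinding>
           <wsp:Policy>
             <sp:ProtectionToken>
               <wsp:Policy>
                 <sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                   <wsp:Policy>
                     <!-- Per-message keys are derived from the SCT secret instead of using the
                          secret directly. -->
                     <sp:RequireDerivedKeys/>
                     <!-- Policy that applies to the RST/SCT exchange itself. -->
                     <sp:BootstrapPolicy>
                       <wsp:Policy>
                         <sp:SymmetricBinding>
                           <wsp:Policy>
                             <sp:ProtectionToken>
                               <wsp:Policy>
                                 <!-- NOTE(review): the template requests KeyType Bearer. A bearer token
                                      carries no proof key, so there is nothing from which a symmetric
                                      protection key can be derived for this binding; a SymmetricBinding
                                      protection token normally uses the SymmetricKey key type
                                      (http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey).
                                      Confirm against the STS configuration before changing it. -->
                                 <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                   <sp:RequestSecurityTokenTemplate>
                                     <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
                                     <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
                                   </sp:RequestSecurityTokenTemplate>
                                   <wsp:Policy/>
                                   <!-- STS that issues the bootstrap token; the client's TLS trust store and
                                        hostname check apply to "server". -->
                                   <sp:Issuer>
                                     <wsaw:Address>https://server:8443/sts</wsaw:Address>
                                     <wsaw:Metadata>
                                       <wsam:ServiceName EndpointName="UT_Port">wst:SecurityTokenService</wsam:ServiceName>
                                     </wsaw:Metadata>
                                   </sp:Issuer>
                                 </sp:IssuedToken>
                               </wsp:Policy>
                             </sp:ProtectionToken>
                             <sp:Layout>
                               <wsp:Policy>
                                 <sp:Lax/>
                               </wsp:Policy>
                             </sp:Layout>
                             <sp:AlgorithmSuite>
                               <wsp:Policy>
                                 <sp:Basic256/>
                               </wsp:Policy>
                             </sp:AlgorithmSuite>
                             <!-- No sp:IncludeTimestamp in this bootstrap binding, unlike the outer
                                  TransportBinding, although the captured RST/SCT carries a wsu:Timestamp. -->
                           </wsp:Policy>
                         </sp:SymmetricBinding>
                       </wsp:Policy>
                     </sp:BootstrapPolicy>
                   </wsp:Policy>
                 </sp:SecureConversationToken>
               </wsp:Policy>
             </sp:ProtectionToken>
             <sp:AlgorithmSuite>
               <wsp:Policy>
                 <sp:Basic256/>
               </wsp:Policy>
             </sp:AlgorithmSuite>
           </wsp:Policy>
         </sp:SymmetricBinding>

         <!-- Integrity over the SOAP Body; confidentiality for the application's Data elements. -->
         <sp:SignedParts>
           <sp:Body/>
         </sp:SignedParts>
         <sp:EncryptedElements>
           <sp:XPath>//*[local-name()='Data' and namespace-uri()='http://data']</sp:XPath>
         </sp:EncryptedElements>
       </wsp:All>
     </wsp:ExactlyOne>
   </wsp:Policy>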


SOAP Message with RST-Issue SCT


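<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <!-- Captured RST/SCT Issue request. It is addressed to the business service (a:To below),
       not to the STS address named in the policy: the service endpoint issues the
       SecureConversationToken itself, which matches the interceptor named in the quoted
       PolicyException. Stray ";" characters after namespace URIs (archive artefacts) and a
       truncated closing tag have been repaired; no values were changed. -->
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</a:Action>
    <a:MessageID>urn:uuid:c4151332-8fe1-4111-a792-5bd668eb821e</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://192.168.1.47:8443/service</a:To>
    <!-- Security header: a Timestamp and one EncryptedData block only. There is no
         ds:Signature and no issued token, so a SymmetricBinding (ProtectionToken,
         SignedParts) evaluated against this message cannot be satisfied; only a
         TransportBinding can. -->
    <o:Security s:mustUnderstand="1"
                xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <!-- Five-minute freshness window. -->
      <u:Timestamp u:Id="_0">
        <u:Created>2014-02-06T09:06:20.795Z</u:Created>
        <u:Expires>2014-02-06T09:11:20.795Z</u:Expires>
      </u:Timestamp>
      <!-- Element encryption with AES-256-CBC; the content key is wrapped with RSA-OAEP for
           the recipient certificate identified by issuer/serial below. The encrypted element
           is not recoverable from this capture (a UsernameToken would be the usual candidate
           for an RST; confirm). CBC-mode XML Encryption is known to be exposed to
           padding-oracle attacks when decryption failures are observable by the sender; here
           the TLS channel is the primary protection. -->
      <xenc:EncryptedData Id="ED-17"
                          Type="http://www.w3.org/2001/04/xmlenc#Element"
                          xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
        <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
        <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <xenc:EncryptedKey Id="EK-B343A30ECED362416C139167757963318">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
            <ds:KeyInfo>
              <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                <ds:X509Data>
                  <ds:X509IssuerSerial>
                    <ds:X509IssuerName>CN=Company</ds:X509IssuerName>
                    <ds:X509SerialNumber>556889307</ds:X509SerialNumber>
                  </ds:X509IssuerSerial>
                </ds:X509Data>
              </wsse:SecurityTokenReference>
            </ds:KeyInfo>
            <xenc:CipherData>
              <!-- Ciphertext elided by the poster; the closing tag was lost in the mail and is restored. -->
              <xenc:CipherValue>WuARdO...</xenc:CipherValue>
            </xenc:CipherData>
          </xenc:EncryptedKey>
        </ds:KeyInfo>
        <xenc:CipherData>
          <xenc:CipherValue>2YYuHU0xZq5...</xenc:CipherValue>
        </xenc:CipherData>
      </xenc:EncryptedData>
    </o:Security>
  </s:Header>
  <s:Body>
    <!-- The body is neither signed nor encrypted at message level; confidentiality of the
         client entropy below therefore rests entirely on TLS. -->
    <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
      <!-- NOTE(review): this Lifetime (2014-01-28) predates the header Timestamp (2014-02-06)
           by nine days, so the requested validity interval is already in the past when the
           message is sent. Stale clock or stale capture; confirm, since an issuer may reject
           an expired Lifetime. -->
      <trust:Lifetime xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsu:Created>2014-01-28T12:33:24.835Z</wsu:Created>
        <wsu:Expires>2014-01-28T12:38:24.835Z</wsu:Expires>
      </trust:Lifetime>
      <trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</trust:TokenType>
      <!-- Client entropy: a 32-byte nonce (matches KeySize 256), to be combined with server
           entropy via the PSHA1 computed-key algorithm requested below. -->
      <trust:Entropy>
        <trust:BinarySecret u:Id="uuid-ccb577a5-b787-4777-b52a-0387e70d5d34-1"
                            Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">M0TLwBNGSzOrJAeafQOsrA/Fl48woeeuKDxwnD8Iicc=</trust:BinarySecret>
      </trust:Entropy>
      <trust:KeySize>256</trust:KeySize>
      <trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm>
      <trust:Renewing/>
    </trust:RequestSecurityToken>
  </s:Body>
</s:Envelope>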


