The problem is that your business service WSDL has both a SymmetricBinding + a TransportBinding policy. What exactly are you trying to achieve?

Colm.

On Thu, Feb 6, 2014 at 9:28 AM, bob45 <[email protected]> wrote:

> Hi Colm,
>
> I added the TransportBindings to the policies. That solved the timestamp
> issue!
> Now I receive another error due to a policy violation from the RST/SCT Issue
> call:
>
> WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
> has thrown exception, unwinding now:
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
> be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding
> at
> org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
>
> Below you can see the policies and the request.
> Can you tell me why the policy verification fails? Is there a way to get
> more precise information from the DEBUG output to better understand why the
> request fails?
>
>
> Policy STS
>
> <wsp:Policy wsu:Id="UT_policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <wsap10:UsingAddressing/>
>       <sp:TransportBinding
>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:TransportToken>
>             <wsp:Policy>
>               <sp:HttpsToken>
>                 <wsp:Policy />
>               </sp:HttpsToken>
>             </wsp:Policy>
>           </sp:TransportToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>         </wsp:Policy>
>       </sp:TransportBinding>
>       <sp:SupportingTokens
>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:UsernameToken
>               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:WssUsernameToken11/>
>             </wsp:Policy>
>           </sp:UsernameToken>
>         </wsp:Policy>
>       </sp:SupportingTokens>
>       <sp:Wss11
>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:MustSupportRefKeyIdentifier />
>           <sp:MustSupportRefIssuerSerial />
>           <sp:MustSupportRefThumbprint />
>           <sp:MustSupportRefEncryptedKey />
>         </wsp:Policy>
>       </sp:Wss11>
>       <sp:Trust13
>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens />
>           <sp:RequireClientEntropy />
>           <sp:RequireServerEntropy />
>         </wsp:Policy>
>       </sp:Trust13>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> Policy business service
>
> <wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>     xmlns:wsp="http://www.w3.org/ns/ws-policy"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>     xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>     xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>     xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>     xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>     wsu:Id="PoCAuthSecurityPolicy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <wsap10:UsingAddressing/>
>       <sp:TransportBinding
>           xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>         <wsp:Policy>
>           <sp:TransportToken>
>             <wsp:Policy>
>               <sp:HttpsToken>
>                 <wsp:Policy />
>               </sp:HttpsToken>
>             </wsp:Policy>
>           </sp:TransportToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>         </wsp:Policy>
>       </sp:TransportBinding>
>       <sp:SymmetricBinding>
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:SecureConversationToken
>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys />
>                   <sp:BootstrapPolicy>
>                     <wsp:Policy>
>                       <sp:SymmetricBinding>
>                         <wsp:Policy>
>                           <sp:ProtectionToken>
>                             <wsp:Policy>
>                               <sp:IssuedToken
>                                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                 <sp:RequestSecurityTokenTemplate>
>                                   <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
>                                   <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
>                                 </sp:RequestSecurityTokenTemplate>
>                                 <wsp:Policy>
>                                 </wsp:Policy>
>                                 <sp:Issuer>
>                                   <wsaw:Address>https://server:8443/sts</wsaw:Address>
>                                   <wsaw:Metadata>
>                                     <wsam:ServiceName EndpointName="UT_Port">wst:SecurityTokenService</wsam:ServiceName>
>                                   </wsaw:Metadata>
>                                 </sp:Issuer>
>                               </sp:IssuedToken>
>                             </wsp:Policy>
>                           </sp:ProtectionToken>
>                           <sp:Layout>
>                             <wsp:Policy>
>                               <sp:Lax />
>                             </wsp:Policy>
>                           </sp:Layout>
>                           <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                               <sp:Basic256 />
>                             </wsp:Policy>
>                           </sp:AlgorithmSuite>
>                         </wsp:Policy>
>                       </sp:SymmetricBinding>
>                     </wsp:Policy>
>                   </sp:BootstrapPolicy>
>                 </wsp:Policy>
>               </sp:SecureConversationToken>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>       <sp:SignedParts>
>         <sp:Body/>
>       </sp:SignedParts>
>       <sp:EncryptedElements>
>         <sp:XPath>//*[local-name()='Data' and namespace-uri()='http://data']</sp:XPath>
>       </sp:EncryptedElements>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> SOAP Message with RST-Issue SCT
>
> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:a="http://www.w3.org/2005/08/addressing"
>     xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>   <s:Header>
>     <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</a:Action>
>     <a:MessageID>urn:uuid:c4151332-8fe1-4111-a792-5bd668eb821e</a:MessageID>
>     <a:ReplyTo>
>       <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
>     </a:ReplyTo>
>     <a:To s:mustUnderstand="1">https://192.168.1.47:8443/service</a:To>
>     <o:Security s:mustUnderstand="1"
>         xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>       <u:Timestamp u:Id="_0">
>         <u:Created>2014-02-06T09:06:20.795Z</u:Created>
>         <u:Expires>2014-02-06T09:11:20.795Z</u:Expires>
>       </u:Timestamp>
>       <xenc:EncryptedData Id="ED-17"
>           Type="http://www.w3.org/2001/04/xmlenc#Element"
>           xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>         <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>         <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>           <xenc:EncryptedKey Id="EK-B343A30ECED362416C139167757963318">
>             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>             <ds:KeyInfo>
>               <wsse:SecurityTokenReference
>                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                 <ds:X509Data>
>                   <ds:X509IssuerSerial>
>                     <ds:X509IssuerName>CN=Company</ds:X509IssuerName>
>                     <ds:X509SerialNumber>556889307</ds:X509SerialNumber>
>                   </ds:X509IssuerSerial>
>                 </ds:X509Data>
>               </wsse:SecurityTokenReference>
>             </ds:KeyInfo>
>             <xenc:CipherData>
>               <xenc:CipherValue>WuARdO...</xenc:CipherValue>
>             </xenc:CipherData>
>           </xenc:EncryptedKey>
>         </ds:KeyInfo>
>         <xenc:CipherData>
>           <xenc:CipherValue>2YYuHU0xZq5...</xenc:CipherValue>
>         </xenc:CipherData>
>       </xenc:EncryptedData>
>     </o:Security>
>   </s:Header>
>   <s:Body>
>     <trust:RequestSecurityToken
>         xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>       <trust:Lifetime
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>         <wsu:Created>2014-01-28T12:33:24.835Z</wsu:Created>
>         <wsu:Expires>2014-01-28T12:38:24.835Z</wsu:Expires>
>       </trust:Lifetime>
>       <trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</trust:TokenType>
>       <trust:Entropy>
>         <trust:BinarySecret u:Id="uuid-ccb577a5-b787-4777-b52a-0387e70d5d34-1"
>             Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">M0TLwBNGSzOrJAeafQOsrA/Fl48woeeuKDxwnD8Iicc=</trust:BinarySecret>
>       </trust:Entropy>
>       <trust:KeySize>256</trust:KeySize>
>       <trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm>
>       <trust:Renewing/>
>     </trust:RequestSecurityToken>
>   </s:Body>
> </s:Envelope>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Where-to-put-sp-Timestamp-in-WS-Policy-for-RST-SCT-Issue-Request-with-Timestamp-tp5739515p5739549.html
> Sent from the cxf-user mailing list archive at Nabble.com.

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
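The reply above pins the failure on the business-service policy declaring both a TransportBinding and a SymmetricBinding in the same alternative. The script below is an added example by the editor, not code from this thread or from Apache CXF: it walks every `wsp:All` alternative of a WS-SecurityPolicy document and reports any that carries more than one security binding assertion, while leaving the SymmetricBinding nested inside `sp:BootstrapPolicy` uncounted, since that one governs the bootstrap exchange with the STS rather than the outer alternative. The two embedded policies are constructed, reduced forms of the STS and business-service policies quoted above; the namespace set and binding names are the standard WS-Policy and WS-SecurityPolicy 1.2 ones.

```python
"""Lint WS-SecurityPolicy alternatives that declare more than one security binding.

Editor's added example, not code from the CXF thread or the Apache CXF project.
Only direct children of each <wsp:All> count, so a binding nested under
sp:BootstrapPolicy is attributed to the bootstrap policy, not the outer one.
"""
import xml.etree.ElementTree as ET

# WS-Policy 1.5 namespace (used in the thread) and the older 2004/09 one.
WSP_NS = {"http://www.w3.org/ns/ws-policy", "http://schemas.xmlsoap.org/ws/2004/09/policy"}
SP_NS = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
BINDINGS = {"TransportBinding", "SymmetricBinding", "AsymmetricBinding"}


def _split(tag):
    """Return (namespace, local-name) for an ElementTree '{ns}local' tag."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def _is_wsp(elem, local):
    ns, name = _split(elem.tag)
    return ns in WSP_NS and name == local


def bindings_per_alternative(policy_xml):
    """One list of binding local-names per <wsp:All> alternative, in document order."""
    root = ET.fromstring(policy_xml)
    alternatives = [alt for eo in root if _is_wsp(eo, "ExactlyOne")
                    for alt in eo if _is_wsp(alt, "All")]
    if not alternatives:  # a bare <wsp:Policy> is one implicit alternative
        alternatives = [root]
    result = []
    for alt in alternatives:
        names = []
        for child in alt:  # direct children only; nested bootstrap bindings are skipped
            ns, name = _split(child.tag)
            if ns == SP_NS and name in BINDINGS:
                names.append(name)
        result.append(names)
    return result


def lint(policy_xml):
    """Human-readable findings; empty when every alternative has at most one binding."""
    findings = []
    for i, names in enumerate(bindings_per_alternative(policy_xml)):
        if len(names) > 1:
            findings.append("alternative %d declares %d bindings (%s); a message can "
                            "only satisfy one" % (i, len(names), ", ".join(names)))
    return findings


# Constructed sample: reduced business-service policy from the thread, one alternative
# with TransportBinding + SymmetricBinding and a SymmetricBinding in the BootstrapPolicy.
MIXED_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
        <sp:HttpsToken/></wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
      <sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy>
        <sp:SecureConversationToken><wsp:Policy><sp:BootstrapPolicy><wsp:Policy>
          <sp:SymmetricBinding><wsp:Policy/></sp:SymmetricBinding>
        </wsp:Policy></sp:BootstrapPolicy></wsp:Policy></sp:SecureConversationToken>
      </wsp:Policy></sp:ProtectionToken></wsp:Policy></sp:SymmetricBinding>
      <sp:SignedParts><sp:Body/></sp:SignedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed sample: transport-only alternative, like the STS policy in the thread.
TRANSPORT_ONLY_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy>
        <sp:HttpsToken/></wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
      <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""

if __name__ == "__main__":
    for label, doc in (("business service", MIXED_POLICY), ("STS", TRANSPORT_ONLY_POLICY)):
        print(label, bindings_per_alternative(doc), lint(doc) or "ok")
```

Run it against the full policy extracted from the service WSDL to get the same finding CXF's `checkEffectivePolicy` only reports indirectly; a policy that passes this lint can still fail for other reasons, so the check narrows the search rather than replacing the DEBUG output.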
