Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Tue, 11 Feb 2014 05:20:32 -0800 

Hi all,
I am trying to use the the Apache CXF Fediz IdP (1.1.0) with an external 
WS-Trust STS [Atos (c) DirX Access implementation based Oracle Metro]. When the 
Fediz IdP tries to send the 
http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue request to the STS, 
an error occurs and following exception can be found in idp.log. The STS's WSDL 
is quoted below. Java clients using Oracle Metro work fine with this STS.
Can you plese give me a hint where and how to configure the encryption 
certificate (I think the error message is misleading)?
Thank you!
Stepan

---------------
2014-02-11 11:24:40,053 
[org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder@http-nio-9443-exec-6]
 DEBUG org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder  
- A encryption username needs to be declared.
org.apache.cxf.ws.policy.PolicyException: A encryption username needs to be 
declared.
        at 
org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:315)
        at 
org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.setEncryptionUser(AbstractBindingBuilder.java:1631)
        at 
org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getEncryptedKeyBuilder(AbstractBindingBuilder.java:1453)
        at 
org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.setupEncryptedKey(SymmetricBindingHandler.java:856)
        at 
org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:298)
        at 
org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:124)
        at 
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:173)
        at 
org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:90)
        at 
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
        at 
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)
        at 
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
        at 
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
        at 
org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
        at 
org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:116)
        at 
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
        at 
org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
        at 
org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
        at 
org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at 
org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at 
org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:66)
        ...
---------------

The WS-Policy parts of the STS's WSDL are:
---------------
<?xml version='1.0' encoding='UTF-8'?>
<wsdl:definitions xmlns:dxa-fed="http://dxa.siemens.com/wsdl/federation/"; 
xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"; 
xmlns:soap11="http://schemas.xmlsoap.org/wsdl/soap11/"; 
xmlns:wsa10="http://www.w3.org/2005/08/addressing"; 
xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"; 
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"; 
xmlns:wsp-xmlsoap="http://schemas.xmlsoap.org/ws/2004/09/policy"; 
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" 
xmlns:xs="http://www.w3.org/2001/XMLSchema"; 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"; 
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"; 
xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"; 
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
 name="Federation" targetNamespace="http://dxa.siemens.com/wsdl/federation/";>
 ...

 <!-- Bindings section -->
 <wsdl:binding name="SecurityTokenManagingSoap12Http" 
type="dxa-fed:SecurityTokenManaging">
    <wsp-xmlsoap:PolicyReference URI="#SecurityTokenService_policy" />
    <soap12:binding style="document" 
transport="http://schemas.xmlsoap.org/soap/http"; />
    <wsdl:operation name="issueSecurityToken">
      <soap12:operation 
soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue"; />
      <wsdl:input>
        <soap12:body use="literal" />
        <wsp-xmlsoap:PolicyReference URI="#SecurityTokenManaging_Input_Policy" 
/>
      </wsdl:input>
      <wsdl:output>
        <soap12:body use="literal" />
        <wsp-xmlsoap:PolicyReference URI="#SecurityTokenManaging_Output_Policy" 
/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>

  ...

  <!-- WS-Policies section -->
  <wsp:Policy wsu:Id="SecurityTokenService_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SymmetricBinding>
          <wsp:Policy>
            <sp:ProtectionToken>
              <wsp:Policy>
                <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never";>
                  <wsp:Policy>
                    <!-- sp:RequireDerivedKeys /-->
                    <!-- sp:RequireThumbprintReference /-->
                    <sp:WssX509V3Token10 />
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:ProtectionToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic128 />
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax />
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp />
            <sp:EncryptSignature />
            <sp:OnlySignEntireHeadersAndBody />
          </wsp:Policy>
        </sp:SymmetricBinding>
        <sp:Wss11>
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier />
            <sp:MustSupportRefIssuerSerial />
            <sp:MustSupportRefThumbprint />
            <sp:MustSupportRefEncryptedKey />
            <sp:RequireSignatureConfirmation />
          </wsp:Policy>
        </sp:Wss11>
        <sp:Trust10>
          <wsp:Policy>
            <sp:MustSupportIssuedTokens />
            <sp:RequireClientEntropy />
            <sp:RequireServerEntropy />
          </wsp:Policy>
        </sp:Trust10>
        
        
        <wsap10:UsingAddressing />
        <sp:EndorsingSupportingTokens 
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
          <wsp:Policy>
            <sp:X509Token 
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient";>
              <wsp:Policy>
                <!--sp:RequireThumbprintReference/-->
                <sp:WssX509V3Token10 />
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:EndorsingSupportingTokens>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

  <wsp:Policy wsu:Id="SecurityTokenManaging_Input_Policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts>
          <sp:Body />
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"; 
/>
          <sp:Header Name="From" 
Namespace="http://www.w3.org/2005/08/addressing"; />
          <sp:Header Name="FaultTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
          <sp:Header Name="ReplyTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
          <sp:Header Name="MessageID" 
Namespace="http://www.w3.org/2005/08/addressing"; />
          <sp:Header Name="RelatesTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
          <sp:Header Name="Action" 
Namespace="http://www.w3.org/2005/08/addressing"; />
        </sp:SignedParts>
        <sp:EncryptedParts>
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

  <wsp:Policy wsu:Id="SecurityTokenManaging_Output_Policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts>
          <sp:Body />
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"; 
/>
          <sp:Header Name="From" 
Namespace="http://www.w3.org/2005/08/addressing"; />
          <sp:Header Name="FaultTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
          <sp:Header Name="ReplyTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
          <sp:Header Name="MessageID" 
Namespace="http://www.w3.org/2005/08/addressing"; />
          <sp:Header Name="RelatesTo" 
Namespace="http://www.w3.org/2005/08/addressing"; />
          <sp:Header Name="Action" 
Namespace="http://www.w3.org/2005/08/addressing"; />
        </sp:SignedParts>
        <sp:EncryptedParts>
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

</wsdl:definitions>
---------------

Reply via email to