A CXF client using the Symmetric binding needs the public key of the
recipient. This is typically done by specifying an encryption username
(corresponding to a keystore alias), and a Crypto properties file for
encryption (pointing to a keystore). Here is an example:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml?view=markup

So one possible solution is to update the IdP STSClient configuration so
that it is possible to pass through "properties" as per the client
configuration above. Alternatively, we could use an encryption certificate
from metadata or something, although this would likely require a small
amount of work in CXF. Which would you prefer to use?

Colm.


On Tue, Feb 11, 2014 at 1:19 PM, Hrbacek, Stepan <[email protected]> wrote:

> Hi all,
> I am trying to use the Apache CXF Fediz IdP (1.1.0) with an external
> WS-Trust STS [Atos (c) DirX Access implementation based on Oracle Metro]. When
> the Fediz IdP tries to send the
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue request to the
> STS, an error occurs and the following exception can be found in idp.log. The
> STS's WSDL is quoted below. Java clients using Oracle Metro work fine with
> this STS.
> Can you please give me a hint where and how to configure the encryption
> certificate (I think the error message is misleading)?
> Thank you!
> Stepan
>
> ---------------
> 2014-02-11 11:24:40,053
> [org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder@http-nio-9443-exec-6]
> DEBUG
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder  - A
> encryption username needs to be declared.
> org.apache.cxf.ws.policy.PolicyException: A encryption username needs to
> be declared.
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:315)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.setEncryptionUser(AbstractBindingBuilder.java:1631)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getEncryptedKeyBuilder(AbstractBindingBuilder.java:1453)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.setupEncryptedKey(SymmetricBindingHandler.java:856)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:298)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:124)
>         at
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:173)
>         at
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:90)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
>         at
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)
>         at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
>         at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
>         at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
>         at
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:116)
>         at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>         at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>         at
> org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
>         at
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>         at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>         at
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>         at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>         at
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:66)
>         ...
> ---------------
>
> The WS-Policy parts of the STS's WSDL are:
> ---------------
> <?xml version='1.0' encoding='UTF-8'?>
> <wsdl:definitions xmlns:dxa-fed="http://dxa.siemens.com/wsdl/federation/"
>   xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
>   xmlns:soap11="http://schemas.xmlsoap.org/wsdl/soap11/"
>   xmlns:wsa10="http://www.w3.org/2005/08/addressing"
>   xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>   xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>   xmlns:wsp-xmlsoap="http://schemas.xmlsoap.org/ws/2004/09/policy"
>   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>   xmlns:xs="http://www.w3.org/2001/XMLSchema"
>   xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>   xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
>   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>   name="Federation" targetNamespace="http://dxa.siemens.com/wsdl/federation/">
>  ...
>
>  <!-- Bindings section -->
>  <wsdl:binding name="SecurityTokenManagingSoap12Http" type="dxa-fed:SecurityTokenManaging">
>     <wsp-xmlsoap:PolicyReference URI="#SecurityTokenService_policy" />
>     <soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
>     <wsdl:operation name="issueSecurityToken">
>       <soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" />
>       <wsdl:input>
>         <soap12:body use="literal" />
>         <wsp-xmlsoap:PolicyReference URI="#SecurityTokenManaging_Input_Policy" />
>       </wsdl:input>
>       <wsdl:output>
>         <soap12:body use="literal" />
>         <wsp-xmlsoap:PolicyReference URI="#SecurityTokenManaging_Output_Policy" />
>       </wsdl:output>
>     </wsdl:operation>
>   </wsdl:binding>
>
>   ...
>
>   <!-- WS-Policies section -->
>   <wsp:Policy wsu:Id="SecurityTokenService_policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:SymmetricBinding>
>           <wsp:Policy>
>             <sp:ProtectionToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                   <wsp:Policy>
>                     <!-- sp:RequireDerivedKeys /-->
>                     <!-- sp:RequireThumbprintReference /-->
>                     <sp:WssX509V3Token10 />
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:ProtectionToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic128 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Lax />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>             <sp:EncryptSignature />
>             <sp:OnlySignEntireHeadersAndBody />
>           </wsp:Policy>
>         </sp:SymmetricBinding>
>         <sp:Wss11>
>           <wsp:Policy>
>             <sp:MustSupportRefKeyIdentifier />
>             <sp:MustSupportRefIssuerSerial />
>             <sp:MustSupportRefThumbprint />
>             <sp:MustSupportRefEncryptedKey />
>             <sp:RequireSignatureConfirmation />
>           </wsp:Policy>
>         </sp:Wss11>
>         <sp:Trust10>
>           <wsp:Policy>
>             <sp:MustSupportIssuedTokens />
>             <sp:RequireClientEntropy />
>             <sp:RequireServerEntropy />
>           </wsp:Policy>
>         </sp:Trust10>
>
>
>         <wsap10:UsingAddressing />
>         <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>               <wsp:Policy>
>                 <!--sp:RequireThumbprintReference/-->
>                 <sp:WssX509V3Token10 />
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:EndorsingSupportingTokens>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>   <wsp:Policy wsu:Id="SecurityTokenManaging_Input_Policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:SignedParts>
>           <sp:Body />
>           <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
>         </sp:SignedParts>
>         <sp:EncryptedParts>
>           <sp:Body />
>         </sp:EncryptedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>   <wsp:Policy wsu:Id="SecurityTokenManaging_Output_Policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:SignedParts>
>           <sp:Body />
>           <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
>         </sp:SignedParts>
>         <sp:EncryptedParts>
>           <sp:Body />
>         </sp:EncryptedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
> </wsdl:definitions>
> ---------------
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
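Colm's first option, passing WSS4J "properties" through the IdP's STSClient, would look roughly like this in Spring XML against the quoted STS policy. This is an added illustration, not code from the thread or from Fediz; the bean id, WSDL location, service/port QNames, file names, aliases, passwords and callback-handler class are assumed placeholders.

```xml
<!-- Added example, not from the thread or the Fediz project: a Spring bean for the
     IdP's STSClient carrying the WS-Security "properties" Colm describes. Bean id,
     WSDL location, service/port QNames, file names, aliases, passwords and the
     callback handler class are assumed placeholders. -->
<bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient">
  <constructor-arg ref="cxf" />
  <property name="wsdlLocation" value="https://sts.example.com/federation?wsdl" />
  <!-- The wsdl:service and wsdl:port names are elided in the quoted WSDL; placeholders. -->
  <property name="serviceName" value="{http://dxa.siemens.com/wsdl/federation/}SecurityTokenService" />
  <property name="endpointName" value="{http://dxa.siemens.com/wsdl/federation/}SecurityTokenManagingPort" />
  <property name="properties">
    <map>
      <!-- sp:SymmetricBinding with an sp:X509Token ProtectionToken (IncludeToken=Never):
           the client generates the symmetric key and wraps it for the STS's public key,
           so CXF must be told which keystore alias holds the STS certificate. Without an
           encryption username CXF fails with "A encryption username needs to be declared". -->
      <entry key="ws-security.encryption.username" value="sts-cert" />
      <entry key="ws-security.encryption.properties" value="stsclient-encryption.properties" />
      <!-- sp:EndorsingSupportingTokens with an sp:X509Token (AlwaysToRecipient): the
           client also signs with its own private key, so a signing keystore is needed. -->
      <entry key="ws-security.signature.username" value="idp-signing-key" />
      <entry key="ws-security.signature.properties" value="stsclient-signature.properties" />
      <!-- Returns the private-key password for the signing alias. -->
      <entry key="ws-security.callback-handler" value="org.example.idp.KeystorePasswordCallback" />
    </map>
  </property>
</bean>

<!-- stsclient-encryption.properties (WSS4J 1.6 Merlin property names, the WSS4J line
     used by CXF 2.7) would hold:
       org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
       org.apache.ws.security.crypto.merlin.keystore.type=jks
       org.apache.ws.security.crypto.merlin.keystore.password=changeit
       org.apache.ws.security.crypto.merlin.keystore.file=sts-truststore.jks
     This keystore needs only the STS's X.509 certificate under alias "sts-cert", no
     private key; the signature properties file points at the IdP's own keystore instead. -->
```

Whichever certificate sits under the encryption alias is the party able to read the RST, so the encryption keystore should hold only the STS certificate obtained and verified out of band.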
