Thank you Colm!
I would like to use the first approach - specify the encryption username via 
"properties" in the STS client configuration.
I am unfortunately not able to find the right place in the Fediz IDP Web 
application, currently I am lost among all the beans :-(
Stepan

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:[email protected]]
> Sent: Tuesday, February 11, 2014 3:20 PM
> To: [email protected]
> Subject: Re: Error "A encryption username needs to be declared" when using
> Fediz IdP with external WS-Trust STS
> 
> A CXF client using the Symmetric binding needs the public key of the recipient.
> This is typically done by specifying an encryption username (corresponding to a
> keystore alias), and a Crypto properties file for encryption (pointing to a
> keystore). Here is an example:
> 
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml?view=markup
> 
> So one possible solution is to update the IdP STSClient configuration so that it is
> possible to pass through "properties" as per the client configuration above.
> Alternatively, we could use an encryption certificate from metadata or
> something, although this would likely require a small amount of work in CXF.
> Which would you prefer to use?
> 
> Colm.
> 
> 
> On Tue, Feb 11, 2014 at 1:19 PM, Hrbacek, Stepan
> <[email protected]>wrote:
> 
> > Hi all,
> > I am trying to use the Apache CXF Fediz IdP (1.1.0) with an
> > external WS-Trust STS [Atos (c) DirX Access implementation based on
> > Oracle Metro]. When the Fediz IdP tries to send the
> > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue request to
> > the STS, an error occurs and the following exception can be found in
> > idp.log. The STS's WSDL is quoted below. Java clients using Oracle
> > Metro work fine with this STS.
> > Can you please give me a hint where and how to configure the encryption
> > certificate (I think the error message is misleading)?
> > Thank you!
> > Stepan
> >
> > ---------------
> > 2014-02-11 11:24:40,053 [org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder@http-nio-9443-exec-6] DEBUG org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder - A encryption username needs to be declared.
> > org.apache.cxf.ws.policy.PolicyException: A encryption username needs to be declared.
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:315)
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.setEncryptionUser(AbstractBindingBuilder.java:1631)
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getEncryptedKeyBuilder(AbstractBindingBuilder.java:1453)
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.setupEncryptedKey(SymmetricBindingHandler.java:856)
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:298)
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:124)
> >         at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:173)
> >         at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:90)
> >         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> >         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
> >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
> >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
> >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
> >         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)
> >         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
> >         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
> >         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
> >         at org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:116)
> >         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
> >         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
> >         at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
> >         at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
> >         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >         at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
> >         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >         at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:66)
> >         ...
> > ---------------
> >
> > The WS-Policy parts of the STS's WSDL are:
> > ---------------
> > <?xml version='1.0' encoding='UTF-8'?>
> > <wsdl:definitions
> >   xmlns:dxa-fed="http://dxa.siemens.com/wsdl/federation/"
> >   xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
> >   xmlns:soap11="http://schemas.xmlsoap.org/wsdl/soap11/"
> >   xmlns:wsa10="http://www.w3.org/2005/08/addressing"
> >   xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
> >   xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> >   xmlns:wsp-xmlsoap="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> >   xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >   xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> >   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >   xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
> >   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >   name="Federation"
> >   targetNamespace="http://dxa.siemens.com/wsdl/federation/">
> >   ...
> >
> >   <!-- Bindings section -->
> >   <wsdl:binding name="SecurityTokenManagingSoap12Http" type="dxa-fed:SecurityTokenManaging">
> >     <wsp-xmlsoap:PolicyReference URI="#SecurityTokenService_policy" />
> >     <soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
> >     <wsdl:operation name="issueSecurityToken">
> >       <soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" />
> >       <wsdl:input>
> >         <soap12:body use="literal" />
> >         <wsp-xmlsoap:PolicyReference URI="#SecurityTokenManaging_Input_Policy" />
> >       </wsdl:input>
> >       <wsdl:output>
> >         <soap12:body use="literal" />
> >         <wsp-xmlsoap:PolicyReference URI="#SecurityTokenManaging_Output_Policy" />
> >       </wsdl:output>
> >     </wsdl:operation>
> >   </wsdl:binding>
> >
> >   ...
> >
> >   <!-- WS-Policies section -->
> >   <wsp:Policy wsu:Id="SecurityTokenService_policy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <sp:SymmetricBinding>
> >           <wsp:Policy>
> >             <sp:ProtectionToken>
> >               <wsp:Policy>
> >                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >                   <wsp:Policy>
> >                     <!-- sp:RequireDerivedKeys /-->
> >                     <!-- sp:RequireThumbprintReference /-->
> >                     <sp:WssX509V3Token10 />
> >                   </wsp:Policy>
> >                 </sp:X509Token>
> >               </wsp:Policy>
> >             </sp:ProtectionToken>
> >             <sp:AlgorithmSuite>
> >               <wsp:Policy>
> >                 <sp:Basic128 />
> >               </wsp:Policy>
> >             </sp:AlgorithmSuite>
> >             <sp:Layout>
> >               <wsp:Policy>
> >                 <sp:Lax />
> >               </wsp:Policy>
> >             </sp:Layout>
> >             <sp:IncludeTimestamp />
> >             <sp:EncryptSignature />
> >             <sp:OnlySignEntireHeadersAndBody />
> >           </wsp:Policy>
> >         </sp:SymmetricBinding>
> >         <sp:Wss11>
> >           <wsp:Policy>
> >             <sp:MustSupportRefKeyIdentifier />
> >             <sp:MustSupportRefIssuerSerial />
> >             <sp:MustSupportRefThumbprint />
> >             <sp:MustSupportRefEncryptedKey />
> >             <sp:RequireSignatureConfirmation />
> >           </wsp:Policy>
> >         </sp:Wss11>
> >         <sp:Trust10>
> >           <wsp:Policy>
> >             <sp:MustSupportIssuedTokens />
> >             <sp:RequireClientEntropy />
> >             <sp:RequireServerEntropy />
> >           </wsp:Policy>
> >         </sp:Trust10>
> >
> >         <wsap10:UsingAddressing />
> >         <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >           <wsp:Policy>
> >             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> >               <wsp:Policy>
> >                 <!--sp:RequireThumbprintReference/-->
> >                 <sp:WssX509V3Token10 />
> >               </wsp:Policy>
> >             </sp:X509Token>
> >           </wsp:Policy>
> >         </sp:EndorsingSupportingTokens>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> >   <wsp:Policy wsu:Id="SecurityTokenManaging_Input_Policy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <sp:SignedParts>
> >           <sp:Body />
> >           <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
> >         </sp:SignedParts>
> >         <sp:EncryptedParts>
> >           <sp:Body />
> >         </sp:EncryptedParts>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> >   <wsp:Policy wsu:Id="SecurityTokenManaging_Output_Policy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <sp:SignedParts>
> >           <sp:Body />
> >           <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
> >         </sp:SignedParts>
> >         <sp:EncryptedParts>
> >           <sp:Body />
> >         </sp:EncryptedParts>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> > </wsdl:definitions>
> > ---------------
> >
> 
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
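
An added configuration example, not from this thread and not the Fediz project's own code, showing what Colm's first approach looks like at the plain CXF level: a stand-alone `STSClient` bean that passes the encryption username and the Crypto properties file through its `properties` map, in the same way as the cxf-client.xml he links. The property keys are the CXF 2.7-era `SecurityConstants` names; the WSDL location, service and port names, keystore aliases, file names and the callback handler class are placeholders. The STS policy quoted above uses `IncludeToken/Never` on the protection token, which is why the STS certificate has to already sit in the client keystore under the alias given as the encryption username; its `EndorsingSupportingTokens` X509Token means the client also signs with its own key, so matching signature properties are included here as an assumption.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the Fediz IdP's own bean definitions. Everything marked
     PLACEHOLDER must be replaced with values from the real deployment. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

  <!-- Provides the "cxf" Bus bean that STSClient takes as constructor argument. -->
  <import resource="classpath:META-INF/cxf/cxf.xml" />

  <bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient">
    <constructor-arg ref="cxf" />

    <!-- PLACEHOLDER: where the external STS publishes the WSDL quoted in the thread. -->
    <property name="wsdlLocation" value="https://sts.example.invalid/federation?wsdl" />
    <!-- PLACEHOLDER: the wsdl:service / wsdl:port names are elided in the quoted
         WSDL, so only the targetNamespace below is taken from it. -->
    <property name="serviceName"
              value="{http://dxa.siemens.com/wsdl/federation/}PLACEHOLDER_SERVICE" />
    <property name="endpointName"
              value="{http://dxa.siemens.com/wsdl/federation/}PLACEHOLDER_PORT" />

    <property name="properties">
      <map>
        <!-- Symmetric binding, ProtectionToken X509 with IncludeToken/Never:
             CXF must encrypt the EncryptedKey for the STS using a certificate it
             already holds. The value is the keystore alias of that certificate;
             this is the setting whose absence produces
             "A encryption username needs to be declared". -->
        <entry key="ws-security.encryption.username" value="stskey" />
        <!-- WSS4J Crypto properties pointing at the keystore that holds "stskey". -->
        <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />

        <!-- EndorsingSupportingTokens X509 (AlwaysToRecipient): the client signs
             with its own private key, so a signing alias is needed as well
             (assumed alias "clientkey" in the same keystore). -->
        <entry key="ws-security.signature.username" value="clientkey" />
        <entry key="ws-security.signature.properties" value="clientKeystore.properties" />

        <!-- PLACEHOLDER: supplies the private-key password for "clientkey". -->
        <entry key="ws-security.callback-handler"
               value="com.example.KeystorePasswordCallbackHandler" />
      </map>
    </property>
  </bean>

</beans>
```

The referenced `clientKeystore.properties` is an ordinary WSS4J 1.6 Merlin file with `org.apache.ws.security.crypto.provider` set to `org.apache.ws.security.components.crypto.Merlin` and the `org.apache.ws.security.crypto.merlin.keystore.type`, `.keystore.password` and `.keystore.file` entries naming a JKS that contains the STS certificate under `stskey` and the client key pair under `clientkey`. Before wiring this into the IdP it is worth confirming with `keytool -list` that the alias used as the encryption username really resolves to the STS's certificate, since an alias typo produces the same policy failure as a missing setting.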
