Could you create a JIRA + I will look into it? You also need to specify a
Crypto properties file as well as a username.

Colm.


On Tue, Feb 11, 2014 at 3:40 PM, Hrbacek, Stepan <[email protected]> wrote:

> Thank you Colm!
> I would like to use the first approach - specify the encryption username
> via "properties" in the STS client configuration.
> I am unfortunately not able to find the right place in the Fediz IDP Web
> application, currently I am lost among all the beans :-(
> Stepan
>
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Tuesday, February 11, 2014 3:20 PM
> > To: [email protected]
> > Subject: Re: Error "A encryption username needs to be declared" when using
> > Fediz IdP with external WS-Trust STS
> >
> > A CXF client using the Symmetric binding needs the public key of the recipient.
> > This is typically done by specifying an encryption username (corresponding to a
> > keystore alias), and a Crypto properties file for encryption (pointing to a
> > keystore). Here is an example:
> >
> >
> > http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml?view=markup
> >
> > So one possible solution is to update the IdP STSClient configuration so that it is
> > possible to pass through "properties" as per the client configuration above.
> > Alternatively, we could use an encryption certificate from metadata or
> > something, although this would likely require a small amount of work in CXF.
> > Which would you prefer to use?
> >
> > Colm.
> >
> >
> > On Tue, Feb 11, 2014 at 1:19 PM, Hrbacek, Stepan <[email protected]> wrote:
> >
> > > Hi all,
> > > I am trying to use the Apache CXF Fediz IdP (1.1.0) with an
> > > external WS-Trust STS [Atos (c) DirX Access implementation based
> > > Oracle Metro]. When the Fediz IdP tries to send the
> > > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue request to
> > > the STS, an error occurs and following exception can be found in
> > > idp.log. The STS's WSDL is quoted below. Java clients using Oracle
> > > Metro work fine with this STS.
> > > Can you please give me a hint where and how to configure the encryption
> > > certificate (I think the error message is misleading)?
> > > Thank you!
> > > Stepan
> > >
> > > ---------------
> > > 2014-02-11 11:24:40,053 [org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder@http-nio-9443-exec-6] DEBUG org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder - A encryption username needs to be declared.
> > > org.apache.cxf.ws.policy.PolicyException: A encryption username needs to be declared.
> > >         at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:315)
> > >         at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.setEncryptionUser(AbstractBindingBuilder.java:1631)
> > >         at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getEncryptedKeyBuilder(AbstractBindingBuilder.java:1453)
> > >         at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.setupEncryptedKey(SymmetricBindingHandler.java:856)
> > >         at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:298)
> > >         at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:124)
> > >         at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:173)
> > >         at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:90)
> > >         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> > >         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
> > >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
> > >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
> > >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
> > >         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)
> > >         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
> > >         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
> > >         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
> > >         at org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:116)
> > >         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
> > >         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
> > >         at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
> > >         at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
> > >         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> > >         at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
> > >         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> > >         at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:66)
> > >         ...
> > > ---------------
> > >
> > > The WS-Policy parts of the STS's WSDL are:
> > > ---------------
> > > <?xml version='1.0' encoding='UTF-8'?>
> > > <wsdl:definitions
> > >   xmlns:dxa-fed="http://dxa.siemens.com/wsdl/federation/"
> > >   xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
> > >   xmlns:soap11="http://schemas.xmlsoap.org/wsdl/soap11/"
> > >   xmlns:wsa10="http://www.w3.org/2005/08/addressing"
> > >   xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
> > >   xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> > >   xmlns:wsp-xmlsoap="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > >   xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
> > >   xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > >   xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> > >   xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> > >   xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust"
> > >   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > >   name="Federation"
> > >   targetNamespace="http://dxa.siemens.com/wsdl/federation/">
> > >  ...
> > >
> > >  <!-- Bindings section -->
> > >  <wsdl:binding name="SecurityTokenManagingSoap12Http"
> > > type="dxa-fed:SecurityTokenManaging">
> > >     <wsp-xmlsoap:PolicyReference URI="#SecurityTokenService_policy" />
> > >     <soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
> > >     <wsdl:operation name="issueSecurityToken">
> > >       <soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" />
> > >       <wsdl:input>
> > >         <soap12:body use="literal" />
> > >         <wsp-xmlsoap:PolicyReference URI="#SecurityTokenManaging_Input_Policy" />
> > >       </wsdl:input>
> > >       <wsdl:output>
> > >         <soap12:body use="literal" />
> > >         <wsp-xmlsoap:PolicyReference URI="#SecurityTokenManaging_Output_Policy" />
> > >       </wsdl:output>
> > >     </wsdl:operation>
> > >   </wsdl:binding>
> > >
> > >   ...
> > >
> > >   <!-- WS-Policies section -->
> > >   <wsp:Policy wsu:Id="SecurityTokenService_policy">
> > >     <wsp:ExactlyOne>
> > >       <wsp:All>
> > >         <sp:SymmetricBinding>
> > >           <wsp:Policy>
> > >             <sp:ProtectionToken>
> > >               <wsp:Policy>
> > >                 <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> > >                   <wsp:Policy>
> > >                     <!-- sp:RequireDerivedKeys /-->
> > >                     <!-- sp:RequireThumbprintReference /-->
> > >                     <sp:WssX509V3Token10 />
> > >                   </wsp:Policy>
> > >                 </sp:X509Token>
> > >               </wsp:Policy>
> > >             </sp:ProtectionToken>
> > >             <sp:AlgorithmSuite>
> > >               <wsp:Policy>
> > >                 <sp:Basic128 />
> > >               </wsp:Policy>
> > >             </sp:AlgorithmSuite>
> > >             <sp:Layout>
> > >               <wsp:Policy>
> > >                 <sp:Lax />
> > >               </wsp:Policy>
> > >             </sp:Layout>
> > >             <sp:IncludeTimestamp />
> > >             <sp:EncryptSignature />
> > >             <sp:OnlySignEntireHeadersAndBody />
> > >           </wsp:Policy>
> > >         </sp:SymmetricBinding>
> > >         <sp:Wss11>
> > >           <wsp:Policy>
> > >             <sp:MustSupportRefKeyIdentifier />
> > >             <sp:MustSupportRefIssuerSerial />
> > >             <sp:MustSupportRefThumbprint />
> > >             <sp:MustSupportRefEncryptedKey />
> > >             <sp:RequireSignatureConfirmation />
> > >           </wsp:Policy>
> > >         </sp:Wss11>
> > >         <sp:Trust10>
> > >           <wsp:Policy>
> > >             <sp:MustSupportIssuedTokens />
> > >             <sp:RequireClientEntropy />
> > >             <sp:RequireServerEntropy />
> > >           </wsp:Policy>
> > >         </sp:Trust10>
> > >
> > >
> > >         <wsap10:UsingAddressing />
> > >         <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >           <wsp:Policy>
> > >             <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
> > >               <wsp:Policy>
> > >                 <!--sp:RequireThumbprintReference/-->
> > >                 <sp:WssX509V3Token10 />
> > >               </wsp:Policy>
> > >             </sp:X509Token>
> > >           </wsp:Policy>
> > >         </sp:EndorsingSupportingTokens>
> > >       </wsp:All>
> > >     </wsp:ExactlyOne>
> > >   </wsp:Policy>
> > >
> > >   <wsp:Policy wsu:Id="SecurityTokenManaging_Input_Policy">
> > >     <wsp:ExactlyOne>
> > >       <wsp:All>
> > >         <sp:SignedParts>
> > >           <sp:Body />
> > >           <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
> > >         </sp:SignedParts>
> > >         <sp:EncryptedParts>
> > >           <sp:Body />
> > >         </sp:EncryptedParts>
> > >       </wsp:All>
> > >     </wsp:ExactlyOne>
> > >   </wsp:Policy>
> > >
> > >   <wsp:Policy wsu:Id="SecurityTokenManaging_Output_Policy">
> > >     <wsp:ExactlyOne>
> > >       <wsp:All>
> > >         <sp:SignedParts>
> > >           <sp:Body />
> > >           <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
> > >         </sp:SignedParts>
> > >         <sp:EncryptedParts>
> > >           <sp:Body />
> > >         </sp:EncryptedParts>
> > >       </wsp:All>
> > >     </wsp:ExactlyOne>
> > >   </wsp:Policy>
> > >
> > > </wsdl:definitions>
> > > ---------------
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
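The first approach Colm describes, passing an encryption username and a Crypto properties file through the STSClient "properties", as an added example that is not code from this thread or from Fediz: a CXF STSClient configured in Java against the policy quoted above (the thread notes the Fediz 1.1.0 IdP itself still needed a change to pass these through). The WSDL location, endpoint QName, keystore aliases, file names and callback handler class are placeholders.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.Bus;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;

public class StsClientEncryptionConfig {

    // Placeholders (not from the thread); the QNames reuse the quoted WSDL's namespace.
    static final String STS_WSDL = "https://sts.example.com/federation?wsdl";
    static final String STS_SERVICE = "{http://dxa.siemens.com/wsdl/federation/}Federation";
    static final String STS_ENDPOINT =
        "{http://dxa.siemens.com/wsdl/federation/}SecurityTokenManagingSoap12Http";

    public static STSClient configure(Bus bus) {
        STSClient stsClient = new STSClient(bus);
        stsClient.setWsdlLocation(STS_WSDL);
        stsClient.setServiceName(STS_SERVICE);
        stsClient.setEndpointName(STS_ENDPOINT);

        Map<String, Object> props = new HashMap<String, Object>();

        // "A encryption username needs to be declared": the Symmetric binding's
        // ProtectionToken is an X509Token with IncludeToken=Never, so the client must
        // wrap its generated symmetric key with the STS's public key. CXF finds that
        // certificate by keystore alias (the encryption username) in the Crypto
        // properties file named here. Alias and file name are placeholders.
        props.put(SecurityConstants.ENCRYPT_USERNAME, "sts-encryption-cert");
        props.put(SecurityConstants.ENCRYPT_PROPERTIES, "stsTruststore.properties");

        // The EndorsingSupportingTokens X509Token (IncludeToken=AlwaysToRecipient) means
        // the IdP also signs with its own key, so a signing alias, its keystore and a
        // CallbackHandler supplying the private-key password are needed as well.
        props.put(SecurityConstants.SIGNATURE_USERNAME, "idp-signing-key");
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, "idpKeystore.properties");
        props.put(SecurityConstants.CALLBACK_HANDLER, "com.example.IdpPasswordCallbackHandler");

        stsClient.setProperties(props);
        return stsClient;
    }

    // Contents of stsTruststore.properties, using the WSS4J 1.6 Merlin key names
    // (org.apache.ws.security prefix); keystore file and password are placeholders.
    // The truststore only needs the STS certificate, not any private key.
    //   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
    //   org.apache.ws.security.crypto.merlin.keystore.type=jks
    //   org.apache.ws.security.crypto.merlin.keystore.password=changeit
    //   org.apache.ws.security.crypto.merlin.keystore.file=stsTruststore.jks
}
```

Keeping the STS certificate in a truststore separate from the IdP's signing keystore means the encryption side never needs access to a private key.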
