I have my client and service working without issue for the Username token
use case, returning a SAML token from the STS.  But when I change my configuration
so that the STS accepts a Binary Security Token of a custom value type, I am
getting the error: policy alternatives can not be satisfied SupportingTokens

The BST is of a custom value type since it holds an SMSESSION token
(Siteminder token), and the STS we are using (Layer 7) will validate the
SMSESSION and then return a SAML 2 token.  Now the STSClient does call the
STS, and it processes the request and returns the SAML 2 token in the
response as expected.   But it throws this exception before calling the service.

I believe this has something to do with this warning I see in logs:

org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl.handleNoRegisteredBuilder(AssertionBuilderRegistryImpl.java:109)
 WARN  : No assertion builder for type
{http://schemas.hcsc.com/ws/securitypolicy}SmSessionToken registered.

ERROR:

WARN  : Interceptor for
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
has thrown exception, unwinding now
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
        at
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
        at
org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
        at
org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:835)
        at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1606)
        at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1502)
        at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1309)
        at
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
        at 
org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
        at 
org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
        at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
        at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
        at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
        at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
        at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
        at
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)

The supporting token in STS WSDL is defined as:

    <wsp:Policy wsu:Id="BST_Policy">
        <sp:SupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
            <wsp:Policy>
                <hcsc:SmSessionToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"
xmlns:hcsc="http://schemas.hcsc.com/ws/securitypolicy"/>
            </wsp:Policy>
        </sp:SupportingTokens>
    </wsp:Policy>

This is what the incoming ws-trust message to STS looks like:

2014-04-29 22:18:25,603 [WebContainer : 1]
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269)
 DEBUG : Invoking handleMessage on interceptor
org.apache.cxf.interceptor.BareOutInterceptor@1acf0376
2014-04-29 22:18:25,603 [WebContainer : 1]
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269)
 DEBUG : Invoking handleMessage on interceptor
org.apache.cxf.ws.policy.PolicyVerificationOutInterceptor@58abd51a
2014-04-29 22:18:25,603 [WebContainer : 1]
org.apache.cxf.ws.policy.PolicyVerificationOutInterceptor.handle(PolicyVerificationOutInterceptor.java:72)
 DEBUG : An exception was thrown when verifying that the effective policy
for this request was satisfied.  However, this exception will not result in
a fault.  The exception raised is: org.apache.cxf.ws.policy.PolicyException:
These policy alternatives can not be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
2014-04-29 22:18:25,613 [WebContainer : 1]
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269)
 DEBUG : Invoking handleMessage on interceptor
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor@c88f07ad
2014-04-29 22:18:25,613 [WebContainer : 1]
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269)
 DEBUG : Invoking handleMessage on interceptor
org.apache.cxf.interceptor.StaxOutEndingInterceptor@9e81798
2014-04-29 22:18:25,613 [WebContainer : 1]
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269)
 DEBUG : Invoking handleMessage on interceptor
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@a1c14891
2014-04-29 22:18:25,613 [WebContainer : 1]
org.apache.cxf.interceptor.AbstractLoggingInterceptor.log(AbstractLoggingInterceptor.java:234)
 INFO  : Outbound Message

---------------------------
ID: 1
Address: http://mysts.dev.mycompany.com:8080/eaa_sts
Encoding: UTF-8
Http-Method: POST
Content-Type: application/soap+xml;
action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
Headers: {Accept=[*/*]}
Payload: 
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security soap:mustUnderstand="true"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
<wsse:BinarySecurityToken
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://schemas.hcsc.com/ws/securitypolicy/token-profile#SMSESSION"
wsu:Id="SecurityToken">YwjtLDRg...</wsse:BinarySecurityToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:SecondaryParameters>
<t:TokenType
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
<t:KeyType
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
</wst:SecondaryParameters>
<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
<wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://localhost:9084/myapp/services/AccountMaintenance</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Renewing Allow="false"/>
</wst:RequestSecurityToken>
</soap:Body>
</soap:Envelope>
--------------------------------------



--
View this message in context: 
http://cxf.547215.n5.nabble.com/PolicyException-when-using-BST-with-custom-ValueType-tp5743444.html
Sent from the cxf-user mailing list archive at Nabble.com.
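The warning "No assertion builder for type {http://schemas.hcsc.com/ws/securitypolicy}SmSessionToken registered" means the CXF policy engine has no parser for the custom assertion inside the SupportingTokens alternative, so nothing ever marks that assertion as asserted and the alternative is reported as unsatisfiable. The stack trace shows where that bites: PolicyVerificationInInterceptor running inside ClientImpl.onMessage during AbstractSTSClient.issue, i.e. the client's inbound verification of the STS response (the outbound verifier logged the same failure earlier but, as its DEBUG line says, does not fault). The block below is an added example of how CXF lets a client register a builder and an interceptor provider for such a custom assertion programmatically; it is not code from the post, from Layer 7 or from CXF itself. Assumptions: the class name, that the assertion needs no runtime processing on the client side (so IgnorablePolicyInterceptorProvider is enough to mark it asserted), and that the BST keeps being placed in the wsse:Security header by whatever already does so in the working setup.

```java
import javax.xml.namespace.QName;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.policy.AssertionBuilderRegistry;
import org.apache.cxf.ws.policy.IgnorablePolicyInterceptorProvider;
import org.apache.cxf.ws.policy.PolicyInterceptorProviderRegistry;
import org.apache.neethi.Assertion;
import org.apache.neethi.builders.AssertionBuilder;
import org.apache.neethi.builders.AssertionBuilderFactory;
import org.apache.neethi.builders.PrimitiveAssertion;
import org.w3c.dom.Element;

/**
 * Illustrative code, not from the original post: teaches the CXF policy engine about the
 * custom {http://schemas.hcsc.com/ws/securitypolicy}SmSessionToken assertion so that the
 * SupportingTokens alternative containing it can be parsed and marked as satisfied.
 * The class name and the "no runtime processing needed" choice are assumptions.
 */
public final class SmSessionTokenPolicySupport {

    // Namespace and local name exactly as they appear in the STS WSDL and in the warning.
    public static final String HCSC_SP_NS = "http://schemas.hcsc.com/ws/securitypolicy";
    public static final QName SM_SESSION_TOKEN = new QName(HCSC_SP_NS, "SmSessionToken");

    // Both WS-Policy namespaces that may carry wsp:Optional in a WSDL.
    private static final String[] WSP_NAMESPACES = {
        "http://www.w3.org/ns/ws-policy",
        "http://schemas.xmlsoap.org/ws/2004/09/policy"
    };

    /** Turns the <hcsc:SmSessionToken/> element into a neethi assertion. */
    public static final class SmSessionTokenAssertionBuilder implements AssertionBuilder<Element> {

        @Override
        public Assertion build(Element element, AssertionBuilderFactory factory) {
            // wsp:Optional is the only attribute that changes how the engine normalises
            // alternatives; sp:IncludeToken is informational for this purpose.
            boolean optional = false;
            for (String ns : WSP_NAMESPACES) {
                if ("true".equalsIgnoreCase(element.getAttributeNS(ns, "Optional"))) {
                    optional = true;
                }
            }
            return new PrimitiveAssertion(SM_SESSION_TOKEN, optional);
        }

        @Override
        public QName[] getKnownElements() {
            return new QName[] { SM_SESSION_TOKEN };
        }
    }

    /**
     * Wire the builder and the interceptor provider into the Bus that the STSClient will use.
     * Must run before the STSClient is created, otherwise the WSDL policy is parsed without it.
     */
    public static void register(Bus bus) {
        bus.getExtension(AssertionBuilderRegistry.class)
           .registerBuilder(new SmSessionTokenAssertionBuilder());
        // Marks the assertion as asserted in all four interceptor chains (in/out, fault).
        // It does NOT add the BST to the header; the existing mechanism still has to do that.
        bus.getExtension(PolicyInterceptorProviderRegistry.class)
           .register(new IgnorablePolicyInterceptorProvider(SM_SESSION_TOKEN));
    }

    public static void main(String[] args) {
        register(BusFactory.getDefaultBus());
    }
}
```

Two checks worth making alongside this. First, the quoted WSDL fragment declares the sp prefix as the 2005/07 namespace while the exception names the 200702 SupportingTokens, so confirm which SupportingTokens assertion the effective policy actually contains before assuming the fragment above is the one that fails. Second, the SMSESSION value is a bearer credential: the outbound log shows it being posted to an http:// address on port 8080 and dumped into the log by the logging interceptor, so the DEBUG logging and the plaintext transport should not survive past the dev environment.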