The warning you are seeing can be ignored. So the outbound request to the
STS is working correctly right? The problem is in the client parsing the
STS response. Could you paste the STS response? What version of CXF are you
using?

Colm.


On Wed, Apr 30, 2014 at 4:30 AM, jeffc <[email protected]> wrote:

> I have my client and service working without issue for the Username token
> use case and returning a SAML token from the STS.  But when I change my
> configuration so that the STS accepts a Binary Security Token of a custom
> value type, I am getting the error: policy alternatives can not be satisfied
> SupportingTokens
>
> The BST is of a custom value type since it holds an SMSESSION token
> (Siteminder token) and the STS we are using (Layer 7) will validate the
> SMSESSION and then return a SAML 2 token.  Now the STSClient does call the
> STS and it processes the request and returns the SAML 2 token in the
> response as expected.  But it throws this exception before calling the
> service.
>
> I believe this has something to do with this warning I see in logs:
>
> org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl.handleNoRegisteredBuilder(AssertionBuilderRegistryImpl.java:109) WARN  : No assertion builder for type {http://schemas.hcsc.com/ws/securitypolicy}SmSessionToken registered.
>
> ERROR:
>
> WARN  : Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
>         at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
>         at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
>         at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>         at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:835)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1606)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1502)
>         at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1309)
>         at org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
>         at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
>         at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
>         at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
>         at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
>         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)
>
> The supporting token in STS WSDL is defined as:
>
>     <wsp:Policy wsu:Id="BST_Policy">
>         <sp:SupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>                 <hcsc:SmSessionToken
>                     sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"
>                     xmlns:hcsc="http://schemas.hcsc.com/ws/securitypolicy"/>
>             </wsp:Policy>
>         </sp:SupportingTokens>
>     </wsp:Policy>
>
> This is what the incoming ws-trust message to STS looks like:
>
> 2014-04-29 22:18:25,603 [WebContainer : 1] org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269) DEBUG : Invoking handleMessage on interceptor org.apache.cxf.interceptor.BareOutInterceptor@1acf0376
> 2014-04-29 22:18:25,603 [WebContainer : 1] org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269) DEBUG : Invoking handleMessage on interceptor org.apache.cxf.ws.policy.PolicyVerificationOutInterceptor@58abd51a
> 2014-04-29 22:18:25,603 [WebContainer : 1] org.apache.cxf.ws.policy.PolicyVerificationOutInterceptor.handle(PolicyVerificationOutInterceptor.java:72) DEBUG : An exception was thrown when verifying that the effective policy for this request was satisfied.  However, this exception will not result in a fault.  The exception raised is:
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
> 2014-04-29 22:18:25,613 [WebContainer : 1] org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269) DEBUG : Invoking handleMessage on interceptor org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor@c88f07ad
> 2014-04-29 22:18:25,613 [WebContainer : 1] org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269) DEBUG : Invoking handleMessage on interceptor org.apache.cxf.interceptor.StaxOutEndingInterceptor@9e81798
> 2014-04-29 22:18:25,613 [WebContainer : 1] org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269) DEBUG : Invoking handleMessage on interceptor org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@a1c14891
> 2014-04-29 22:18:25,613 [WebContainer : 1] org.apache.cxf.interceptor.AbstractLoggingInterceptor.log(AbstractLoggingInterceptor.java:234) INFO  : Outbound Message
> ---------------------------
> ID: 1
> Address: http://mysts.dev.mycompany.com:8080/eaa_sts
> Encoding: UTF-8
> Http-Method: POST
> Content-Type: application/soap+xml; action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
> Headers: {Accept=[*/*]}
> Payload:
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
> <soap:Header>
> <wsse:Security soap:mustUnderstand="true" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
> <wsse:BinarySecurityToken xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://schemas.hcsc.com/ws/securitypolicy/token-profile#SMSESSION" wsu:Id="SecurityToken">YwjtLDRg...</wsse:BinarySecurityToken>
> </wsse:Security>
> </soap:Header>
> <soap:Body>
> <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> <wst:SecondaryParameters>
> <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
> <t:KeyType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
> </wst:SecondaryParameters>
> <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
> <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
> <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
> <wsa:Address>http://localhost:9084/myapp/services/AccountMaintenance</wsa:Address>
> </wsa:EndpointReference>
> </wsp:AppliesTo>
> <wst:Renewing Allow="false"/>
> </wst:RequestSecurityToken>
> </soap:Body>
> </soap:Envelope>
> --------------------------------------
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/PolicyException-when-using-BST-with-custom-ValueType-tp5743444.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
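Colm's first question is whether the outbound request to the STS is correct. The script below is an added example, not code from this thread or from CXF: it parses the captured WS-Trust Issue request quoted in the post and checks that the Security header carries a BinarySecurityToken with the ValueType and EncodingType the STS policy expects, and that the body asks for a SAML 2.0 bearer token via the Issue request type. The namespace URIs and expected values are copied from the post; the sample envelope is reconstructed from it with the token value shortened. The check also reports which wsse namespace the Security header uses (the post's request uses the 2002/04 one; the OASIS WSS 1.0 namespace is included only so the checker can tell the two apart).

```python
# Added example, not from the thread or from CXF: parse a captured WS-Trust
# Issue request and report whether it carries what the STS policy in the post
# asks for. Namespace URIs and expected values are taken from the post.
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
# The post's request uses the pre-OASIS 2002/04 wsse namespace; the OASIS
# WSS 1.0 namespace is listed so the checker can report which one it sees.
WSSE_2002 = "http://schemas.xmlsoap.org/ws/2002/04/secext"
WSSE_OASIS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://www.w3.org/ns/ws-policy"
WSA = "http://www.w3.org/2005/08/addressing"

# Expected values, as shown in the post's policy and outbound message.
EXPECTED_VALUE_TYPE = "http://schemas.hcsc.com/ws/securitypolicy/token-profile#SMSESSION"
EXPECTED_ENCODING = ("http://docs.oasis-open.org/wss/2004/01/"
                     "oasis-200401-wss-soap-message-security-1.0#Base64Binary")
EXPECTED_TOKEN_TYPE = "urn:oasis:names:tc:SAML:2.0:assertion"
EXPECTED_KEY_TYPE = WST + "/Bearer"

# Constructed sample: the post's outbound RST with the token value truncated.
SAMPLE_RST = f"""<soap:Envelope xmlns:soap="{SOAP}">
<soap:Header>
<wsse:Security soap:mustUnderstand="true" xmlns:wsse="{WSSE_2002}">
<wsse:BinarySecurityToken xmlns:wsu="{WSU}"
    EncodingType="{EXPECTED_ENCODING}"
    ValueType="{EXPECTED_VALUE_TYPE}"
    wsu:Id="SecurityToken">YwjtLDRg</wsse:BinarySecurityToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<wst:RequestSecurityToken xmlns:wst="{WST}">
<wst:SecondaryParameters>
<wst:TokenType>{EXPECTED_TOKEN_TYPE}</wst:TokenType>
<wst:KeyType>{EXPECTED_KEY_TYPE}</wst:KeyType>
</wst:SecondaryParameters>
<wst:RequestType>{WST}/Issue</wst:RequestType>
<wsp:AppliesTo xmlns:wsp="{WSP}">
<wsa:EndpointReference xmlns:wsa="{WSA}">
<wsa:Address>http://localhost:9084/myapp/services/AccountMaintenance</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Renewing Allow="false"/>
</wst:RequestSecurityToken>
</soap:Body>
</soap:Envelope>"""


def _text(parent, path):
    """Stripped text of the first child matching path, or None if absent."""
    el = parent.find(path) if parent is not None else None
    return (el.text or "").strip() if el is not None else None


def check_rst(xml_text):
    """Return a dict of findings about a WS-Trust Issue request.

    Boolean entries are True when that part of the request matches the
    expected policy; 'wsse_namespace' and 'applies_to' are informational.
    """
    root = ET.fromstring(xml_text)
    findings = {"wsse_namespace": None}

    # Locate the Security header under either wsse namespace.
    header = root.find(f"{{{SOAP}}}Header")
    security = None
    for ns in (WSSE_2002, WSSE_OASIS):
        security = header.find(f"{{{ns}}}Security") if header is not None else None
        if security is not None:
            findings["wsse_namespace"] = ns
            break
    findings["security_header_present"] = security is not None

    # The supporting token: a BST whose ValueType/EncodingType match the policy.
    bst = None
    if security is not None:
        bst = security.find(f"{{{findings['wsse_namespace']}}}BinarySecurityToken")
    findings["bst_present"] = bst is not None
    findings["bst_value_type_ok"] = bst is not None and bst.get("ValueType") == EXPECTED_VALUE_TYPE
    findings["bst_encoding_ok"] = bst is not None and bst.get("EncodingType") == EXPECTED_ENCODING
    findings["bst_has_wsu_id"] = bst is not None and bst.get(f"{{{WSU}}}Id") is not None
    findings["bst_nonempty"] = bst is not None and bool((bst.text or "").strip())

    # The RST body: SAML 2.0 bearer token requested through the Issue binding.
    body = root.find(f"{{{SOAP}}}Body")
    rst = body.find(f"{{{WST}}}RequestSecurityToken") if body is not None else None
    params = f"{{{WST}}}SecondaryParameters/"
    findings["token_type_ok"] = _text(rst, params + f"{{{WST}}}TokenType") == EXPECTED_TOKEN_TYPE
    findings["key_type_ok"] = _text(rst, params + f"{{{WST}}}KeyType") == EXPECTED_KEY_TYPE
    findings["request_type_ok"] = _text(rst, f"{{{WST}}}RequestType") == WST + "/Issue"
    findings["applies_to"] = _text(rst, f"{{{WSP}}}AppliesTo/{{{WSA}}}EndpointReference/{{{WSA}}}Address")
    return findings


def all_ok(findings):
    """True when every boolean finding passed."""
    return all(v for v in findings.values() if isinstance(v, bool))


if __name__ == "__main__":
    result = check_rst(SAMPLE_RST)
    for key, value in result.items():
        print(f"{key:24} {value}")
    print("request matches policy:", all_ok(result))
```

Run against the captured message, every boolean finding is True, which supports the reading that the outbound request is fine and that the failure is on the client's handling of the response. Feed it a request whose ValueType differs from the policy's and `bst_value_type_ok` flips to False, which is the case a practitioner would want to catch before looking anywhere else.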
