Hi Colm,
thanks for your response.
I took the next step and got the STS working without security policy.
The response of the STS looks like this:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <ns2:RequestSecurityTokenResponseCollection
            xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200802"
            xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
            xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:ns5="http://www.w3.org/2005/08/addressing">
         <ns2:RequestSecurityTokenResponse>
            <ns2:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</ns2:TokenType>
            <ns2:RequestedSecurityToken>
               <wsc:SecurityContextToken
                     wsu:Id="sctId-EDC87B557EC37DDB9614089740074994"
                     xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
                     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                  <wsc:Identifier>uuid:EDC87B557EC37DDB9614089740074993</wsc:Identifier>
               </wsc:SecurityContextToken>
            </ns2:RequestedSecurityToken>
            <ns2:RequestedAttachedReference>
               <ns4:SecurityTokenReference>
                  <ns4:Reference
                        URI="#sctId-EDC87B557EC37DDB9614089740074994"
                        ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"/>
               </ns4:SecurityTokenReference>
            </ns2:RequestedAttachedReference>
            <ns2:RequestedUnattachedReference>
               <ns4:SecurityTokenReference>
                  <ns4:Reference
                        URI="uuid:EDC87B557EC37DDB9614089740074993"
                        ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct"/>
               </ns4:SecurityTokenReference>
            </ns2:RequestedUnattachedReference>
            <ns2:RequestedProofToken>
               <ns2:BinarySecret
                     Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">NZ0dFRyWuPMIIdsTtz+2C6uo02py/vNSmPWtT+nCoM4=</ns2:BinarySecret>
            </ns2:RequestedProofToken>
            <ns2:Lifetime>
               <ns3:Created>2014-08-25T13:40:07.499Z</ns3:Created>
               <ns3:Expires>2014-08-25T14:10:07.499Z</ns3:Expires>
            </ns2:Lifetime>
         </ns2:RequestSecurityTokenResponse>
      </ns2:RequestSecurityTokenResponseCollection>
   </soap:Body>
</soap:Envelope>

I now wanted to call my business service with the token returned by the STS
but got the error:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
         <faultstring>These policy alternatives can not be satisfied: 
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient}TransportBinding
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient}TransportToken
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient}HttpsToken
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient}SupportingTokens
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient}SecureConversationToken</faultstring>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

I simply called the service with the request shown below:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
      xmlns:doub="http://www.example.org/schema/DoubleIt"
      xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <soapenv:Header>
        <wsse:Security>
                <wsc:SecurityContextToken
                      xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc">
                        <wsc:Identifier>uuid:EDC87B557EC37DDB9614089740074993</wsc:Identifier>
                </wsc:SecurityContextToken>
        </wsse:Security>
   </soapenv:Header>
   <soapenv:Body>
      <doub:DoubleIt>
         <numberToDouble>2</numberToDouble>
      </doub:DoubleIt>
   </soapenv:Body>
</soapenv:Envelope>


The policy description in business service looks like this:
<wsp:Policy wsu:Id="BiPROAuthSecurityPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:TransportBinding>
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <sp:HttpsToken
                                    RequireClientCertificate="false" />
                            </wsp:Policy>
                        </sp:TransportToken>
                    </wsp:Policy>
                </sp:TransportBinding>
                <sp:SupportingTokens>
                    <wsp:Policy>
                        <sp:SecureConversationToken
                            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                            <sp:Issuer>
                                <wsa:Address>http://localhost:8080/DoubleItSTS/STS/mex</wsa:Address>
                            </sp:Issuer>
                        </sp:SecureConversationToken>
                    </wsp:Policy>
                </sp:SupportingTokens>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

Maybe you have another hint for me, to steer me in the right direction?

Thanks for your help,
SRog

--
View this message in context: 
http://cxf.547215.n5.nabble.com/CXF-STS-with-SecureConversation-tp5748092p5748115.html
Sent from the cxf-user mailing list archive at Nabble.com.
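
Added example, not part of the original message and not CXF code: a Python check that parses one RequestSecurityTokenResponse shaped like the STS response quoted above and verifies that the attached and unattached references, the Lifetime window and the proof-token secret are consistent with the issued SecurityContextToken. The names `check_rstr` and `SAMPLE_RSTR`, the constructed sample values and the 128-bit secret floor are assumptions made for this example.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {  # namespace URIs as they appear in the STS response above
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsc": "http://schemas.xmlsoap.org/ws/2005/02/sc",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}

# Constructed sample: same element structure as the response above, placeholder ids and secret.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="{wst}" xmlns:wsc="{wsc}"
    xmlns:wsse="{wsse}" xmlns:wsu="{wsu}">
  <wst:RequestedSecurityToken><wsc:SecurityContextToken wsu:Id="sctId-2">
    <wsc:Identifier>uuid:1</wsc:Identifier></wsc:SecurityContextToken></wst:RequestedSecurityToken>
  <wst:RequestedAttachedReference><wsse:SecurityTokenReference>
    <wsse:Reference URI="#sctId-2"/></wsse:SecurityTokenReference></wst:RequestedAttachedReference>
  <wst:RequestedUnattachedReference><wsse:SecurityTokenReference>
    <wsse:Reference URI="uuid:1"/></wsse:SecurityTokenReference></wst:RequestedUnattachedReference>
  <wst:RequestedProofToken><wst:BinarySecret>{secret}</wst:BinarySecret></wst:RequestedProofToken>
  <wst:Lifetime><wsu:Created>2014-08-25T13:40:07.499Z</wsu:Created>
    <wsu:Expires>2014-08-25T14:10:07.499Z</wsu:Expires></wst:Lifetime>
</wst:RequestSecurityTokenResponse>""".format(secret="A" * 43 + "=", **NS)

def _when(rstr, tag):
    text = rstr.findtext("wst:Lifetime/wsu:" + tag, namespaces=NS)
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%f%z")  # "Z" parses as UTC (Python 3.7+)

def check_rstr(xml_text, now):
    """Return (info, problems) for one RSTR; `now` must be a timezone-aware datetime."""
    rstr = ET.fromstring(xml_text)
    sct = rstr.find("wst:RequestedSecurityToken/wsc:SecurityContextToken", NS)
    ident = sct.findtext("wsc:Identifier", namespaces=NS)
    attached = rstr.find("wst:RequestedAttachedReference//wsse:Reference", NS).get("URI")
    unattached = rstr.find("wst:RequestedUnattachedReference//wsse:Reference", NS).get("URI")
    secret = base64.b64decode(rstr.findtext("wst:RequestedProofToken/wst:BinarySecret", namespaces=NS))
    created, expires = _when(rstr, "Created"), _when(rstr, "Expires")
    problems = []
    if attached != "#" + sct.get("{%s}Id" % NS["wsu"]):
        problems.append("attached reference does not point at the token's wsu:Id")
    if unattached != ident:
        problems.append("unattached reference does not match wsc:Identifier")
    if not created <= now < expires:
        problems.append("token is outside its Lifetime window")
    if len(secret) < 16:  # assumption: 128-bit floor chosen for this example
        problems.append("proof-token secret shorter than 128 bits")
    info = {"identifier": ident, "secret_bytes": len(secret), "lifetime_s": (expires - created).total_seconds()}
    return info, problems
```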