You could take a look at a somewhat similar system test in CXF:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/cross_domain/CrossDomainTest.java;h=8f340f66441c8d7fb4122bffb45c435e95c3ce70;hb=HEAD

Getting a token from the first STS + then using it to get a token from the
second STS is not really all that well tested + is quite tricky to get
right.

For Symmetric KeyType configuration see:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob_plain;f=services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml;hb=HEAD

Colm.

On Wed, Sep 24, 2014 at 7:47 PM, niranjana.murthy <[email protected]> wrote:

> Thanks for enlightening me on those properties. I have few more questions.
>
> What should be the configuration for a SYMMETRIC KEYTYPE?
> How do I pass the issued token which I have already?
> In totality, how do I go about if I were to access this endpoint?
>
> On Wed, Sep 24, 2014 at 7:45 PM, coheigea [via CXF] <[email protected]> wrote:
>
> > > Question: what should be the expected value of 'ws-security.username' &
> > > 'ws-security.sts.token.username'?
> >
> > Assuming that the STS has a UsernameToken policy requirement, the
> > 'ws-security.username' is used as the "username". Alternatively, it
> > is used as the keystore alias if this is required by the security policy.
> > 'ws-security.sts.token.username' is the keystore alias to use if you are
> > sending a certificate to the STS as part of "UseKey" (required if the
> > KeyType is PublicKey). As the security policy you are using is
> > "SymmetricKey" you don't need any of the "ws-security.sts.token.*"
> > properties.
> >
> > Colm.
> >
> > On Wed, Sep 24, 2014 at 10:54 AM, niranjana.murthy <[hidden email]> wrote:
> >
> > > The problem still exists.
> > >
> > > *Here is the bean configuration: I did not have the properties mapping
> > > earlier, added it on your suggestion*
> > > <bean id="stsClientFederation"
> > >       class="org.apache.cxf.ws.security.trust.STSClient" scope="prototype">
> > >     <constructor-arg ref="cxf" />
> > >     <property name="wsdlLocation" value="adfs.wsdl" />
> > >     <property name="sendRenewing" value="false" />
> > >     <property name="serviceName"
> > >         value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService" />
> > >     <property name="endpointName"
> > >         value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}IssuedTokenWSTrustBinding_IWSTrust13Async1" />
> > >     <property name="addressingNamespace" value="http://www.w3.org/2005/08/addressing" />
> > >     <property name="enableAppliesTo" value="true" />
> > >     <property name="properties">
> > >         <map>
> > >             <entry key="ws-security.username" value="username" />
> > >             <entry key="ws-security.callback-handler" value="clientKeystore.PasswordCallbackHandler" />
> > >             <entry key="ws-security.sts.token.username" value="clientstskey" />
> > >             <entry key="ws-security.sts.token.properties" value="clientKeystore.properties" />
> > >             <entry key="ws-security.sts.token.usecert" value="true" />
> > >         </map>
> > >     </property>
> > > </bean>
> > >
> > >
> > > Question: what should be the expected value of 'ws-security.username' &
> > > 'ws-security.sts.token.username'?
> > >
> > >
> > >
> > > ------------------------------------------------------------------------------------------------------------------
> > > *Security policy, binding.. from the wsdl*
> > >
> > > <wsp:Policy wsu:Id="IssuedTokenWSTrustBinding_IWSTrust13Async1_policy">
> > >   <wsp:ExactlyOne>
> > >     <wsp:All>
> > >       <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > >         <wsp:Policy>
> > >           <sp:TransportToken>
> > >             <wsp:Policy>
> > >               <sp:HttpsToken />
> > >             </wsp:Policy>
> > >           </sp:TransportToken>
> > >           <sp:AlgorithmSuite>
> > >             <wsp:Policy>
> > >               <sp:Basic256 />
> > >             </wsp:Policy>
> > >           </sp:AlgorithmSuite>
> > >           <sp:Layout>
> > >             <wsp:Policy>
> > >               <sp:Strict />
> > >             </wsp:Policy>
> > >           </sp:Layout>
> > >           <sp:IncludeTimestamp />
> > >         </wsp:Policy>
> > >       </sp:TransportBinding>
> > >       <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > >         <wsp:Policy>
> > >           <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> > >             <sp:RequestSecurityTokenTemplate>
> > >               <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
> > >               <trust:KeySize>256</trust:KeySize>
> > >               <trust:KeyWrapAlgorithm>http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
> > >               <trust:EncryptWith>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
> > >               <trust:SignatureAlgorithm>http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignatureAlgorithm>
> > >               <trust:CanonicalizationAlgorithm>http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
> > >               <trust:EncryptionAlgorithm>http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
> > >             </sp:RequestSecurityTokenTemplate>
> > >             <wsp:Policy>
> > >               <sp:RequireInternalReference />
> > >             </wsp:Policy>
> > >           </sp:IssuedToken>
> > >           <sp:SignedParts>
> > >             <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
> > >           </sp:SignedParts>
> > >           <KeyValueToken IncludeToken="" Optional="">
> > >             <Policy />
> > >           </KeyValueToken>
> > >         </wsp:Policy>
> > >       </sp:EndorsingSupportingTokens>
> > >       <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > >         <wsp:Policy>
> > >           <sp:MustSupportRefKeyIdentifier />
> > >           <sp:MustSupportRefIssuerSerial />
> > >           <sp:MustSupportRefThumbprint />
> > >           <sp:MustSupportRefEncryptedKey />
> > >         </wsp:Policy>
> > >       </sp:Wss11>
> > >       <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > >         <wsp:Policy>
> > >           <sp:MustSupportIssuedTokens />
> > >           <sp:RequireClientEntropy />
> > >           <sp:RequireServerEntropy />
> > >         </wsp:Policy>
> > >       </sp:Trust13>
> > >       <wsaw:UsingAddressing />
> > >     </wsp:All>
> > >   </wsp:ExactlyOne>
> > > </wsp:Policy>
> > >
> > >
> > >
> > > ----------------------------------------------------------------------------------------------
> > >
> > > <wsdl:binding name="IssuedTokenWSTrustBinding_IWSTrust13Async1" type="tns:IWSTrust13Async">
> > >   <wsp:PolicyReference URI="#IssuedTokenWSTrustBinding_IWSTrust13Async1_policy" />
> > >   <soap12:binding transport="http://schemas.xmlsoap.org/soap/http" />
> > >   <wsdl:operation name="Trust13IssueAsync">
> > >     <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" style="document" />
> > >     <wsdl:input>
> > >       <soap12:body use="literal" />
> > >     </wsdl:input>
> > >     <wsdl:output>
> > >       <soap12:body use="literal" />
> > >     </wsdl:output>
> > >   </wsdl:operation>
> > > </wsdl:binding>
> > >
> > >
> > >
> > > --------------------------------------------------------------------------------------------------------------
> > > Here is my code snippet to get the token
> > >
> > > public SecurityToken getFederatedToken(TokenInputs tokenInputVo, SecurityToken issuedToken) {
> > >     SecurityToken securityToken = null;
> > >     try {
> > >         stsClient = (STSClient) ctx.getBean("stsClientFederation");
> > >         stsClient.setEnableAppliesTo(true);
> > >         stsClient.setTokenType(SAML2_TOKEN_TYPE);
> > >
> > >         // Next two lines are necessary as ADFS will throw "unrecognized Policy" otherwise
> > >         stsClient.setAddressingNamespace("http://schemas.xmlsoap.org/ws/2004/08/addressing");
> > >         stsClient.setWspNamespace("http://schemas.xmlsoap.org/ws/2004/09/policy");
> > >
> > >         // Hand the token issued by the first STS to the client for the second STS
> > >         stsClient.getProperties().put("ws-security.token", issuedToken);
> > >
> > >         securityToken = stsClient.requestSecurityToken(tokenInputVo.getAdfsRelyingParty());
> > >     } catch (Exception exp) {
> > >         throw new RuntimeException("Error occurred while requesting a federation security token from ADFS", exp);
> > >     }
> > >     return securityToken;
> > > }
> > >
> > > What do you suggest? Is it the right way to get an issuedToken?
> > >
> > >
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
> >
> >
>
>
>
> --
> Niranjan
>
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
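The two-hop flow discussed in this thread (authenticate to a first STS, then present the issued token to a second STS whose policy asks for a SymmetricKey token) written out as an added example. This is not code from the thread, from the CXF cross-domain system test or from the CXF project; the STS WSDL locations, service/endpoint QNames, relying-party address, callback handler class and keystore property file are placeholders, and the CXF calls used are the public STSClient setters and the SecurityConstants keys that the thread's own bean configuration refers to by string.

```java
import java.util.Map;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;

/**
 * Two-hop token exchange: obtain a SAML token from a "home" STS, then present that
 * token to a second (federation) STS whose IssuedToken policy requires
 * KeyType=SymmetricKey, KeySize=256 and client+server entropy.
 * All endpoint names, WSDL locations and property files are placeholders.
 */
public class CrossDomainTokenExchange {

    private static final String SAML2_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";
    private static final String SYMMETRIC_KEY_TYPE =
        "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";

    /** Step 1: authenticate to the home STS with a UsernameToken and obtain a SAML token. */
    public static SecurityToken getHomeToken(Bus bus) throws Exception {
        STSClient home = new STSClient(bus);
        home.setWsdlLocation("https://home-sts.example.test/sts?wsdl");               // placeholder
        home.setServiceName("{http://example.test/home-sts}SecurityTokenService");    // placeholder
        home.setEndpointName("{http://example.test/home-sts}UT_Port");                // placeholder
        home.setTokenType(SAML2_TOKEN_TYPE);

        Map<String, Object> props = home.getProperties();
        // ws-security.username is the UsernameToken "username"; the callback handler
        // supplies its password. No ws-security.sts.token.* properties are needed
        // because this STS does not require a UseKey certificate (PublicKey KeyType).
        props.put(SecurityConstants.USERNAME, "alice");                                // placeholder
        props.put(SecurityConstants.CALLBACK_HANDLER, "com.example.PasswordCallbackHandler"); // placeholder

        // AppliesTo is the second STS: the home STS issues a token scoped to it.
        return home.requestSecurityToken("https://federation-sts.example.test/sts");   // placeholder
    }

    /** Step 2: present the home token to the second STS and request a SymmetricKey token. */
    public static SecurityToken getFederatedToken(Bus bus, SecurityToken homeToken,
                                                  String relyingParty) throws Exception {
        STSClient federation = new STSClient(bus);
        federation.setWsdlLocation("https://federation-sts.example.test/sts?wsdl");             // placeholder
        federation.setServiceName("{http://example.test/federation-sts}SecurityTokenService");  // placeholder
        federation.setEndpointName("{http://example.test/federation-sts}IssuedToken_Port");     // placeholder
        federation.setTokenType(SAML2_TOKEN_TYPE);
        federation.setEnableAppliesTo(true);

        // Mirror the RequestSecurityTokenTemplate of the second STS's policy.
        federation.setKeyType(SYMMETRIC_KEY_TYPE);
        federation.setKeySize(256);
        federation.setRequiresEntropy(true);

        Map<String, Object> props = federation.getProperties();
        // The token from the first STS is handed over under ws-security.token, the same
        // key the thread's getFederatedToken() uses.
        props.put(SecurityConstants.TOKEN, homeToken);
        // Signature properties / callback handler are still needed so the request to the
        // second STS can be signed (endorsed) with the first token's proof-of-possession key.
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, "clientKeystore.properties");        // placeholder
        props.put(SecurityConstants.CALLBACK_HANDLER, "com.example.PasswordCallbackHandler");   // placeholder

        return federation.requestSecurityToken(relyingParty);
    }

    public static void main(String[] args) throws Exception {
        Bus bus = BusFactory.getDefaultBus();
        SecurityToken homeToken = getHomeToken(bus);
        SecurityToken federatedToken =
            getFederatedToken(bus, homeToken, "https://app.example.test/service");  // placeholder
        // A SymmetricKey token carries a proof key derived from client and server entropy;
        // the client later signs its requests to the relying party with it.
        System.out.println("Federated token id: " + federatedToken.getId()
            + ", proof key present: " + (federatedToken.getSecret() != null));
    }
}
```

The two STSClient instances are deliberately kept separate: the first is the one that authenticates the user, and the second only ever sees the issued token plus the proof key needed to endorse the request. When debugging a NullPointerException in this flow, the first things to check are that `homeToken` is non-null, that its `getSecret()` is populated (otherwise nothing can sign the second request), and that the KeyType/KeySize set on the second client actually match the template in the second STS's WSDL.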
