Hi there, I’m new to CXF and I’m trying to call a service that requires authentication via a separate STS (.NET based) that has some interesting requirements. I’m a bit stuck as to how I can accomplish what I need to accomplish.
I've configured the service client to call out for the security token before invoking the main service and it works (it's trying to call the STS), but the STS is expecting some extra data to be provided in the RequestSecurityToken element. The STS's policy specifies that the RequestSecurityToken be encrypted and signed before being sent up and that's what's causing me the issues. The encryption and signing is working, but I can't seem to modify the RST in the SOAP message before it gets encrypted/digested/signed. I made an Interceptor and tried it on all the different phases I could find, but none of them seem to get invoked between the RequestSecurityToken being created and the encryption and signing taking place. I could make modifications to the final SOAP message, but the part I’m interested in is encrypted inside a CipherData block by that point. Is there already a facility to add extra elements to the RequestSecurityToken? Or do I have to do something more custom? Here's what my RST looks like now before it gets encrypted: <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";> <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType> <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy";> <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing";> <wsa:Address>http://localhost:9085/MyService</wsa:Address> </wsa:EndpointReference> </wsp:AppliesTo> <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType> <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType> <wst:KeySize>192</wst:KeySize> <wst:Entropy> <wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce";>OlbfbuCUf3N2lNf9mhD03gfeMk0TfPI2nLWx8edlL5w=</wst:BinarySecret> </wst:Entropy> <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm> <wst:Renewing/> </wst:RequestSecurityToken> Here’s what the service needs it to look like (see the added Credentials element near the end): <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust";> <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType> <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy";> <EndpointReference xmlns="http://www.w3.org/2005/08/addressing";> <Address>http://localhost:9085/MyService</Address> </EndpointReference> </wsp:AppliesTo> <t:Entropy> <t:BinarySecret u:Id="uuid-e2d08122-45ab-45cd-80d1-46de2306836b-1" Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce"; xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>Ssex4V/175NCIOK1j4Mmbl47GiThOQMd</t:BinarySecret> </t:Entropy> <t:KeySize>192</t:KeySize> <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType> <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType> <Credentials> <UserName type="string">username</UserName> <Password type="string">password</Password> </Credentials> <t:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKeyAlgorithm> </t:RequestSecurityToken> And this is more or less my code - where would I alter the RST?: CXFBusFactory bf = new CXFBusFactory(); Bus bus = bf.createBus(); STSClient stsClient = new STSClient(bus); Map<String, Object> stsProperties = new HashMap<>(); stsProperties.put(SecurityConstants.ENCRYPT_CRYPTO, stsMerlin); stsProperties.put(SecurityConstants.SIGNATURE_CRYPTO, stsMerlin); stsProperties.put(SecurityConstants.IS_BSP_COMPLIANT, "false"); stsClient.setProperties(stsProperties); stsClient.setWsdlLocation("http://localhost:9999/SecurityTokenService?wsdl";); stsClient.setServiceName("{http://tempuri.org/}Service";); stsClient.setEndpointName("{http://tempuri.org/}Service_Port";); stsClient.setKeySize(192); stsClient.getInInterceptors().add(new LoggingInInterceptor()); stsClient.getOutInterceptors().add(new LoggingOutInterceptor()); stsClient.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";); stsClient.setSoap12(); // Set the STS Client on the bus bus.setProperty(SecurityConstants.STS_CLIENT, stsClient); BusFactory.setDefaultBus(bus); BusFactory.setThreadDefaultBus(bus); MyService myService = new MyService(); IMyService myServicePort = myService.getCustomBindingIMyService(); Map<String, Object> ctx = ((BindingProvider)myServicePort).getRequestContext(); ctx.put(SecurityConstants.ENCRYPT_CRYPTO, merlin); ctx.put(SecurityConstants.SIGNATURE_CRYPTO, merlin); ctx.put(SecurityConstants.IS_BSP_COMPLIANT, "false"); myServicePort.doSomething(); Any insights are greatly appreciated. Thanks Will
