Hi,
I have an STSClient communicating with Microsoft Server 2012 R2 Active
Directory Federation Services. This seems to work fine, except that I get
the following warnings logged on the client side:
feb 09, 2015 11:29:56 AM
org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl
handleNoRegisteredBuilder
WARNING: No assertion builder for type
{http://schemas.microsoft.com/ws/06/2004/policy/http}NegotiateAuthentication
registered.
feb 09, 2015 11:29:56 AM
org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl
handleNoRegisteredBuilder
WARNING: No assertion builder for type
{http://schemas.microsoft.com/ws/2005/07/securitypolicy}RsaToken
registered.
feb 09, 2015 11:29:56 AM
org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider
getElementPolicy
WARNING: Failed to build the policy
'CustomBinding_IWSTrust13Async_policy':Invalid Policy
feb 09, 2015 11:29:56 AM
org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider
getElementPolicy
WARNING: Failed to build the policy
'CertificateWSTrustBinding_IWSTrust13Async_policy':Invalid Policy
feb 09, 2015 11:29:56 AM
org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider
getElementPolicy
WARNING: Failed to build the policy
'IssuedTokenWSTrustBinding_IWSTrust13Async_policy':Invalid Policy
feb 09, 2015 11:29:56 AM
org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider
getElementPolicy
WARNING: Failed to build the policy
'IssuedTokenWSTrustBinding_IWSTrust13Async1_policy':Invalid Policy
So I understand that AD FS' policy contains a couple of assertions that CXF
does not understand. The question is whether I should try to handle this in
some way. At a minimum I want to get rid of the WARN logging, but is there
anything else I should consider doing? Does this affect security?
Also, should I do anything about these "Invalid Policy" warnings?
My STSClient configuration:

<bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient">
  <constructor-arg ref="cxf"/>
  <property name="tokenType" value="urn:oasis:names:tc:SAML:2.0:assertion"/>
  <property name="wsdlLocation" value="https://XXX/adfs/services/trust/mex"/>
  <property name="serviceName"
    value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService"/>
  <property name="endpointName"
    value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}UserNameWSTrustBinding_IWSTrust13Async"/>
  <property name="sendRenewing" value="false"/>
  <property name="allowRenewing" value="false"/>
  <property name="enableLifetime" value="true"/>
  <property name="ttl" value="30"/>
  <property name="outInterceptors">
    <!-- This will ask for user name and password on the console
         and set them on the message context properties
         'ws-security.username'/'ws-security.password', which
         STSClient will then use to generate the UsernameToken
         requested by ADFS' policy on the endpoint
         configured above ('endpointName' property) -->
    <bean class="XXX.CredentialsInterceptor"/>
  </property>
</bean>
Regards,
Thomas Johansen
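The warnings above name assertion types the client has no builder for, and an unknown assertion is one the client does not enforce. As an added example (not from this thread and not CXF code), the script below walks the WS-Policy attachments in a mex WSDL and reports, per policy id, which assertions fall outside the namespaces the client understands, so that each one (RsaToken in particular) can be reviewed for whether it was meant to constrain the exchange. KNOWN_NS and the WSDL fragment are constructed assumptions that mirror the policy ids and assertion QNames in the log.

```python
import xml.etree.ElementTree as ET
# WS-Policy 1.5 plus the older 2004/09 namespace that ADFS metadata also uses.
WSP_NS = {"http://www.w3.org/ns/ws-policy", "http://schemas.xmlsoap.org/ws/2004/09/policy"}
WSU_ID = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}Id"
# Assumption: namespaces this client has builders for (stand-in for the CXF AssertionBuilderRegistry contents).
KNOWN_NS = {"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
            "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"}
# Constructed WSDL fragment using the policy ids and assertion types from the warnings.
SAMPLE_WSDL = """<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
 xmlns:wsp="http://www.w3.org/ns/ws-policy"
 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:http="http://schemas.microsoft.com/ws/06/2004/policy/http"
 xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy">
 <wsp:Policy wsu:Id="CustomBinding_IWSTrust13Async_policy"><wsp:ExactlyOne><wsp:All>
  <sp:TransportBinding><wsp:Policy><sp:TransportToken><wsp:Policy><sp:HttpsToken/>
  </wsp:Policy></sp:TransportToken></wsp:Policy></sp:TransportBinding>
  <http:NegotiateAuthentication/>
 </wsp:All></wsp:ExactlyOne></wsp:Policy>
 <wsp:Policy wsu:Id="CertificateWSTrustBinding_IWSTrust13Async_policy"><wsp:ExactlyOne><wsp:All>
  <sp:SignedSupportingTokens><wsp:Policy><mssp:RsaToken/></wsp:Policy></sp:SignedSupportingTokens>
 </wsp:All></wsp:ExactlyOne></wsp:Policy>
</wsdl:definitions>"""

def split_qname(tag):
    """Split ElementTree's '{ns}local' tag form into (ns, local)."""
    ns, _, local = tag[1:].partition("}") if tag.startswith("{") else ("", "", tag)
    return ns, local

def assertions(node):
    """Yield every assertion element below a policy: wsp:Policy/ExactlyOne/All are
    transparent operators, any other element is an assertion (nested ones included)."""
    for child in node:
        if split_qname(child.tag)[0] not in WSP_NS:
            yield child
        yield from assertions(child)

def unknown_assertions(wsdl_text, known_ns=KNOWN_NS):
    """Map each wsu:Id-named wsp:Policy to the sorted assertion QNames whose namespace
    has no builder: exactly the assertions the client will skip rather than enforce."""
    report = {}
    for pol in ET.fromstring(wsdl_text).iter():
        ns, local = split_qname(pol.tag)
        if ns in WSP_NS and local == "Policy" and pol.get(WSU_ID):
            report[pol.get(WSU_ID)] = sorted(
                {a.tag for a in assertions(pol) if split_qname(a.tag)[0] not in known_ns})
    return report

if __name__ == "__main__":
    for policy_id, names in unknown_assertions(SAMPLE_WSDL).items():
        print(policy_id, "->", names or "all assertions understood")
```

Point it at the real mex document (the `wsdlLocation` above) to get the same report for every policy ADFS publishes, including the ones CXF rejected as "Invalid Policy".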