Hi Will,

What I would suggest you do here is to subclass the STSClient in CXF:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java;h=afdaaeaa092460c5cbccd3f9723660ded9f12e2b;hb=HEAD

In particular, you want to override the "issue" method here:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java;h=4b4630e9d3fe0afab4496de0c7b0dd5df2fca292;hb=HEAD

Just copy the existing method code + add in your own custom code at the end.

Colm.

On Thu, Feb 5, 2015 at 8:06 PM, Will Warren <[email protected]> wrote:

> Hi there, I’m new to CXF and I’m trying to call a service that requires
> authentication via a separate STS (.NET based) that has some interesting
> requirements. I’m a bit stuck as to how I can accomplish what I need to
> accomplish.
>
> I've configured the service client to call out for the security token
> before invoking the main service and it works (it's trying to call the
> STS), but the STS is expecting some extra data to be provided in the
> RequestSecurityToken element. The STS's policy specifies that the
> RequestSecurityToken be encrypted and signed before being sent up and
> that's what's causing me the issues. The encryption and signing is working,
> but I can't seem to modify the RST in the SOAP message before it gets
> encrypted/digested/signed.
>
> I made an Interceptor and tried it on all the different phases I could
> find, but none of them seem to get invoked between the RequestSecurityToken
> being created and the encryption and signing taking place. I could make
> modifications to the final SOAP message, but the part I’m interested in is
> encrypted inside a CipherData block by that point.
>
> Is there already a facility to add extra elements to the
> RequestSecurityToken? Or do I have to do something more custom?
>
> Here's what my RST looks like now before it gets encrypted:
>
> <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>   <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
>   <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
>     <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
>       <wsa:Address>http://localhost:9085/MyService</wsa:Address>
>     </wsa:EndpointReference>
>   </wsp:AppliesTo>
>   <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
>   <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</wst:KeyType>
>   <wst:KeySize>192</wst:KeySize>
>   <wst:Entropy>
>     <wst:BinarySecret Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">OlbfbuCUf3N2lNf9mhD03gfeMk0TfPI2nLWx8edlL5w=</wst:BinarySecret>
>   </wst:Entropy>
>   <wst:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</wst:ComputedKeyAlgorithm>
>   <wst:Renewing/>
> </wst:RequestSecurityToken>
>
> Here’s what the service needs it to look like (see the added Credentials
> element near the end):
>
> <t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
>   <t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType>
>   <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
>     <EndpointReference xmlns="http://www.w3.org/2005/08/addressing">
>       <Address>http://localhost:9085/MyService</Address>
>     </EndpointReference>
>   </wsp:AppliesTo>
>   <t:Entropy>
>     <t:BinarySecret u:Id="uuid-e2d08122-45ab-45cd-80d1-46de2306836b-1" Type="http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">Ssex4V/175NCIOK1j4Mmbl47GiThOQMd</t:BinarySecret>
>   </t:Entropy>
>   <t:KeySize>192</t:KeySize>
>   <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
>   <t:KeyType>http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey</t:KeyType>
>   <Credentials>
>     <UserName type="string">username</UserName>
>     <Password type="string">password</Password>
>   </Credentials>
>   <t:ComputedKeyAlgorithm>http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1</t:ComputedKeyAlgorithm>
> </t:RequestSecurityToken>
>
> And this is more or less my code - where would I alter the RST?:
>
> CXFBusFactory bf = new CXFBusFactory();
> Bus bus = bf.createBus();
>
> STSClient stsClient = new STSClient(bus);
> Map<String, Object> stsProperties = new HashMap<>();
>
> stsProperties.put(SecurityConstants.ENCRYPT_CRYPTO, stsMerlin);
> stsProperties.put(SecurityConstants.SIGNATURE_CRYPTO, stsMerlin);
> stsProperties.put(SecurityConstants.IS_BSP_COMPLIANT, "false");
> stsClient.setProperties(stsProperties);
>
> stsClient.setWsdlLocation("http://localhost:9999/SecurityTokenService?wsdl");
> stsClient.setServiceName("{http://tempuri.org/}Service");
> stsClient.setEndpointName("{http://tempuri.org/}Service_Port");
>
> stsClient.setKeySize(192);
>
> stsClient.getInInterceptors().add(new LoggingInInterceptor());
> stsClient.getOutInterceptors().add(new LoggingOutInterceptor());
>
> stsClient.setTokenType("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1");
> stsClient.setSoap12();
>
> // Set the STS Client on the bus
> bus.setProperty(SecurityConstants.STS_CLIENT, stsClient);
>
> BusFactory.setDefaultBus(bus);
> BusFactory.setThreadDefaultBus(bus);
>
> MyService myService = new MyService();
> IMyService myServicePort = myService.getCustomBindingIMyService();
>
> Map<String, Object> ctx = ((BindingProvider)myServicePort).getRequestContext();
> ctx.put(SecurityConstants.ENCRYPT_CRYPTO, merlin);
> ctx.put(SecurityConstants.SIGNATURE_CRYPTO, merlin);
> ctx.put(SecurityConstants.IS_BSP_COMPLIANT, "false");
>
> myServicePort.doSomething();
>
> Any insights are greatly appreciated.
>
> Thanks
> Will

-- 
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
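A worked sketch of the "add your own custom code at the end" step, added here and not part of Colm's reply or of the CXF code base. It assumes the copied issue method exposes the finished RequestSecurityToken as a DOM Document (the stream writer it uses can hand one back) and appends the unqualified Credentials element from Will's target RST to it, so the element is in place before the WS-Security out interceptors encrypt and sign the body; the class name RstCredentialsAppender and the sample credentials are constructed for illustration.

```java
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Hypothetical helper (not CXF code): appends the Credentials element the .NET STS
// expects to an already-built RequestSecurityToken DOM, so that it is present before
// the WSS4J out interceptors encrypt and sign the message body.
public final class RstCredentialsAppender {

    public static Element appendCredentials(Document rstDoc, String userName, String password) {
        Element rst = rstDoc.getDocumentElement();
        // Fail loudly rather than silently sending an RST without the credentials.
        if (rst == null || !"RequestSecurityToken".equals(rst.getLocalName())) {
            throw new IllegalArgumentException("root element is not a RequestSecurityToken");
        }
        if (userName == null || userName.isEmpty() || password == null) {
            throw new IllegalArgumentException("user name and password must be supplied");
        }
        // Unqualified elements, matching the sample the STS expects (no wst/t prefix).
        Element credentials = rstDoc.createElementNS(null, "Credentials");
        Element user = rstDoc.createElementNS(null, "UserName");
        user.setAttribute("type", "string");
        user.setTextContent(userName);
        Element pass = rstDoc.createElementNS(null, "Password");
        pass.setAttribute("type", "string");
        pass.setTextContent(password);
        credentials.appendChild(user);
        credentials.appendChild(pass);
        rst.appendChild(credentials);
        return credentials;
    }

    // Stand-alone demonstration on a constructed, minimal RST (namespace as in the thread).
    public static void main(String[] args) throws Exception {
        String wst = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element rst = doc.createElementNS(wst, "wst:RequestSecurityToken");
        doc.appendChild(rst);
        Element requestType = doc.createElementNS(wst, "wst:RequestType");
        requestType.setTextContent(wst + "/Issue");
        rst.appendChild(requestType);
        // Constructed placeholder credentials; in the subclass take them from the
        // STSClient properties instead of hard-coding them.
        appendCredentials(doc, "username", "password");
        System.out.println(rst.getElementsByTagNameNS("*", "Credentials").getLength() == 1
            ? "Credentials element appended" : "append failed");
    }
}
```

Call it on the writer's Document at the point where the copied issue method has finished writing the RST, so the element is already present when the message is handed on to the security interceptors.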
