Hi,

Yes, the problem is that NegotiateAuthentication and RsaToken are Microsoft-specific assertions and aren't recognized by CXF. I don't know exactly what these assertions are doing; as a workaround you can register custom dummy handlers for both assertions: http://cxf.apache.org/using-ws-policy-in-cxf-projects .
Regards,
Andrei.

> -----Original Message-----
> From: Thomas Johansen [mailto:[email protected]]
> Sent: Monday, 9 February 2015 11:58
> To: [email protected]
> Subject: Advice for handling Microsoft specific assertions
>
> Hi,
>
> I have an STSClient communicating with Microsoft Server 2012 R2 Active
> Directory Federation Services. This seems to work fine, except that I get the
> following warnings logged on the client side:
>
> *feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder*
> *WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/06/2004/policy/http}NegotiateAuthentication registered.*
> *feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder*
> *WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/2005/07/securitypolicy}RsaToken registered.*
> feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> WARNING: Failed to build the policy 'CustomBinding_IWSTrust13Async_policy':Invalid Policy
> feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> WARNING: Failed to build the policy 'CertificateWSTrustBinding_IWSTrust13Async_policy':Invalid Policy
> feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> WARNING: Failed to build the policy 'IssuedTokenWSTrustBinding_IWSTrust13Async_policy':Invalid Policy
> feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
> WARNING: Failed to build the policy 'IssuedTokenWSTrustBinding_IWSTrust13Async1_policy':Invalid Policy
>
> So I understand that AD FS' policy contains a couple of assertions that CXF does
> not understand. The question is if I should try to handle this in a way. At a
> minimum I want to get rid of the WARN logging, but is there anything else I
> should consider doing? Does this affect security?
>
> Also, should I do anything with these "Invalid Policy" warnings?
>
> My STSClient configuration:
>
> <bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient">
>     <constructor-arg ref="cxf"/>
>     <property name="tokenType" value="urn:oasis:names:tc:SAML:2.0:assertion"/>
>     <property name="wsdlLocation" value="https://XXX/adfs/services/trust/mex"/>
>     <property name="serviceName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService"/>
>     <property name="endpointName" value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}UserNameWSTrustBinding_IWSTrust13Async"/>
>     <property name="sendRenewing" value="false"/>
>     <property name="allowRenewing" value="false"/>
>     <property name="enableLifetime" value="true"/>
>     <property name="ttl" value="30"/>
>     <property name="outInterceptors">
>         <!-- This will ask for user name and password on the console and set them
>              on the message context properties 'ws-security.username'/'ws-security.password',
>              which STSClient then will use for generating UsernameToken
>              which is requested by ADFS' policy on the endpoint configured above
>              ('endpointName' property) -->
>         <bean class="XXX.CredentialsInterceptor"/>
>     </property>
> </bean>
>
>
> Regards,
> Thomas Johansen
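The "dummy handler" workaround Andrei points to, written out as an added example (this is not code from the thread, from the CXF project, or from the linked page). It assumes the CXF 3.x / Neethi 3 API (org.apache.neethi.builders.AssertionBuilder, org.apache.cxf.ws.policy.AssertionBuilderRegistry); the two QNames are taken from the warnings above, while the class name MicrosoftAssertionBuilder and the registerOn helper are made up for the example.

```java
import javax.xml.namespace.QName;

import org.apache.cxf.Bus;
import org.apache.cxf.ws.policy.AssertionBuilderRegistry;
import org.apache.neethi.Assertion;
import org.apache.neethi.AssertionBuilderFactory;
import org.apache.neethi.builders.AssertionBuilder;
import org.apache.neethi.builders.PrimitiveAssertion;
import org.w3c.dom.Element;

/**
 * Hypothetical "dummy" assertion builder for the two Microsoft-specific
 * policy assertions AD FS advertises (QNames taken from the warnings in
 * the thread). Each element becomes a plain neethi PrimitiveAssertion:
 * CXF then treats the assertion as known, so the warning disappears, but
 * nothing is enforced for it on the client side, exactly as with the
 * default "ignore unknown assertions" behaviour, only explicit.
 */
public class MicrosoftAssertionBuilder implements AssertionBuilder<Element> {

    public static final QName NEGOTIATE_AUTHENTICATION = new QName(
        "http://schemas.microsoft.com/ws/06/2004/policy/http", "NegotiateAuthentication");
    public static final QName RSA_TOKEN = new QName(
        "http://schemas.microsoft.com/ws/2005/07/securitypolicy", "RsaToken");

    // WS-Policy 1.2 and 1.5 namespaces, used to honour wsp:Optional="true".
    private static final String WSP_12 = "http://schemas.xmlsoap.org/ws/2004/09/policy";
    private static final String WSP_15 = "http://www.w3.org/ns/ws-policy";

    @Override
    public Assertion build(Element element, AssertionBuilderFactory factory) {
        QName name = new QName(element.getNamespaceURI(), element.getLocalName());
        boolean optional = "true".equalsIgnoreCase(element.getAttributeNS(WSP_12, "Optional"))
            || "true".equalsIgnoreCase(element.getAttributeNS(WSP_15, "Optional"));
        // A PrimitiveAssertion carries only the name/optional flag; no interceptor
        // is attached to it, so this is a deliberate no-op from CXF's point of view.
        return new PrimitiveAssertion(name, optional);
    }

    @Override
    public QName[] getKnownElements() {
        return new QName[] {NEGOTIATE_AUTHENTICATION, RSA_TOKEN};
    }

    /**
     * Registers the builder on the given Bus (the "cxf" bean in the Spring config
     * above). Must run before the STSClient first fetches and parses the MEX/WSDL,
     * because that is when the policies are built.
     */
    public static void registerOn(Bus bus) {
        AssertionBuilderRegistry registry = bus.getExtension(AssertionBuilderRegistry.class);
        MicrosoftAssertionBuilder builder = new MicrosoftAssertionBuilder();
        for (QName qname : builder.getKnownElements()) {
            registry.register(qname, builder);
        }
    }
}
```

In the Spring setup from the question, a small bean with an init-method that calls `MicrosoftAssertionBuilder.registerOn(bus)` with the `cxf` bus injected is enough, as long as it is initialised before `stsClient` is first used. Two points worth keeping in mind when answering "does this affect security?": the warnings mean CXF already skipped these assertions (the registry's `ignoreUnknownAssertions` setting defaults to ignoring them), so the dummy builder changes the logging, not what is enforced; and if you would rather be told about unknown assertions than have them silently dropped, `AssertionBuilderRegistry.setIgnoreUnknownAssertions(false)` makes CXF fail the policy instead. Either way, the protection the client actually relies on comes from the assertions CXF does understand, here the UsernameToken over the https MEX endpoint, so those are the ones to review.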
