Hi,

I am having trouble communicating with a WCF service from CXF. The service's
WSDL attaches the following policy to the endpoint (service-specific names,
URLs, tokens and signature values are redacted as <!-- ... --> throughout):

 <!-- Endpoint policy (WS-SecurityPolicy 2005/07). The outer alternative is a TLS
      TransportBinding plus an endorsing SecureConversation token; that token is
      obtained through the BootstrapPolicy below, in which the client proves its
      identity with an X.509 endorsing signature. -->
 <wsp:Policy wsu:Id="EP_BasicHTTP_policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <!-- Message confidentiality/integrity come from HTTPS, not from
                     XML Encryption / XML Signature of the body. -->
                <sp:TransportBinding xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <!-- One-way TLS: no client certificate at the transport
                                     layer, so client authentication rests entirely on the
                                     X.509-signed bootstrap and the SCT derived from it. -->
                                <sp:HttpsToken
RequireClientCertificate="false"/>
                            </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <!-- Basic256 (WS-SP 1.1 suite): AES-256 for encryption,
                                     SHA-1 digests, RSA-SHA1 / HMAC-SHA1 signatures. This is
                                     why both messages further down use SHA-1 — the suite is
                                     dictated by the service, not chosen by the client. SHA-1
                                     is considered weak today; a SHA-256 suite would require
                                     a policy change on the WCF side. -->
                                <sp:Basic256/>
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <!-- Strict: children of wsse:Security must appear in the
                                     spec-prescribed order (declarations before use). -->
                                <sp:Strict/>
                            </wsp:Policy>
                        </sp:Layout>
                        <!-- Every message must carry a (signed) wsu:Timestamp. -->
                        <sp:IncludeTimestamp/>
                    </wsp:Policy>
                </sp:TransportBinding>
                <!-- Application messages must be endorsed by a SecureConversation token;
                     compare the working example below (SecurityContextToken + hmac-sha1). -->
                <sp:EndorsingSupportingTokens xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
                    <wsp:Policy>
                        <sp:SecureConversationToken sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
">
                            <wsp:Policy>
                                <!-- Policy governing the RST/SCT exchange that establishes
                                     the security context. No sp:Issuer is given; with
                                     WS-SecureConversation that commonly means the target
                                     service itself issues the SCT (the RST/SCT is posted to
                                     the service address) — confirm with the service owners. -->
                                <sp:BootstrapPolicy>
                                    <wsp:Policy>
                                        <!-- NOTE(review): under a TransportBinding these
                                             Signed/EncryptedParts are expected to be satisfied
                                             by TLS rather than by XML Signature/Encryption;
                                             the outbound RST below accordingly signs only the
                                             Timestamp and the To header. Confirm WCF reads
                                             it the same way. -->
                                        <sp:SignedParts>
                                            <sp:Body/>
                                            <sp:Header Name="To" Namespace="
http://www.w3.org/2005/08/addressing"/>
                                            <sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing"/>
                                            <sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
                                            <sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
                                            <sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing"/>
                                            <sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
                                            <sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing"/>
                                        </sp:SignedParts>
                                        <sp:EncryptedParts>
                                            <sp:Body/>
                                        </sp:EncryptedParts>
                                        <!-- Same transport requirements as the outer binding. -->
                                        <sp:TransportBinding>
                                            <wsp:Policy>
                                                <sp:TransportToken>
                                                    <wsp:Policy>
                                                        <sp:HttpsToken
RequireClientCertificate="false"/>
                                                    </wsp:Policy>
                                                </sp:TransportToken>
                                                <sp:AlgorithmSuite>
                                                    <wsp:Policy>
                                                        <sp:Basic256/>
                                                    </wsp:Policy>
                                                </sp:AlgorithmSuite>
                                                <sp:Layout>
                                                    <wsp:Policy>
                                                        <sp:Strict/>
                                                    </wsp:Policy>
                                                </sp:Layout>
                                                <sp:IncludeTimestamp/>
                                            </wsp:Policy>
                                        </sp:TransportBinding>
                                        <!-- The client authenticates the RST/SCT with its
                                             X.509 key. AlwaysToRecipient: the certificate is
                                             carried in the message (BinarySecurityToken) and
                                             the signature must reference it by SHA-1
                                             thumbprint (WSS 1.1), as the outbound log shows. -->
                                        <sp:EndorsingSupportingTokens>
                                            <wsp:Policy>
                                                <sp:X509Token
sp:IncludeToken="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
">
                                                    <wsp:Policy>

<sp:RequireThumbprintReference/>

<sp:WssX509V3Token10/>
                                                    </wsp:Policy>
                                                </sp:X509Token>
                                                <!-- The endorsing signature must also cover
                                                     the wsa:To header (plus the Timestamp,
                                                     implied by IncludeTimestamp). -->
                                                <sp:SignedParts>
                                                    <sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
                                                </sp:SignedParts>
                                            </wsp:Policy>
                                        </sp:EndorsingSupportingTokens>
                                        <sp:Wss11>
                                            <wsp:Policy>

<sp:MustSupportRefThumbprint/>
                                            </wsp:Policy>
                                        </sp:Wss11>
                                        <!-- WS-Trust 1.0 (2005/02): both sides contribute
                                             entropy, so the SCT key is a computed key (PSHA1)
                                             rather than one chosen by either party alone;
                                             matches wst:Entropy / wst:ComputedKeyAlgorithm in
                                             the outbound RST. -->
                                        <sp:Trust10>
                                            <wsp:Policy>

<sp:MustSupportIssuedTokens/>
                                                <sp:RequireClientEntropy/>
                                                <sp:RequireServerEntropy/>
                                            </wsp:Policy>
                                        </sp:Trust10>
                                    </wsp:Policy>
                                </sp:BootstrapPolicy>
                            </wsp:Policy>
                        </sp:SecureConversationToken>
                    </wsp:Policy>
                </sp:EndorsingSupportingTokens>
                <!-- WS-Security 1.1 accepted on application messages; no extra
                     reference-type requirements at this level. -->
                <sp:Wss11 xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
                    <wsp:Policy/>
                </sp:Wss11>
                <sp:Trust10 xmlns:sp="
http://schemas.xmlsoap.org/ws/2005/07/securitypolicy";>
                    <wsp:Policy>
                        <sp:MustSupportIssuedTokens/>
                        <sp:RequireClientEntropy/>
                        <sp:RequireServerEntropy/>
                    </wsp:Policy>
                </sp:Trust10>
                <!-- WS-Addressing headers are mandatory; the CXF client must enable the
                     addressing feature (it does, see the jaxws:client below). -->
                <wsaw:UsingAddressing/>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

The CXF client (Spring configuration, values redacted) is set up as follows:

    <!-- JAX-WS client proxy for the EP_BasicHTTP endpoint. WS-Security is driven
         by the WSDL policy (p:policies feature) rather than by hand-wired WSS4J
         interceptors, so the properties below only supply key material. -->
    <jaxws:client id="client"
                  serviceClass="<!-- Web service interface here -->"
                  address="${ws.url}"
                  serviceName="<!-- Service name here -->"
                  wsdlLocation="service.wsdl"
                  endpointName="tns:EP_BasicHTTP"
                  xmlns:tns="<!-- namespace here -->">
        <jaxws:properties>
            <!-- Supplies the private-key password for the signing key on demand
                 (presumably a CallbackHandler bean; keeps the password out of this file). -->
            <entry key="ws-security.callback-handler"
value-ref="clientKeyStorePasswordCallback"/>
            <!-- Signature and encryption share one keystore configuration. -->
            <entry key="ws-security.signature.properties"
value="configuration.properties"/>
            <entry key="ws-security.encryption.properties"
value="configuration.properties"/>
            <!-- NOTE(review): the encryption username normally names the *recipient's*
                 (service's) certificate alias, not the client's own key. With a
                 TransportBinding no message-level encryption happens, so this may be
                 unused here — verify what ${wss.key.alias} refers to. No
                 ws-security.signature.username is set; the RST below was signed
                 anyway, presumably via the keystore's default identifier — consider
                 setting the signing alias explicitly. -->
            <entry key="ws-security.encryption.username"
value="${wss.key.alias}"/>
        </jaxws:properties>
        <jaxws:features>
            <!-- Apply the WS-Policy assertions from the WSDL (TransportBinding,
                 SecureConversation bootstrap, Trust10). -->
            <p:policies/>
            <!-- Required by <wsaw:UsingAddressing/> in the service policy. -->
            <wsa:addressing/>
        </jaxws:features>
    </jaxws:client>

Example of a request and the response it gets. Note that this outbound message
is the bootstrap RST/SCT (a WS-Trust Issue for a SecureConversation token,
signed with my X.509 key), not an application call, and the service rejects it
with a SOAP fault (HTTP 500, wsse:InvalidSecurity):

21:55:15:44  INFO  [pool-1-thread-1] [SecurityTokenService.log] Outbound
Message
---------------------------
ID: 1
Address: <!-- Service url here -->
Encoding: UTF-8
Http-Method: POST
Content-Type: application/soap+xml; action="
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT";
Headers: {Accept=[*/*]}
Payload: <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope
">
  <soap:Header>
    <Action xmlns="http://www.w3.org/2005/08/addressing";>
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</Action>
    <MessageID xmlns="http://www.w3.org/2005/08/addressing
">urn:uuid:809fc1b2-8c40-4569-b52a-a91b7e4eb7f8</MessageID>
    <To xmlns="http://www.w3.org/2005/08/addressing"; xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
wsu:Id="_e170c408-9a50-4738-9f6d-677b55ed14b6"><!-- Service url here
--></To>
    <ReplyTo xmlns="http://www.w3.org/2005/08/addressing";>
      <Address>http://www.w3.org/2005/08/addressing/anonymous</Address>
    </ReplyTo>
    <wsse:Security xmlns:wsse="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
soap:mustUnderstand="true">
      <wsse:BinarySecurityToken EncodingType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
ValueType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3";
wsu:Id="X509-0a7e2fb7-e71b-4340-86c4-fe732877af5a"><!-- Content of token
--></wsse:BinarySecurityToken>
      <wsu:Timestamp wsu:Id="TS-dfca1879-ef2e-4183-b6b2-89a92cd5eaf4">
        <wsu:Created>2015-05-29T19:55:14.627Z</wsu:Created>
        <wsu:Expires>2015-05-29T20:00:14.627Z</wsu:Expires>
      </wsu:Timestamp>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#";
Id="SIG-08bff489-e467-4da5-a999-b51096e51300">
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#";>
            <ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="soap"/>
          </ds:CanonicalizationMethod>
          <ds:SignatureMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#TS-dfca1879-ef2e-4183-b6b2-89a92cd5eaf4">
            <ds:Transforms>
              <ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#";>
                <ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="wsse soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>vgd18TGtABe56ZzEq6JtA4g6Ys0=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#_e170c408-9a50-4738-9f6d-677b55ed14b6">
            <ds:Transforms>
              <ds:Transform Algorithm="
http://www.w3.org/2001/10/xml-exc-c14n#";>
                <ec:InclusiveNamespaces xmlns:ec="
http://www.w3.org/2001/10/xml-exc-c14n#"; PrefixList="soap"/>
              </ds:Transform>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>gBYkqJJI3RZDz3MlJ2GNoT6BuD0=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue><!-- Signature value here --></ds:SignatureValue>
        <ds:KeyInfo Id="KI-b8b963ba-2b4d-4257-a751-5e5d3b9f4567">
          <wsse:SecurityTokenReference
wsu:Id="STR-e254523d-a34e-4f2f-8402-d4263143a6fb">
            <wsse:KeyIdentifier EncodingType="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary";
ValueType="
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1";><!--
key identifier here --></wsse:KeyIdentifier>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <wst:RequestSecurityToken xmlns:wst="
http://schemas.xmlsoap.org/ws/2005/02/trust";>
      <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
</wst:RequestType>
      <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy";>
        <wsa:EndpointReference xmlns:wsa="
http://www.w3.org/2005/08/addressing";>
          <wsa:Address><!-- Service address here --></wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Lifetime xmlns:wsu="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
">
        <wsu:Created>2015-05-29T19:55:14.237Z</wsu:Created>
        <wsu:Expires>2015-05-29T20:00:14.237Z</wsu:Expires>
      </wst:Lifetime>
      <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct
</wst:TokenType>
      <wst:KeySize>256</wst:KeySize>
      <wst:Entropy>
        <wst:BinarySecret Type="
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce"><!-- Binary secret here
--></wst:BinarySecret>
      </wst:Entropy>
      <wst:ComputedKeyAlgorithm>
http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
</wst:ComputedKeyAlgorithm>
      <wst:Renewing/>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>

--------------------------------------
21:55:15:228 INFO  [pool-1-thread-1] [SecurityTokenService.log] Inbound
Message
----------------------------
ID: 1
Response-Code: 500
Encoding: UTF-8
Content-Type: application/soap+xml; charset=utf-8
Headers: {Content-Length=[648], content-type=[application/soap+xml;
charset=utf-8], Date=[Fri, 29 May 2015 19:55:11 GMT],
Server=[Microsoft-IIS/7.5], X-Powered-By=[ASP.NET]}
Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope";
xmlns:a="http://www.w3.org/2005/08/addressing";>
  <s:Header>
    <a:Action s:mustUnderstand="1">
http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
    <a:RelatesTo>urn:uuid:809fc1b2-8c40-4569-b52a-a91b7e4eb7f8</a:RelatesTo>
  </s:Header>
  <s:Body>
    <s:Fault>
      <s:Code>
        <s:Value>s:Sender</s:Value>
        <s:Subcode>
          <s:Value xmlns:a="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
">a:InvalidSecurity</s:Value>
        </s:Subcode>
      </s:Code>
      <s:Reason>
        <s:Text xml:lang="es-ES">An error occurred when verifying security
for the message.</s:Text>
      </s:Reason>
    </s:Fault>
  </s:Body>
</s:Envelope>


I got an example of a working request from the owners of the web service. Note
that it is an application request sent after a security context had already
been established: it carries a SecurityContextToken and an hmac-sha1 signature
keyed from that context, rather than the X.509 / rsa-sha1 signature my RST/SCT
uses, so the two messages are not directly comparable:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"; xmlns:a="
http://www.w3.org/2005/08/addressing"; xmlns:u="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
">
<s:Header>
<a:Action s:mustUnderstand="1"><!-- Service action here --></a:Action>
<a:MessageID>urn:uuid:5423fdc4-3e5d-4289-acce-066337b96027</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1"><!-- Web service address here --></a:To>
<o:Security s:mustUnderstand="1" xmlns:o="
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
">
<u:Timestamp u:Id="_0">
<u:Created>2014-12-01T16:55:45.083Z</u:Created>
<u:Expires>2014-12-01T17:00:45.083Z</u:Expires>
</u:Timestamp>
<c:SecurityContextToken
u:Id="uuid-88c5a094-9659-4403-b411-a592439a65fb-195" xmlns:c="
http://schemas.xmlsoap.org/ws/2005/02/sc";>
<c:Identifier>urn:uuid:90a6e254-e454-4944-81f8-ccc1a15c60f8</c:Identifier>
</c:SecurityContextToken>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#";>
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#
"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
<Reference URI="#_0">
<Transforms>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue><!-- Digest value here --></DigestValue>
</Reference>
</SignedInfo>
<SignatureValue><!-- Signature value here --></SignatureValue>
<KeyInfo>
<o:SecurityTokenReference>
<o:Reference ValueType="http://schemas.xmlsoap.org/ws/2005/02/sc/sct";
URI="#uuid-88c5a094-9659-4403-b411-a592439a65fb-195"/>
</o:SecurityTokenReference>
</KeyInfo>
</Signature>
</o:Security>
</s:Header>
<s:Body>
<!-- Body contents here -->
</s:Body>
</s:Envelope>


I have not been given a link to an STS, only a link to the service itself.
Is the STS bundled into the same endpoint somehow, or is it not required? All
examples I have seen operate with a separate trust WSDL, so I am a bit
confused. Is an STS required when Trust10 is present in the WSDL? (In the log
above CXF posts the RST/SCT to the service address itself, so the bootstrap
appears to target the service endpoint rather than a separate issuer.)

Since I use WS-Policy and not the CXF interceptors directly, should I expect
things to work out of the box? I see that some of the algorithms differ between
my request and the example I got: mine signs with rsa-sha1 using the X.509 key,
the example with hmac-sha1 using the SCT-derived key; both use SHA-1 digests,
which as far as I can tell is what the service's Basic256 algorithm suite
mandates.

I have no idea what is wrong and any help or pointers would be much
appreciated!

Best regards
/Kurt
