Hi,

We don't support BinarySecurityToken SupportingToken policies on their own
in CXF (i.e. without a security binding). The reason being that they are
largely pointless - you mention wanting an X.509 cert for authentication,
but as there is no signature, there is no proof-of-possession associated
with the certificate. Hence no authentication at all - all the client is
proving is that they are in possession of the certificate, nothing more.

However, it should be easy enough for you to support this use-case if
you are willing to do a small bit of implementation. We have a core class
that should process the BinarySecurityToken here:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java;h=d086673fa8ad54441261c1f7698073851abb02c7;hb=HEAD

For Kerberos we extend it just to assert some policies:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java;h=de83d7b453472743d6dc2aa7931ff3f81b765339;hb=HEAD

You will likewise need to assert the X509Token policies. Then you need
to register your interceptor. This is how the Kerberos registration is done:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java;h=7d93cb3330029d00246d6e4c6bc1ab1937065080;hb=HEAD

Colm.

On Mon, Jun 15, 2015 at 2:05 PM, Chad Sturtz <[email protected]> wrote:

> Hello,
>
> I'm working on WS-Security based authentication with an X509 certificate
> for a JAXWS service. I'm looking for help/confirmation on what a valid
> Policy would look like in the WSDL. Most X509 policy examples include
> signing/encryption, which I do not need (based solely on my requirements).
>
> Below is the policy I have come up with. If you see any errors or can offer any
> thoughts on its correctness, I'd appreciate it.
>
>     <wsp:Policy wsu:Id="MyBindingPolicy">
>       <wsp:ExactlyOne>
>         <wsp:All>
>           <sp:SupportingTokens>
>             <wsp:Policy>
>               <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy/>
>               </sp:X509Token>
>             </wsp:Policy>
>           </sp:SupportingTokens>
>         </wsp:All>
>       </wsp:ExactlyOne>
>     </wsp:Policy>
>
>
> I wouldn't be here if I could get authentication working on my service with
> this policy. When I invoke the service, I end up with the stack trace you
> can see at the bottom of this email. Through working with a few example
> projects from github, I know that an issue with the Policy can result in
> this exception.
>
> Here are some additional details. If there's any more information you'd
> like to see, please let me know. Thanks in advance!
>
> CXF Version 2.7.16
>
> Relevant Namespaces Used:
> 1. xmlns:wsp="http://www.w3.org/ns/ws-policy"
> 2. xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> 3. xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
> 4. xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>
> JAXWS Endpoint Properties:
> The only property I'm setting is "ws-security.bst.validator". I believe the
> defaults for other properties are acceptable to me.
>
> WS-Security Header from a request I'm sending:
>     <soap:Header>
>         <wsse:Security
>             xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>             xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>             soap:mustUnderstand="1">
>             <wsse:BinarySecurityToken
>                 EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                 ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>                 wsu:Id="SecurityToken-f6f96b4b-23c5-421e-92ff-f1050d531e82">MIIBoTCCAQqgA[...]vONEqd9wa4XuA==</wsse:BinarySecurityToken>
>         </wsse:Security>
>     </soap:Header>
>
>
> Stack Trace:
>
> 08:25:38,153 INFO  [stdout] (http-/127.0.0.1:8080-1) org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> 08:25:38,154 INFO  [stdout] (http-/127.0.0.1:8080-1) {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
> 08:25:38,155 INFO  [stdout] (http-/127.0.0.1:8080-1) {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
> 08:25:38,156 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179) ~[cxf-rt-ws-policy-2.7.16.jar:2.7.16]
> 08:25:38,157 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101) ~[cxf-rt-ws-policy-2.7.16.jar:2.7.16]
> 08:25:38,157 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44) ~[cxf-rt-ws-policy-2.7.16.jar:2.7.16]
> 08:25:38,158 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) [cxf-api-2.7.16.jar:2.7.16]
> 08:25:38,160 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.16.jar:2.7.16]
> 08:25:38,160 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
> 08:25:38,161 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
> 08:25:38,162 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
> 08:25:38,163 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
> 08:25:38,164 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
> 08:25:38,164 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
> 08:25:38,168 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
> 08:25:38,169 INFO  [stdout] (http-/127.0.0.1:8080-1) at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar!/:1.0.2.Final-redhat-1]
> 08:25:38,171 INFO  [stdout] (http-/127.0.0.1:8080-1) at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
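Editor's added example, not code from CXF or from either poster: the two steps in the reply above (subclass the BST interceptor so it asserts the sp:X509Token and sp:SupportingTokens assertions, then register it through a policy interceptor provider) sketched for CXF 2.7.x as an X.509 counterpart of the linked Kerberos classes. The class names X509BstInterceptor and X509BstInterceptor.Provider are hypothetical. The protected helper assertTokens(SoapMessage, QName, boolean) on AbstractTokenInterceptor, the org.apache.cxf.ws.security.policy.SP11Constants/SP12Constants X509_TOKEN QNames and the Token return type are assumed from the 2.7.x tree and should be checked against the linked KerberosTokenInterceptor source for the exact version in use.

```java
// Added example for CXF 2.7.x (hypothetical class names, see lead-in).
import java.util.Arrays;

import org.apache.cxf.Bus;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.PolicyInterceptorProviderRegistry;
import org.apache.cxf.ws.security.policy.SP11Constants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.Token;
import org.apache.cxf.ws.security.wss4j.BinarySecurityTokenInterceptor;

/**
 * Marks sp:X509Token and the enclosing sp:SupportingTokens as satisfied once
 * BinarySecurityTokenInterceptor has processed a wsse:BinarySecurityToken.
 * Parsing and validating the token (through the ws-security.bst.validator
 * property) is inherited; this subclass only adds the policy assertion, which
 * is exactly what KerberosTokenInterceptor adds for sp:KerberosToken.
 */
public class X509BstInterceptor extends BinarySecurityTokenInterceptor {

    public X509BstInterceptor() {
        super();
    }

    @Override
    protected Token assertTokens(SoapMessage message) {
        // Assumed AbstractTokenInterceptor helper: asserts every AssertionInfo for
        // the given token QName and for sp:SupportingTokens. The boolean says
        // whether the token may also satisfy SignedSupportingTokens; it is false
        // here because nothing in the message is signed.
        return assertTokens(message, SP12Constants.X509_TOKEN, false);
    }

    /**
     * Attaches the interceptor whenever an sp:X509Token assertion (SP 1.1 or
     * SP 1.2 namespace) appears in the effective policy, mirroring the shape of
     * KerberosTokenInterceptorProvider.
     */
    public static class Provider extends AbstractPolicyInterceptorProvider {
        private static final long serialVersionUID = 1L;

        public Provider() {
            super(Arrays.asList(SP11Constants.X509_TOKEN, SP12Constants.X509_TOKEN));
            X509BstInterceptor interceptor = new X509BstInterceptor();
            // One instance serves both directions: AbstractTokenInterceptor decides
            // per message whether to add the token (client out) or process it
            // (server in) and is a no-op otherwise.
            getInInterceptors().add(interceptor);
            getInFaultInterceptors().add(interceptor);
            getOutInterceptors().add(interceptor);
            getOutFaultInterceptors().add(interceptor);
        }
    }

    /** Register the provider on the Bus the endpoint uses, before publishing it. */
    public static void register(Bus bus) {
        PolicyInterceptorProviderRegistry registry =
            bus.getExtension(PolicyInterceptorProviderRegistry.class);
        registry.register(new Provider());
    }
}
```

Call X509BstInterceptor.register(bus) on the same Bus the JAX-WS endpoint is published on (or wire the provider in as a Spring bean and register it the same way) before the first request, otherwise the PolicyVerificationInInterceptor still finds the X509Token assertion unasserted and throws the PolicyException quoted in the question. Two checks worth making alongside this: the validator named by ws-security.bst.validator is the only code that inspects the certificate (chain, trust anchor, revocation), and, as the reply stresses, passing it proves only that the caller holds the public certificate, so pair the token with TLS client authentication or a message signature if real authentication is required. Separately from the exception, the quoted policy uses the SP 1.1 IncludeToken URI (schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient) on an SP 1.2 (200702) sp:X509Token element; the matching SP 1.2 value is http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient.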
