It looks like your jaxws:client "name" either does not match the WSDL port
or else the configuration file is not getting picked up at all. When you
have a security policy, you don't need to specify the "WSHandlerConstants"
style configuration. Take a look at the WS-Security Examples tests in the
"systests/ws-security-examples" module in the CXF source. All of these
tests have security policies embedded in the WSDLs, and the security
configuration is picked up via spring configuration files.

Colm.

On Wed, Feb 15, 2017 at 10:29 PM, Morein, Arnie <arnold.mor...@dps.texas.gov> wrote:

> I have to consume a web service that was written in .Net and requires the
> security policies listed below. We develop in Java to a WAR. I created a
> separate project for the WSDL's Java stubs using Maven's cxf-codegen-plugin
> (3.1.10). It was added to the main WAR project and compiles fine. But
> during initial access to the service, a CXF error occurs.
>
> The manual which came with the WSDL had the following to say about the
> security features in use:
>
>
> Transport Layer Security
>
> Third party X.509 certificate and Tokens
> Client X.509 certificate
>
> We received a file from the vendor which was converted into a JKS. It has
> two trustedCertEntry entries and one private key of X.509 type.
>
> As I understand the manual, the service does not use the user
> name/password type of WS security. All traffic goes over HTTPS of course,
> and the certificate is supposed to be used to encrypt the message content
> both coming and going.
>
> I have tried to configure the necessary values for CXF to work but always
> get the same error:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: Security
> configuration could not be detected. Potential cause: Make sure
> jaxws:client element with name attribute value matching endpoint port is
> defined as well as a security.signature.properties element within it.
>
> I have tried setting the necessary (AFAIK) properties via API and Spring
> XML configuration to no avail.
>
> I would greatly appreciate some guidance as to what CXF is looking for
> (and where the file is supposed to be if configuration). Currently I have
> the client-crypto.properties file under /WEB-INF/cxf along with the jks
> file. Its contents:
>
> org.apache.ws.security.crypto.merlin.keystore.file=/WEB-INF/cxf/dlsKeystore.jks
> org.apache.ws.security.crypto.merlin.keystore.type=JKS
> org.apache.ws.security.crypto.merlin.keystore.alias=1
> org.apache.ws.security.crypto.merlin.keystore.password=****
> org.apache.ws.security.crypto.merlin.keystore.private.password=****
> org.apache.ws.security.crypto.merlin.truststore.file=/WEB-INF/cxf/dlsKeystore.jks
> org.apache.ws.security.crypto.merlin.truststore.type=JKS
> org.apache.ws.security.crypto.merlin.truststore.password=****
>
> Things I have tried setting via API:
>
> // set up ws-security
> /*HashMap<String, Object> crytoProperties = new HashMap<String, Object>();
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.file", KEYSTORE_FILE);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.alias", KEYSTORE_KEY_ALIAS);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", KEYSTORE_PASSWORD);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.private.password", KEYSTORE_KEY_PASSWORD);
>
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.file", KEYSTORE_FILE);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.type", "JKS");
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.password", KEYSTORE_PASSWORD);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.alias", KEYSTORE_KEY_ALIAS);
>
> Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
> ctx.putAll(crytoProperties);*/
>
> // activate ws-security
> // the JAX-WS proxy cannot be cast to Client directly; ClientProxy.getClient unwraps it
> /*org.apache.cxf.endpoint.Client client = org.apache.cxf.frontend.ClientProxy.getClient(port);
> org.apache.cxf.endpoint.Endpoint endpoint = client.getEndpoint();*/
>
> // add interceptors
> /*HashMap<String, Object> inProps = new HashMap<String, Object>();
> inProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS);
> inProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS);
> inProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES);
> inProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES);
>
> // the inbound chain takes WSS4JInInterceptor, not WSS4JOutInterceptor
> endpoint.getInInterceptors().add(new WSS4JInInterceptor(inProps));
> endpoint.getInInterceptors().add(new LoggingInInterceptor());
>
> HashMap<String, Object> outProps = new HashMap<String, Object>();
> outProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS);
> outProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS);
> outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
>        + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
> outProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES);
> outProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES);
>
> outProps.put(WSHandlerConstants.PW_CALLBACK_REF,
>         "txdps.dl.bpr.common.business.VlsCxfKeystorePasswordCallback");
>
> endpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
> endpoint.getOutInterceptors().add(new LoggingOutInterceptor());*/
>
> // set options
> /*HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
> final HTTPClientPolicy httpClientPolicy = httpConduit.getClient();
> httpClientPolicy.setAllowChunking(false); // MS does not support
> httpClientPolicy.setAutoRedirect(true); // hopefully
> httpClientPolicy.setConnection(ConnectionType.KEEP_ALIVE); // maybe
>
> TLSClientParameters tlsCP = new TLSClientParameters();
> String keyPassword = KEYSTORE_PASSWORD;
> KeyStore keyStore = KeyStore.getInstance("JKS");
> Resource aamvaJks = applicationContext.getResource(KEYSTORE_FILE);
>
> keyStore.load(aamvaJks.getInputStream(), KEYSTORE_PASSWORD.toCharArray());
> KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword);
> tlsCP.setKeyManagers(myKeyManagers);
>
> KeyStore trustStore = KeyStore.getInstance("JKS");
> aamvaJks = applicationContext.getResource(KEYSTORE_FILE);
> trustStore.load(aamvaJks.getInputStream(), KEYSTORE_PASSWORD.toCharArray());
> TrustManager[] myTrustStoreKeyManagers = getTrustManagers(trustStore);
> tlsCP.setTrustManagers(myTrustStoreKeyManagers);
> httpConduit.setTlsClientParameters(tlsCP);*/
>
> Things I have tried setting via configuration (there are actually two
> WSDLs compiled into one external jar).
>
>     <!-- ********************************************************* -->
>     <!-- * Configure the CXF Bus * -->
>     <!-- ********************************************************* -->
>     <import resource="classpath:META-INF/cxf/cxf.xml" />
>     <cxf:bus>
>         <cxf:features>
>             <p:policies />
>             <cxf:logging />
>         </cxf:features>
>     </cxf:bus>
>     <jaxws:client id="aamva-authentication"
>         name="{http://aamva.org/authentication/3.1.0}AuthenticationService"
>         createdFromAPI="true">
>         <jaxws:properties>
>             <entry key="ws-security.signature.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>             <entry key="ws-security.encryption.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>         </jaxws:properties>
>     </jaxws:client>
>     <jaxws:client id="aamva-vls3"
>         name="{http://uscis.gov/uscis/services/esb/vls/3.0}VerificationOfLawfulStatusService30"
>         createdFromAPI="true">
>         <jaxws:properties>
>             <entry key="ws-security.signature.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>             <entry key="ws-security.encryption.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>         </jaxws:properties>
>     </jaxws:client>
>
> WSDL policies:
>
>     <wsp:Policy wsu:Id="wsHttpEndPoint_policy">
>       <wsp:ExactlyOne>
>         <wsp:All>
>           <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>               <sp:TransportToken>
>                 <wsp:Policy>
>                   <sp:HttpsToken RequireClientCertificate="false" />
>                 </wsp:Policy>
>               </sp:TransportToken>
>               <sp:AlgorithmSuite>
>                 <wsp:Policy>
>                   <sp:Basic256 />
>                 </wsp:Policy>
>               </sp:AlgorithmSuite>
>               <sp:Layout>
>                 <wsp:Policy>
>                   <sp:Strict />
>                 </wsp:Policy>
>               </sp:Layout>
>               <sp:IncludeTimestamp />
>             </wsp:Policy>
>           </sp:TransportBinding>
>           <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>               <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:BootstrapPolicy>
>                     <wsp:Policy>
>                       <sp:SignedParts>
>                         <sp:Body />
>                         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>                         <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
>                         <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                         <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                         <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
>                         <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                         <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
>                       </sp:SignedParts>
>                       <sp:EncryptedParts>
>                         <sp:Body />
>                       </sp:EncryptedParts>
>                       <sp:TransportBinding>
>                         <wsp:Policy>
>                           <sp:TransportToken>
>                             <wsp:Policy>
>                               <sp:HttpsToken RequireClientCertificate="false" />
>                             </wsp:Policy>
>                           </sp:TransportToken>
>                           <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                               <sp:Basic256 />
>                             </wsp:Policy>
>                           </sp:AlgorithmSuite>
>                           <sp:Layout>
>                             <wsp:Policy>
>                               <sp:Strict />
>                             </wsp:Policy>
>                           </sp:Layout>
>                           <sp:IncludeTimestamp />
>                         </wsp:Policy>
>                       </sp:TransportBinding>
>                       <sp:EndorsingSupportingTokens>
>                         <wsp:Policy>
>                           <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                             <wsp:Policy>
>                               <sp:RequireThumbprintReference />
>                               <sp:WssX509V3Token10 />
>                             </wsp:Policy>
>                           </sp:X509Token>
>                           <sp:SignedParts>
>                             <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>                           </sp:SignedParts>
>                         </wsp:Policy>
>                       </sp:EndorsingSupportingTokens>
>                       <sp:Wss11>
>                         <wsp:Policy>
>                           <sp:MustSupportRefThumbprint />
>                         </wsp:Policy>
>                       </sp:Wss11>
>                       <sp:Trust10>
>                         <wsp:Policy>
>                           <sp:MustSupportIssuedTokens />
>                           <sp:RequireClientEntropy />
>                           <sp:RequireServerEntropy />
>                         </wsp:Policy>
>                       </sp:Trust10>
>                     </wsp:Policy>
>                   </sp:BootstrapPolicy>
>                 </wsp:Policy>
>               </sp:SecureConversationToken>
>             </wsp:Policy>
>           </sp:EndorsingSupportingTokens>
>           <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy />
>           </sp:Wss11>
>           <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>             <wsp:Policy>
>               <sp:MustSupportIssuedTokens />
>               <sp:RequireClientEntropy />
>               <sp:RequireServerEntropy />
>             </wsp:Policy>
>           </sp:Trust10>
>           <wsaw:UsingAddressing />
>         </wsp:All>
>       </wsp:ExactlyOne>
>     </wsp:Policy>
-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
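A Spring client configuration of the kind Colm points at, added here as an illustration and not taken from the thread or from the CXF systests. The port local name PORT_NAME_FROM_WSDL is a placeholder for the wsdl:port name read from the vendor WSDL (the PolicyException checks the jaxws:client name against the port QName, not the service QName), and the example assumes client-crypto.properties and the JKS have been moved under WEB-INF/classes/cxf so that they resolve from the classpath.

```xml
<!-- Added example, not the poster's or CXF's own configuration.
     Locate the port in the WSDL and build the QName from the WSDL targetNamespace
     plus the wsdl:port name, for instance (constructed excerpt):
       <wsdl:service name="AuthenticationService">
         <wsdl:port name="PORT_NAME_FROM_WSDL" binding="tns:...">
     PORT_NAME_FROM_WSDL below is a placeholder for that port name. -->
<import resource="classpath:META-INF/cxf/cxf.xml" />

<cxf:bus>
    <cxf:features>
        <!-- the policies feature applies the WS-SecurityPolicy embedded in the WSDL -->
        <p:policies />
        <cxf:logging />
    </cxf:features>
</cxf:bus>

<jaxws:client id="aamva-authentication"
    name="{http://aamva.org/authentication/3.1.0}PORT_NAME_FROM_WSDL"
    createdFromAPI="true">
    <jaxws:properties>
        <!-- crypto properties resolved from the classpath (WEB-INF/classes/cxf) -->
        <entry key="ws-security.signature.properties"
               value="cxf/client-crypto.properties" />
        <entry key="ws-security.encryption.properties"
               value="cxf/client-crypto.properties" />
        <!-- alias of the private key entry in the JKS (alias "1" in the thread) -->
        <entry key="ws-security.signature.username" value="1" />
        <!-- supplies the private-key password; replaces WSHandlerConstants.PW_CALLBACK_REF
             from the interceptor-based setup, which is not needed once a policy is in play -->
        <entry key="ws-security.callback-handler"
               value="txdps.dl.bpr.common.business.VlsCxfKeystorePasswordCallback" />
    </jaxws:properties>
</jaxws:client>
```

With the files on the classpath, org.apache.ws.security.crypto.merlin.keystore.file in client-crypto.properties becomes the classpath-relative cxf/dlsKeystore.jks, since Merlin resolves the keystore location from the classpath or the file system.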
