What's interesting is, CXF is complaining about this service:

Interceptor for 
{http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}SecurityTokenService#{http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}RequestSecurityToken
 has thrown exception, unwinding now

Note the URL above. It isn't mentioned in the WSDL at all. The policy section 
of the WSDL is below. Neither that URL nor an STS is mentioned explicitly in it.

This WS was developed by a .Net shop. Is something missing from their WSDL?

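    <!-- Effective policy attached to the wsHttpEndPoint binding.
         NOTE(review): in the pasted copy every attribute value that was wrapped
         onto its own line is followed by a stray ";" (e.g. xmlns:sp="...";),
         which makes the fragment not well-formed; those semicolons are dropped
         here and the wrapped attributes are joined back onto their start tags.
         The wsp, wsu and wsaw prefixes are declared on the enclosing WSDL root,
         which is outside this excerpt; sp is (re)declared locally below. -->
    <wsp:Policy wsu:Id="wsHttpEndPoint_policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <!-- Outer binding for application calls: the message travels over
                     HTTPS, the server does not demand a client TLS certificate,
                     algorithm suite Basic256, strict header layout, and a
                     Timestamp header must be present. -->
                <sp:TransportBinding
                    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <sp:HttpsToken RequireClientCertificate="false" />
                            </wsp:Policy>
                        </sp:TransportToken>
                        <sp:AlgorithmSuite>
                            <wsp:Policy>
                                <sp:Basic256 />
                            </wsp:Policy>
                        </sp:AlgorithmSuite>
                        <sp:Layout>
                            <wsp:Policy>
                                <sp:Strict />
                            </wsp:Policy>
                        </sp:Layout>
                        <sp:IncludeTimestamp />
                    </wsp:Policy>
                </sp:TransportBinding>
                <!-- Every application call must be endorsed with a
                     WS-SecureConversation token. No STS port appears in the WSDL
                     because the token is obtained by a WS-Trust
                     RequestSecurityToken exchange governed by the BootstrapPolicy
                     below; that exchange is the
                     "{.../ws/2005/02/trust/wsdl}SecurityTokenService#RequestSecurityToken"
                     call that shows up in the CXF log, and it runs before the
                     first application call. Presumably the RST goes to the
                     service endpoint itself, since no separate STS address is
                     given; verify against the WSDL's service section. -->
                <sp:EndorsingSupportingTokens
                    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:SecureConversationToken
                            sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <!-- Policy for the bootstrap (RST) exchange only. In
                                     CXF the security properties for this phase are
                                     configured separately, with the ".sct" suffix,
                                     from those of the application call. -->
                                <sp:BootstrapPolicy>
                                    <wsp:Policy>
                                        <!-- The RST body and the listed WS-Addressing
                                             headers must be signed; the body must be
                                             encrypted. -->
                                        <sp:SignedParts>
                                            <sp:Body />
                                            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
                                            <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
                                            <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
                                            <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
                                            <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
                                            <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
                                            <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
                                        </sp:SignedParts>
                                        <sp:EncryptedParts>
                                            <sp:Body />
                                        </sp:EncryptedParts>
                                        <!-- Same transport binding as the outer policy:
                                             HTTPS without a client TLS certificate. -->
                                        <sp:TransportBinding>
                                            <wsp:Policy>
                                                <sp:TransportToken>
                                                    <wsp:Policy>
                                                        <sp:HttpsToken RequireClientCertificate="false" />
                                                    </wsp:Policy>
                                                </sp:TransportToken>
                                                <sp:AlgorithmSuite>
                                                    <wsp:Policy>
                                                        <sp:Basic256 />
                                                    </wsp:Policy>
                                                </sp:AlgorithmSuite>
                                                <sp:Layout>
                                                    <wsp:Policy>
                                                        <sp:Strict />
                                                    </wsp:Policy>
                                                </sp:Layout>
                                                <sp:IncludeTimestamp />
                                            </wsp:Policy>
                                        </sp:TransportBinding>
                                        <!-- The RST must additionally be endorsed (signed)
                                             with an X.509 v3 token sent by the client and
                                             referenced by certificate thumbprint. This is
                                             the signature CXF tries to build in
                                             TransportBindingHandler.doX509TokenSignature
                                             and fails on when no signature properties are
                                             configured for the bootstrap phase. -->
                                        <sp:EndorsingSupportingTokens>
                                            <wsp:Policy>
                                                <sp:X509Token
                                                    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                                    <wsp:Policy>
                                                        <sp:RequireThumbprintReference />
                                                        <sp:WssX509V3Token10 />
                                                    </wsp:Policy>
                                                </sp:X509Token>
                                                <!-- The endorsing signature must also cover
                                                     the wsa:To header. -->
                                                <sp:SignedParts>
                                                    <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
                                                </sp:SignedParts>
                                            </wsp:Policy>
                                        </sp:EndorsingSupportingTokens>
                                        <sp:Wss11>
                                            <wsp:Policy>
                                                <sp:MustSupportRefThumbprint />
                                            </wsp:Policy>
                                        </sp:Wss11>
                                        <!-- WS-Trust 1.0 for the bootstrap: both client
                                             and server contribute entropy to the issued
                                             token's key material. -->
                                        <sp:Trust10>
                                            <wsp:Policy>
                                                <sp:MustSupportIssuedTokens />
                                                <sp:RequireClientEntropy />
                                                <sp:RequireServerEntropy />
                                            </wsp:Policy>
                                        </sp:Trust10>
                                    </wsp:Policy>
                                </sp:BootstrapPolicy>
                            </wsp:Policy>
                        </sp:SecureConversationToken>
                    </wsp:Policy>
                </sp:EndorsingSupportingTokens>
                <!-- WS-Security 1.1 with no further assertions (empty nested policy). -->
                <sp:Wss11
                    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy />
                </sp:Wss11>
                <!-- WS-Trust 1.0 requirements for the application calls; same
                     entropy rules as in the bootstrap policy. -->
                <sp:Trust10
                    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
                    <wsp:Policy>
                        <sp:MustSupportIssuedTokens />
                        <sp:RequireClientEntropy />
                        <sp:RequireServerEntropy />
                    </wsp:Policy>
                </sp:Trust10>
                <!-- WS-Addressing headers are mandatory on every message. -->
                <wsaw:UsingAddressing />
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>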

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]] 
Sent: Monday, February 20, 2017 8:39 AM
To: [email protected]
Subject: [EXTERNAL] Re: Problem calling WCF MS service with security, policies, 
trust

For WS-SecureConversation, the configuration parameters for the "bootstrap"
phase end with ".sct". See the examples here:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/secconv/client.xml;h=b5a395f7048cfa4d084f38d311df4b5c4206070b;hb=HEAD

I'm not sure if your use-case is going to work, by the way. Typically, 
WS-SecureConversation is not used to obtain a token for one service and then 
re-use it for another service.

Colm.

On Fri, Feb 17, 2017 at 2:21 PM, Morein, Arnie <[email protected]>
wrote:

> My situation has two WSDLs: a and b.
>
> Both use the same keystore which contains two Trusted Cert Entries and 
> a Private Key Entry (x.509 cert). This key is supposed to be used to 
> sign and encrypt the messages.
>
> Calling the a::authentication.authenticate method should be over 
> https, signed and encrypted with the cert as mentioned above. NO user 
> credentials are supplied. A session token is returned if all is well.
>
> The session token, along with a user name and password are to be 
> passed into all calls for WSDL b, using the same cert for signing and 
> encryption.
>
> I created two maven projects, one for each WSDL, using the 
> cxf-codegen-plugin (3.1.10). Each has a /META-INF/cxf/ folder with 
> client-crypto.properties, a cfx-wsdl-a/b.xml file which is a Spring 
> beans file with the required jaxws:client entries for the port names, 
> and the related key store JKS file.
>
> Both were added to the main WAR project and in one of the Spring XML 
> files, I added:
>
> <!-- set up the CXF bus -->
>     <import resource="classpath:META-INF/cxf/cxf.xml" />
>     <cxf:bus>
>         <cxf:features>
>             <p:policies />
>             <cxf:logging />
>         </cxf:features>
>     </cxf:bus>
>     <import resource="classpath:META-INF/cxf/cxf-aamva-authentication.xml"
> />
>     <import resource="classpath:META-INF/cxf/cxf-aamva-vls3.xml" />
>
> And at boot time, spring finds those files and creates the beans. So 
> no error THERE.
>
> Calling the constructor for the service class and getting the port 
> instance works for WSDL a without error.
>
> But when calling .authenticate, I continually get the following. What 
> gives? There isn't a SecurityTokenService listed in the a or b wsdl. I 
> have no idea if the port name matches the syntax below ({
> http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}SecurityTokenService) 
> or not.
>
>
>
> Feb17 08:17:37.735 WARN [PhaseInterceptorChain         ][::] - Interceptor
> for {http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}
> SecurityTokenService#{http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl
> } RequestSecurityToken has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Security configuration could not be 
> detected. Potential cause: Make sure jaxws:client element with name 
> attribute value matching endpoint port is defined as well as a 
> security.signature.properties element within it.
>         at org.apache.cxf.ws.security.wss4j.policyhandlers.
> TransportBindingHandler.handleBinding(TransportBindingHandler.java:172
> ) ~[cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> $PolicyBasedWSS4JOutInterceptorInternal.handleMessageInternal(
> PolicyBasedWSS4JOutInterceptor.java:185) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(
> PolicyBasedWSS4JOutInterceptor.java:109) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(
> PolicyBasedWSS4JOutInterceptor.java:96) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
> PhaseInterceptorChain.java:308) [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSCl
> ient.java:861) [cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         at org.apache.cxf.ws.security.trust.STSClient.
> requestSecurityToken(STSClient.java:61) [cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.ws.security.trust.STSClient.
> requestSecurityToken(STSClient.java:55) [cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.ws.security.trust.STSClient.
> requestSecurityToken(STSClient.java:51) [cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.ws.security.policy.interceptors.
> SecureConversationOutInterceptor.issueToken(SecureConversationOutInter
> ceptor.java:198) [cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         at org.apache.cxf.ws.security.policy.interceptors.
> SecureConversationOutInterceptor.handleMessage(
> SecureConversationOutInterceptor.java:81) [cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.ws.security.policy.interceptors.
> SecureConversationOutInterceptor.handleMessage(
> SecureConversationOutInterceptor.java:50) [cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
> PhaseInterceptorChain.java:308) [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
> [cxf-rt-frontend-simple-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139
> ) [cxf-rt-frontend-jaxws-3.1.10.jar:3.1.10]
>         at com.sun.proxy.$Proxy56.authenticate(Unknown Source) [na:na]
>         at 
> txdps.dl.bpr.common.business.VlsBusiness.postConstruct(VlsBusiness.jav
> a:178)
> [VlsBusiness.class:na]
> ...
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: Security 
> configuration could not be detected. Potential cause: Make sure 
> jaxws:client element with name attribute value matching endpoint port 
> is defined as well as a security.signature.properties element within it.
>         at org.apache.cxf.ws.security.wss4j.policyhandlers.
> AbstractCommonBindingHandler.unassertPolicy(AbstractCommonBindingHandl
> er.java:92) ~[cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         at org.apache.cxf.ws.security.wss4j.policyhandlers.
> AbstractBindingBuilder.getSignatureBuilder(AbstractBindingBuilder.java
> :1821) ~[cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         at org.apache.cxf.ws.security.wss4j.policyhandlers.
> TransportBindingHandler.doX509TokenSignature(TransportBindingHandler.j
> ava:388) ~[cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         at org.apache.cxf.ws.security.wss4j.policyhandlers.
> TransportBindingHandler.handleEndorsingToken(TransportBindingHandler.j
> ava:319) ~[cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         at org.apache.cxf.ws.security.wss4j.policyhandlers.
> TransportBindingHandler.handleEndorsingSupportingToken
> s(TransportBindingHandler.java:269) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.ws.security.wss4j.policyhandlers.
> TransportBindingHandler.handleBinding(TransportBindingHandler.java:159
> ) ~[cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         ... 270 common frames omitted
> Feb17 08:17:37.788 WARN [PhaseInterceptorChain         ][::] - Interceptor
> for 
> {http://aamva.org/authentication/3.1.0}AuthenticationService#{http://
> aamva.org/authentication/3.1.0}Authenticate has thrown exception, 
> unwinding now
> org.apache.cxf.interceptor.Fault: Security configuration could not be 
> detected. Potential cause: Make sure jaxws:client element with name 
> attribute value matching endpoint port is defined as well as a 
> security.signature.properties element within it.
>         at org.apache.cxf.ws.security.wss4j.policyhandlers.
> TransportBindingHandler.handleBinding(TransportBindingHandler.java:172
> ) ~[cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> $PolicyBasedWSS4JOutInterceptorInternal.handleMessageInternal(
> PolicyBasedWSS4JOutInterceptor.java:185) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(
> PolicyBasedWSS4JOutInterceptor.java:109) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at 
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(
> PolicyBasedWSS4JOutInterceptor.java:96) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
> PhaseInterceptorChain.java:308) ~[cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSCl
> ient.java:861) ~[cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         at org.apache.cxf.ws.security.trust.STSClient.
> requestSecurityToken(STSClient.java:61) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.ws.security.trust.STSClient.
> requestSecurityToken(STSClient.java:55) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.ws.security.trust.STSClient.
> requestSecurityToken(STSClient.java:51) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.ws.security.policy.interceptors.
> SecureConversationOutInterceptor.issueToken(SecureConversationOutInter
> ceptor.java:198) ~[cxf-rt-ws-security-3.1.10.jar:3.1.10]
>         at org.apache.cxf.ws.security.policy.interceptors.
> SecureConversationOutInterceptor.handleMessage(
> SecureConversationOutInterceptor.java:81) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.ws.security.policy.interceptors.
> SecureConversationOutInterceptor.handleMessage(
> SecureConversationOutInterceptor.java:50) ~[cxf-rt-ws-security-3.1.10.
> jar:3.1.10]
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(
> PhaseInterceptorChain.java:308) ~[cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:514)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:423)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:324)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:277)
> [cxf-core-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
> [cxf-rt-frontend-simple-3.1.10.jar:3.1.10]
>         at 
> org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139
> ) [cxf-rt-frontend-jaxws-3.1.10.jar:3.1.10]
>         at com.sun.proxy.$Proxy56.authenticate(Unknown Source) [na:na]
>         at 
> txdps.dl.bpr.common.business.VlsBusiness.postConstruct(VlsBusiness.jav
> a:178)
> [VlsBusiness.class:na]
>
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
