The WSDL of the service provider expects that a client will first
authenticate to the STS using the BootstrapPolicy (UsernameToken over
Asymmetric). The typical pattern is that the STS is co-located with the
service provider. CXF uses a kind of dummy STS for this scenario. It
creates the SecurityContextToken which the client can then use to invoke on
the service.

The problem with calling an STS separately, as in your post, is that the
service provider does not know anything about the SecurityContextToken it
is receiving from the client, and hence rejects the message.

Colm.

On Mon, Aug 14, 2017 at 12:15 PM, pat7 <[email protected]> wrote:

> Hi,
> I implemented an STS with CXF 3.1.7 in a Java Spring Boot configuration for
> the BiPRO norm. I tested the STS with SoapUI and issuing a security context
> token worked well.
> Now I implement a second service, which should work with the implemented
> STS; however, I receive several errors when I call the second service with
> SoapUI.
>
> Here is my *STS config* in spring boot:
>
>     @Bean
>     public ServletRegistrationBean dispatcherServlet() {
>         ServletRegistrationBean servletRegistrationBean =
>                 new ServletRegistrationBean(new CXFServlet());
>         servletRegistrationBean.addUrlMappings("/*");
>         return servletRegistrationBean;
>     }
>
>     @Bean(name = Bus.DEFAULT_BUS_ID)
>     public SpringBus springBus() {
>         return new SpringBus();
>     }
>
>     @Bean
>     public StaxTransformFeature transformFeature() {
>         StaxTransformFeature staxTransformFeature = new StaxTransformFeature();
>         Map<String, String> inAppendElements = new HashMap<String, String>();
>         Map<String, String> inTransformElements = new HashMap<String, String>();
>
>         inAppendElements.put(
>                 "{http://schemas.xmlsoap.org/ws/2005/02/trust}RequestType",
>                 "{http://schemas.xmlsoap.org/ws/2005/02/trust}RequestType="
>                         + "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue");
>
>         inTransformElements.put(
>                 "{http://schemas.xmlsoap.org/ws/2005/02/trust}RequestSecurityToken",
>                 "{http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityToken");
>         inTransformElements.put(
>                 "{http://schemas.xmlsoap.org/ws/2005/02/trust}RequestType",
>                 "{http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestType");
>         inTransformElements.put(
>                 "{http://schemas.xmlsoap.org/ws/2005/02/trust}TokenType",
>                 "{http://docs.oasis-open.org/ws-sx/ws-trust/200512}TokenType");
>
>         staxTransformFeature.setInAppendElements(inAppendElements);
>         staxTransformFeature.setInTransformElements(inTransformElements);
>         return staxTransformFeature;
>     }
>
>     @Bean
>     public SecurityTokenServiceProvider mySTSProviderBean() {
>         try {
>             SecurityTokenServiceProvider securityTokenServiceProvider =
>                     new SecurityTokenServiceProvider();
>             securityTokenServiceProvider.setIssueSingleOperation(transprotIssueDelegate());
>             securityTokenServiceProvider.setValidateOperation(transportValidateDelegate());
>             securityTokenServiceProvider.setCancelOperation(transportCancelDelegate());
>             return securityTokenServiceProvider;
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>         return null;
>     }
>
>     @Bean
>     public TokenIssueOperation transprotIssueDelegate() {
>         TokenIssueOperation tokenIssueOperation = new TokenIssueOperation();
>         tokenIssueOperation.setTokenProviders(transportTokenProviders());
>         tokenIssueOperation.setServices(transportServices());
>         tokenIssueOperation.setStsProperties(transportSTSProperties());
>         tokenIssueOperation.setTokenStore(defaulttokenStore());
>         tokenIssueOperation.setReturnReferences(false);
>         return tokenIssueOperation;
>     }
>
>     @Bean
>     public TokenValidateOperation transportValidateDelegate() {
>         TokenValidateOperation tokenValidateOperation = new TokenValidateOperation();
>         tokenValidateOperation.setTokenProviders(transportTokenProviders());
>         tokenValidateOperation.setTokenValidators(transportTokenValidators());
>         tokenValidateOperation.setStsProperties(transportSTSProperties());
>         tokenValidateOperation.setTokenStore(defaulttokenStore());
>         return tokenValidateOperation;
>     }
>
>     @Bean
>     public TokenCancelOperation transportCancelDelegate() {
>         TokenCancelOperation tokenCancelOperation = new TokenCancelOperation();
>         tokenCancelOperation.setTokenCancellers(transportTokenCancellers());
>         tokenCancelOperation.setStsProperties(transportSTSProperties());
>         tokenCancelOperation.setTokenStore(defaulttokenStore());
>         return tokenCancelOperation;
>     }
>
>     @Bean
>     public BiPROTokenProvider transportSCTProvider() { // SCTProvider
>         BiPROTokenProvider biprotokenprovider = new BiPROTokenProvider();
>         biprotokenprovider.setReturnEntropy(false);
>         return biprotokenprovider;
>     }
>
>     @Bean
>     public SCTValidator transportSCTValidator() {
>         return new SCTValidator();
>     }
>
>     @Bean
>     public SCTCanceller transportSCTCanceller() {
>         return new SCTCanceller();
>     }
>
>     @Bean
>     public StaticService transportService() {
>         StaticService staticservice = new StaticService();
>         staticservice.setEndpoints(transportEndpoints());
>         return staticservice;
>     }
>
>     @Bean
>     public DefaultInMemoryTokenStore defaulttokenStore() {
>         DefaultInMemoryTokenStore tokenstore = new DefaultInMemoryTokenStore();
>         tokenstore.setTTL(1800);
>         return tokenstore;
>     }
>
>     @Bean
>     public EncryptionProperties encProperties() {
>         EncryptionProperties encryptionproperties = new EncryptionProperties();
>         encryptionproperties.setEncryptionAlgorithm(
>                 "http://www.w3.org/2001/04/xmlenc#aes128-cbc");
>         return encryptionproperties;
>     }
>
>     @Bean
>     public StaticSTSProperties transportSTSProperties() {
>         StaticSTSProperties staticSTSproperties = new StaticSTSProperties();
>         staticSTSproperties.setCallbackHandlerClass(
>                 "com.test.endpoint.STSCallbackHandler");
>         return staticSTSproperties;
>     }
>
>     @Bean
>     public SCTInInterceptor sctinterceptor() {
>         return new SCTInInterceptor();
>     }
>
>     @Bean
>     public SCTOutInterceptor sctOutInterceptor() {
>         return new SCTOutInterceptor();
>     }
>
>     @Bean
>     public List<TokenProvider> transportTokenProviders() {
>         List<TokenProvider> tokenProviderList = new ArrayList<TokenProvider>();
>         tokenProviderList.add(transportSCTProvider());
>         return tokenProviderList;
>     }
>
>     @Bean
>     public List<TokenValidator> transportTokenValidators() {
>         List<TokenValidator> tokenValidator = new ArrayList<TokenValidator>();
>         tokenValidator.add(transportSCTValidator());
>         return tokenValidator;
>     }
>
>     @Bean
>     public List<TokenCanceller> transportTokenCancellers() {
>         List<TokenCanceller> tokenCanceller = new ArrayList<TokenCanceller>();
>         tokenCanceller.add(transportSCTCanceller());
>         return tokenCanceller;
>     }
>
>     @Bean
>     public List<String> transportEndpoints() {
>         List<String> transportendpoints = new ArrayList<String>();
>         transportendpoints.add("https://localhost:8443/TransferService-2.6.0.1.0");
>         return transportendpoints;
>     }
>
>     @Bean
>     public List<ServiceMBean> transportServices() {
>         List<ServiceMBean> serviceMBean = new ArrayList<ServiceMBean>();
>         serviceMBean.add(transportService());
>         return serviceMBean;
>     }
>
>     /*
>      * endpoint STS
>      */
>     @Bean
>     public SecurityTokenService26010 securityTokenService26010() {
>         return new SecurityTokenService26010();
>     }
>
>     @Bean
>     public Endpoint endpoint() throws Exception {
>         // Object implementor = new SecurityTokenServiceProvider();
>         EndpointImpl endpoint = new EndpointImpl(springBus(), mySTSProviderBean());
>
>         endpoint.setServiceName(securityTokenService26010().getServiceName());
>         endpoint.setWsdlLocation(
>                 securityTokenService26010().getWSDLDocumentLocation().toString());
>         endpoint.publish("/SecurityTokenService-2.6.0.1.0");
>
>         endpoint.getInInterceptors().add(sctinterceptor());
>         endpoint.getOutInterceptors().add(sctOutInterceptor());
>
>         Map<String, Object> inProps = new HashMap<>();
>         inProps.put("ws-security.callback-handler", STSCallbackHandler.class.getName());
>         inProps.put("org.apache.cxf.ws.security.tokenstore.TokenStore", defaulttokenStore());
>         endpoint.setProperties(inProps);
>
>         endpoint.getFeatures().add(transformFeature());
>
>         return endpoint;
>     }
>
>     /*
>      * endpoint Transferservice
>      */
>     @Bean
>     public TransferServicePortType transferServicePortType() {
>         return new TransferServiceEndpoint();
>     }
>
>     @Bean
>     public TransferService26010 transferService26010() {
>         return new TransferService26010();
>     }
>
>     @Bean
>     public Endpoint transferendpoint() {
>         EndpointImpl transferendpoint =
>                 new EndpointImpl(springBus(), transferServicePortType());
>
>         transferendpoint.setServiceName(transferService26010().getServiceName());
>         transferendpoint.setWsdlLocation(
>                 transferService26010().getWSDLDocumentLocation().toString());
>         transferendpoint.publish("/TransferService-2.6.0.1.0");
>         transferendpoint.getInInterceptors().add(sctinterceptor());
>         transferendpoint.getOutInterceptors().add(sctOutInterceptor());
>
>         Map<String, Object> inProps = new HashMap<>();
>         inProps.put("mtom-enabled", true);
>         transferendpoint.setProperties(inProps);
>
>         return transferendpoint;
>     }
> *End STS config*
>
> This is the request in SoapUI, which is sent to the second service:
>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
>                   xmlns:tran="http://www.bipro.net/namespace/transfer"
>                   xmlns:bas="http://www.bipro.net/namespace/basis"
>                   xmlns:nac="http://www.bipro.net/namespace/nachrichten"
>                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
>                   xmlns:wsu="http://docs.oasisopen.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>    <soapenv:Header>
>       <wsse:Security>
>          <wsc:SecurityContextToken xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc">
>             <wsc:Identifier>bipro:880fa760-5e59-41aa-b883-fbfa89b1c136</wsc:Identifier>
>          </wsc:SecurityContextToken>
>       </wsse:Security>
>    </soapenv:Header>
>    <soapenv:Body>
>       <tran:listShipments>
>          <tran:Request>
>             <nac:BiPROVersion>2.0.6.1.0</nac:BiPROVersion>
>             <nac:ConsumerID>VR-12345</nac:ConsumerID>
>             <tran:KategorieDerLieferung>170</tran:KategorieDerLieferung>
>             <tran:BestaetigeLieferungen>false</tran:BestaetigeLieferungen>
>          </tran:Request>
>       </tran:listShipments>
>    </soapenv:Body>
> </soapenv:Envelope>
>
> And here is the policy definition in the wsdl from the second service:
>
> <wsp:Policy wsu:Id="AuthSecurityPolicy"
>             xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:SymmetricBinding>
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:SecureConversationToken
>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys/>
>                   <sp:BootstrapPolicy>
>                     <wsp:Policy>
>                       <sp:AsymmetricBinding>
>                         <wsp:Policy>
>                           <sp:UsernameToken
>                               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                             <wsp:Policy>
>                               <sp:WssUsernameToken11/>
>                             </wsp:Policy>
>                           </sp:UsernameToken>
>                           <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                               <sp:Basic128/>
>                             </wsp:Policy>
>                           </sp:AlgorithmSuite>
>                           <sp:Layout>
>                             <wsp:Policy>
>                               <sp:Strict/>
>                             </wsp:Policy>
>                           </sp:Layout>
>                         </wsp:Policy>
>                       </sp:AsymmetricBinding>
>                       <sp:Wss10>
>                         <wsp:Policy>
>                           <sp:MustSupportIssuedTokens/>
>                         </wsp:Policy>
>                       </sp:Wss10>
>                     </wsp:Policy>
>                   </sp:BootstrapPolicy>
>                 </wsp:Policy>
>               </sp:SecureConversationToken>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic128/>
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict/>
>             </wsp:Policy>
>           </sp:Layout>
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>       <sp:Trust13>
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens/>
>         </wsp:Policy>
>       </sp:Trust13>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
> *End policy*
>
> I read a lot in older forum posts to get my second service working with the
> STS, but nothing worked. Here are the errors I get when I call the second
> service with the above SoapUI request:
>
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SecureConversationToken: No SecureConversation token found in message.
> {http://www.w3.org/2007/08/soap12-mtom-policy}MTOM
>
> Does anybody know why I am getting these errors? Maybe I forgot something in
> my configuration? Thx in advance.
> Regards,
> Patrick
>
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.
> com/These-policy-alternatives-can-not-be-satisfied-tp5782647.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
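To illustrate Colm's point about the service provider needing to know the SecurityContextToken the client presents: the CXF SecureConversation support resolves the wsc:Identifier against the TokenStore configured on the endpoint, so an STS and a service that do not share a store cannot recognise each other's tokens. The following is an added illustration, not code from the thread or from CXF itself; it only assumes the CXF types already used in Patrick's configuration (DefaultInMemoryTokenStore, the TokenStore interface, and the "org.apache.cxf.ws.security.tokenstore.TokenStore" endpoint property key), and the SCT identifier is a constructed sample.

```java
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.sts.cache.DefaultInMemoryTokenStore;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;

/** Added illustration: an SCT is only "known" to a service whose TokenStore holds it. */
public class SharedSctStoreCheck {

    // Endpoint property key under which CXF looks up the TokenStore (same key as in the STS bean above).
    private static final String TOKEN_STORE_KEY = "org.apache.cxf.ws.security.tokenstore.TokenStore";

    /** Builds the endpoint properties map so that a given TokenStore instance is used by that endpoint. */
    static Map<String, Object> endpointProperties(TokenStore store) {
        Map<String, Object> props = new HashMap<>();
        props.put(TOKEN_STORE_KEY, store);
        return props;
    }

    /**
     * Service-side view: can the endpoint resolve the presented wsc:Identifier?
     * Returns false when the endpoint has no store, the id is unknown, or the token has expired,
     * which are the situations in which a SecureConversation policy assertion cannot be satisfied.
     */
    static boolean sctKnownToService(Map<String, Object> serviceProps, String sctId) {
        TokenStore store = (TokenStore) serviceProps.get(TOKEN_STORE_KEY);
        if (store == null) {
            return false;
        }
        SecurityToken token = store.getToken(sctId);
        return token != null && !token.isExpired();
    }

    public static void main(String[] args) {
        TokenStore shared = new DefaultInMemoryTokenStore();
        // Constructed sample identifier in the same shape as the one in the SoapUI request.
        String sctId = "bipro:00000000-0000-4000-8000-000000000000";

        // The co-located STS issues the SCT into the shared store ...
        shared.add(new SecurityToken(sctId));

        // ... so a service endpoint wired to the same store can resolve it,
        System.out.println("shared store:   " + sctKnownToService(endpointProperties(shared), sctId));
        // while a service endpoint with its own, separate store cannot.
        TokenStore separate = new DefaultInMemoryTokenStore();
        System.out.println("separate store: " + sctKnownToService(endpointProperties(separate), sctId));
    }
}
```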
