Posted to users@cxf.apache.org by bob45 <fu...@gmx.de> on 2014/02/05 16:24:21 UTC

Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Hi,

I am trying to send a RST-Issue to my business service to get an SCT. The
header contains a SAML bootstrap token. When I send the message without
<u:Timestamp> in the security header everything works fine. But when I add
the timestamp header the service complains:

WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
has thrown exception, unwinding now:
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
Received Timestamp does not match the requirements
	at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
	at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
	at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)

Ok, that makes sense as the timestamp is not part of the service policy.
So I tried to add <sp:IncludeTimestamp> at various places in the policy
without effect.
Please see the message and policy below.

My question is where to put the <sp:IncludeTimestamp> in the policy to match
the incoming message?

Message (including timestamp header):

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
	xmlns:a="http://www.w3.org/2005/08/addressing"
	xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
	<s:Header>
		<a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</a:Action>
		<a:MessageID>urn:uuid:f878193d-b3b7-4b54-ba02-c11a01285348</a:MessageID>
		<a:ReplyTo>
			<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
		</a:ReplyTo>
		<a:To s:mustUnderstand="1">https://192.168.1.47:8443/businessservice/komposit</a:To>
		<o:Security s:mustUnderstand="1"
			xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
			<u:Timestamp u:Id="_0">
				<u:Created>2014-02-05T15:02:02.694Z</u:Created>
				<u:Expires>2014-02-05T15:07:02.694Z</u:Expires>
			</u:Timestamp>
			<xenc:EncryptedData Id="ED-4">
				ENCRYPTED SAML TOKEN
			</xenc:EncryptedData>
		</o:Security>
	</s:Header>
	<s:Body>
		<trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
			<trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</trust:TokenType>
			<trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
			<trust:Entropy>
				<trust:BinarySecret u:Id="uuid-c604a73d-5045-4b75-859f-778aefc62d70-1"
					Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">8Ae+h7iuAVGlxCOH5FtdIu0NPI+R52AtdtVecEPIGBA=</trust:BinarySecret>
			</trust:Entropy>
			<trust:KeySize>256</trust:KeySize>
		</trust:RequestSecurityToken>
	</s:Body>
</s:Envelope>

WS-Policy:

<wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
	xmlns:wsp="http://www.w3.org/ns/ws-policy"
	xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
	xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
	xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
	xmlns:wsaw="http://www.w3.org/2005/08/addressing"
	xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
	xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
	xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
	wsu:Id="PoCAuthSecurityPolicy">
	<wsp:ExactlyOne>
		<wsp:All>
			<wsap10:UsingAddressing />
			<sp:SymmetricBinding>
				<wsp:Policy>
					<sp:ProtectionToken>
						<wsp:Policy>
							<sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
								<wsp:Policy>
									<sp:RequireDerivedKeys />
									<sp:BootstrapPolicy>
										<wsp:Policy>
											<sp:SymmetricBinding>
												<wsp:Policy>
													<sp:ProtectionToken>
														<wsp:Policy>
															<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
																<sp:RequestSecurityTokenTemplate>
																	<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
																	<wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
																</sp:RequestSecurityTokenTemplate>
																<wsp:Policy>
																	
																</wsp:Policy>
																<sp:Issuer>
																	<wsaw:Address>http://localhost:8080/sts/sts
																	</wsaw:Address>
																	<wsaw:Metadata>
																		<wsam:ServiceName EndpointName="UT_Port">wst:SecurityTokenService</wsam:ServiceName>
																	</wsaw:Metadata>
																</sp:Issuer>
															</sp:IssuedToken>
														</wsp:Policy>
													</sp:ProtectionToken>
													<sp:Layout>
														<wsp:Policy>
															<sp:Lax />
														</wsp:Policy>
													</sp:Layout>
													<sp:AlgorithmSuite>
														<wsp:Policy>
															<sp:Basic256 />
														</wsp:Policy>
													</sp:AlgorithmSuite>
												</wsp:Policy>
											</sp:SymmetricBinding>
											<sp:Wss11>
												<wsp:Policy>
													<sp:MustSupportRefIssuerSerial />
													<sp:MustSupportRefThumbprint />
													<sp:MustSupportRefEncryptedKey />
												</wsp:Policy>
											</sp:Wss11>
											<sp:Trust13>
												<wsp:Policy>
													<sp:MustSupportIssuedTokens />
													<sp:RequireClientEntropy />
													<sp:RequireServerEntropy />
												</wsp:Policy>
											</sp:Trust13>
										</wsp:Policy>
									</sp:BootstrapPolicy>
								</wsp:Policy>
							</sp:SecureConversationToken>
						</wsp:Policy>
					</sp:ProtectionToken>
					<sp:AlgorithmSuite>
						<wsp:Policy>
							<sp:Basic256 />
						</wsp:Policy>
					</sp:AlgorithmSuite>
				</wsp:Policy>
			</sp:SymmetricBinding>
		</wsp:All>
	</wsp:ExactlyOne>
</wsp:Policy>



--
View this message in context: http://cxf.547215.n5.nabble.com/Where-to-put-sp-Timestamp-in-WS-Policy-for-RST-SCT-Issue-Request-with-Timestamp-tp5739515.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
I am still struggling with this. Unfortunately I can't give you my code.
Could you please provide an example of a policy that expresses the following
requirements?

1. The client communicates with the STS and business service via SSL.
2. The SecurityHeader includes a Timestamp.
3. The business service uses SAML-Token obtained from the STS as bootstrap
token.
4. The client is authenticated by the STS based on a UsernameToken.

Thank you very much in advance.

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
Unfortunately I don't have enough time to create this as it is not easy to
isolate this part from our solution. NDA is also an issue.

Tried to add <sp:IncludeTimestamp> again at all possible places in the
policy. I always get the same error. Somehow it must be possible to specify
the need for a timestamp in the security header without a TransportBinding.
Thanks for your help. I appreciate this very much.

Is there anything else I can do?

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by Colm O hEigeartaigh <co...@apache.org>.
A maven project that reproduces the issue you are facing...

Colm.


On Thu, Feb 6, 2014 at 12:09 PM, bob45 <fu...@gmx.de> wrote:

> Great. What do you need?



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
Great. What do you need?

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by Colm O hEigeartaigh <co...@apache.org>.
If you can supply a test-case I will take a look.

Colm.


On Thu, Feb 6, 2014 at 11:42 AM, bob45 <fu...@gmx.de> wrote:

> This is where I started (see first post in this thread).
>
> /"So I tried to add <sp:IncludeTimestamp> at various places in the policy
> without effect."/
>
> Where exactly do I have to put the <sp:IncludeTimestamp> in the policy?



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
This is where I started (see first post in this thread).

/"So I tried to add <sp:IncludeTimestamp> at various places in the policy
without effect."/

Where exactly do I have to put the <sp:IncludeTimestamp> in the policy?

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by Colm O hEigeartaigh <co...@apache.org>.
I don't see any IncludeTimestamp policy in the bootstrap policy.

Colm.


On Thu, Feb 6, 2014 at 11:05 AM, bob45 <fu...@gmx.de> wrote:

> I removed the TransportBinding from the WSDL of the business service.
> Now the timestamp issue is back again:
>
> WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
> has thrown exception, unwinding now:
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
> be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
> Received Timestamp does not match the requirements
>         at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
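Colm's hint above (no IncludeTimestamp in the bootstrap policy) can be checked mechanically. The following script is an added example, not code from the thread or from CXF: it walks a constructed, trimmed-down copy of the business service policy, takes the binding under sp:BootstrapPolicy as the one the RST/SCT request is verified against (my assumption, not stated on the page), compares its sp:IncludeTimestamp with the wsu:Timestamp in the security header, and also flags the TransportBinding + SymmetricBinding combination that comes up later in the thread.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS = {"sp": SP, "wsp": WSP, "wsu": WSU, "wsse": WSSE, "s": SOAP}

# The three WS-SecurityPolicy security bindings; one wsp:All alternative
# is expected to carry exactly one of them.
BINDING_TAGS = {f"{{{SP}}}{name}" for name in
                ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")}

def local_name(elem):
    return elem.tag.split("}", 1)[1]

def conflicting_alternatives(policy):
    """Binding names of every wsp:All that carries more than one binding
    (the TransportBinding + SymmetricBinding mix from later in the thread)."""
    conflicts = []
    for alt in policy.iterfind(".//wsp:All", NS):
        names = [local_name(c) for c in alt if c.tag in BINDING_TAGS]
        if len(names) > 1:
            conflicts.append(names)
    return conflicts

def bootstrap_binding(policy):
    """The binding directly under sp:BootstrapPolicy/wsp:Policy.  Assumption
    (not stated on the page): this is the policy the RST/SCT request is
    verified against, which is what Colm's hint points at."""
    bp = policy.find(".//sp:BootstrapPolicy/wsp:Policy", NS)
    if bp is None:
        return None
    return next((c for c in bp if c.tag in BINDING_TAGS), None)

def requires_timestamp(binding):
    """sp:IncludeTimestamp is a direct child of the binding's wsp:Policy."""
    return binding.find("wsp:Policy/sp:IncludeTimestamp", NS) is not None

def has_timestamp(envelope):
    return envelope.find("s:Header/wsse:Security/wsu:Timestamp", NS) is not None

def check_rst_sct(policy_xml, message_xml):
    """Return a list of findings; empty means the header satisfies the
    bootstrap binding's timestamp requirement and no wsp:All mixes bindings."""
    policy = ET.fromstring(policy_xml)
    envelope = ET.fromstring(message_xml)
    findings = [f"more than one binding in one wsp:All: {' + '.join(names)}"
                for names in conflicting_alternatives(policy)]
    binding = bootstrap_binding(policy)
    if binding is None:
        return findings + ["no security binding under sp:BootstrapPolicy"]
    wants, got = requires_timestamp(binding), has_timestamp(envelope)
    if wants != got:
        findings.append("Received Timestamp does not match the requirements: "
                        f"bootstrap {local_name(binding)} IncludeTimestamp={wants}, "
                        f"wsu:Timestamp in header={got}")
    return findings

# Constructed TransportBinding, like the one the poster adds later in the thread.
TRANSPORT_BINDING = """<sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:TransportBinding>"""

def policy_xml(timestamp_in_bootstrap=False, add_transport_binding=False):
    """Constructed, trimmed-down copy of the business service policy from
    the thread, with the two variations discussed there as switches."""
    ts = "<sp:IncludeTimestamp/>" if timestamp_in_bootstrap else ""
    tb = TRANSPORT_BINDING if add_transport_binding else ""
    return f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    {tb}
    <sp:SymmetricBinding><wsp:Policy>
      <sp:ProtectionToken><wsp:Policy>
        <sp:SecureConversationToken><wsp:Policy>
          <sp:RequireDerivedKeys/>
          <sp:BootstrapPolicy><wsp:Policy>
            <sp:SymmetricBinding><wsp:Policy>
              <sp:ProtectionToken><wsp:Policy><sp:IssuedToken/></wsp:Policy></sp:ProtectionToken>
              <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
              <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
              {ts}
            </wsp:Policy></sp:SymmetricBinding>
          </wsp:Policy></sp:BootstrapPolicy>
        </wsp:Policy></sp:SecureConversationToken>
      </wsp:Policy></sp:ProtectionToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
    </wsp:Policy></sp:SymmetricBinding>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed RST/SCT envelope; only the security header matters here.
RST_SCT_WITH_TIMESTAMP = f"""<s:Envelope xmlns:s="{SOAP}">
  <s:Header><o:Security xmlns:o="{WSSE}" xmlns:u="{WSU}">
    <u:Timestamp u:Id="_0"><u:Created>2014-02-05T15:02:02.694Z</u:Created>
      <u:Expires>2014-02-05T15:07:02.694Z</u:Expires></u:Timestamp>
  </o:Security></s:Header><s:Body/>
</s:Envelope>"""
```

Calling check_rst_sct(policy_xml(), RST_SCT_WITH_TIMESTAMP) reproduces the thread's "Received Timestamp does not match the requirements" finding; with timestamp_in_bootstrap=True it returns an empty list.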

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
I removed the TransportBinding from the WSDL of the business service.
Now the timestamp issue is back again:

WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
has thrown exception, unwinding now:
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
Received Timestamp does not match the requirements
	at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Try removing the TransportBinding from your service WSDL.

Colm.


On Thu, Feb 6, 2014 at 10:07 AM, bob45 <fu...@gmx.de> wrote:

> I have a client, a business service and an STS.
>
> The scenario is as follows:
> 1. Client receives a SAML token from the STS. Client authenticates with a
> UsernameToken. (RST-Issue to STS TokenType=SAML)
> 2. Client uses the SAML token as bootstrap token to create a security
> context (RST-Issue to Business Service TokenType=SCT)
> 3. Client uses SCT to encrypt and sign the message payload. (Business
> method
> call)
>
> All communication goes over TLS.
> Currently I am stuck at stage 2.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
I have a client, a business service and an STS.

The scenario is as follows:
1. Client receives a SAML token from the STS. Client authenticates with a
UsernameToken. (RST-Issue to STS TokenType=SAML)
2. Client uses the SAML token as bootstrap token to create a security
context (RST-Issue to Business Service TokenType=SCT)
3. Client uses SCT to encrypt and sign the message payload. (Business method
call)

All communication goes over TLS.
Currently I am stuck at stage 2.

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by Colm O hEigeartaigh <co...@apache.org>.
The problem is that your business service WSDL has both a SymmetricBinding
+ a TransportBinding policy. What exactly are you trying to achieve?

Colm.


On Thu, Feb 6, 2014 at 9:28 AM, bob45 <fu...@gmx.de> wrote:

> Hi Colm,
>
> I added the TransportBindings to the policies. That solved the timestamp
> issue!
> Now I receive another error due to a policy violation from the RST/SCT
> Issue
> call:
>
> WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
> has thrown exception, unwinding now:
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
> be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding
>         at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
>
>
> Below you can see the policies and the request.
> Can you tell me why the policy verification fails? Is there a way to get
> more precise information from the DEBUG output to better understand why the
> request fails?
>
>
> Policy STS
>
>
>   <wsp:Policy wsu:Id="UT_policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <wsap10:UsingAddressing/>
>         <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:TransportToken>
>               <wsp:Policy>
>                 <sp:HttpsToken>
>                   <wsp:Policy />
>                 </sp:HttpsToken>
>               </wsp:Policy>
>             </sp:TransportToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic256 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Lax />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>           </wsp:Policy>
>         </sp:TransportBinding>
>         <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>               <wsp:Policy>
>                 <sp:WssUsernameToken11/>
>               </wsp:Policy>
>             </sp:UsernameToken>
>           </wsp:Policy>
>         </sp:SupportingTokens>
>         <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:MustSupportRefKeyIdentifier />
>             <sp:MustSupportRefIssuerSerial />
>             <sp:MustSupportRefThumbprint />
>             <sp:MustSupportRefEncryptedKey />
>           </wsp:Policy>
>         </sp:Wss11>
>         <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>           <wsp:Policy>
>             <sp:MustSupportIssuedTokens />
>             <sp:RequireClientEntropy />
>             <sp:RequireServerEntropy />
>           </wsp:Policy>
>         </sp:Trust13>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>
> Policy business service
>
>
>    <wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>                xmlns:wsp="http://www.w3.org/ns/ws-policy"
>                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>                xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>                xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>                xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>                xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>                xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>                wsu:Id="PoCAuthSecurityPolicy">
>       <wsp:ExactlyOne>
>          <wsp:All>
>            <wsap10:UsingAddressing/>
>            <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>               <wsp:Policy>
>                  <sp:TransportToken>
>                     <wsp:Policy>
>                        <sp:HttpsToken>
>                           <wsp:Policy />
>                        </sp:HttpsToken>
>                     </wsp:Policy>
>                  </sp:TransportToken>
>                  <sp:AlgorithmSuite>
>                     <wsp:Policy>
>                        <sp:Basic256 />
>                     </wsp:Policy>
>                  </sp:AlgorithmSuite>
>                  <sp:Layout>
>                     <wsp:Policy>
>                        <sp:Lax />
>                     </wsp:Policy>
>                  </sp:Layout>
>                  <sp:IncludeTimestamp />
>               </wsp:Policy>
>            </sp:TransportBinding>
>            <sp:SymmetricBinding>
>               <wsp:Policy>
>                  <sp:ProtectionToken>
>                     <wsp:Policy>
>                        <sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                           <wsp:Policy>
>                              <sp:RequireDerivedKeys />
>                              <sp:BootstrapPolicy>
>                                 <wsp:Policy>
>                                    <sp:SymmetricBinding>
>                                       <wsp:Policy>
>                                          <sp:ProtectionToken>
>                                             <wsp:Policy>
>                                                <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                                   <sp:RequestSecurityTokenTemplate>
>                                                      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
>                                                      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
>                                                   </sp:RequestSecurityTokenTemplate>
>                                                   <wsp:Policy>
>                                                   </wsp:Policy>
>                                                   <sp:Issuer>
>                                                      <wsaw:Address>https://server:8443/sts</wsaw:Address>
>                                                      <wsaw:Metadata>
>                                                         <wsam:ServiceName EndpointName="UT_Port">wst:SecurityTokenService</wsam:ServiceName>
>                                                      </wsaw:Metadata>
>                                                   </sp:Issuer>
>                                                </sp:IssuedToken>
>                                             </wsp:Policy>
>                                          </sp:ProtectionToken>
>                                          <sp:Layout>
>                                             <wsp:Policy>
>                                                <sp:Lax />
>                                             </wsp:Policy>
>                                          </sp:Layout>
>                                          <sp:AlgorithmSuite>
>                                             <wsp:Policy>
>                                                <sp:Basic256 />
>                                             </wsp:Policy>
>                                          </sp:AlgorithmSuite>
>                                       </wsp:Policy>
>                                    </sp:SymmetricBinding>
>                                 </wsp:Policy>
>                              </sp:BootstrapPolicy>
>                           </wsp:Policy>
>                        </sp:SecureConversationToken>
>                     </wsp:Policy>
>                  </sp:ProtectionToken>
>                  <sp:AlgorithmSuite>
>                     <wsp:Policy>
>                        <sp:Basic256/>
>                     </wsp:Policy>
>                  </sp:AlgorithmSuite>
>               </wsp:Policy>
>            </sp:SymmetricBinding>
>            <sp:SignedParts>
>               <sp:Body/>
>            </sp:SignedParts>
>            <sp:EncryptedElements>
>               <sp:XPath>//*[local-name()='Data' and namespace-uri()='http://data']</sp:XPath>
>            </sp:EncryptedElements>
>          </wsp:All>
>       </wsp:ExactlyOne>
>    </wsp:Policy>
>
>
> SOAP Message with RST-Issue SCT
>
>
> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>             xmlns:a="http://www.w3.org/2005/08/addressing"
>             xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>    <s:Header>
>       <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</a:Action>
>       <a:MessageID>urn:uuid:c4151332-8fe1-4111-a792-5bd668eb821e</a:MessageID>
>       <a:ReplyTo>
>          <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
>       </a:ReplyTo>
>       <a:To s:mustUnderstand="1">https://192.168.1.47:8443/service</a:To>
>       <o:Security s:mustUnderstand="1"
>                   xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>          <u:Timestamp u:Id="_0">
>             <u:Created>2014-02-06T09:06:20.795Z</u:Created>
>             <u:Expires>2014-02-06T09:11:20.795Z</u:Expires>
>          </u:Timestamp>
>          <xenc:EncryptedData Id="ED-17" Type="http://www.w3.org/2001/04/xmlenc#Element"
>                              xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>             <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                <xenc:EncryptedKey Id="EK-B343A30ECED362416C139167757963318">
>                   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>                   <ds:KeyInfo>
>                      <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                         <ds:X509Data>
>                            <ds:X509IssuerSerial>
>                               <ds:X509IssuerName>CN=Company</ds:X509IssuerName>
>                               <ds:X509SerialNumber>556889307</ds:X509SerialNumber>
>                            </ds:X509IssuerSerial>
>                         </ds:X509Data>
>                      </wsse:SecurityTokenReference>
>                   </ds:KeyInfo>
>                   <xenc:CipherData>
>                      <xenc:CipherValue>WuARdO...</xenc:CipherValue>
>                   </xenc:CipherData>
>                </xenc:EncryptedKey>
>             </ds:KeyInfo>
>             <xenc:CipherData>
>                <xenc:CipherValue>2YYuHU0xZq5...</xenc:CipherValue>
>             </xenc:CipherData>
>          </xenc:EncryptedData>
>       </o:Security>
>    </s:Header>
>    <s:Body>
>       <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>          <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>          <trust:Lifetime xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>            <wsu:Created>2014-01-28T12:33:24.835Z</wsu:Created>
>            <wsu:Expires>2014-01-28T12:38:24.835Z</wsu:Expires>
>          </trust:Lifetime>
>          <trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</trust:TokenType>
>          <trust:Entropy>
>             <trust:BinarySecret u:Id="uuid-ccb577a5-b787-4777-b52a-0387e70d5d34-1"
>                                 Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">M0TLwBNGSzOrJAeafQOsrA/Fl48woeeuKDxwnD8Iicc=</trust:BinarySecret>
>          </trust:Entropy>
>          <trust:KeySize>256</trust:KeySize>
>          <trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm>
>          <trust:Renewing/>
>       </trust:RequestSecurityToken>
>    </s:Body>
> </s:Envelope>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
Hi Colm,

I added the TransportBindings to the policies. That solved the timestamp
issue! 
Now I receive another error due to a policy violation from the RST/SCT Issue
call:

WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
has thrown exception, unwinding now:
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding
	at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)


Below you can see the policies and the request.
Can you tell me why the policy verification fails? Is there a way to get
more precise information from the DEBUG output to better understand why the
request fails?


Policy STS


  <wsp:Policy wsu:Id="UT_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <wsap10:UsingAddressing/>
        <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken>
                  <wsp:Policy />
                </sp:HttpsToken>
              </wsp:Policy>
            </sp:TransportToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256 />
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax />
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp />
          </wsp:Policy>
        </sp:TransportBinding>
        <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <sp:WssUsernameToken11/>
              </wsp:Policy>
            </sp:UsernameToken>
          </wsp:Policy>
        </sp:SupportingTokens>
        <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier />
            <sp:MustSupportRefIssuerSerial />
            <sp:MustSupportRefThumbprint />
            <sp:MustSupportRefEncryptedKey />
          </wsp:Policy>
        </sp:Wss11>
        <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens />
            <sp:RequireClientEntropy />
            <sp:RequireServerEntropy />
          </wsp:Policy>
        </sp:Trust13>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>


Policy business service


   <wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
               xmlns:wsp="http://www.w3.org/ns/ws-policy"
               xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
               xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
               xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
               xmlns:wsaw="http://www.w3.org/2005/08/addressing"
               xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
               xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
               xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
               wsu:Id="PoCAuthSecurityPolicy">
      <wsp:ExactlyOne>
         <wsp:All>
            <wsap10:UsingAddressing/>
            <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
               <wsp:Policy>
                  <sp:TransportToken>
                     <wsp:Policy>
                        <sp:HttpsToken>
                           <wsp:Policy/>
                        </sp:HttpsToken>
                     </wsp:Policy>
                  </sp:TransportToken>
                  <sp:AlgorithmSuite>
                     <wsp:Policy>
                        <sp:Basic256/>
                     </wsp:Policy>
                  </sp:AlgorithmSuite>
                  <sp:Layout>
                     <wsp:Policy>
                        <sp:Lax/>
                     </wsp:Policy>
                  </sp:Layout>
                  <sp:IncludeTimestamp/>
               </wsp:Policy>
            </sp:TransportBinding>
            <sp:SymmetricBinding>
               <wsp:Policy>
                  <sp:ProtectionToken>
                     <wsp:Policy>
                        <sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                           <wsp:Policy>
                              <sp:RequireDerivedKeys/>
                              <sp:BootstrapPolicy>
                                 <wsp:Policy>
                                    <sp:SymmetricBinding>
                                       <wsp:Policy>
                                          <sp:ProtectionToken>
                                             <wsp:Policy>
                                                <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                                   <sp:RequestSecurityTokenTemplate>
                                                      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
                                                      <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
                                                   </sp:RequestSecurityTokenTemplate>
                                                   <wsp:Policy/>
                                                   <sp:Issuer>
                                                      <wsaw:Address>https://server:8443/sts</wsaw:Address>
                                                      <wsaw:Metadata>
                                                         <wsam:ServiceName EndpointName="UT_Port">wst:SecurityTokenService</wsam:ServiceName>
                                                      </wsaw:Metadata>
                                                   </sp:Issuer>
                                                </sp:IssuedToken>
                                             </wsp:Policy>
                                          </sp:ProtectionToken>
                                          <sp:Layout>
                                             <wsp:Policy>
                                                <sp:Lax/>
                                             </wsp:Policy>
                                          </sp:Layout>
                                          <sp:AlgorithmSuite>
                                             <wsp:Policy>
                                                <sp:Basic256/>
                                             </wsp:Policy>
                                          </sp:AlgorithmSuite>
                                       </wsp:Policy>
                                    </sp:SymmetricBinding>
                                 </wsp:Policy>
                              </sp:BootstrapPolicy>
                           </wsp:Policy>
                        </sp:SecureConversationToken>
                     </wsp:Policy>
                  </sp:ProtectionToken>
                  <sp:AlgorithmSuite>
                     <wsp:Policy>
                        <sp:Basic256/>
                     </wsp:Policy>
                  </sp:AlgorithmSuite>
               </wsp:Policy>
            </sp:SymmetricBinding>
            <sp:SignedParts>
               <sp:Body/>
            </sp:SignedParts>
            <sp:EncryptedElements>
               <sp:XPath>//*[local-name()='Data' and namespace-uri()='http://data']</sp:XPath>
            </sp:EncryptedElements>
         </wsp:All>
      </wsp:ExactlyOne>
   </wsp:Policy>


SOAP Message with RST-Issue SCT


<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <s:Header>
      <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</a:Action>
      <a:MessageID>urn:uuid:c4151332-8fe1-4111-a792-5bd668eb821e</a:MessageID>
      <a:ReplyTo>
         <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
      </a:ReplyTo>
      <a:To s:mustUnderstand="1">https://192.168.1.47:8443/service</a:To>
      <o:Security s:mustUnderstand="1"
                  xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <u:Timestamp u:Id="_0">
            <u:Created>2014-02-06T09:06:20.795Z</u:Created>
            <u:Expires>2014-02-06T09:11:20.795Z</u:Expires>
         </u:Timestamp>
         <xenc:EncryptedData Id="ED-17" Type="http://www.w3.org/2001/04/xmlenc#Element"
                             xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
            <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
               <xenc:EncryptedKey Id="EK-B343A30ECED362416C139167757963318">
                  <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
                  <ds:KeyInfo>
                     <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
                        <ds:X509Data>
                           <ds:X509IssuerSerial>
                              <ds:X509IssuerName>CN=Company</ds:X509IssuerName>
                              <ds:X509SerialNumber>556889307</ds:X509SerialNumber>
                           </ds:X509IssuerSerial>
                        </ds:X509Data>
                     </wsse:SecurityTokenReference>
                  </ds:KeyInfo>
                  <xenc:CipherData>
                     <xenc:CipherValue>WuARdO...</xenc:CipherValue>
                  </xenc:CipherData>
               </xenc:EncryptedKey>
            </ds:KeyInfo>
            <xenc:CipherData>
               <xenc:CipherValue>2YYuHU0xZq5...</xenc:CipherValue>
            </xenc:CipherData>
         </xenc:EncryptedData>
      </o:Security>
   </s:Header>
   <s:Body>
      <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
         <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
         <trust:Lifetime xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
            <wsu:Created>2014-01-28T12:33:24.835Z</wsu:Created>
            <wsu:Expires>2014-01-28T12:38:24.835Z</wsu:Expires>
         </trust:Lifetime>
         <trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</trust:TokenType>
         <trust:Entropy>
            <trust:BinarySecret u:Id="uuid-ccb577a5-b787-4777-b52a-0387e70d5d34-1"
                                Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">M0TLwBNGSzOrJAeafQOsrA/Fl48woeeuKDxwnD8Iicc=</trust:BinarySecret>
         </trust:Entropy>
         <trust:KeySize>256</trust:KeySize>
         <trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm>
         <trust:Renewing/>
      </trust:RequestSecurityToken>
   </s:Body>
</s:Envelope>



--
View this message in context: http://cxf.547215.n5.nabble.com/Where-to-put-sp-Timestamp-in-WS-Policy-for-RST-SCT-Issue-Request-with-Timestamp-tp5739515p5739549.html
Sent from the cxf-user mailing list archive at Nabble.com.
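The "Received Timestamp does not match the requirements" failure above is raised at the policy layer, but a receiver also applies a second set of checks to the wsu:Timestamp itself once the policy says one is expected. The following Python is an added example, not code from this thread or from Apache CXF/WSS4J: it applies those receiver-side rules (exactly one Timestamp in the WSS utility namespace, Expires after Created, not expired, Created neither in the future nor older than a time-to-live) to a constructed Security header that carries the Created/Expires values of the RST/SCT message above. The receiver clock, the 300 s TTL, the 60 s skew allowance and the "wrong namespace" variant are assumptions chosen for the example; the namespace check also covers the xmlns:u question asked later in this thread.

```python
"""Receiver-side checks on a WS-Security wsu:Timestamp.

Added example; not code from this thread or from Apache CXF/WSS4J. It applies
the rules a WS-Security receiver enforces on an incoming Timestamp:
  * exactly one Timestamp, and it must be in the WSS utility namespace
    (a Timestamp under any other namespace is simply not recognised),
  * Created and Expires are UTC xsd:dateTime values,
  * Expires is after Created and has not passed,
  * Created is neither in the future (beyond a clock-skew allowance) nor
    older than a time-to-live.
The TTL (300 s) and skew (60 s) are assumptions chosen for the example.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

# Constructed Security header: the Timestamp is the one from the RST/SCT
# message posted above; the encrypted SAML token is left out.
SECURITY_HEADER = f"""
<o:Security xmlns:o="{WSSE_NS}" xmlns:u="{WSU_NS}">
  <u:Timestamp u:Id="_0">
    <u:Created>2014-02-06T09:06:20.795Z</u:Created>
    <u:Expires>2014-02-06T09:11:20.795Z</u:Expires>
  </u:Timestamp>
</o:Security>
"""

# Same header with xmlns:u bound to a wrong (constructed) namespace.
WRONG_NS_HEADER = SECURITY_HEADER.replace(WSU_NS, "http://example.invalid/not-wsu")


def parse_utc(text):
    """Parse an xsd:dateTime that carries a 'Z' suffix, with or without a fraction."""
    text = text.strip()
    if not text.endswith("Z"):
        raise ValueError("dateTime must be in UTC with a trailing 'Z'")
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in text else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def check_timestamp(security_xml, now, ttl=timedelta(seconds=300),
                    future_skew=timedelta(seconds=60)):
    """Return (ok, reason). `now` is the receiver's clock: a datetime or a 'Z' string."""
    if isinstance(now, str):
        now = parse_utc(now)
    root = ET.fromstring(security_xml.strip())
    stamps = root.findall(f"{{{WSU_NS}}}Timestamp")
    if len(stamps) != 1:
        return False, f"expected exactly one wsu:Timestamp, found {len(stamps)}"
    created_el = stamps[0].find(f"{{{WSU_NS}}}Created")
    expires_el = stamps[0].find(f"{{{WSU_NS}}}Expires")
    if created_el is None or not (created_el.text or "").strip():
        return False, "Timestamp has no Created"
    try:
        created = parse_utc(created_el.text)
        expires = parse_utc(expires_el.text) if expires_el is not None and expires_el.text else None
    except ValueError as exc:
        return False, f"unparseable dateTime: {exc}"
    if expires is not None and expires <= created:
        return False, "Expires is not after Created"
    if expires is not None and now >= expires:
        return False, "Timestamp has expired"
    if created - now > future_skew:
        return False, "Created lies in the future"
    if now - created > ttl:
        return False, "Created is older than the time-to-live"
    return True, "ok"


if __name__ == "__main__":
    # Constructed receiver clocks: inside the window, after Expires, wrong namespace.
    print(check_timestamp(SECURITY_HEADER, "2014-02-06T09:08:00Z"))
    print(check_timestamp(SECURITY_HEADER, "2014-02-06T09:12:00Z"))
    print(check_timestamp(WRONG_NS_HEADER, "2014-02-06T09:08:00Z"))
```

The clock in the example is passed in explicitly rather than read from the system, so the same header can be replayed against several receiver times; in a real receiver `now` is the local clock and the TTL is what caps how long a captured message stays replayable.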

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
Is it possible to have a policy that describes a timestamp in the security
header without using TLS?
This is what I currently need for my testing.





Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by Colm O hEigeartaigh <co...@apache.org>.
If you want to use TLS then you should have a TransportBinding, and not a
SymmetricBinding policy.

Colm.


On Wed, Feb 5, 2014 at 4:59 PM, bob45 <fu...@gmx.de> wrote:




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
I see.
But what if I don't want to protect (sign/encrypt) the UsernameToken?
Maybe it is for testing purposes or because SSL is enough.

The pasted policy does that. Except for the timestamp.
Is there a way not to protect the usernametoken but add the timestamp?






Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by Colm O hEigeartaigh <co...@apache.org>.
The policy is not correct. It should have a ProtectionToken which
references the key to use to secure the request. See here for an example
(line 415):

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/deployment/ws-trust-1.4-service.wsdl?view=markup

Colm.


On Wed, Feb 5, 2014 at 4:41 PM, bob45 <fu...@gmx.de> wrote:




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
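The two structural points Colm makes in this thread, that a SymmetricBinding must name the key it is protected with (a ProtectionToken) and that the IncludeTimestamp for the bootstrap exchange belongs in the BootstrapPolicy's own SymmetricBinding, can be checked mechanically before deploying a policy. The Python below is an added example, not code from this thread or from Apache CXF: it walks every binding assertion in a WS-SecurityPolicy 1.2 document, including one nested inside a SecureConversationToken's BootstrapPolicy, and reports where IncludeTimestamp sits and which bindings are malformed. The two sample policies are trimmed, constructed copies of the amended STS policy and of the business-service policy posted in this thread; the SupportingTokens check rests on the WS-SecurityPolicy rule that supporting-token assertions are peers of the binding assertion (as the first STS policy in the thread has them), not children of it.

```python
"""Structural lint for WS-SecurityPolicy 1.2 bindings.

Added example; not code from this thread or from Apache CXF. It walks every
binding assertion in a policy, including a binding nested inside a
SecureConversationToken's BootstrapPolicy, and reports the points this
thread turns on:
  * a SymmetricBinding must name the key it is protected with
    (a ProtectionToken, or SignatureToken plus EncryptionToken),
  * SupportingTokens are peers of the binding, not children of it,
  * one alternative should carry one binding (TLS is a TransportBinding,
    not a SymmetricBinding beside it),
  * which bindings carry IncludeTimestamp, with the path to each.
The sample policies are trimmed copies of the ones posted in the thread.
"""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
BINDINGS = {f"{{{SP}}}{b}" for b in ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")}

# Trimmed copy of the amended STS policy: IncludeTimestamp is there, but the
# SymmetricBinding has no ProtectionToken and SupportingTokens sit inside it.
AMENDED_STS_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:SymmetricBinding><wsp:Policy>
      <sp:SupportingTokens><wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SupportingTokens>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
      <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:SymmetricBinding>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>
"""

# Trimmed copy of the business-service policy as posted: a TransportBinding and
# a SymmetricBinding in one alternative, and no IncludeTimestamp in the
# BootstrapPolicy's SymmetricBinding, which is where the bootstrap RST is judged.
SERVICE_POLICY = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy>
      <sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>
      <sp:IncludeTimestamp/>
    </wsp:Policy></sp:TransportBinding>
    <sp:SymmetricBinding><wsp:Policy>
      <sp:ProtectionToken><wsp:Policy>
        <sp:SecureConversationToken><wsp:Policy>
          <sp:RequireDerivedKeys/>
          <sp:BootstrapPolicy><wsp:Policy>
            <sp:SymmetricBinding><wsp:Policy>
              <sp:ProtectionToken><wsp:Policy><sp:IssuedToken/></wsp:Policy></sp:ProtectionToken>
              <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
            </wsp:Policy></sp:SymmetricBinding>
          </wsp:Policy></sp:BootstrapPolicy>
        </wsp:Policy></sp:SecureConversationToken>
      </wsp:Policy></sp:ProtectionToken>
    </wsp:Policy></sp:SymmetricBinding>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>
"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def lint_policy(policy_xml):
    """Return {'bindings': [(path, has_include_timestamp)], 'problems': [(path, text)]}."""
    root = ET.fromstring(policy_xml.strip())
    report = {"bindings": [], "problems": []}
    for alt in root.iter(f"{{{WSP}}}All"):
        top = [_local(c.tag) for c in alt if c.tag in BINDINGS]
        if len(top) > 1:
            report["problems"].append(("All", "more than one binding in one alternative: " + ", ".join(top)))
    _walk(root, "", report)
    return report


def _walk(el, path, report):
    for child in el:
        if child.tag.startswith(f"{{{WSP}}}"):
            here = path  # wsp:Policy/ExactlyOne/All are structure, not assertions
        else:
            here = f"{path}/{_local(child.tag)}" if path else _local(child.tag)
        if child.tag in BINDINGS:
            _check_binding(child, here, report)
        _walk(child, here, report)  # recurse so a binding inside BootstrapPolicy is found


def _check_binding(binding, path, report):
    nested = binding.find(f"{{{WSP}}}Policy")
    kids = {_local(c.tag) for c in nested} if nested is not None else set()
    kind = _local(binding.tag)
    if kind == "SymmetricBinding" and "ProtectionToken" not in kids \
            and not {"SignatureToken", "EncryptionToken"} <= kids:
        report["problems"].append((path, "SymmetricBinding has no ProtectionToken "
                                         "(nor SignatureToken plus EncryptionToken)"))
    if kind == "TransportBinding" and "TransportToken" not in kids:
        report["problems"].append((path, "TransportBinding has no TransportToken"))
    if "SupportingTokens" in kids:
        report["problems"].append((path, "SupportingTokens nested inside the binding; "
                                         "they belong beside it in the same wsp:All"))
    report["bindings"].append((path, "IncludeTimestamp" in kids))


if __name__ == "__main__":
    for name, doc in (("amended STS policy", AMENDED_STS_POLICY), ("service policy", SERVICE_POLICY)):
        r = lint_policy(doc)
        print(name)
        for p, ts in r["bindings"]:
            print(f"  binding {p}: IncludeTimestamp={'yes' if ts else 'no'}")
        for p, msg in r["problems"]:
            print(f"  PROBLEM at {p}: {msg}")
```

Run against the service policy the report lists three bindings, and the one at SymmetricBinding/ProtectionToken/SecureConversationToken/BootstrapPolicy/SymmetricBinding is the only place an IncludeTimestamp would be matched against the bootstrap RST's Security header; adding it at the top-level TransportBinding, as the posted policy does, does not cover that exchange.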

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
This is my amended STS policy:

  <wsp:Policy wsu:Id="UT_policy"
              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
    <wsp:ExactlyOne>
      <wsp:All>
        <wsap10:UsingAddressing/>
        <sp:SymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
          <wsp:Policy>
            <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
              <wsp:Policy>
                <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:WssUsernameToken11/>
                  </wsp:Policy>
                </sp:UsernameToken>
              </wsp:Policy>
            </sp:SupportingTokens>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256/>
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax/>
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp/>
          </wsp:Policy>
        </sp:SymmetricBinding>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

When I use this I get the following error already on the initial RST-Issue
for the SAML token:

WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
has thrown exception, unwinding now:
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp:
Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
Received Timestamp does not match the requirements
	at
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)


The SAML RST is as follows:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
   <s:Header>
      <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
      <a:MessageID>urn:uuid:bf62d776-4eff-461a-8a57-471e165e19df</a:MessageID>
      <a:ReplyTo>
         <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
      </a:ReplyTo>
      <a:To s:mustUnderstand="1">https:/server:8443/sts</a:To>
      <o:Security s:mustUnderstand="1"
                  xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
         <u:Timestamp u:Id="_0">
            <u:Created>2014-02-05T16:35:38.720Z</u:Created>
            <u:Expires>2014-02-05T16:40:38.720Z</u:Expires>
         </u:Timestamp>
         <o:UsernameToken u:Id="uuid-2341ccae-1fe5-46d8-a84e-4569e6e7dfb5-1">
            <o:Username>user</o:Username>
            <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">pwd</o:Password>
         </o:UsernameToken>
      </o:Security>
   </s:Header>
   <s:Body>
      <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
         <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
            <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
               <wsa:Address>http://server:8080/service</wsa:Address>
            </wsa:EndpointReference>
         </wsp:AppliesTo>
         <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
         <trust:Lifetime>
            <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-02-05T16:35:38.684Z</wsu:Created>
            <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2014-02-05T22:35:38.684Z</wsu:Expires>
         </trust:Lifetime>
         <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
         <trust:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</trust:TokenType>
      </trust:RequestSecurityToken>
   </s:Body>
</s:Envelope>






Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by Colm O hEigeartaigh <co...@apache.org>.
Actually, the policy you pasted was the service policy. The
IncludeTimestamp policy assertion should instead be in the policy of the
STS.

Colm.


On Wed, Feb 5, 2014 at 4:12 PM, bob45 <fu...@gmx.de> wrote:




-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by bob45 <fu...@gmx.de>.
I tried and the effect is:

WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
has thrown exception, unwinding now:
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp:
Received Timestamp does not match the requirements
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
Received Timestamp does not match the requirements
	at
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)

Could it be a namespace problem? The namespace in the message is:
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

Do you have an idea?




Re: Where to put in WS-Policy for RST/SCT Issue Request with Timestamp?

Posted by Colm O hEigeartaigh <co...@apache.org>.
It should go in the BootstrapPolicy as a child of the SymmetricBinding
policy, e.g. after the sp:Layout assertion.

Colm.


On Wed, Feb 5, 2014 at 3:24 PM, bob45 <fu...@gmx.de> wrote:

> Hi,
>
> I am trying to send a RST-Issue to my business service to get an SCT. The
> header contains a SAML bootstrap token. When I send the message without
> <u:Timestamp> in the security header everything works fine. But when I add
> the timestamp header the service complains:
>
> WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
> {
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
> has thrown exception, unwinding now:
> org.apache.cxf.ws.policy.PolicyException: *These policy alternatives can
> not
> be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
> {
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding
> :
> Received Timestamp does not match the requirements*     at
>
> org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
>         at
>
> org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
>         at
>
> org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>
> Ok, that makes sense as the timestamp ist not part of the service policy.
> So I tried to add <sp:IncludeTimestamp> at various places in the policy
> without effect.
> Please see the message and policy below.
>
> My question is where to put the <sp:IncludeTimestamp> in the policy to
> match
> the incoming message?
>
> Message (including timestamp header):
>
>
> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>         xmlns:a="http://www.w3.org/2005/08/addressing"
>
> xmlns:u="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> ">
>         <s:Header>
>                 <a:Action
> s:mustUnderstand="1">
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</a:Action>
>
> <a:MessageID>urn:uuid:f878193d-b3b7-4b54-ba02-c11a01285348</a:MessageID>
>                 <a:ReplyTo>
>                         <a:Address>
> http://www.w3.org/2005/08/addressing/anonymous</a:Address>
>                 </a:ReplyTo>
>                 <a:To
> s:mustUnderstand="1">https://192.168.1.47:8443/businessservice/komposit
> </a:To>
>                 <o:Security s:mustUnderstand="1"
>
> xmlns:o="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
> ">
>                         <u:Timestamp u:Id="_0">
>
> <u:Created>2014-02-05T15:02:02.694Z</u:Created>
>
> <u:Expires>2014-02-05T15:07:02.694Z</u:Expires>
>                         </u:Timestamp>
>                         <xenc:EncryptedData Id="ED-4">
>                         ENCRYPTED SAML TOKEN
>                         </xenc:EncryptedData>
>                 </o:Security>
>         </s:Header>
>         <s:Body>
>                 <trust:RequestSecurityToken
>                         xmlns:trust="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>
> <trust:TokenType>
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct
>                         </trust:TokenType>
>
> <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
> </trust:RequestType>
>                         <trust:Entropy>
>                                 <trust:BinarySecret
> u:Id="uuid-c604a73d-5045-4b75-859f-778aefc62d70-1"
>
> Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce
> ">8Ae+h7iuAVGlxCOH5FtdIu0NPI+R52AtdtVecEPIGBA=</trust:BinarySecret>
>                         </trust:Entropy>
>                         <trust:KeySize>256</trust:KeySize>
>                 </trust:RequestSecurityToken>
>         </s:Body>
> </s:Envelope>
>
> WS-Policy:
>
>
> <wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>         xmlns:wsp="http://www.w3.org/ns/ws-policy"
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
>         xmlns:sp="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>         xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>         xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>         xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>         xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>         xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>         wsu:Id="PoCAuthSecurityPolicy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <wsap10:UsingAddressing />
>       <sp:SymmetricBinding>
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:SecureConversationToken
>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys />
>                   <sp:BootstrapPolicy>
>                     <wsp:Policy>
>                       <sp:SymmetricBinding>
>                         <wsp:Policy>
>                           <sp:ProtectionToken>
>                             <wsp:Policy>
>                               <sp:IssuedToken
>                                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                 <sp:RequestSecurityTokenTemplate>
>                                   <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
>                                   <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
>                                 </sp:RequestSecurityTokenTemplate>
>                                 <wsp:Policy>
>                                 </wsp:Policy>
>                                 <sp:Issuer>
>                                   <wsaw:Address>http://localhost:8080/sts/sts</wsaw:Address>
>                                   <wsaw:Metadata>
>                                     <wsam:ServiceName EndpointName="UT_Port">wst:SecurityTokenService</wsam:ServiceName>
>                                   </wsaw:Metadata>
>                                 </sp:Issuer>
>                               </sp:IssuedToken>
>                             </wsp:Policy>
>                           </sp:ProtectionToken>
>                           <sp:Layout>
>                             <wsp:Policy>
>                               <sp:Lax />
>                             </wsp:Policy>
>                           </sp:Layout>
>                           <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                               <sp:Basic256 />
>                             </wsp:Policy>
>                           </sp:AlgorithmSuite>
>                         </wsp:Policy>
>                       </sp:SymmetricBinding>
>                       <sp:Wss11>
>                         <wsp:Policy>
>                           <sp:MustSupportRefIssuerSerial />
>                           <sp:MustSupportRefThumbprint />
>                           <sp:MustSupportRefEncryptedKey />
>                         </wsp:Policy>
>                       </sp:Wss11>
>                       <sp:Trust13>
>                         <wsp:Policy>
>                           <sp:MustSupportIssuedTokens />
>                           <sp:RequireClientEntropy />
>                           <sp:RequireServerEntropy />
>                         </wsp:Policy>
>                       </sp:Trust13>
>                     </wsp:Policy>
>                   </sp:BootstrapPolicy>
>                 </wsp:Policy>
>               </sp:SecureConversationToken>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Where-to-put-sp-Timestamp-in-WS-Policy-for-RST-SCT-Issue-Request-with-Timestamp-tp5739515.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
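The policy quoted above has two sp:SymmetricBinding assertions: the outer one, and a second one inside sp:BootstrapPolicy that governs the RST/SCT issue exchange before the SCT exists. WS-SecurityPolicy 1.2 defines sp:IncludeTimestamp as a binding property, i.e. a direct child of the binding's nested wsp:Policy alongside sp:Layout and sp:AlgorithmSuite (that placement is taken from the spec, not from this thread). The following is an added example, not code from the thread or from CXF: it walks a policy document, reports for each SymmetricBinding whether sp:IncludeTimestamp is declared in its nested wsp:Policy, and can add the assertion to the chosen binding. The sample policy is a constructed, trimmed copy of the structure above; the wsp namespace chosen for it is only one of the two WS-Policy namespaces in use, so the checker matches wsp:Policy by local name.

```python
# Added example (not from the thread): locate every sp:SymmetricBinding in a
# WS-SecurityPolicy 1.2 document and check whether sp:IncludeTimestamp sits
# directly in that binding's nested wsp:Policy. Placement per WS-SecurityPolicy
# 1.2 binding properties; assumption, not something the thread itself states.
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # used by the constructed sample only
ET.register_namespace("sp", SP)
ET.register_namespace("wsp", WSP)

# Constructed sample: same shape as the quoted policy (outer SymmetricBinding,
# SecureConversationToken protection token, BootstrapPolicy with a second
# SymmetricBinding), with token details left out. Neither binding declares
# sp:IncludeTimestamp, which is the situation described in the thread.
SAMPLE_POLICY = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:SymmetricBinding><wsp:Policy>
      <sp:ProtectionToken><wsp:Policy>
        <sp:SecureConversationToken><wsp:Policy>
          <sp:RequireDerivedKeys/>
          <sp:BootstrapPolicy><wsp:Policy>
            <sp:SymmetricBinding><wsp:Policy>
              <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
              <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
            </wsp:Policy></sp:SymmetricBinding>
          </wsp:Policy></sp:BootstrapPolicy>
        </wsp:Policy></sp:SecureConversationToken>
      </wsp:Policy></sp:ProtectionToken>
      <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
    </wsp:Policy></sp:SymmetricBinding>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""


def _is(elem, name):
    """True if elem is the WS-SecurityPolicy 1.2 assertion sp:<name>."""
    return elem.tag == "{%s}%s" % (SP, name)


def _nested_policies(assertion):
    """Direct wsp:Policy children of an assertion, matched by local name so
    either WS-Policy namespace is accepted."""
    return [c for c in assertion if c.tag.rsplit("}", 1)[-1] == "Policy"]


def _symmetric_bindings(root):
    """Pre-order list of (scope, element) for every sp:SymmetricBinding.
    scope is 'bootstrap' when the binding sits under sp:BootstrapPolicy
    (the binding that secures the RST/SCT issue exchange), else 'outer'."""
    found = []

    def walk(elem, in_bootstrap):
        if _is(elem, "SymmetricBinding"):
            found.append(("bootstrap" if in_bootstrap else "outer", elem))
        for child in elem:
            walk(child, in_bootstrap or _is(elem, "BootstrapPolicy"))

    walk(root, False)
    return found


def binding_timestamp_report(policy_xml):
    """One entry per SymmetricBinding: its scope and whether IncludeTimestamp
    is a direct child of its nested wsp:Policy."""
    root = ET.fromstring(policy_xml)
    report = []
    for scope, binding in _symmetric_bindings(root):
        has_ts = any(_is(c, "IncludeTimestamp")
                     for nested in _nested_policies(binding) for c in nested)
        report.append({"binding": scope, "include_timestamp": has_ts})
    return report


def add_include_timestamp(policy_xml, binding="bootstrap"):
    """Return the policy with <sp:IncludeTimestamp/> added to the nested
    wsp:Policy of the chosen binding ('outer' or 'bootstrap') if it is missing."""
    root = ET.fromstring(policy_xml)
    for scope, elem in _symmetric_bindings(root):
        nested = _nested_policies(elem)
        if scope != binding or not nested:
            continue
        if not any(_is(c, "IncludeTimestamp") for c in nested[0]):
            ET.SubElement(nested[0], "{%s}IncludeTimestamp" % SP)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for entry in binding_timestamp_report(SAMPLE_POLICY):
        print(entry)
    print(add_include_timestamp(SAMPLE_POLICY, "bootstrap"))
```

Running the report against a deployed policy shows at a glance which binding the timestamp requirement is (or is not) attached to; a timestamp in the RST/SCT request is judged by the bootstrap binding, while the outer binding only applies to messages secured with the issued SCT.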