Posted to users@cxf.apache.org by Alessio Soldano <as...@redhat.com> on 2013/04/03 17:13:52 UTC

WS-Mex issue on CXF 2.6.7

Hi,
I'm seeing exceptions as at http://fpaste.org/Nidh/ when ws-mex Get
calls are done against WS-Security Policy enabled endpoints. I have a
common ws-trust scenario, with the endpoint wsdl containing

<sp:InitiatorToken>
  <wsp:Policy>
    <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
      <sp:RequestSecurityTokenTemplate>
        <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
        <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
      </sp:RequestSecurityTokenTemplate>
      <wsp:Policy>
        <sp:RequireInternalReference/>
      </wsp:Policy>
      <sp:Issuer>
        <wsaws:Address>http://localhost:8080/jaxws-samples-wsse-policy-trust-sts/SecurityTokenService</wsaws:Address>
        <wsaws:Metadata xmlns:wsdli="http://www.w3.org/2006/01/wsdl-instance"
                        wsdli:wsdlLocation="http://localhost:8080/jaxws-samples-wsse-policy-trust-sts/SecurityTokenService?wsdl">
          <wsaw:ServiceName xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
                            xmlns:stsns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
                            EndpointName="UT_Port">stsns:SecurityTokenService</wsaw:ServiceName>
        </wsaws:Metadata>
      </sp:Issuer>
    </sp:IssuedToken>
  </wsp:Policy>
</sp:InitiatorToken>

The STS service is also using ws-security policy

@WebServiceProvider(serviceName = "SecurityTokenService",
      portName = "UT_Port",
      targetNamespace = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/",
      wsdlLocation = "WEB-INF/wsdl/ws-trust-1.4-service.wsdl")
@EndpointProperties(value = {
      @EndpointProperty(key = "ws-security.signature.username", value = "mystskey"),
      @EndpointProperty(key = "ws-security.signature.properties", value = "stsKeystore.properties"),
      @EndpointProperty(key = "ws-security.callback-handler",
            value = "org.jboss.test.ws.jaxws.samples.wsse.policy.trust.STSCallbackHandler"),
      // to let the JAAS integration deal with validation through the interceptor below
      @EndpointProperty(key = "ws-security.validate.token", value = "false")
})
@InInterceptors(interceptors =
      {"org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingPolicyInterceptor"})
public class SampleSTS extends SecurityTokenServiceProvider
{
...
}

with the mentioned ws-trust-1.4-service.wsdl being a reduced version of
the sts-war one having the UT port and policies only.

A quick debugging seems to reveal that the
PolicyBasedWSS4JInInterceptor::computeAction method is failing to
retrieve the action as no AssertionInfoMap attachment is found in the
message. Any idea of what might have changed between 2.6.6 and 2.6.7 here?
Thanks
Alessio


-- 
Alessio Soldano
Web Service Lead, JBoss

Re: WS-Mex issue on CXF 2.6.7

Posted by Daniel Kulp <dk...@apache.org>.
Alessio and I chatted a bit on IRC about this:

http://irclogs.dankulp.com/logs/irclogger_log/cxf?date=2013-04-03,Wed&sel=91#l87

Looks like a bug in how the mex and WSS4JPolicyIn things are interacting.  He's investigating.

Dan




-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
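
The condition reported in the first message (no AssertionInfoMap on the inbound message when PolicyBasedWSS4JInInterceptor runs) can be observed per request with a small diagnostic interceptor. This is an added example, not code from the thread or from CXF; the class name AimPresenceInterceptor is hypothetical, and it assumes the CXF 2.6.x core and ws-security modules are on the classpath.

```java
import java.util.logging.Logger;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.service.model.BindingOperationInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor;

// Hypothetical diagnostic class (not part of CXF or of the thread).
// It only observes the message: nothing is modified and no fault is raised.
public class AimPresenceInterceptor extends AbstractPhaseInterceptor<Message> {

    private static final Logger LOG =
        Logger.getLogger(AimPresenceInterceptor.class.getName());

    public AimPresenceInterceptor() {
        // Same phase as the WSS4J in-interceptors, ordered just ahead of the
        // policy-based one so the log shows exactly what it is about to see.
        super(Phase.PRE_PROTOCOL);
        addBefore(PolicyBasedWSS4JInInterceptor.class.getName());
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);

        // The operation may still be unresolved for some requests.
        BindingOperationInfo boi = message.getExchange().getBindingOperationInfo();
        String operation = boi == null ? "<unresolved>" : boi.getName().toString();
        Object uri = message.get(Message.REQUEST_URI);

        if (aim == null) {
            // The state described in the report: no policy assertions are
            // attached, so the security action cannot be derived from policy.
            LOG.warning("No AssertionInfoMap on inbound message: uri=" + uri
                + " operation=" + operation);
        } else {
            LOG.fine("AssertionInfoMap present (" + aim.size()
                + " assertion types): uri=" + uri + " operation=" + operation);
        }
    }
}
```

It can be registered the same way SampleSTS registers its interceptor, by adding the class name to the @InInterceptors list. Comparing the log output for ordinary requests and for ws-mex Get requests shows which ones reach the security interceptor without policy information.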