Posted to users@cxf.apache.org by Chad Sturtz <st...@gmail.com> on 2015/06/15 15:05:58 UTC

(WS-Security) Authentication Only with X509

Hello,

I'm working on WS-Security based authentication with an X509 certificate
for a JAXWS service. I'm looking for help/confirmation on what a valid
Policy would look like in the WSDL. Most X509 policy examples include
signing/encryption, which I do not need (based solely on my requirements).

Below is the policy I have come up with. If you see any errors or can offer any
thoughts on its correctness, I'd appreciate it.

    <wsp:Policy wsu:Id="MyBindingPolicy">
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SupportingTokens>
            <wsp:Policy>
              <!-- IncludeToken URI from the 200702 namespace, to match xmlns:sp below;
                   the .../2005/07/securitypolicy/... form belongs to WS-SecurityPolicy 1.1 -->
              <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy/>
              </sp:X509Token>
            </wsp:Policy>
          </sp:SupportingTokens>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>


I wouldn't be here if I could get authentication working on my service with
this policy. When I invoke the service, I end up with the stack trace you
can see at the bottom of this email. Through working with a few example
projects from github, I know that an issue with the Policy can result in
this exception.

Here are some additional details. If there's any more information you'd
like to see, please let me know. Thanks in advance!

CXF Version 2.7.16

Relevant Namespaces Used:
1. xmlns:wsp="http://www.w3.org/ns/ws-policy"
2. xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
3. xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
4. xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"

JAXWS Endpoint Properties:
The only property I'm setting is "ws-security.bst.validator". I believe the
defaults for other properties are acceptable to me.

WS-Security Header from a request I'm sending:
    <soap:Header>
        <wsse:Security
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            soap:mustUnderstand="1">
            <wsse:BinarySecurityToken
                EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                wsu:Id="SecurityToken-f6f96b4b-23c5-421e-92ff-f1050d531e82">MIIBoTCCAQqgA
[...] vONEqd9wa4XuA==
            </wsse:BinarySecurityToken>
        </wsse:Security>
    </soap:Header>


Stack Trace:

org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token
    at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179) ~[cxf-rt-ws-policy-2.7.16.jar:2.7.16]
    at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101) ~[cxf-rt-ws-policy-2.7.16.jar:2.7.16]
    at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44) ~[cxf-rt-ws-policy-2.7.16.jar:2.7.16]
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272) [cxf-api-2.7.16.jar:2.7.16]
    at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) [cxf-api-2.7.16.jar:2.7.16]
    at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
    at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
    at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
    at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209) [cxf-rt-transports-http-2.7.16.jar:2.7.16]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar!/:1.0.2.Final-redhat-1]
    at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265) [cxf-rt-transports-http-2.7.16.jar:2.7.16]

Re: (WS-Security) Authentication Only with X509

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

We don't support BinarySecurityToken SupportingToken policies on their own
in CXF (i.e. without a security binding). The reason is that they are
largely pointless - you mention wanting an X.509 cert for authentication,
but as there is no signature, there is no proof-of-possession associated
with the certificate. Hence no authentication at all - all the client is
proving is that they are in possession of the certificate, nothing more.

However, it should be easy enough for you to support this use-case if
you are willing to do a small bit of implementation. We have a core class
that should process the BinarySecurityToken here:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java;h=d086673fa8ad54441261c1f7698073851abb02c7;hb=HEAD

For Kerberos we extend it just to assert some policies:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/KerberosTokenInterceptor.java;h=de83d7b453472743d6dc2aa7931ff3f81b765339;hb=HEAD

You will likewise need to assert the X509Token policies. Then you need
to register your interceptor. This is how the Kerberos registration is done:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/KerberosTokenInterceptorProvider.java;h=7d93cb3330029d00246d6e4c6bc1ab1937065080;hb=HEAD

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
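The proof-of-possession point in the reply above, as an added example that is not code from this thread or from CXF. A check that only parses and validates the certificate carried in the BinarySecurityToken accepts anyone who has ever seen that certificate (it is public by design), while a check that verifies a signature over the Body with the certificate's key can only be passed by the holder of the private key. It uses java.security directly: a bare RSA public key stands in for the X.509 certificate, a String stands in for the SOAP Body, and Request, tokenOnlyCheck and signatureCheck are names of this example only.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;

/**
 * Why a bare BinarySecurityToken is not authentication.
 *
 * Constructed model for this example: the "certificate" in the BST is a base64
 * RSA public key, the "message" is a String Body, and the "signature binding"
 * is SHA256withRSA over that Body.
 */
public class BstProofOfPossession {

    /** One inbound request: the BST content, the Body, and an optional signature over the Body. */
    static final class Request {
        final String token;      // base64 SubjectPublicKeyInfo, standing in for the X.509 cert
        final String body;       // what the service will act on
        final String signature;  // base64 SHA256withRSA over body, or null when unsigned

        Request(String token, String body, String signature) {
            this.token = token;
            this.body = body;
            this.signature = signature;
        }
    }

    /** What a SupportingTokens-only policy amounts to: any well-formed token passes. */
    static boolean tokenOnlyCheck(Request r) throws Exception {
        decodePublicKey(r.token);   // parses and "validates" the token; nothing ties it to the sender
        return true;
    }

    /** What a signature binding gives you: only the holder of the private key passes. */
    static boolean signatureCheck(Request r) throws Exception {
        if (r.signature == null) {
            return false;           // an unsigned message is rejected outright
        }
        PublicKey pk = decodePublicKey(r.token);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(pk);
        verifier.update(r.body.getBytes(StandardCharsets.UTF_8));
        return verifier.verify(Base64.getDecoder().decode(r.signature));
    }

    static PublicKey decodePublicKey(String b64) throws Exception {
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /** Client side: sign the Body with the private key matching the presented certificate. */
    static String sign(KeyPair kp, String body) throws Exception {
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(kp.getPrivate());
        signer.update(body.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair client = gen.generateKeyPair();
        String clientCert = Base64.getEncoder().encodeToString(client.getPublic().getEncoded());

        String body = "<soap:Body><getBalance account=\"42\"/></soap:Body>";

        // The real client holds the private key and signs the Body.
        Request legit = new Request(clientCert, body, sign(client, body));
        // An attacker copied the certificate out of an earlier message and has no private key.
        Request copiedCert = new Request(clientCert, body, null);
        // An attacker splices a captured signature onto a different Body.
        Request spliced = new Request(clientCert,
                "<soap:Body><transfer to=\"attacker\" amount=\"1000\"/></soap:Body>",
                sign(client, body));

        System.out.printf("token-only: legit=%b copiedCert=%b spliced=%b%n",
                tokenOnlyCheck(legit), tokenOnlyCheck(copiedCert), tokenOnlyCheck(spliced));
        System.out.printf("signature : legit=%b copiedCert=%b spliced=%b%n",
                signatureCheck(legit), signatureCheck(copiedCert), signatureCheck(spliced));
    }
}
```

The token-only check accepts all three requests; the signature check accepts only the legitimate one. A signature over the Body still does not stop an attacker from replaying a whole captured message unchanged, which is why the security bindings also sign a Timestamp and why WSS4J rejects timestamps outside its configured time-to-live.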