Posted to users@cxf.apache.org by "Hrbacek, Stepan" <st...@atos.net> on 2014/02/11 14:19:40 UTC

Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Hi all,
I am trying to use the Apache CXF Fediz IdP (1.1.0) with an external WS-Trust STS [Atos (c) DirX Access implementation based on Oracle Metro]. When the Fediz IdP tries to send the http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue request to the STS, an error occurs and the following exception can be found in idp.log. The STS's WSDL is quoted below. Java clients using Oracle Metro work fine with this STS.
Can you please give me a hint where and how to configure the encryption certificate (I think the error message is misleading)?
Thank you!
Stepan

---------------
2014-02-11 11:24:40,053 [org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder@http-nio-9443-exec-6] DEBUG org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder  - A encryption username needs to be declared.
org.apache.cxf.ws.policy.PolicyException: A encryption username needs to be declared.
	at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:315)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.setEncryptionUser(AbstractBindingBuilder.java:1631)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getEncryptedKeyBuilder(AbstractBindingBuilder.java:1453)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.setupEncryptedKey(SymmetricBindingHandler.java:856)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:298)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:124)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:173)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:90)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
	at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
	at org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:116)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
	at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
	at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:66)
	...
---------------

The WS-Policy parts of the STS's WSDL are:
---------------
<?xml version='1.0' encoding='UTF-8'?>
<wsdl:definitions xmlns:dxa-fed="http://dxa.siemens.com/wsdl/federation/" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:soap11="http://schemas.xmlsoap.org/wsdl/soap11/" xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsp-xmlsoap="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" name="Federation" targetNamespace="http://dxa.siemens.com/wsdl/federation/">
 ...

 <!-- Bindings section -->
 <wsdl:binding name="SecurityTokenManagingSoap12Http" type="dxa-fed:SecurityTokenManaging">
    <wsp-xmlsoap:PolicyReference URI="#SecurityTokenService_policy" />
    <soap12:binding style="document" transport="http://schemas.xmlsoap.org/soap/http" />
    <wsdl:operation name="issueSecurityToken">
      <soap12:operation soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" />
      <wsdl:input>
	<soap12:body use="literal" />
	<wsp-xmlsoap:PolicyReference URI="#SecurityTokenManaging_Input_Policy" />
      </wsdl:input>
      <wsdl:output>
	<soap12:body use="literal" />
	<wsp-xmlsoap:PolicyReference URI="#SecurityTokenManaging_Output_Policy" />
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>

  ...

  <!-- WS-Policies section -->
  <wsp:Policy wsu:Id="SecurityTokenService_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SymmetricBinding>
          <wsp:Policy>
            <sp:ProtectionToken>
              <wsp:Policy>
                <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                  <wsp:Policy>
                    <!-- sp:RequireDerivedKeys /-->
                    <!-- sp:RequireThumbprintReference /-->
                    <sp:WssX509V3Token10 />
                  </wsp:Policy>
                </sp:X509Token>
              </wsp:Policy>
            </sp:ProtectionToken>
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic128 />
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Lax />
              </wsp:Policy>
            </sp:Layout>
            <sp:IncludeTimestamp />
            <sp:EncryptSignature />
            <sp:OnlySignEntireHeadersAndBody />
          </wsp:Policy>
        </sp:SymmetricBinding>
        <sp:Wss11>
          <wsp:Policy>
            <sp:MustSupportRefKeyIdentifier />
            <sp:MustSupportRefIssuerSerial />
            <sp:MustSupportRefThumbprint />
            <sp:MustSupportRefEncryptedKey />
            <sp:RequireSignatureConfirmation />
          </wsp:Policy>
        </sp:Wss11>
        <sp:Trust10>
          <wsp:Policy>
            <sp:MustSupportIssuedTokens />
            <sp:RequireClientEntropy />
            <sp:RequireServerEntropy />
          </wsp:Policy>
        </sp:Trust10>
        
        
        <wsap10:UsingAddressing />
        <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
              <wsp:Policy>
                <!--sp:RequireThumbprintReference/-->
                <sp:WssX509V3Token10 />
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </sp:EndorsingSupportingTokens>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

  <wsp:Policy wsu:Id="SecurityTokenManaging_Input_Policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts>
          <sp:Body />
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts>
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

  <wsp:Policy wsu:Id="SecurityTokenManaging_Output_Policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts>
          <sp:Body />
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts>
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

</wsdl:definitions>
---------------

Re: Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Posted by Colm O hEigeartaigh <co...@apache.org>.
Are you using a third-party STS? The problem is that the EncryptedData
SecurityTokenReferences do not contain TokenType attributes as required by
the Basic Security Profile specification. You can turn off the latter by
setting the property "ws-security.is-bsp-compliant" to "false", in a
similar way to how you specified the other properties.

Colm.


On Thu, Feb 13, 2014 at 12:23 PM, Hrbacek, Stepan
<st...@atos.net> wrote:

> The encrypted message is:
> ----------------------
> <?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="
> http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsse11="
> http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="
> http://www.w3.org/2001/04/xmlenc#" xmlns:exc14n="
> http://www.w3.org/2001/10/xml-exc-c14n#"><S:Header><wsse:Security
> S:mustUnderstand="true"><wsu:Timestamp xmlns:ns18="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns17="http://schemas.xmlsoap.org/soap/envelope/"
> wsu:Id="_3"><wsu:Created>2014-02-13T11:47:33Z</wsu:Created><wsu:Expires>2014-02-13T11:52:33Z</wsu:Expires></wsu:Timestamp><xenc:ReferenceList
> xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns17="http://schemas.xmlsoap.org/soap/envelope/"><xenc:DataReference
> URI="#_5004" /><xenc:DataReference URI="#_5005" /><xenc:DataReference
> URI="#_5006" /></xenc:ReferenceList><xenc:EncryptedData xmlns:ns18="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns17="http://schemas.xmlsoap.org/soap/envelope/" Type="
> http://www.w3.org/2001/04/xmlenc#Element"
> Id="_5006"><xenc:EncryptionMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#aes128-cbc" /><ds:KeyInfo xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="keyInfo"><wsse:SecurityTokenReference><wsse:KeyIdentifier
> ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
> EncodingType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">a5lU/W3F/TDdnXT41CiDtKH9OMM=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>/Wt8uVRddMIJRDkrY6vSnlXHkdVpKXvsNh/OWGcjFt66pigBj0crWYB+/B7l9Gi9Cmh0nKupWFKYCUQSYw0Ce3dp5FltT/F+lXH3QS2Y9lGj2RszmPBOuVMRuY4+aTCviNBBYWEpYvZZEhm8Kr737PkI9LVqgZw8miT+pIsmplbYDd1HqNIUSmaUnQ9AUB1x8n84MvrIExR8RjX9m+7DI6tw2anoZTTlwU/oBsPuCgmEKlvjAt4pxIDDOAJ1o/2rqqsQsRQ8DFYCE3BugMVtg4uPIqIh8RkBlA3YGbO3u/Kfxp5tJY21eCRoSDn0TmPItWrWxK/Zq+BpScFGUii+ri+Qpj/5/kMrcOnFc6hEOe0KEyZlWZ0JxSgXGQT06hjirbr1DOX/FzKU3ncA/Xw8DONaYkTkEZcDf4Qo7HYhQpo=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><xenc:EncryptedData
> xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns17="http://schemas.xmlsoap.org/soap/envelope/" Type="
> http://www.w3.org/2001/04/xmlenc#Element"
> Id="_5005"><xenc:EncryptionMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#aes128-cbc" /><ds:KeyInfo xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="keyInfo"><wsse:SecurityTokenReference><wsse:KeyIdentifier
> ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
> EncodingType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">a5lU/W3F/TDdnXT41CiDtKH9OMM=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></wsse:Security></S:Header><S:Body
> wsu:Id="_5003"><xenc:EncryptedData xmlns:ns18="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns17="http://schemas.xmlsoap.org/soap/envelope/" Type="
> http://www.w3.org/2001/04/xmlenc#Content"
> Id="_5004"><xenc:EncryptionMethod Algorithm="
> http://www.w3.org/2001/04/xmlenc#aes128-cbc" /><ds:KeyInfo xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="keyInfo"><wsse:SecurityTokenReference><wsse:KeyIdentifier
> ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1"
> EncodingType="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
> ">a5lU/W3F/TDdnXT41CiDtKH9OMM=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></S:Body></S:Envelope>
> ----------------------
>
> The unencrypted (after disabling the symmetric binding) looks like:
> ----------------------
> <?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="
> http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsse11="
> http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><S:Header><wsse:Security
> S:mustUnderstand="true"><wsse11:SignatureConfirmation xmlns:ns15="
> http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512"
> xmlns:ns14="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_5002"
> /></wsse:Security></S:Header><S:Body><wst:RequestSecurityTokenResponse
> xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="
> http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wssc="
> http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsse="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wst:RequestedSecurityToken><saml2:Assertion
> xmlns="" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> ID="uuid-28dc31a1-c066-491c-87f2-b49fb76ba3b2"
> IssueInstant="2014-02-13T12:17:53.870Z"
> Version="2.0"><saml2:Issuer>urn:com:siemens:dxa:sample:sts:issuer-uri:mycompany</saml2:Issuer><ds:Signature
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><ds:Reference
> URI="#uuid-28dc31a1-c066-491c-87f2-b49fb76ba3b2"><ds:Transforms><ds:Transform
> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"
> /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"
> /></ds:Transforms><ds:DigestMethod Algorithm="
> http://www.w3.org/2000/09/xmldsig#sha1"
> /><ds:DigestValue>rGFnS5T+UohK63GuVwZG6ADeUto=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>
>
> L5PZKpy4fKhhRMLxiKgaXJzXm57FxdVpV0m4h7dyUjb2SZCpnEHrM+Bm6+TK2w7bVi4m27u8fWgD
>
> Ek0Fa5+uJELAMFbRXf01MRCFkn5fp8xlEg7eNLE1YJTnNqXWxKufx56VxlnQWwcEt7M4qsb62DQs
> UsAtDigF6kB9SaODoms=
> </ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
> NameQualifier="urn:com:siemens:dxa:sample:sts:issuer-uri:mycompany">Art_Tahir@Airiuscom.com</saml2:NameID><saml2:SubjectConfirmation
> Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:SubjectConfirmationData><ds:KeyInfo
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
> /></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
> NotBefore="2014-02-13T12:17:53.870Z"
> NotOnOrAfter="2014-02-13T12:22:53.870Z" /><saml2:AuthnStatement
> AuthnInstant="2014-02-13T12:18:23.791Z"
> SessionIndex="uuid-28dc31a1-c066-491c-87f2-b49fb76ba3b2"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute
> FriendlyName="Role assignments" Name="roles" NameFormat="
> http://www.siemens.com/dxa/80B/identity/claims"><saml2:AttributeValue
> xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">/config/My-Company/Intranet Manager
> Payroll</saml2:AttributeValue><saml2:AttributeValue xmlns:xs="
> http://www.w3.org/2001/XMLSchema" xmlns:xsi="
> http://www.w3.org/2001/XMLSchema-instance"
> xsi:type="xs:string">/config/My-Company/User</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></wst:RequestedSecurityToken><wst:RequestedAttachedReference><wsse:SecurityTokenReference><wsse:KeyIdentifier
> ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">uuid-28dc31a1-c066-491c-87f2-b49fb76ba3b2</wsse:KeyIdentifier></wsse:SecurityTokenReference></wst:RequestedAttachedReference><wst:RequestedUnattachedReference><wsse:SecurityTokenReference><wsse:KeyIdentifier
> ValueType="
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
> ">uuid-28dc31a1-c066-491c-87f2-b49fb76ba3b2</wsse:KeyIdentifier></wsse:SecurityTokenReference></wst:RequestedUnattachedReference><wst:Lifetime><wsu:Created>2014-02-13T12:18:24.024Z</wsu:Created><wsu:Expires>2014-03-27T04:18:24.024Z</wsu:Expires></wst:Lifetime><wst:KeySize>256</wst:KeySize></wst:RequestSecurityTokenResponse></S:Body></S:Envelope>
> ------------------
>
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Thursday, February 13, 2014 12:56 PM
> > To: users@cxf.apache.org
> > Subject: Re: Error "A encryption username needs to be declared" when using
> > Fediz IdP with external WS-Trust STS
> >
> > What does the RSTR look like?
> >
> > Colm.
> >
> >
> > On Thu, Feb 13, 2014 at 11:52 AM, Hrbacek, Stepan
> > <st...@atos.net> wrote:
> >
> > > Hi Colm.
> > > The exception in Fediz IdP log (see attached) is:
> > > ----------------------------
> > > 2014-02-13 12:47:34,302 [org.apache.cxf.phase.PhaseInterceptorChain@http-nio-9443-exec-6] WARN org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Federation#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
> > > org.apache.cxf.binding.soap.SoapFault: An invalid security token was provided (Bad TokenType "")
> > >         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:790)
> > >         at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:336)
> > >         at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
> > > ------------------------------
> > > Kind regards,
> > > Stepan.
> > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Thursday, February 13, 2014 10:50 AM
> > > > To: users@cxf.apache.org
> > > > Subject: Re: Error "A encryption username needs to be declared" when using
> > > > Fediz IdP with external WS-Trust STS
> > > >
> > > > I think it makes sense to allow the user to pass through some Properties
> > > > to the STSAuthenticationProvider, I will merge a fix for this. What is the
> > > > error on processing the RSTR?
> > > >
> > > > Colm.
> > > >
> > > >
> > > > On Thu, Feb 13, 2014 at 9:46 AM, Hrbacek, Stepan
> > > > <st...@atos.net> wrote:
> > > >
> > > > > Hi.
> > > > > I needed to change the
> > > > > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider class
> > > > > and hardcode the crypto properties and encryption username
> > > > > (certificate
> > > > > alias) there. No other configuration option seems possible with
> > > > > the current Fediz code.
> > > > > -------------
> > > > > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider
> > > > > --------------------
> > > > >     @Override
> > > > >     public Authentication authenticate(Authentication
> > > > > authentication) throws AuthenticationException {
> > > > >         ...
> > > > >
> > > > >         sts.getProperties().put(SecurityConstants.USERNAME,
> > > > > authentication.getName());
> > > > >         sts.getProperties().put(SecurityConstants.PASSWORD,
> > > > > (String)authentication.getCredentials());
> > > > >
> > > > >         // STS certificate needed for symmetric binding
> > > > >
> > > > > sts.getProperties().put(SecurityConstants.ENCRYPT_USERNAME,
> > > > > "ws-sec-comm.dirxaccess");  // 1
> > > > >
> > > > > sts.getProperties().put(SecurityConstants.ENCRYPT_PROPERTIES,
> > > > > "stsKeystoreA.properties");  // 2
> > > > >
> > > > >          ...
> > > > >       }
> > > > > ---------------------------------
> > > > >
> > > > > But then I have found that RSTR response cannot be processed in
> > > > > Fediz IDP (and subsequently in WS-Federation passive profile SP)
> > > > > :-( I have thus removed the symmetric binding from the WS-Policy
> > > > > used by STS and then all the walkthrough run well - my issue is solved.
> > > > > I don't know if it makes sense to make Fediz configurable in this
> > > > > area, I don't know WS-Federation use cases that well...
> > > > >
> > > > > Regards,
> > > > > Stepan.
> > > > >
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > > Sent: Tuesday, February 11, 2014 4:48 PM
> > > > > > To: users@cxf.apache.org
> > > > > > Subject: Re: Error "A encryption username needs to be declared" when using
> > > > > > Fediz IdP with external WS-Trust STS
> > > > > >
> > > > > > Could you create a JIRA + I will look into it? You also need to
> > > > > > specify a Crypto properties file as well as a username.
> > > > > >
> > > > > > Colm.
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Colm O hEigeartaigh
> > > >
> > > > Talend Community Coder
> > > > http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
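
A way to confirm Colm's diagnosis against a captured message before deciding between fixing the STS output and relaxing BSP enforcement. This is an added example, not code from Apache CXF, Fediz or this thread: it walks every EncryptedData whose KeyIdentifier uses the EncryptedKeySHA1 ValueType and reports SecurityTokenReferences that carry no wsse11:TokenType attribute. The two sample envelopes are constructed, modelled on the element layout of the encrypted message quoted in the thread; the function and constant names are mine.

```python
"""Check a WS-Security message for the condition behind WSS4J's
"Bad TokenType" fault: an EncryptedKeySHA1 KeyIdentifier whose enclosing
SecurityTokenReference carries no wsse11:TokenType attribute.
Added example, not code from Apache CXF or Fediz; sample envelopes are
constructed, modelled on the structure of the message quoted in the thread."""
import xml.etree.ElementTree as ET

SOAP = "http://www.w3.org/2003/05/soap-envelope"
WSSE = ("http://docs.oasis-open.org/wss/2004/01/"
        "oasis-200401-wss-wssecurity-secext-1.0.xsd")
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
# ValueType used by the STS in the thread to reference the EncryptedKey by its hash.
ENCKEY_SHA1 = ("http://docs.oasis-open.org/wss/"
               "oasis-wss-soap-message-security-1.1#EncryptedKeySHA1")
# TokenType that WS-Security 1.1 defines for references to an EncryptedKey.
ENCKEY_TOKENTYPE = ("http://docs.oasis-open.org/wss/"
                    "oasis-wss-soap-message-security-1.1#EncryptedKey")


def check_encrypted_key_references(envelope_xml):
    """Return a list of (EncryptedData Id, problem) for every EncryptedData
    whose EncryptedKeySHA1 reference would trip BSP enforcement.
    An empty list means the message is fine in this respect."""
    root = ET.fromstring(envelope_xml)
    findings = []
    for enc in root.iter(f"{{{XENC}}}EncryptedData"):
        enc_id = enc.get("Id", "<no Id>")
        for str_el in enc.iter(f"{{{WSSE}}}SecurityTokenReference"):
            kid = str_el.find(f"{{{WSSE}}}KeyIdentifier")
            if kid is None or kid.get("ValueType") != ENCKEY_SHA1:
                continue  # not an EncryptedKeySHA1 reference, not our concern here
            token_type = str_el.get(f"{{{WSSE11}}}TokenType")
            if token_type is None:
                findings.append((enc_id, "SecurityTokenReference has no wsse11:TokenType"))
            elif token_type != ENCKEY_TOKENTYPE:
                findings.append((enc_id, f"unexpected wsse11:TokenType {token_type}"))
    return findings


def _sample_envelope(str_attrs):
    """Constructed sample with the same element layout as the thread's message:
    one EncryptedData in the Security header and one in the Body, both keyed
    by an EncryptedKeySHA1 KeyIdentifier. Ids, hash and ciphertext are dummies."""
    keyinfo = (
        f"<ds:KeyInfo><wsse:SecurityTokenReference{str_attrs}>"
        f'<wsse:KeyIdentifier ValueType="{ENCKEY_SHA1}">DUMMYSHA1=</wsse:KeyIdentifier>'
        "</wsse:SecurityTokenReference></ds:KeyInfo>"
    )

    def enc_data(enc_id, enc_type):
        return (
            f'<xenc:EncryptedData Type="{XENC}{enc_type}" Id="{enc_id}">'
            f'<xenc:EncryptionMethod Algorithm="{XENC}aes128-cbc"/>{keyinfo}'
            "<xenc:CipherData><xenc:CipherValue>DUMMYCIPHERTEXT=</xenc:CipherValue>"
            "</xenc:CipherData></xenc:EncryptedData>"
        )

    return (
        f'<S:Envelope xmlns:S="{SOAP}" xmlns:wsse="{WSSE}" xmlns:wsse11="{WSSE11}" '
        f'xmlns:ds="{DS}" xmlns:xenc="{XENC}">'
        '<S:Header><wsse:Security S:mustUnderstand="true">'
        f'{enc_data("_5006", "Element")}</wsse:Security></S:Header>'
        f'<S:Body>{enc_data("_5004", "Content")}</S:Body></S:Envelope>'
    )


# As emitted by the STS in the thread: no TokenType on the references.
NONCOMPLIANT_MESSAGE = _sample_envelope("")
# What a BSP-compliant STS would emit instead.
COMPLIANT_MESSAGE = _sample_envelope(f' wsse11:TokenType="{ENCKEY_TOKENTYPE}"')


if __name__ == "__main__":
    for label, msg in (("STS output", NONCOMPLIANT_MESSAGE), ("fixed", COMPLIANT_MESSAGE)):
        problems = check_encrypted_key_references(msg)
        if problems:
            print(f"{label}: WSS4J will fault unless ws-security.is-bsp-compliant=false")
            for enc_id, problem in problems:
                print(f"  EncryptedData {enc_id}: {problem}")
        else:
            print(f"{label}: EncryptedKeySHA1 references carry the expected TokenType")
```

Either have the STS add the attribute or, as suggested above, set ws-security.is-bsp-compliant to false on the Fediz STSClient; note that the property relaxes every BSP check on that client, not only this one.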

RE: Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Posted by "Hrbacek, Stepan" <st...@atos.net>.
The encrypted message is:
----------------------
<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:exc14n="http://www.w3.org/2001/10/xml-exc-c14n#"><S:Header><wsse:Security S:mustUnderstand="true"><wsu:Timestamp xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns17="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_3"><wsu:Created>2014-02-13T11:47:33Z</wsu:Created><wsu:Expires>2014-02-13T11:52:33Z</wsu:Expires></wsu:Timestamp><xenc:ReferenceList xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns17="http://schemas.xmlsoap.org/soap/envelope/"><xenc:DataReference URI="#_5004" /><xenc:DataReference URI="#_5005" /><xenc:DataReference URI="#_5006" /></xenc:ReferenceList><xenc:EncryptedData xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns17="http://schemas.xmlsoap.org/soap/envelope/" Type="http://www.w3.org/2001/04/xmlenc#Element" Id="_5006"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" /><ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="keyInfo"><wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" 
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">a5lU/W3F/TDdnXT41CiDtKH9OMM=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>/Wt8uVRddMIJRDkrY6vSnlXHkdVpKXvsNh/OWGcjFt66pigBj0crWYB+/B7l9Gi9Cmh0nKupWFKYCUQSYw0Ce3dp5FltT/F+lXH3QS2Y9lGj2RszmPBOuVMRuY4+aTCviNBBYWEpYvZZEhm8Kr737PkI9LVqgZw8miT+pIsmplbYDd1HqNIUSmaUnQ9AUB1x8n84MvrIExR8RjX9m+7DI6tw2anoZTTlwU/oBsPuCgmEKlvjAt4pxIDDOAJ1o/2rqqsQsRQ8DFYCE3BugMVtg4uPIqIh8RkBlA3YGbO3u/Kfxp5tJY21eCRoSDn0TmPItWrWxK/Zq+BpScFGUii+ri+Qpj/5/kMrcOnFc6hEOe0KEyZlWZ0JxSgXGQT06hjirbr1DOX/FzKU3ncA/Xw8DONaYkTkEZcDf4Qo7HYhQpo=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData><xenc:EncryptedData xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns17="http://schemas.xmlsoap.org/soap/envelope/" Type="http://www.w3.org/2001/04/xmlenc#Element" Id="_5005"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" /><ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="keyInfo"><wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">a5lU/W3F/TDdnXT41CiDtKH9OMM=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></wsse:Security></S:Header><S:Body wsu:Id="_5003"><xenc:EncryptedData xmlns:ns18="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns17="http://schemas.xmlsoap.org/soap/envelope/" Type="http://www.w3.org/2001/04/xmlenc#Content" Id="_5004"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes128-cbc" /><ds:KeyInfo xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
xsi:type="keyInfo"><wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">a5lU/W3F/TDdnXT41CiDtKH9OMM=</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo><xenc:CipherData><xenc:CipherValue>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</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></S:Body></S:Envelope>
----------------------

The unencrypted (after disabling the symmetric binding) looks like:
----------------------
<?xml version='1.0' encoding='UTF-8'?><S:Envelope xmlns:S="http://www.w3.org/2003/05/soap-envelope" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsse11="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"><S:Header><wsse:Security S:mustUnderstand="true"><wsse11:SignatureConfirmation xmlns:ns15="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512" xmlns:ns14="http://schemas.xmlsoap.org/soap/envelope/" wsu:Id="_5002" /></wsse:Security></S:Header><S:Body><wst:RequestSecurityTokenResponse xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wssc="http://schemas.xmlsoap.org/ws/2005/02/sc" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><wst:RequestedSecurityToken><saml2:Assertion xmlns="" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="uuid-28dc31a1-c066-491c-87f2-b49fb76ba3b2" IssueInstant="2014-02-13T12:17:53.870Z" Version="2.0"><saml2:Issuer>urn:com:siemens:dxa:sample:sts:issuer-uri:mycompany</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /><ds:Reference URI="#uuid-28dc31a1-c066-491c-87f2-b49fb76ba3b2"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" 
/><ds:DigestValue>rGFnS5T+UohK63GuVwZG6ADeUto=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>
L5PZKpy4fKhhRMLxiKgaXJzXm57FxdVpV0m4h7dyUjb2SZCpnEHrM+Bm6+TK2w7bVi4m27u8fWgD
Ek0Fa5+uJELAMFbRXf01MRCFkn5fp8xlEg7eNLE1YJTnNqXWxKufx56VxlnQWwcEt7M4qsb62DQs
UsAtDigF6kB9SaODoms=
</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="urn:com:siemens:dxa:sample:sts:issuer-uri:mycompany">Art_Tahir@Airiuscom.com</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"><saml2:SubjectConfirmationData><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#" /></saml2:SubjectConfirmationData></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2014-02-13T12:17:53.870Z" NotOnOrAfter="2014-02-13T12:22:53.870Z" /><saml2:AuthnStatement AuthnInstant="2014-02-13T12:18:23.791Z" SessionIndex="uuid-28dc31a1-c066-491c-87f2-b49fb76ba3b2"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute FriendlyName="Role assignments" Name="roles" NameFormat="http://www.siemens.com/dxa/80B/identity/claims"><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">/config/My-Company/Intranet Manager Payroll</saml2:AttributeValue><saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">/config/My-Company/User</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></wst:RequestedSecurityToken><wst:RequestedAttachedReference><wsse:SecurityTokenReference><wsse:KeyIdentifier 
ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">uuid-28dc31a1-c066-491c-87f2-b49fb76ba3b2</wsse:KeyIdentifier></wsse:SecurityTokenReference></wst:RequestedAttachedReference><wst:RequestedUnattachedReference><wsse:SecurityTokenReference><wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID">uuid-28dc31a1-c066-491c-87f2-b49fb76ba3b2</wsse:KeyIdentifier></wsse:SecurityTokenReference></wst:RequestedUnattachedReference><wst:Lifetime><wsu:Created>2014-02-13T12:18:24.024Z</wsu:Created><wsu:Expires>2014-03-27T04:18:24.024Z</wsu:Expires></wst:Lifetime><wst:KeySize>256</wst:KeySize></wst:RequestSecurityTokenResponse></S:Body></S:Envelope>
------------------

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Thursday, February 13, 2014 12:56 PM
> To: users@cxf.apache.org
> Subject: Re: Error "A encryption username needs to be declared" when using
> Fediz IdP with external WS-Trust STS
> 
> What does the RSTR look like?
> 
> Colm.
> 
> 
> On Thu, Feb 13, 2014 at 11:52 AM, Hrbacek, Stepan
> <st...@atos.net>wrote:
> 
> > Hi Colm.
> > The exception in Fediz IdP log (see attached) is:
> > ----------------------------
> > 2014-02-13 12:47:34,302
> > [org.apache.cxf.phase.PhaseInterceptorChain@http-nio-9443-exec-6] WARN
> > org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
> > http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Federation#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception,
> > unwinding now
> > org.apache.cxf.binding.soap.SoapFault: An invalid security token was
> > provided (Bad TokenType "")
> >         at
> >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInI
> nterceptor.java:790)
> >         at
> >
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInI
> nterceptor.java:336)
> >         at
> > org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleM
> > essage(PolicyBasedWSS4JInInterceptor.java:120)
> > ------------------------------
> > Kind regards,
> > Stepan.
> >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Thursday, February 13, 2014 10:50 AM
> > > To: users@cxf.apache.org
> > > Subject: Re: Error "A encryption username needs to be declared" when
> > using
> > > Fediz IdP with external WS-Trust STS
> > >
> > > I think it makes sense to allow the user to pass through some
> > > Properties
> > to the
> > > STSAuthenticationProvider, I will merge a fix for this. What is the
> > error on
> > > processing the RSTR?
> > >
> > > Colm.
> > >
> > >
> > > On Thu, Feb 13, 2014 at 9:46 AM, Hrbacek, Stepan
> > > <st...@atos.net>wrote:
> > >
> > > > Hi.
> > > > I needed to change the
> > > > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider class
> > > > and hardcode the crypto properties and encryption username
> > > > (certificate
> > > > alias) there. No other configuration option seems possible with
> > > > the current Fediz code.
> > > > -------------
> > > > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider
> > > > --------------------
> > > >     @Override
> > > >     public Authentication authenticate(Authentication
> > > > authentication) throws AuthenticationException {
> > > >         ...
> > > >
> > > >         sts.getProperties().put(SecurityConstants.USERNAME,
> > > > authentication.getName());
> > > >         sts.getProperties().put(SecurityConstants.PASSWORD,
> > > > (String)authentication.getCredentials());
> > > >
> > > >         // STS certificate needed for symmetric binding
> > > >
> > > > sts.getProperties().put(SecurityConstants.ENCRYPT_USERNAME,
> > > > "ws-sec-comm.dirxaccess");  // 1
> > > >
> > > > sts.getProperties().put(SecurityConstants.ENCRYPT_PROPERTIES,
> > > > "stsKeystoreA.properties");  // 2
> > > >
> > > >          ...
> > > >       }
> > > > ---------------------------------
> > > >
> > > > But then I have found that RSTR response cannot be processed in
> > > > Fediz IDP (and subsequently in WS-Federation passive profile SP)
> > > > :-( I have thus removed the symmetric binding from the WS-Policy
> > > > used by STS and then the whole walkthrough ran well - my issue is solved.
> > > > I don't know if it makes sense to make Fediz configurable in this
> > > > area, I don't know WS-Federation use cases that well...
> > > >
> > > > Regards,
> > > > Stepan.
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > > Sent: Tuesday, February 11, 2014 4:48 PM
> > > > > To: users@cxf.apache.org
> > > > > Subject: Re: Error "A encryption username needs to be declared"
> > > > > when
> > > > using
> > > > > Fediz IdP with external WS-Trust STS
> > > > >
> > > > > Could you create a JIRA + I will look into it? You also need to
> > > > > specify
> > > > a Crypto
> > > > > properties file as well as a username.
> > > > >
> > > > > Colm.
> > > >
> > >
> > >
> > >
> > > --
> > > Colm O hEigeartaigh
> > >
> > > Talend Community Coder
> > > http://coders.talend.com
> >
> 
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com

Re: Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Posted by Colm O hEigeartaigh <co...@apache.org>.
What does the RSTR look like?

Colm.


On Thu, Feb 13, 2014 at 11:52 AM, Hrbacek, Stepan
<st...@atos.net>wrote:

> Hi Colm.
> The exception in Fediz IdP log (see attached) is:
> ----------------------------
> 2014-02-13 12:47:34,302
> [org.apache.cxf.phase.PhaseInterceptorChain@http-nio-9443-exec-6] WARN
>  org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Federation#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: An invalid security token was
> provided (Bad TokenType "")
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:790)
>         at
> org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:336)
>         at
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
> ------------------------------
> Kind regards,
> Stepan.
>
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Thursday, February 13, 2014 10:50 AM
> > To: users@cxf.apache.org
> > Subject: Re: Error "A encryption username needs to be declared" when
> using
> > Fediz IdP with external WS-Trust STS
> >
> > I think it makes sense to allow the user to pass through some Properties
> to the
> > STSAuthenticationProvider, I will merge a fix for this. What is the
> error on
> > processing the RSTR?
> >
> > Colm.
> >
> >
> > On Thu, Feb 13, 2014 at 9:46 AM, Hrbacek, Stepan
> > <st...@atos.net>wrote:
> >
> > > Hi.
> > > I needed to change the
> > > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider class and
> > > hardcode the crypto properties and encryption username (certificate
> > > alias) there. No other configuration option seems possible with the
> > > current Fediz code.
> > > -------------
> > > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider
> > > --------------------
> > >     @Override
> > >     public Authentication authenticate(Authentication authentication)
> > > throws AuthenticationException {
> > >         ...
> > >
> > >         sts.getProperties().put(SecurityConstants.USERNAME,
> > > authentication.getName());
> > >         sts.getProperties().put(SecurityConstants.PASSWORD,
> > > (String)authentication.getCredentials());
> > >
> > >         // STS certificate needed for symmetric binding
> > >         sts.getProperties().put(SecurityConstants.ENCRYPT_USERNAME,
> > > "ws-sec-comm.dirxaccess");  // 1
> > >         sts.getProperties().put(SecurityConstants.ENCRYPT_PROPERTIES,
> > > "stsKeystoreA.properties");  // 2
> > >
> > >          ...
> > >       }
> > > ---------------------------------
> > >
> > > But then I have found that RSTR response cannot be processed in Fediz
> > > IDP (and subsequently in WS-Federation passive profile SP) :-( I have
> > > thus removed the symmetric binding from the WS-Policy used by STS and
> > > then the whole walkthrough ran well - my issue is solved.
> > > I don't know if it makes sense to make Fediz configurable in this
> > > area, I don't know WS-Federation use cases that well...
> > >
> > > Regards,
> > > Stepan.
> > >
> > >
> > > > -----Original Message-----
> > > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > > Sent: Tuesday, February 11, 2014 4:48 PM
> > > > To: users@cxf.apache.org
> > > > Subject: Re: Error "A encryption username needs to be declared" when
> > > using
> > > > Fediz IdP with external WS-Trust STS
> > > >
> > > > Could you create a JIRA + I will look into it? You also need to
> > > > specify
> > > a Crypto
> > > > properties file as well as a username.
> > > >
> > > > Colm.
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Posted by "Hrbacek, Stepan" <st...@atos.net>.
Hi Colm.
The exception in Fediz IdP log (see attached) is:
----------------------------
2014-02-13 12:47:34,302 [org.apache.cxf.phase.PhaseInterceptorChain@http-nio-9443-exec-6] WARN  org.apache.cxf.phase.PhaseInterceptorChain  - Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Federation#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue has thrown exception, unwinding now
org.apache.cxf.binding.soap.SoapFault: An invalid security token was provided (Bad TokenType "")
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.createSoapFault(WSS4JInInterceptor.java:790)
	at org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor.handleMessage(WSS4JInInterceptor.java:336)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JInInterceptor.handleMessage(PolicyBasedWSS4JInInterceptor.java:120)
------------------------------
Kind regards,
Stepan.

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Thursday, February 13, 2014 10:50 AM
> To: users@cxf.apache.org
> Subject: Re: Error "A encryption username needs to be declared" when using
> Fediz IdP with external WS-Trust STS
> 
> I think it makes sense to allow the user to pass through some Properties to the
> STSAuthenticationProvider, I will merge a fix for this. What is the error on
> processing the RSTR?
> 
> Colm.
> 
> 
> On Thu, Feb 13, 2014 at 9:46 AM, Hrbacek, Stepan
> <st...@atos.net>wrote:
> 
> > Hi.
> > I needed to change the
> > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider class and
> > hardcode the crypto properties and encryption username (certificate
> > alias) there. No other configuration option seems possible with the
> > current Fediz code.
> > -------------
> > org.apache.cxf.fediz.service.idp.STSAuthenticationProvider
> > --------------------
> >     @Override
> >     public Authentication authenticate(Authentication authentication)
> > throws AuthenticationException {
> >         ...
> >
> >         sts.getProperties().put(SecurityConstants.USERNAME,
> > authentication.getName());
> >         sts.getProperties().put(SecurityConstants.PASSWORD,
> > (String)authentication.getCredentials());
> >
> >         // STS certificate needed for symmetric binding
> >         sts.getProperties().put(SecurityConstants.ENCRYPT_USERNAME,
> > "ws-sec-comm.dirxaccess");  // 1
> >         sts.getProperties().put(SecurityConstants.ENCRYPT_PROPERTIES,
> > "stsKeystoreA.properties");  // 2
> >
> >          ...
> >       }
> > ---------------------------------
> >
> > But then I have found that RSTR response cannot be processed in Fediz
> > IDP (and subsequently in WS-Federation passive profile SP) :-( I have
> > thus removed the symmetric binding from the WS-Policy used by STS and
> > then the whole walkthrough ran well - my issue is solved.
> > I don't know if it makes sense to make Fediz configurable in this
> > area, I don't know WS-Federation use cases that well...
> >
> > Regards,
> > Stepan.
> >
> >
> > > -----Original Message-----
> > > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > > Sent: Tuesday, February 11, 2014 4:48 PM
> > > To: users@cxf.apache.org
> > > Subject: Re: Error "A encryption username needs to be declared" when
> > using
> > > Fediz IdP with external WS-Trust STS
> > >
> > > Could you create a JIRA + I will look into it? You also need to
> > > specify
> > a Crypto
> > > properties file as well as a username.
> > >
> > > Colm.
> >
> 
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com

Re: Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Posted by Colm O hEigeartaigh <co...@apache.org>.
I think it makes sense to allow the user to pass through some Properties to
the STSAuthenticationProvider, I will merge a fix for this. What is the
error on processing the RSTR?

Colm.


On Thu, Feb 13, 2014 at 9:46 AM, Hrbacek, Stepan <st...@atos.net>wrote:

> Hi.
> I needed to change the
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider class and
> hardcode the crypto properties and encryption username (certificate alias)
> there. No other configuration option seems possible with the current Fediz
> code.
> ------------- org.apache.cxf.fediz.service.idp.STSAuthenticationProvider
> --------------------
>     @Override
>     public Authentication authenticate(Authentication authentication)
> throws AuthenticationException {
>         ...
>
>         sts.getProperties().put(SecurityConstants.USERNAME,
> authentication.getName());
>         sts.getProperties().put(SecurityConstants.PASSWORD,
> (String)authentication.getCredentials());
>
>         // STS certificate needed for symmetric binding
>         sts.getProperties().put(SecurityConstants.ENCRYPT_USERNAME,
> "ws-sec-comm.dirxaccess");  // 1
>         sts.getProperties().put(SecurityConstants.ENCRYPT_PROPERTIES,
> "stsKeystoreA.properties");  // 2
>
>          ...
>       }
> ---------------------------------
>
> But then I have found that RSTR response cannot be processed in Fediz IDP
> (and subsequently in WS-Federation passive profile SP) :-( I have thus
> removed the symmetric binding from the WS-Policy used by STS and then the
> whole walkthrough ran well - my issue is solved.
> I don't know if it makes sense to make Fediz configurable in this area, I
> don't know WS-Federation use cases that well...
>
> Regards,
> Stepan.
>
>
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Tuesday, February 11, 2014 4:48 PM
> > To: users@cxf.apache.org
> > Subject: Re: Error "A encryption username needs to be declared" when
> using
> > Fediz IdP with external WS-Trust STS
> >
> > Could you create a JIRA + I will look into it? You also need to specify
> a Crypto
> > properties file as well as a username.
> >
> > Colm.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Posted by "Hrbacek, Stepan" <st...@atos.net>.
Hi.
I needed to change the org.apache.cxf.fediz.service.idp.STSAuthenticationProvider class and hardcode the crypto properties and encryption username (certificate alias) there. No other configuration option seems possible with the current Fediz code.
------------- org.apache.cxf.fediz.service.idp.STSAuthenticationProvider --------------------
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        ...

        sts.getProperties().put(SecurityConstants.USERNAME, authentication.getName());
        sts.getProperties().put(SecurityConstants.PASSWORD, (String)authentication.getCredentials());

        // STS certificate needed for symmetric binding
        sts.getProperties().put(SecurityConstants.ENCRYPT_USERNAME, "ws-sec-comm.dirxaccess");  // 1
        sts.getProperties().put(SecurityConstants.ENCRYPT_PROPERTIES, "stsKeystoreA.properties");  // 2

        ...
    }
---------------------------------

But then I have found that the RSTR response cannot be processed in Fediz IDP (and subsequently in WS-Federation passive profile SP) :-( I have thus removed the symmetric binding from the WS-Policy used by STS and then the whole walkthrough ran well - my issue is solved.
I don't know if it makes sense to make Fediz configurable in this area, I don't know WS-Federation use cases that well...

Regards,
Stepan.


> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Tuesday, February 11, 2014 4:48 PM
> To: users@cxf.apache.org
> Subject: Re: Error "A encryption username needs to be declared" when using
> Fediz IdP with external WS-Trust STS
> 
> Could you create a JIRA + I will look into it? You also need to specify a Crypto
> properties file as well as a username.
> 
> Colm.

Re: Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Posted by Colm O hEigeartaigh <co...@apache.org>.
Could you create a JIRA + I will look into it? You also need to specify a
Crypto properties file as well as a username.

Colm.


On Tue, Feb 11, 2014 at 3:40 PM, Hrbacek, Stepan <st...@atos.net>wrote:

> Thank you Colm!
> I would like to use the first approach - specify the encryption username
> via "properties" in the STS client configuration.
> I am unfortunately not able to find the right place in the Fediz IDP Web
> application, currently I am lost among all the beans :-(
> Stepan
>
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> > Sent: Tuesday, February 11, 2014 3:20 PM
> > To: users@cxf.apache.org
> > Subject: Re: Error "A encryption username needs to be declared" when
> using
> > Fediz IdP with external WS-Trust STS
> >
> > A CXF client using the Symmetric binding needs the public key of the
> recipient.
> > This is typically done by specifying an encryption username
> (corresponding to a
> > keystore alias), and a Crypto properties file for encryption (pointing
> to a
> > keystore). Here is an example:
> >
> >
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/res
> > ources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml?view=markup
> >
> > > So one possible solution is to update the IdP STSClient configuration so
> that it is
> > possible to pass through "properties" as per the client configuration
> above.
> > Alternatively, we could use an encryption certificate from metadata or
> > something, although this would likely require a small amount of work in
> CXF.
> > Which would you prefer to use?
> >
> > Colm.
> >
> >
> > On Tue, Feb 11, 2014 at 1:19 PM, Hrbacek, Stepan
> > <st...@atos.net>wrote:
> >
> > > Hi all,
> > > I am trying to use the Apache CXF Fediz IdP (1.1.0) with an
> > > external WS-Trust STS [Atos (c) DirX Access implementation based
> > > Oracle Metro]. When the Fediz IdP tries to send the
> > > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue request to
> > > the STS, an error occurs and following exception can be found in
> > > idp.log. The STS's WSDL is quoted below. Java clients using Oracle
> > > Metro work fine with this STS.
> > > Can you please give me a hint where and how to configure the encryption
> > > certificate (I think the error message is misleading)?
> > > Thank you!
> > > Stepan
> > >
> > > ---------------
> > > 2014-02-11 11:24:40,053
> > > [org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilde
> > > r@http-nio-9443-exec-6]
> > > DEBUG
> > > org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder
> > > - A encryption username needs to be declared.
> > > org.apache.cxf.ws.policy.PolicyException: A encryption username needs
> > > to be declared.
> > >         at
> > >
> >
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyN
> > otAsserted(AbstractBindingBuilder.java:315)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.setEncr
> > yptionUser(AbstractBindingBuilder.java:1631)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getEncr
> > yptedKeyBuilder(AbstractBindingBuilder.java:1453)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.setu
> > pEncryptedKey(SymmetricBindingHandler.java:856)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSi
> > gnBeforeEncrypt(SymmetricBindingHandler.java:298)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.hand
> > leBinding(SymmetricBindingHandler.java:124)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBased
> > WSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.
> > java:173)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBased
> > WSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.
> > java:90)
> > >         at
> > >
> >
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChai
> > n.java:272)
> > >         at
> org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
> > >         at
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
> > >         at
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
> > >         at
> org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:
> > 759)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:
> > 62)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:
> > 56)
> > >         at
> > >
> >
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:
> > 52)
> > >         at
> > >
> >
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAut
> > henticationProvider.java:116)
> > >         at
> > >
> >
> org.springframework.security.authentication.ProviderManager.authenticate(Pr
> > oviderManager.java:156)
> > >         at
> > >
> >
> org.springframework.security.authentication.ProviderManager.authenticate(Pr
> > oviderManager.java:174)
> > >         at
> > >
> > org.springframework.security.web.authentication.UsernamePasswordAuthentic
> >
> ationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:
> > 94)
> > >         at
> > >
> >
> org.springframework.security.web.authentication.AbstractAuthenticationProces
> > singFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
> > >         at
> > >
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(F
> > ilterChainProxy.java:342)
> > >         at
> > >
> >
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doF
> > ilter(SecurityContextPersistenceFilter.java:87)
> > >         at
> > >
> >
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(F
> > ilterChainProxy.java:342)
> > >         at
> > >
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:66)
> > >         ...
> > > ---------------
> > >
> > > The WS-Policy parts of the STS's WSDL are:
> > > ---------------
> > > <?xml version='1.0' encoding='UTF-8'?> <wsdl:definitions
> > > xmlns:dxa-fed="http://dxa.siemens.com/wsdl/federation/"
> > > xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:soap11="
> > > http://schemas.xmlsoap.org/wsdl/soap11/" xmlns:wsa10="
> > > http://www.w3.org/2005/08/addressing" xmlns:wsap10="
> > > http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsdl="
> > > http://schemas.xmlsoap.org/wsdl/" xmlns:wsp-xmlsoap="
> > > http://schemas.xmlsoap.org/ws/2004/09/policy"
> > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="
> > > http://www.w3.org/2001/XMLSchema" xmlns:sp="
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wsp="
> > > http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wst="
> > > http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="
> > >
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
> > 1.0.xsd"
> > > name="Federation"
> > > targetNamespace="http://dxa.siemens.com/wsdl/federation/
> > > ">
> > >  ...
> > >
> > >  <!-- Bindings section -->
> > >  <wsdl:binding name="SecurityTokenManagingSoap12Http"
> > > type="dxa-fed:SecurityTokenManaging">
> > >     <wsp-xmlsoap:PolicyReference URI="#SecurityTokenService_policy" />
> > >     <soap12:binding style="document" transport="
> > > http://schemas.xmlsoap.org/soap/http" />
> > >     <wsdl:operation name="issueSecurityToken">
> > >       <soap12:operation soapAction="
> > > http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" />
> > >       <wsdl:input>
> > >         <soap12:body use="literal" />
> > >         <wsp-xmlsoap:PolicyReference
> > > URI="#SecurityTokenManaging_Input_Policy" />
> > >       </wsdl:input>
> > >       <wsdl:output>
> > >         <soap12:body use="literal" />
> > >         <wsp-xmlsoap:PolicyReference
> > > URI="#SecurityTokenManaging_Output_Policy" />
> > >       </wsdl:output>
> > >     </wsdl:operation>
> > >   </wsdl:binding>
> > >
> > >   ...
> > >
> > >   <!-- WS-Policies section -->
> > >   <wsp:Policy wsu:Id="SecurityTokenService_policy">
> > >     <wsp:ExactlyOne>
> > >       <wsp:All>
> > >         <sp:SymmetricBinding>
> > >           <wsp:Policy>
> > >             <sp:ProtectionToken>
> > >               <wsp:Policy>
> > >                 <sp:X509Token sp:IncludeToken="
> > >
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never
> ">
> > >                   <wsp:Policy>
> > >                     <!-- sp:RequireDerivedKeys /-->
> > >                     <!-- sp:RequireThumbprintReference /-->
> > >                     <sp:WssX509V3Token10 />
> > >                   </wsp:Policy>
> > >                 </sp:X509Token>
> > >               </wsp:Policy>
> > >             </sp:ProtectionToken>
> > >             <sp:AlgorithmSuite>
> > >               <wsp:Policy>
> > >                 <sp:Basic128 />
> > >               </wsp:Policy>
> > >             </sp:AlgorithmSuite>
> > >             <sp:Layout>
> > >               <wsp:Policy>
> > >                 <sp:Lax />
> > >               </wsp:Policy>
> > >             </sp:Layout>
> > >             <sp:IncludeTimestamp />
> > >             <sp:EncryptSignature />
> > >             <sp:OnlySignEntireHeadersAndBody />
> > >           </wsp:Policy>
> > >         </sp:SymmetricBinding>
> > >         <sp:Wss11>
> > >           <wsp:Policy>
> > >             <sp:MustSupportRefKeyIdentifier />
> > >             <sp:MustSupportRefIssuerSerial />
> > >             <sp:MustSupportRefThumbprint />
> > >             <sp:MustSupportRefEncryptedKey />
> > >             <sp:RequireSignatureConfirmation />
> > >           </wsp:Policy>
> > >         </sp:Wss11>
> > >         <sp:Trust10>
> > >           <wsp:Policy>
> > >             <sp:MustSupportIssuedTokens />
> > >             <sp:RequireClientEntropy />
> > >             <sp:RequireServerEntropy />
> > >           </wsp:Policy>
> > >         </sp:Trust10>
> > >
> > >
> > >         <wsap10:UsingAddressing />
> > >         <sp:EndorsingSupportingTokens xmlns:sp="
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> > >           <wsp:Policy>
> > >             <sp:X509Token sp:IncludeToken="
> > > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Alwa
> > > ysToRecipient
> > > ">
> > >               <wsp:Policy>
> > >                 <!--sp:RequireThumbprintReference/-->
> > >                 <sp:WssX509V3Token10 />
> > >               </wsp:Policy>
> > >             </sp:X509Token>
> > >           </wsp:Policy>
> > >         </sp:EndorsingSupportingTokens>
> > >       </wsp:All>
> > >     </wsp:ExactlyOne>
> > >   </wsp:Policy>
> > >
> > >   <wsp:Policy wsu:Id="SecurityTokenManaging_Input_Policy">
> > >     <wsp:ExactlyOne>
> > >       <wsp:All>
> > >         <sp:SignedParts>
> > >           <sp:Body />
> > >           <sp:Header Name="To" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="From" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="FaultTo" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="ReplyTo" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="MessageID" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="RelatesTo" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="Action" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >         </sp:SignedParts>
> > >         <sp:EncryptedParts>
> > >           <sp:Body />
> > >         </sp:EncryptedParts>
> > >       </wsp:All>
> > >     </wsp:ExactlyOne>
> > >   </wsp:Policy>
> > >
> > >   <wsp:Policy wsu:Id="SecurityTokenManaging_Output_Policy">
> > >     <wsp:ExactlyOne>
> > >       <wsp:All>
> > >         <sp:SignedParts>
> > >           <sp:Body />
> > >           <sp:Header Name="To" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="From" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="FaultTo" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="ReplyTo" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="MessageID" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="RelatesTo" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >           <sp:Header Name="Action" Namespace="
> > > http://www.w3.org/2005/08/addressing" />
> > >         </sp:SignedParts>
> > >         <sp:EncryptedParts>
> > >           <sp:Body />
> > >         </sp:EncryptedParts>
> > >       </wsp:All>
> > >     </wsp:ExactlyOne>
> > >   </wsp:Policy>
> > >
> > > </wsdl:definitions>
> > > ---------------
> > >
> >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
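
Putting together the two pieces of advice in this thread, Stepan's hardcoding of SecurityConstants.ENCRYPT_USERNAME and SecurityConstants.ENCRYPT_PROPERTIES in STSAuthenticationProvider, and Colm's point that a client of a SymmetricBinding STS needs both a Crypto properties file and an encryption username, ideally passed through as properties rather than hardcoded, here is one added example of an STSClient configured that way. This is illustration code written for this page, not Fediz or CXF project code: the class and method names, the WSDL URL, the port name, the keystore alias and the properties file name are constructed placeholders, and the Merlin property keys in the comments assume the WSS4J 1.6 generation that CXF 2.7.x / Fediz 1.1.0 are built on.

```java
import java.io.Console;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;

/**
 * Added example (not Fediz or CXF project code): an STSClient for an STS whose
 * WS-Policy uses a SymmetricBinding with an X509 ProtectionToken, taking the
 * security properties from configuration instead of hardcoding them in
 * STSAuthenticationProvider. Assumes the CXF 2.7.x / WSS4J 1.6 generation that
 * Fediz 1.1.0 is built on; every URL, alias, file and port name is a placeholder.
 */
public class SymmetricBindingStsClientExample {

    /** Properties the client needs before it can build the EncryptedKey that
     *  a SymmetricBinding with an X509 ProtectionToken requires. */
    static final List<String> SYMMETRIC_BINDING_KEYS = Arrays.asList(
        SecurityConstants.ENCRYPT_USERNAME,     // keystore alias of the STS certificate
        SecurityConstants.ENCRYPT_PROPERTIES);  // Crypto properties file naming the truststore

    /** Returns the keys that are unset or blank, so a misconfiguration is reported
     *  before the RST is sent, with a clearer message than the PolicyException
     *  "A encryption username needs to be declared". */
    static List<String> missingSymmetricBindingProperties(Map<String, Object> props) {
        List<String> missing = new ArrayList<String>();
        for (String key : SYMMETRIC_BINDING_KEYS) {
            Object value = props.get(key);
            if (value == null || value.toString().trim().isEmpty()) {
                missing.add(key);
            }
        }
        return missing;
    }

    /** Deployment-specific entries come from configuration (for example a
     *  Spring-injected map); the per-request credentials are added per call. */
    static Map<String, Object> buildProperties(Map<String, Object> configured,
                                               String username, String password) {
        Map<String, Object> props = new HashMap<String, Object>(configured);
        props.put(SecurityConstants.USERNAME, username);
        props.put(SecurityConstants.PASSWORD, password);
        List<String> missing = missingSymmetricBindingProperties(props);
        if (!missing.isEmpty()) {
            throw new IllegalStateException(
                "STS policy uses a SymmetricBinding but the client lacks: " + missing);
        }
        return props;
    }

    static STSClient createStsClient(Bus bus, Map<String, Object> props) {
        STSClient sts = new STSClient(bus);
        // Placeholder WSDL location and port name; the service QName follows the
        // name/targetNamespace of the WSDL quoted in the thread.
        sts.setWsdlLocation("https://sts.example.test/federation?wsdl");
        sts.setServiceName("{http://dxa.siemens.com/wsdl/federation/}Federation");
        sts.setEndpointName("{http://dxa.siemens.com/wsdl/federation/}SecurityTokenManagingPort");
        sts.setProperties(props);
        return sts;
    }

    public static void main(String[] args) throws Exception {
        // Constructed configuration. The file named by ENCRYPT_PROPERTIES is a
        // WSS4J 1.6 Merlin properties file holding the STS certificate, e.g.:
        //   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
        //   org.apache.ws.security.crypto.merlin.keystore.type=jks
        //   org.apache.ws.security.crypto.merlin.keystore.password=<truststore password>
        //   org.apache.ws.security.crypto.merlin.keystore.file=stsTruststore.jks
        // The quoted policy's EndorsingSupportingTokens X509Token additionally needs
        // the client's own signing key via SIGNATURE_USERNAME / SIGNATURE_PROPERTIES.
        Map<String, Object> configured = new HashMap<String, Object>();
        configured.put(SecurityConstants.ENCRYPT_USERNAME, "sts-encryption-cert");
        configured.put(SecurityConstants.ENCRYPT_PROPERTIES, "stsClientCrypto.properties");

        // Read the password from the console rather than the command line.
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage: SymmetricBindingStsClientExample <username>");
            System.exit(2);
        }
        String password = new String(console.readPassword("Password for %s: ", args[0]));

        Map<String, Object> props = buildProperties(configured, args[0], password);
        STSClient sts = createStsClient(BusFactory.getDefaultBus(), props);
        SecurityToken token = sts.requestSecurityToken();
        System.out.println("Issued token id: " + token.getId());
    }
}
```

The point of the up-front check is that the two keys fail together: a CXF client cannot build the EncryptedKey for an X509 ProtectionToken without both the alias of the STS certificate and a Crypto file that locates the keystore holding it, and checking the map before requestSecurityToken() turns the policy error into a configuration error that names the missing property.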

RE: Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Posted by "Hrbacek, Stepan" <st...@atos.net>.
Thank you Colm!
I would like to use the first approach - specify the encryption username via "properties" in the STS client configuration.
I am unfortunately not able to find the right place in the Fediz IDP Web application, currently I am lost among all the beans :-(
Stepan

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
> Sent: Tuesday, February 11, 2014 3:20 PM
> To: users@cxf.apache.org
> Subject: Re: Error "A encryption username needs to be declared" when using
> Fediz IdP with external WS-Trust STS
> 
> A CXF client using the Symmetric binding needs the public key of the recipient.
> This is typically done by specifying an encryption username (corresponding to a
> keystore alias), and a Crypto properties file for encryption (pointing to a
> keystore). Here is an example:
> 
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/res
> ources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml?view=markup
> 
> So one possible solution is to update the IdP STSClient configuration so that it is
> possible to pass through "properties" as per the client configuration above.
> Alternatively, we could use an encryption certificate from metadata or
> something, although this would likely require a small amount of work in CXF.
> Which would you prefer to use?
> 
> Colm.
> 
> 
> On Tue, Feb 11, 2014 at 1:19 PM, Hrbacek, Stepan
> <st...@atos.net> wrote:
> 
> > Hi all,
> > I am trying to use the Apache CXF Fediz IdP (1.1.0) with an
> > external WS-Trust STS [Atos (c) DirX Access implementation based on
> > Oracle Metro]. When the Fediz IdP tries to send the
> > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue request to
> > the STS, an error occurs and the following exception can be found in
> > idp.log. The STS's WSDL is quoted below. Java clients using Oracle
> > Metro work fine with this STS.
> > Can you please give me a hint where and how to configure the encryption
> > certificate (I think the error message is misleading)?
> > Thank you!
> > Stepan
> >
> > ---------------
> > 2014-02-11 11:24:40,053 [org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder@http-nio-9443-exec-6] DEBUG org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder  - A encryption username needs to be declared.
> > org.apache.cxf.ws.policy.PolicyException: A encryption username needs to be declared.
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:315)
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.setEncryptionUser(AbstractBindingBuilder.java:1631)
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getEncryptedKeyBuilder(AbstractBindingBuilder.java:1453)
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.setupEncryptedKey(SymmetricBindingHandler.java:856)
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:298)
> >         at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:124)
> >         at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:173)
> >         at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:90)
> >         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
> >         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
> >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
> >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
> >         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
> >         at org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)
> >         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
> >         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
> >         at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
> >         at org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:116)
> >         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
> >         at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
> >         at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
> >         at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
> >         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >         at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
> >         at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
> >         at org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:66)
> >         ...
> > ---------------
> >
> > The WS-Policy parts of the STS's WSDL are:
> > ---------------
> > <?xml version='1.0' encoding='UTF-8'?>
> > <wsdl:definitions xmlns:dxa-fed="http://dxa.siemens.com/wsdl/federation/"
> > xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:soap11="
> > http://schemas.xmlsoap.org/wsdl/soap11/" xmlns:wsa10="
> > http://www.w3.org/2005/08/addressing" xmlns:wsap10="
> > http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsdl="
> > http://schemas.xmlsoap.org/wsdl/" xmlns:wsp-xmlsoap="
> > http://schemas.xmlsoap.org/ws/2004/09/policy"
> > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="
> > http://www.w3.org/2001/XMLSchema" xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wsp="
> > http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wst="
> > http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="
> > http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> > name="Federation" targetNamespace="http://dxa.siemens.com/wsdl/federation/
> > ">
> >  ...
> >
> >  <!-- Bindings section -->
> >  <wsdl:binding name="SecurityTokenManagingSoap12Http"
> > type="dxa-fed:SecurityTokenManaging">
> >     <wsp-xmlsoap:PolicyReference URI="#SecurityTokenService_policy" />
> >     <soap12:binding style="document" transport="
> > http://schemas.xmlsoap.org/soap/http" />
> >     <wsdl:operation name="issueSecurityToken">
> >       <soap12:operation soapAction="
> > http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" />
> >       <wsdl:input>
> >         <soap12:body use="literal" />
> >         <wsp-xmlsoap:PolicyReference
> > URI="#SecurityTokenManaging_Input_Policy" />
> >       </wsdl:input>
> >       <wsdl:output>
> >         <soap12:body use="literal" />
> >         <wsp-xmlsoap:PolicyReference
> > URI="#SecurityTokenManaging_Output_Policy" />
> >       </wsdl:output>
> >     </wsdl:operation>
> >   </wsdl:binding>
> >
> >   ...
> >
> >   <!-- WS-Policies section -->
> >   <wsp:Policy wsu:Id="SecurityTokenService_policy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <sp:SymmetricBinding>
> >           <wsp:Policy>
> >             <sp:ProtectionToken>
> >               <wsp:Policy>
> >                 <sp:X509Token sp:IncludeToken="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
> >                   <wsp:Policy>
> >                     <!-- sp:RequireDerivedKeys /-->
> >                     <!-- sp:RequireThumbprintReference /-->
> >                     <sp:WssX509V3Token10 />
> >                   </wsp:Policy>
> >                 </sp:X509Token>
> >               </wsp:Policy>
> >             </sp:ProtectionToken>
> >             <sp:AlgorithmSuite>
> >               <wsp:Policy>
> >                 <sp:Basic128 />
> >               </wsp:Policy>
> >             </sp:AlgorithmSuite>
> >             <sp:Layout>
> >               <wsp:Policy>
> >                 <sp:Lax />
> >               </wsp:Policy>
> >             </sp:Layout>
> >             <sp:IncludeTimestamp />
> >             <sp:EncryptSignature />
> >             <sp:OnlySignEntireHeadersAndBody />
> >           </wsp:Policy>
> >         </sp:SymmetricBinding>
> >         <sp:Wss11>
> >           <wsp:Policy>
> >             <sp:MustSupportRefKeyIdentifier />
> >             <sp:MustSupportRefIssuerSerial />
> >             <sp:MustSupportRefThumbprint />
> >             <sp:MustSupportRefEncryptedKey />
> >             <sp:RequireSignatureConfirmation />
> >           </wsp:Policy>
> >         </sp:Wss11>
> >         <sp:Trust10>
> >           <wsp:Policy>
> >             <sp:MustSupportIssuedTokens />
> >             <sp:RequireClientEntropy />
> >             <sp:RequireServerEntropy />
> >           </wsp:Policy>
> >         </sp:Trust10>
> >
> >
> >         <wsap10:UsingAddressing />
> >         <sp:EndorsingSupportingTokens xmlns:sp="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >           <wsp:Policy>
> >             <sp:X509Token sp:IncludeToken="
> > http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> > ">
> >               <wsp:Policy>
> >                 <!--sp:RequireThumbprintReference/-->
> >                 <sp:WssX509V3Token10 />
> >               </wsp:Policy>
> >             </sp:X509Token>
> >           </wsp:Policy>
> >         </sp:EndorsingSupportingTokens>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> >   <wsp:Policy wsu:Id="SecurityTokenManaging_Input_Policy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <sp:SignedParts>
> >           <sp:Body />
> >           <sp:Header Name="To" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="From" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="FaultTo" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="ReplyTo" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="MessageID" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="RelatesTo" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="Action" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >         </sp:SignedParts>
> >         <sp:EncryptedParts>
> >           <sp:Body />
> >         </sp:EncryptedParts>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> >   <wsp:Policy wsu:Id="SecurityTokenManaging_Output_Policy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <sp:SignedParts>
> >           <sp:Body />
> >           <sp:Header Name="To" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="From" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="FaultTo" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="ReplyTo" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="MessageID" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="RelatesTo" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >           <sp:Header Name="Action" Namespace="
> > http://www.w3.org/2005/08/addressing" />
> >         </sp:SignedParts>
> >         <sp:EncryptedParts>
> >           <sp:Body />
> >         </sp:EncryptedParts>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> > </wsdl:definitions>
> > ---------------
> >
> 
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com

Re: Error "A encryption username needs to be declared" when using Fediz IdP with external WS-Trust STS

Posted by Colm O hEigeartaigh <co...@apache.org>.
A CXF client using the Symmetric binding needs the public key of the
recipient. This is typically done by specifying an encryption username
(corresponding to a keystore alias), and a Crypto properties file for
encryption (pointing to a keystore). Here is an example:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/cxf-client.xml?view=markup

So one possible solution is to update the IdP STSClient configuration so
that it is possible to pass through "properties" as per the client
configuration above. Alternatively, we could use an encryption certificate
from metadata or something, although this would likely require a small
amount of work in CXF. Which would you prefer to use?

Colm.


On Tue, Feb 11, 2014 at 1:19 PM, Hrbacek, Stepan <st...@atos.net> wrote:

> Hi all,
> I am trying to use the Apache CXF Fediz IdP (1.1.0) with an external
> WS-Trust STS [Atos (c) DirX Access implementation based on Oracle Metro]. When
> the Fediz IdP tries to send the
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue request to the
> STS, an error occurs and the following exception can be found in idp.log. The
> STS's WSDL is quoted below. Java clients using Oracle Metro work fine with
> this STS.
> Can you please give me a hint where and how to configure the encryption
> certificate (I think the error message is misleading)?
> Thank you!
> Stepan
>
> ---------------
> 2014-02-11 11:24:40,053
> [org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder@http-nio-9443-exec-6]
> DEBUG
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder  - A
> encryption username needs to be declared.
> org.apache.cxf.ws.policy.PolicyException: A encryption username needs to
> be declared.
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:315)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.setEncryptionUser(AbstractBindingBuilder.java:1631)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.getEncryptedKeyBuilder(AbstractBindingBuilder.java:1453)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.setupEncryptedKey(SymmetricBindingHandler.java:856)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:298)
>         at
> org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:124)
>         at
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:173)
>         at
> org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:90)
>         at
> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
>         at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
>         at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
>         at
> org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)
>         at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:62)
>         at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:56)
>         at
> org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:52)
>         at
> org.apache.cxf.fediz.service.idp.STSAuthenticationProvider.authenticate(STSAuthenticationProvider.java:116)
>         at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
>         at
> org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
>         at
> org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
>         at
> org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:195)
>         at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>         at
> org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
>         at
> org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
>         at
> org.apache.cxf.fediz.service.idp.STSPortFilter.doFilter(STSPortFilter.java:66)
>         ...
> ---------------
>
> The WS-Policy parts of the STS's WSDL are:
> ---------------
> <?xml version='1.0' encoding='UTF-8'?>
> <wsdl:definitions xmlns:dxa-fed="http://dxa.siemens.com/wsdl/federation/"
> xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:soap11="
> http://schemas.xmlsoap.org/wsdl/soap11/" xmlns:wsa10="
> http://www.w3.org/2005/08/addressing" xmlns:wsap10="
> http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsdl="
> http://schemas.xmlsoap.org/wsdl/" xmlns:wsp-xmlsoap="
> http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:xs="
> http://www.w3.org/2001/XMLSchema" xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy" xmlns:wsp="
> http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wst="
> http://schemas.xmlsoap.org/ws/2005/02/trust" xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> name="Federation" targetNamespace="http://dxa.siemens.com/wsdl/federation/
> ">
>  ...
>
>  <!-- Bindings section -->
>  <wsdl:binding name="SecurityTokenManagingSoap12Http"
> type="dxa-fed:SecurityTokenManaging">
>     <wsp-xmlsoap:PolicyReference URI="#SecurityTokenService_policy" />
>     <soap12:binding style="document" transport="
> http://schemas.xmlsoap.org/soap/http" />
>     <wsdl:operation name="issueSecurityToken">
>       <soap12:operation soapAction="
> http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue" />
>       <wsdl:input>
>         <soap12:body use="literal" />
>         <wsp-xmlsoap:PolicyReference
> URI="#SecurityTokenManaging_Input_Policy" />
>       </wsdl:input>
>       <wsdl:output>
>         <soap12:body use="literal" />
>         <wsp-xmlsoap:PolicyReference
> URI="#SecurityTokenManaging_Output_Policy" />
>       </wsdl:output>
>     </wsdl:operation>
>   </wsdl:binding>
>
>   ...
>
>   <!-- WS-Policies section -->
>   <wsp:Policy wsu:Id="SecurityTokenService_policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:SymmetricBinding>
>           <wsp:Policy>
>             <sp:ProtectionToken>
>               <wsp:Policy>
>                 <sp:X509Token sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
>                   <wsp:Policy>
>                     <!-- sp:RequireDerivedKeys /-->
>                     <!-- sp:RequireThumbprintReference /-->
>                     <sp:WssX509V3Token10 />
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:ProtectionToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic128 />
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Lax />
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp />
>             <sp:EncryptSignature />
>             <sp:OnlySignEntireHeadersAndBody />
>           </wsp:Policy>
>         </sp:SymmetricBinding>
>         <sp:Wss11>
>           <wsp:Policy>
>             <sp:MustSupportRefKeyIdentifier />
>             <sp:MustSupportRefIssuerSerial />
>             <sp:MustSupportRefThumbprint />
>             <sp:MustSupportRefEncryptedKey />
>             <sp:RequireSignatureConfirmation />
>           </wsp:Policy>
>         </sp:Wss11>
>         <sp:Trust10>
>           <wsp:Policy>
>             <sp:MustSupportIssuedTokens />
>             <sp:RequireClientEntropy />
>             <sp:RequireServerEntropy />
>           </wsp:Policy>
>         </sp:Trust10>
>
>
>         <wsap10:UsingAddressing />
>         <sp:EndorsingSupportingTokens xmlns:sp="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>           <wsp:Policy>
>             <sp:X509Token sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient
> ">
>               <wsp:Policy>
>                 <!--sp:RequireThumbprintReference/-->
>                 <sp:WssX509V3Token10 />
>               </wsp:Policy>
>             </sp:X509Token>
>           </wsp:Policy>
>         </sp:EndorsingSupportingTokens>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>   <wsp:Policy wsu:Id="SecurityTokenManaging_Input_Policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:SignedParts>
>           <sp:Body />
>           <sp:Header Name="To" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="From" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="FaultTo" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="ReplyTo" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="MessageID" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="RelatesTo" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="Action" Namespace="
> http://www.w3.org/2005/08/addressing" />
>         </sp:SignedParts>
>         <sp:EncryptedParts>
>           <sp:Body />
>         </sp:EncryptedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>   <wsp:Policy wsu:Id="SecurityTokenManaging_Output_Policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:SignedParts>
>           <sp:Body />
>           <sp:Header Name="To" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="From" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="FaultTo" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="ReplyTo" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="MessageID" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="RelatesTo" Namespace="
> http://www.w3.org/2005/08/addressing" />
>           <sp:Header Name="Action" Namespace="
> http://www.w3.org/2005/08/addressing" />
>         </sp:SignedParts>
>         <sp:EncryptedParts>
>           <sp:Body />
>         </sp:EncryptedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
> </wsdl:definitions>
> ---------------
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
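The first approach Colm describes, as an added example that is neither the Fediz IdP's own wiring nor code from this thread: a CXF STSClient whose "properties" map carries the encryption username and Crypto properties file, plus the signing identity the STS's EndorsingSupportingTokens policy asks for. The STS service and port names, the keystore aliases, passwords and file names are assumptions; the package names are those of CXF 2.7.x with WSS4J 1.6.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.Bus;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.ws.security.WSPasswordCallback; // WSS4J 1.6 package, as used by CXF 2.7.x

public class StsClientEncryptionConfig {
    // Assumed STS coordinates: the namespace is the one in the quoted WSDL; the
    // service and port local names stand in for parts elided from the WSDL.
    static final String STS_WSDL = "https://sts.example.test/federation?wsdl";
    static final String STS_SERVICE = "{http://dxa.siemens.com/wsdl/federation/}StsServicePlaceholder";
    static final String STS_ENDPOINT = "{http://dxa.siemens.com/wsdl/federation/}StsPortPlaceholder";
    // Assumed keystore aliases: the STS's certificate and the IdP's own private key.
    static final String STS_CERT_ALIAS = "stskey";
    static final String IDP_KEY_ALIAS = "idpkey";

    /*
     * clientKeystore.properties, referenced below, is a WSS4J 1.6 Merlin file (values assumed):
     *   org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
     *   org.apache.ws.security.crypto.merlin.keystore.type=jks
     *   org.apache.ws.security.crypto.merlin.keystore.password=changeit
     *   org.apache.ws.security.crypto.merlin.keystore.file=idp-client.jks
     */
    public static Map<String, Object> buildSecurityProperties() {
        Map<String, Object> props = new HashMap<String, Object>();

        // SymmetricBinding: the client generates the session key and wraps it for the
        // STS in an EncryptedKey, so it needs the STS's public key. IncludeToken="Never"
        // means the STS never sends its certificate, so the alias must already hold it;
        // that entry decides who can unwrap the key, so keep it to the verified STS cert.
        props.put(SecurityConstants.ENCRYPT_USERNAME, STS_CERT_ALIAS);
        props.put(SecurityConstants.ENCRYPT_PROPERTIES, "clientKeystore.properties");

        // EndorsingSupportingTokens X509 (AlwaysToRecipient): the client endorses the
        // message signature with its own key, so it also needs a signing identity.
        props.put(SecurityConstants.SIGNATURE_USERNAME, IDP_KEY_ALIAS);
        props.put(SecurityConstants.SIGNATURE_PROPERTIES, "clientKeystore.properties");
        props.put(SecurityConstants.CALLBACK_HANDLER, new KeystorePasswordCallback());
        return props;
    }

    // The STSClient the IdP would use for its RST/Issue request; the same keys can be
    // set as a Spring <map> on an STSClient bean instead of in code.
    public static STSClient createStsClient(Bus bus) {
        STSClient stsClient = new STSClient(bus);
        stsClient.setWsdlLocation(STS_WSDL);
        stsClient.setServiceName(STS_SERVICE);
        stsClient.setEndpointName(STS_ENDPOINT);
        stsClient.setProperties(buildSecurityProperties());
        return stsClient;
    }

    // Supplies the private-key password WSS4J asks for when producing the endorsing signature.
    public static class KeystorePasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) {
                    throw new UnsupportedCallbackException(cb);
                }
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                if (IDP_KEY_ALIAS.equals(pc.getIdentifier())) {
                    pc.setPassword("idpkeypass"); // assumed private-key password
                }
            }
        }
    }
}
```

Once the encryption alias resolves to a certificate, the PolicyException from setEncryptionUser no longer fires; if the alias is present but holds a certificate other than the STS's, the request will be built but the STS cannot unwrap the key, so check the alias contents before checking the policy.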