Posted to users@cxf.apache.org by sumit_chauhan <su...@uhc.com> on 2013/04/03 12:23:06 UTC

SAMLToken (Signed) request failing because of WS Policy

I am implementing alternate authentication using UsernameToken or SAMLToken
(Signed). I have configured the policy below in my WSDL:

    <wsp:Policy wsu:Id="DoubleItPlaintextPolicy">
        <wsp:ExactlyOne>
            <wsp:All>
                <sp:SupportingTokens
                    xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                    <wsp:Policy>
                        <sp:SamlToken
                            sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                            <wsp:Policy>
                                <sp:WssSamlV20Token11/>
                            </wsp:Policy>
                        </sp:SamlToken>
                    </wsp:Policy>
                </sp:SupportingTokens>
            </wsp:All>
            <wsp:All>
                <sp:SupportingTokens>
                    <wsp:Policy>
                        <sp:UsernameToken>
                            <wsp:Policy>
                                <sp:HashPassword/>
                            </wsp:Policy>
                        </sp:UsernameToken>
                    </wsp:Policy>
                </sp:SupportingTokens>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

Also, I have configured the backend validators in the Spring beans file. I am
able to receive requests with UsernameToken. However, SAMLToken requests are
failing with the error below:

  <faultstring>These policy alternatives can not be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SamlToken
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken</faultstring>

I am attaching a sample SAML request which I am trying to handle.
getTrustedDomainsByUserAddress_SAML_request.xml
<http://cxf.547215.n5.nabble.com/file/n5725739/getTrustedDomainsByUserAddress_SAML_request.xml>  
Can someone please let me know the correct policy for handling this kind of
request?

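The fault quoted above lists, per alternative, the assertions that were never asserted. The following is an added example, not code from this thread or from CXF: it normalises the posted policy into its wsp:ExactlyOne alternatives and checks which one a received security header satisfies, reproducing the rule that a message is accepted only when every assertion of at least one wsp:All alternative is asserted. The token-kind names (`saml2_assertion`, `usernametoken_digest`, `usernametoken_plaintext`) and the table mapping them to assertions are assumptions made for the example; CXF derives the asserted set from WSS4J's processing results rather than from a table. The policy string is a constructed copy of the one in the post with the namespaces declared inline.

```python
"""Normalise a WS-SecurityPolicy document into its alternatives and check
which of them a received security header satisfies. Added example, not
CXF's policy engine."""
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"


def qn(ns, local):
    """Clark-notation QName, the form ElementTree uses for element tags."""
    return "{%s}%s" % (ns, local)


# Constructed copy of the policy from the post: namespaces declared inline and
# the wsu:Id attribute dropped so the fragment parses stand-alone.
POLICY_XML = """<wsp:Policy xmlns:wsp="%s" xmlns:sp="%s">
 <wsp:ExactlyOne>
  <wsp:All><sp:SupportingTokens><wsp:Policy>
   <sp:SamlToken sp:IncludeToken="%s/IncludeToken/AlwaysToRecipient">
    <wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy>
   </sp:SamlToken>
  </wsp:Policy></sp:SupportingTokens></wsp:All>
  <wsp:All><sp:SupportingTokens><wsp:Policy>
   <sp:UsernameToken><wsp:Policy><sp:HashPassword/></wsp:Policy></sp:UsernameToken>
  </wsp:Policy></sp:SupportingTokens></wsp:All>
 </wsp:ExactlyOne>
</wsp:Policy>""" % (WSP, SP, SP)


def normalize(elem):
    """WS-Policy normal form: a list of alternatives, each a frozenset of
    assertion QNames. wsp:Policy and wsp:All combine their children
    (cartesian product), wsp:ExactlyOne concatenates, and an assertion's
    nested wsp:Policy refines that assertion."""
    if elem.tag in (qn(WSP, "Policy"), qn(WSP, "All")):
        alts = [frozenset()]
        for child in elem:
            alts = [a | b for a in alts for b in normalize(child)]
        return alts
    if elem.tag == qn(WSP, "ExactlyOne"):
        alts = []
        for child in elem:
            alts.extend(normalize(child))
        return alts
    alts = [frozenset([elem.tag])]  # a domain assertion such as sp:SamlToken
    for child in elem:
        if child.tag == qn(WSP, "Policy"):
            alts = [a | b for a in alts for b in normalize(child)]
    return alts


def alternatives(policy_xml):
    return normalize(ET.fromstring(policy_xml))


# Hypothetical table: which assertions each kind of token found in a received
# security header satisfies. A plaintext UsernameToken does not satisfy
# sp:HashPassword, which is the point of the third entry.
TOKEN_ASSERTS = {
    "saml2_assertion": {qn(SP, "SupportingTokens"), qn(SP, "SamlToken"),
                        qn(SP, "WssSamlV20Token11")},
    "usernametoken_digest": {qn(SP, "SupportingTokens"), qn(SP, "UsernameToken"),
                             qn(SP, "HashPassword")},
    "usernametoken_plaintext": {qn(SP, "SupportingTokens"), qn(SP, "UsernameToken")},
}


def evaluate(policy_xml, header_tokens):
    """Return (satisfied_alternatives, unasserted_assertions). The second
    list is empty when some alternative is fully satisfied; otherwise it is
    the union of what each alternative still lacks, as the CXF fault lists."""
    asserted = set()
    for token in header_tokens:
        asserted |= TOKEN_ASSERTS[token]
    alts = alternatives(policy_xml)
    satisfied = [alt for alt in alts if alt <= asserted]
    if satisfied:
        return satisfied, []
    missing = set()
    for alt in alts:
        missing |= alt - asserted
    return [], sorted(missing)


def fault_string(missing):
    """Same shape as the fault quoted in the post."""
    return "These policy alternatives can not be satisfied: " + " ".join(missing)


if __name__ == "__main__":
    for header in ({"usernametoken_digest"}, {"saml2_assertion"},
                   {"usernametoken_plaintext"}, set()):
        satisfied, missing = evaluate(POLICY_XML, header)
        print(sorted(header), "->", "accepted" if satisfied else fault_string(missing))
```

Running the block shows why a header carrying only a plaintext UsernameToken is rejected even though UsernameToken and SupportingTokens are asserted: sp:HashPassword is missing from the second alternative, and the fault then also names the SAML assertions the first alternative lacks.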

RE: SAMLToken (Signed) request failing because of WS Policy

Posted by sumit_chauhan <su...@uhc.com>.
That was the original solution I tried, but it didn't work, hence I shifted to an absolute path. I am using wss4j-1.6.9.
For the time being I have added the logic to load the Crypto file to my SAMLValidator itself and it seems to work fine so far. However, it would be great if I could find a way to load it via a CXF property.

Thanks,
Sumit

From: coheigea [via CXF] [mailto:ml-node+s547215n5725801h1@n5.nabble.com]
Sent: Thursday, April 04, 2013 2:26 PM
To: Chauhan, Sumit K
Subject: Re: SAMLToken (Signed) request failing because of WS Policy

Try with just a relative path, e.g.:

<entry key="ws-security.signature.properties"
value="keystore_dev.properties"/>

Colm.


Re: SAMLToken (Signed) request failing because of WS Policy

Posted by Colm O hEigeartaigh <co...@apache.org>.
Try with just a relative path, e.g.:

<entry key="ws-security.signature.properties"
value="keystore_dev.properties"/>

Colm.


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: SAMLToken (Signed) request failing because of WS Policy

Posted by sumit_chauhan <su...@uhc.com>.
I have shifted to CXF-2.7.3. Good news is that UsernameToken is still working without any changes. However, now CXF is unable to find the Crypto properties file. It is throwing the error below:

General security error (WSSecurityEngine: No crypto property file supplied to verify signature)



I have added the crypto property file using the CXF properties below, as mentioned here http://cxf.apache.org/docs/ws-securitypolicy.html:

<jaxws:properties>
    <entry key="ws-security.saml2.validator">
        <bean class="com.optum.direct.secureoptumdirect.authentication.MPICustomSAMLTokenValidator" />
    </entry>
    <entry key="ws-security.signature.properties" value="C:/Workfolder/DirectProject/2_1/apache-tomcat-6.0.32/webapps/config-service/WEB-INF/classes/keystore_dev.properties"/>
    <entry key="ws-security.encryption.properties" value="C:/Workfolder/DirectProject/2_1/apache-tomcat-6.0.32/webapps/config-service/WEB-INF/classes/keystore_dev.properties"/>
    <entry key="ws-security.signature.username" value="mydomain"/>
    <entry key="ws-security.callback-handler" value="com.optum.direct.secureoptumdirect.authentication.CustomUserTokenCallBackHandler"/>
</jaxws:properties>





Thanks

From: coheigea [via CXF] [mailto:ml-node+s547215n5725751h51@n5.nabble.com]
Sent: Wednesday, April 03, 2013 6:40 PM
To: Chauhan, Sumit K
Subject: Re: SAMLToken (Signed) request failing because of WS Policy

We fixed some bugs around policy alternatives in more recent CXF versions.
You'll likely have to upgrade to one of the latest CXF 2.5.x, 2.6.x or
2.7.x releases.

Colm.


Re: SAMLToken (Signed) request failing because of WS Policy

Posted by Colm O hEigeartaigh <co...@apache.org>.
We fixed some bugs around policy alternatives in more recent CXF versions.
You'll likely have to upgrade to one of the latest CXF 2.5.x, 2.6.x or
2.7.x releases.

Colm.


On Wed, Apr 3, 2013 at 2:04 PM, sumit_chauhan <su...@uhc.com> wrote:

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
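An added illustration, not code from this thread or from CXF, of what the policy engine is deciding when it reports that the alternatives cannot be satisfied: a small Python evaluator that normalizes the policy from the original post into its two <wsp:All> alternatives and reports which one the tokens in a request's security header cover. It assumes the WS-Policy 1.2 namespace (the posted snippet never declares wsp), omits the IncludeToken attribute, and takes a constructed summary of the wsse:Security tokens instead of parsing a real SOAP message.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
# Assumption: WS-Policy 1.2 namespace; the posted snippet never declares wsp.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed copy of the policy from the original post, with wsp declared.
POLICY_XML = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All><sp:SupportingTokens><wsp:Policy>
      <sp:SamlToken><wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy></sp:SamlToken>
    </wsp:Policy></sp:SupportingTokens></wsp:All>
    <wsp:All><sp:SupportingTokens><wsp:Policy>
      <sp:UsernameToken><wsp:Policy><sp:HashPassword/></wsp:Policy></sp:UsernameToken>
    </wsp:Policy></sp:SupportingTokens></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""


def alternatives(policy_xml):
    """Normalize the policy into one set per <wsp:All>; each entry is
    (token local name, frozenset of the property assertions nested under it)."""
    alts = []
    for alt in ET.fromstring(policy_xml).iter(f"{{{WSP}}}All"):
        required = set()
        for st in alt.iter(f"{{{SP}}}SupportingTokens"):
            inner = st.find(f"{{{WSP}}}Policy")
            for token in ([] if inner is None else list(inner)):
                nested = token.find(f"{{{WSP}}}Policy")
                props = frozenset(c.tag.split("}", 1)[1] for c in nested) if nested is not None else frozenset()
                required.add((token.tag.split("}", 1)[1], props))
        alts.append(required)
    return alts


def _matches(required, present):
    # A header token satisfies a requirement when the name matches and it carries
    # every nested property the policy demands (e.g. a digest for HashPassword).
    name, props = required
    return any(name == pname and props <= pprops for pname, pprops in present)


def satisfied_alternatives(policy_xml, present):
    """Indexes of alternatives fully covered by the tokens in the header.
    `present` is a constructed summary of wsse:Security, not a real SOAP parse,
    e.g. {("UsernameToken", frozenset({"HashPassword"}))}. An empty list is
    the condition behind the posted "policy alternatives can not be satisfied"."""
    return [i for i, req in enumerate(alternatives(policy_xml))
            if all(_matches(r, present) for r in req)]
```

Note that a UsernameToken with a plaintext password satisfies neither alternative, since HashPassword demands a digest, so the same fault can appear for reasons other than the engine bug.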

RE: SAMLToken (Signed) request failing because of WS Policy

Posted by sumit_chauhan <su...@uhc.com>.
CXF-2.4.6

Thanks,
Sumit

From: coheigea [via CXF] [mailto:ml-node+s547215n5725743h3@n5.nabble.com]
Sent: Wednesday, April 03, 2013 5:41 PM
To: Chauhan, Sumit K
Subject: Re: SAMLToken (Signed) request failing because of WS Policy

What version of CXF are you using?

Colm.


On Wed, Apr 3, 2013 at 11:23 AM, sumit_chauhan wrote:

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com


Re: SAMLToken (Signed) request failing because of WS Policy

Posted by Colm O hEigeartaigh <co...@apache.org>.
What version of CXF are you using?

Colm.


On Wed, Apr 3, 2013 at 11:23 AM, sumit_chauhan <su...@uhc.com> wrote:

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com