Posted to users@cxf.apache.org by Christofer Steingrefer <cs...@gmail.com> on 2014/10/23 15:16:18 UTC
STS and Business Service
Hey,
I have some problems, hope you can help me.
I'm trying to implement my Business Service with CXF, but have some
problems with policies.
This is the policy definition from my WSDL:
<wsp:Policy wsu:Id="AuthSecurityPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:SecureConversationToken
              sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <sp:Issuer>
              <wsa:Address>http://localhost:8080/STS</wsa:Address>
            </sp:Issuer>
          </sp:SecureConversationToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
and this is my Soap-Request:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:doub="http://www.example.org/schema/DoubleIt">
  <soapenv:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsc:SecurityContextToken wsu:Id="sctId-C369774BE974CD565514139821204088"
          xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
        <wsc:Identifier>bipro:C369774BE974CD565514139821204087</wsc:Identifier>
      </wsc:SecurityContextToken>
    </wsse:Security>
  </soapenv:Header>
  <soapenv:Body>
    ..................
  </soapenv:Body>
</soapenv:Envelope>
I always get a Soap-Fault back:
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <soap:Fault>
      <faultcode>soap:Server</faultcode>
      <faultstring>These policy alternatives can not be satisfied:
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient}SupportingTokens
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient}SecureConversationToken
      </faultstring>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>
Do you know why?
I'm using cxf with version 2.7.11.
Thanks,
Chris
Re: STS and Business Service
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,
You could take a look at the following code for a UsernameToken:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/UsernameTokenInterceptorProvider.java;h=9b3381a6e0483d2da8a0928d204a706dd5674efd;hb=HEAD
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/UsernameTokenInterceptor.java;h=4325ad9951626e66501974246d0c8a868fe52eb6;hb=HEAD
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: STS and Business Service
Posted by Christofer Steingrefer <cs...@gmail.com>.
Okay, thank you, I will try.
But I'm new to CXF; do you have any advice or a tutorial / simple example
for me on how to write and integrate it?
I have a JAX-WS endpoint. Should I add the interceptor as an InInterceptor in
my configuration XML?
Thanks,
Chris
Re: STS and Business Service
Posted by Colm O hEigeartaigh <co...@apache.org>.
CXF does not support "SecureConversationTokens" when they are defined as a
"SupportingToken" with no accompanying security binding. If the sole
use-case of your service is just to check that the SecurityContextToken is
in the security header of the request, then it is pretty easy to write your
own CXF interceptor to check this and assert the appropriate policies.
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
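
One way to write the interceptor described in the reply above, as an added example that is not code from the thread or from the CXF project. It assumes the CXF 2.7.x API; the class name is hypothetical, and matching the policy assertions by local name is an assumption made because the fault in this thread reports them under an unexpected namespace.

```java
import java.util.Collection;
import java.util.Map;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.headers.Header;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.w3c.dom.Element;

// Hypothetical class name; both namespaces are copied from the request in this thread.
public class SctPresenceInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    private static final String WSSE_NS =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    private static final String WSC_NS = "http://schemas.xmlsoap.org/ws/2005/02/sc";

    public SctPresenceInterceptor() {
        super(Phase.PRE_PROTOCOL); // earlier than PRE_INVOKE, where CXF verifies policies
    }

    @Override
    public void handleMessage(SoapMessage message) {
        if (!hasSecurityContextToken(message)) {
            throw new SoapFault("SecurityContextToken missing from wsse:Security header",
                                message.getVersion().getSender());
        }
        AssertionInfoMap aim = message.get(AssertionInfoMap.class);
        if (aim != null) { // null when no policy is attached to the endpoint
            for (Map.Entry<QName, Collection<AssertionInfo>> e : aim.entrySet()) {
                String local = e.getKey().getLocalPart();
                if ("SupportingTokens".equals(local) || "SecureConversationToken".equals(local)) {
                    for (AssertionInfo ai : e.getValue()) {
                        ai.setAsserted(true); // mark the assertion as satisfied
                    }
                }
            }
        }
    }

    private static boolean hasSecurityContextToken(SoapMessage message) {
        Header security = message.getHeader(new QName(WSSE_NS, "Security"));
        if (security == null || !(security.getObject() instanceof Element)) {
            return false;
        }
        Element header = (Element) security.getObject();
        return header.getElementsByTagNameNS(WSC_NS, "SecurityContextToken").getLength() > 0;
    }
}
```

Register the class as an in-interceptor on the endpoint, for example inside `<jaxws:inInterceptors>` in the Spring configuration. It checks presence only, as the reply describes; it does not verify that the wsc:Identifier value was issued by the STS.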