You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by David Waite <dw...@pingidentity.com> on 2012/03/12 17:32:53 UTC
Need assistance with STS Client
Hello all,
I am attempting to use the STS client functionality of CXF 2.5.2, and have run into some problems (most recently a NPE in AbstractBindingBuilder.getSecurityToken() ). I think this is due to the WS-Policy I have created so far not stating the security token requirements properly, as it does not appear I am getting to the point where WS-Trust traffic is being sent to my STS for the Issue.
My goal is to have an RST Issue between a CXF-based client and a PingFederate server which takes an X.509 token and gives a SAML token, and a Validate between a CXF-based service and PingFederate to confirm the message once sent by the client. I'm rather unsure how to do the Validate as well once I do get the Issue working properly.
TemperatureConversion.wsdl:
<?xml version='1.0' encoding='UTF-8'?>
<wsdl:definitions name="TemperatureConversion"
targetNamespace="http://sample.pingidentity.com/"
xmlns:ns1="http://schemas.xmlsoap.org/soap/http"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://sample.pingidentity.com/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:wsaw="http://www.w3.org/2005/08/addressing">
<wsdl:types>...</wsdl:types>
<wsdl:message name="convertTemperatureResponse">
<wsdl:part element="tns:convertTemperatureResponse" name="parameters">
</wsdl:part>
</wsdl:message>
<wsdl:message name="convertTemperature">
<wsdl:part element="tns:convertTemperature" name="parameters">
</wsdl:part>
</wsdl:message>
<wsdl:portType name="TemperatureConversion">
<wsdl:operation name="convertTemperature">
<wsdl:input message="tns:convertTemperature" name="convertTemperature">
</wsdl:input>
<wsdl:output message="tns:convertTemperatureResponse" name="convertTemperatureResponse">
</wsdl:output>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="TemperatureConversionSoapBinding" type="tns:TemperatureConversion">
<wsp:PolicyReference URI="#AsymmetricSAML2Policy"/>
<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="convertTemperature">
<soap:operation soapAction="" style="document"/>
<wsdl:input name="convertTemperature">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#Input_Policy"/>
</wsdl:input>
<wsdl:output name="convertTemperatureResponse">
<soap:body use="literal"/>
<wsp:PolicyReference URI="#Output_Policy"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="TemperatureConversion">
<wsdl:port binding="tns:TemperatureConversionSoapBinding" name="TemperatureConversionPort">
<soap:address location="https://wsp.partner.com:8443/temperature-service/services/TemperatureConversion"/>
</wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="AsymmetricSAML2Policy">
<wsp:ExactlyOne>
<wsp:All>
<wsam:Addressing wsp:Optional="false">
<wsp:Policy/>
</wsam:Addressing>
<sp:AsymmetricBinding>
<wsp:Policy>
<sp:InitiatorToken>
<wsp:Policy>
<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<sp:RequestSecurityTokenTemplate>
<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
</wsp:Policy>
<!-- <sp:Issuer>
<wsaw:Address>https://sts.customer.com:9031/idp/sts.wst</wsaw:Address>
</sp:Issuer>
--> </sp:IssuedToken>
</wsp:Policy>
</sp:InitiatorToken>
<sp:RecipientToken>
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:WssX509V3Token10/>
<sp:RequireIssuerSerialReference/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:RecipientToken>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:OnlySignEntireHeadersAndBody/>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
</wsp:Policy>
</sp:AsymmetricBinding>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust13>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="Input_Policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body/>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="Output_Policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts>
<sp:Body/>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
<sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</wsdl:definitions>
mex.xml:
<wsdl:definitions xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"xmlns:tns="http://schemas.pingidentity.com/ws/securitytokenservice" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" name="SecurityTokenService"targetNamespace="http://schemas.pingidentity.com/ws/securitytokenservice">
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" wsu:Id="x509">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
<sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"wsp:Optional="true"/>
<sp:SignedParts>
<sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsdl:types>
<xs:schema xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<xs:element name="RequestSecurityToken" type="wst:AbstractRequestSecurityTokenType"/>
<xs:element name="RequestSecurityTokenResponse" type="wst:AbstractRequestSecurityTokenType"/>
<xs:complexType name="AbstractRequestSecurityTokenType">
<xs:sequence>
<xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any" processContents="lax"/>
</xs:sequence>
<xs:attribute name="Context" type="xs:anyURI" use="optional"/>
<xs:anyAttribute namespace="##other" processContents="lax"/>
</xs:complexType>
<xs:element name="RequestSecurityTokenCollection" type="wst:RequestSecurityTokenCollectionType"/>
<xs:complexType name="RequestSecurityTokenCollectionType">
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="2" name="RequestSecurityToken"type="wst:AbstractRequestSecurityTokenType"/>
</xs:sequence>
</xs:complexType>
<xs:element name="RequestSecurityTokenResponseCollection" type="wst:RequestSecurityTokenResponseCollectionType"/>
<xs:complexType name="RequestSecurityTokenResponseCollectionType">
<xs:sequence>
<xs:element maxOccurs="unbounded" minOccurs="1" ref="wst:RequestSecurityTokenResponse"/>
</xs:sequence>
<xs:anyAttribute namespace="##other" processContents="lax"/>
</xs:complexType>
</xs:schema>
</wsdl:types>
<wsdl:message name="InputMessage">
<wsdl:part name="request" element="trust:RequestSecurityToken"/>
</wsdl:message>
<wsdl:message name="OutputMessage">
<wsdl:part name="response" element="trust:RequestSecurityTokenResponseCollection"/>
</wsdl:message>
<wsdl:portType name="WsTrust13">
<wsdl:operation name="WsTrust13Issue">
<wsdl:input wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" message="tns:InputMessage"/>
<wsdl:output wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal" message="tns:OutputMessage"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="SecurityTokenServiceBinding_x509" type="tns:WsTrust13">
<wsp:PolicyReference URI="#x509"/>
<soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="WsTrust13Issue">
<soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" style="document"/>
<wsdl:input>
<soap12:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap12:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="SecurityTokenService">
<wsdl:port name="SecurityTokenServicePort_x509_x509" binding="tns:SecurityTokenServiceBinding_x509">
<soap12:address location="https://localhost:9031/idp/sts.wst?TokenProcessorId=x509"/>
<wsa10:EndpointReference>
<wsa10:Address>
https://localhost:9031/idp/sts.wst?TokenProcessorId=x509
</wsa10:Address>
</wsa10:EndpointReference>
</wsdl:port>
</wsdl:service>
</wsdl:definitions>
Client beans.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:http="http://cxf.apache.org/transports/http/configuration"
xmlns:jaxws="http://cxf.apache.org/jaxws"
xmlns:cxf="http://cxf.apache.org/core"
xmlns:p="http://cxf.apache.org/policy"
xmlns:sec="http://cxf.apache.org/configuration/security"
xsi:schemaLocation="
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<cxf:bus>
<cxf:features>
<cxf:logging/>
<p:policies />
</cxf:features>
</cxf:bus>
<bean name="{http://sample.pingidentity.com/}TemperatureConversionPort.sts-client"
class="org.apache.cxf.ws.security.trust.STSClient">
<constructor-arg ref="cxf"/>
<property name="serviceName" value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenService" />
<property name="wsdlLocation" value="http://localhost/mex.xml" />
<property name="endpointName"
value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenServicePort_x509_x509"/>
<property name="properties">
<map>
<entry key="ws-security.sts.token.username" value="3"/>
<entry key="ws-security.sts.token.password" value="2Federate" />
<entry key="ws-security.sts.token.properties" value="certs/clientcert.properties"/>
<entry key="ws-security.sts.token.usecert" value="true"/>
</map>
</property>
</bean>
<jaxws:client name="{http://sample.pingidentity.com/}TemperatureConversionPort" createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.signature.properties" value="certs/clientcert.properties" />
<entry key="ws-security.signature.username" value="4" />
<entry key="ws-security.callback-handler"
value="com.pingidentity.sample.client.ClientCallbackHandler"/>
</jaxws:properties>
</jaxws:client>
<!-- https://wsp.partner.com:8443/.* -->
<http:conduit name="*.http-conduit">
<http:tlsClientParameters disableCNCheck="true">
<sec:trustManagers>
<sec:keyStore type="JKS" password="changeit" resource="/certs/clienttrust.jks"/>
</sec:trustManagers>
<sec:keyManagers keyPassword="2Federate">
<sec:keyStore type="pkcs12" password="2Federate" resource="/certs/clientcert.p12"/>
</sec:keyManagers>
<sec:cipherSuitesFilter>
<!-- these filters ensure that a ciphersuite with
export-suitable or null encryption is used,
but exclude anonymous Diffie-Hellman key change as
this is vulnerable to man-in-the-middle attacks -->
<sec:include>.*_EXPORT_.*</sec:include>
<sec:include>.*_EXPORT1024_.*</sec:include>
<sec:include>.*_WITH_DES_.*</sec:include>
<sec:include>.*_WITH_AES_.*</sec:include>
<sec:include>.*_WITH_NULL_.*</sec:include>
<sec:exclude>.*_DH_anon_.*</sec:exclude>
</sec:cipherSuitesFilter>
</http:tlsClientParameters>
</http:conduit>
</beans>
Re: Need assistance with STS Client
Posted by Colm O hEigeartaigh <co...@apache.org>.
I'm not sure if your STSClient bean is getting picked up. Could you
try configuring it instead like:
<jaxws:client name="{http://sample.pingidentity.com/}TemperatureConversionPort"
createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.sts.client">
<bean class="org.apache.cxf.ws.security.trust.STSClient">
....
Colm.
On Mon, Mar 12, 2012 at 4:32 PM, David Waite <dw...@pingidentity.com> wrote:
> Hello all,
>
> I am attempting to use the STS client functionality of CXF 2.5.2, and have run into some problems (most recently a NPE in AbstractBindingBuilder.getSecurityToken() ). I think this is due to the WS-Policy I have created so far not stating the security token requirements properly, as it does not appear I am getting to the point where WS-Trust traffic is being sent to my STS for the Issue.
>
> My goal is to have an RST Issue between a CXF-based client and a PingFederate server which takes an X.509 token and gives a SAML token, and a Validate between a CXF-based service and PingFederate to confirm the message once sent by the client. I'm rather unsure how to do the Validate as well once I do get the Issue working properly.
>
> TemperatureConversion.wsdl:
>
> <?xml version='1.0' encoding='UTF-8'?>
> <wsdl:definitions name="TemperatureConversion"
> targetNamespace="http://sample.pingidentity.com/"
> xmlns:ns1="http://schemas.xmlsoap.org/soap/http"
> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> xmlns:tns="http://sample.pingidentity.com/"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> xmlns:wsaw="http://www.w3.org/2005/08/addressing">
> <wsdl:types>...</wsdl:types>
> <wsdl:message name="convertTemperatureResponse">
> <wsdl:part element="tns:convertTemperatureResponse" name="parameters">
> </wsdl:part>
> </wsdl:message>
> <wsdl:message name="convertTemperature">
> <wsdl:part element="tns:convertTemperature" name="parameters">
> </wsdl:part>
> </wsdl:message>
> <wsdl:portType name="TemperatureConversion">
> <wsdl:operation name="convertTemperature">
> <wsdl:input message="tns:convertTemperature" name="convertTemperature">
> </wsdl:input>
> <wsdl:output message="tns:convertTemperatureResponse" name="convertTemperatureResponse">
> </wsdl:output>
> </wsdl:operation>
> </wsdl:portType>
> <wsdl:binding name="TemperatureConversionSoapBinding" type="tns:TemperatureConversion">
> <wsp:PolicyReference URI="#AsymmetricSAML2Policy"/>
> <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="convertTemperature">
> <soap:operation soapAction="" style="document"/>
> <wsdl:input name="convertTemperature">
> <soap:body use="literal"/>
> <wsp:PolicyReference URI="#Input_Policy"/>
> </wsdl:input>
> <wsdl:output name="convertTemperatureResponse">
> <soap:body use="literal"/>
> <wsp:PolicyReference URI="#Output_Policy"/>
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
> <wsdl:service name="TemperatureConversion">
> <wsdl:port binding="tns:TemperatureConversionSoapBinding" name="TemperatureConversionPort">
> <soap:address location="https://wsp.partner.com:8443/temperature-service/services/TemperatureConversion"/>
> </wsdl:port>
> </wsdl:service>
> <wsp:Policy wsu:Id="AsymmetricSAML2Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <wsam:Addressing wsp:Optional="false">
> <wsp:Policy/>
> </wsam:Addressing>
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <sp:RequestSecurityTokenTemplate>
> <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
> <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
> </sp:RequestSecurityTokenTemplate>
> <wsp:Policy>
> <sp:RequireInternalReference/>
> </wsp:Policy>
> <!-- <sp:Issuer>
> <wsaw:Address>https://sts.customer.com:9031/idp/sts.wst</wsaw:Address>
> </sp:Issuer>
> --> </sp:IssuedToken>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:WssX509V3Token10/>
> <sp:RequireIssuerSerialReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:OnlySignEntireHeadersAndBody/>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefIssuerSerial/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust13>
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust13>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="Input_Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SignedParts>
> <sp:Body/>
> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="Output_Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SignedParts>
> <sp:Body/>
> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> </wsdl:definitions>
>
> mex.xml:
> <wsdl:definitions xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"xmlns:tns="http://schemas.pingidentity.com/ws/securitytokenservice" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" name="SecurityTokenService"targetNamespace="http://schemas.pingidentity.com/ws/securitytokenservice">
> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" wsu:Id="x509">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:TransportToken>
> <wsp:Policy>
> <sp:HttpsToken/>
> </wsp:Policy>
> </sp:TransportToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> </wsp:Policy>
> </sp:TransportBinding>
> <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"wsp:Optional="true"/>
> <sp:SignedParts>
> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> </sp:SignedParts>
> </wsp:Policy>
> </sp:EndorsingSupportingTokens>
> <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust13>
> <wsaw:UsingAddressing/>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsdl:types>
> <xs:schema xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> <xs:element name="RequestSecurityToken" type="wst:AbstractRequestSecurityTokenType"/>
> <xs:element name="RequestSecurityTokenResponse" type="wst:AbstractRequestSecurityTokenType"/>
> <xs:complexType name="AbstractRequestSecurityTokenType">
> <xs:sequence>
> <xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any" processContents="lax"/>
> </xs:sequence>
> <xs:attribute name="Context" type="xs:anyURI" use="optional"/>
> <xs:anyAttribute namespace="##other" processContents="lax"/>
> </xs:complexType>
> <xs:element name="RequestSecurityTokenCollection" type="wst:RequestSecurityTokenCollectionType"/>
> <xs:complexType name="RequestSecurityTokenCollectionType">
> <xs:sequence>
> <xs:element maxOccurs="unbounded" minOccurs="2" name="RequestSecurityToken"type="wst:AbstractRequestSecurityTokenType"/>
> </xs:sequence>
> </xs:complexType>
> <xs:element name="RequestSecurityTokenResponseCollection" type="wst:RequestSecurityTokenResponseCollectionType"/>
> <xs:complexType name="RequestSecurityTokenResponseCollectionType">
> <xs:sequence>
> <xs:element maxOccurs="unbounded" minOccurs="1" ref="wst:RequestSecurityTokenResponse"/>
> </xs:sequence>
> <xs:anyAttribute namespace="##other" processContents="lax"/>
> </xs:complexType>
> </xs:schema>
> </wsdl:types>
> <wsdl:message name="InputMessage">
> <wsdl:part name="request" element="trust:RequestSecurityToken"/>
> </wsdl:message>
> <wsdl:message name="OutputMessage">
> <wsdl:part name="response" element="trust:RequestSecurityTokenResponseCollection"/>
> </wsdl:message>
> <wsdl:portType name="WsTrust13">
> <wsdl:operation name="WsTrust13Issue">
> <wsdl:input wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" message="tns:InputMessage"/>
> <wsdl:output wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal" message="tns:OutputMessage"/>
> </wsdl:operation>
> </wsdl:portType>
> <wsdl:binding name="SecurityTokenServiceBinding_x509" type="tns:WsTrust13">
> <wsp:PolicyReference URI="#x509"/>
> <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="WsTrust13Issue">
> <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" style="document"/>
> <wsdl:input>
> <soap12:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <soap12:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
> <wsdl:service name="SecurityTokenService">
> <wsdl:port name="SecurityTokenServicePort_x509_x509" binding="tns:SecurityTokenServiceBinding_x509">
> <soap12:address location="https://localhost:9031/idp/sts.wst?TokenProcessorId=x509"/>
> <wsa10:EndpointReference>
> <wsa10:Address>
> https://localhost:9031/idp/sts.wst?TokenProcessorId=x509
> </wsa10:Address>
> </wsa10:EndpointReference>
> </wsdl:port>
> </wsdl:service>
> </wsdl:definitions>
>
> Client beans.xml:
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:http="http://cxf.apache.org/transports/http/configuration"
> xmlns:jaxws="http://cxf.apache.org/jaxws"
> xmlns:cxf="http://cxf.apache.org/core"
> xmlns:p="http://cxf.apache.org/policy"
> xmlns:sec="http://cxf.apache.org/configuration/security"
> xsi:schemaLocation="
> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
> http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
> http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
> http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
> http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
> http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
>
> <cxf:bus>
> <cxf:features>
> <cxf:logging/>
> <p:policies />
> </cxf:features>
> </cxf:bus>
> <bean name="{http://sample.pingidentity.com/}TemperatureConversionPort.sts-client"
> class="org.apache.cxf.ws.security.trust.STSClient">
> <constructor-arg ref="cxf"/>
> <property name="serviceName" value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenService" />
> <property name="wsdlLocation" value="http://localhost/mex.xml" />
> <property name="endpointName"
> value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenServicePort_x509_x509"/>
> <property name="properties">
> <map>
> <entry key="ws-security.sts.token.username" value="3"/>
> <entry key="ws-security.sts.token.password" value="2Federate" />
> <entry key="ws-security.sts.token.properties" value="certs/clientcert.properties"/>
> <entry key="ws-security.sts.token.usecert" value="true"/>
> </map>
> </property>
> </bean>
>
> <jaxws:client name="{http://sample.pingidentity.com/}TemperatureConversionPort" createdFromAPI="true">
> <jaxws:properties>
> <entry key="ws-security.signature.properties" value="certs/clientcert.properties" />
> <entry key="ws-security.signature.username" value="4" />
> <entry key="ws-security.callback-handler"
> value="com.pingidentity.sample.client.ClientCallbackHandler"/>
> </jaxws:properties>
> </jaxws:client>
> <!-- https://wsp.partner.com:8443/.* -->
> <http:conduit name="*.http-conduit">
> <http:tlsClientParameters disableCNCheck="true">
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="changeit" resource="/certs/clienttrust.jks"/>
> </sec:trustManagers>
> <sec:keyManagers keyPassword="2Federate">
> <sec:keyStore type="pkcs12" password="2Federate" resource="/certs/clientcert.p12"/>
> </sec:keyManagers>
> <sec:cipherSuitesFilter>
> <!-- these filters ensure that a ciphersuite with
> export-suitable or null encryption is used,
> but exclude anonymous Diffie-Hellman key change as
> this is vulnerable to man-in-the-middle attacks -->
> <sec:include>.*_EXPORT_.*</sec:include>
> <sec:include>.*_EXPORT1024_.*</sec:include>
> <sec:include>.*_WITH_DES_.*</sec:include>
> <sec:include>.*_WITH_AES_.*</sec:include>
> <sec:include>.*_WITH_NULL_.*</sec:include>
> <sec:exclude>.*_DH_anon_.*</sec:exclude>
> </sec:cipherSuitesFilter>
> </http:tlsClientParameters>
> </http:conduit>
> </beans>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Need assistance with STS Client
Posted by Glen Mazza <gm...@talend.com>.
The policy statements in Talend's jaxws-cxf-sts and
jaxws-cxf-sts-advanced samples (available here off Github:
https://github.com/Talend/tesb-rt-se/tree/master/examples/cxf or more
easily from the open-source Talend ESB Standard Edition download) may
have something you can leverage, the latter sample also shows WSP<->STS
validation. I have a text tutorial for an example closely similar to
the jaxws-cxf-sts sample:
http://www.jroller.com/gmazza/entry/cxf_sts_tutorial.
One CXF STS sample I see in our test cases is quite similar to your
policy statements
(http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/asymmetric/DoubleIt.wsdl?revision=1185706&view=markup),
so I'm not sure what the problem is. Did you remember to include the
cxf-rt-ws-policy dependency in your project (as listed in my blog
tutorial)--WS-Policy won't activate in CXF without it.
HTH,
Glen
On 03/12/2012 12:32 PM, David Waite wrote:
> Hello all,
>
> I am attempting to use the STS client functionality of CXF 2.5.2, and have run into some problems (most recently a NPE in AbstractBindingBuilder.getSecurityToken() ). I think this is due to the WS-Policy I have created so far not stating the security token requirements properly, as it does not appear I am getting to the point where WS-Trust traffic is being sent to my STS for the Issue.
>
> My goal is to have an RST Issue between a CXF-based client and a PingFederate server which takes an X.509 token and gives a SAML token, and a Validate between a CXF-based service and PingFederate to confirm the message once sent by the client. I'm rather unsure how to do the Validate as well once I do get the Issue working properly.
>
> TemperatureConversion.wsdl:
>
> <?xml version='1.0' encoding='UTF-8'?>
> <wsdl:definitions name="TemperatureConversion"
> targetNamespace="http://sample.pingidentity.com/"
> xmlns:ns1="http://schemas.xmlsoap.org/soap/http"
> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> xmlns:tns="http://sample.pingidentity.com/"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> xmlns:wsaw="http://www.w3.org/2005/08/addressing">
> <wsdl:types>...</wsdl:types>
> <wsdl:message name="convertTemperatureResponse">
> <wsdl:part element="tns:convertTemperatureResponse" name="parameters">
> </wsdl:part>
> </wsdl:message>
> <wsdl:message name="convertTemperature">
> <wsdl:part element="tns:convertTemperature" name="parameters">
> </wsdl:part>
> </wsdl:message>
> <wsdl:portType name="TemperatureConversion">
> <wsdl:operation name="convertTemperature">
> <wsdl:input message="tns:convertTemperature" name="convertTemperature">
> </wsdl:input>
> <wsdl:output message="tns:convertTemperatureResponse" name="convertTemperatureResponse">
> </wsdl:output>
> </wsdl:operation>
> </wsdl:portType>
> <wsdl:binding name="TemperatureConversionSoapBinding" type="tns:TemperatureConversion">
> <wsp:PolicyReference URI="#AsymmetricSAML2Policy"/>
> <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="convertTemperature">
> <soap:operation soapAction="" style="document"/>
> <wsdl:input name="convertTemperature">
> <soap:body use="literal"/>
> <wsp:PolicyReference URI="#Input_Policy"/>
> </wsdl:input>
> <wsdl:output name="convertTemperatureResponse">
> <soap:body use="literal"/>
> <wsp:PolicyReference URI="#Output_Policy"/>
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
> <wsdl:service name="TemperatureConversion">
> <wsdl:port binding="tns:TemperatureConversionSoapBinding" name="TemperatureConversionPort">
> <soap:address location="https://wsp.partner.com:8443/temperature-service/services/TemperatureConversion"/>
> </wsdl:port>
> </wsdl:service>
> <wsp:Policy wsu:Id="AsymmetricSAML2Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <wsam:Addressing wsp:Optional="false">
> <wsp:Policy/>
> </wsam:Addressing>
> <sp:AsymmetricBinding>
> <wsp:Policy>
> <sp:InitiatorToken>
> <wsp:Policy>
> <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <sp:RequestSecurityTokenTemplate>
> <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
> <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
> </sp:RequestSecurityTokenTemplate>
> <wsp:Policy>
> <sp:RequireInternalReference/>
> </wsp:Policy>
> <!-- <sp:Issuer>
> <wsaw:Address>https://sts.customer.com:9031/idp/sts.wst</wsaw:Address>
> </sp:Issuer>
> --> </sp:IssuedToken>
> </wsp:Policy>
> </sp:InitiatorToken>
> <sp:RecipientToken>
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> <wsp:Policy>
> <sp:WssX509V3Token10/>
> <sp:RequireIssuerSerialReference/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:RecipientToken>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:OnlySignEntireHeadersAndBody/>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> </wsp:Policy>
> </sp:AsymmetricBinding>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefIssuerSerial/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust13>
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust13>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="Input_Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SignedParts>
> <sp:Body/>
> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsp:Policy wsu:Id="Output_Policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SignedParts>
> <sp:Body/>
> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="AckRequested" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="SequenceAcknowledgement" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="Sequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> <sp:Header Name="CreateSequence" Namespace="http://docs.oasis-open.org/ws-rx/wsrm/200702"/>
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> </wsdl:definitions>
>
> mex.xml:
> <wsdl:definitions xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512"xmlns:tns="http://schemas.pingidentity.com/ws/securitytokenservice" xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"xmlns:wsa10="http://www.w3.org/2005/08/addressing" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" name="SecurityTokenService"targetNamespace="http://schemas.pingidentity.com/ws/securitytokenservice">
> <wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl" wsu:Id="x509">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:TransportToken>
> <wsp:Policy>
> <sp:HttpsToken/>
> </wsp:Policy>
> </sp:TransportToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Strict/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> </wsp:Policy>
> </sp:TransportBinding>
> <sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> <wsp:Policy>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never"wsp:Optional="true"/>
> <sp:SignedParts>
> <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> </sp:SignedParts>
> </wsp:Policy>
> </sp:EndorsingSupportingTokens>
> <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust13>
> <wsaw:UsingAddressing/>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> <wsdl:types>
> <xs:schema xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata" xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> <xs:element name="RequestSecurityToken" type="wst:AbstractRequestSecurityTokenType"/>
> <xs:element name="RequestSecurityTokenResponse" type="wst:AbstractRequestSecurityTokenType"/>
> <xs:complexType name="AbstractRequestSecurityTokenType">
> <xs:sequence>
> <xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any" processContents="lax"/>
> </xs:sequence>
> <xs:attribute name="Context" type="xs:anyURI" use="optional"/>
> <xs:anyAttribute namespace="##other" processContents="lax"/>
> </xs:complexType>
> <xs:element name="RequestSecurityTokenCollection" type="wst:RequestSecurityTokenCollectionType"/>
> <xs:complexType name="RequestSecurityTokenCollectionType">
> <xs:sequence>
> <xs:element maxOccurs="unbounded" minOccurs="2" name="RequestSecurityToken"type="wst:AbstractRequestSecurityTokenType"/>
> </xs:sequence>
> </xs:complexType>
> <xs:element name="RequestSecurityTokenResponseCollection" type="wst:RequestSecurityTokenResponseCollectionType"/>
> <xs:complexType name="RequestSecurityTokenResponseCollectionType">
> <xs:sequence>
> <xs:element maxOccurs="unbounded" minOccurs="1" ref="wst:RequestSecurityTokenResponse"/>
> </xs:sequence>
> <xs:anyAttribute namespace="##other" processContents="lax"/>
> </xs:complexType>
> </xs:schema>
> </wsdl:types>
> <wsdl:message name="InputMessage">
> <wsdl:part name="request" element="trust:RequestSecurityToken"/>
> </wsdl:message>
> <wsdl:message name="OutputMessage">
> <wsdl:part name="response" element="trust:RequestSecurityTokenResponseCollection"/>
> </wsdl:message>
> <wsdl:portType name="WsTrust13">
> <wsdl:operation name="WsTrust13Issue">
> <wsdl:input wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" message="tns:InputMessage"/>
> <wsdl:output wsaw:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal" message="tns:OutputMessage"/>
> </wsdl:operation>
> </wsdl:portType>
> <wsdl:binding name="SecurityTokenServiceBinding_x509" type="tns:WsTrust13">
> <wsp:PolicyReference URI="#x509"/>
> <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="WsTrust13Issue">
> <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" style="document"/>
> <wsdl:input>
> <soap12:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <soap12:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
> <wsdl:service name="SecurityTokenService">
> <wsdl:port name="SecurityTokenServicePort_x509_x509" binding="tns:SecurityTokenServiceBinding_x509">
> <soap12:address location="https://localhost:9031/idp/sts.wst?TokenProcessorId=x509"/>
> <wsa10:EndpointReference>
> <wsa10:Address>
> https://localhost:9031/idp/sts.wst?TokenProcessorId=x509
> </wsa10:Address>
> </wsa10:EndpointReference>
> </wsdl:port>
> </wsdl:service>
> </wsdl:definitions>
>
> Client beans.xml:
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:http="http://cxf.apache.org/transports/http/configuration"
> xmlns:jaxws="http://cxf.apache.org/jaxws"
> xmlns:cxf="http://cxf.apache.org/core"
> xmlns:p="http://cxf.apache.org/policy"
> xmlns:sec="http://cxf.apache.org/configuration/security"
> xsi:schemaLocation="
> http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
> http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
> http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd
> http://cxf.apache.org/configuration/security http://cxf.apache.org/schemas/configuration/security.xsd
> http://cxf.apache.org/transports/http/configuration http://cxf.apache.org/schemas/configuration/http-conf.xsd
> http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
>
> <cxf:bus>
> <cxf:features>
> <cxf:logging/>
> <p:policies />
> </cxf:features>
> </cxf:bus>
> <bean name="{http://sample.pingidentity.com/}TemperatureConversionPort.sts-client"
> class="org.apache.cxf.ws.security.trust.STSClient">
> <constructor-arg ref="cxf"/>
> <property name="serviceName" value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenService" />
> <property name="wsdlLocation" value="http://localhost/mex.xml" />
> <property name="endpointName"
> value="{http://schemas.pingidentity.com/ws/securitytokenservice}SecurityTokenServicePort_x509_x509"/>
> <property name="properties">
> <map>
> <entry key="ws-security.sts.token.username" value="3"/>
> <entry key="ws-security.sts.token.password" value="2Federate" />
> <entry key="ws-security.sts.token.properties" value="certs/clientcert.properties"/>
> <entry key="ws-security.sts.token.usecert" value="true"/>
> </map>
> </property>
> </bean>
>
> <jaxws:client name="{http://sample.pingidentity.com/}TemperatureConversionPort" createdFromAPI="true">
> <jaxws:properties>
> <entry key="ws-security.signature.properties" value="certs/clientcert.properties" />
> <entry key="ws-security.signature.username" value="4" />
> <entry key="ws-security.callback-handler"
> value="com.pingidentity.sample.client.ClientCallbackHandler"/>
> </jaxws:properties>
> </jaxws:client>
> <!-- https://wsp.partner.com:8443/.* -->
> <http:conduit name="*.http-conduit">
> <http:tlsClientParameters disableCNCheck="true">
> <sec:trustManagers>
> <sec:keyStore type="JKS" password="changeit" resource="/certs/clienttrust.jks"/>
> </sec:trustManagers>
> <sec:keyManagers keyPassword="2Federate">
> <sec:keyStore type="pkcs12" password="2Federate" resource="/certs/clientcert.p12"/>
> </sec:keyManagers>
> <sec:cipherSuitesFilter>
> <!-- these filters ensure that a ciphersuite with
> export-suitable or null encryption is used,
> but exclude anonymous Diffie-Hellman key change as
> this is vulnerable to man-in-the-middle attacks -->
> <sec:include>.*_EXPORT_.*</sec:include>
> <sec:include>.*_EXPORT1024_.*</sec:include>
> <sec:include>.*_WITH_DES_.*</sec:include>
> <sec:include>.*_WITH_AES_.*</sec:include>
> <sec:include>.*_WITH_NULL_.*</sec:include>
> <sec:exclude>.*_DH_anon_.*</sec:exclude>
> </sec:cipherSuitesFilter>
> </http:tlsClientParameters>
> </http:conduit>
> </beans>
>
--
Glen Mazza
Talend Community Coders - coders.talend.com
blog: www.jroller.com/gmazza