Posted to users@cxf.apache.org by Rubicon <rn...@gmail.com> on 2013/04/11 18:20:09 UTC

CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Greetings all,  I am attempting to connect to a .NET web service using CXF. 
The requirements for the request's security headers are a Timestamp and a
BinarySecurityToken from an X509 Certificate.  The response only includes a
Timestamp.  I think it is important to note that I do not have any control
over the web service, and we were provided a public key by the vendor to use
for generating the BST, so we do not have the private key, nor a password
for the key.

I have been working from the CXF samples and have read every blog and
mailing list post I can find, but am still having trouble.  I can
successfully generate the Timestamp, and even a UsernameToken (which is not
needed for this project), but I cannot get a BinarySecurityToken to
generate.  When I add the 'Signature' action, I get this
NullPointerException: 

/java.lang.NullPointerException at
org.apache.ws.security.message.WSSecSignature.getSigningCerts(WSSecSignature.java:786)/

I have read other posts that imply this error indicates the keystore either
cannot be found, or cannot be opened.  I have tried putting the keystore in
my JAR as a resource, in the local directory I am running from, in a
different directory, explicitly referencing it in my classpath, etc., but to
no avail.  If I include 'Signature' in the action, I get this error.

I would greatly appreciate any help I can get on this.  Our team attempted
this task using Axis2 for several weeks, and now I'm just starting a new
approach using CXF and need to get it done ASAP.  Now I seem to be at about
the same roadblock the Axis2 route got to... 

Thank you all.

Note: in my source snippets, I have used {} to indicate masked items to
protect sensitive information.
*Here is my cxf.xml file:*

/<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:jaxws="http://cxf.apache.org/jaxws"
   xsi:schemaLocation="http://www.springframework.org/schema/beans 
   http://www.springframework.org/schema/beans/spring-beans.xsd
   http://cxf.apache.org/jaxws 
   http://cxf.apache.org/schemas/jaxws.xsd">

    <jaxws:client name="STWebService-CXF" createdFromAPI="true">
        
        <jaxws:inInterceptors>
            <ref bean="Timestamp_Response"/>
            <bean
class="org.apache.cxf.ws.security.wss4j.DefaultCryptoCoverageChecker"/>
        </jaxws:inInterceptors>
        <jaxws:outInterceptors>
            <ref bean="Timestamp_Request"/>
        </jaxws:outInterceptors>
    </jaxws:client>

    <bean 
        class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
        id="Timestamp_Request">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp Signature"/>
                <entry key="user" value="{key alias with spaces}"/>
                <entry key="passwordType" value="PasswordDigest"/>
                <entry key="signaturePropFile"
value="clientKeystore.properties"/>
            </map>
        </constructor-arg>
    </bean>

    <bean 
        class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
        id="Timestamp_Response">
        <constructor-arg>
            <map>
                <entry key="action" value="Timestamp"/>
            </map>
        </constructor-arg>
    </bean>
</beans>
/

*Here is my clientKeystore.properties file:*
/
org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
org.apache.ws.security.crypto.merlin.keystore.file=public_cert.jks
org.apache.ws.security.crypto.merlin.keystore.password={keystorepass}
org.apache.ws.security.crypto.merlin.keystore.type=jks
org.apache.ws.security.crypto.merlin.keystore.alias={key alias with spaces}
/

*Here is a snippet of my client, using the CXF-generated client until I can
get it working, then will be moving logic into my own classes:* 
/
...
        SpringBusFactory bf = new SpringBusFactory();
        URL busFile = {Client}.class.getResource("/wssec.xml");
        Bus bus = bf.createBus(busFile.toString());
        BusFactory.setDefaultBus(bus);

		// Out Interceptor
        Map<String, Object> outProps = new HashMap<String, Object>();
        outProps.put("action", "Timestamp Signature");

        outProps.put("passwordType", "PasswordDigest");
        outProps.put("user", "{key alias with spaces}");
        outProps.put("passwordCallbackClass",
"{package}.KeystorePasswordCallback");

        bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));

		// In Interceptor
        Map<String, Object> inProps = new HashMap<String, Object>();
        inProps.put("action", "Timestamp");

        bus.getInInterceptors().add(new WSS4JInInterceptor(inProps));

        SynchMethod ss = new SynchMethod(wsdlURL, SERVICE_NAME);
        SynchMethodSoap port = ss.getSynchMethodSoap();

        System.out.println("Invoking web service method...");
        {package}.ArrayOfResponse _return = port.{method}({params...});
        System.out.println("_rerturn=" + _return);
...
/
*
Here is my 'standard' KeystorePasswordCallback class:*
/
package {package}

import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.ws.security.WSPasswordCallback;
 
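/**
 * Callback handler that supplies key passwords to WSS4J.  Configure it with a
 * map of key-alias-to-password entries.  Passwords are kept in memory as plain
 * {@code String}s for the lifetime of the handler, so they cannot be wiped
 * after use; this class could be extended to decrypt or de-obfuscate stored
 * values on demand if that is a concern for the deployment.
 */
public class KeystorePasswordCallback implements CallbackHandler
{
    // Alias -> password. Stored by reference (see setPasswords/getPasswords),
    // so callers that populate the map directly are supported.
    private Map<String, String> passwords = new HashMap<String, String>();

    /**
     * Answers every {@link WSPasswordCallback} whose identifier (the key alias)
     * has a registered password.
     * <p>
     * All callbacks in the array are inspected rather than stopping at the
     * first match, so one call can satisfy several password requests.
     * Callbacks of other types, and aliases with no registered password, are
     * left untouched so the caller decides how an unanswered callback is treated.
     *
     * @param callbacks the callbacks to answer; {@code null} is treated as empty
     * @throws IOException declared by the interface; not thrown by this implementation
     * @throws UnsupportedCallbackException declared by the interface; not thrown by this implementation
     * @see javax.security.auth.callback.CallbackHandler#handle(javax.security.auth.callback.Callback[])
     */
    @Override
    public void handle(Callback[] callbacks) throws IOException,
            UnsupportedCallbackException {
        if (callbacks == null) {
            return;
        }
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                continue;
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            String pass = passwords.get(pc.getIdentifier());
            if (pass != null) {
                pc.setPassword(pass);
            }
        }
    }

    /**
     * Returns the live alias-to-password map.  Changes made to the returned
     * map are visible to {@link #handle(Callback[])}; this is the hook used
     * by Spring configuration and by callers that fill the map directly.
     *
     * @return the passwords map, never {@code null}
     */
    public Map<String, String> getPasswords() {
        return passwords;
    }

    /**
     * Replaces the alias-to-password map.  The map is stored by reference,
     * not copied, so later changes by the caller are seen by this handler.
     *
     * @param passwords the passwords to set; {@code null} clears all entries
     */
    public void setPasswords(Map<String, String> passwords) {
        this.passwords = passwords == null ? new HashMap<String, String>() : passwords;
    }
}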
/



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-tp5726168.html
Sent from the cxf-user mailing list archive at Nabble.com.

RE: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Rubicon <rn...@gmail.com>.
Thanks to all for your help, both direct and indirect...  I was able to get
the task completed using the ws-policy method referenced in the other
existing thread, but I still have an issue I'd like to resolve.  It turns
out CXF was unable to 'discover' my cxf.xml config file.  In order to get
the config to work, I added my jaxws:client config node into the cxf.xml in
the CXF runtime JAR and deployed that JAR.  

Obviously that is not ideal, but I was able to prove that I had the correct
jaxws:client config.  I had my cxf.xml file bundled in my JAR as a resource
at the root level, along with my .properties file, which it did find.  What
was I doing wrong?



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-tp5726168p5726333.html
Sent from the cxf-user mailing list archive at Nabble.com.

RE: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

It seems that CXF cannot match your client definition with WSDL.
Could you double check that name attribute in client is the same as the port name of the endpoint being created?

> One thing to note, in this WSDL, both the port and portType elements have
> the same value in the name attribute, "{foo}Soap".  Could this be causing an
> issue?
I haven't checked it, but I don't expect a problem with the same names.

Perhaps posting part of your WSDL would make the analysis easier.

Regards,
Andrei.


> -----Original Message-----
> From: Rubicon [mailto:rneuendorff@gmail.com]
> Sent: Freitag, 12. April 2013 17:07
> To: users@cxf.apache.org
> Subject: Re: CXF client to .NET web service attempting to create
> BinarySecurityToken (BST)
> 
> Thank you for all the help you've provided.  After my last update, I continued
> working on the WS-Policy path, changing the WSDL to use HTTPS, just to see
> if I could get a SOAP Envelope created with the desired headers.
> Then I verified with the vendor this morning that they do have SSL on the
> production host, so I am working toward that endpoint and have only
> glanced at the links you posted this morning.
> 
> Now that I have an HTTPS connection, the earlier error is gone, but I cannot
> get my jaxws:client name attribute set correctly (at least that's what the
> error is saying is a *potential *issue).
> 
> According to the DoubleIt example, the jaxws:client name should be in the
> form {namespace}port_name:
> 
> /
> <wsdl:definitions name="DoubleIt"
>   ...
> 
> targetNamespace="http://www.example.org/contract/DoubleIt"
>   ...
> </wsdl:definitions>
> 
> <wsdl:port name="DoubleItTransportEndorsingPort"
> binding="tns:DoubleItTransportEndorsingBinding">
>   <soap:address
> location="https://localhost:9002/DoubleItX509TransportEndorsing" />
> </wsdl:port> / produces jaxws:client name attribute as such:
> /
> <jaxws:client
> name="{http://www.example.org/contract/DoubleIt}DoubleItTransportEndorsingPort"
> createdFromAPI="true">
>   ...
> </jaxws:client>
> /
> 
> The WSDL I am working with has this (sensitive information obfuscated):
> 
> /
> <wsdl:definitions
>   ...
>   targetNamespace="{vendor.namespace}"
>   ...
> </wsdl:definitions>
> 
> <wsdl:portType name="{foo}Soap">
>   <wsdl:operation name="{bar}">
>     <wsdl:input message="tns:{bar}SoapIn" />
>     <wsdl:output message="tns:{bar}SoapOut" />
>   </wsdl:operation>
> </wsdl:portType>
> 
> <wsdl:port name="{foo}Soap" binding="tns:{foo}Soap">
>   <soap:address location="{_endpoint_url_}/apps/WS_{foo}/{foo}.asmx" />
> </wsdl:port>
> 
> <wsdl:service name="{foo}">
>   <wsdl:port name="{foo}Soap" binding="tns:{foo}Soap">
>     <soap:address location="{_endpoint_url_}/apps/WS_{foo}/{foo}.asmx" />
>   </wsdl:port>
>   <wsdl:port name="{foo}Soap12" binding="tns:{foo}Soap12">
>     <soap12:address location="{_endpoint_url_}/apps/WS_{foo}/{foo}.asmx"
> />
>   </wsdl:port>
> </wsdl:service>
> /
> 
> If the jaxws:client name attribute should be {namespace}port_name, then
> this should produce the following:
> /
> <jaxws:client name="{{vendor.namespace}}{foo}Soap"
> createdFromAPI="true">
>   <jaxws:properties>
>     <entry key="ws-security.callback-handler"
> value="client.KeystorePasswordCallback"/>
>     <entry key="ws-security.signature.properties"
> value="clientKeystore.properties"/>
>     <entry key="ws-security.signature.username" value="{key_alias}"/>
>   </jaxws:properties>
> </jaxws:client>
> /
> 
> But I get this error:
> WARNING: Interceptor for
> {{vendor.namespace}}{foo}#{{vendor.namespace}}{bar}
> has thrown exception, unwinding now
> org.apache.cxf.interceptor.Fault: Security configuration could not be
> detected. Potential cause: Make sure jaxws:client element with name
> attribute value matching endpoint port is defined as well as a ws-
> security.signature.properties element within it.
> 
> I have tried all of the following combinations, but keep getting the same
> error:
> <jaxws:client name="{{vendor.namespace}}{foo}Soap"
> createdFromAPI="true"> <jaxws:client name="{{vendor.namespace}}{foo}"
> createdFromAPI="true"> <jaxws:client name="{{vendor.namespace}}{bar}"
> createdFromAPI="true"> <jaxws:client
> name="{{vendor.namespace}}{foo}#{{vendor.namespace}}{bar}"
> createdFromAPI="true">
> 
> One thing to note, in this WSDL, both the port and portType elements have
> the same value in the name attribute, "{foo}Soap".  Could this be causing an
> issue?
> 
> In case the problem really was the attempt to access my
> clientKeystore.properties file, I have it bundled in my JAR as a resource, and
> in the local working directory and explicitly named in my classpath in hopes to
> take that issue out of the picture.
> 
> Thank you again for your help.  I really need to get this project behind me...
> 
> 
> 
> 
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-
> to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-
> tp5726168p5726224.html
> Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Rubicon <rn...@gmail.com>.
Thank you for all the help you've provided.  After my last update, I
continued working on the WS-Policy path, changing the WSDL to use HTTPS,
just to see if I could get a SOAP Envelope created with the desired headers. 
Then I verified with the vendor this morning that they do have SSL on the
production host, so I am working toward that endpoint and have only glanced
at the links you posted this morning.

Now that I have an HTTPS connection, the earlier error is gone, but I cannot
get my jaxws:client name attribute set correctly (at least that's what the
error is saying is a *potential* issue).

According to the DoubleIt example, the jaxws:client name should be in the
form {namespace}port_name:

/
<wsdl:definitions name="DoubleIt"
  ...
  targetNamespace="http://www.example.org/contract/DoubleIt"
  ...
</wsdl:definitions>

<wsdl:port name="DoubleItTransportEndorsingPort"
binding="tns:DoubleItTransportEndorsingBinding">
  <soap:address
location="https://localhost:9002/DoubleItX509TransportEndorsing" />
</wsdl:port>
/
produces jaxws:client name attribute as such:
/
<jaxws:client
name="{http://www.example.org/contract/DoubleIt}DoubleItTransportEndorsingPort"
createdFromAPI="true">
  ...
</jaxws:client>
/

The WSDL I am working with has this (sensitive information obfuscated):

/
<wsdl:definitions 
  ...
  targetNamespace="{vendor.namespace}"
  ...
</wsdl:definitions>

<wsdl:portType name="{foo}Soap">
  <wsdl:operation name="{bar}">
    <wsdl:input message="tns:{bar}SoapIn" />
    <wsdl:output message="tns:{bar}SoapOut" />
  </wsdl:operation>
</wsdl:portType>

<wsdl:port name="{foo}Soap" binding="tns:{foo}Soap">
  <soap:address location="{_endpoint_url_}/apps/WS_{foo}/{foo}.asmx" />
</wsdl:port>

<wsdl:service name="{foo}">
  <wsdl:port name="{foo}Soap" binding="tns:{foo}Soap">
    <soap:address location="{_endpoint_url_}/apps/WS_{foo}/{foo}.asmx" />
  </wsdl:port>
  <wsdl:port name="{foo}Soap12" binding="tns:{foo}Soap12">
    <soap12:address location="{_endpoint_url_}/apps/WS_{foo}/{foo}.asmx" />
  </wsdl:port>
</wsdl:service>
/

If the jaxws:client name attribute should be {namespace}port_name, then this
should produce the following: 
/
<jaxws:client name="{{vendor.namespace}}{foo}Soap" createdFromAPI="true">
  <jaxws:properties>
    <entry key="ws-security.callback-handler"
value="client.KeystorePasswordCallback"/>        
    <entry key="ws-security.signature.properties"
value="clientKeystore.properties"/>
    <entry key="ws-security.signature.username" value="{key_alias}"/>
  </jaxws:properties>
</jaxws:client>
/

But I get this error: 
WARNING: Interceptor for {{vendor.namespace}}{foo}#{{vendor.namespace}}{bar}
has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Security configuration could not be
detected. Potential cause: Make sure jaxws:client element with name
attribute value matching endpoint port is defined as well as a
ws-security.signature.properties element within it.

I have tried all of the following combinations, but keep getting the same
error:
<jaxws:client name="{{vendor.namespace}}{foo}Soap" createdFromAPI="true">
<jaxws:client name="{{vendor.namespace}}{foo}" createdFromAPI="true">
<jaxws:client name="{{vendor.namespace}}{bar}" createdFromAPI="true">
<jaxws:client name="{{vendor.namespace}}{foo}#{{vendor.namespace}}{bar}"
createdFromAPI="true">

One thing to note, in this WSDL, both the port and portType elements have
the same value in the name attribute, "{foo}Soap".  Could this be causing an
issue?

In case the problem really was the attempt to access my
clientKeystore.properties file, I have it bundled in my JAR as a resource,
and in the local working directory and explicitly named in my classpath in
hopes to take that issue out of the picture.

Thank you again for your help.  I really need to get this project behind
me...




--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-tp5726168p5726224.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Colm O hEigeartaigh <co...@apache.org>.
There is no really easy way to do this. The WS-SecurityPolicy approach will
only work with the TransportBinding, which is only applicable if the
endpoint is secured using TLS. The non-TLS bindings (Symmetric +
Asymmetric) will not work without signing/encrypting the request.

Probably the best approach is to write your own code to put the Timestamp +
BinarySecurityToken in the security header using WSS4J's internal
functionality. For example, here are some tests that manually add both a
Timestamp + BinarySecurityToken to the security header of a request:

http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/TimestampTest.java?view=markup
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/test/java/org/apache/ws/security/message/token/BinarySecurityTokenTest.java?view=markup

Colm.


On Thu, Apr 11, 2013 at 11:00 PM, Rubicon <rn...@gmail.com> wrote:

> I just need to create the security header with a Timestamp and the BST,
> without signing or encrypting...  I found this topic ( x 509 security token
> <http://cxf.547215.n5.nabble.com/x-509-security-token-td5150380.html>  )
> that seems to be more in the direction I need, so I have started chasing
> it...
>
> But now I am hitting an assertion: *HttpsToken could not be asserted: Not
> an
> HTTPs connection*
>
> The URL of the web service I am connecting to is HTTP://, not HTTPS://,
> but
> I cannot seem to change HttpsToken to HttpToken, even if I include older
> ws-security schemas that did have HttpToken.
>
> Am I on the right track?  How can I get past this?  Here is my policy:
>
> /
>   <wsdl:binding name="{method}Soap" type="tns:{method}Soap">
>     <wsp:PolicyReference URI="#{method}SupportingTokenPolicy" />
>    ....
>   </wsdl:binding>
> ....
>   <wsp:Policy wsu:Id="{method}SupportingTokenPolicy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:TransportBinding>
>         <wsp:Policy>
>           <sp:TransportToken>
>             <wsp:Policy>
>               <sp:HttpsToken>
>                 <wsp:Policy/>
>               </sp:HttpsToken>
>             </wsp:Policy>
>           </sp:TransportToken>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Lax />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic128 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>         </sp:TransportBinding>
>         <sp:SupportingTokens>
>         <wsp:Policy>
>           <sp:X509Token
>
> sp:IncludeToken="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> ">
>             <wsp:Policy>
>               <sp:WssX509V3Token10 />
>             </wsp:Policy>
>           </sp:X509Token>
>         </wsp:Policy>
>         </sp:SupportingTokens>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
> /
>
> Thanks again for everyone's help.
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-client-to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-tp5726168p5726189.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Rubicon <rn...@gmail.com>.
I just need to create the security header with a Timestamp and the BST,
without signing or encrypting...  I found this topic ( x 509 security token
<http://cxf.547215.n5.nabble.com/x-509-security-token-td5150380.html>  )
that seems to be more in the direction I need, so I have started chasing
it...

But now I am hitting an assertion: *HttpsToken could not be asserted: Not an
HTTPs connection*

The URL of the web service I am connecting to is HTTP://, not HTTPS://, but
I cannot seem to change HttpsToken to HttpToken, even if I include older
ws-security schemas that did have HttpToken.

Am I on the right track?  How can I get past this?  Here is my policy:

/
  <wsdl:binding name="{method}Soap" type="tns:{method}Soap">
    <wsp:PolicyReference URI="#{method}SupportingTokenPolicy" />
   ....
  </wsdl:binding>
....
  <wsp:Policy wsu:Id="{method}SupportingTokenPolicy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding>
  	<wsp:Policy>
  	  <sp:TransportToken>
  	    <wsp:Policy>
              <sp:HttpsToken>
                <wsp:Policy/>
              </sp:HttpsToken>
  	    </wsp:Policy>
  	  </sp:TransportToken>
  	  <sp:Layout>
  	    <wsp:Policy>
  	      <sp:Lax />
  	    </wsp:Policy>
  	  </sp:Layout>
  	  <sp:IncludeTimestamp />
  	  <sp:AlgorithmSuite>
  	    <wsp:Policy>
  	      <sp:Basic128 />
  	    </wsp:Policy>
  	  </sp:AlgorithmSuite>
  	</wsp:Policy>
        </sp:TransportBinding>
        <sp:SupportingTokens>
  	<wsp:Policy>
  	  <sp:X509Token
  	   
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
  	    <wsp:Policy>
  	      <sp:WssX509V3Token10 />
  	    </wsp:Policy>
  	  </sp:X509Token>
  	</wsp:Policy>
        </sp:SupportingTokens>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
/

Thanks again for everyone's help.




--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-tp5726168p5726189.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Glen Mazza <gl...@gmail.com>.
I believe Colm was referring to the fact that you will still need your 
own private key to sign requests, not the server's private key.  With 
the server's public key you can only validate server signatures as well 
as encrypt so that only the server can read the message.

Glen

On 04/11/2013 01:05 PM, Rubicon wrote:
> Okay, I was thinking the same thing, since all the docs I found referenced
> the certificate password...
>
> And yes, that is exactly what I am trying to do...  I am trying to use the
> X509 Certificate provided by the vendor to generate the BST.  The
> vendor-supplied sample shows the following SOAP header requirements:
>
> /
>    <soap:Header>
>      <wsa:Action>http://{vendor}/{method}</wsa:Action>
>     
> <wsa:MessageID>urn:uuid:cadc391c-77b3-43d4-8f45-7615c672e1b0</wsa:MessageID>
>      <wsa:ReplyTo>
>       
> <wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
>      </wsa:ReplyTo>
>      <wsa:To>http://{vendor}/{method}_Svc.asmx</wsa:To>
>      <wsse:Security soap:mustUnderstand="1">
>        <wsu:Timestamp
> wsu:Id="Timestamp-155b1d62-f628-4f8b-9dd4-ee6806f7f9bf">
>          <wsu:Created>2013-02-19T18:54:28Z</wsu:Created>
>          <wsu:Expires>2013-02-19T18:55:28Z</wsu:Expires>
>        </wsu:Timestamp>
>        <wsse:BinarySecurityToken
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>                                 
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
>                                 
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                                 
> wsu:Id="SecurityToken-eb10028a..............</wsse:BinarySecurityToken>
>      </wsse:Security>
>    </soap:Header>
> /
>
>
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-tp5726168p5726176.html
> Sent from the cxf-user mailing list archive at Nabble.com.


Re: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Rubicon <rn...@gmail.com>.
Okay, I was thinking the same thing, since all the docs I found referenced
the certificate password... 

And yes, that is exactly what I am trying to do...  I am trying to use the
X509 Certificate provided by the vendor to generate the BST.  The
vendor-supplied sample shows the following SOAP header requirements:

/
  <soap:Header>
    <wsa:Action>http://{vendor}/{method}</wsa:Action>
   
<wsa:MessageID>urn:uuid:cadc391c-77b3-43d4-8f45-7615c672e1b0</wsa:MessageID>
    <wsa:ReplyTo>
     
<wsa:Address>http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous</wsa:Address>
    </wsa:ReplyTo>
    <wsa:To>http://{vendor}/{method}_Svc.asmx</wsa:To>
    <wsse:Security soap:mustUnderstand="1">
      <wsu:Timestamp
wsu:Id="Timestamp-155b1d62-f628-4f8b-9dd4-ee6806f7f9bf">
        <wsu:Created>2013-02-19T18:54:28Z</wsu:Created>
        <wsu:Expires>2013-02-19T18:55:28Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
                               
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
                               
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                               
wsu:Id="SecurityToken-eb10028a..............</wsse:BinarySecurityToken>
    </wsse:Security>
  </soap:Header>
/




--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-tp5726168p5726176.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hold on a sec...you can't use Signature without having a private key! What
exactly are you trying to do, just include the BinarySecurityToken in the
security header?

Colm.


On Thu, Apr 11, 2013 at 5:41 PM, Rubicon <rn...@gmail.com> wrote:

> Sorry for the double-reply, but I do know I have the correct keystore
> password, as I can list the certificate using keytool.  As I understand it,
> there is no password on the certificate since it is only a public key.
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-client-to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-tp5726168p5726173.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Rubicon <rn...@gmail.com>.
Sorry for the double-reply, but I do know I have the correct keystore
password, as I can list the certificate using keytool.  As I understand it,
there is no password on the certificate since it is only a public key.



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-tp5726168p5726173.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Rubicon <rn...@gmail.com>.
Thank you for the quick response...  I am using CXF 2.7.4 on a Windows
platform.

I also tried moving the clientKeystore.properties file around as I
mentioned with the keystore... in the JAR as a resource, in the working
directory, and explicitly added in the classpath.  I even removed it
altogether and still get the same error.  How can I figure out where it is
expecting it and get past this?

Thanks.



--
View this message in context: http://cxf.547215.n5.nabble.com/CXF-client-to-NET-web-service-attempting-to-create-BinarySecurityToken-BST-tp5726168p5726172.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: CXF client to .NET web service attempting to create BinarySecurityToken (BST)

Posted by Colm O hEigeartaigh <co...@apache.org>.
It looks like either your Crypto properties file isn't being found, or else
it can't find the KeyStore referenced in the file, or perhaps that one of
the passwords isn't correct.

First of all, what version of CXF are you using?


On Thu, Apr 11, 2013 at 5:20 PM, Rubicon <rn...@gmail.com> wrote:

> Greetings all,  I am attempting to connect to a .NET web service using CXF.
> The requirements for the request's security headers are a Timestamp and a
> BinarySecurityToken from an X509 Certificate.  The response only includes a
> Timestamp.  I think it is important to note that I do not have any control
> over the web service, and we were provided a public key by the vendor to
> use
> for generating the BST, so we do not have the private key, nor a password
> for the key.
>
> I have been working from the CXF samples and have read every blog and
> mailing list post I can find, but am still having trouble.  I can
> successfully generate the Timestamp, and even a UsernameToken (which is not
> needed for this project), but I cannot get a BinarySecurityToken to
> generate.  When I add the 'Signature' action, I get this
> NullPointerException:
>
> /java.lang.NullPointerException at
>
> org.apache.ws.security.message.WSSecSignature.getSigningCerts(WSSecSignature.java:786)/
>
> I have read other posts that imply this error indicates the keystore either
> cannot be found, or cannot be opened.  I have tried putting the keystore in
> my JAR as a resource, in the local directory I am running from, in a
> different directory, explicitly referencing it in my classpath, etc., but
> to
> no avail.  If I include 'Signature' in the action, I get this error.
>
> I would greatly appreciate any help I can get on this.  Our team attempted
> this task using Axis2 for several weeks, and now I'm just starting a new
> approach using CXF and need to get it done ASAP.  Now I seem to be at about
> the same roadblock the Axis2 route got to...
>
> Thank you all.
>
> Note: in my source snippets, I have used {} to indicate masked items to
> protect sensitive information
> *Here is my cxf.xml file:*
>
> /<beans xmlns="http://www.springframework.org/schema/beans"
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>    xmlns:jaxws="http://cxf.apache.org/jaxws"
>    xsi:schemaLocation="http://www.springframework.org/schema/beans
>    http://www.springframework.org/schema/beans/spring-beans.xsd
>    http://cxf.apache.org/jaxws
>    http://cxf.apache.org/schemas/jaxws.xsd">
>
>     <jaxws:client name="STWebService-CXF" createdFromAPI="true">
>
>         <jaxws:inInterceptors>
>             <ref bean="Timestamp_Response"/>
>             <bean
> class="org.apache.cxf.ws.security.wss4j.DefaultCryptoCoverageChecker"/>
>         </jaxws:inInterceptors>
>         <jaxws:outInterceptors>
>             <ref bean="Timestamp_Request"/>
>         </jaxws:outInterceptors>
>     </jaxws:client>
>
>     <bean
>         class="org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor"
>         id="Timestamp_Request">
>         <constructor-arg>
>             <map>
>                 <entry key="action" value="Timestamp Signature"/>
>                 <entry key="user" value="{key alias with spaces}"/>
>                 <entry key="passwordType" value="PasswordDigest"/>
>                 <entry key="signaturePropFile"
> value="clientKeystore.properties"/>
>             </map>
>         </constructor-arg>
>     </bean>
>
>     <bean
>         class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor"
>         id="Timestamp_Response">
>         <constructor-arg>
>             <map>
>                 <entry key="action" value="Timestamp"/>
>             </map>
>         </constructor-arg>
>     </bean>
> </beans>
> /
>
> *Here is my clientKeystore.properties file:*
> /
>
> org.apache.ws.security.crypto.provider=org.apache.ws.security.components.crypto.Merlin
> org.apache.ws.security.crypto.merlin.keystore.file=public_cert.jks
> org.apache.ws.security.crypto.merlin.keystore.password={keystorepass}
> org.apache.ws.security.crypto.merlin.keystore.type=jks
> org.apache.ws.security.crypto.merlin.keystore.alias={key alias with spaces}
> /
>
> *Here is a snippet of my client, using the CXF-generated client until I can
> get it working, then will be moving logic into my own classes:*
> /
> ...
>         SpringBusFactory bf = new SpringBusFactory();
>         URL busFile = {Client}.class.getResource("/wssec.xml");
>         Bus bus = bf.createBus(busFile.toString());
>         BusFactory.setDefaultBus(bus);
>
>                 // Out Interceptor
>         Map<String, Object> outProps = new HashMap<String, Object>();
>         outProps.put("action", "Timestamp Signature");
>
>         outProps.put("passwordType", "PasswordDigest");
>         outProps.put("user", "{key alias with spaces}");
>         outProps.put("passwordCallbackClass",
> "{package}.KeystorePasswordCallback");
>
>         bus.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
>
>                 // In Interceptor
>         Map<String, Object> inProps = new HashMap<String, Object>();
>         inProps.put("action", "Timestamp");
>
>         bus.getInInterceptors().add(new WSS4JInInterceptor(inProps));
>
>         SynchMethod ss = new SynchMethod(wsdlURL, SERVICE_NAME);
>         SynchMethodSoap port = ss.getSynchMethodSoap();
>
>         System.out.println("Invoking web service method...");
>         {package}.ArrayOfResponse _return = port.{method}({params...});
>         System.out.println("_rerturn=" + _return);
> ...
> /
> *
> Here is my 'standard' KeystorePasswordCallback class:*
> /
> package {package}
>
> import java.io.IOException;
> import java.util.HashMap;
> import java.util.Map;
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.UnsupportedCallbackException;
> import org.apache.ws.security.WSPasswordCallback;
>
> /**
>  * Really callback for key passwords.  Configure it with a map
>  * of key-alias-to-password mappings.  Obviously this could
>  * be extended to encrypt or obfuscate these passwords if desired.
>  */
> public class KeystorePasswordCallback implements CallbackHandler
> {
>     private Map<String, String> passwords = new HashMap<String, String>();
>     /**
>      * {@inheritDoc}
>      *
>      * @see
>
> javax.security.auth.callback.CallbackHandler#handle(javax.security.auth.callback.Callback[])
>      */
>     public void handle(Callback[] callbacks) throws IOException,
> UnsupportedCallbackException {
>         for (Callback callback : callbacks) {
>             if (callback instanceof WSPasswordCallback) {
>                 WSPasswordCallback pc = (WSPasswordCallback)callback;
>
>                 String pass = passwords.get(pc.getIdentifier());
>                 if (pass != null) {
>                     pc.setPassword(pass);
>                     return;
>                 }
>             }
>         }
>     }
>     /**
>      * @return the passwords
>      */
>     public Map<String, String> getPasswords() {
>         return passwords;
>     }
>     /**
>      * @param passwords the passwords to set
>      */
>     public void setPasswords(Map<String, String> passwords) {
>         this.passwords = passwords;
>     }
> }
> /
>
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com