You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by Mihai Vasilache <mi...@esolutions.ro> on 2011/09/21 13:35:17 UTC

Authentication with an X509Token against an STS Server.

Hello!

We have a Metro STS server that accepts X509Tokens for authentication.
We want to create a CXF client that authenticates against the STS server
with an X509 Token, and then, with the retrieved SAML token, calls the
Service Provider.

Starting from Glen Mazza's article:
http://www.jroller.com/gmazza/entry/cxf_stsclient_metro_sts
I have tried to change the UsernameToken authentication to X509Token.

Do you have any idea if this can be accomplished? - X509Token
authentication against STS?

Here is my cxf client configuration:

<beans xmlns="http://www.springframework.org/schema/beans"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:jaxws="http://cxf.apache.org/jaxws"
   xmlns:cxf="http://cxf.apache.org/core"
   xmlns:p="http://cxf.apache.org/policy"
   xsi:schemaLocation="
http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://cxf.apache.org/core http://cxf.apache.org/schemas/core.xsd
http://cxf.apache.org/jaxws http://cxf.apache.org/schemas/jaxws.xsd
http://cxf.apache.org/policy http://cxf.apache.org/schemas/policy.xsd">

    <jaxws:client name="{http://www.osiam.org/contract/DoubleIt}DoubleItPort"
                  createdFromAPI="true">
        <jaxws:features>
            <wsa:addressing xmlns:wsa="http://cxf.apache.org/ws/addressing"/>
        </jaxws:features>

        <jaxws:properties>
            <entry key="ws-security.sts.client">
                <bean class="org.apache.cxf.ws.security.trust.STSClient">
                    <constructor-arg ref="cxf"/>
                    <property name="wsdlLocation" value="OsiamSTSService.wsdl"/>
                    <property name="serviceName" value="{http://tempuri.org/}OsiamSTSService"/>
                    <property name="endpointName" value="{http://tempuri.org/}IOsiamSTSService_Port"/>
                    <property name="properties">
                        <map>
                            <entry key="ws-security.sts.token.username" value="mywsckey"/>
                            <entry key="ws-security.username" value="mywsckey"/>
                            <entry key="ws-security.callback-handler" value="client.UTCallbackHandler"/>
                            <entry key="ws-security.encryption.properties" value="clientKeystore.properties"/>
                            <entry key="ws-security.signature.properties" value="clientKeystore.properties"/>
                            <entry key="ws-security.encryption.username" value="mywsckey"/>
                            <entry key="ws-security.is-bsp-compliant" value="false"/>
                            <entry key="ws-security.sts.applies-to" value="http://localhost:8080/osiam-sts-wsp/services/wsp"/>
                        </map>
                    </property>
                </bean>
            </entry>
        </jaxws:properties>
    </jaxws:client>
</beans>

I have put in ws-security.username the name of the client's private key,
and in the ws-security.encryption.username property the same key, even
though I think it should be the server's public certificate. If I put the
server's public certificate there, then the UTCallbackHandler asks for a
password.... what password?

With the above configuration I get:

WARNING: Interceptor for
{http://www.osiam.org/contract/DoubleIt}DoubleItService#{http://www.osiam.org/contract/DoubleIt}DoubleIt has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: General security error
(WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
{null}null)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:372)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
	at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
	at $Proxy25.doubleIt(Unknown Source)
	at client.WSClient.doubleIt(WSClient.java:41)
	at client.WSClient.main(WSClient.java:34)
Caused by: org.apache.cxf.ws.policy.PolicyException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
	... 21 more
Exception in thread "main" javax.xml.ws.soap.SOAPFaultException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
	at $Proxy25.doubleIt(Unknown Source)
	at client.WSClient.doubleIt(WSClient.java:41)
	at client.WSClient.main(WSClient.java:34)
Caused by: org.apache.cxf.ws.policy.PolicyException: General security error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found: {null}null)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doEncryption(SymmetricBindingHandler.java:558)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:366)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.handleBinding(SymmetricBindingHandler.java:117)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:161)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:88)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:537)
	at org.apache.cxf.ws.security.trust.STSClient.requestSecurityToken(STSClient.java:447)
	at org.apache.cxf.ws.security.policy.interceptors.IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage(IssuedTokenInterceptorProvider.java:152)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:263)
	at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:510)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:440)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:343)
	at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:295)
	at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
	at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:124)
	... 3 more


There is another Glen Mazza's article:
http://www.jroller.com/gmazza/entry/cxf_x509_profile

There, the client authenticates with the Service Provider directly with an
X509Token by configuring a WSS4JOutInterceptor.
I have no idea how to combine these 2 examples to make the STS call with
X509 authentication.
Does someone have experience with this use case?

Thank you,
Mihai


Re: Authentication with an X509Token against an STS Server.

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Mihai,

> You are using an <sp:AsymmetricBinding> with no
> <sp:SignedEncryptedSupportingTokens> for the X509Token authentication
> use-case. My tests are working if i am configuring in this way.

Why are you adding a SignedEncryptedSupportingToken policy consisting
of an X509Token? What are your security requirements? The Asymmetric
binding should satisfy the requirement for X509Token authentication.

> However if i add this SignedEncryptedSupportingTokens in the client's
> copy, the client is throwing an exception, and the call to STS does not
> happen:

It won't work, as the certificate is added as part of the signature
process, whereas tokens to sign/encrypt are retrieved before the
signature process, and so it won't find the certificate. This is a bug
I guess, but hardly a common one.

Colm.

On Thu, Sep 22, 2011 at 2:13 PM, Mihai Vasilache
<mi...@esolutions.ro> wrote:
> Hi Glen,
>
> Thank you very much for your answer.
> I've tried your jaxws-ws-trust example.
> You are using an <sp:AsymmetricBinding> with no
> <sp:SignedEncryptedSupportingTokens> for the X509Token authentication
> use-case. My tests are working if I configure it this way.
>
> If I add a:
> <sp:SignedEncryptedSupportingTokens>
>    <wsp:Policy>
>        <wsp:ExactlyOne>
>            <wsp:All wsu:Id="X509TokenPolicyAlternative">
>                <wsp:Policy>
>                    <sp:X509Token
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                        <wsp:Policy>
>                            <sp:WssX509V3Token10/>
>                            <sp:RequireIssuerSerialReference/>
>                        </wsp:Policy>
>                    </sp:X509Token>
>                </wsp:Policy>
>            </wsp:All>
>        </wsp:ExactlyOne>
>    </wsp:Policy>
> </sp:SignedEncryptedSupportingTokens>
>
> to the STS server WSDL, and not to the client's copy, then the server
> validates the certificate (enters the validator) and throws:
>
> Caused by: com.sun.xml.wss.XWSSecurityException: Policy verification
> error:Missing target BinarySecurityToken for Signature
>        at com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl.resolveAndVerifyTargets(TargetResolverImpl.java:115)
>        at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.checkTargets(MessagePolicyVerifier.java:454)
>        at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.processPrimaryPolicy(MessagePolicyVerifier.java:341)
>        at com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:146)
>
>
> The server expects something else if I add a
> SignedEncryptedSupportingTokens.
>
> However, if I add this SignedEncryptedSupportingTokens to the client's
> copy, the client throws an exception, and the call to the STS does not
> happen:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: General security
> error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
> {null}null)
>        at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
>        at org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doEncryption(AsymmetricBindingHandler.java:374)
>        at org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doSignBeforeEncrypt(AsymmetricBindingHandler.java:168)
>        at org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.handleBinding(AsymmetricBindingHandler.java:96)
>        at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:164)
> ......
>
>
> Do you have any idea what more the CXF client wants?
>
> I saw that you are using 2 endpoints in your examples, one for each
> authentication type. In fact I want to use a single endpoint with 2
> alternatives. I managed to cheat Metro into accepting it. I've posted an
> answer to the Metro mailing list:
> http://markmail.org/search/?q=list%3Anet.java.dev.metro.users#query:list%3Anet.java.dev.metro.users+page:1+mid:3757ci3ob27otl7r+state:results
>
> The problem with the Metro client is that it always picks the first
> alternative, while CXF doesn't know how to handle
> <sp:SignedEncryptedSupportingTokens>
> ...
>    <sp:X509Token/>
> ...
> </sp:SignedEncryptedSupportingTokens>
>
> or I don't know how to configure it.
>
>
> Thank you,
> Mihai
>
>
>
> On Wed, 2011-09-21 at 08:44 -0400, Glen Mazza wrote:
>> Hi, Talend Service Factory's free examples package has a jaxws-ws-trust
>> example, which shows how to use both UT and X509 to make the STS call,
>> between a CXF client and the Metro STS.  Please check the README for
>> more information.
>>
>> http://www.talend.com/download.php#IF (Click on User Documentation and
>> Examples at the bottom).
>>
>> HTH,
>> Glen



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com

Re: Authentication with an X509Token against an STS Server.

Posted by Mihai Vasilache <mi...@esolutions.ro>.
Hello again.
Is anybody using X509Token authentication? Because I don't know if
this is a CXF bug or I am missing something in the CXF configuration.

I've found in
org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder

this code:

        } else if (token instanceof X509Token) {
            //We have to use a cert
            //Prepare X509 signature
            WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
            Element bstElem = sig.getBinarySecurityTokenElement();
            if (bstElem != null) {
                sig.prependBSTElementToHeader(secHeader);
            }
            if (suppTokens.isEncryptedToken()) {
                encryptedTokensIdList.add(sig.getBSTTokenId());
            }
            ret.put(token, sig);
        } else if (token instanceof KeyValueToken) {
            WSSecSignature sig = getSignatureBuilder(suppTokens, token, endorse);
            if (suppTokens.isEncryptedToken()) {
                encryptedTokensIdList.add(sig.getBSTTokenId());
            }
            ret.put(token, sig);
        } else if (token instanceof SamlToken) {
            AssertionWrapper assertionWrapper = addSamlToken((SamlToken)token);
            if (assertionWrapper != null) {
                addSupportingElement(assertionWrapper.toDOM(saaj.getSOAPPart()));
                ret.put(token, assertionWrapper);
            }
        }




After sig.prependBSTElementToHeader(secHeader), sig.getBSTTokenId()
becomes null, causing:

org.apache.cxf.ws.policy.PolicyException: General security error
(WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
{null}null)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
	at org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doEncryption(AsymmetricBindingHandler.java:374)

The token id is still accessible from bstElem.


Mihai


On Thu, 2011-09-22 at 16:13 +0300, Mihai Vasilache wrote:
> Hi Glen,
> 
> Thank you very much for your answer.
> I've tried your jaxws-ws-trust example.
> You are using an <sp:AsymmetricBinding> with no
> <sp:SignedEncryptedSupportingTokens> for the X509Token authentication
> use-case. My tests are working if i am configuring in this way.
> 
> If I add a:
> <sp:SignedEncryptedSupportingTokens>
>     <wsp:Policy>
>         <wsp:ExactlyOne>
>             <wsp:All wsu:Id="X509TokenPolicyAlternative">
>                 <wsp:Policy>
>                     <sp:X509Token 
> sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                         <wsp:Policy>
>                             <sp:WssX509V3Token10/>
>                             <sp:RequireIssuerSerialReference/>
>                         </wsp:Policy>
>                     </sp:X509Token>
> 		</wsp:Policy>
>             </wsp:All>
>         </wsp:ExactlyOne>
>     </wsp:Policy>
> </sp:SignedEncryptedSupportingTokens>
> 
> to the STS server wsdl, and not in the client's copy, then the server is
> validating the certificate (enters in the validator) and throws a:
> 
> Caused by: com.sun.xml.wss.XWSSecurityException: Policy verification
> error:Missing target BinarySecurityToken for Signature
> 	at
> com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl.resolveAndVerifyTargets(TargetResolverImpl.java:115)
> 	at
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.checkTargets(MessagePolicyVerifier.java:454)
> 	at
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.processPrimaryPolicy(MessagePolicyVerifier.java:341)
> 	at
> com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:146)
> 
> 
> The server expects something else if i add an
> SignedEncryptedSupportingTokens.
> 
> However if i add this SignedEncryptedSupportingTokens in the client's
> copy, the client is throwing an exception, and the call to STS does not
> happen:
> 
> Caused by: org.apache.cxf.ws.policy.PolicyException: General security
> error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
> {null}null)
> 	at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
> 	at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doEncryption(AsymmetricBindingHandler.java:374)
> 	at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doSignBeforeEncrypt(AsymmetricBindingHandler.java:168)
> 	at
> org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.handleBinding(AsymmetricBindingHandler.java:96)
> 	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
> $PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:164)
> ......
> 
> 
> Do you have any idea what the CXF client wants more?
> 
> I've saw that you are using 2 endpoints in your examples, one for each
> authentication type. In fact i want to use a single endpoint with 2
> alternatives. I manage to cheat metro to accept it. I've post an answer
> to Metro mailing list: 
> http://markmail.org/search/?q=list%3Anet.java.dev.metro.users#query:list
> %3Anet.java.dev.metro.users+page:1+mid:3757ci3ob27otl7r+state:results
> 
> The problem with the Metro client is that is always picking the first
> alternative, while CXF doesn't know how to handle 
> <sp:SignedEncryptedSupportingTokens>
> ...
>     <sp:X509Token/>
> ...
> </sp:SignedEncryptedSupportingTokens>
> 
> or i don't know to configure it.
> 
> 
> Thank you,
> Mihai



Re: Authentication with a X509Token against a STS Server.

Posted by Mihai Vasilache <mi...@esolutions.ro>.
Hi Glen,

Thank you very much for your answer.
I've tried your jaxws-ws-trust example.
You are using an <sp:AsymmetricBinding> with no
<sp:SignedEncryptedSupportingTokens> for the X509Token authentication
use-case. My tests are working if I configure it this way.

If I add a:
<sp:SignedEncryptedSupportingTokens>
    <wsp:Policy>
        <wsp:ExactlyOne>
            <wsp:All wsu:Id="X509TokenPolicyAlternative">
                <wsp:Policy>
                    <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                        <wsp:Policy>
                            <sp:WssX509V3Token10/>
                            <sp:RequireIssuerSerialReference/>
                        </wsp:Policy>
                    </sp:X509Token>
                </wsp:Policy>
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>
</sp:SignedEncryptedSupportingTokens>

to the STS server WSDL, and not to the client's copy, then the server
validates the certificate (it enters the validator) and throws a:

Caused by: com.sun.xml.wss.XWSSecurityException: Policy verification
error:Missing target BinarySecurityToken for Signature
	at
com.sun.xml.ws.security.opt.impl.incoming.TargetResolverImpl.resolveAndVerifyTargets(TargetResolverImpl.java:115)
	at
com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.checkTargets(MessagePolicyVerifier.java:454)
	at
com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.processPrimaryPolicy(MessagePolicyVerifier.java:341)
	at
com.sun.xml.wss.impl.policy.verifier.MessagePolicyVerifier.verifyPolicy(MessagePolicyVerifier.java:146)


The server expects something else if I add a
SignedEncryptedSupportingTokens.

However, if I add this SignedEncryptedSupportingTokens to the client's
copy, the client throws an exception and the call to the STS does not
happen:

Caused by: org.apache.cxf.ws.policy.PolicyException: General security
error (WSEncryptBody/WSSignEnvelope: Element to encrypt/sign not found:
{null}null)
	at
org.apache.cxf.ws.security.wss4j.policyhandlers.AbstractBindingBuilder.policyNotAsserted(AbstractBindingBuilder.java:295)
	at
org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doEncryption(AsymmetricBindingHandler.java:374)
	at
org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.doSignBeforeEncrypt(AsymmetricBindingHandler.java:168)
	at
org.apache.cxf.ws.security.wss4j.policyhandlers.AsymmetricBindingHandler.handleBinding(AsymmetricBindingHandler.java:96)
	at org.apache.cxf.ws.security.wss4j.PolicyBasedWSS4JOutInterceptor
$PolicyBasedWSS4JOutInterceptorInternal.handleMessage(PolicyBasedWSS4JOutInterceptor.java:164)
......


Do you have any idea what more the CXF client wants?

I saw that you are using 2 endpoints in your examples, one for each
authentication type. In fact I want to use a single endpoint with 2
alternatives. I managed to cheat Metro into accepting it. I've posted an
answer to the Metro mailing list:
http://markmail.org/search/?q=list%3Anet.java.dev.metro.users#query:list%3Anet.java.dev.metro.users+page:1+mid:3757ci3ob27otl7r+state:results

The problem with the Metro client is that it always picks the first
alternative, while CXF doesn't know how to handle
<sp:SignedEncryptedSupportingTokens>
...
    <sp:X509Token/>
...
</sp:SignedEncryptedSupportingTokens>

or I don't know how to configure it.


Thank you,
Mihai



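As an added example (not code from this thread, from CXF or from Metro), a small Python inspector for the policy alternatives discussed above: it lists, per sp:*SupportingTokens container, the wsp:All alternatives and the token assertions each one carries, so you can see what a consumer that always takes the first alternative would send and in which container an X509Token sits. It assumes WS-SecurityPolicy 1.2 (200702) and either WS-Policy namespace; both sample policies are constructed, with the X509 alternative mirroring the fragment posted above.

```python
"""Inspect WS-SecurityPolicy supporting-token alternatives (added example,
not code from the thread, CXF or Metro). Assumes WS-SecurityPolicy 1.2
(200702) and either WS-Policy namespace; the sample policies are constructed.
"""
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSU = ("http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd")
WSP_NS = {"http://schemas.xmlsoap.org/ws/2004/09/policy",
          "http://www.w3.org/ns/ws-policy"}
SUPPORTING = {"SupportingTokens", "SignedSupportingTokens",
              "EncryptedSupportingTokens", "SignedEncryptedSupportingTokens",
              "EndorsingSupportingTokens", "SignedEndorsingSupportingTokens",
              "SignedEncryptedEndorsingSupportingTokens"}
TOKENS = {"X509Token", "UsernameToken", "IssuedToken", "SamlToken",
          "KerberosToken", "SecureConversationToken", "SecurityContextToken"}
INCLUDE, WSU_ID = "{%s}IncludeToken" % SP, "{%s}Id" % WSU
ALWAYS = SP + "/IncludeToken/AlwaysToRecipient"

# Constructed sample: one container, two alternatives. The X509 alternative
# mirrors the fragment posted above; the UsernameToken alternative is assumed.
ALT_POLICY = """<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <sp:SignedEncryptedSupportingTokens>
    <wsp:Policy>
      <wsp:ExactlyOne>
        <wsp:All wsu:Id="UsernameTokenPolicyAlternative">
          <wsp:Policy>
            <sp:UsernameToken sp:IncludeToken="%s">
              <wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>
            </sp:UsernameToken>
          </wsp:Policy>
        </wsp:All>
        <wsp:All wsu:Id="X509TokenPolicyAlternative">
          <wsp:Policy>
            <sp:X509Token sp:IncludeToken="%s">
              <wsp:Policy>
                <sp:WssX509V3Token10/>
                <sp:RequireIssuerSerialReference/>
              </wsp:Policy>
            </sp:X509Token>
          </wsp:Policy>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
  </sp:SignedEncryptedSupportingTokens>
</wsp:Policy>""" % (ALWAYS, ALWAYS)

# Constructed sample without wsp:ExactlyOne: the container is one alternative.
SINGLE_POLICY = """<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
  <sp:SupportingTokens><wsp:Policy>
    <sp:X509Token sp:IncludeToken="%s">
      <wsp:Policy><sp:WssX509V3Token10/></wsp:Policy>
    </sp:X509Token>
  </wsp:Policy></sp:SupportingTokens>
</wsp:Policy>""" % ALWAYS

def _local(tag):  # "{ns}All" -> "All"; comments/PIs have non-string tags
    return tag.rsplit("}", 1)[-1] if isinstance(tag, str) else ""

def _ns(tag):  # "{ns}All" -> "ns"
    return tag[1:].split("}", 1)[0] if isinstance(tag, str) and "}" in tag else ""

def _token_info(tok):
    """Token type, IncludeToken mode (last URI segment) and nested qualifiers."""
    include = tok.get(INCLUDE)
    return {"type": _local(tok.tag),
            "include": include.rsplit("/", 1)[-1] if include else None,
            "requires": [_local(c.tag) for pol in tok
                         if _local(pol.tag) == "Policy" for c in pol]}

def _tokens_under(elem):
    return [_token_info(t) for t in elem.iter()
            if _ns(t.tag) == SP and _local(t.tag) in TOKENS]

def describe_supporting_tokens(policy_xml):
    """[{container, alternatives: [{id, tokens}]}] per sp:*SupportingTokens."""
    out = []
    for cont in ET.fromstring(policy_xml).iter():
        if _ns(cont.tag) != SP or _local(cont.tag) not in SUPPORTING:
            continue
        alls = [e for e in cont.iter()
                if _ns(e.tag) in WSP_NS and _local(e.tag) == "All"]
        if alls:  # explicit wsp:ExactlyOne / wsp:All alternatives
            alts = [{"id": a.get(WSU_ID), "tokens": _tokens_under(a)} for a in alls]
        else:  # no ExactlyOne: the whole container is a single alternative
            alts = [{"id": None, "tokens": _tokens_under(cont)}]
        out.append({"container": _local(cont.tag), "alternatives": alts})
    return out

def first_alternative_tokens(policy_xml):
    """Token types per container that a first-alternative-only consumer uses."""
    return {c["container"]: [t["type"] for t in c["alternatives"][0]["tokens"]]
            for c in describe_supporting_tokens(policy_xml)}

if __name__ == "__main__":
    for name, pol in (("ALT_POLICY", ALT_POLICY), ("SINGLE_POLICY", SINGLE_POLICY)):
        print(name, describe_supporting_tokens(pol))
        print("  first alternative ->", first_alternative_tokens(pol))
```

Run against the real WSDL's policy block to confirm which alternative comes first; with ALT_POLICY the first alternative is the UsernameToken one, which is what a first-alternative-only consumer would send.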



Re: Authentication with a X509Token against a STS Server.

Posted by Glen Mazza <gl...@gmail.com>.
Hi, Talend Service Factory's free examples package has a jaxws-ws-trust 
example, which shows how to use both UT and X509 to make the STS call, 
between a CXF client and the Metro STS.  Please check the README for 
more information.

http://www.talend.com/download.php#IF (Click on User Documentation and 
Examples at the bottom).

HTH,
Glen




-- 
Glen Mazza
Talend - http://www.talend.com/ai
Blog - http://www.jroller.com/gmazza
Twitter - glenmazza