Posted to dev@cxf.apache.org by lotos <sp...@gmail.com> on 2014/04/26 01:48:54 UTC
Http proxy with STS
I just faced the problem that if I use an HTTP proxy and STS at the same
time, it doesn't work.
The conversation regarding the security token doesn't go through the proxy. Only
the main request goes through the proxy. As a result it's not possible to get
that token at all.
*Is it possible to force CXF to use the proxy for all network communications?*
*Java code for proxy*
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;

// Proxy settings are applied to the conduit of the main service client only
Client client = ClientProxy.getClient(port);
HTTPConduit http = (HTTPConduit) client.getConduit();
HTTPClientPolicy httpClientPolicy = new HTTPClientPolicy();
httpClientPolicy.setProxyServer("localhost");
httpClientPolicy.setProxyServerPort(3128);
http.setClient(httpClientPolicy);
*Policy part of the WSDL:*
<wsp:Policy wsu:Id="WSHttpBinding_IAccountService_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken
RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:SecureConversationToken
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:BootstrapPolicy>
<wsp:Policy>
<sp:SignedParts>
<sp:Body/>
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
<sp:EncryptedParts>
<sp:Body/>
</sp:EncryptedParts>
<sp:TransportBinding>
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken
RequireClientCertificate="false"/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
<sp:SignedParts>
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefThumbprint/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust10>
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
</wsp:Policy>
</sp:BootstrapPolicy>
</wsp:Policy>
</sp:SecureConversationToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy/>
</sp:Wss11>
<sp:Trust10
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust10>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
--
View this message in context: http://cxf.547215.n5.nabble.com/Http-proxy-with-STS-tp5743324.html
Sent from the cxf-dev mailing list archive at Nabble.com.
Re: Http proxy with STS
Posted by Jason Pell <ja...@pellcorp.com>.
Hi,
Just noticed this thread. I have managed to be able to configure the
conduit using properties, but it's not exactly standard. And it won't work
with OSGi. It's documented here:
https://issues.apache.org/jira/browse/CXF-4811?focusedCommentId=13578150&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-13578150
On Thu, May 1, 2014 at 7:09 PM, Colm O hEigeartaigh <co...@apache.org>
wrote:
> [...]
Re: Http proxy with STS
Posted by Colm O hEigeartaigh <co...@apache.org>.
I'm not sure...I tried a few different options for the STS QName, but
nothing worked.
Colm.
On Wed, Apr 30, 2014 at 9:25 PM, lotos <sp...@gmail.com> wrote:
> [...]
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: Http proxy with STS
Posted by lotos <sp...@gmail.com>.
Yes, you are right.
<http-conf:conduit name="https://localhost:.*"> works. I didn't notice the
asterisk before.
But how do I do it via XML config? I need it because the proxy will be
configured by system variables.
Sergei
Re: Http proxy with STS
Posted by Colm O hEigeartaigh <co...@apache.org>.
Could you try with an http conduit based on the address instead, e.g.:
<http-conf:conduit name="https://localhost:.*">
<http-conf:client ProxyServer="localhost" ProxyServerPort="3128" />
</http-conf:conduit>
I've tried this with CXF 3.0.0-SNAPSHOT and the SecureConversation code
does pick up the proxy settings...
Colm.
On Tue, Apr 29, 2014 at 4:28 PM, lotos <sp...@gmail.com> wrote:
> [...]
Re: Http proxy with STS
Posted by lotos <sp...@gmail.com>.
I see a timeout too, but only for the second request.
The first request doesn't use the proxy:
28.04.2014 16:37:01
org.apache.cxf.services.SecurityTokenService.SecurityTokenService.SecurityTokenService
INFO: Outbound Message
---------------------------
ID: 1
Address: https://....URL...../account/
Encoding: UTF-8
Http-Method: POST
Content-Type: application/soap+xml;
action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT"
Headers: {Accept=[*/*]}
Payload: <soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header>........</wst:RequestSecurityToken></soap:Body></soap:Envelope>
--------------------------------------
28.04.2014 16:37:01
org.apache.cxf.services.SecurityTokenService.SecurityTokenService.SecurityTokenService
INFO: Inbound Message
----------------------------
ID: 1
Response-Code: 200
Encoding: UTF-8
Content-Type: application/soap+xml; charset=utf-8
Headers: {Cache-Control=[private], Content-Length=[2329],
content-type=[application/soap+xml; charset=utf-8], Date=[Mon, 28 Apr 2014
20:37:03 GMT], P3P=[CP="NOI ADM DEV PSAi COM NAV OUR OTR STP IND DEM"],
Server=[Microsoft-IIS/7.5],
Set-Cookie=[ASP.NET_SessionId=gdst00ndzizcvhbmnmt3pao3; path=/; HttpOnly],
X-AspNet-Version=[4.0.30319]}
Payload: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">..........</t:KeySize></t:RequestSecurityTokenResponse></s:Body></s:Envelope>
Different variants were tried; here is one of them with XML configuration:
<http-conf:conduit
name="{...blablabla...}WSHttpBinding_IAccountService.http-conduit">
<http-conf:client ProxyServer="localhost" ProxyServerPort="3128" />
</http-conf:conduit>
*Here is the workaround with features:*
<beans xmlns="....">
<cxf:bus>
<cxf:features>
<cxf:logging/>
<p:policies/>
</cxf:features>
</cxf:bus>
<jaxws:client name="{....blablabla....}WSHttpBinding_IAccountService"
createdFromAPI="true">
<jaxws:properties>
<entry key="ws-security.signature.properties"
value="etc/Client_Sign.properties"/>
<entry key="ws-security.callback-handler"
value="demo.wssec.client.UTPasswordCallback" />
<entry key="ws-security.sts.client">
<bean class="org.apache.cxf.ws.security.trust.STSClient">
<constructor-arg ref="cxf"/>
<property name="features">
<beans:list>
<bean class="demo.wssec.client.ClientProxyFeature"/>
</beans:list>
</property>
</bean>
</entry>
</jaxws:properties>
<jaxws:features>
<bean class="demo.wssec.client.ClientProxyFeature"/>
</jaxws:features>
</jaxws:client>
</beans>
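The ClientProxyFeature that the workaround above attaches to both the jaxws:client and the STSClient is not shown in the thread. What follows is an added example of such a feature, written for this page and not taken from the original post or from CXF itself. It assumes the CXF 3.x API (AbstractFeature, STSClient.setFeatures(List<Feature>)), reads the proxy from the JVM's standard https.proxyHost / https.proxyPort system properties (the poster's stated requirement), and falls back to port 3128 taken from the thread's own example. The class name SystemPropertyProxyFeature and the attach helper are hypothetical names chosen here.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.cxf.Bus;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.feature.AbstractFeature;
import org.apache.cxf.feature.Feature;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transports.http.configuration.HTTPClientPolicy;
import org.apache.cxf.transports.http.configuration.ProxyServerType;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;

/**
 * Example feature (not part of CXF) that copies the JVM's https.proxyHost /
 * https.proxyPort system properties into every HTTPConduit it is initialized
 * against. Because it is a Feature, one instance can be handed both to the
 * JAX-WS client and to the STSClient, so the WS-Trust / SecureConversation
 * bootstrap request (RST/SCT) is proxied exactly like the main request.
 */
public class SystemPropertyProxyFeature extends AbstractFeature {

    // Port used when https.proxyPort is unset; 3128 is the thread's own example value.
    private static final int DEFAULT_PROXY_PORT = 3128;

    @Override
    public void initialize(Client client, Bus bus) {
        String host = System.getProperty("https.proxyHost");
        String port = System.getProperty("https.proxyPort");
        if (host == null || host.isEmpty()) {
            return; // no proxy configured: leave the conduit untouched
        }
        if (!(client.getConduit() instanceof HTTPConduit)) {
            return; // only HTTP(S) transports carry proxy settings
        }
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        HTTPClientPolicy policy = conduit.getClient();
        if (policy == null) {
            policy = new HTTPClientPolicy();
        }
        policy.setProxyServerType(ProxyServerType.HTTP);
        policy.setProxyServer(host);
        policy.setProxyServerPort(port == null ? DEFAULT_PROXY_PORT : Integer.parseInt(port));
        conduit.setClient(policy);
    }

    /**
     * Wires the same feature into the service client and into a new STSClient
     * registered under ws-security.sts.client, mirroring the Spring workaround.
     */
    public static STSClient attach(Object port) {
        SystemPropertyProxyFeature proxyFeature = new SystemPropertyProxyFeature();

        // 1. The main service client: this is all the original Java snippet covered.
        Client client = ClientProxy.getClient(port);
        Bus bus = client.getBus();
        proxyFeature.initialize(client, bus);

        // 2. The STSClient used for the SecureConversation bootstrap. STSClient
        //    calls initialize() on each configured feature for the internal
        //    client it builds, so the RST/SCT request picks up the proxy too.
        STSClient stsClient = new STSClient(bus);
        List<Feature> features = new ArrayList<Feature>();
        features.add(proxyFeature);
        stsClient.setFeatures(features);
        client.getRequestContext().put(SecurityConstants.STS_CLIENT, stsClient);
        return stsClient;
    }
}
```

Because the same feature object is initialized against both conduits, the RST/SCT request to the STS and the main service request share one proxy setting, and the same initialize method is the natural place to apply matching TLSClientParameters (trust store, hostname verifier) to both conduits so the HttpsToken requirement in the policy is met on each hop. With the bus-level logging feature enabled as in the workaround's <cxf:bus>, the check is that the first Outbound Message (the one with action .../trust/RST/SCT) now reaches the proxy rather than the endpoint directly.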
Re: Http proxy with STS
Posted by Colm O hEigeartaigh <co...@apache.org>.
Could you share how you are configuring the client using Spring? I tested
using CXF 3.0.0-SNAPSHOT and an http conduit with a ReceiveTimeout value
set, and it appears to be picking it up.
Colm.
On Mon, Apr 28, 2014 at 5:03 PM, lotos <sp...@gmail.com> wrote:
> [...]
Re: Http proxy with STS
Posted by Colm O hEigeartaigh <co...@apache.org>.
Yep. Could you create a JIRA and I'll take a look?
Colm.
On Mon, Apr 28, 2014 at 5:03 PM, lotos <sp...@gmail.com> wrote:
> [...]
Re: Http proxy with STS
Posted by lotos <sp...@gmail.com>.
Unfortunately it's the same problem. The conduit from the configuration isn't
used by the STS. Looks like a bug.
Re: Http proxy with STS
Posted by Colm O hEigeartaigh <co...@apache.org>.
The simplest way of doing this is to just define http:conduit in Spring as
per the following, which should get picked up by all clients:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/transport/cxf-client.xml;h=41291d063acd23090424add371f816e8bba38bd7;hb=HEAD
I'm not sure offhand how this can be done in code.
Colm.
On Sat, Apr 26, 2014 at 12:48 AM, lotos <sp...@gmail.com> wrote:
> [...]