You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cxf.apache.org by rsearls <rs...@gmail.com> on 2014/03/19 17:01:07 UTC
HOK response not recognized
I created this simple service that requires a HOK.
The STS returns a SAML "IssuedToken". It was successfully created by
SAMLTokenProcessor in which a BasicX509Credential() was created and the
corresponding subject certificate was copied into.
However, the processing of the IssuedToken fails in
IssuedTokenPolicyValidator
because signedResults is empty and tlsCerts is null.
103 if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
104 ai.setNotAsserted("Assertion fails holder-of-key requirements");
105 continue;
106 }
I don't see why this dose not work? Any advise would be appreciated.
--- service WSDL ---
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<definitions
targetNamespace="http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
name="HolderOfKeyService"
xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns="http://schemas.xmlsoap.org/wsdl/"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsaws="http://www.w3.org/2005/08/addressing"
xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<types>
<xsd:schema>
<xsd:import
namespace="http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
schemaLocation="HolderOfKeyService_schema1.xsd"/>
</xsd:schema>
</types>
<message name="sayHello">
<part name="parameters" element="tns:sayHello"/>
</message>
<message name="sayHelloResponse">
<part name="parameters" element="tns:sayHelloResponse"/>
</message>
<portType name="HolderOfKeyIface">
<operation name="sayHello">
<input message="tns:sayHello"/>
<output message="tns:sayHelloResponse"/>
</operation>
</portType>
<binding name="HolderOfKeyServicePortBinding" type="tns:HolderOfKeyIface">
<wsp:PolicyReference URI="#TransportSAML2HolderOfKeyPolicy" />
<soap:binding transport="http://schemas.xmlsoap.org/soap/http"
style="document"/>
<operation name="sayHello">
<soap:operation soapAction=""/>
<input>
<soap:body use="literal"/>
</input>
<output>
<soap:body use="literal"/>
</output>
</operation>
</binding>
<service name="HolderOfKeyService">
<port name="HolderOfKeyServicePort"
binding="tns:HolderOfKeyServicePortBinding">
<soap:address
location="https://@jboss.bind.address@:8443/jaxws-samples-wsse-policy-trust-holderofkey/HolderOfKeyService"/>
</port>
</service>
<wsp:Policy wsu:Id="TransportSAML2HolderOfKeyPolicy">
<wsp:ExactlyOne>
<wsp:All>
<wsam:Addressing wsp:Optional="false">
<wsp:Policy />
</wsam:Addressing>
<sp:TransportBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken>
<wsp:Policy/>
</sp:HttpsToken>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:TripleDes />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:SignedSupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:IssuedToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<sp:RequestSecurityTokenTemplate>
<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference />
</wsp:Policy>
<sp:Issuer>
<wsaws:Address>http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService</wsaws:Address>
<wsaws:Metadata
xmlns:wsdli="http://www.w3.org/2006/01/wsdl-instance"
wsdli:wsdlLocation="http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService?wsdl">
<wsaw:ServiceName
xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:stsns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
EndpointName="UT_Port">stsns:SecurityTokenService</wsaw:ServiceName>
</wsaws:Metadata>
</sp:Issuer>
</sp:IssuedToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss11>
<wsp:Policy>
<sp:MustSupportRefIssuerSerial />
<sp:MustSupportRefThumbprint />
<sp:MustSupportRefEncryptedKey />
</wsp:Policy>
</sp:Wss11>
<sp:Trust13>
<wsp:Policy>
<sp:MustSupportIssuedTokens />
<sp:RequireClientEntropy />
<sp:RequireServerEntropy />
</wsp:Policy>
</sp:Trust13>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</definitions>
---- STS wsdl ---
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions
targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsp="http://www.w3.org/ns/ws-policy"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
<wsdl:types>
<xs:schema elementFormDefault="qualified"
targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'>
<xs:element name='RequestSecurityToken'
type='wst:AbstractRequestSecurityTokenType'/>
<xs:element name='RequestSecurityTokenResponse'
type='wst:AbstractRequestSecurityTokenType'/>
<xs:complexType name='AbstractRequestSecurityTokenType'>
<xs:sequence>
<xs:any namespace='##any' processContents='lax' minOccurs='0'
maxOccurs='unbounded'/>
</xs:sequence>
<xs:attribute name='Context' type='xs:anyURI' use='optional'/>
<xs:anyAttribute namespace='##other' processContents='lax'/>
</xs:complexType>
<xs:element name='RequestSecurityTokenCollection'
type='wst:RequestSecurityTokenCollectionType'/>
<xs:complexType name='RequestSecurityTokenCollectionType'>
<xs:sequence>
<xs:element name='RequestSecurityToken'
type='wst:AbstractRequestSecurityTokenType'
minOccurs='2'
maxOccurs='unbounded'/>
</xs:sequence>
</xs:complexType>
<xs:element name='RequestSecurityTokenResponseCollection'
type='wst:RequestSecurityTokenResponseCollectionType'/>
<xs:complexType name='RequestSecurityTokenResponseCollectionType'>
<xs:sequence>
<xs:element ref='wst:RequestSecurityTokenResponse' minOccurs='1'
maxOccurs='unbounded'/>
</xs:sequence>
<xs:anyAttribute namespace='##other' processContents='lax'/>
</xs:complexType>
</xs:schema>
</wsdl:types>
<wsdl:message name="RequestSecurityTokenMsg">
<wsdl:part name="request" element="wst:RequestSecurityToken"/>
</wsdl:message>
<wsdl:message name="RequestSecurityTokenResponseMsg">
<wsdl:part name="response"
element="wst:RequestSecurityTokenResponse"/>
</wsdl:message>
<wsdl:message name="RequestSecurityTokenCollectionMsg">
<wsdl:part name="requestCollection"
element="wst:RequestSecurityTokenCollection"/>
</wsdl:message>
<wsdl:message name="RequestSecurityTokenResponseCollectionMsg">
<wsdl:part name="responseCollection"
element="wst:RequestSecurityTokenResponseCollection"/>
</wsdl:message>
<wsdl:portType name="WSSecurityRequestor">
<wsdl:operation name="Challenge">
<wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
<wsdl:output message="tns:RequestSecurityTokenResponseMsg"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:portType name="STS">
<wsdl:operation name="Cancel">
<wsdl:input
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"
message="tns:RequestSecurityTokenMsg"/>
<wsdl:output
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal"
message="tns:RequestSecurityTokenResponseMsg"/>
</wsdl:operation>
<wsdl:operation name="Issue">
<wsdl:input
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
message="tns:RequestSecurityTokenMsg"/>
<wsdl:output
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal"
message="tns:RequestSecurityTokenResponseCollectionMsg"/>
</wsdl:operation>
<wsdl:operation name="Renew">
<wsdl:input
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"
message="tns:RequestSecurityTokenMsg"/>
<wsdl:output
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal"
message="tns:RequestSecurityTokenResponseMsg"/>
</wsdl:operation>
<wsdl:operation name="Validate">
<wsdl:input
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"
message="tns:RequestSecurityTokenMsg"/>
<wsdl:output
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal"
message="tns:RequestSecurityTokenResponseMsg"/>
</wsdl:operation>
<wsdl:operation name="KeyExchangeToken">
<wsdl:input
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KET"
message="tns:RequestSecurityTokenMsg"/>
<wsdl:output
wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/KETFinal"
message="tns:RequestSecurityTokenResponseMsg"/>
</wsdl:operation>
<wsdl:operation name="RequestCollection">
<wsdl:input message="tns:RequestSecurityTokenCollectionMsg"/>
<wsdl:output message="tns:RequestSecurityTokenResponseCollectionMsg"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:portType name="SecurityTokenResponseService">
<wsdl:operation name="RequestSecurityTokenResponse">
<wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="UT_Binding" type="wstrust:STS">
<wsp:PolicyReference URI="#UT_policy"/>
<soap:binding style="document"
transport="http://schemas.xmlsoap.org/soap/http"/>
<wsdl:operation name="Issue">
<soap:operation
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/>
<wsdl:input>
<wsp:PolicyReference
URI="#Input_policy"/>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<wsp:PolicyReference
URI="#Output_policy"/>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
<wsdl:operation name="Validate">
<soap:operation
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"/>
<wsdl:input>
<wsp:PolicyReference
URI="#Input_policy"/>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<wsp:PolicyReference
URI="#Output_policy"/>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
<wsdl:operation name="Cancel">
<soap:operation
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"/>
<wsdl:input>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
<wsdl:operation name="Renew">
<soap:operation
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"/>
<wsdl:input>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
<wsdl:operation name="KeyExchangeToken">
<soap:operation
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken"/>
<wsdl:input>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
<wsdl:operation name="RequestCollection">
<soap:operation
soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection"/>
<wsdl:input>
<soap:body use="literal"/>
</wsdl:input>
<wsdl:output>
<soap:body use="literal"/>
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="SecurityTokenService">
<wsdl:port name="UT_Port" binding="tns:UT_Binding">
<soap:address
location="http://localhost:8080/SecurityTokenService/UT"/>
</wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="UT_policy">
<wsp:ExactlyOne>
<wsp:All>
<wsap10:UsingAddressing/>
<sp:SymmetricBinding
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:ProtectionToken>
<wsp:Policy>
<sp:X509Token
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
<wsp:Policy>
<sp:RequireDerivedKeys/>
<sp:RequireThumbprintReference/>
<sp:WssX509V3Token10/>
</wsp:Policy>
</sp:X509Token>
</wsp:Policy>
</sp:ProtectionToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
<sp:EncryptSignature/>
<sp:OnlySignEntireHeadersAndBody/>
</wsp:Policy>
</sp:SymmetricBinding>
<sp:SignedSupportingTokens
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:UsernameToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<wsp:Policy>
<sp:WssUsernameToken10/>
</wsp:Policy>
</sp:UsernameToken>
</wsp:Policy>
</sp:SignedSupportingTokens>
<sp:Wss11
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier/>
<sp:MustSupportRefIssuerSerial/>
<sp:MustSupportRefThumbprint/>
<sp:MustSupportRefEncryptedKey/>
</wsp:Policy>
</sp:Wss11>
<sp:Trust13
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="Input_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:Body/>
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
<wsp:Policy wsu:Id="Output_policy">
<wsp:ExactlyOne>
<wsp:All>
<sp:SignedParts
xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<sp:Body/>
<sp:Header Name="To"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="From"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="FaultTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="ReplyTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="MessageID"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="RelatesTo"
Namespace="http://www.w3.org/2005/08/addressing"/>
<sp:Header Name="Action"
Namespace="http://www.w3.org/2005/08/addressing"/>
</sp:SignedParts>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</wsdl:definitions>
--
View this message in context: http://cxf.547215.n5.nabble.com/HOK-response-not-recognized-tp5741528.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: HOK response not recognized
Posted by rsearls <rs...@gmail.com>.
Thanks. That was it, using SignedEndorsingSupportingTokens instead of
SignedSupportingTokens
On Wed, Mar 19, 2014 at 12:08 PM, coheigea [via CXF] <
ml-node+s547215n5741529h76@n5.nabble.com> wrote:
> For "Holder-of-Key", the client must show the service that it knows the
> key
> (in your case a Symmetric Key) in question. If you change your service
> policy so that the parent of the IssuedToken policy is a
> "SignedSupportingTokens" instead of "SignedEndorsingSupportingTokens" then
> it should work.
>
> Colm.
>
>
> On Wed, Mar 19, 2014 at 4:01 PM, rsearls <[hidden email]<http://user/SendEmail.jtp?type=node&node=5741529&i=0>>
> wrote:
>
> > I created this simple service that requires a HOK.
> > The STS returns a SAML "IssuedToken". It was successfully created by
> > SAMLTokenProcessor in which a BasicX509Credential() was created and the
> > corresponding subject certificate was copied into.
> >
> > However, the processing of the IssuedToken fails in
> > IssuedTokenPolicyValidator
> > because signedResults is empty and tlsCerts is null.
> >
> > 103 if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts))
> {
> > 104 ai.setNotAsserted("Assertion fails holder-of-key
> requirements");
> > 105 continue;
> > 106 }
> >
> > I don't see why this dose not work? Any advise would be appreciated.
> >
> >
> > --- service WSDL ---
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <definitions
> > targetNamespace="
> > http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
> > name="HolderOfKeyService"
> >
> > xmlns:tns="
> > http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
> > xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> > xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> > xmlns="http://schemas.xmlsoap.org/wsdl/"
> > xmlns:wsp="http://www.w3.org/ns/ws-policy"
> > xmlns:wsam="
> http://www.w3.org/2007/05/addressing/metadata"
> >
> > xmlns:wsu="
> >
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> > "
> > xmlns:wsaws="http://www.w3.org/2005/08/addressing"
> > xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>
> > xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> >
> > <types>
> > <xsd:schema>
> > <xsd:import
> > namespace="
> > http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
> > schemaLocation="HolderOfKeyService_schema1.xsd"/>
> > </xsd:schema>
> > </types>
> > <message name="sayHello">
> > <part name="parameters" element="tns:sayHello"/>
> > </message>
> > <message name="sayHelloResponse">
> > <part name="parameters" element="tns:sayHelloResponse"/>
> > </message>
> > <portType name="HolderOfKeyIface">
> > <operation name="sayHello">
> > <input message="tns:sayHello"/>
> > <output message="tns:sayHelloResponse"/>
> > </operation>
> > </portType>
> > <binding name="HolderOfKeyServicePortBinding"
> > type="tns:HolderOfKeyIface">
> > <wsp:PolicyReference URI="#TransportSAML2HolderOfKeyPolicy" />
> > <soap:binding transport="http://schemas.xmlsoap.org/soap/http"
> > style="document"/>
> > <operation name="sayHello">
> > <soap:operation soapAction=""/>
> > <input>
> > <soap:body use="literal"/>
> > </input>
> > <output>
> > <soap:body use="literal"/>
> > </output>
> > </operation>
> > </binding>
> > <service name="HolderOfKeyService">
> > <port name="HolderOfKeyServicePort"
> > binding="tns:HolderOfKeyServicePortBinding">
> > <soap:address
> > location="https://@jboss.bind.address@
> > :8443/jaxws-samples-wsse-policy-trust-holderofkey/HolderOfKeyService"/>
> > </port>
> > </service>
> >
> >
> > <wsp:Policy wsu:Id="TransportSAML2HolderOfKeyPolicy">
> > <wsp:ExactlyOne>
> > <wsp:All>
> > <wsam:Addressing wsp:Optional="false">
> > <wsp:Policy />
> > </wsam:Addressing>
> >
> >
> >
> >
> > <sp:TransportBinding
> >
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <wsp:Policy>
> > <sp:TransportToken>
> > <wsp:Policy>
> > <sp:HttpsToken>
> > <wsp:Policy/>
> > </sp:HttpsToken>
> > </wsp:Policy>
> > </sp:TransportToken>
> > <sp:AlgorithmSuite>
> > <wsp:Policy>
> > <sp:TripleDes />
> > </wsp:Policy>
> > </sp:AlgorithmSuite>
> > <sp:Layout>
> > <wsp:Policy>
> > <sp:Lax />
> > </wsp:Policy>
> > </sp:Layout>
> > <sp:IncludeTimestamp />
> > </wsp:Policy>
> > </sp:TransportBinding>
> >
> > <sp:SignedSupportingTokens
> >
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <wsp:Policy>
> > <sp:IssuedToken
> >
> > sp:IncludeToken="
> >
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> > ">
> > <sp:RequestSecurityTokenTemplate>
> >
> > <t:TokenType>
> > http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
> > </t:TokenType>
> >
> > <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
> > </t:KeyType>
> > </sp:RequestSecurityTokenTemplate>
> > <wsp:Policy>
> > <sp:RequireInternalReference />
> > </wsp:Policy>
> >
> > <sp:Issuer>
> >
> > <wsaws:Address>http://@jboss.bind.address@
> >
> :8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService</wsaws:Address>
>
> > <wsaws:Metadata
> > xmlns:wsdli="http://www.w3.org/2006/01/wsdl-instance"
> >
> > wsdli:wsdlLocation="http://@jboss.bind.address@
> >
> :8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService?wsdl">
>
> > <wsaw:ServiceName
> > xmlns:wsaw="
> http://www.w3.org/2006/05/addressing/wsdl"
> >
> > xmlns:stsns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> >
> > EndpointName="UT_Port">stsns:SecurityTokenService</wsaw:ServiceName>
> > </wsaws:Metadata>
> > </sp:Issuer>
> >
> > </sp:IssuedToken>
> > </wsp:Policy>
> > </sp:SignedSupportingTokens>
> >
> > <sp:Wss11>
> > <wsp:Policy>
> > <sp:MustSupportRefIssuerSerial />
> > <sp:MustSupportRefThumbprint />
> > <sp:MustSupportRefEncryptedKey />
> > </wsp:Policy>
> > </sp:Wss11>
> > <sp:Trust13>
> > <wsp:Policy>
> > <sp:MustSupportIssuedTokens />
> > <sp:RequireClientEntropy />
> > <sp:RequireServerEntropy />
> > </wsp:Policy>
> > </sp:Trust13>
> > </wsp:All>
> > </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> >
> > </definitions>
> >
> >
> >
> >
> >
> > ---- STS wsdl ---
> > <?xml version="1.0" encoding="UTF-8"?>
> > <wsdl:definitions
> > targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> > xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> > xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> > xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> > xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> > xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
> >
> > xmlns:wsu="
> >
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> > "
> > xmlns:wsp="http://www.w3.org/ns/ws-policy"
> > xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> > xmlns:xs="http://www.w3.org/2001/XMLSchema"
> > xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
> >
> > <wsdl:types>
> > <xs:schema elementFormDefault="qualified"
> >
> > targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'>
> >
> > <xs:element name='RequestSecurityToken'
> > type='wst:AbstractRequestSecurityTokenType'/>
> > <xs:element name='RequestSecurityTokenResponse'
> > type='wst:AbstractRequestSecurityTokenType'/>
> >
> > <xs:complexType name='AbstractRequestSecurityTokenType'>
> > <xs:sequence>
> > <xs:any namespace='##any' processContents='lax' minOccurs='0'
> > maxOccurs='unbounded'/>
> > </xs:sequence>
> > <xs:attribute name='Context' type='xs:anyURI' use='optional'/>
> > <xs:anyAttribute namespace='##other' processContents='lax'/>
> > </xs:complexType>
> > <xs:element name='RequestSecurityTokenCollection'
> > type='wst:RequestSecurityTokenCollectionType'/>
> > <xs:complexType name='RequestSecurityTokenCollectionType'>
> > <xs:sequence>
> > <xs:element name='RequestSecurityToken'
> > type='wst:AbstractRequestSecurityTokenType'
> > minOccurs='2'
> > maxOccurs='unbounded'/>
> > </xs:sequence>
> > </xs:complexType>
> >
> > <xs:element name='RequestSecurityTokenResponseCollection'
> >
> type='wst:RequestSecurityTokenResponseCollectionType'/>
> > <xs:complexType name='RequestSecurityTokenResponseCollectionType'>
> > <xs:sequence>
> > <xs:element ref='wst:RequestSecurityTokenResponse'
> minOccurs='1'
> > maxOccurs='unbounded'/>
> > </xs:sequence>
> > <xs:anyAttribute namespace='##other' processContents='lax'/>
> > </xs:complexType>
> >
> > </xs:schema>
> > </wsdl:types>
> >
> >
> > <wsdl:message name="RequestSecurityTokenMsg">
> > <wsdl:part name="request" element="wst:RequestSecurityToken"/>
> > </wsdl:message>
> > <wsdl:message name="RequestSecurityTokenResponseMsg">
> > <wsdl:part name="response"
> > element="wst:RequestSecurityTokenResponse"/>
> > </wsdl:message>
> > <wsdl:message name="RequestSecurityTokenCollectionMsg">
> > <wsdl:part name="requestCollection"
> > element="wst:RequestSecurityTokenCollection"/>
> > </wsdl:message>
> > <wsdl:message name="RequestSecurityTokenResponseCollectionMsg">
> > <wsdl:part name="responseCollection"
> > element="wst:RequestSecurityTokenResponseCollection"/>
> > </wsdl:message>
> >
> >
> > <wsdl:portType name="WSSecurityRequestor">
> > <wsdl:operation name="Challenge">
> > <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
> > <wsdl:output message="tns:RequestSecurityTokenResponseMsg"/>
> > </wsdl:operation>
> > </wsdl:portType>
> >
> >
> > <wsdl:portType name="STS">
> > <wsdl:operation name="Cancel">
> > <wsdl:input
> >
> > wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"
>
> > message="tns:RequestSecurityTokenMsg"/>
> > <wsdl:output
> >
> > wsam:Action="
> > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal"
> > message="tns:RequestSecurityTokenResponseMsg"/>
> > </wsdl:operation>
> > <wsdl:operation name="Issue">
> > <wsdl:input
> >
> > wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
>
> > message="tns:RequestSecurityTokenMsg"/>
> > <wsdl:output
> >
> > wsam:Action="
> > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal"
> > message="tns:RequestSecurityTokenResponseCollectionMsg"/>
> > </wsdl:operation>
> > <wsdl:operation name="Renew">
> > <wsdl:input
> >
> > wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"
>
> > message="tns:RequestSecurityTokenMsg"/>
> > <wsdl:output
> >
> > wsam:Action="
> > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal"
> > message="tns:RequestSecurityTokenResponseMsg"/>
> > </wsdl:operation>
> > <wsdl:operation name="Validate">
> > <wsdl:input
> >
> > wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
> > "
> > message="tns:RequestSecurityTokenMsg"/>
> > <wsdl:output
> >
> > wsam:Action="
> > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal"
> > message="tns:RequestSecurityTokenResponseMsg"/>
> > </wsdl:operation>
> > <wsdl:operation name="KeyExchangeToken">
> > <wsdl:input
> >
> > wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KET"
> > message="tns:RequestSecurityTokenMsg"/>
> > <wsdl:output
> >
> > wsam:Action="
> > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/KETFinal"
> > message="tns:RequestSecurityTokenResponseMsg"/>
> > </wsdl:operation>
> > <wsdl:operation name="RequestCollection">
> > <wsdl:input message="tns:RequestSecurityTokenCollectionMsg"/>
> > <wsdl:output
> > message="tns:RequestSecurityTokenResponseCollectionMsg"/>
> > </wsdl:operation>
> > </wsdl:portType>
> >
> >
> > <wsdl:portType name="SecurityTokenResponseService">
> > <wsdl:operation name="RequestSecurityTokenResponse">
> > <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
> > </wsdl:operation>
> > </wsdl:portType>
> >
> > <wsdl:binding name="UT_Binding" type="wstrust:STS">
> > <wsp:PolicyReference URI="#UT_policy"/>
> > <soap:binding style="document"
> > transport="http://schemas.xmlsoap.org/soap/http"/>
> > <wsdl:operation name="Issue">
> > <soap:operation
> >
> > soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/>
>
> > <wsdl:input>
> > <wsp:PolicyReference
> > URI="#Input_policy"/>
> > <soap:body use="literal"/>
> > </wsdl:input>
> > <wsdl:output>
> > <wsp:PolicyReference
> > URI="#Output_policy"/>
> > <soap:body use="literal"/>
> > </wsdl:output>
> > </wsdl:operation>
> > <wsdl:operation name="Validate">
> > <soap:operation
> >
> > soapAction="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
> > "/>
> > <wsdl:input>
> > <wsp:PolicyReference
> > URI="#Input_policy"/>
> > <soap:body use="literal"/>
> > </wsdl:input>
> > <wsdl:output>
> > <wsp:PolicyReference
> > URI="#Output_policy"/>
> > <soap:body use="literal"/>
> > </wsdl:output>
> > </wsdl:operation>
> > <wsdl:operation name="Cancel">
> > <soap:operation
> >
> > soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"/>
>
> > <wsdl:input>
> > <soap:body use="literal"/>
> > </wsdl:input>
> > <wsdl:output>
> > <soap:body use="literal"/>
> > </wsdl:output>
> > </wsdl:operation>
> > <wsdl:operation name="Renew">
> > <soap:operation
> >
> > soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"/>
>
> > <wsdl:input>
> > <soap:body use="literal"/>
> > </wsdl:input>
> > <wsdl:output>
> > <soap:body use="literal"/>
> > </wsdl:output>
> > </wsdl:operation>
> > <wsdl:operation name="KeyExchangeToken">
> > <soap:operation
> >
> > soapAction="
> > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken"/>
>
> > <wsdl:input>
> > <soap:body use="literal"/>
> > </wsdl:input>
> > <wsdl:output>
> > <soap:body use="literal"/>
> > </wsdl:output>
> > </wsdl:operation>
> > <wsdl:operation name="RequestCollection">
> > <soap:operation
> >
> > soapAction="
> > http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection"/>
>
> > <wsdl:input>
> > <soap:body use="literal"/>
> > </wsdl:input>
> > <wsdl:output>
> > <soap:body use="literal"/>
> > </wsdl:output>
> > </wsdl:operation>
> > </wsdl:binding>
> >
> > <wsdl:service name="SecurityTokenService">
> > <wsdl:port name="UT_Port" binding="tns:UT_Binding">
> > <soap:address
> > location="http://localhost:8080/SecurityTokenService/UT"/>
> > </wsdl:port>
> > </wsdl:service>
> >
> > <wsp:Policy wsu:Id="UT_policy">
> > <wsp:ExactlyOne>
> > <wsp:All>
> > <wsap10:UsingAddressing/>
> > <sp:SymmetricBinding
> >
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <wsp:Policy>
> > <sp:ProtectionToken>
> > <wsp:Policy>
> > <sp:X509Token
> >
> > sp:IncludeToken="
> >
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never
> > ">
> > <wsp:Policy>
> > <sp:RequireDerivedKeys/>
> > <sp:RequireThumbprintReference/>
> > <sp:WssX509V3Token10/>
> > </wsp:Policy>
> > </sp:X509Token>
> > </wsp:Policy>
> > </sp:ProtectionToken>
> > <sp:AlgorithmSuite>
> > <wsp:Policy>
> > <sp:Basic256/>
> > </wsp:Policy>
> > </sp:AlgorithmSuite>
> > <sp:Layout>
> > <wsp:Policy>
> > <sp:Lax/>
> > </wsp:Policy>
> > </sp:Layout>
> > <sp:IncludeTimestamp/>
> > <sp:EncryptSignature/>
> > <sp:OnlySignEntireHeadersAndBody/>
> > </wsp:Policy>
> > </sp:SymmetricBinding>
> > <sp:SignedSupportingTokens
> >
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <wsp:Policy>
> > <sp:UsernameToken
> >
> > sp:IncludeToken="
> >
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> > ">
> > <wsp:Policy>
> > <sp:WssUsernameToken10/>
> > </wsp:Policy>
> > </sp:UsernameToken>
> > </wsp:Policy>
> > </sp:SignedSupportingTokens>
> > <sp:Wss11
> >
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <wsp:Policy>
> > <sp:MustSupportRefKeyIdentifier/>
> > <sp:MustSupportRefIssuerSerial/>
> > <sp:MustSupportRefThumbprint/>
> > <sp:MustSupportRefEncryptedKey/>
> > </wsp:Policy>
> > </sp:Wss11>
> > <sp:Trust13
> >
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <wsp:Policy>
> > <sp:MustSupportIssuedTokens/>
> > <sp:RequireClientEntropy/>
> > <sp:RequireServerEntropy/>
> > </wsp:Policy>
> > </sp:Trust13>
> > </wsp:All>
> > </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > <wsp:Policy wsu:Id="Input_policy">
> > <wsp:ExactlyOne>
> > <wsp:All>
> > <sp:SignedParts
> >
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <sp:Body/>
> > <sp:Header Name="To"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="From"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="FaultTo"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="ReplyTo"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="MessageID"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="RelatesTo"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="Action"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > </sp:SignedParts>
> > </wsp:All>
> > </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > <wsp:Policy wsu:Id="Output_policy">
> > <wsp:ExactlyOne>
> > <wsp:All>
> > <sp:SignedParts
> >
> > xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> > <sp:Body/>
> > <sp:Header Name="To"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="From"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="FaultTo"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="ReplyTo"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="MessageID"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="RelatesTo"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > <sp:Header Name="Action"
> > Namespace="http://www.w3.org/2005/08/addressing"/>
> > </sp:SignedParts>
> > </wsp:All>
> > </wsp:ExactlyOne>
> > </wsp:Policy>
> >
> > </wsdl:definitions>
> >
> >
> >
> >
> > --
> > View this message in context:
> >
> http://cxf.547215.n5.nabble.com/HOK-response-not-recognized-tp5741528.html
> > Sent from the cxf-user mailing list archive at Nabble.com.
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
> ------------------------------
> If you reply to this email, your message will be added to the discussion
> below:
>
> http://cxf.547215.n5.nabble.com/HOK-response-not-recognized-tp5741528p5741529.html
> To unsubscribe from HOK response not recognized, click here<http://cxf.547215.n5.nabble.com/template/NamlServlet.jtp?macro=unsubscribe_by_code&node=5741528&code=cnNlYXJsc0BnbWFpbC5jb218NTc0MTUyOHw5MjAxMjc5MTk=>
> .
> NAML<http://cxf.547215.n5.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml>
>
--
View this message in context: http://cxf.547215.n5.nabble.com/HOK-response-not-recognized-tp5741528p5741533.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: HOK response not recognized
Posted by Colm O hEigeartaigh <co...@apache.org>.
For "Holder-of-Key", the client must show the service that it knows the key
(in your case a Symmetric Key) in question. If you change your service
policy so that the parent of the IssuedToken policy is a
"SignedSupportingTokens" instead of "SignedEndorsingSupportingTokens" then
it should work.
Colm.
On Wed, Mar 19, 2014 at 4:01 PM, rsearls <rs...@gmail.com> wrote:
> I created this simple service that requires a HOK.
> The STS returns a SAML "IssuedToken". It was successfully created by
> SAMLTokenProcessor in which a BasicX509Credential() was created and the
> corresponding subject certificate was copied into.
>
> However, the processing of the IssuedToken fails in
> IssuedTokenPolicyValidator
> because signedResults is empty and tlsCerts is null.
>
> 103 if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
> 104 ai.setNotAsserted("Assertion fails holder-of-key requirements");
> 105 continue;
> 106 }
>
> I don't see why this dose not work? Any advise would be appreciated.
>
>
> --- service WSDL ---
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <definitions
> targetNamespace="
> http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
> name="HolderOfKeyService"
>
> xmlns:tns="
> http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> xmlns="http://schemas.xmlsoap.org/wsdl/"
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
> xmlns:wsaws="http://www.w3.org/2005/08/addressing"
> xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
> xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>
> <types>
> <xsd:schema>
> <xsd:import
> namespace="
> http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
> schemaLocation="HolderOfKeyService_schema1.xsd"/>
> </xsd:schema>
> </types>
> <message name="sayHello">
> <part name="parameters" element="tns:sayHello"/>
> </message>
> <message name="sayHelloResponse">
> <part name="parameters" element="tns:sayHelloResponse"/>
> </message>
> <portType name="HolderOfKeyIface">
> <operation name="sayHello">
> <input message="tns:sayHello"/>
> <output message="tns:sayHelloResponse"/>
> </operation>
> </portType>
> <binding name="HolderOfKeyServicePortBinding"
> type="tns:HolderOfKeyIface">
> <wsp:PolicyReference URI="#TransportSAML2HolderOfKeyPolicy" />
> <soap:binding transport="http://schemas.xmlsoap.org/soap/http"
> style="document"/>
> <operation name="sayHello">
> <soap:operation soapAction=""/>
> <input>
> <soap:body use="literal"/>
> </input>
> <output>
> <soap:body use="literal"/>
> </output>
> </operation>
> </binding>
> <service name="HolderOfKeyService">
> <port name="HolderOfKeyServicePort"
> binding="tns:HolderOfKeyServicePortBinding">
> <soap:address
> location="https://@jboss.bind.address@
> :8443/jaxws-samples-wsse-policy-trust-holderofkey/HolderOfKeyService"/>
> </port>
> </service>
>
>
> <wsp:Policy wsu:Id="TransportSAML2HolderOfKeyPolicy">
> <wsp:ExactlyOne>
> <wsp:All>
> <wsam:Addressing wsp:Optional="false">
> <wsp:Policy />
> </wsam:Addressing>
>
>
>
>
> <sp:TransportBinding
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:TransportToken>
> <wsp:Policy>
> <sp:HttpsToken>
> <wsp:Policy/>
> </sp:HttpsToken>
> </wsp:Policy>
> </sp:TransportToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:TripleDes />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax />
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp />
> </wsp:Policy>
> </sp:TransportBinding>
>
> <sp:SignedSupportingTokens
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:IssuedToken
>
> sp:IncludeToken="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> ">
> <sp:RequestSecurityTokenTemplate>
>
> <t:TokenType>
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
> </t:TokenType>
>
> <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
> </t:KeyType>
> </sp:RequestSecurityTokenTemplate>
> <wsp:Policy>
> <sp:RequireInternalReference />
> </wsp:Policy>
>
> <sp:Issuer>
>
> <wsaws:Address>http://@jboss.bind.address@
> :8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService</wsaws:Address>
> <wsaws:Metadata
> xmlns:wsdli="http://www.w3.org/2006/01/wsdl-instance"
>
> wsdli:wsdlLocation="http://@jboss.bind.address@
> :8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService?wsdl">
> <wsaw:ServiceName
> xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
>
> xmlns:stsns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
>
> EndpointName="UT_Port">stsns:SecurityTokenService</wsaw:ServiceName>
> </wsaws:Metadata>
> </sp:Issuer>
>
> </sp:IssuedToken>
> </wsp:Policy>
> </sp:SignedSupportingTokens>
>
> <sp:Wss11>
> <wsp:Policy>
> <sp:MustSupportRefIssuerSerial />
> <sp:MustSupportRefThumbprint />
> <sp:MustSupportRefEncryptedKey />
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust13>
> <wsp:Policy>
> <sp:MustSupportIssuedTokens />
> <sp:RequireClientEntropy />
> <sp:RequireServerEntropy />
> </wsp:Policy>
> </sp:Trust13>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
>
> </definitions>
>
>
>
>
>
> ---- STS wsdl ---
> <?xml version="1.0" encoding="UTF-8"?>
> <wsdl:definitions
> targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
> xmlns:wsp="http://www.w3.org/ns/ws-policy"
> xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> xmlns:xs="http://www.w3.org/2001/XMLSchema"
> xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
>
> <wsdl:types>
> <xs:schema elementFormDefault="qualified"
>
> targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'>
>
> <xs:element name='RequestSecurityToken'
> type='wst:AbstractRequestSecurityTokenType'/>
> <xs:element name='RequestSecurityTokenResponse'
> type='wst:AbstractRequestSecurityTokenType'/>
>
> <xs:complexType name='AbstractRequestSecurityTokenType'>
> <xs:sequence>
> <xs:any namespace='##any' processContents='lax' minOccurs='0'
> maxOccurs='unbounded'/>
> </xs:sequence>
> <xs:attribute name='Context' type='xs:anyURI' use='optional'/>
> <xs:anyAttribute namespace='##other' processContents='lax'/>
> </xs:complexType>
> <xs:element name='RequestSecurityTokenCollection'
> type='wst:RequestSecurityTokenCollectionType'/>
> <xs:complexType name='RequestSecurityTokenCollectionType'>
> <xs:sequence>
> <xs:element name='RequestSecurityToken'
> type='wst:AbstractRequestSecurityTokenType'
> minOccurs='2'
> maxOccurs='unbounded'/>
> </xs:sequence>
> </xs:complexType>
>
> <xs:element name='RequestSecurityTokenResponseCollection'
> type='wst:RequestSecurityTokenResponseCollectionType'/>
> <xs:complexType name='RequestSecurityTokenResponseCollectionType'>
> <xs:sequence>
> <xs:element ref='wst:RequestSecurityTokenResponse' minOccurs='1'
> maxOccurs='unbounded'/>
> </xs:sequence>
> <xs:anyAttribute namespace='##other' processContents='lax'/>
> </xs:complexType>
>
> </xs:schema>
> </wsdl:types>
>
>
> <wsdl:message name="RequestSecurityTokenMsg">
> <wsdl:part name="request" element="wst:RequestSecurityToken"/>
> </wsdl:message>
> <wsdl:message name="RequestSecurityTokenResponseMsg">
> <wsdl:part name="response"
> element="wst:RequestSecurityTokenResponse"/>
> </wsdl:message>
> <wsdl:message name="RequestSecurityTokenCollectionMsg">
> <wsdl:part name="requestCollection"
> element="wst:RequestSecurityTokenCollection"/>
> </wsdl:message>
> <wsdl:message name="RequestSecurityTokenResponseCollectionMsg">
> <wsdl:part name="responseCollection"
> element="wst:RequestSecurityTokenResponseCollection"/>
> </wsdl:message>
>
>
> <wsdl:portType name="WSSecurityRequestor">
> <wsdl:operation name="Challenge">
> <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
> <wsdl:output message="tns:RequestSecurityTokenResponseMsg"/>
> </wsdl:operation>
> </wsdl:portType>
>
>
> <wsdl:portType name="STS">
> <wsdl:operation name="Cancel">
> <wsdl:input
>
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"
> message="tns:RequestSecurityTokenMsg"/>
> <wsdl:output
>
> wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal"
> message="tns:RequestSecurityTokenResponseMsg"/>
> </wsdl:operation>
> <wsdl:operation name="Issue">
> <wsdl:input
>
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
> message="tns:RequestSecurityTokenMsg"/>
> <wsdl:output
>
> wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal"
> message="tns:RequestSecurityTokenResponseCollectionMsg"/>
> </wsdl:operation>
> <wsdl:operation name="Renew">
> <wsdl:input
>
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"
> message="tns:RequestSecurityTokenMsg"/>
> <wsdl:output
>
> wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal"
> message="tns:RequestSecurityTokenResponseMsg"/>
> </wsdl:operation>
> <wsdl:operation name="Validate">
> <wsdl:input
>
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
> "
> message="tns:RequestSecurityTokenMsg"/>
> <wsdl:output
>
> wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal"
> message="tns:RequestSecurityTokenResponseMsg"/>
> </wsdl:operation>
> <wsdl:operation name="KeyExchangeToken">
> <wsdl:input
>
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KET"
> message="tns:RequestSecurityTokenMsg"/>
> <wsdl:output
>
> wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/KETFinal"
> message="tns:RequestSecurityTokenResponseMsg"/>
> </wsdl:operation>
> <wsdl:operation name="RequestCollection">
> <wsdl:input message="tns:RequestSecurityTokenCollectionMsg"/>
> <wsdl:output
> message="tns:RequestSecurityTokenResponseCollectionMsg"/>
> </wsdl:operation>
> </wsdl:portType>
>
>
> <wsdl:portType name="SecurityTokenResponseService">
> <wsdl:operation name="RequestSecurityTokenResponse">
> <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
> </wsdl:operation>
> </wsdl:portType>
>
> <wsdl:binding name="UT_Binding" type="wstrust:STS">
> <wsp:PolicyReference URI="#UT_policy"/>
> <soap:binding style="document"
> transport="http://schemas.xmlsoap.org/soap/http"/>
> <wsdl:operation name="Issue">
> <soap:operation
>
> soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/>
> <wsdl:input>
> <wsp:PolicyReference
> URI="#Input_policy"/>
> <soap:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <wsp:PolicyReference
> URI="#Output_policy"/>
> <soap:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> <wsdl:operation name="Validate">
> <soap:operation
>
> soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
> "/>
> <wsdl:input>
> <wsp:PolicyReference
> URI="#Input_policy"/>
> <soap:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <wsp:PolicyReference
> URI="#Output_policy"/>
> <soap:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> <wsdl:operation name="Cancel">
> <soap:operation
>
> soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"/>
> <wsdl:input>
> <soap:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <soap:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> <wsdl:operation name="Renew">
> <soap:operation
>
> soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"/>
> <wsdl:input>
> <soap:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <soap:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> <wsdl:operation name="KeyExchangeToken">
> <soap:operation
>
> soapAction="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken"/>
> <wsdl:input>
> <soap:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <soap:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> <wsdl:operation name="RequestCollection">
> <soap:operation
>
> soapAction="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection"/>
> <wsdl:input>
> <soap:body use="literal"/>
> </wsdl:input>
> <wsdl:output>
> <soap:body use="literal"/>
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
>
> <wsdl:service name="SecurityTokenService">
> <wsdl:port name="UT_Port" binding="tns:UT_Binding">
> <soap:address
> location="http://localhost:8080/SecurityTokenService/UT"/>
> </wsdl:port>
> </wsdl:service>
>
> <wsp:Policy wsu:Id="UT_policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <wsap10:UsingAddressing/>
> <sp:SymmetricBinding
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:ProtectionToken>
> <wsp:Policy>
> <sp:X509Token
>
> sp:IncludeToken="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never
> ">
> <wsp:Policy>
> <sp:RequireDerivedKeys/>
> <sp:RequireThumbprintReference/>
> <sp:WssX509V3Token10/>
> </wsp:Policy>
> </sp:X509Token>
> </wsp:Policy>
> </sp:ProtectionToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256/>
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax/>
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp/>
> <sp:EncryptSignature/>
> <sp:OnlySignEntireHeadersAndBody/>
> </wsp:Policy>
> </sp:SymmetricBinding>
> <sp:SignedSupportingTokens
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:UsernameToken
>
> sp:IncludeToken="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> ">
> <wsp:Policy>
> <sp:WssUsernameToken10/>
> </wsp:Policy>
> </sp:UsernameToken>
> </wsp:Policy>
> </sp:SignedSupportingTokens>
> <sp:Wss11
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier/>
> <sp:MustSupportRefIssuerSerial/>
> <sp:MustSupportRefThumbprint/>
> <sp:MustSupportRefEncryptedKey/>
> </wsp:Policy>
> </sp:Wss11>
> <sp:Trust13
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <wsp:Policy>
> <sp:MustSupportIssuedTokens/>
> <sp:RequireClientEntropy/>
> <sp:RequireServerEntropy/>
> </wsp:Policy>
> </sp:Trust13>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
> <wsp:Policy wsu:Id="Input_policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SignedParts
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:Body/>
> <sp:Header Name="To"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="From"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="FaultTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="ReplyTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="MessageID"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="RelatesTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="Action"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
> <wsp:Policy wsu:Id="Output_policy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:SignedParts
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> <sp:Body/>
> <sp:Header Name="To"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="From"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="FaultTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="ReplyTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="MessageID"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="RelatesTo"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> <sp:Header Name="Action"
> Namespace="http://www.w3.org/2005/08/addressing"/>
> </sp:SignedParts>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
>
> </wsdl:definitions>
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/HOK-response-not-recognized-tp5741528.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com