Posted to users@cxf.apache.org by "Morein, Arnie" <Ar...@dps.texas.gov> on 2017/02/16 18:41:50 UTC
RE: [EXTERNAL] Re: Problem calling WCF MS service with security
Well, I looked in the WSDL and found:
<wsdl:port
name="wsHttpEndPoint"
binding="tns:wsHttpEndPoint"
at the bottom for the authentication service which I updated to:
<jaxws:client id="aamva-authentication"
name="{http://aamva.org/authentication/3.1.0}wsHttpEndPoint"
createdFromAPI="true"
>
So I changed it. But still getting the same errors:
Feb16 12:20:16.425 WARN [PhaseInterceptorChain ][::] - Interceptor for {http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}SecurityTokenService#{http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}RequestSecurityToken has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Security configuration could not be detected. Potential cause: Make sure jaxws:client element with name attribute value matching endpoint port is defined as well as a security.signature.properties element within it.
...
Feb16 12:20:16.476 WARN [PhaseInterceptorChain ][::] - Interceptor for {http://aamva.org/authentication/3.1.0}AuthenticationService#{http://aamva.org/authentication/3.1.0}Authenticate has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Security configuration could not be detected. Potential cause: Make sure jaxws:client element with name attribute value matching endpoint port is defined as well as a security.signature.properties element within it.
Even after setting up a client for the SecurityTokenService:
<jaxws:client id="aamva-security-token-service"
name="{http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}SecurityTokenService"
createdFromAPI="true"
>
<jaxws:properties>
<entry
key="ws-security.signature.properties"
value="/META-INF/cxf/client-crypto.properties" />
<entry
key="ws-security.encryption.properties"
value="/META-INF/cxf/client-crypto.properties" />
</jaxws:properties>
</jaxws:client>
That URL to the WSDL isn't valid any more so I'm not sure what the port name should actually be.
Nor do I understand why this is necessary. I thought this stuff was supposed to be automatic?
-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Thursday, February 16, 2017 10:46 AM
To: users@cxf.apache.org
Subject: [EXTERNAL] Re: Problem calling WCF MS service with security
Answer inline.
On Thu, Feb 16, 2017 at 2:02 PM, Morein, Arnie <Ar...@dps.texas.gov>
wrote:
> And that is part of the confusion. What is meant by PORT NAME?
>
The Port name in the WSDL. For example, from the ws-security-examples, system tests:
<jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPlaintextPort"
createdFromAPI="true">
matches the WSDL port:
<wsdl:port name="DoubleItPlaintextPort"
binding="tns:DoubleItPlaintextBinding">
You can use wildcards as well I believe to match multiple ports.
Colm.
>
> The Interface? I have tried:
>
> { http://aamva.org/authentication/3.1.0} IAuthenticationService
>
> And the implementation (extends Service):
>
> { http://aamva.org/authentication/3.1.0} AuthenticationService
>
> Neither matches. What else could it be?
>
> I CERTAINLY hope that these jaxws:client constructs are NOT supposed
> to be every METHOD in the server?!
>
> -----Original Message-----
> From: Morein, Arnie [mailto:Arnold.Morein@dps.texas.gov]
> Sent: Wednesday, February 15, 2017 4:29 PM
> To: users@cxf.apache.org
> Subject: [EXTERNAL] Problem calling WCF MS service with security
>
> I have to consume a web service that was written in .Net and requires
> the security policies listed below. We develop in Java to a WAR. I
> created a separate project for the WSDL's Java stubs using Maven's
> cxf-codegen-plugin (3.1.10). It was added to the main WAR project and
> compiles fine. But during initial access to the service, a CXF error occurs.
>
> The manual which came with the WSDL had the following to say about the
> security features in use:
>
>
> Transport Layer Security
>
> Third party X.509 certificate and Tokens Client X.509 certificate
>
> We received a file from the vendor which was converted into a JKS. It
> has two trustedCertEntry entries and one private key of X.509 type.
>
> As I understand the manual, the service does not use the user
> name/password type of WS security. All traffic goes over HTTPS of
> course, and the certificate is supposed to be used to encrypt the
> message content both coming and going.
>
> I have tried to configure the necessary values for CXF to work but
> always get the same error:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: Security
> configuration could not be detected. Potential cause: Make sure
> jaxws:client element with name attribute value matching endpoint port
> is defined as well as a security.signature.properties element within it.
>
> I have tried setting the necessary (AFAIK) properties via API and
> Spring XML configuration to no avail.
>
> I would greatly appreciate some guidance as to what CXF is looking for
> (and where the file is supposed to be if configuration). Currently I
> have the client-crypto.properties file under /WEB-INF/cxf along with
> the jks file. Its contents:
>
> org.apache.ws.security.crypto.merlin.keystore.file=/WEB-INF/cxf/dlsKeystore.jks
> org.apache.ws.security.crypto.merlin.keystore.type=JKS
> org.apache.ws.security.crypto.merlin.keystore.alias=1
> org.apache.ws.security.crypto.merlin.keystore.password=****
> org.apache.ws.security.crypto.merlin.keystore.private.password=****
> org.apache.ws.security.crypto.merlin.truststore.file=/WEB-INF/cxf/dlsKeystore.jks
> org.apache.ws.security.crypto.merlin.truststore.type=JKS
> org.apache.ws.security.crypto.merlin.truststore.password=****
>
> Things I have tried setting via API:
>
> // set up ws-security
> /*HashMap<String, Object> crytoProperties = new HashMap<String, Object>();
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.file", KEYSTORE_FILE);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.type", "JKS");
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.alias", KEYSTORE_KEY_ALIAS);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.password", KEYSTORE_PASSWORD);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.private.password", KEYSTORE_KEY_PASSWORD);
>
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.file", KEYSTORE_FILE);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.type", "JKS");
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.password", KEYSTORE_PASSWORD);
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.alias", KEYSTORE_KEY_ALIAS);
>
> Map<String, Object> ctx = ((BindingProvider) port).getRequestContext();
> ctx.putAll(crytoProperties);*/
>
> // activate ws-security
> // (the JAX-WS proxy is not itself a Client; ClientProxy.getClient(port) unwraps it)
> /*org.apache.cxf.endpoint.Client client = ClientProxy.getClient(port);
> org.apache.cxf.endpoint.Endpoint endpoint = client.getEndpoint();*/
>
> // add interceptors
> /*HashMap<String, Object> inProps = new HashMap<String, Object>();
> inProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS);
> inProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS);
> inProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES);
> inProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES);
>
> // the inbound chain takes the In interceptor (the Out interceptor was added here by mistake)
> endpoint.getInInterceptors().add(new WSS4JInInterceptor(inProps));
> endpoint.getInInterceptors().add(new LoggingInInterceptor());
>
> HashMap<String, Object> outProps = new HashMap<String, Object>();
> outProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS);
> outProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS);
> outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
>         + " " + WSHandlerConstants.SIGNATURE + " " + WSHandlerConstants.ENCRYPT);
> outProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES);
> outProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES);
>
> outProps.put(WSHandlerConstants.PW_CALLBACK_REF,
>         "txdps.dl.bpr.common.business.VlsCxfKeystorePasswordCallback");
>
> endpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps));
> endpoint.getOutInterceptors().add(new LoggingOutInterceptor());*/
>
> // set options
> /*HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).getConduit();
> final HTTPClientPolicy httpClientPolicy = httpConduit.getClient();
> httpClientPolicy.setAllowChunking(false); // MS does not support
> httpClientPolicy.setAutoRedirect(true); // hopefully
> httpClientPolicy.setConnection(ConnectionType.KEEP_ALIVE); // maybe
>
> TLSClientParameters tlsCP = new TLSClientParameters();
> String keyPassword = KEYSTORE_PASSWORD;
> KeyStore keyStore = KeyStore.getInstance("JKS");
> Resource aamvaJks = applicationContext.getResource(KEYSTORE_FILE);
>
> keyStore.load(aamvaJks.getInputStream(), KEYSTORE_PASSWORD.toCharArray());
> KeyManager[] myKeyManagers = getKeyManagers(keyStore, keyPassword);
> tlsCP.setKeyManagers(myKeyManagers);
>
> KeyStore trustStore = KeyStore.getInstance("JKS");
> aamvaJks = applicationContext.getResource(KEYSTORE_FILE);
> trustStore.load(aamvaJks.getInputStream(), KEYSTORE_PASSWORD.toCharArray());
> TrustManager[] myTrustStoreKeyManagers = getTrustManagers(trustStore);
> tlsCP.setTrustManagers(myTrustStoreKeyManagers);
> httpConduit.setTlsClientParameters(tlsCP);*/
>
> Things I have tried setting via configuration (there are actually two
> WSDLs compiled into one external jar).
>
> <!-- ********************************************************* -->
> <!-- * Configure the CXF Bus * -->
> <!-- ********************************************************* -->
> <import resource="classpath:META-INF/cxf/cxf.xml" />
> <cxf:bus>
>   <cxf:features>
>     <p:policies />
>     <cxf:logging />
>   </cxf:features>
> </cxf:bus>
> <jaxws:client id="aamva-authentication"
>   name="{http://aamva.org/authentication/3.1.0}AuthenticationService"
>   createdFromAPI="true">
>   <jaxws:properties>
>     <entry key="ws-security.signature.properties"
>       value="/WEB-INF/cxf/client-crypto.properties" />
>     <entry key="ws-security.encryption.properties"
>       value="/WEB-INF/cxf/client-crypto.properties" />
>   </jaxws:properties>
> </jaxws:client>
> <jaxws:client id="aamva-vls3"
>   name="{http://uscis.gov/uscis/services/esb/vls/3.0}VerificationOfLawfulStatusService30"
>   createdFromAPI="true">
>   <jaxws:properties>
>     <entry key="ws-security.signature.properties"
>       value="/WEB-INF/cxf/client-crypto.properties" />
>     <entry key="ws-security.encryption.properties"
>       value="/WEB-INF/cxf/client-crypto.properties" />
>   </jaxws:properties>
> </jaxws:client>
>
> WSDL policies:
>
> <wsp:Policy wsu:Id="wsHttpEndPoint_policy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:TransportToken>
>             <wsp:Policy>
>               <sp:HttpsToken RequireClientCertificate="false" />
>             </wsp:Policy>
>           </sp:TransportToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>           <sp:Layout>
>             <wsp:Policy>
>               <sp:Strict />
>             </wsp:Policy>
>           </sp:Layout>
>           <sp:IncludeTimestamp />
>         </wsp:Policy>
>       </sp:TransportBinding>
>       <sp:EndorsingSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>             <wsp:Policy>
>               <sp:BootstrapPolicy>
>                 <wsp:Policy>
>                   <sp:SignedParts>
>                     <sp:Body />
>                     <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
>                     <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
>                   </sp:SignedParts>
>                   <sp:EncryptedParts>
>                     <sp:Body />
>                   </sp:EncryptedParts>
>                   <sp:TransportBinding>
>                     <wsp:Policy>
>                       <sp:TransportToken>
>                         <wsp:Policy>
>                           <sp:HttpsToken RequireClientCertificate="false" />
>                         </wsp:Policy>
>                       </sp:TransportToken>
>                       <sp:AlgorithmSuite>
>                         <wsp:Policy>
>                           <sp:Basic256 />
>                         </wsp:Policy>
>                       </sp:AlgorithmSuite>
>                       <sp:Layout>
>                         <wsp:Policy>
>                           <sp:Strict />
>                         </wsp:Policy>
>                       </sp:Layout>
>                       <sp:IncludeTimestamp />
>                     </wsp:Policy>
>                   </sp:TransportBinding>
>                   <sp:EndorsingSupportingTokens>
>                     <wsp:Policy>
>                       <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>                         <wsp:Policy>
>                           <sp:RequireThumbprintReference />
>                           <sp:WssX509V3Token10 />
>                         </wsp:Policy>
>                       </sp:X509Token>
>                       <sp:SignedParts>
>                         <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
>                       </sp:SignedParts>
>                     </wsp:Policy>
>                   </sp:EndorsingSupportingTokens>
>                   <sp:Wss11>
>                     <wsp:Policy>
>                       <sp:MustSupportRefThumbprint />
>                     </wsp:Policy>
>                   </sp:Wss11>
>                   <sp:Trust10>
>                     <wsp:Policy>
>                       <sp:MustSupportIssuedTokens />
>                       <sp:RequireClientEntropy />
>                       <sp:RequireServerEntropy />
>                     </wsp:Policy>
>                   </sp:Trust10>
>                 </wsp:Policy>
>               </sp:BootstrapPolicy>
>             </wsp:Policy>
>           </sp:SecureConversationToken>
>         </wsp:Policy>
>       </sp:EndorsingSupportingTokens>
>       <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy />
>       </sp:Wss11>
>       <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>         <wsp:Policy>
>           <sp:MustSupportIssuedTokens />
>           <sp:RequireClientEntropy />
>           <sp:RequireServerEntropy />
>         </wsp:Policy>
>       </sp:Trust10>
>       <wsaw:UsingAddressing />
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
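Colm's point that the jaxws:client name must be the QName of a WSDL port ("{targetNamespace}portName") can be checked mechanically instead of by trial and error. The script below is an added example, not code from the thread or from the CXF project: it extracts the port QNames from a WSDL and compares them with the name attributes of the jaxws:client elements in a Spring configuration, listing the ports that do exist in the same namespace whenever a client does not match. The WSDL and Spring fragments are constructed samples built from the namespace, service and port names that appear in the thread; the SecurityTokenService port is not in the sample WSDL (its WSDL is not available on the page), so that client reports no candidates, which is exactly the situation the tool is meant to surface.

```python
"""Cross-check CXF jaxws:client names against WSDL port QNames.

Added example (not from the thread or from CXF). CXF selects the
per-client WS-Security properties by the QName "{targetNamespace}portName"
of the WSDL port. A jaxws:client whose name is the service or interface
name instead of the port name is never matched, which leaves the
signature/encryption properties undetected.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
JAXWS_NS = "http://cxf.apache.org/jaxws"

# Constructed sample WSDL: namespace, service and port names come from the thread.
SAMPLE_WSDL = """<?xml version="1.0"?>
<wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://aamva.org/authentication/3.1.0"
    targetNamespace="http://aamva.org/authentication/3.1.0">
  <wsdl:service name="AuthenticationService">
    <wsdl:port name="wsHttpEndPoint" binding="tns:wsHttpEndPoint"/>
  </wsdl:service>
</wsdl:definitions>
"""

# Constructed sample Spring config with the three client names tried in the thread.
SAMPLE_SPRING = """<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:jaxws="http://cxf.apache.org/jaxws">
  <jaxws:client id="wrong" createdFromAPI="true"
      name="{http://aamva.org/authentication/3.1.0}AuthenticationService"/>
  <jaxws:client id="right" createdFromAPI="true"
      name="{http://aamva.org/authentication/3.1.0}wsHttpEndPoint"/>
  <jaxws:client id="sts" createdFromAPI="true"
      name="{http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}SecurityTokenService"/>
</beans>
"""


def wsdl_port_qnames(wsdl_xml):
    """Return the set of "{targetNamespace}portName" QNames declared in a WSDL."""
    root = ET.fromstring(wsdl_xml)
    tns = root.get("targetNamespace", "")
    return {"{%s}%s" % (tns, port.get("name"))
            for port in root.iter("{%s}port" % WSDL_NS)}


def jaxws_client_names(spring_xml):
    """Return {bean id: name attribute} for every jaxws:client in a Spring config."""
    root = ET.fromstring(spring_xml)
    return {c.get("id"): c.get("name")
            for c in root.iter("{%s}client" % JAXWS_NS)}


def check_clients(wsdl_xml, spring_xml):
    """Return {client id: (matches a WSDL port, ports in the same namespace)}.

    The candidate list tells the reader which port name to use when the
    local part is wrong; an empty list means the namespace itself is not
    served by this WSDL, so a different WSDL has to be consulted.
    """
    ports = wsdl_port_qnames(wsdl_xml)
    report = {}
    for cid, name in jaxws_client_names(spring_xml).items():
        ns_prefix = name.split("}", 1)[0] + "}" if name.startswith("{") else ""
        candidates = sorted(p for p in ports if p.startswith(ns_prefix))
        report[cid] = (name in ports, candidates)
    return report


if __name__ == "__main__":
    for cid, (ok, candidates) in check_clients(SAMPLE_WSDL, SAMPLE_SPRING).items():
        status = "OK" if ok else "NO MATCH"
        print("%-6s %-9s candidates: %s" % (cid, status, candidates or "none in this WSDL"))
```

Run it against the real WSDL and the application's Spring XML by replacing the two sample strings with file contents; a client reported as NO MATCH with candidates is a wrong local part, and one with no candidates is a namespace that the checked WSDL does not define any port for.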