Posted to users@cxf.apache.org by SRog <sr...@outlook.de> on 2014/08/27 13:04:35 UTC
BiPRO Security-Token-Service
Hi there,
I will give that a new try because I am not sure what's the problem.
I have an STS which provides an SCT.
My business service policy is described like this (BiPRO-standard):
<wsp:Policy wsu:Id="BiPROAuthSecurityPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken RequireClientCertificate="false" />
            </wsp:Policy>
          </sp:TransportToken>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SupportingTokens>
        <wsp:Policy>
          <sp:SecureConversationToken
              sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
            <sp:Issuer>
              <wsa:Address>http://localhost:8080/DoubleItSTS/STS</wsa:Address>
            </sp:Issuer>
          </sp:SecureConversationToken>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Now I tried to call the business service with a request header like this:
<soapenv:Header>
  <wsse:Security>
    <wsc:SecurityContextToken
        xmlns:wsc="http://schemas.xmlsoap.org/ws/2005/02/sc">
      <wsc:Identifier>uuid:D47D9C3E74F30DF5BE14090688057401</wsc:Identifier>
    </wsc:SecurityContextToken>
  </wsse:Security>
</soapenv:Header>
I thought that a call with a header like this has the correct format to get
processed, but instead I got this message:
These policy alternatives can not be satisfied:
{http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient}SecureConversationToken
What's wrong with the request? How can I fix this issue?
Regards,
SRog
--
View this message in context: http://cxf.547215.n5.nabble.com/BiPRO-Security-Token-Service-tp5748199.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: BiPRO Security-Token-Service
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Stefan,
Take a look at the following test that I committed:
https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=commit;h=288259b2
It uses a roughly similar security policy to yours - the client gets an SCT
from the STS and sends it to the service, which in turn dispatches it to
the STS for validation. The test-case you created is using an old version of
CXF that is no longer supported. Please try again with a more recent
version...
Colm.
On Fri, Aug 29, 2014 at 5:53 PM, Stefan Rogge <sr...@outlook.de> wrote:
> Hi Colm,
> It's done. I created a test case, which contains the business service and
> the STS. Also there are SoapUI-projects to call the services.
> I would be glad if you could take a look at it.
>
> Thanks,
> SRog
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
RE: BiPRO Security-Token-Service
Posted by Stefan Rogge <sr...@outlook.de>.
Hi Colm,
It's done. I created a test case, which contains the business service and the STS. Also there are SoapUI-projects to call the services.
I would be glad if you could take a look at it.
Thanks,
SRog
> Date: Wed, 27 Aug 2014 16:10:30 +0100
> Subject: Re: BiPRO Security-Token-Service
> From: coheigea@apache.org
> To: users@cxf.apache.org
>
> Could you create a test-case + I will take a look? Normally,
> SecureConversationToken is used with a BootstrapPolicy, which it isn't in
> this case.
>
> Colm.
Re: BiPRO Security-Token-Service
Posted by Colm O hEigeartaigh <co...@apache.org>.
Could you create a test-case + I will take a look? Normally,
SecureConversationToken is used with a BootstrapPolicy, which it isn't in
this case.
Colm.
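For reference, the shape of a SecureConversationToken assertion that carries a BootstrapPolicy, which is what the reply above says is normally present. This is an added illustration, not part of the thread and not taken from the CXF test: the outer assertion is the one from the question, and the content of the bootstrap policy (the question's transport binding reused) is an assumption.

```xml
<!-- Added illustration, not from the thread. Prefixes (wsp, sp, wsa) are
     those of the policy quoted in the question. -->
<sp:SupportingTokens>
  <wsp:Policy>
    <sp:SecureConversationToken
        sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <sp:Issuer>
        <wsa:Address>http://localhost:8080/DoubleItSTS/STS</wsa:Address>
      </sp:Issuer>
      <wsp:Policy>
        <!-- Nested policy stating the requirements for obtaining the
             SecurityContextToken. The question's policy has no such element. -->
        <sp:BootstrapPolicy>
          <wsp:Policy>
            <!-- Assumed content: the transport binding from the question. -->
            <sp:TransportBinding>
              <wsp:Policy>
                <sp:TransportToken>
                  <wsp:Policy>
                    <sp:HttpsToken RequireClientCertificate="false" />
                  </wsp:Policy>
                </sp:TransportToken>
              </wsp:Policy>
            </sp:TransportBinding>
          </wsp:Policy>
        </sp:BootstrapPolicy>
      </wsp:Policy>
    </sp:SecureConversationToken>
  </wsp:Policy>
</sp:SupportingTokens>
```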