Posted to users@cxf.apache.org by Pröls, Stefan <s....@pharmatechnik.de> on 2015/09/10 12:50:10 UTC

WS-Security: DerivedKeyToken for IssuedToken

Hi,

I'm trying to write an Apache CXF client for this Webservice:

https://rheaavs.element44.net/AvsMpsService_R1_Variante2.wsdl

The Webservice makes extensive use of WS-Security and WS-Trust features.

The problem is that I just can't get the service to accept my requests.
It answers all of them with an InvalidSecurity SOAP-Fault and I don't
understand what's wrong with my requests.

I've attached 2 sample requests. req-cxf.xml is generated with the
current GIT version of Apache CXF 3.1.3 (the git version contains fixes
for problems I've already identified with this Webservice). This request
is answered by an InvalidSecurity SOAP-Fault.

The second sample, req-dotnet.xml, which I've attached for comparison,
has been created by a .Net client and this request is accepted by the
server.

Analyzing the differences between the requests generated by CXF and
.Net, an interesting difference is that .Net generates a DerivedKeyToken
for the IssuedToken returned from the STS. Why does it do that? There is
no RequireDerivedKeys for this token in its WS-Security Policy and I cannot
find any other reason why a DerivedKeyToken might have to be generated
for this token.

To see if this difference might be the cause of the problem, I've tried
to add a RequireDerivedKeys to the IssuedToken's Policy. However, CXF
still won't generate a DerivedKeyToken for this token. Is this a bug or
am I missing something? How can I force CXF to generate a
DerivedKeyToken for the IssuedToken?


Best regards,
Stefan Pröls

________________________________

PHARMATECHNIK GmbH und Co. KG
Münchner Strasse 15
D-82319 Starnberg

Registered office: Starnberg
HRA: 64434, HRB: 66369, Munich District Court
Managing directors: Dr. Detlef Graessner, Cornelia Graessner-Neiss, Stephan Jörgens

Re: WS-Security: DerivedKeyToken for IssuedToken

Posted by Pröls, Stefan <s....@pharmatechnik.de>.
Hi Colm,

thanks! Yes, the DerivedKeyToken is generated now when
RequireDerivedKeys is included in the policy.

That didn't make my client work, though. I fear I won't be able to debug
this without more information from the server logs...


Best regards,
Stefan


On 14.09.2015 at 16:27, Colm O hEigeartaigh wrote:
> Hi Stefan,
>
> I noticed a bug with the previous fix + merged a fix. Can you try again?
> This time you should see the DerivedKeyToken associated with the
> IssuedToken policy (if you include a RequireDerivedKeys policy for it).
>
> Colm.

Re: WS-Security: DerivedKeyToken for IssuedToken

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Stefan,

I noticed a bug with the previous fix + merged a fix. Can you try again?
This time you should see the DerivedKeyToken associated with the
IssuedToken policy (if you include a RequireDerivedKeys policy for it).

Colm.



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
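
A small checker for the comparison discussed in this thread, added here as an example and not code from CXF or from either poster: it reports which token assertions in a WS-SecurityPolicy carry RequireDerivedKeys, and which token each DerivedKeyToken in a captured request is derived from. The policy and request are constructed samples (not the attachments from the thread), and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

TOKEN_ASSERTIONS = {"IssuedToken", "X509Token", "SecureConversationToken",
                    "SecurityContextToken", "SamlToken", "KerberosToken"}

def local(el):
    """Element name without its namespace, so any spec version matches."""
    return el.tag.rsplit("}", 1)[-1]

def tokens_requiring_derived_keys(policy_xml):
    """Map each token assertion in a policy to whether it asks for derived keys."""
    result = {}
    for el in ET.fromstring(policy_xml).iter():
        if local(el) in TOKEN_ASSERTIONS:
            # RequireDerivedKeys sits in the Policy nested directly under the token.
            nested = [c for p in el if local(p) == "Policy" for c in p]
            result[local(el)] = any(local(c) == "RequireDerivedKeys" for c in nested)
    return result

def derived_key_sources(soap_xml):
    """List (DerivedKeyToken Id, token it is derived from) found in a request."""
    found = []
    root = ET.fromstring(soap_xml)
    for el in (e for e in root.iter() if local(e) == "DerivedKeyToken"):
        dkt_id = next((v for k, v in el.attrib.items() if k.endswith("}Id")), None)
        source = None
        for ref in el.iter():
            if local(ref) == "Reference":        # direct reference by URI
                source = ref.get("URI")
            elif local(ref) == "KeyIdentifier":  # e.g. a SAML assertion ID
                source = (ref.text or "").strip()
        found.append((dkt_id, source))
    return found

# Constructed samples, labelled as such; not taken from req-cxf.xml or req-dotnet.xml.
POLICY = """<sp:IssuedToken xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
    xmlns:wsp="http://www.w3.org/ns/ws-policy">
  <wsp:Policy><sp:RequireDerivedKeys/><sp:RequireInternalReference/></wsp:Policy>
</sp:IssuedToken>"""
REQUEST = """<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsc="http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512">
  <wsc:DerivedKeyToken wsu:Id="DK-1">
    <wsse:SecurityTokenReference>
      <wsse:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_assertion-1</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
  </wsc:DerivedKeyToken>
</wsse:Security>"""

print(tokens_requiring_derived_keys(POLICY), derived_key_sources(REQUEST))
```

Running both functions over the policy in the WSDL and over each captured request shows whether a client derived a key from the issued token that the policy never asked for.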