Posted to users@cxf.apache.org by Thomas Johansen <th...@gmail.com> on 2015/02/09 11:58:01 UTC

Advice for handling Microsoft specific assertions

Hi,

I have an STSClient communicating with Microsoft Server 2012 R2 Active
Directory Federation Services. This seems to work fine, except that I get
the following warnings logged on the client side:

feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/06/2004/policy/http}NegotiateAuthentication registered.
feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/2005/07/securitypolicy}RsaToken registered.
feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
WARNING: Failed to build the policy 'CustomBinding_IWSTrust13Async_policy':Invalid Policy
feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
WARNING: Failed to build the policy 'CertificateWSTrustBinding_IWSTrust13Async_policy':Invalid Policy
feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
WARNING: Failed to build the policy 'IssuedTokenWSTrustBinding_IWSTrust13Async_policy':Invalid Policy
feb 09, 2015 11:29:56 AM org.apache.cxf.ws.policy.attachment.wsdl11.Wsdl11AttachmentPolicyProvider getElementPolicy
WARNING: Failed to build the policy 'IssuedTokenWSTrustBinding_IWSTrust13Async1_policy':Invalid Policy

So I understand that AD FS' policy contains a couple of assertions that CXF
does not understand. The question is whether I should try to handle this in
some way. At a minimum I want to get rid of the WARN logging, but is there
anything else I should consider doing? Does this affect security?

Also, should I do anything with these "Invalid Policy" warnings?

My STSClient configuration:

<bean id="stsClient" class="org.apache.cxf.ws.security.trust.STSClient">
    <constructor-arg ref="cxf"/>
    <property name="tokenType" value="urn:oasis:names:tc:SAML:2.0:assertion"/>
    <property name="wsdlLocation" value="https://XXX/adfs/services/trust/mex"/>
    <property name="serviceName"
              value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService"/>
    <property name="endpointName"
              value="{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}UserNameWSTrustBinding_IWSTrust13Async"/>
    <property name="sendRenewing" value="false"/>
    <property name="allowRenewing" value="false"/>
    <property name="enableLifetime" value="true"/>
    <property name="ttl" value="30"/>
    <property name="outInterceptors">
        <!-- This will ask for user name and password on the console and set them
             on the message context properties 'ws-security.username'/'ws-security.password',
             which STSClient then will use for generating the UsernameToken requested by
             ADFS' policy on the endpoint configured above ('endpointName' property) -->
        <bean class="XXX.CredentialsInterceptor"/>
    </property>
</bean>


Regards,
Thomas Johansen

RE: Advice for handling Microsoft specific assertions

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

Yes, the problem is that NegotiateAuthentication and RsaToken are Microsoft-specific assertions and aren't recognized by CXF.
I don't know exactly what these assertions are doing; as a workaround you can register custom dummy handlers for both assertions: http://cxf.apache.org/using-ws-policy-in-cxf-projects

Regards,
Andrei.
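The workaround Andrei links to, written out as an added Java example that is not code from this thread or from CXF's documentation: it assumes CXF 3.x (PrimitiveAssertionBuilder and IgnorablePolicyInterceptorProvider from the org.apache.cxf.ws.policy packages) and access to the Bus the STSClient is constructed with; the helper class name is invented.

```java
import java.util.Arrays;
import java.util.List;
import javax.xml.namespace.QName;

import org.apache.cxf.Bus;
import org.apache.cxf.ws.policy.AssertionBuilderRegistry;
import org.apache.cxf.ws.policy.IgnorablePolicyInterceptorProvider;
import org.apache.cxf.ws.policy.PolicyInterceptorProviderRegistry;
import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertionBuilder;

/**
 * Hypothetical helper (not part of CXF or of the original thread) that registers
 * "dummy" handling for the two Microsoft-specific assertions named in the
 * warnings. Call register(bus) on the same Bus the STSClient is built on, before
 * it first fetches the ADFS mex WSDL.
 */
public final class AdfsAssertionBuilders {

    // QNames copied from the two "No assertion builder for type ..." warnings.
    static final QName NEGOTIATE_AUTHENTICATION = new QName(
        "http://schemas.microsoft.com/ws/06/2004/policy/http", "NegotiateAuthentication");
    static final QName RSA_TOKEN = new QName(
        "http://schemas.microsoft.com/ws/2005/07/securitypolicy", "RsaToken");
    static final List<QName> IGNORED = Arrays.asList(NEGOTIATE_AUTHENTICATION, RSA_TOKEN);

    private AdfsAssertionBuilders() { }

    public static void register(Bus bus) {
        // 1. Builder: each element becomes a PrimitiveAssertion the policy engine can
        //    parse, which is what silences "No assertion builder for type ...".
        bus.getExtension(AssertionBuilderRegistry.class)
           .register(new PrimitiveAssertionBuilder(IGNORED));

        // 2. Interceptor provider: marks the assertion as asserted without doing any
        //    work. Needed only if the assertion sits in the policy alternative the
        //    client actually uses; without it CXF treats that alternative as
        //    unsupported. This is the security-relevant step: the client then claims
        //    to satisfy a requirement it never implements, so register it only for
        //    assertions confirmed not to provide protection you rely on.
        bus.getExtension(PolicyInterceptorProviderRegistry.class)
           .register(new IgnorablePolicyInterceptorProvider(IGNORED));
    }

    /** Stricter alternative: fail on unknown assertions instead of logging once. */
    public static void failOnUnknownAssertions(Bus bus) {
        // With ignoreUnknownAssertions=false CXF throws a PolicyException for an
        // unknown QName instead of substituting an unenforced PrimitiveAssertion.
        bus.getExtension(AssertionBuilderRegistry.class).setIgnoreUnknownAssertions(false);
    }
}
```

In this thread the client uses UserNameWSTrustBinding_IWSTrust13Async, so step 1 alone should remove the warning; step 2 only matters if the ignored assertion appears in the binding the client actually negotiates against.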
