Posted to users@cxf.apache.org by Stephen Langella <st...@inventrio.com> on 2009/08/18 19:06:23 UTC
WS SecurityPolicy
I am trying to configure my service to use WS-SecurityPolicy for
specifying a transport binding policy for HTTPS. I have added a
TransportBinding policy to my WSDL, created a transport binding
policy and bound it to an endpoint policy subject. At first I
configured the server (through the WS-SecurityPolicy in the WSDL)
not to require the client to provide a certificate. This worked fine;
second, I changed the server to require a client certificate
(<sp:HttpsToken RequireClientCertificate="true"/>). In testing this
I tried my client without providing a certificate and it still
worked. This seems to suggest that either the WS-SecurityPolicy is
not being applied or that CXF is not enforcing that a client
certificate be provided. Any ideas what I might be doing wrong?
Below I have provided my WSDL for reference; thanks in advance.
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions name="HelloWorld"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
xmlns:tns="http://www.cagrid.org/HelloWorld"
xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
targetNamespace="http://www.cagrid.org/HelloWorld">
<wsdl:types>
<xsd:schema targetNamespace="http://www.cagrid.org/HelloWorld">
<xsd:element name="SayHelloRequest" type="xsd:string" />
<xsd:element name="SayHelloResponse" type="xsd:string" />
</xsd:schema>
</wsdl:types>
<wsdl:message name="SayHelloRequest">
<wsdl:part element="tns:SayHelloRequest" name="parameters" />
</wsdl:message>
<wsdl:message name="SayHelloResponse">
<wsdl:part element="tns:SayHelloResponse" name="parameters" />
</wsdl:message>
<wsdl:portType name="HelloWorld">
<wsdl:operation name="SayHello">
<wsdl:input message="tns:SayHelloRequest"
name="sayHelloRequest" />
<wsdl:output message="tns:SayHelloResponse"
name="sayHelloResponse" />
</wsdl:operation>
</wsdl:portType>
<wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
<wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
<soap:binding style="document"
transport="http://schemas.xmlsoap.org/soap/http" />
<wsdl:operation name="SayHello">
<soap:operation soapAction="" style="document" />
<wsdl:input name="sayHelloRequest">
<soap:body use="literal" />
</wsdl:input>
<wsdl:output name="sayHelloResponse">
<soap:body use="literal" />
</wsdl:output>
</wsdl:operation>
</wsdl:binding>
<wsdl:service name="HelloWorldService">
<wsdl:port name="HelloWorldPort"
binding="tns:HelloWorldBinding">
<soap:address location="https://llanowar:9001/HelloWorldService" />
</wsdl:port>
</wsdl:service>
<wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
<wsp:ExactlyOne>
<wsp:All>
<sp:TransportBinding
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken
RequireClientCertificate="true" />
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256 />
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Lax />
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp />
</wsp:Policy>
</sp:TransportBinding>
<sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<sp:MustSupportRefKeyIdentifier />
<sp:MustSupportRefIssuerSerial />
</wsp:Policy>
</sp:Wss10>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>
</wsdl:definitions>
--Steve
Stephen Langella
Co-Founder
Inventrio, LLC
www.inventrio.com
Stephen.Langella@inventrio.com
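One concrete way to separate "the policy is not attached" from "CXF is not enforcing it" is to resolve the binding's wsp:PolicyReference exactly as a policy engine would, by wsu:Id, and read back what the HttpsToken assertion requires. The script below is an added example (not code from the thread or from CXF); it embeds a constructed sample reduced from the WSDL above and also flags an Id attribute that has ended up in a namespace other than wsu, which a stray character in the xmlns declaration produces and which an engine keyed on wsu:Id cannot resolve.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP_NS = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"

# Constructed sample: the thread's WSDL reduced to the binding and its policy.
# The two %s slots take the wsu namespace URI and the RequireClientCertificate value.
WSDL_TEMPLATE = """<wsdl:definitions name="HelloWorld"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:tns="http://www.cagrid.org/HelloWorld"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:wsu="%s"
    targetNamespace="http://www.cagrid.org/HelloWorld">
  <wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
    <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
  </wsdl:binding>
  <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:TransportBinding>
          <wsp:Policy>
            <sp:TransportToken>
              <wsp:Policy>
                <sp:HttpsToken RequireClientCertificate="%s"/>
              </wsp:Policy>
            </sp:TransportToken>
          </wsp:Policy>
        </sp:TransportBinding>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
</wsdl:definitions>"""


def q(ns, local):
    return "{%s}%s" % (ns, local)


def resolve_policy_reference(root, binding_name):
    """Return (policy element or None, list of problems) for the binding's reference."""
    problems = []
    binding = next((b for b in root.iter(q(WSDL_NS, "binding"))
                    if b.get("name") == binding_name), None)
    if binding is None:
        return None, ["binding %r not found" % binding_name]
    ref = binding.find(q(WSP_NS, "PolicyReference"))
    if ref is None:
        return None, ["binding %r carries no wsp:PolicyReference" % binding_name]
    uri = ref.get("URI", "")
    if not uri.startswith("#"):
        return None, ["external policy reference %r not handled here" % uri]
    wanted = uri[1:]
    policies = list(root.iter(q(WSP_NS, "Policy")))
    for pol in policies:  # the lookup a WS-Policy engine performs: wsu:Id match
        if pol.get(q(WSU_NS, "Id")) == wanted:
            return pol, problems
    # Fallback: an Id with the right value but the wrong namespace. A policy
    # engine keyed on wsu:Id would not find this policy, so report it.
    for pol in policies:
        for attr, val in pol.attrib.items():
            if val == wanted and attr.endswith("}Id"):
                problems.append("Id %r is in namespace %r, not the wsu namespace"
                                % (wanted, attr[1:attr.index("}")]))
                return pol, problems
    return None, ["no wsp:Policy with wsu:Id=%r" % wanted]


def https_token_requirements(policy):
    """One dict per alternative (wsp:All, nested ones flattened), or one for a flat policy."""
    alternatives = list(policy.iter(q(WSP_NS, "All"))) or [policy]
    results = []
    for alt in alternatives:
        token = alt.find(".//" + q(SP_NS, "HttpsToken"))
        if token is None:
            results.append({"https": False, "require_client_cert": None})
            continue
        flag = token.get("RequireClientCertificate", "false").strip().lower()
        results.append({"https": True, "require_client_cert": flag == "true"})
    return results


def check_wsdl(wsdl_text, binding_name="HelloWorldBinding"):
    root = ET.fromstring(wsdl_text)
    policy, problems = resolve_policy_reference(root, binding_name)
    if policy is None:
        return {"resolved": False, "problems": problems, "alternatives": []}
    return {"resolved": True, "problems": problems,
            "alternatives": https_token_requirements(policy)}


if __name__ == "__main__":
    print(check_wsdl(WSDL_TEMPLATE % (WSU_NS, "true")))
    # Same WSDL with a stray space inside the wsu namespace declaration.
    print(check_wsdl(WSDL_TEMPLATE % (WSU_NS + " ", "true")))
```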
Re: WS SecurityPolicy
Posted by Stephen Langella <st...@inventrio.com>.
Dan,
In performing this I was using Java 5, then I had to context
switch to something else that required Java 6. In context switching
back to this issue, I tried running the same scenario as I described
below with Java 6 and now I run into a different issue. When the
client tries to connect I get the following error:
java.lang.IllegalStateException: connection not yet open
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getLocalCertificates(AbstractDelegateHttpsURLConnection.java:213)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getLocalCertificates(HttpsURLConnectionImpl.java:167)
at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.assertHttps(HttpsTokenInterceptorProvider.java:101)
at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.handleMessage(HttpsTokenInterceptorProvider.java:81)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:472)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:302)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:123)
at $Proxy37.sayHello(Unknown Source)
at org.cagrid.helloworld.client.SpringClient3.main(SpringClient3.java:69)
Invocation failed with the following: java.lang.IllegalStateException: connection not yet open
I should mention that I only get this error if
RequireClientCertificate="true"; if RequireClientCertificate="false"
everything works fine. I still plan on debugging in Java 5 as you
suggested, but I thought I would mention this because I find it
concerning that I see different behaviors between Java 5 and Java 6.
I also was hoping that the error I provide above might be familiar to
you or ring a bell. BTW, I did switch back to Java 5 and encountered
the original problem I posted. Please let me know if you have other
suggestions given this additional information. I appreciate your help,
thanks in advance.
--Steve
Stephen Langella
Co-Founder
Inventrio, LLC
www.inventrio.com
Stephen.Langella@inventrio.com
On Aug 19, 2009, at 4:09 PM, Daniel Kulp wrote:
>
>
> Hmm... it definitely should be asserted. Is there any way you
> can run this
> in a debugger? If you could put a break point on line 174 of
> HttpsTokenInterceptorProvider, that would be a big help. At that
> point, I'd
> like to see the contents of TLSSessionInfo and make sure the certs
> are correct
> in there. The other place to breakpoint is line 550 of SSLUtils
> where the
> SSL certs and stuff are pulled from the request. If you can check
> that the
> correct information is pulled from there, that would also be a big
> help.
>
> Dan
>
>
>
> On Tue August 18 2009 1:06:23 pm Stephen Langella wrote:
>> I am trying to configure my service to use WS-SecurityPolicy for
>> specifying a transport binding policy for HTTPS. I have added a
>> TransportBinding policy to my WSDL, created a transport binding
>> policy and bound it to an endpoint policy subject. At first I
>> configured the server (through the WS-SecurityPolicy in the WSDL)
>> not to require the client to provide a certificate. This worked fine;
>> second, I changed the server to require a client certificate
>> (<sp:HttpsToken RequireClientCertificate="true"/>). In testing this
>> I tried my client without providing a certificate and it still
>> worked. This seems to suggest that either the WS-SecurityPolicy is
>> not being applied or that CXF is not enforcing that a client
>> certificate be provided. Any ideas what I might be doing wrong?
>> Below I have provided my WSDL for reference; thanks in advance.
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <wsdl:definitions name="HelloWorld"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>> xmlns:tns="http://www.cagrid.org/HelloWorld"
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> targetNamespace="http://www.cagrid.org/HelloWorld">
>> <wsdl:types>
>> <xsd:schema targetNamespace="http://www.cagrid.org/HelloWorld">
>> <xsd:element name="SayHelloRequest" type="xsd:string" />
>> <xsd:element name="SayHelloResponse" type="xsd:string" />
>> </xsd:schema>
>> </wsdl:types>
>> <wsdl:message name="SayHelloRequest">
>> <wsdl:part element="tns:SayHelloRequest" name="parameters" />
>> </wsdl:message>
>> <wsdl:message name="SayHelloResponse">
>> <wsdl:part element="tns:SayHelloResponse" name="parameters" />
>> </wsdl:message>
>> <wsdl:portType name="HelloWorld">
>> <wsdl:operation name="SayHello">
>> <wsdl:input message="tns:SayHelloRequest"
>> name="sayHelloRequest" />
>> <wsdl:output message="tns:SayHelloResponse"
>> name="sayHelloResponse" />
>> </wsdl:operation>
>> </wsdl:portType>
>> <wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
>> <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
>> <soap:binding style="document"
>> transport="http://schemas.xmlsoap.org/soap/http" />
>> <wsdl:operation name="SayHello">
>> <soap:operation soapAction="" style="document" />
>> <wsdl:input name="sayHelloRequest">
>> <soap:body use="literal" />
>> </wsdl:input>
>> <wsdl:output name="sayHelloResponse">
>> <soap:body use="literal" />
>> </wsdl:output>
>> </wsdl:operation>
>> </wsdl:binding>
>> <wsdl:service name="HelloWorldService">
>> <wsdl:port name="HelloWorldPort"
>> binding="tns:HelloWorldBinding">
>> <soap:address location="https://llanowar:9001/HelloWorldService" />
>> </wsdl:port>
>> </wsdl:service>
>>
>> <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
>> <wsp:ExactlyOne>
>> <wsp:All>
>> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:TransportToken>
>> <wsp:Policy>
>> <sp:HttpsToken
>> RequireClientCertificate="true" />
>> </wsp:Policy>
>> </sp:TransportToken>
>> <sp:AlgorithmSuite>
>> <wsp:Policy>
>> <sp:Basic256 />
>> </wsp:Policy>
>> </sp:AlgorithmSuite>
>> <sp:Layout>
>> <wsp:Policy>
>> <sp:Lax />
>> </wsp:Policy>
>> </sp:Layout>
>> <sp:IncludeTimestamp />
>> </wsp:Policy>
>> </sp:TransportBinding>
>> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:MustSupportRefKeyIdentifier />
>> <sp:MustSupportRefIssuerSerial />
>> </wsp:Policy>
>> </sp:Wss10>
>> </wsp:All>
>> </wsp:ExactlyOne>
>> </wsp:Policy>
>> </wsdl:definitions>
>>
>>
>> --Steve
>>
>> Stephen Langella
>> Co-Founder
>> Inventrio, LLC
>> www.inventrio.com
>>
>> Stephen.Langella@inventrio.com
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
Re: WS SecurityPolicy
Posted by Daniel Kulp <dk...@apache.org>.
No idea on that one. Sounds like with Java 6, it's delaying opening the
connection (and thus establishing the trust) a bit longer than with java 5.
Is there any way you could write a quick "hello world" type test case? That
would be a big help to me.
Dan
On Sat August 22 2009 5:42:44 pm Stephen Langella wrote:
> Dan,
>
> In performing this I was using Java 5, then I had to context switch to
> something else that required Java 6. In context switching back to this
> issue, I tried running the same scenario as I described below with Java 6
> and now I run into a different issue. When the client tries to connect I
> get the following error:
>
> java.lang.IllegalStateException: connection not yet open
> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getLocalCertificates(AbstractDelegateHttpsURLConnection.java:213)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getLocalCertificates(HttpsURLConnectionImpl.java:167)
> at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.assertHttps(HttpsTokenInterceptorProvider.java:101)
> at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.handleMessage(HttpsTokenInterceptorProvider.java:81)
> at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:472)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:302)
> at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
> at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
> at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:123)
> at $Proxy37.sayHello(Unknown Source)
> at org.cagrid.helloworld.client.SpringClient3.main(SpringClient3.java:69)
> Invocation failed with the following: java.lang.IllegalStateException: connection not yet open
>
>
> I should mention that I only get this error if
> RequireClientCertificate="true"; if RequireClientCertificate="false"
> everything works fine. I still plan on debugging in Java 5 as you
> suggested, but I thought I would mention this because I find it concerning
> that I see different behaviors between Java 5 and Java 6. I also was
> hoping that the error I provide above might be familiar to you or ring a
> bell. BTW, I did switch back to Java 5 and encountered the original
> problem I posted. Please let me know if you have other suggestions given
> this additional information. I appreciate your help, thanks in advance.
>
> --Steve
>
> Stephen Langella
> Co-Director
> Software Research Institute
> Center for IT Innovations in Healthcare
> Ohio State University
>
> Senior Researcher
> Department of Biomedical Informatics
> Ohio State University
>
> Office: (614) 293-9534
> Lab: (614) 292-8420
> Stephen.Langella@osumc.edu
>
> > From: Daniel Kulp <dk...@apache.org>
> > Reply-To: <us...@cxf.apache.org>
> > Date: Wed, 19 Aug 2009 16:09:20 -0400
> > To: <us...@cxf.apache.org>
> > Cc: Stephen Langella <St...@inventrio.com>
> > Subject: Re: WS SecurityPolicy
> >
> >
> >
> > Hmm... it definitely should be asserted. Is there any way you can run
> > this in a debugger? If you could put a break point on line 174 of
> > HttpsTokenInterceptorProvider, that would be a big help. At that point,
> > I'd like to see the contents of TLSSessionInfo and make sure the certs
> > are correct in there. The other place to breakpoint is line 550 of
> > SSLUtils where the SSL certs and stuff are pulled from the request. If
> > you can check that the correct information is pulled from there, that
> > would also be a big help.
> >
> > Dan
> >
> > On Tue August 18 2009 1:06:23 pm Stephen Langella wrote:
> >> I am trying to configure my service to use WS-SecurityPolicy for
> >> specifying a transport binding policy for HTTPS. I have added a
> >> TransportBinding policy to my WSDL, created a transport binding
> >> policy and bound it to an endpoint policy subject. At first I
> >> configured the server (through the WS-SecurityPolicy in the WSDL)
> >> not to require the client to provide a certificate. This worked fine;
> >> second, I changed the server to require a client certificate
> >> (<sp:HttpsToken RequireClientCertificate="true"/>). In testing this
> >> I tried my client without providing a certificate and it still
> >> worked. This seems to suggest that either the WS-SecurityPolicy is
> >> not being applied or that CXF is not enforcing that a client
> >> certificate be provided. Any ideas what I might be doing wrong?
> >> Below I have provided my WSDL for reference; thanks in advance.
> >>
> >> <?xml version="1.0" encoding="UTF-8"?>
> >> <wsdl:definitions name="HelloWorld"
> >> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> >> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> >> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> >> xmlns:tns="http://www.cagrid.org/HelloWorld"
> >> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> >> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> >> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >> targetNamespace="http://www.cagrid.org/HelloWorld">
> >> <wsdl:types>
> >> <xsd:schema targetNamespace="http://www.cagrid.org/HelloWorld">
> >> <xsd:element name="SayHelloRequest" type="xsd:string" />
> >> <xsd:element name="SayHelloResponse" type="xsd:string" />
> >> </xsd:schema>
> >> </wsdl:types>
> >> <wsdl:message name="SayHelloRequest">
> >> <wsdl:part element="tns:SayHelloRequest" name="parameters" />
> >> </wsdl:message>
> >> <wsdl:message name="SayHelloResponse">
> >> <wsdl:part element="tns:SayHelloResponse" name="parameters" />
> >> </wsdl:message>
> >> <wsdl:portType name="HelloWorld">
> >> <wsdl:operation name="SayHello">
> >> <wsdl:input message="tns:SayHelloRequest"
> >> name="sayHelloRequest" />
> >> <wsdl:output message="tns:SayHelloResponse"
> >> name="sayHelloResponse" />
> >> </wsdl:operation>
> >> </wsdl:portType>
> >> <wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
> >> <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
> >> <soap:binding style="document"
> >> transport="http://schemas.xmlsoap.org/soap/http" />
> >> <wsdl:operation name="SayHello">
> >> <soap:operation soapAction="" style="document" />
> >> <wsdl:input name="sayHelloRequest">
> >> <soap:body use="literal" />
> >> </wsdl:input>
> >> <wsdl:output name="sayHelloResponse">
> >> <soap:body use="literal" />
> >> </wsdl:output>
> >> </wsdl:operation>
> >> </wsdl:binding>
> >> <wsdl:service name="HelloWorldService">
> >> <wsdl:port name="HelloWorldPort"
> >> binding="tns:HelloWorldBinding">
> >> <soap:address location="https://llanowar:9001/HelloWorldService" />
> >> </wsdl:port>
> >> </wsdl:service>
> >>
> >> <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
> >> <wsp:ExactlyOne>
> >> <wsp:All>
> >> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >> <wsp:Policy>
> >> <sp:TransportToken>
> >> <wsp:Policy>
> >> <sp:HttpsToken
> >> RequireClientCertificate="true" />
> >> </wsp:Policy>
> >> </sp:TransportToken>
> >> <sp:AlgorithmSuite>
> >> <wsp:Policy>
> >> <sp:Basic256 />
> >> </wsp:Policy>
> >> </sp:AlgorithmSuite>
> >> <sp:Layout>
> >> <wsp:Policy>
> >> <sp:Lax />
> >> </wsp:Policy>
> >> </sp:Layout>
> >> <sp:IncludeTimestamp />
> >> </wsp:Policy>
> >> </sp:TransportBinding>
> >> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> >> <wsp:Policy>
> >> <sp:MustSupportRefKeyIdentifier />
> >> <sp:MustSupportRefIssuerSerial />
> >> </wsp:Policy>
> >> </sp:Wss10>
> >> </wsp:All>
> >> </wsp:ExactlyOne>
> >> </wsp:Policy>
> >> </wsdl:definitions>
> >>
> >>
> >> --Steve
> >>
> >> Stephen Langella
> >> Co-Founder
> >> Inventrio, LLC
> >> www.inventrio.com
> >>
> >> Stephen.Langella@inventrio.com
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
Re: WS SecurityPolicy
Posted by Stephen Langella <St...@osumc.edu>.
Dan,
In performing this I was using Java 5, then I had to context switch to
something else that required Java 6. In context switching back to this
issue, I tried running the same scenario as I described below with Java 6
and now I run into a different issue. When the client tries to connect I
get the following error:
java.lang.IllegalStateException: connection not yet open
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getLocalCertificates(AbstractDelegateHttpsURLConnection.java:213)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getLocalCertificates(HttpsURLConnectionImpl.java:167)
at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.assertHttps(HttpsTokenInterceptorProvider.java:101)
at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.handleMessage(HttpsTokenInterceptorProvider.java:81)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:236)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:472)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:302)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:254)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:73)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:123)
at $Proxy37.sayHello(Unknown Source)
at org.cagrid.helloworld.client.SpringClient3.main(SpringClient3.java:69)
Invocation failed with the following: java.lang.IllegalStateException: connection not yet open
I should mention that I only get this error if
RequireClientCertificate="true"; if RequireClientCertificate="false"
everything works fine. I still plan on debugging in Java 5 as you
suggested, but I thought I would mention this because I find it concerning
that I see different behaviors between Java 5 and Java 6. I also was
hoping that the error I provide above might be familiar to you or ring a
bell. BTW, I did switch back to Java 5 and encountered the original problem
I posted. Please let me know if you have other suggestions given this
additional information. I appreciate your help, thanks in advance.
--Steve
Stephen Langella
Co-Director
Software Research Institute
Center for IT Innovations in Healthcare
Ohio State University
Senior Researcher
Department of Biomedical Informatics
Ohio State University
Office: (614) 293-9534
Lab: (614) 292-8420
Stephen.Langella@osumc.edu
> From: Daniel Kulp <dk...@apache.org>
> Reply-To: <us...@cxf.apache.org>
> Date: Wed, 19 Aug 2009 16:09:20 -0400
> To: <us...@cxf.apache.org>
> Cc: Stephen Langella <St...@inventrio.com>
> Subject: Re: WS SecurityPolicy
>
>
>
> Hmm... it definitely should be asserted. Is there any way you can run this
> in a debugger? If you could put a break point on line 174 of
> HttpsTokenInterceptorProvider, that would be a big help. At that point, I'd
> like to see the contents of TLSSessionInfo and make sure the certs are correct
> in there. The other place to breakpoint is line 550 of SSLUtils where the
> SSL certs and stuff are pulled from the request. If you can check that the
> correct information is pulled from there, that would also be a big help.
>
> Dan
>
>
>
> On Tue August 18 2009 1:06:23 pm Stephen Langella wrote:
>> I am trying to configure my service to use WS-SecurityPolicy for
>> specifying a transport binding policy for HTTPS. I have added a
>> TransportBinding policy to my WSDL, created a transport binding
>> policy and bound it to an endpoint policy subject. At first I
>> configured the server (through the WS-SecurityPolicy in the WSDL)
>> not to require the client to provide a certificate. This worked fine;
>> second, I changed the server to require a client certificate
>> (<sp:HttpsToken RequireClientCertificate="true"/>). In testing this
>> I tried my client without providing a certificate and it still
>> worked. This seems to suggest that either the WS-SecurityPolicy is
>> not being applied or that CXF is not enforcing that a client
>> certificate be provided. Any ideas what I might be doing wrong?
>> Below I have provided my WSDL for reference; thanks in advance.
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <wsdl:definitions name="HelloWorld"
>> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
>> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
>> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
>> xmlns:tns="http://www.cagrid.org/HelloWorld"
>> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
>> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
>> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>> targetNamespace="http://www.cagrid.org/HelloWorld">
>> <wsdl:types>
>> <xsd:schema targetNamespace="http://www.cagrid.org/HelloWorld">
>> <xsd:element name="SayHelloRequest" type="xsd:string" />
>> <xsd:element name="SayHelloResponse" type="xsd:string" />
>> </xsd:schema>
>> </wsdl:types>
>> <wsdl:message name="SayHelloRequest">
>> <wsdl:part element="tns:SayHelloRequest" name="parameters" />
>> </wsdl:message>
>> <wsdl:message name="SayHelloResponse">
>> <wsdl:part element="tns:SayHelloResponse" name="parameters" />
>> </wsdl:message>
>> <wsdl:portType name="HelloWorld">
>> <wsdl:operation name="SayHello">
>> <wsdl:input message="tns:SayHelloRequest"
>> name="sayHelloRequest" />
>> <wsdl:output message="tns:SayHelloResponse"
>> name="sayHelloResponse" />
>> </wsdl:operation>
>> </wsdl:portType>
>> <wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
>> <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
>> <soap:binding style="document"
>> transport="http://schemas.xmlsoap.org/soap/http" />
>> <wsdl:operation name="SayHello">
>> <soap:operation soapAction="" style="document" />
>> <wsdl:input name="sayHelloRequest">
>> <soap:body use="literal" />
>> </wsdl:input>
>> <wsdl:output name="sayHelloResponse">
>> <soap:body use="literal" />
>> </wsdl:output>
>> </wsdl:operation>
>> </wsdl:binding>
>> <wsdl:service name="HelloWorldService">
>> <wsdl:port name="HelloWorldPort"
>> binding="tns:HelloWorldBinding">
>> <soap:address location="https://llanowar:9001/HelloWorldService" />
>> </wsdl:port>
>> </wsdl:service>
>>
>> <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
>> <wsp:ExactlyOne>
>> <wsp:All>
>> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:TransportToken>
>> <wsp:Policy>
>> <sp:HttpsToken
>> RequireClientCertificate="true" />
>> </wsp:Policy>
>> </sp:TransportToken>
>> <sp:AlgorithmSuite>
>> <wsp:Policy>
>> <sp:Basic256 />
>> </wsp:Policy>
>> </sp:AlgorithmSuite>
>> <sp:Layout>
>> <wsp:Policy>
>> <sp:Lax />
>> </wsp:Policy>
>> </sp:Layout>
>> <sp:IncludeTimestamp />
>> </wsp:Policy>
>> </sp:TransportBinding>
>> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>> <wsp:Policy>
>> <sp:MustSupportRefKeyIdentifier />
>> <sp:MustSupportRefIssuerSerial />
>> </wsp:Policy>
>> </sp:Wss10>
>> </wsp:All>
>> </wsp:ExactlyOne>
>> </wsp:Policy>
>> </wsdl:definitions>
>>
>>
>> --Steve
>>
>> Stephen Langella
>> Co-Founder
>> Inventrio, LLC
>> www.inventrio.com
>>
>> Stephen.Langella@inventrio.com
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
Re: WS SecurityPolicy
Posted by Daniel Kulp <dk...@apache.org>.
Hmm... it definitely should be asserted. Is there any way you can run this
in a debugger? If you could put a break point on line 174 of
HttpsTokenInterceptorProvider, that would be a big help. At that point, I'd
like to see the contents of TLSSessionInfo and make sure the certs are correct
in there. The other place to breakpoint is line 550 of SSLUtils where the
SSL certs and stuff are pulled from the request. If you can check that the
correct information is pulled from there, that would also be a big help.
Dan
On Tue August 18 2009 1:06:23 pm Stephen Langella wrote:
> I am trying to configure my service to use WS-SecurityPolicy for
> specifying a transport binding policy for HTTPS. I have added a
> TransportBinding policy to my WSDL, created a transport binding
> policy and bound it to an endpoint policy subject. At first I
> configured the server (through the WS-SecurityPolicy in the WSDL)
> not to require the client to provide a certificate. This worked fine;
> second, I changed the server to require a client certificate
> (<sp:HttpsToken RequireClientCertificate="true"/>). In testing this
> I tried my client without providing a certificate and it still
> worked. This seems to suggest that either the WS-SecurityPolicy is
> not being applied or that CXF is not enforcing that a client
> certificate be provided. Any ideas what I might be doing wrong?
> Below I have provided my WSDL for reference; thanks in advance.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <wsdl:definitions name="HelloWorld"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> xmlns:tns="http://www.cagrid.org/HelloWorld"
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> targetNamespace="http://www.cagrid.org/HelloWorld">
> <wsdl:types>
> <xsd:schema targetNamespace="http://www.cagrid.org/HelloWorld">
> <xsd:element name="SayHelloRequest" type="xsd:string" />
> <xsd:element name="SayHelloResponse" type="xsd:string" />
> </xsd:schema>
> </wsdl:types>
> <wsdl:message name="SayHelloRequest">
> <wsdl:part element="tns:SayHelloRequest" name="parameters" />
> </wsdl:message>
> <wsdl:message name="SayHelloResponse">
> <wsdl:part element="tns:SayHelloResponse" name="parameters" />
> </wsdl:message>
> <wsdl:portType name="HelloWorld">
> <wsdl:operation name="SayHello">
> <wsdl:input message="tns:SayHelloRequest"
> name="sayHelloRequest" />
> <wsdl:output message="tns:SayHelloResponse"
> name="sayHelloResponse" />
> </wsdl:operation>
> </wsdl:portType>
> <wsdl:binding name="HelloWorldBinding" type="tns:HelloWorld">
> <wsp:PolicyReference URI="#HelloWorldSecureTransportPolicy"/>
> <soap:binding style="document"
> transport="http://schemas.xmlsoap.org/soap/http" />
> <wsdl:operation name="SayHello">
> <soap:operation soapAction="" style="document" />
> <wsdl:input name="sayHelloRequest">
> <soap:body use="literal" />
> </wsdl:input>
> <wsdl:output name="sayHelloResponse">
> <soap:body use="literal" />
> </wsdl:output>
> </wsdl:operation>
> </wsdl:binding>
> <wsdl:service name="HelloWorldService">
> <wsdl:port name="HelloWorldPort"
> binding="tns:HelloWorldBinding">
> <soap:address location="https://llanowar:9001/HelloWorldService" />
> </wsdl:port>
> </wsdl:service>
>
> <wsp:Policy wsu:Id="HelloWorldSecureTransportPolicy">
> <wsp:ExactlyOne>
> <wsp:All>
> <sp:TransportBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:TransportToken>
> <wsp:Policy>
> <sp:HttpsToken
> RequireClientCertificate="true" />
> </wsp:Policy>
> </sp:TransportToken>
> <sp:AlgorithmSuite>
> <wsp:Policy>
> <sp:Basic256 />
> </wsp:Policy>
> </sp:AlgorithmSuite>
> <sp:Layout>
> <wsp:Policy>
> <sp:Lax />
> </wsp:Policy>
> </sp:Layout>
> <sp:IncludeTimestamp />
> </wsp:Policy>
> </sp:TransportBinding>
> <sp:Wss10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
> <wsp:Policy>
> <sp:MustSupportRefKeyIdentifier />
> <sp:MustSupportRefIssuerSerial />
> </wsp:Policy>
> </sp:Wss10>
> </wsp:All>
> </wsp:ExactlyOne>
> </wsp:Policy>
> </wsdl:definitions>
>
>
> --Steve
>
> Stephen Langella
> Co-Founder
> Inventrio, LLC
> www.inventrio.com
>
> Stephen.Langella@inventrio.com
--
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog