cxf-users mailing list archives

From Gina Choi <ginacho...@gmail.com>
Subject Re: RequestSecurityToken without Encrypting and Signing
Date Tue, 24 Jul 2012 12:58:15 GMT
Hi Colm,

I would like to confirm if I understand you correctly. So, do we need to
add the following content to the Fediz STS wsdl file to issue a token? At this
point we are mostly interested in (at minimum) issuing a token. I am not sure if
we need the "Validate" operation to issue an RSTR.


<!-- 2.1.1.3 UsernameToken with timestamp, nonce and password hash -->
<wsp:Policy wsu:Id="DoubleItDigestPolicy">
  <sp:SupportingTokens>
    <wsp:Policy>
      <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
        <wsp:Policy>
          <sp:HashPassword />
        </wsp:Policy>
      </sp:UsernameToken>
    </wsp:Policy>
  </sp:SupportingTokens>
</wsp:Policy>
<wsdl:binding name="DoubleItDigestBinding" type="tns:DoubleItPortType">
  <wsp:PolicyReference URI="#DoubleItDigestPolicy" />
  <soap:binding style="document"
  transport="http://schemas.xmlsoap.org/soap/http" />
  <wsdl:operation name="Issue">
    <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" />
    <wsdl:input>
      <soap:body use="literal" />
    </wsdl:input>
    <wsdl:output>
      <soap:body use="literal" />
    </wsdl:output>
  </wsdl:operation>
</wsdl:binding>


Thanks.

Gina
On Tue, Jul 24, 2012 at 6:34 AM, Colm O hEigeartaigh <coheigea@apache.org>wrote:

> You could use a SecurityPolicy that just requires a UsernameToken without a
> binding. For example see the policy "<!-- 2.1.1.3 UsernameToken with
> timestamp, nonce and password hash -->" starting on line 214:
>
>
> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup
>
> Of course, in practice one would combine a UsernameToken with the Transport
> binding to secure the message exchange...
>
> Colm.
>
> On Mon, Jul 23, 2012 at 4:41 PM, Sarafian <sarafian_developer@yahoo.gr
> >wrote:
>
> > I have C# code that asks the STS for a token using username/password
> > credentials.
> > I'm using the UT or UTEncrypted endpoints but I get this error:
> >
> > These policy alternatives can not be satisfied:
> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp: Received Timestamp does not match the requirements
> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding: Received Timestamp does not match the requirements
> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts: {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
> >
> > Is there a way for the STS to be configured not to apply the above
> > policies?
> > Is there another endpoint for this kind of thing?
> >
> > I simply want to use a username/password credential combination to request a
> > security token.
> >
> >
> >
> >
> > --
> > View this message in context:
> >
> http://cxf.547215.n5.nabble.com/RequestSecurityToken-without-Encrypting-and-Signing-tp5711426.html
> > Sent from the cxf-user mailing list archive at Nabble.com.
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
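Added example, not code from this thread or from CXF/Fediz: what the `<sp:HashPassword/>` assertion in the policy above commits both sides to, using the digest formula of the WS-Security UsernameToken Profile 1.1, together with the receiver-side checks (digest comparison, Created freshness window, nonce replay cache) that a digest-only UsernameToken endpoint depends on when no Transport binding protects the exchange. The user store, password, nonce and timestamp values are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

WSU_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"  # xsd:dateTime form used in wsu:Created

def parse_wsu(stamp: str) -> datetime:
    return datetime.strptime(stamp, WSU_FMT).replace(tzinfo=timezone.utc)

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)); nonce is the
    raw bytes (Base64-decoded wsse:Nonce), created and password are UTF-8 text."""
    sha1 = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return base64.b64encode(sha1).decode("ascii")

def make_username_token(user: str, password: str, nonce: bytes = None,
                        created: str = None) -> dict:
    """Client side: the child-element values sent in wsse:UsernameToken."""
    nonce = os.urandom(16) if nonce is None else nonce
    if created is None:  # UTC, millisecond precision, as WSS4J emits it
        created = datetime.now(timezone.utc).strftime(WSU_FMT[:-1])[:-3] + "Z"
    return {"Username": user, "Created": created,
            "Nonce": base64.b64encode(nonce).decode("ascii"),
            "PasswordDigest": password_digest(nonce, created, password)}

class UsernameTokenVerifier:
    """Receiver side: the checks an STS endpoint behind <sp:HashPassword/> runs."""
    def __init__(self, passwords: dict, ttl: timedelta = timedelta(minutes=5)):
        self.passwords = passwords    # constructed user store for the example
        self.ttl = ttl                # tolerated token age / clock skew
        self.seen_nonces = set()      # replay cache; bounded and expiring in production

    def verify(self, token: dict, now: str = None) -> bool:
        now_dt = parse_wsu(now) if now else datetime.now(timezone.utc)
        if abs(now_dt - parse_wsu(token["Created"])) > self.ttl:
            return False              # stale or far-future Created
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen_nonces:
            return False              # nonce already used: replay
        password = self.passwords.get(token["Username"])
        if password is None:
            return False              # unknown user, same failure as a bad digest
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False              # wrong password or tampered token
        self.seen_nonces.add(nonce)   # accept, and burn the nonce
        return True
```

The receiver must hold the cleartext password (or an equivalent secret) to recompute the digest, and the token offers no confidentiality or integrity for the rest of the message, which is why the Transport binding Colm mentions is still wanted in practice.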
