Subject: Re: RequestSecurityToken without Encrypting and Signing
From: Colm O hEigeartaigh
To: Gina Choi
Cc: users@cxf.apache.org
Date: Tue, 24 Jul 2012 15:28:36 +0100

What security policy are you using for the TransportUT_Port? It sounds like the WS-SecurityPolicy layer is not getting invoked.

Colm.

On Tue, Jul 24, 2012 at 2:35 PM, Gina Choi wrote:
> Hi Colm,
>
> Alex and I are working together to get this working. I am responsible for
> configuring Fediz STS for him. Could you take a look at the following
> exceptions from Alex's RST? We decided to use TransportUT_Port. I think
> that is being used for WS-Federation SSO as well. Anyway, please ignore our
> previous emails. Could you tell us what is wrong with his RST?
>
> ID: 1
> Address: https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService
> Encoding: UTF-8
> Http-Method: POST
> Content-Type: application/soap+xml; charset=utf-8
> Headers: {accept-encoding=[gzip, deflate], connection=[Keep-Alive],
> Content-Length=[1908], content-type=[application/soap+xml; charset=utf-8],
> expect=[100-continue], host=[wkqasv0805.global.sdl.corp:9443]}
> Payload: xmlns:a="http://www.w3.org/2005/08/addressing"
> xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue
> urn:uuid:24a48857-71ec-466e-bfe6-675c08f84c6e
> http://www.w3.org/2005/08/addressing/anonymous
> uIDPo8DHZtWXyK1Jn2JxXCS85z4AAAAAlruHm4rOAUCcZNvbjFb/PND3aSmMn0JLk9BMBxOE9WoACQAA
> s:mustUnderstand="1">https://wkqasv0805.global.sdl.corp:9443/fedizidpsts/STSService
> xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> u:Id="_0">2012-07-24T13:27:55.050Z 2012-07-24T13:32:55.050Z
> ameToken u:Id="uuid-64599397-270f-4886-975c-086f44f45f27-1">gchoi
> Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">gchoi
> xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> erence>https://medevasarafia01.global.sdl.corp/Agency/
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue
> :TokenType>urn:oasis:names:tc:SAML:1.0:assertion
> --------------------------------------
> SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
> SLF4J: Defaulting to no-operation (NOP) logger implementation
> SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
> [LdapLoginModule] authentication-only mode; SSL disabled
> [LdapLoginModule] user provider: ldap://wkqasv0805.global.sdl.corp:389/ou=People,dc=maxcrc,dc=com
> [LdapLoginModule] attempting to authenticate user: gchoi
> [LdapLoginModule] authentication succeeded
> [LdapLoginModule] added LdapPrincipal "cn=gchoi,ou=People,dc=maxcrc,dc=com" to Subject
> [LdapLoginModule] added UserPrincipal "gchoi" to Subject
> Jul 24, 2012 9:28:00 AM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
> WARNING: Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Validate has thrown exception, unwinding now
> org.apache.cxf.binding.soap.SoapFault: MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.
>         at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.checkUltimateReceiverHeaders(MustUnderstandInterceptor.java:150)
>         at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:96)
>         at org.apache.cxf.binding.soap.interceptor.MustUnderstandInterceptor.handleMessage(MustUnderstandInterceptor.java:49)
>         at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:262)
>         at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:122)
>         at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:211)
>         at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:213)
>         at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:193)
>         at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:129)
>         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:187)
>         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:110)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:641)
>         at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:166)
>         at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
>         at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
>         at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
>         at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
>         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
>         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
>         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
>         at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
>         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
>         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
>         at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
>         at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
>         at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:307)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
>         at java.lang.Thread.run(Unknown Source)
> Jul 24, 2012 9:28:00 AM org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternal handleMessage
> INFO: class org.apache.cxf.binding.soap.interceptor.Soap12FaultOutInterceptor$Soap12FaultOutInterceptorInternalapplication/soap+xml
> Jul 24, 2012 9:28:00 AM org.apache.cxf.services.SecurityTokenService.TransportUT_Port.STS
> INFO: Outbound Message
> ---------------------------
> ID: 1
> Response-Code: 500
> Encoding: UTF-8
> Content-Type: application/soap+xml
> Headers: {}
> Payload: soap:MustUnderstand alue>MustUnderstand headers: [{http://www.w3.org/2005/08/addressing}Action, {http://www.w3.org/2005/08/addressing}To] are not understood.
> --------------------------------------
>
>
> On Tue, Jul 24, 2012 at 8:58 AM, Gina Choi wrote:
>
>> Hi Colm,
>>
>> I would like to confirm that I understand you correctly. So, do we need to
>> add the following content to the Fediz STS wsdl file to issue a token? At
>> this point we are mostly interested in (at minimum) issuing a token. I am
>> not sure if we need the "Validate" operation to issue a RSTR.
>>
>> transport="http://schemas.xmlsoap.org/soap/http" />
>>
>> Thanks.
>>
>> Gina
>>
>> On Tue, Jul 24, 2012 at 6:34 AM, Colm O hEigeartaigh wrote:
>>
>>> You could use a SecurityPolicy that just requires a UsernameToken
>>> without a binding. For example see the policy "" starting on line 214:
>>>
>>> http://svn.apache.org/viewvc/cxf/trunk/systests/ws-security-examples/src/test/resources/org/apache/cxf/systest/wssec/examples/ut/DoubleItUt.wsdl?view=markup
>>>
>>> Of course, in practice one would combine a UsernameToken with the
>>> Transport binding to secure the message exchange...
>>>
>>> Colm.
>>>
>>> On Mon, Jul 23, 2012 at 4:41 PM, Sarafian wrote:
>>>
>>> > I have C# code that asks the STS for a token using username/password
>>> > credentials.
>>> > I'm using the UT or UTEncrypted endpoints but I get this error:
>>> >
>>> > These policy alternatives can not be satisfied:
>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}IncludeTimestamp:
>>> > Received Timestamp does not match the requirements
>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding:
>>> > Received Timestamp does not match the requirements
>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SignedParts:
>>> > {http://schemas.xmlsoap.org/soap/envelope/}Body not SIGNED
>>> > {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}EncryptedParts:
>>> > {http://schemas.xmlsoap.org/soap/envelope/}Body not ENCRYPTED
>>> >
>>> > Is there a way for the STS to be configured not to apply the above
>>> > policies?
>>> > Is there another endpoint for these kinds of things?
>>> >
>>> > I simply want to use a username/password credential combination to
>>> > request a security token.
>>> >
>>>
>>> --
>>> Colm O hEigeartaigh
>>>
>>> Talend Community Coder
>>> http://coders.talend.com