From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Where to put <sp:Timestamp> in WS-Policy for RST/SCT Issue Request with Timestamp?
Date Thu, 06 Feb 2014 09:36:56 GMT
The problem is that your business service WSDL has both a SymmetricBinding
+ a TransportBinding policy. What exactly are you trying to achieve?

Colm.


On Thu, Feb 6, 2014 at 9:28 AM, bob45 <fuchs1231@gmx.de> wrote:

> Hi Colm,
>
> I added the TransportBindings to the policies. That solved the timestamp
> issue!
> Now I receive another error due to a policy violation from the RST/SCT
> Issue
> call:
>
> WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for {http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken has thrown exception, unwinding now:
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}Layout
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding
>         at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
>
>
> Below you can see the policies and the request.
> Can you tell me why the policy verification fails? Is there a way to get
> more precise information from the DEBUG output to better understand why the
> request fails?
>
>
> Policy STS
>
>
>   <wsp:Policy wsu:Id="UT_policy">
>         <wsp:ExactlyOne>
>         <wsp:All>
>             <wsap10:UsingAddressing/>
>
>                         <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                                 <wsp:Policy>
>                                         <sp:TransportToken>
>                                                 <wsp:Policy>
>                                                         <sp:HttpsToken>
>
> <wsp:Policy />
>                                                         </sp:HttpsToken>
>                                                 </wsp:Policy>
>                                         </sp:TransportToken>
>                                         <sp:AlgorithmSuite>
>                                                 <wsp:Policy>
>                                                         <sp:Basic256 />
>                                                 </wsp:Policy>
>                                         </sp:AlgorithmSuite>
>                                         <sp:Layout>
>                                                 <wsp:Policy>
>                                                         <sp:Lax />
>                                                 </wsp:Policy>
>                                         </sp:Layout>
>                                         <sp:IncludeTimestamp />
>                                 </wsp:Policy>
>                         </sp:TransportBinding>
>
>                                 <sp:SupportingTokens
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                                         <wsp:Policy>
>                                                 <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                                         <wsp:Policy>
>                                                                 <sp:WssUsernameToken11/>
>                                                         </wsp:Policy>
>                                                 </sp:UsernameToken>
>                                         </wsp:Policy>
>                                 </sp:SupportingTokens>
>             <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                <wsp:Policy>
>                   <sp:MustSupportRefKeyIdentifier />
>                   <sp:MustSupportRefIssuerSerial />
>                   <sp:MustSupportRefThumbprint />
>                   <sp:MustSupportRefEncryptedKey />
>                </wsp:Policy>
>             </sp:Wss11>
>             <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                <wsp:Policy>
>                   <sp:MustSupportIssuedTokens />
>                   <sp:RequireClientEntropy />
>                   <sp:RequireServerEntropy />
>                </wsp:Policy>
>             </sp:Trust13>
>         </wsp:All>
>         </wsp:ExactlyOne>
>   </wsp:Policy>
>
>
> Policy business service
>
>
>    <wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>                xmlns:wsp="http://www.w3.org/ns/ws-policy"
>                xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>                xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>                xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>                xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>                xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>                xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>                xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>                wsu:Id="PoCAuthSecurityPolicy">
>       <wsp:ExactlyOne>
>          <wsp:All>
>            <wsap10:UsingAddressing/>
>
>                 <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                                 <wsp:Policy>
>                                         <sp:TransportToken>
>                                                 <wsp:Policy>
>                                                         <sp:HttpsToken>
>
> <wsp:Policy />
>                                                         </sp:HttpsToken>
>                                                 </wsp:Policy>
>                                         </sp:TransportToken>
>                                         <sp:AlgorithmSuite>
>                                                 <wsp:Policy>
>                                                         <sp:Basic256 />
>                                                 </wsp:Policy>
>                                         </sp:AlgorithmSuite>
>                                         <sp:Layout>
>                                                 <wsp:Policy>
>                                                         <sp:Lax />
>                                                 </wsp:Policy>
>                                         </sp:Layout>
>                                         <sp:IncludeTimestamp />
>                                 </wsp:Policy>
>                    </sp:TransportBinding>
>
>            <sp:SymmetricBinding>
>                 <wsp:Policy>
>                 <sp:ProtectionToken>
>                         <wsp:Policy>
>                         <sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                            <wsp:Policy>
>                                <sp:RequireDerivedKeys />
>                                <sp:BootstrapPolicy>
>                                    <wsp:Policy>
>                                        <sp:SymmetricBinding>
>                                            <wsp:Policy>
>                                                <sp:ProtectionToken>
>                                                    <wsp:Policy>
>
>
>                                                        <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                                            <sp:RequestSecurityTokenTemplate>
>                                                                <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
>                                                                <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
>                                                            </sp:RequestSecurityTokenTemplate>
>                                                            <wsp:Policy/>
>                                                            <sp:Issuer>
>                                                                <wsaw:Address>https://server:8443/sts</wsaw:Address>
>                                                                <wsaw:Metadata>
>                                                                    <wsam:ServiceName EndpointName="UT_Port">wst:SecurityTokenService</wsam:ServiceName>
>                                                                </wsaw:Metadata>
>                                                            </sp:Issuer>
>                                                        </sp:IssuedToken>
>                                                    </wsp:Policy>
>                                                </sp:ProtectionToken>
>                                                <sp:Layout>
>                                                    <wsp:Policy>
>                                                        <sp:Lax />
>                                                    </wsp:Policy>
>                                                </sp:Layout>
>                                                <sp:AlgorithmSuite>
>                                                    <wsp:Policy>
>                                                        <sp:Basic256 />
>                                                    </wsp:Policy>
>                                                </sp:AlgorithmSuite>
>                                            </wsp:Policy>
>                                        </sp:SymmetricBinding>
>                                    </wsp:Policy>
>                                </sp:BootstrapPolicy>
>                            </wsp:Policy>
>                        </sp:SecureConversationToken>
>                                         </wsp:Policy>
>                                 </sp:ProtectionToken>
>                 <sp:AlgorithmSuite>
>                    <wsp:Policy>
>                       <sp:Basic256/>
>                    </wsp:Policy>
>                 </sp:AlgorithmSuite>
>                         </wsp:Policy>
>                    </sp:SymmetricBinding>
>                    <sp:SignedParts>
>                 <sp:Body/>
>            </sp:SignedParts>
>            <sp:EncryptedElements>
>                 <sp:XPath>//*[local-name()='Data' and
> namespace-uri()='http://data']</sp:XPath>
>            </sp:EncryptedElements>
>          </wsp:All>
>       </wsp:ExactlyOne>
>    </wsp:Policy>
>
>
> SOAP Message with RST-Issue SCT
>
>
> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>             xmlns:a="http://www.w3.org/2005/08/addressing"
>             xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>    <s:Header>
>       <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</a:Action>
>
> <a:MessageID>urn:uuid:c4151332-8fe1-4111-a792-5bd668eb821e</a:MessageID>
>       <a:ReplyTo>
>
> <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
>       </a:ReplyTo>
>       <a:To s:mustUnderstand="1">https://192.168.1.47:8443/service</a:To>
>       <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>          <u:Timestamp u:Id="_0">
>             <u:Created>2014-02-06T09:06:20.795Z</u:Created>
>             <u:Expires>2014-02-06T09:11:20.795Z</u:Expires>
>          </u:Timestamp>
>          <xenc:EncryptedData Id="ED-17"
> Type="http://www.w3.org/2001/04/xmlenc#Element"
> xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
>             <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
>             <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>                <xenc:EncryptedKey
> Id="EK-B343A30ECED362416C139167757963318">
>                   <xenc:EncryptionMethod
> Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
>                   <ds:KeyInfo>
>                      <wsse:SecurityTokenReference xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>                         <ds:X509Data>
>                            <ds:X509IssuerSerial>
>
> <ds:X509IssuerName>CN=Company</ds:X509IssuerName>
>
> <ds:X509SerialNumber>556889307</ds:X509SerialNumber>
>                            </ds:X509IssuerSerial>
>                         </ds:X509Data>
>                      </wsse:SecurityTokenReference>
>                   </ds:KeyInfo>
>                   <xenc:CipherData>
>                      <xenc:CipherValue>WuARdO...</xenc:CipherValue>
>                   </xenc:CipherData>
>                </xenc:EncryptedKey>
>             </ds:KeyInfo>
>             <xenc:CipherData>
>                <xenc:CipherValue>2YYuHU0xZq5...</xenc:CipherValue>
>             </xenc:CipherData>
>          </xenc:EncryptedData>
>       </o:Security>
>    </s:Header>
>    <s:Body>
>       <trust:RequestSecurityToken
> xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>
>          <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>          <trust:Lifetime xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>            <wsu:Created>2014-01-28T12:33:24.835Z</wsu:Created>
>            <wsu:Expires>2014-01-28T12:38:24.835Z</wsu:Expires>
>          </trust:Lifetime>
>
>          <trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</trust:TokenType>
>          <trust:Entropy>
>             <trust:BinarySecret u:Id="uuid-ccb577a5-b787-4777-b52a-0387e70d5d34-1"
>                                 Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">M0TLwBNGSzOrJAeafQOsrA/Fl48woeeuKDxwnD8Iicc=</trust:BinarySecret>
>          </trust:Entropy>
>          <trust:KeySize>256</trust:KeySize>
>
>          <trust:ComputedKeyAlgorithm>http://docs.oasis-open.org/ws-sx/ws-trust/200512/CK/PSHA1</trust:ComputedKeyAlgorithm>
>          <trust:Renewing/>
>       </trust:RequestSecurityToken>
>    </s:Body>
> </s:Envelope>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Where-to-put-sp-Timestamp-in-WS-Policy-for-RST-SCT-Issue-Request-with-Timestamp-tp5739515p5739549.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
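Colm's diagnosis above is that a single wsp:All alternative in the business service policy carries both a TransportBinding and a SymmetricBinding, which WS-SecurityPolicy does not allow and which is why CXF reports the SymmetricBinding/ProtectionToken/Layout alternatives as unsatisfiable. The following Python lint is an added example, not code from this thread or from CXF: it walks a policy with the standard library XML parser and reports every alternative whose direct children name more than one binding assertion. The sample policies are constructed, modelled on the ones quoted in the post.

```python
import xml.etree.ElementTree as ET

SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://www.w3.org/ns/ws-policy"
# WS-SecurityPolicy allows at most one of these binding assertions per alternative.
BINDING_TAGS = {f"{{{SP}}}{n}" for n in
                ("TransportBinding", "SymmetricBinding", "AsymmetricBinding")}

def conflicting_bindings(policy_xml):
    """Return one list per alternative (wsp:All, or a bare wsp:Policy) whose direct
    children carry more than one binding assertion. Bindings nested deeper, such as
    the one inside an SCT BootstrapPolicy, belong to another policy and are skipped."""
    root = ET.fromstring(policy_xml.strip())
    conflicts = []
    for alt in root.iter():
        if alt.tag not in (f"{{{WSP}}}All", f"{{{WSP}}}Policy"):
            continue
        found = [c.tag.split("}")[1] for c in alt if c.tag in BINDING_TAGS]
        if len(found) > 1:
            conflicts.append(found)
    return conflicts

# Constructed sample modelled on the business-service policy in the post:
# TransportBinding and SymmetricBinding side by side in one wsp:All, with the
# SCT bootstrap SymmetricBinding nested below it (that one is not a conflict).
MIXED = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne><wsp:All>
    <sp:TransportBinding><wsp:Policy><sp:IncludeTimestamp/></wsp:Policy></sp:TransportBinding>
    <sp:SymmetricBinding><wsp:Policy><sp:ProtectionToken><wsp:Policy>
      <sp:SecureConversationToken><wsp:Policy><sp:BootstrapPolicy><wsp:Policy>
        <sp:SymmetricBinding><wsp:Policy/></sp:SymmetricBinding>
      </wsp:Policy></sp:BootstrapPolicy></wsp:Policy></sp:SecureConversationToken>
    </wsp:Policy></sp:ProtectionToken></wsp:Policy></sp:SymmetricBinding>
  </wsp:All></wsp:ExactlyOne>
</wsp:Policy>"""

# Constructed contrast: each binding in its own wsp:All, so a client commits to
# exactly one of them and no single alternative is over-constrained.
SEPARATED = f"""
<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <wsp:ExactlyOne>
    <wsp:All><sp:TransportBinding><wsp:Policy/></sp:TransportBinding></wsp:All>
    <wsp:All><sp:SymmetricBinding><wsp:Policy/></sp:SymmetricBinding></wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>"""

if __name__ == "__main__":
    print(conflicting_bindings(MIXED))      # [['TransportBinding', 'SymmetricBinding']]
    print(conflicting_bindings(SEPARATED))  # []
```

Run it against the policy element extracted from your WSDL; an empty result means every alternative names at most one binding, which is the precondition for CXF's policy verification to have a satisfiable alternative to pick.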
