cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Where to put <sp:Timestamp> in WS-Policy for RST/SCT Issue Request with Timestamp?
Date Wed, 05 Feb 2014 15:43:51 GMT
It should go in the BootstrapPolicy as a child of the SymmetricBinding
policy, e.g. after the sp:Layout assertion.

Colm.


On Wed, Feb 5, 2014 at 3:24 PM, bob45 <fuchs1231@gmx.de> wrote:

> Hi,
>
> I am trying to send a RST-Issue to my business service to get an SCT. The
> header contains a SAML bootstrap token. When I send the message without
> <u:Timestamp> in the security header everything works fine. But when I add
> the timestamp header the service complains:
>
> WARNING - PhaseInterceptorChain.doDefaultLogging(364) | Interceptor for
> {http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}SecureConversationTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/wsdl}RequestSecurityToken
> has thrown exception, unwinding now:
> org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}ProtectionToken
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SymmetricBinding: Received Timestamp does not match the requirements
>     at org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:167)
>     at org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
>     at org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
>
> Ok, that makes sense as the timestamp is not part of the service policy.
> So I tried to add <sp:IncludeTimestamp> at various places in the policy
> without effect.
> Please see the message and policy below.
>
> My question is where to put the <sp:IncludeTimestamp> in the policy to
> match the incoming message?
>
> Message (including timestamp header):
>
>
> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
>     xmlns:a="http://www.w3.org/2005/08/addressing"
>     xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>   <s:Header>
>     <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/SCT</a:Action>
>     <a:MessageID>urn:uuid:f878193d-b3b7-4b54-ba02-c11a01285348</a:MessageID>
>     <a:ReplyTo>
>       <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
>     </a:ReplyTo>
>     <a:To s:mustUnderstand="1">https://192.168.1.47:8443/businessservice/komposit</a:To>
>     <o:Security s:mustUnderstand="1"
>         xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>       <u:Timestamp u:Id="_0">
>         <u:Created>2014-02-05T15:02:02.694Z</u:Created>
>         <u:Expires>2014-02-05T15:07:02.694Z</u:Expires>
>       </u:Timestamp>
>       <xenc:EncryptedData Id="ED-4">
>         ENCRYPTED SAML TOKEN
>       </xenc:EncryptedData>
>     </o:Security>
>   </s:Header>
>   <s:Body>
>     <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <trust:TokenType>http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct</trust:TokenType>
>       <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
>       <trust:Entropy>
>         <trust:BinarySecret u:Id="uuid-c604a73d-5045-4b75-859f-778aefc62d70-1"
>             Type="http://docs.oasis-open.org/ws-sx/ws-trust/200512/Nonce">8Ae+h7iuAVGlxCOH5FtdIu0NPI+R52AtdtVecEPIGBA=</trust:BinarySecret>
>       </trust:Entropy>
>       <trust:KeySize>256</trust:KeySize>
>     </trust:RequestSecurityToken>
>   </s:Body>
> </s:Envelope>
>
> WS-Policy:
>
>
> <wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>     xmlns:wsp="http://www.w3.org/ns/ws-policy"
>     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>     xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>     xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>     xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
>     xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>     wsu:Id="PoCAuthSecurityPolicy">
>   <wsp:ExactlyOne>
>     <wsp:All>
>       <wsap10:UsingAddressing />
>       <sp:SymmetricBinding>
>         <wsp:Policy>
>           <sp:ProtectionToken>
>             <wsp:Policy>
>               <sp:SecureConversationToken
>                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                 <wsp:Policy>
>                   <sp:RequireDerivedKeys />
>                   <sp:BootstrapPolicy>
>                     <wsp:Policy>
>                       <sp:SymmetricBinding>
>                         <wsp:Policy>
>                           <sp:ProtectionToken>
>                             <wsp:Policy>
>                               <sp:IssuedToken
>                                   sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                 <sp:RequestSecurityTokenTemplate>
>                                   <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
>                                   <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
>                                 </sp:RequestSecurityTokenTemplate>
>                                 <wsp:Policy>
>                                 </wsp:Policy>
>                                 <sp:Issuer>
>                                   <wsaw:Address>http://localhost:8080/sts/sts</wsaw:Address>
>                                   <wsaw:Metadata>
>                                     <wsam:ServiceName EndpointName="UT_Port">wst:SecurityTokenService</wsam:ServiceName>
>                                   </wsaw:Metadata>
>                                 </sp:Issuer>
>                               </sp:IssuedToken>
>                             </wsp:Policy>
>                           </sp:ProtectionToken>
>                           <sp:Layout>
>                             <wsp:Policy>
>                               <sp:Lax />
>                             </wsp:Policy>
>                           </sp:Layout>
>                           <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                               <sp:Basic256 />
>                             </wsp:Policy>
>                           </sp:AlgorithmSuite>
>                         </wsp:Policy>
>                       </sp:SymmetricBinding>
>                       <sp:Wss11>
>                         <wsp:Policy>
>                           <sp:MustSupportRefIssuerSerial />
>                           <sp:MustSupportRefThumbprint />
>                           <sp:MustSupportRefEncryptedKey />
>                         </wsp:Policy>
>                       </sp:Wss11>
>                       <sp:Trust13>
>                         <wsp:Policy>
>                           <sp:MustSupportIssuedTokens />
>                           <sp:RequireClientEntropy />
>                           <sp:RequireServerEntropy />
>                         </wsp:Policy>
>                       </sp:Trust13>
>                     </wsp:Policy>
>                   </sp:BootstrapPolicy>
>                 </wsp:Policy>
>               </sp:SecureConversationToken>
>             </wsp:Policy>
>           </sp:ProtectionToken>
>           <sp:AlgorithmSuite>
>             <wsp:Policy>
>               <sp:Basic256 />
>             </wsp:Policy>
>           </sp:AlgorithmSuite>
>         </wsp:Policy>
>       </sp:SymmetricBinding>
>     </wsp:All>
>   </wsp:ExactlyOne>
> </wsp:Policy>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
