cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Morein, Arnie" <Arnold.Mor...@dps.texas.gov>
Subject RE: [EXTERNAL] Re: Problem calling WCF MS service with security
Date Thu, 16 Feb 2017 18:41:50 GMT
Well, I looked in the WSDL and found:

<wsdl:port
            name="wsHttpEndPoint"
            binding="tns:wsHttpEndPoint"

at the bottom for the authentication service which I updated to:

    <jaxws:client id="aamva-authentication"
        name="{http://aamva.org/authentication/3.1.0}wsHttpEndPoint"
        createdFromAPI="true" 
    >

So I changed it. But still getting the same errors:

Feb16 12:20:16.425 WARN [PhaseInterceptorChain         ][::] - Interceptor for {http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}SecurityTokenService#{http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}RequestSecurityToken
has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Security configuration could not be detected. Potential
cause: Make sure jaxws:client element with name attribute value matching endpoint port is
defined as well as a security.signature.properties element within it.
...
Feb16 12:20:16.476 WARN [PhaseInterceptorChain         ][::] - Interceptor for {http://aamva.org/authentication/3.1.0}AuthenticationService#{http://aamva.org/authentication/3.1.0}Authenticate
has thrown exception, unwinding now
org.apache.cxf.interceptor.Fault: Security configuration could not be detected. Potential
cause: Make sure jaxws:client element with name attribute value matching endpoint port is
defined as well as a security.signature.properties element within it.

Even after setting up a client for the SecurityTokenService:

    <jaxws:client id="aamva-security-token-service"
        name="{http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}SecurityTokenService"
        createdFromAPI="true" 
    >
        <jaxws:properties>
            <entry
                key="ws-security.signature.properties"
                value="/META-INF/cxf/client-crypto.properties" />
            <entry
                key="ws-security.encryption.properties"
                value="/META-INF/cxf/client-crypto.properties" />
        </jaxws:properties>
    </jaxws:client>

That URL to the WSDL isn't valid any more so I'm not sure what the port name should actually
be. 

Nor do I understand why this is necessary. I thought this stuff was supposed to be automatic?

-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org] 
Sent: Thursday, February 16, 2017 10:46 AM
To: users@cxf.apache.org
Subject: [EXTERNAL] Re: Problem calling WCF MS service with security

Answer inline.

On Thu, Feb 16, 2017 at 2:02 PM, Morein, Arnie <Arnold.Morein@dps.texas.gov>
wrote:

> And that is part of the confusion. What is meant by PORT NAME?
>

The Port name in the WSDL. For example, from the ws-security-examples, system tests:

 <jaxws:client name="{
http://www.example.org/contract/DoubleIt}DoubleItPlaintextPort"
createdFromAPI="true">

matches the WSDL port:

<wsdl:port name="DoubleItPlaintextPort"
binding="tns:DoubleItPlaintextBinding">

You can use wildcards as well I believe to match multiple ports.

Colm.


>
> The Interface? I have tried:
>
> { http://aamva.org/authentication/3.1.0} IAuthenticationService
>
> And  the implementation (extends Service):
>
> { http://aamva.org/authentication/3.1.0} AuthenticationService
>
> Neither matches. What else could it be?
>
> I CERTAINLY hope that these jaxws:client constructs are NOT supposed 
> to be every METHOD in the server?!
>
> -----Original Message-----
> From: Morein, Arnie [mailto:Arnold.Morein@dps.texas.gov]
> Sent: Wednesday, February 15, 2017 4:29 PM
> To: users@cxf.apache.org
> Subject: [EXTERNAL] Problem calling WCF MS service with security
>
> I have to consume a web service that was written in .Net and requires 
> the security policies listed below. We develop in Java to a WAR. I 
> created a separate project for the WSDL's Java stubs using Maven's 
> cxf-codegen-plugin (3.1.10). It was added to the main WAR project and 
> compiles fine. But during initial access to the service, a CXF error occurs.
>
> The manual which came with the WSDL had the following to say about the 
> security features in use:
>
>
> Transport Layer Security
>
> Third party X.509 certificate and Tokens Client X.509 certificate
>
> We received a file from the vendor which was converted into a JKS. It 
> has two trustedCertEntry entries and one private key of X.509 type.
>
> As I understand the manual, the service does not use the user 
> name/password type of WS security. All traffic goes over HTTPS of 
> course, and the certificate is supposed to be used to encrypt the 
> message content both coming and going.
>
> I have tried to configure the necessary values for CXF to work but 
> always get the same error:
>
> Caused by: org.apache.cxf.ws.policy.PolicyException: Security 
> configuration could not be detected. Potential cause: Make sure 
> jaxws:client element with name attribute value matching endpoint port 
> is defined as well as a security.signature.properties element within it.
>
> I have tried setting the necessary (AFAIK) properties via API and 
> Spring XML configuration to no avail.
>
> I would greatly appreciate some guidance as to what CXF is looking for 
> (and where the file is supposed to be if configuration). Currently I 
> have the client-crypto.properties file under /WEB-INF/cxf along with 
> the jks file. Its contents:
>
> org.apache.ws.security.crypto.merlin.keystore.file=/WEB-INF/
> cxf/dlsKeystore.jks
> org.apache.ws.security.crypto.merlin.keystore.type=JKS
> org.apache.ws.security.crypto.merlin.keystore.alias=1
> org.apache.ws.security.crypto.merlin.keystore.password=****
> org.apache.ws.security.crypto.merlin.keystore.private.password=****
> org.apache.ws.security.crypto.merlin.truststore.file=/WEB-
> INF/cxf/dlsKeystore.jks
> org.apache.ws.security.crypto.merlin.truststore.type=JKS
> org.apache.ws.security.crypto.merlin.truststore.password=****
>
> Things I have tried setting via API:
>
> // set up ws-security
> /*HashMap<String, Object> crytoProperties = new HashMap<String, 
> Object>(); 
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.fil
> e", KEYSTORE_FILE); 
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.typ
> e", "JKS"); 
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.ali
> as", KEYSTORE_KEY_ALIAS); 
> crytoProperties.put("org.apache.ws.security.crypto.merlin.keystore.pas
> sword", KEYSTORE_PASSWORD); 
> crytoProperties.put("org.apache.ws.security.crypto.
> merlin.keystore.private.password", KEYSTORE_KEY_PASSWORD);
>
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.f
> ile", KEYSTORE_FILE); 
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.t
> ype", "JKS"); 
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.p
> assword", KEYSTORE_PASSWORD); 
> crytoProperties.put("org.apache.ws.security.crypto.merlin.truststore.a
> lias",
> KEYSTORE_KEY_ALIAS);
>
> Map<String, Object> ctx = ((BindingProvider) 
> port).getRequestContext(); ctx.putAll(crytoProperties);*/
>
> // activate ws-security
> /*org.apache.cxf.endpoint.Client client = 
> (org.apache.cxf.endpoint.Client) port; 
> org.apache.cxf.endpoint.Endpoint endpoint = client.getEndpoint();*/
>
> // add intercepters
> /*HashMap<String, Object> inProps = new HashMap<String, Object>(); 
> inProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS); 
> inProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS); 
> inProps.put(WSHandlerConstants.SIG_PROP_FILE, WSS4J_PROPERTIES); 
> inProps.put(WSHandlerConstants.ENC_PROP_FILE, WSS4J_PROPERTIES);
>
> endpoint.getInInterceptors().add(new WSS4JOutInterceptor(inProps)); 
> endpoint.getInInterceptors().add(new LoggingInInterceptor());
>
> HashMap<String, Object> outProps = new HashMap<String, Object>(); 
> outProps.put(WSHandlerConstants.SIG_KEY_ID, KEYSTORE_KEY_ALIAS); 
> outProps.put(WSHandlerConstants.ENC_KEY_ID, KEYSTORE_KEY_ALIAS); 
> outProps.put(WSHandlerConstants.ACTION, WSHandlerConstants.TIMESTAMP
>        + " " +  WSHandlerConstants.SIGNATURE + " " + 
> WSHandlerConstants.ENCRYPT); 
> outProps.put(WSHandlerConstants.SIG_PROP_FILE,
> WSS4J_PROPERTIES); outProps.put(WSHandlerConstants.ENC_PROP_FILE,
> WSS4J_PROPERTIES);
>
> outProps.put(WSHandlerConstants.PW_CALLBACK_REF,
> "txdps.dl.bpr.common.business.VlsCxfKeystorePasswordCallback");
>
> endpoint.getOutInterceptors().add(new WSS4JOutInterceptor(outProps)); 
> endpoint.getOutInterceptors().add(new LoggingOutInterceptor());*/
>
> // set options
> /*HTTPConduit httpConduit = (HTTPConduit) ClientProxy.getClient(port).
> getConduit();
> final HTTPClientPolicy httpClientPolicy = httpConduit.getClient(); 
> httpClientPolicy.setAllowChunking(false); // MS does not support 
> httpClientPolicy.setAutoRedirect(true); // hopefully httpClientPolicy.
> setConnection(ConnectionType.KEEP_ALIVE); // maybe
>
> TLSClientParameters tlsCP = new TLSClientParameters(); String 
> keyPassword = KEYSTORE_PASSWORD; KeyStore keyStore = 
> KeyStore.getInstance("JKS"); Resource aamvaJks = 
> applicationContext.getResource(KEYSTORE_FILE);
>
> keyStore.load(aamvaJks.getInputStream(), 
> KEYSTORE_PASSWORD.toCharArray()); KeyManager[] myKeyManagers = 
> getKeyManagers(keyStore, keyPassword); 
> tlsCP.setKeyManagers(myKeyManagers);
>
> KeyStore trustStore = KeyStore.getInstance("JKS"); aamvaJks = 
> applicationContext.getResource(KEYSTORE_FILE);
> trustStore.load(aamvaJks.getInputStream(), 
> KEYSTORE_PASSWORD.toCharArray()); TrustManager[] 
> myTrustStoreKeyManagers = getTrustManagers(trustStore); 
> tlsCP.setTrustManagers(myTrustStoreKeyManagers);
> httpConduit.setTlsClientParameters(tlsCP);*/
>
> Things I have tried setting via configuration (there are actually two 
> WSDLs compiled into one external jar).
>
>     <!-- ********************************************************* -->
>     <!-- * Configure the CXF Bus * -->
>     <!-- ********************************************************* -->
>     <import resource="classpath:META-INF/cxf/cxf.xml" />
>     <cxf:bus>
>         <cxf:features>
>             <p:policies />
>             <cxf:logging />
>         </cxf:features>
>     </cxf:bus>
>     <jaxws:client id="aamva-authentication"
>         
> name="{http://aamva.org/authentication/3.1.0}AuthenticationService
> "
>         createdFromAPI="true"
>     >
>         <jaxws:properties>
>             <entry
>                 key="ws-security.signature.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>             <entry
>                 key="ws-security.encryption.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>         </jaxws:properties>
>     </jaxws:client>
>     <jaxws:client id="aamva-vls3"
>         name="{http://uscis.gov/uscis/services/esb/vls/3.0}
> VerificationOfLawfulStatusService30"
>         createdFromAPI="true"
>     >
>         <jaxws:properties>
>             <entry
>                 key="ws-security.signature.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>             <entry
>                 key="ws-security.encryption.properties"
>                 value="/WEB-INF/cxf/client-crypto.properties" />
>         </jaxws:properties>
>     </jaxws:client>
>
> WSDL policies:
>
>     <wsp:Policy wsu:Id="wsHttpEndPoint_policy">
>         <wsp:ExactlyOne>
>             <wsp:All>
>                 <sp:TransportBinding
>                     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/
> securitypolicy"
>                 >
>                     <wsp:Policy>
>                         <sp:TransportToken>
>                             <wsp:Policy>
>                                 <sp:HttpsToken
>                                     RequireClientCertificate="false" />
>                             </wsp:Policy>
>                         </sp:TransportToken>
>                         <sp:AlgorithmSuite>
>                             <wsp:Policy>
>                                 <sp:Basic256 />
>                             </wsp:Policy>
>                         </sp:AlgorithmSuite>
>                         <sp:Layout>
>                             <wsp:Policy>
>                                 <sp:Strict />
>                             </wsp:Policy>
>                         </sp:Layout>
>                         <sp:IncludeTimestamp />
>                     </wsp:Policy>
>                 </sp:TransportBinding>
>                 <sp:EndorsingSupportingTokens
>                     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/
> securitypolicy"
>                 >
>                     <wsp:Policy>
>                         <sp:SecureConversationToken
>                             sp:IncludeToken="http:// 
> schemas.xmlsoap.org/ws/2005/07/securitypolicy/
> IncludeToken/AlwaysToRecipient"
>                         >
>                             <wsp:Policy>
>                                 <sp:BootstrapPolicy>
>                                     <wsp:Policy>
>                                         <sp:SignedParts>
>                                             <sp:Body />
>                                             <sp:Header
>                                                 Name="To"
>                                                 Namespace="
> http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header
>                                                 Name="From"
>                                                 Namespace="
> http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header
>                                                 Name="FaultTo"
>                                                 Namespace="
> http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header
>                                                 Name="ReplyTo"
>                                                 Namespace="
> http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header
>                                                 Name="MessageID"
>                                                 Namespace="
> http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header
>                                                 Name="RelatesTo"
>                                                 Namespace="
> http://www.w3.org/2005/08/addressing" />
>                                             <sp:Header
>                                                 Name="Action"
>                                                 Namespace="
> http://www.w3.org/2005/08/addressing" />
>                                         </sp:SignedParts>
>                                         <sp:EncryptedParts>
>                                             <sp:Body />
>                                         </sp:EncryptedParts>
>                                         <sp:TransportBinding>
>                                             <wsp:Policy>
>                                                 <sp:TransportToken>
>                                                     <wsp:Policy>
>                                                         <sp:HttpsToken
>
> RequireClientCertificate="false" />
>                                                     </wsp:Policy>
>                                                 </sp:TransportToken>
>                                                 <sp:AlgorithmSuite>
>                                                     <wsp:Policy>
>                                                         <sp:Basic256 />
>                                                     </wsp:Policy>
>                                                 </sp:AlgorithmSuite>
>                                                 <sp:Layout>
>                                                     <wsp:Policy>
>                                                         <sp:Strict />
>                                                     </wsp:Policy>
>                                                 </sp:Layout>
>                                                 <sp:IncludeTimestamp />
>                                             </wsp:Policy>
>                                         </sp:TransportBinding>
>                                         <sp:EndorsingSupportingTokens>
>                                             <wsp:Policy>
>                                                 <sp:X509Token
>                                                     sp:IncludeToken="
> http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/
> IncludeToken/AlwaysToRecipient"
>                                                 >
>                                                     <wsp:Policy>
>
> <sp:RequireThumbprintReference />
>
> <sp:WssX509V3Token10 />
>                                                     </wsp:Policy>
>                                                 </sp:X509Token>
>                                                 <sp:SignedParts>
>                                                     <sp:Header
>                                                         Name="To"
>                                                         Namespace="
> http://www.w3.org/2005/08/addressing" />
>                                                 </sp:SignedParts>
>                                             </wsp:Policy>
>                                         </sp:EndorsingSupportingTokens>
>                                         <sp:Wss11>
>                                             <wsp:Policy>
>
> <sp:MustSupportRefThumbprint />
>                                             </wsp:Policy>
>                                         </sp:Wss11>
>                                         <sp:Trust10>
>                                             <wsp:Policy>
>
> <sp:MustSupportIssuedTokens />
>                                                 <sp:RequireClientEntropy />
>                                                 <sp:RequireServerEntropy />
>                                             </wsp:Policy>
>                                         </sp:Trust10>
>                                     </wsp:Policy>
>                                 </sp:BootstrapPolicy>
>                             </wsp:Policy>
>                         </sp:SecureConversationToken>
>                     </wsp:Policy>
>                 </sp:EndorsingSupportingTokens>
>                 <sp:Wss11 
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/
> securitypolicy">
>                     <wsp:Policy />
>                 </sp:Wss11>
>                 <sp:Trust10
>                     xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/
> securitypolicy"
>                 >
>                     <wsp:Policy>
>                         <sp:MustSupportIssuedTokens />
>                         <sp:RequireClientEntropy />
>                         <sp:RequireServerEntropy />
>                     </wsp:Policy>
>                 </sp:Trust10>
>                 <wsaw:UsingAddressing />
>             </wsp:All>
>         </wsp:ExactlyOne>
>     </wsp:Policy>
>
>
>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Mime
View raw message