I have my client and service working without issue for Username tokens
use case and return SAML token from STS. But when I change my configuration
so that the STS accepts Binary Security Token of a custom value type, I am
getting the error: policy alternatives can not be satisfied SupportingTokens
The BST is of a custom value type since it holds an SMSESSION token
(Siteminder token) and the STS we are using (Layer 7) will validate the
SMSESSION and then return a SAML 2 token. Now the STSClient does call the
STS and it processes the request and returns the SAML 2 token in the
response as expected. But it throws this exception before calling the service.
I believe this has something to do with this warning I see in logs:
org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl.handleNoRegisteredBuilder(AssertionBuilderRegistryImpl.java:109)
WARN : No assertion builder for type
{http://schemas.hcsc.com/ws/securitypolicy}SmSessionToken registered.
ERROR:
WARN : Interceptor for
{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService#{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Issue
has thrown exception, unwinding now
org.apache.cxf.ws.policy.PolicyException: These policy alternatives can not
be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
at
org.apache.cxf.ws.policy.AssertionInfoMap.checkEffectivePolicy(AssertionInfoMap.java:179)
at
org.apache.cxf.ws.policy.PolicyVerificationInInterceptor.handle(PolicyVerificationInInterceptor.java:101)
at
org.apache.cxf.ws.policy.AbstractPolicyInterceptor.handleMessage(AbstractPolicyInterceptor.java:44)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.onMessage(ClientImpl.java:835)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponseInternal(HTTPConduit.java:1606)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleResponse(HTTPConduit.java:1502)
at
org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1309)
at
org.apache.cxf.io.CacheAndWriteOutputStream.postClose(CacheAndWriteOutputStream.java:50)
at org.apache.cxf.io.CachedOutputStream.close(CachedOutputStream.java:223)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:627)
at
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
at
org.apache.cxf.ws.security.trust.AbstractSTSClient.issue(AbstractSTSClient.java:759)
The supporting token in STS WSDL is defined as:
<wsp:Policy wsu:Id="BST_Policy">
<sp:SupportingTokens
xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
<wsp:Policy>
<hcsc:SmSessionToken
sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"
xmlns:hcsc="http://schemas.hcsc.com/ws/securitypolicy"/>
</wsp:Policy>
</sp:SupportingTokens>
</wsp:Policy>
This is what the incoming ws-trust message to STS looks like:
2014-04-29 22:18:25,603 [WebContainer : 1]
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269)
DEBUG : Invoking handleMessage on interceptor
org.apache.cxf.interceptor.BareOutInterceptor@1acf0376
2014-04-29 22:18:25,603 [WebContainer : 1]
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269)
DEBUG : Invoking handleMessage on interceptor
org.apache.cxf.ws.policy.PolicyVerificationOutInterceptor@58abd51a
2014-04-29 22:18:25,603 [WebContainer : 1]
org.apache.cxf.ws.policy.PolicyVerificationOutInterceptor.handle(PolicyVerificationOutInterceptor.java:72)
DEBUG : An exception was thrown when verifying that the effective policy
for this request was satisfied. However, this exception will not result in
a fault. The exception raised is: org.apache.cxf.ws.policy.PolicyException:
These policy alternatives can not be satisfied:
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
2014-04-29 22:18:25,613 [WebContainer : 1]
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269)
DEBUG : Invoking handleMessage on interceptor
org.apache.cxf.binding.soap.interceptor.SoapOutInterceptor$SoapOutEndingInterceptor@c88f07ad
2014-04-29 22:18:25,613 [WebContainer : 1]
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269)
DEBUG : Invoking handleMessage on interceptor
org.apache.cxf.interceptor.StaxOutEndingInterceptor@9e81798
2014-04-29 22:18:25,613 [WebContainer : 1]
org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:269)
DEBUG : Invoking handleMessage on interceptor
org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor@a1c14891
2014-04-29 22:18:25,613 [WebContainer : 1]
org.apache.cxf.interceptor.AbstractLoggingInterceptor.log(AbstractLoggingInterceptor.java:234)
INFO : Outbound Message
ID: 1
Address: http://mysts.dev.mycompany.com:8080/eaa_sts
Encoding: UTF-8
Http-Method: POST
Content-Type: application/soap+xml;
action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
Headers: {Accept=[*/*]}
Payload:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
<soap:Header>
<wsse:Security soap:mustUnderstand="true"
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext">
<wsse:BinarySecurityToken
xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/04/secext"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
ValueType="http://schemas.hcsc.com/ws/securitypolicy/token-profile#SMSESSION"
wsu:Id="SecurityToken">YwjtLDRg...</wsse:BinarySecurityToken>
</wsse:Security>
</soap:Header>
<soap:Body>
<wst:RequestSecurityToken
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<wst:SecondaryParameters>
<t:TokenType
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
<t:KeyType
xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
</wst:SecondaryParameters>
<wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
<wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
<wsa:Address>http://localhost:9084/myapp/services/AccountMaintenance</wsa:Address>
</wsa:EndpointReference>
</wsp:AppliesTo>
<wst:Renewing Allow="false"/>
</wst:RequestSecurityToken>
</soap:Body>
</soap:Envelope>
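The "No assertion builder for type ... SmSessionToken registered" warning and the "policy alternatives can not be satisfied: SupportingTokens" failure are the two symptoms CXF produces when its policy engine does not know a custom WS-SecurityPolicy assertion: nothing parses the element into an assertion, and nothing ever marks it (or the sp:SupportingTokens that wraps it) as asserted, so PolicyVerificationInInterceptor rejects the exchange even though the STS answered correctly. The following is an added example, not code from the question above or from CXF itself. It shows the standard CXF mechanism for teaching the policy engine a custom assertion: register an AssertionBuilder for the QName, and register a PolicyInterceptorProvider whose interceptors set the assertion (and, only in that case, the wrapping SupportingTokens) to asserted. It assumes the CXF 2.7-era API (package names and constructors as written), that the BinarySecurityToken is already written into the Security header by existing configuration (as the logged outbound message shows), and that the Bus passed to register() is the one handed to the STSClient. The class names SmSessionTokenPolicySupport, SmSessionTokenInterceptorProvider and AssertingInterceptor are the example's own.

```java
// Added example: make the CXF policy engine aware of the custom
// {http://schemas.hcsc.com/ws/securitypolicy}SmSessionToken assertion.
// Assumes CXF 2.7-era packages; class names below are the example's own.
import java.util.Arrays;
import java.util.Collection;
import javax.xml.namespace.QName;

import org.apache.cxf.Bus;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.policy.AbstractPolicyInterceptorProvider;
import org.apache.cxf.ws.policy.AssertionBuilderRegistry;
import org.apache.cxf.ws.policy.AssertionInfo;
import org.apache.cxf.ws.policy.AssertionInfoMap;
import org.apache.cxf.ws.policy.PolicyInterceptorProviderRegistry;
import org.apache.cxf.ws.policy.builder.primitive.PrimitiveAssertionBuilder;

public final class SmSessionTokenPolicySupport {

    /** The custom assertion as it appears in the STS WSDL policy. */
    public static final QName SM_SESSION_TOKEN =
        new QName("http://schemas.hcsc.com/ws/securitypolicy", "SmSessionToken");

    /** The SP 1.2 wrapper assertion named in the PolicyException. */
    public static final QName SUPPORTING_TOKENS =
        new QName("http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702",
                  "SupportingTokens");

    private SmSessionTokenPolicySupport() {}

    /** Call once, with the Bus the STSClient uses, before the first issue(). */
    public static void register(Bus bus) {
        // 1. Removes the "No assertion builder for type ... registered" warning:
        //    the element is parsed as a primitive (empty) assertion.
        AssertionBuilderRegistry builders = bus.getExtension(AssertionBuilderRegistry.class);
        builders.registerBuilder(new PrimitiveAssertionBuilder(Arrays.asList(SM_SESSION_TOKEN)));

        // 2. Whenever the effective policy contains either QName, attach the
        //    interceptors that mark the assertions as satisfied.
        PolicyInterceptorProviderRegistry providers =
            bus.getExtension(PolicyInterceptorProviderRegistry.class);
        providers.register(new SmSessionTokenInterceptorProvider());
    }

    static final class SmSessionTokenInterceptorProvider extends AbstractPolicyInterceptorProvider {
        SmSessionTokenInterceptorProvider() {
            super(Arrays.asList(SM_SESSION_TOKEN, SUPPORTING_TOKENS));
            AssertingInterceptor in = new AssertingInterceptor();
            AssertingInterceptor out = new AssertingInterceptor();
            getInInterceptors().add(in);        // response from the STS (where the
            getInFaultInterceptors().add(in);   // PolicyVerificationInInterceptor failed)
            getOutInterceptors().add(out);      // request carrying the BST
            getOutFaultInterceptors().add(out);
        }
    }

    /**
     * Marks SmSessionToken as asserted. SupportingTokens is marked only when the
     * SmSessionToken assertion is present in the same AssertionInfoMap, so the
     * WSS4J policy validators keep responsibility for every other SupportingTokens.
     */
    static final class AssertingInterceptor extends AbstractPhaseInterceptor<Message> {
        AssertingInterceptor() {
            super(Phase.PRE_PROTOCOL);
        }

        @Override
        public void handleMessage(Message message) throws Fault {
            AssertionInfoMap aim = message.get(AssertionInfoMap.class);
            if (aim == null) {
                return;
            }
            Collection<AssertionInfo> custom = aim.get(SM_SESSION_TOKEN);
            if (custom == null || custom.isEmpty()) {
                return; // this policy does not involve the SMSESSION token
            }
            for (AssertionInfo ai : custom) {
                ai.setAsserted(true);
            }
            Collection<AssertionInfo> wrappers = aim.get(SUPPORTING_TOKENS);
            if (wrappers != null) {
                for (AssertionInfo ai : wrappers) {
                    ai.setAsserted(true);
                }
            }
        }
    }
}
```

Setting an AssertionInfo to asserted is a statement to the policy engine, not a check: it tells CXF that this endpoint's requirement has been met, and verifies nothing about the token itself. With this in place the only party that validates the SMSESSION value is the STS, so the interceptor should stay this narrow (asserting SupportingTokens only when the custom token is part of the same policy) rather than blanket-asserting SupportingTokens for every endpoint on the bus.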