Hi,
I am trying to configure a simple STS that satisfies the requirements of BiPRO (a standard
for transferring insurance data) using Secure Conversation.
In the WSDL of the STS, BiPRO defines a policy like this for
username/password authentication:
<!-- BiPRO username/password alternative: a single <wsp:All> branch, so a request must
     satisfy BOTH the transport binding and the supporting UsernameToken below. The sp:
     and wsu: prefixes are not declared in this excerpt; presumably they are bound on an
     enclosing WSDL element. -->
<wsp:Policy wsu:Id="BiPROAuthSecurityPolicy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Transport binding: confidentiality and integrity come from the TLS channel;
           no XML Signature or XML Encryption is required at the message level. -->
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <!-- Server-authenticated HTTPS only; the client is not required to present a
                   certificate, so the UsernameToken is the sole client credential. A request
                   that does not arrive over TLS is not expected to satisfy this assertion. -->
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
        </wsp:Policy>
      </sp:TransportBinding>
      <!-- Plain SupportingTokens (not Signed/Endorsing): the UsernameToken travels in the
           wsse:Security header and is protected only by the transport. -->
      <sp:SupportingTokens>
        <wsp:Policy>
          <wsp:ExactlyOne>
            <wsp:All>
              <sp:UsernameToken wsu:Id="BiPROBasicToken"/>
            </wsp:All>
          </wsp:ExactlyOne>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Then I configured the service in cxf-servlet.xml like this:
...
<!-- STS entry point: a SecurityTokenServiceProvider that delegates the Issue, Validate and
     Cancel operations to the three operation beans below. -->
<bean id="mySTSProviderBean"
class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
<property name="issueSingleOperation" ref="transportIssueDelegate"/>
<property name="validateOperation" ref="transportValidateDelegate"/>
<property name="cancelOperation" ref="transportCancelDelegate"/>
</bean>
<!-- Issue: tokens are produced by transportTokenProviders (only the BiPRO SCT provider is
     registered), AppliesTo is checked against transportService, and issued tokens are kept
     in defaultTokenStore. returnReferences="false" presumably suppresses the
     Requested(Un)AttachedReference elements in the response; verify against the CXF docs. -->
<bean id="transportIssueDelegate"
class="org.apache.cxf.sts.operation.TokenIssueOperation">
<property name="tokenProviders" ref="transportTokenProviders"/>
<property name="services" ref="transportService"/>
<property name="stsProperties" ref="transportSTSProperties"/>
<property name="tokenStore" ref="defaultTokenStore"/>
<property name="returnReferences" value="false" />
</bean>
<!-- Validate: uses the SCT validator list below and shares the same token store and
     STS properties as Issue. -->
<bean id="transportValidateDelegate"
class="org.apache.cxf.sts.operation.TokenValidateOperation">
<property name="tokenProviders" ref="transportTokenProviders"/>
<property name="tokenValidators" ref="transportTokenValidators"/>
<property name="stsProperties" ref="transportSTSProperties"/>
<property name="tokenStore" ref="defaultTokenStore"/>
</bean>
<!-- Cancel: uses the SCT canceller list below; cancelled SCTs are looked up in the same store. -->
<bean id="transportCancelDelegate"
class="org.apache.cxf.sts.operation.TokenCancelOperation">
<property name="tokenCancellers" ref="transportTokenCancellers"/>
<property name="stsProperties" ref="transportSTSProperties"/>
<property name="tokenStore" ref="defaultTokenStore"/>
</bean>
<!-- Provider / validator / canceller lists: each holds exactly one SCT-specific bean, so the
     STS operations only deal with SecurityContextTokens. The UsernameToken in the request
     header is not handled by these lists; presumably it is checked by the endpoint's
     WS-Security layer (see the callback handler in jaxws:properties below). -->
<util:list id="transportTokenProviders">
<ref bean="transportSCTProvider"/>
</util:list>
<util:list id="transportTokenValidators">
<ref bean="transportSCTValidator"/>
</util:list>
<util:list id="transportTokenCancellers">
<ref bean="transportSCTCanceller"/>
</util:list>
<!-- Custom BiPRO SCT provider (class not shown in this excerpt). returnEntropy="false":
     presumably the STS does not echo its own Entropy in the response; confirm in the class. -->
<bean id="transportSCTProvider" class="sts.BiPROTokenProvider">
<property name="returnEntropy" value="false" />
</bean>
<bean id="transportSCTValidator"
class="org.apache.cxf.sts.token.validator.SCTValidator">
</bean>
<bean id="transportSCTCanceller"
class="org.apache.cxf.sts.token.canceller.SCTCanceller">
</bean>
<!-- Static service definition holding the AppliesTo addresses Issue will accept. -->
<bean id="transportService"
class="org.apache.cxf.sts.service.StaticService">
<property name="endpoints" ref="transportEndpoints"/>
</bean>
<!-- Allowed AppliesTo addresses, presumably matched as a regular expression.
     NOTE(review): the pattern only admits plain "http://localhost" URLs, so an https
     AppliesTo would not match, and "(\d)*" also accepts an empty port. Because </value>
     is on the following line, the configured string ends with a newline; confirm it is
     trimmed, or close the element on the same line. -->
<util:list id="transportEndpoints">
<value>http://localhost:(\d)*/doubleit/services/doubleit.*
</value>
</util:list>
<!-- In-memory token store shared by the three operations and, via jaxws:properties below,
     by the endpoint itself; presumably not persisted and not shared between JVMs. -->
<bean id="defaultTokenStore"
class="org.apache.cxf.sts.cache.DefaultInMemoryTokenStore">
</bean>
<!-- NOTE(review): encProperties is not referenced by any bean in this excerpt (the
     surrounding configuration is elided, see the "..." above). -->
<bean id="encProperties"
class="org.apache.cxf.sts.service.EncryptionProperties">
<property name="encryptionAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
</bean>
<!-- STS properties with nothing set: no signature or encryption crypto and no callback
     handler. Consistent with a transport binding, where TLS provides protection; revisit
     if the STS ever needs to sign issued tokens. -->
<bean id="transportSTSProperties"
class="org.apache.cxf.sts.StaticSTSProperties">
</bean>
<!-- SCT interceptors. The same out interceptor is attached to both the out and the
     out-fault chains of the endpoint. -->
<bean id="sctInterceptor"
class="org.apache.cxf.sts.interceptor.SCTInInterceptor"/>
<bean id="sctOutInterceptor"
class="org.apache.cxf.sts.interceptor.SCTOutInterceptor"/>
<!-- The STS endpoint, published at /STS with the BiPRO WSDL (so the policy above applies).
     ws-security.callback-handler names the class that supplies passwords for the
     UsernameToken check (class not shown); the TokenStore entry points the endpoint at the
     same defaultTokenStore the operations use.
     NOTE(review): transformFeature is referenced but not defined in this excerpt. -->
<jaxws:endpoint id="CXFSTS" implementor="#mySTSProviderBean"
address="/STS"
wsdlLocation="/WEB-INF/wsdl/bipro/SecurityTokenService-2.5.0.1.0.wsdl"
xmlns:ns1="http://www.bipro.net/namespace"
serviceName="ns1:SecurityTokenService_2.5.0.1.0"
endpointName="ns1:UserPasswordLogin">
<jaxws:inInterceptors>
<ref bean="sctInterceptor"/>
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref bean="sctOutInterceptor"/>
</jaxws:outInterceptors>
<jaxws:outFaultInterceptors>
<ref bean="sctOutInterceptor"/>
</jaxws:outFaultInterceptors>
<jaxws:properties>
<entry key="ws-security.callback-handler"
value="sts.PasswordCallbackHandler" />
<entry key="org.apache.cxf.ws.security.tokenstore.TokenStore">
<ref bean="defaultTokenStore"/>
</entry>
</jaxws:properties>
<jaxws:features>
<logging xmlns="http://cxf.apache.org/core" />
<ref bean="transformFeature" />
</jaxws:features>
</jaxws:endpoint>
If I try to access the service with a request containing username and password, I
get the message "*None of the policy alternatives can be satisfied.*"
The request:
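<!-- Issue request for a SecurityContextToken, authenticated by a UsernameToken in the
     wsse:Security header. The password is sent as #PasswordText, i.e. in clear inside the
     message, which the BiPRO policy tolerates only because its transport binding requires
     HTTPS. NOTE(review): one cause of "None of the policy alternatives can be satisfied"
     under such a policy is sending the request over plain http, which leaves the
     sp:HttpsToken assertion unmet; worth confirming the STS URL used is https.
     The Body and Envelope are closed with proper end tags here; the original excerpt
     had start tags in their place, so it was not well-formed. -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <soap:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <!-- The bipro: prefix declared here is not used by any element in the request. -->
      <wsse:UsernameToken
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:bipro="http://www.bipro.net/namespace">
        <wsse:Username>alice</wsse:Username>
        <!-- Standard WSS Username Token Profile 1.0 PasswordText type URI. -->
        <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">clarinet</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <!-- The wst prefix is rebound here to WS-Trust 1.3 (200512), shadowing the 2005/02
         binding on the Envelope, which is therefore unused.
         NOTE(review): TokenType is the 2005/02 WS-SecureConversation SCT URI while
         RequestType is WS-Trust 1.3; confirm the STS accepts this combination. -->
    <wst:RequestSecurityToken
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>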
What do I have to configure in cxf-servlet.xml to get this working? I cannot
change the WSDL, since it is the BiPRO standard.
Thanks for your response,
SRog
I am trying to configure a simple STS that satisfies the requirements of BiPRO (a standard
for transferring insurance data) using Secure Conversation.
In the WSDL of the STS, BiPRO defines a policy like this for
username/password authentication:
<!-- BiPRO username/password alternative: a single <wsp:All> branch, so a request must
     satisfy BOTH the transport binding and the supporting UsernameToken below. The sp:
     and wsu: prefixes are not declared in this excerpt; presumably they are bound on an
     enclosing WSDL element. -->
<wsp:Policy wsu:Id="BiPROAuthSecurityPolicy"
            xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <!-- Transport binding: confidentiality and integrity come from the TLS channel;
           no XML Signature or XML Encryption is required at the message level. -->
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <!-- Server-authenticated HTTPS only; the client is not required to present a
                   certificate, so the UsernameToken is the sole client credential. A request
                   that does not arrive over TLS is not expected to satisfy this assertion. -->
              <sp:HttpsToken RequireClientCertificate="false"/>
            </wsp:Policy>
          </sp:TransportToken>
        </wsp:Policy>
      </sp:TransportBinding>
      <!-- Plain SupportingTokens (not Signed/Endorsing): the UsernameToken travels in the
           wsse:Security header and is protected only by the transport. -->
      <sp:SupportingTokens>
        <wsp:Policy>
          <wsp:ExactlyOne>
            <wsp:All>
              <sp:UsernameToken wsu:Id="BiPROBasicToken"/>
            </wsp:All>
          </wsp:ExactlyOne>
        </wsp:Policy>
      </sp:SupportingTokens>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
Then I configured the service in cxf-servlet.xml like this:
...
<!-- STS entry point: a SecurityTokenServiceProvider that delegates the Issue, Validate and
     Cancel operations to the three operation beans below. -->
<bean id="mySTSProviderBean"
class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
<property name="issueSingleOperation" ref="transportIssueDelegate"/>
<property name="validateOperation" ref="transportValidateDelegate"/>
<property name="cancelOperation" ref="transportCancelDelegate"/>
</bean>
<!-- Issue: tokens are produced by transportTokenProviders (only the BiPRO SCT provider is
     registered), AppliesTo is checked against transportService, and issued tokens are kept
     in defaultTokenStore. returnReferences="false" presumably suppresses the
     Requested(Un)AttachedReference elements in the response; verify against the CXF docs. -->
<bean id="transportIssueDelegate"
class="org.apache.cxf.sts.operation.TokenIssueOperation">
<property name="tokenProviders" ref="transportTokenProviders"/>
<property name="services" ref="transportService"/>
<property name="stsProperties" ref="transportSTSProperties"/>
<property name="tokenStore" ref="defaultTokenStore"/>
<property name="returnReferences" value="false" />
</bean>
<!-- Validate: uses the SCT validator list below and shares the same token store and
     STS properties as Issue. -->
<bean id="transportValidateDelegate"
class="org.apache.cxf.sts.operation.TokenValidateOperation">
<property name="tokenProviders" ref="transportTokenProviders"/>
<property name="tokenValidators" ref="transportTokenValidators"/>
<property name="stsProperties" ref="transportSTSProperties"/>
<property name="tokenStore" ref="defaultTokenStore"/>
</bean>
<!-- Cancel: uses the SCT canceller list below; cancelled SCTs are looked up in the same store. -->
<bean id="transportCancelDelegate"
class="org.apache.cxf.sts.operation.TokenCancelOperation">
<property name="tokenCancellers" ref="transportTokenCancellers"/>
<property name="stsProperties" ref="transportSTSProperties"/>
<property name="tokenStore" ref="defaultTokenStore"/>
</bean>
<!-- Provider / validator / canceller lists: each holds exactly one SCT-specific bean, so the
     STS operations only deal with SecurityContextTokens. The UsernameToken in the request
     header is not handled by these lists; presumably it is checked by the endpoint's
     WS-Security layer (see the callback handler in jaxws:properties below). -->
<util:list id="transportTokenProviders">
<ref bean="transportSCTProvider"/>
</util:list>
<util:list id="transportTokenValidators">
<ref bean="transportSCTValidator"/>
</util:list>
<util:list id="transportTokenCancellers">
<ref bean="transportSCTCanceller"/>
</util:list>
<!-- Custom BiPRO SCT provider (class not shown in this excerpt). returnEntropy="false":
     presumably the STS does not echo its own Entropy in the response; confirm in the class. -->
<bean id="transportSCTProvider" class="sts.BiPROTokenProvider">
<property name="returnEntropy" value="false" />
</bean>
<bean id="transportSCTValidator"
class="org.apache.cxf.sts.token.validator.SCTValidator">
</bean>
<bean id="transportSCTCanceller"
class="org.apache.cxf.sts.token.canceller.SCTCanceller">
</bean>
<!-- Static service definition holding the AppliesTo addresses Issue will accept. -->
<bean id="transportService"
class="org.apache.cxf.sts.service.StaticService">
<property name="endpoints" ref="transportEndpoints"/>
</bean>
<!-- Allowed AppliesTo addresses, presumably matched as a regular expression.
     NOTE(review): the pattern only admits plain "http://localhost" URLs, so an https
     AppliesTo would not match, and "(\d)*" also accepts an empty port. Because </value>
     is on the following line, the configured string ends with a newline; confirm it is
     trimmed, or close the element on the same line. -->
<util:list id="transportEndpoints">
<value>http://localhost:(\d)*/doubleit/services/doubleit.*
</value>
</util:list>
<!-- In-memory token store shared by the three operations and, via jaxws:properties below,
     by the endpoint itself; presumably not persisted and not shared between JVMs. -->
<bean id="defaultTokenStore"
class="org.apache.cxf.sts.cache.DefaultInMemoryTokenStore">
</bean>
<!-- NOTE(review): encProperties is not referenced by any bean in this excerpt (the
     surrounding configuration is elided, see the "..." above). -->
<bean id="encProperties"
class="org.apache.cxf.sts.service.EncryptionProperties">
<property name="encryptionAlgorithm"
value="http://www.w3.org/2001/04/xmlenc#aes128-cbc"/>
</bean>
<!-- STS properties with nothing set: no signature or encryption crypto and no callback
     handler. Consistent with a transport binding, where TLS provides protection; revisit
     if the STS ever needs to sign issued tokens. -->
<bean id="transportSTSProperties"
class="org.apache.cxf.sts.StaticSTSProperties">
</bean>
<!-- SCT interceptors. The same out interceptor is attached to both the out and the
     out-fault chains of the endpoint. -->
<bean id="sctInterceptor"
class="org.apache.cxf.sts.interceptor.SCTInInterceptor"/>
<bean id="sctOutInterceptor"
class="org.apache.cxf.sts.interceptor.SCTOutInterceptor"/>
<!-- The STS endpoint, published at /STS with the BiPRO WSDL (so the policy above applies).
     ws-security.callback-handler names the class that supplies passwords for the
     UsernameToken check (class not shown); the TokenStore entry points the endpoint at the
     same defaultTokenStore the operations use.
     NOTE(review): transformFeature is referenced but not defined in this excerpt. -->
<jaxws:endpoint id="CXFSTS" implementor="#mySTSProviderBean"
address="/STS"
wsdlLocation="/WEB-INF/wsdl/bipro/SecurityTokenService-2.5.0.1.0.wsdl"
xmlns:ns1="http://www.bipro.net/namespace"
serviceName="ns1:SecurityTokenService_2.5.0.1.0"
endpointName="ns1:UserPasswordLogin">
<jaxws:inInterceptors>
<ref bean="sctInterceptor"/>
</jaxws:inInterceptors>
<jaxws:outInterceptors>
<ref bean="sctOutInterceptor"/>
</jaxws:outInterceptors>
<jaxws:outFaultInterceptors>
<ref bean="sctOutInterceptor"/>
</jaxws:outFaultInterceptors>
<jaxws:properties>
<entry key="ws-security.callback-handler"
value="sts.PasswordCallbackHandler" />
<entry key="org.apache.cxf.ws.security.tokenstore.TokenStore">
<ref bean="defaultTokenStore"/>
</entry>
</jaxws:properties>
<jaxws:features>
<logging xmlns="http://cxf.apache.org/core" />
<ref bean="transformFeature" />
</jaxws:features>
</jaxws:endpoint>
If I try to access the service with a request containing username and password, I
get the message "*None of the policy alternatives can be satisfied.*"
The request:
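<!-- Issue request for a SecurityContextToken, authenticated by a UsernameToken in the
     wsse:Security header. The password is sent as #PasswordText, i.e. in clear inside the
     message, which the BiPRO policy tolerates only because its transport binding requires
     HTTPS. NOTE(review): one cause of "None of the policy alternatives can be satisfied"
     under such a policy is sending the request over plain http, which leaves the
     sp:HttpsToken assertion unmet; worth confirming the STS URL used is https.
     The Body and Envelope are closed with proper end tags here; the original excerpt
     had start tags in their place, so it was not well-formed. -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
  <soap:Header>
    <wsse:Security
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <!-- The bipro: prefix declared here is not used by any element in the request. -->
      <wsse:UsernameToken
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:bipro="http://www.bipro.net/namespace">
        <wsse:Username>alice</wsse:Username>
        <!-- Standard WSS Username Token Profile 1.0 PasswordText type URI. -->
        <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">clarinet</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <!-- The wst prefix is rebound here to WS-Trust 1.3 (200512), shadowing the 2005/02
         binding on the Envelope, which is therefore unused.
         NOTE(review): TokenType is the 2005/02 WS-SecureConversation SCT URI while
         RequestType is WS-Trust 1.3; confirm the STS accepts this combination. -->
    <wst:RequestSecurityToken
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>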
What do I have to configure in cxf-servlet.xml to get this working? I cannot
change the WSDL, since it is the BiPRO standard.
Thanks for your response,
SRog