Using CXF with Ws-Trust

Using CXF with Ws-Trust

Leonardo Battagli

Hi all,

I am trying to use CXF with ws-trust and I am trying to use it with simple java code without Spring.

I have the policy configuration with sp:SignedSupportingTokens and sp:UsernameToken, but after setting the property on the STSClient and putting it in the Bus, what I have is an empty body (</wsa:Action></soap:Header><soap:Body/></soap:Envelope).

Output message has been logged with LoggingInterceptor.

The STS service I am sending it to is answering that RST is missing (<env:Text xml:lang="en">The required element wst:RequestSecurityToken is missing</env:Text>)

I configured the STSClient on the bus and I set it with its property (ws-security.sts.client) but how can I dig out why this STSClient does not get called ?

Is it possible to use CXF Ws-Trust support without Spring ? I can't understand what is missing

I am attaching URL of XValueSTS JunitTest.

https://github.com/Leonets/XValueSTS.git

GitHub project contains WSDL of the server, URI of the server is not available because it is on a private VPN.

Best Regards

Leonardo

--

Leonardo Battagli
IT Solution
Direzione PAC/Sanità
[hidden email]

Engineering Ingegneria Informatica SpA
Via Torre degli Agli, 48 - I- 50144 Firenze - ITALY
Tel. +39-055.4365454
Interno 5454
Mobile +39-

www.eng.it


Re: Using CXF with Ws-Trust

coheigea
Administrator
Hi Leonardo,

Here is an example of a system test in CXF that uses the STSClient, rather
than configuring it in Spring, perhaps this might help you:

https://github.com/apache/cxf/blob/fc89f35c1f80863d8500eef359ba6259fac49e44/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/template/TemplateTest.java#L124

Colm.

On Mon, Jan 20, 2020 at 4:27 PM Leonardo Battagli <[hidden email]>
wrote:

> Hi all,
>
> I am trying to use CXF with ws-trust and I am trying to use it with simple
> java code without Spring.
>
> I have the policy configuration with sp:SignedSupportingTokens and
> sp:UsernameToken, but after setting the property on the STSClient and putting
> it in the Bus, what I have is an empty body
> (</wsa:Action></soap:Header><soap:Body/></soap:Envelope).
>
> Output message has been logged with LoggingInterceptor.
>
> The STS service I am sending it to is answering that RST is missing
> (<env:Text xml:lang="en">The required element wst:RequestSecurityToken is
> missing</env:Text>)
>
> I configured the STSClient on the bus and I set it with its property
> (ws-security.sts.client) but how can I dig out why this STSClient does not
> get called ?
>
> Is it possible to use CXF Ws-Trust support without Spring ? I can't
> understand what is missing
>
> I am attaching URL of XValueSTS JunitTest.
>
> https://github.com/Leonets/XValueSTS.git
>
> GitHub project contains WSDL of the server, URI of the server is not
> available because it is on a private VPN.
>
> Best Regards
>
> Leonardo

Re: Using CXF with Ws-Trust

Leonardo Battagli
Hi Colm,

I tried the unit test you are referring to, then I added my operation/port type/binding to the WSDL they are using (double.wsdl) and added a new method to try it, but the result is the same (the output message body comes out empty).

One difference I can look at is the securityPolicy.

My test contains 'usernameToken'

            <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
               <wsp:Policy>
                  <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
               </wsp:Policy>
            </sp:SignedSupportingTokens>

while the others contain a policy with the inner tag 'RSTTemplate'

                <sp:SignedEndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
                    <wsp:Policy>
                        <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                            <sp:RequestSecurityTokenTemplate>
                                <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
                                <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
                            </sp:RequestSecurityTokenTemplate>
                            <wsp:Policy>
                                <sp:RequireInternalReference/>
                            </wsp:Policy>
                        </sp:IssuedToken>
                    </wsp:Policy>
                </sp:SignedEndorsingSupportingTokens>

Could this perhaps be the cause of the null body?

Leonardo


On 29/01/2020 11:43, Colm O hEigeartaigh wrote:

> Hi Leonardo,
>
> Here is an example of a system test in CXF that uses the STSClient, rather
> than configuring it in Spring, perhaps this might help you:
>
> https://github.com/apache/cxf/blob/fc89f35c1f80863d8500eef359ba6259fac49e44/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/template/TemplateTest.java#L124
>
> Colm.

Re: Using CXF with Ws-Trust

coheigea
Administrator
Hi Leonardo,

You need an IssuedToken policy in the normal use-case. The other solution
is to manually use STSClient to get a token from the STS and manually
append it to the headers of the request.

Colm.

On Thu, Jan 30, 2020 at 3:20 PM Leonardo Battagli <[hidden email]>
wrote:

> Hi Colm,
>
> I tried the unit test you are referring to, then I added my operation/port
> type/binding to the WSDL they are using (double.wsdl) and added a new
> method to try it, but the result is the same (the output message body comes
> out empty).
>
> One difference I can look at is the securityPolicy.
>
> My test contains 'usernameToken'
>
>             <sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                <wsp:Policy>
>                   <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
>                </wsp:Policy>
>             </sp:SignedSupportingTokens>
>
> while the others contain a policy with the inner tag 'RSTTemplate'
>
>                 <sp:SignedEndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
>                     <wsp:Policy>
>                         <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                             <sp:RequestSecurityTokenTemplate>
>                                 <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
>                                 <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</t:KeyType>
>                             </sp:RequestSecurityTokenTemplate>
>                             <wsp:Policy>
>                                 <sp:RequireInternalReference/>
>                             </wsp:Policy>
>                         </sp:IssuedToken>
>                     </wsp:Policy>
>                 </sp:SignedEndorsingSupportingTokens>
>
> Could this perhaps be the cause of the null body?
>
> Leonardo
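
An added example, not part of any post in this thread and not CXF code: a JDK-only check that lists the token assertions in a policy fragment, so you can see whether it contains the sp:IssuedToken that, per the reply above, is needed in the normal use-case. The class name PolicyTokenCheck and the sample XML (the UsernameToken policy from the thread with its prefixes declared) are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

// Added example (hypothetical class name): lists the token assertions in a policy.
public class PolicyTokenCheck {
    // The two WS-SecurityPolicy namespaces that appear in this thread.
    static final String[] SP_NS = {
        "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy",
        "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" };

    static List<String> tokenAssertions(String policyXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Policy files are input too: refuse DOCTYPEs so the check is not exposed to XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(
            new ByteArrayInputStream(policyXml.getBytes(StandardCharsets.UTF_8)));
        List<String> found = new ArrayList<>();
        for (String ns : SP_NS) {
            for (String name : new String[] {"UsernameToken", "IssuedToken"}) {
                NodeList nodes = doc.getElementsByTagNameNS(ns, name);
                for (int i = 0; i < nodes.getLength(); i++) {
                    StringBuilder sb = new StringBuilder(name);
                    // An IssuedToken carries the template for the RST sent to the STS.
                    NodeList tmpl = ((Element) nodes.item(i))
                        .getElementsByTagNameNS(ns, "RequestSecurityTokenTemplate");
                    NodeList kids = tmpl.getLength() > 0 ? tmpl.item(0).getChildNodes() : tmpl;
                    for (int k = 0; k < kids.getLength(); k++) {
                        if (kids.item(k) instanceof Element) {
                            sb.append(' ').append(kids.item(k).getLocalName())
                              .append('=').append(kids.item(k).getTextContent().trim());
                        }
                    }
                    found.add(sb.toString());
                }
            }
        }
        return found;
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: the UsernameToken policy from the thread, prefixes declared.
        String xml = "<sp:SignedSupportingTokens xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy'"
            + " xmlns:sp='" + SP_NS[0] + "'>"
            + "<wsp:Policy><sp:UsernameToken/></wsp:Policy></sp:SignedSupportingTokens>";
        System.out.println("Token assertions: " + tokenAssertions(xml));
    }
}
```

A result with no IssuedToken entry matches the first policy in the thread; running the same check on the second policy lists IssuedToken together with the TokenType and KeyType from its RequestSecurityTokenTemplate.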