Dennis,

Thank-you.

John

On Fri, Dec 24, 2010 at 7:49 PM, Dennis Sosnoski <[email protected]> wrote:

> The SslContextToken part of the policy is a Microsoft-defined extension
> to the standard which is not widely (or at all?) supported by Java
> stacks. It provides a way for the client to get a server certificate at
> the time of setting up a connection, rather than having it in advance in
> a truststore (the normal scenario). This page discusses it in more
> detail, including telling the Microsoft developers how to turn it off in
> their configuration:
>
> http://webservices20.blogspot.com/2008/10/interoperability-gotcha-sslcontexttoken.html
>
> As to implementing support for it in CXF, it's probably going to be
> fairly involved. AFAIK there's no existing case of runtime certificate
> negotiation you could use as the basis for your code, so you'd have to
> implement the negotiation part yourself, then add the server certificate
> to a truststore for use by the WSS4J security implementation code - but
> only for the duration of the secure conversation.
>
>   - Dennis
>
>
> On 12/25/2010 08:35 AM, John Franey wrote:
> > On Thu, Dec 23, 2010 at 6:00 PM, Dennis Sosnoski <[email protected]> wrote:
> >
> >> John, you might try downloading the sample code from the
> >> SymmetricBinding article referenced by Glen
> >> (http://www.ibm.com/developerworks/java/library/j-jws17/index.html) as a
> >> basis for trying your policy. First build and test the supplied sample
> >> using your CXF installation, then substitute your policy for the one in
> >> the sample code WSDL. Hopefully that could help you find the cause of
> >> the problems.
> >>
> >
> > OK, using cxf 2.2.8, I make the policy substitution, and get this, with
> > scencr:
> >
> > [java] Dec 24, 2010 1:55:01 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl build
> > [java] WARNING: No assertion builder for type {http://schemas.microsoft.com/ws/2005/07/securitypolicy}SslContextToken registered.
> > [java] Dec 24, 2010 1:55:02 PM org.apache.cxf.phase.PhaseInterceptorChain doDefaultLogging
> > [java] WARNING: Interceptor for {http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}SecurityTokenService#{http://schemas.xmlsoap.org/ws/2005/02/trust/wsdl}RequestSecurityToken has thrown exception, unwinding now
> > [java] org.apache.cxf.interceptor.Fault: No signature token
> > [java] at org.apache.cxf.ws.security.wss4j.policyhandlers.SymmetricBindingHandler.doSignBeforeEncrypt(SymmetricBindingHandler.java:384)
> >
> > I interpret the first warning to mean an 'assertion builder' needs to be
> > implemented and registered for this type. Is this 'builder' a pluggable
> > component? How would I find out if a builder for this type already exists?
> > Is implementing a builder a complex task? Is this work reserved to cxf
> > developers or are users of the library expected to provide these as they
> > need? If I get one, or write one, how do I register it? Is it easier to
> > beg the service provider to change the policy and if so, how can I express
> > that in their terms (I am an alien to the .net environment)?
> >
> > I interpret the second warning to mean that I did not satisfy the
> > configuration requirement of the policy. In this case, it is missing its
> > signature token. I need to discover the name of this property, and how to
> > set it, and what value to set it to.
> >
> > So, I guess I have some digging through the cxf pages. Am I asking the
> > right questions? and do you expect the cxf web pages will give me answers?
> >
> > Thanks,
> > John
> >
> >
> >> The comment from the article that "CXF was the only stack that worked
> >> with the policy as written." only applied to the WS-SecureConversation
> >> policy shown in Listing 2. WS-SC configurations tend to be more
> >> failure-prone than regular WS-Security configurations, in my experience,
> >> since there are more "moving parts" involved in the operation. All three
> >> of the stacks I tried were able to handle the basic SymmetricBinding
> >> configuration.
> >>
> >>   - Dennis
> >>
> >> Dennis M. Sosnoski
> >> Java SOA and Web Services Consulting <http://www.sosnoski.com/consult.html>
> >> Axis2/CXF/Metro SOA and Web Services Training <http://www.sosnoski.com/training.html>
> >> Web Services Jump-Start <http://www.sosnoski.com/jumpstart.html>
> >>
> >>
> >> On 12/24/2010 10:26 AM, Glen Mazza wrote:
> >>
> >>> It *could* be your service provider is not detecting the
> >>> SymmetricBinding tag because two additional libraries need to be
> >>> declared in your web.xml:
> >>> http://www.jroller.com/gmazza/entry/cxf_x509_profile_secpol (see the
> >>> section on |contextConfigLocation|, it will point you to a username
> >>> token article.)
> >>>
> >>> HTH,
> >>> Glen
> >>>
> >>>
> >>> On 23.12.2010 16:20, John Franey wrote:
> >>>
> >>>> Thanks.
> >>>>
> >>>> On Thu, Dec 23, 2010 at 4:01 PM, Glen Mazza <[email protected]> wrote:
> >>>>
> >>>>> On http://www.sosnoski.com/articles.html, I think you'll want the 2nd
> >>>>> article: WS-Security without client certificates
> >>>>> <http://www.ibm.com/developerworks/java/library/j-jws17/index.html>
> >>>>>
> >>>> This statement from that article is why I am wanting to use CXF:
> >>>> "CXF was the only stack that worked with the policy as written."
> >>>>
> >>>> The policy I am consuming looks much like the ones in his article.
> >>>> So, I'm expecting success. I believe symmetric binding is supported.
> >>>>
> >>>> Should I conclude that the 'right wsdl' is enough to activate symmetric
> >>>> binding? or is there some other configuration needed?
> >>>>
> >>>> The message "SymmetricBinding not supported" implies the latter, I
> >>>> think.
> >>>>
> >>>>
> >>>>> HTH,
> >>>>> Glen
> >>>>>
> >>>>>
> >>>>> On 23.12.2010 15:32, John Franey wrote:
> >>>>>
> >>>>>> I believe symmetric binding policy is supported in cxf 2.3.1, but
> >>>>>> this log message says no:
> >>>>>>
> >>>>>> [PolicyEngineImpl] Alternative {http://schemas.xmlsoap.org/ws/2005/07/securitypolicy}SymmetricBinding is not supported
> >>>>>>
> >>>>>> I've been working over the cxf documentation for over a day. I am
> >>>>>> stumped.
> >>>>>>
> >>>>>> What do I have to do to turn on support for symmetric binding?
> >>>>>>
> >>>>>> I'm writing a client that will run in jbossws-cxf 3.4.0.
> >>>>>>
> >>>>>> Thanks,
> >>>>>> John
> >>>>>>
> >>>>>
> >>>>> --
> >>>>>
> >>>>> Glen Mazza
> >>>>> gmazza at apache dot org
> >>>>> http://www.jroller.com/gmazza
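
A pre-flight check for the situation discussed in this thread, added here as an example (it is not code from CXF or from any of the posters): it scans a WS-Policy document and lists assertions whose namespace falls outside a known set, reporting each QName in the same `{namespace}local` form as the CXF warning. The `KNOWN_NAMESPACES` set and the sample policy are constructed assumptions and do not reflect CXF's actual builder registry.

```python
import xml.etree.ElementTree as ET

WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
POLICY = "{%s}Policy" % WSP
# Assumption: namespaces the consuming stack is expected to understand.
KNOWN_NAMESPACES = frozenset({WSP, SP})

# Constructed sample: a SymmetricBinding whose protection token is the
# Microsoft SslContextToken extension named in the warning above.
SAMPLE_POLICY = """\
<wsp:Policy xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
    xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy">
  <sp:SymmetricBinding><wsp:Policy>
    <sp:ProtectionToken><wsp:Policy>
      <mssp:SslContextToken/>
    </wsp:Policy></sp:ProtectionToken>
    <sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>
  </wsp:Policy></sp:SymmetricBinding>
</wsp:Policy>
"""

def split_qname(tag):
    """Split ElementTree's '{ns}local' tag into (ns, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def _scan(elem, path, in_policy, known, hits):
    ns, local = split_qname(elem.tag)
    if in_policy and ns not in known:
        # Record where the unknown assertion sits; its children cannot be
        # interpreted without a builder, so do not descend further.
        hits.append((elem.tag, "/".join(path)))
        return
    in_policy = in_policy or elem.tag == POLICY
    for child in elem:
        _scan(child, path + [local], in_policy, known, hits)

def unsupported_assertions(xml_text, known=KNOWN_NAMESPACES):
    """Return [(qname, parent path)] for assertions found inside any
    wsp:Policy whose namespace is not in `known`. Works on a bare policy
    or on a whole WSDL that embeds one."""
    hits = []
    _scan(ET.fromstring(xml_text), [], False, known, hits)
    return hits

if __name__ == "__main__":
    for qname, where in unsupported_assertions(SAMPLE_POLICY):
        print("no builder expected for %s (under %s)" % (qname, where))
```
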
