Thanks for the answer, I'll paste wsdl here.
What I have been trying is to use the WSS4J interceptors, as I have seen in some
examples.
I imported both certificates into my keystore, and while debugging I can see that the
password handler gets the keys from it.
My problem right now is that CXF is expecting an initial token (of class
SecurityToken) in the request context property "ws-security.token". I saw
this while debugging.
Is it correct to use this property?
In the WS-Security samples I saw that properties are only set on the interceptors,
not in the request context of the client.
And if this behavior is correct, how can I create this token? Should I use
another property?

Wsdl is below, any idea?
Thanks!

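<?xml version="1.0" encoding="utf-8"?>
<!--
  WSDL for the SecGtwService endpoint, as pasted into the mail.
  Restored from the mail-archive rendering: the stray ';' after quoted attribute
  values and the hard line wraps inside URIs, attribute values and the base64
  certificate were removed. Element names, attribute names and values are
  otherwise as posted.
-->
<wsdl:definitions
    xmlns:wsap="http://schemas.xmlsoap.org/ws/2004/08/addressing/policy"
    xmlns:wsa10="http://www.w3.org/2005/08/addressing"
    xmlns:tns="http://tempuri.org/"
    xmlns:msc="http://schemas.microsoft.com/ws/2005/12/wsdl/contract"
    xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
    xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    name="SecGtwService"
    targetNamespace="http://tempuri.org/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">

  <!--
    Endpoint policy, attached to the CertificateEndPoint binding below.
    Message-level security: a symmetric binding whose protection token is a
    WS-SecureConversation token with derived keys. The BootstrapPolicy describes
    how that conversation token is established.
  -->
  <wsp:Policy wsu:Id="CertificateEndPoint_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SymmetricBinding xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:ProtectionToken>
              <wsp:Policy>
                <sp:SecureConversationToken
                    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                  <wsp:Policy>
                    <sp:RequireDerivedKeys />
                    <sp:BootstrapPolicy>
                      <wsp:Policy>
                        <!-- Bootstrap messages: body plus the WS-Addressing headers are signed; only the body is encrypted. -->
                        <sp:SignedParts>
                          <sp:Body />
                          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
                          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
                          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
                          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
                          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
                          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
                          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
                        </sp:SignedParts>
                        <sp:EncryptedParts>
                          <sp:Body />
                        </sp:EncryptedParts>
                        <sp:SymmetricBinding>
                          <wsp:Policy>
                            <sp:ProtectionToken>
                              <wsp:Policy>
                                <!--
                                  mssp:SslContextToken is declared in a schemas.microsoft.com namespace,
                                  i.e. it is a vendor extension rather than part of the sp: WS-SecurityPolicy
                                  vocabulary used elsewhere in this policy. RequireClientCertificate asks the
                                  client to present its own certificate during that negotiation.
                                  NOTE(review): a client stack from another vendor needs explicit support for
                                  this assertion; confirm that before debugging keystore or token properties.
                                -->
                                <mssp:SslContextToken
                                    sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"
                                    xmlns:mssp="http://schemas.microsoft.com/ws/2005/07/securitypolicy">
                                  <wsp:Policy>
                                    <sp:RequireDerivedKeys />
                                    <mssp:RequireClientCertificate />
                                  </wsp:Policy>
                                </mssp:SslContextToken>
                              </wsp:Policy>
                            </sp:ProtectionToken>
                            <!--
                              NOTE(review): Basic256 pairs AES-256 with SHA-1 based digests in the
                              WS-SecurityPolicy algorithm suite definitions. If both peers support it,
                              a SHA-256 suite such as Basic256Sha256 is the stronger choice.
                            -->
                            <sp:AlgorithmSuite>
                              <wsp:Policy>
                                <sp:Basic256 />
                              </wsp:Policy>
                            </sp:AlgorithmSuite>
                            <sp:Layout>
                              <wsp:Policy>
                                <sp:Strict />
                              </wsp:Policy>
                            </sp:Layout>
                            <sp:IncludeTimestamp />
                            <sp:EncryptSignature />
                            <sp:OnlySignEntireHeadersAndBody />
                          </wsp:Policy>
                        </sp:SymmetricBinding>
                        <sp:Wss11>
                          <wsp:Policy />
                        </sp:Wss11>
                        <sp:Trust10>
                          <wsp:Policy>
                            <sp:MustSupportIssuedTokens />
                            <sp:RequireClientEntropy />
                            <sp:RequireServerEntropy />
                          </wsp:Policy>
                        </sp:Trust10>
                      </wsp:Policy>
                    </sp:BootstrapPolicy>
                  </wsp:Policy>
                </sp:SecureConversationToken>
              </wsp:Policy>
            </sp:ProtectionToken>
            <!-- Same suite as the bootstrap binding; the SHA-1 remark there applies here too. -->
            <sp:AlgorithmSuite>
              <wsp:Policy>
                <sp:Basic256 />
              </wsp:Policy>
            </sp:AlgorithmSuite>
            <sp:Layout>
              <wsp:Policy>
                <sp:Strict />
              </wsp:Policy>
            </sp:Layout>
            <!-- Timestamp is required and the signature itself is encrypted; signatures must cover whole headers and the whole body. -->
            <sp:IncludeTimestamp />
            <sp:EncryptSignature />
            <sp:OnlySignEntireHeadersAndBody />
          </wsp:Policy>
        </sp:SymmetricBinding>
        <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy />
        </sp:Wss11>
        <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <wsp:Policy>
            <sp:MustSupportIssuedTokens />
            <sp:RequireClientEntropy />
            <sp:RequireServerEntropy />
          </wsp:Policy>
        </sp:Trust10>
        <wsaw:UsingAddressing />
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

  <!--
    Per-message policies. All six are identical in content: the body and the
    listed WS-Addressing headers are signed, and only the body is encrypted,
    so the addressing headers are integrity-protected but readable on the wire.
  -->
  <wsp:Policy wsu:Id="CertificateEndPoint_AuthenticateService_Input_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="CertificateEndPoint_AuthenticateService_output_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="CertificateEndPoint_ValidadeTokenService_Input_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="CertificateEndPoint_ValidadeTokenService_output_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="CertificateEndPoint_WhoIAm_Input_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>
  <wsp:Policy wsu:Id="CertificateEndPoint_WhoIAm_output_policy">
    <wsp:ExactlyOne>
      <wsp:All>
        <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
          <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing" />
          <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
        </sp:SignedParts>
        <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
          <sp:Body />
        </sp:EncryptedParts>
      </wsp:All>
    </wsp:ExactlyOne>
  </wsp:Policy>

  <!--
    Type definitions are imported from the service host rather than inlined.
    NOTE(review): the schemaLocation URLs use plain http, so whatever fetches
    them has no assurance the schemas are the ones the service published.
    When generating client code, prefer vetted local copies of the three schemas.
  -->
  <wsdl:types>
    <xsd:schema targetNamespace="http://tempuri.org/Imports">
      <xsd:import
          schemaLocation="http://nrio0230dco.pactual.net/services/SecureGateway/CalypsoGatewayCert/SecGtwServiceHost.svc?xsd=xsd0"
          namespace="http://tempuri.org/" />
      <xsd:import
          schemaLocation="http://nrio0230dco.pactual.net/services/SecureGateway/CalypsoGatewayCert/SecGtwServiceHost.svc?xsd=xsd1"
          namespace="http://schemas.microsoft.com/2003/10/Serialization/" />
      <xsd:import
          schemaLocation="http://nrio0230dco.pactual.net/services/SecureGateway/CalypsoGatewayCert/SecGtwServiceHost.svc?xsd=xsd2"
          namespace="http://schemas.datacontract.org/2004/07/Pactual.SecureGateway.Services.Contracts" />
    </xsd:schema>
  </wsdl:types>

  <!-- One input and one output message per operation; each wraps a single element from the tns schema. -->
  <wsdl:message name="ISecGtwServiceContract_AuthenticateService_InputMessage">
    <wsdl:part name="parameters" element="tns:AuthenticateService" />
  </wsdl:message>
  <wsdl:message name="ISecGtwServiceContract_AuthenticateService_OutputMessage">
    <wsdl:part name="parameters" element="tns:AuthenticateServiceResponse" />
  </wsdl:message>
  <wsdl:message name="ISecGtwServiceContract_ValidadeTokenService_InputMessage">
    <wsdl:part name="parameters" element="tns:ValidadeTokenService" />
  </wsdl:message>
  <wsdl:message name="ISecGtwServiceContract_ValidadeTokenService_OutputMessage">
    <wsdl:part name="parameters" element="tns:ValidadeTokenServiceResponse" />
  </wsdl:message>
  <wsdl:message name="ISecGtwServiceContract_WhoIAm_InputMessage">
    <wsdl:part name="parameters" element="tns:WhoIAm" />
  </wsdl:message>
  <wsdl:message name="ISecGtwServiceContract_WhoIAm_OutputMessage">
    <wsdl:part name="parameters" element="tns:WhoIAmResponse" />
  </wsdl:message>

  <!-- Abstract contract: three request/response operations, each with explicit WS-Addressing actions. -->
  <wsdl:portType name="ISecGtwServiceContract">
    <wsdl:operation name="AuthenticateService">
      <wsdl:input
          wsaw:Action="http://tempuri.org/ISecGtwServiceContract/AuthenticateService"
          message="tns:ISecGtwServiceContract_AuthenticateService_InputMessage" />
      <wsdl:output
          wsaw:Action="http://tempuri.org/ISecGtwServiceContract/AuthenticateServiceResponse"
          message="tns:ISecGtwServiceContract_AuthenticateService_OutputMessage" />
    </wsdl:operation>
    <wsdl:operation name="ValidadeTokenService">
      <wsdl:input
          wsaw:Action="http://tempuri.org/ISecGtwServiceContract/ValidadeTokenService"
          message="tns:ISecGtwServiceContract_ValidadeTokenService_InputMessage" />
      <wsdl:output
          wsaw:Action="http://tempuri.org/ISecGtwServiceContract/ValidadeTokenServiceResponse"
          message="tns:ISecGtwServiceContract_ValidadeTokenService_OutputMessage" />
    </wsdl:operation>
    <wsdl:operation name="WhoIAm">
      <wsdl:input
          wsaw:Action="http://tempuri.org/ISecGtwServiceContract/WhoIAm"
          message="tns:ISecGtwServiceContract_WhoIAm_InputMessage" />
      <wsdl:output
          wsaw:Action="http://tempuri.org/ISecGtwServiceContract/WhoIAmResponse"
          message="tns:ISecGtwServiceContract_WhoIAm_OutputMessage" />
    </wsdl:operation>
  </wsdl:portType>

  <!-- SOAP 1.2 document/literal binding; the endpoint policy and the per-message policies are attached by reference. -->
  <wsdl:binding name="CertificateEndPoint" type="tns:ISecGtwServiceContract">
    <wsp:PolicyReference URI="#CertificateEndPoint_policy" />
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http" />
    <wsdl:operation name="AuthenticateService">
      <soap12:operation
          soapAction="http://tempuri.org/ISecGtwServiceContract/AuthenticateService"
          style="document" />
      <wsdl:input>
        <wsp:PolicyReference URI="#CertificateEndPoint_AuthenticateService_Input_policy" />
        <soap12:body use="literal" />
      </wsdl:input>
      <wsdl:output>
        <wsp:PolicyReference URI="#CertificateEndPoint_AuthenticateService_output_policy" />
        <soap12:body use="literal" />
      </wsdl:output>
    </wsdl:operation>
    <wsdl:operation name="ValidadeTokenService">
      <soap12:operation
          soapAction="http://tempuri.org/ISecGtwServiceContract/ValidadeTokenService"
          style="document" />
      <wsdl:input>
        <wsp:PolicyReference URI="#CertificateEndPoint_ValidadeTokenService_Input_policy" />
        <soap12:body use="literal" />
      </wsdl:input>
      <wsdl:output>
        <wsp:PolicyReference URI="#CertificateEndPoint_ValidadeTokenService_output_policy" />
        <soap12:body use="literal" />
      </wsdl:output>
    </wsdl:operation>
    <wsdl:operation name="WhoIAm">
      <soap12:operation
          soapAction="http://tempuri.org/ISecGtwServiceContract/WhoIAm"
          style="document" />
      <wsdl:input>
        <wsp:PolicyReference URI="#CertificateEndPoint_WhoIAm_Input_policy" />
        <soap12:body use="literal" />
      </wsdl:input>
      <wsdl:output>
        <wsp:PolicyReference URI="#CertificateEndPoint_WhoIAm_output_policy" />
        <soap12:body use="literal" />
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>

  <wsdl:service name="SecGtwService">
    <wsdl:port name="CertificateEndPoint" binding="tns:CertificateEndPoint">
      <!--
        The endpoint address is plain http: confidentiality and integrity rest
        entirely on the message-level policy above, and anything outside
        EncryptedParts (for example the addressing headers) is sent in clear.
      -->
      <soap12:address
          location="http://nrio0230dco.pactual.net/services/SecureGateway/CalypsoGatewayCert/SecGtwServiceHost.svc" />
      <wsa10:EndpointReference>
        <wsa10:Address>http://nrio0230dco.pactual.net/services/SecureGateway/CalypsoGatewayCert/SecGtwServiceHost.svc</wsa10:Address>
        <!--
          Service identity: the certificate the client is meant to check the
          service against.
          NOTE(review): the encoded certificate appears to name "Root Agency" as
          issuer, with a 1024-bit RSA key and a SHA-1 signature, which is the
          shape of a development test certificate. Confirm by decoding it, and
          do not add that issuer to a production trust store.
        -->
        <Identity xmlns="http://schemas.xmlsoap.org/ws/2006/02/addressingidentity">
          <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <X509Data>
              <X509Certificate>MIIBxTCCAXOgAwIBAgIQoF4m3EAEm4RCITdLvQ/MxTAJBgUrDgMCHQUAMBYxFDASBgNVBAMTC1Jvb3QgQWdlbmN5MB4XDTEyMDcxODAwMjQzN1oXDTM5MTIzMTIzNTk1OVowKDEmMCQGA1UEAxMdUGFjdHVhbC5TZWN1cmVHYXRld2F5LlNlcnZpY2UwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAN7Bng23dMbhRgzQ3KuD1uox0MriWjJON3DL1tQsHqGqjE9ZiTeVnijDEWxre938+/sELJ+Ru3mdoQae+ICfn3guBEwg80MBqeQlpNmWMssaKVWJAK5ur2YCo3UNoju2d+ZEgD073tQ4MLp68a3TfUEKrzrBbXZQbFak8opoyCPhAgMBAAGjSzBJMEcGA1UdAQRAMD6AEBLkCS0GHR1PAI1hIdwWZGOhGDAWMRQwEgYDVQQDEwtSb290IEFnZW5jeYIQBjdsAKoAZIoRz7jUqlw19DAJBgUrDgMCHQUAA0EAVL4d3PW6GhtrfEyYBghg5SIzwrsaKUvOsudIEPuOH8xWPbkgyFszcxKJpOj2dxawvNvsrBo8D62D9xUTMexQHw==</X509Certificate>
            </X509Data>
          </KeyInfo>
        </Identity>
      </wsa10:EndpointReference>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>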


-----Mensagem original-----
De: Colm O hEigeartaigh [mailto:[email protected]] 
Enviada: terça-feira, 28 de agosto de 2012 14:45
Para: [email protected]
Assunto: Re: Using cxf with X509v3 certificates

Yes, CXF supports this configuration. Your WSDL did not make it through
though so I can't tell what the problem is. Try just copying and pasting the
security binding directly into an email?

Colm.

On Tue, Aug 28, 2012 at 6:20 PM, Nícolas Fontenele <[email protected]> wrote:

> Hi all,
>
> I’m developing a client service to consume a .NET service with an X509v3
> certificate using WS-Security.
>
> The service uses a symmetric binding, with
> includeToken=”prefix/AlwaysToRecipient” and a
> <sp:ProtectionToken>.
>
> I have two certificates, a *.pfx file and a *.cer file, which I have to use to
> access it.
>
> My WSDL is attached.
>
> My question is: does CXF support this configuration?
>
> Best Regards,
>
> *Nícolas Fontenele*
>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
