What is the requirement in the second STS request? Is the EncryptedData
Element in the security header of the sample request taken directly from
the "RequestedSecurityToken" of the first STS response? In other words, is
the requirement to copy this EncryptedData Element verbatim from the first
STS response, and to paste it into the security header of the second
request?

Colm.


On Tue, Dec 3, 2013 at 11:58 PM, qatada.abbas <qmoham...@whispir.com> wrote:

> Hi
>
> I am very new to the WS-Trust security system. I have been trying to write an
> STSClient for a web service client.
> The security system requires us to get a token from one server, then use that
> token to get a token from another server. The final token could then be used
> to call the actual web service.
>
> The first service works based on username and password, and I was able to
> write an STSClient for that and get the token. My code looks like the following:
>
>
> // Imports (CXF 2.7 package names) that the snippet omitted.
> import java.util.ArrayList;
> import java.util.HashMap;
> import java.util.List;
> import java.util.Map;
> import org.apache.cxf.Bus;
> import org.apache.cxf.BusFactory;
> import org.apache.cxf.feature.AbstractFeature;
> import org.apache.cxf.feature.LoggingFeature;
> import org.apache.cxf.interceptor.Interceptor;
> import org.apache.cxf.message.Message;
> import org.apache.cxf.ws.addressing.WSAddressingFeature;
> import org.apache.cxf.ws.policy.WSPolicyFeature;
> import org.apache.cxf.ws.security.policy.SP11Constants;
> import org.apache.cxf.ws.security.policy.model.Trust13;
> import org.apache.cxf.ws.security.tokenstore.SecurityToken;
> import org.apache.cxf.ws.security.trust.STSClient;
> import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;
>
> Bus bus = BusFactory.getDefaultBus();
>
> // WS-Addressing, message logging and WS-Policy support, initialised on the bus.
> List<AbstractFeature> features = new ArrayList<AbstractFeature>();
> features.add(new WSAddressingFeature());
> features.add(new LoggingFeature());
> features.add(new WSPolicyFeature());
> for (AbstractFeature feature : features) {
>     feature.initialize(bus);
> }
>
> STSClient client = new STSClient(bus);
> client.setLocation("https://****/logon/Service.svc/Username");
> client.setRequiresEntropy(false);
>
> // WSS4J settings: add a UsernameToken whose plain-text password comes from the callback handler.
> Map<String, Object> properties = new HashMap<String, Object>();
> properties.put("user", "username");
> properties.put("passwordCallbackRef", new ClientCallbackHandler());
> properties.put("passwordType", "PasswordText");
> properties.put("action", "UsernameToken");
>
> List<Interceptor<? extends Message>> interceptorList = new ArrayList<Interceptor<? extends Message>>();
> interceptorList.add(new WSS4JOutInterceptor(properties));
> client.setOutInterceptors(interceptorList);
>
> client.setEnableLifetime(true);
> client.setEnableAppliesTo(true);
> client.getProperties().putAll(properties);
> client.setFeatures(features);
> client.setSoap12();
> client.setWspNamespace(null);
> client.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
> client.setTrust(new Trust13(SP11Constants.INSTANCE));
>
> SecurityToken securityToken = client.requestSecurityToken("***/trust13issuedtokenmixedsymmetricbasic256");
>
> The SOAP response looks like
>
>
> </o:Security>
> </s:Header>
> <s:Body>
> <trust:RequestSecurityTokenResponseCollection xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> <trust:RequestSecurityTokenResponse>
> <trust:KeySize>256</trust:KeySize>
> <trust:Lifetime>
> <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-12-01T23:23:12.755Z</wsu:Created>
> <wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2013-12-02T07:23:12.755Z</wsu:Expires>
> </trust:Lifetime>
> <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <a:EndpointReference>
> <a:Address>.../adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</a:Address>
> </a:EndpointReference>
> </wsp:AppliesTo>
> <trust:RequestedSecurityToken>
> <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <X509Data>
> <X509IssuerSerial>
> <X509IssuerName>....</X509IssuerName>
> <X509SerialNumber>....</X509SerialNumber>
> </X509IssuerSerial>
> </X509Data>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>...</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>...</xenc:CipherValue>
> </xenc:CipherData>
> </xenc:EncryptedData>
> </trust:RequestedSecurityToken>
> <trust:RequestedProofToken>
> <trust:BinarySecret>QJKlX/UMNc9zJTbMYlDnbXyHSecGO3mdgjmTv+5GIFE=</trust:BinarySecret>
> </trust:RequestedProofToken>
> <trust:RequestedAttachedReference>
> <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_327fd82f-fa0b-4abc-94ce-3bea10be98f8</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </trust:RequestedAttachedReference>
> <trust:RequestedUnattachedReference>
> <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">...</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </trust:RequestedUnattachedReference>
> <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
> <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
> <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</trust:KeyType>
> </trust:RequestSecurityTokenResponse>
> </trust:RequestSecurityTokenResponseCollection>
> </s:Body>
> </s:Envelope>
>
>
> I have to use the information I got in this token and send a SOAP message to
> another service, which looks like:
>
>
> <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
> <s:Header>
> <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
> <a:MessageID>urn:uuid:eb64f20c-b70c-49f3-8deb-1cd1113d025d</a:MessageID>
> <a:ReplyTo>
> <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
> </a:ReplyTo>
> <a:To s:mustUnderstand="1">https://..../adfs/services/trust/13/issuedtokenmixedsymmetricbasic256</a:To>
> <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <u:Timestamp u:Id="_0">
> <u:Created>2013-12-01T23:23:13.407Z</u:Created>
> <u:Expires>2013-12-01T23:28:13.407Z</u:Expires>
> </u:Timestamp>
> <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
> <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
> <e:EncryptedKey xmlns:e="http://www.w3.org/2001/04/xmlenc#">
> <e:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p">
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> </e:EncryptionMethod>
> <KeyInfo>
> <o:SecurityTokenReference>
> <X509Data>
> <X509IssuerSerial>
> <X509IssuerName>....</X509IssuerName>
> <X509SerialNumber>.....</X509SerialNumber>
> </X509IssuerSerial>
> </X509Data>
> </o:SecurityTokenReference>
> </KeyInfo>
> <e:CipherData>
> <e:CipherValue>.....</e:CipherValue>
> </e:CipherData>
> </e:EncryptedKey>
> </KeyInfo>
> <xenc:CipherData>
> <xenc:CipherValue>.........</xenc:CipherValue>
> </xenc:CipherData>
> </xenc:EncryptedData>
> <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
> <SignedInfo>
> <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1"/>
> <Reference URI="#_0">
> <Transforms>
> <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
> </Transforms>
> <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
> <DigestValue>.....</DigestValue>
> </Reference>
> </SignedInfo>
> <SignatureValue>......</SignatureValue>
> <KeyInfo>
> <o:SecurityTokenReference k:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1" xmlns:k="http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd">
> <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_327fd82f-fa0b-4abc-94ce-3bea10be98f8</o:KeyIdentifier>
> </o:SecurityTokenReference>
> </KeyInfo>
> </Signature>
> </o:Security>
> </s:Header>
> <s:Body>
> <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
> <a:EndpointReference>
> <a:Address>https://ecsn.gov.au/ESC/</a:Address>
> </a:EndpointReference>
> </wsp:AppliesTo>
> <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
> <trust:TokenType>urn:oasis:names:tc:SAML:2.0:assertion</trust:TokenType>
> </trust:RequestSecurityToken>
> </s:Body>
> </s:Envelope>
>
>
> Is there any way the above could be done using STSClient?
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-STSClient-tp5737337.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
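For the chained-STS scenario in the quoted post, the following is an added example (not the poster's code and not CXF project code) of the policy-driven way to let one STSClient fetch the first-hop token through another: the IssuedToken assertion makes CXF obtain the SAML token from the inner client, place its EncryptedData in the second request's Security header and endorse the Timestamp with the proof key, so the element is never copied by hand. It assumes CXF 2.7-era package names, placeholder endpoint addresses, and that `firstHop` is the username/password client from the post.

```java
// Added example, not the poster's code and not CXF project code: chain two STSClients so the SAML
// token issued by the username/password STS becomes the endorsing token of the RST sent to the
// second STS. CXF then places the issued EncryptedData in the Security header and signs with the
// proof key (BinarySecret) itself; nothing is pasted by hand. Endpoint addresses are placeholders.
import java.io.StringReader;
import org.w3c.dom.Element;
import org.apache.cxf.Bus;
import org.apache.cxf.staxutils.StaxUtils;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;

public class ChainedStsClient {
    static final String FIRST_STS = "https://FIRST-STS-PLACEHOLDER/logon/Service.svc/Username";
    static final String SECOND_STS = "https://SECOND-STS-PLACEHOLDER/adfs/services/trust/13/issuedtokenmixedsymmetricbasic256";
    static final String SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
    // WS-SecurityPolicy for the second STS: HTTPS transport plus a signed, endorsing IssuedToken
    // from FIRST_STS (SAML 1.1, 256-bit symmetric proof key), i.e. the "mixed symmetric basic256" shape.
    static final String POLICY =
        "<wsp:Policy xmlns:wsp='http://schemas.xmlsoap.org/ws/2004/09/policy' xmlns:sp='" + SP + "'"
        + " xmlns:wsa='http://www.w3.org/2005/08/addressing' xmlns:t='http://docs.oasis-open.org/ws-sx/ws-trust/200512'>"
        + "<wsp:ExactlyOne><wsp:All><sp:TransportBinding><wsp:Policy>"
        + "<sp:TransportToken><wsp:Policy><sp:HttpsToken/></wsp:Policy></sp:TransportToken>"
        + "<sp:AlgorithmSuite><wsp:Policy><sp:Basic256/></wsp:Policy></sp:AlgorithmSuite>"
        + "<sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout><sp:IncludeTimestamp/>"
        + "</wsp:Policy></sp:TransportBinding><sp:SignedEndorsingSupportingTokens><wsp:Policy>"
        + "<sp:IssuedToken sp:IncludeToken='" + SP + "/IncludeToken/AlwaysToRecipient'>"
        + "<sp:Issuer><wsa:Address>" + FIRST_STS + "</wsa:Address></sp:Issuer>"
        + "<sp:RequestSecurityTokenTemplate>"
        + "<t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>"
        + "<t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>"
        + "<t:KeySize>256</t:KeySize></sp:RequestSecurityTokenTemplate>"
        + "<wsp:Policy><sp:RequireInternalReference/></wsp:Policy></sp:IssuedToken>"
        + "</wsp:Policy></sp:SignedEndorsingSupportingTokens></wsp:All></wsp:ExactlyOne></wsp:Policy>";
    // firstHop is the username/password STSClient configured as in the original post.
    public static SecurityToken requestSecondHopToken(Bus bus, STSClient firstHop, String appliesTo) throws Exception {
        Element policy = StaxUtils.read(new StringReader(POLICY)).getDocumentElement();
        STSClient secondHop = new STSClient(bus);
        secondHop.setLocation(SECOND_STS);
        secondHop.setSoap12();
        secondHop.setTokenType("urn:oasis:names:tc:SAML:2.0:assertion");
        secondHop.setPolicy(policy);
        // The IssuedToken assertion makes CXF call firstHop for the first-hop token and use its proof
        // key for the hmac-sha1 Signature over the Timestamp, as in the sample request above.
        secondHop.getProperties().put(SecurityConstants.STS_CLIENT, firstHop);
        SecurityToken token = secondHop.requestSecurityToken(appliesTo);
        // Refuse a token whose Lifetime/Expires has already passed rather than handing it to callers.
        if (token.isExpired()) throw new IllegalStateException("second-hop token already expired");
        return token;
    }
}
```

Because the first-hop response carries the proof key in clear in the BinarySecret element, the LoggingFeature from the post writes that key to the log; keep it off outside development.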
