For "Holder-of-Key", the client must show the service that it knows the key
(in your case a Symmetric Key) in question. IssuedTokenPolicyValidator appears
to look for that proof either in a signature made with the token's key (the
signedResults it inspects) or in a matching TLS client certificate (tlsCerts);
in your trace both are absent, which is why checkHolderOfKey fails. If you
change your service policy so that the parent of the IssuedToken policy is a
"SignedSupportingTokens" instead of "SignedEndorsingSupportingTokens" then
it should work.

Colm.


On Wed, Mar 19, 2014 at 4:01 PM, rsearls <[email protected]> wrote:

> I created this simple service that requires a HOK.
> The STS returns a SAML "IssuedToken". It was successfully created by
> SAMLTokenProcessor, in which a BasicX509Credential() was created and the
> corresponding subject certificate was copied into it.
>
> However, the processing of the IssuedToken fails in
> IssuedTokenPolicyValidator
> because signedResults is empty and tlsCerts is null.
>
> 103   if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
> 104        ai.setNotAsserted("Assertion fails holder-of-key requirements");
> 105        continue;
> 106   }
>
> I don't see why this does not work. Any advice would be appreciated.
>
>
> --- service WSDL ---
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <!-- Service WSDL: an HTTPS transport-bound endpoint whose policy requires a
>      SAML 2.0 holder-of-key token with a symmetric proof key, issued by the
>      STS whose WSDL is quoted further below. -->
> <definitions
> targetNamespace="
> http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy";
>              name="HolderOfKeyService"
>
> xmlns:tns="
> http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy";
>                 xmlns:xsd="http://www.w3.org/2001/XMLSchema";
>                 xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/";
>                 xmlns="http://schemas.xmlsoap.org/wsdl/";
>                 xmlns:wsp="http://www.w3.org/ns/ws-policy";
>                 xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata";
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
>     xmlns:wsaws="http://www.w3.org/2005/08/addressing";
>     xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex";
>     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";
>     xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512";>
>
>   <types>
>     <xsd:schema>
>       <xsd:import
> namespace="
> http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy";
>                   schemaLocation="HolderOfKeyService_schema1.xsd"/>
>     </xsd:schema>
>   </types>
>   <message name="sayHello">
>     <part name="parameters" element="tns:sayHello"/>
>   </message>
>   <message name="sayHelloResponse">
>     <part name="parameters" element="tns:sayHelloResponse"/>
>   </message>
>   <portType name="HolderOfKeyIface">
>     <operation name="sayHello">
>       <input message="tns:sayHello"/>
>       <output message="tns:sayHelloResponse"/>
>     </operation>
>   </portType>
>   <binding name="HolderOfKeyServicePortBinding"
> type="tns:HolderOfKeyIface">
>     <!-- Security policy for every operation on this binding (defined at the
>          end of the document). -->
>     <wsp:PolicyReference URI="#TransportSAML2HolderOfKeyPolicy" />
>     <soap:binding transport="http://schemas.xmlsoap.org/soap/http";
> style="document"/>
>     <operation name="sayHello">
>       <soap:operation soapAction=""/>
>       <input>
>         <soap:body use="literal"/>
>       </input>
>       <output>
>         <soap:body use="literal"/>
>       </output>
>     </operation>
>   </binding>
>   <service name="HolderOfKeyService">
>     <port name="HolderOfKeyServicePort"
> binding="tns:HolderOfKeyServicePortBinding">
>       <!-- @jboss.bind.address@ is a build-time placeholder; the endpoint is
>            https, as the TransportBinding below requires. -->
>       <soap:address
> location="https://@jboss.bind.address@
> :8443/jaxws-samples-wsse-policy-trust-holderofkey/HolderOfKeyService"/>
>     </port>
>   </service>
>
>
>   <wsp:Policy wsu:Id="TransportSAML2HolderOfKeyPolicy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <wsam:Addressing wsp:Optional="false">
>           <wsp:Policy />
>         </wsam:Addressing>
>
>
>
>
>           <!-- Message protection is delegated to HTTPS (sp:HttpsToken
>                below). -->
>           <sp:TransportBinding
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>             <wsp:Policy>
>               <sp:TransportToken>
>                 <wsp:Policy>
>                   <sp:HttpsToken>
>                     <wsp:Policy/>
>                   </sp:HttpsToken>
>                 </wsp:Policy>
>               </sp:TransportToken>
>               <sp:AlgorithmSuite>
>                 <wsp:Policy>
>                   <!-- NOTE(review): TripleDes is a legacy suite; the STS
>                        policy below uses Basic256 — consider aligning on the
>                        stronger suite unless a peer requires 3DES. -->
>                   <sp:TripleDes />
>                 </wsp:Policy>
>               </sp:AlgorithmSuite>
>               <sp:Layout>
>                 <wsp:Policy>
>                   <sp:Lax />
>                 </wsp:Policy>
>               </sp:Layout>
>               <sp:IncludeTimestamp />
>             </wsp:Policy>
>           </sp:TransportBinding>
>
>         <!-- The SAML IssuedToken is declared as a signed supporting token.
>              The service's holder-of-key check still needs proof that the
>              client possesses the token's key (a signature made with it, or a
>              matching TLS client certificate) — see the reply above. -->
>         <sp:SignedSupportingTokens
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <wsp:Policy>
>             <sp:IssuedToken
>
> sp:IncludeToken="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> ">
>               <sp:RequestSecurityTokenTemplate>
>
> <t:TokenType>
> http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
> </t:TokenType>
>
> <!-- SymmetricKey: the assertion's proof key is a symmetric key, issued
>      with both client and server entropy (sp:Trust13 below). -->
> <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
> </t:KeyType>
>               </sp:RequestSecurityTokenTemplate>
>               <wsp:Policy>
>                 <sp:RequireInternalReference />
>               </wsp:Policy>
>
>               <!-- STS location. The STS is addressed over plain http, so
>                    protection of the token request relies on the STS's own
>                    SymmetricBinding policy (UT_policy); the WSDL fetched from
>                    wsdlLocation should be treated as a hint, not as trusted
>                    policy. -->
>               <sp:Issuer>
>
> <wsaws:Address>http://@jboss.bind.address@
> :8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService</wsaws:Address>
>                 <wsaws:Metadata
>                   xmlns:wsdli="http://www.w3.org/2006/01/wsdl-instance";
>
> wsdli:wsdlLocation="http://@jboss.bind.address@
> :8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService?wsdl">
>                   <wsaw:ServiceName
>                     xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl";
>
> xmlns:stsns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
>
> EndpointName="UT_Port">stsns:SecurityTokenService</wsaw:ServiceName>
>                 </wsaws:Metadata>
>               </sp:Issuer>
>
>             </sp:IssuedToken>
>           </wsp:Policy>
>         </sp:SignedSupportingTokens>
>
>         <sp:Wss11>
>           <wsp:Policy>
>             <sp:MustSupportRefIssuerSerial />
>             <sp:MustSupportRefThumbprint />
>             <sp:MustSupportRefEncryptedKey />
>           </wsp:Policy>
>         </sp:Wss11>
>         <!-- Both sides contribute entropy to the issued symmetric key. -->
>         <sp:Trust13>
>           <wsp:Policy>
>             <sp:MustSupportIssuedTokens />
>             <sp:RequireClientEntropy />
>             <sp:RequireServerEntropy />
>           </wsp:Policy>
>         </sp:Trust13>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>
> </definitions>
>
>
>
>
>
> ---- STS wsdl ---
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- STS WSDL. Two distinct WS-Trust namespace URIs are bound below:
>      tns/wstrust (trailing slash) for this WSDL's own portTypes and bindings,
>      and wst (no trailing slash) for the schema elements. They are different
>      namespaces; keep the two in step when editing. -->
> <wsdl:definitions
>   targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
>   xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
>   xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/";
>   xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/";
>   xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/";
>   xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl";
>
> xmlns:wsu="
> http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
> "
>   xmlns:wsp="http://www.w3.org/ns/ws-policy";
>   xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512";
>   xmlns:xs="http://www.w3.org/2001/XMLSchema";
>   xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata";>
>
>   <wsdl:types>
>     <xs:schema elementFormDefault="qualified"
>
> targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'>
>
>       <xs:element name='RequestSecurityToken'
>                   type='wst:AbstractRequestSecurityTokenType'/>
>       <xs:element name='RequestSecurityTokenResponse'
>                   type='wst:AbstractRequestSecurityTokenType'/>
>
>       <xs:complexType name='AbstractRequestSecurityTokenType'>
>         <xs:sequence>
>           <!-- Any content, lax processing: the RST/RSTR payload is not
>                validated by this schema, so the STS must check it itself. -->
>           <xs:any namespace='##any' processContents='lax' minOccurs='0'
>                   maxOccurs='unbounded'/>
>         </xs:sequence>
>         <xs:attribute name='Context' type='xs:anyURI' use='optional'/>
>         <xs:anyAttribute namespace='##other' processContents='lax'/>
>       </xs:complexType>
>       <xs:element name='RequestSecurityTokenCollection'
>                   type='wst:RequestSecurityTokenCollectionType'/>
>       <xs:complexType name='RequestSecurityTokenCollectionType'>
>         <xs:sequence>
>           <xs:element name='RequestSecurityToken'
>                       type='wst:AbstractRequestSecurityTokenType'
> minOccurs='2'
>                       maxOccurs='unbounded'/>
>         </xs:sequence>
>       </xs:complexType>
>
>       <xs:element name='RequestSecurityTokenResponseCollection'
>                   type='wst:RequestSecurityTokenResponseCollectionType'/>
>       <xs:complexType name='RequestSecurityTokenResponseCollectionType'>
>         <xs:sequence>
>           <xs:element ref='wst:RequestSecurityTokenResponse' minOccurs='1'
>                       maxOccurs='unbounded'/>
>         </xs:sequence>
>         <xs:anyAttribute namespace='##other' processContents='lax'/>
>       </xs:complexType>
>
>     </xs:schema>
>   </wsdl:types>
>
>
>   <wsdl:message name="RequestSecurityTokenMsg">
>     <wsdl:part name="request" element="wst:RequestSecurityToken"/>
>   </wsdl:message>
>   <wsdl:message name="RequestSecurityTokenResponseMsg">
>     <wsdl:part name="response"
>                element="wst:RequestSecurityTokenResponse"/>
>   </wsdl:message>
>   <wsdl:message name="RequestSecurityTokenCollectionMsg">
>     <wsdl:part name="requestCollection"
>                element="wst:RequestSecurityTokenCollection"/>
>   </wsdl:message>
>   <wsdl:message name="RequestSecurityTokenResponseCollectionMsg">
>     <wsdl:part name="responseCollection"
>                element="wst:RequestSecurityTokenResponseCollection"/>
>   </wsdl:message>
>
>
>   <wsdl:portType name="WSSecurityRequestor">
>     <wsdl:operation name="Challenge">
>       <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
>       <wsdl:output message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>   </wsdl:portType>
>
>
>   <!-- Standard WS-Trust 1.3 operations; wsam:Action values are the
>        WS-Trust RST/RSTR action URIs. -->
>   <wsdl:portType name="STS">
>     <wsdl:operation name="Cancel">
>       <wsdl:input
>
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel";
>         message="tns:RequestSecurityTokenMsg"/>
>       <wsdl:output
>
> wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal";
>         message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>     <wsdl:operation name="Issue">
>       <wsdl:input
>
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue";
>         message="tns:RequestSecurityTokenMsg"/>
>       <wsdl:output
>
> wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal";
>         message="tns:RequestSecurityTokenResponseCollectionMsg"/>
>     </wsdl:operation>
>     <wsdl:operation name="Renew">
>       <wsdl:input
>
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew";
>         message="tns:RequestSecurityTokenMsg"/>
>       <wsdl:output
>
> wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal";
>         message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>     <wsdl:operation name="Validate">
>       <wsdl:input
>
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
> "
>         message="tns:RequestSecurityTokenMsg"/>
>       <wsdl:output
>
> wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal";
>         message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>     <wsdl:operation name="KeyExchangeToken">
>       <wsdl:input
>
> wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KET";
>         message="tns:RequestSecurityTokenMsg"/>
>       <wsdl:output
>
> wsam:Action="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/KETFinal";
>         message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>     <wsdl:operation name="RequestCollection">
>       <wsdl:input message="tns:RequestSecurityTokenCollectionMsg"/>
>       <wsdl:output
> message="tns:RequestSecurityTokenResponseCollectionMsg"/>
>     </wsdl:operation>
>   </wsdl:portType>
>
>
>   <wsdl:portType name="SecurityTokenResponseService">
>     <wsdl:operation name="RequestSecurityTokenResponse">
>       <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
>     </wsdl:operation>
>   </wsdl:portType>
>
>   <!-- Binding-level policy (UT_policy) applies to every operation; Issue
>        and Validate additionally require the Input_policy/Output_policy
>        signed parts. -->
>   <wsdl:binding name="UT_Binding" type="wstrust:STS">
>     <wsp:PolicyReference URI="#UT_policy"/>
>     <soap:binding style="document"
>                   transport="http://schemas.xmlsoap.org/soap/http"/>
>     <wsdl:operation name="Issue">
>       <soap:operation
>
> soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/>
>       <wsdl:input>
>         <wsp:PolicyReference
>           URI="#Input_policy"/>
>         <soap:body use="literal"/>
>       </wsdl:input>
>       <wsdl:output>
>         <wsp:PolicyReference
>           URI="#Output_policy"/>
>         <soap:body use="literal"/>
>       </wsdl:output>
>     </wsdl:operation>
>     <wsdl:operation name="Validate">
>       <soap:operation
>
> soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate
> "/>
>       <wsdl:input>
>         <wsp:PolicyReference
>           URI="#Input_policy"/>
>         <soap:body use="literal"/>
>       </wsdl:input>
>       <wsdl:output>
>         <wsp:PolicyReference
>           URI="#Output_policy"/>
>         <soap:body use="literal"/>
>       </wsdl:output>
>     </wsdl:operation>
>     <wsdl:operation name="Cancel">
>       <soap:operation
>
> soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"/>
>       <wsdl:input>
>         <soap:body use="literal"/>
>       </wsdl:input>
>       <wsdl:output>
>         <soap:body use="literal"/>
>       </wsdl:output>
>     </wsdl:operation>
>     <wsdl:operation name="Renew">
>       <soap:operation
>
> soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"/>
>       <wsdl:input>
>         <soap:body use="literal"/>
>       </wsdl:input>
>       <wsdl:output>
>         <soap:body use="literal"/>
>       </wsdl:output>
>     </wsdl:operation>
>     <wsdl:operation name="KeyExchangeToken">
>       <soap:operation
>
> soapAction="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken"/>
>       <wsdl:input>
>         <soap:body use="literal"/>
>       </wsdl:input>
>       <wsdl:output>
>         <soap:body use="literal"/>
>       </wsdl:output>
>     </wsdl:operation>
>     <wsdl:operation name="RequestCollection">
>       <soap:operation
>
> soapAction="
> http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection"/>
>       <wsdl:input>
>         <soap:body use="literal"/>
>       </wsdl:input>
>       <wsdl:output>
>         <soap:body use="literal"/>
>       </wsdl:output>
>     </wsdl:operation>
>   </wsdl:binding>
>
>   <wsdl:service name="SecurityTokenService">
>     <wsdl:port name="UT_Port" binding="tns:UT_Binding">
>       <!-- Placeholder address; the service WSDL's sp:Issuer above points at
>            a different path for this STS. -->
>       <soap:address
> location="http://localhost:8080/SecurityTokenService/UT"/>
>     </wsdl:port>
>   </wsdl:service>
>
>   <wsp:Policy wsu:Id="UT_policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <wsap10:UsingAddressing/>
>         <!-- Message protection for STS requests: a symmetric key established
>              under the STS's X.509 certificate (RequireDerivedKeys). The
>              certificate is referenced by thumbprint and never sent inline,
>              so the client needs it out-of-band. -->
>         <sp:SymmetricBinding
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <wsp:Policy>
>             <sp:ProtectionToken>
>               <wsp:Policy>
>                 <sp:X509Token
>
> sp:IncludeToken="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never
> ">
>                   <wsp:Policy>
>                     <sp:RequireDerivedKeys/>
>                     <sp:RequireThumbprintReference/>
>                     <sp:WssX509V3Token10/>
>                   </wsp:Policy>
>                 </sp:X509Token>
>               </wsp:Policy>
>             </sp:ProtectionToken>
>             <sp:AlgorithmSuite>
>               <wsp:Policy>
>                 <sp:Basic256/>
>               </wsp:Policy>
>             </sp:AlgorithmSuite>
>             <sp:Layout>
>               <wsp:Policy>
>                 <sp:Lax/>
>               </wsp:Policy>
>             </sp:Layout>
>             <sp:IncludeTimestamp/>
>             <sp:EncryptSignature/>
>             <sp:OnlySignEntireHeadersAndBody/>
>           </wsp:Policy>
>         </sp:SymmetricBinding>
>         <!-- Client authentication to the STS: a UsernameToken, signed as a
>              supporting token under the binding above. -->
>         <sp:SignedSupportingTokens
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <wsp:Policy>
>             <sp:UsernameToken
>
> sp:IncludeToken="
> http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient
> ">
>               <wsp:Policy>
>                 <sp:WssUsernameToken10/>
>               </wsp:Policy>
>             </sp:UsernameToken>
>           </wsp:Policy>
>         </sp:SignedSupportingTokens>
>         <sp:Wss11
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <wsp:Policy>
>             <sp:MustSupportRefKeyIdentifier/>
>             <sp:MustSupportRefIssuerSerial/>
>             <sp:MustSupportRefThumbprint/>
>             <sp:MustSupportRefEncryptedKey/>
>           </wsp:Policy>
>         </sp:Wss11>
>         <sp:Trust13
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <wsp:Policy>
>             <sp:MustSupportIssuedTokens/>
>             <sp:RequireClientEntropy/>
>             <sp:RequireServerEntropy/>
>           </wsp:Policy>
>         </sp:Trust13>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>   <!-- Input_policy / Output_policy: the message signature must cover the
>        Body and the listed WS-Addressing headers. -->
>   <wsp:Policy wsu:Id="Input_policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:SignedParts
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <sp:Body/>
>           <sp:Header Name="To"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="From"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="FaultTo"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="ReplyTo"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="MessageID"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="RelatesTo"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="Action"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>         </sp:SignedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
>   <wsp:Policy wsu:Id="Output_policy">
>     <wsp:ExactlyOne>
>       <wsp:All>
>         <sp:SignedParts
>
> xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702";>
>           <sp:Body/>
>           <sp:Header Name="To"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="From"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="FaultTo"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="ReplyTo"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="MessageID"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="RelatesTo"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>           <sp:Header Name="Action"
>                      Namespace="http://www.w3.org/2005/08/addressing"/>
>         </sp:SignedParts>
>       </wsp:All>
>     </wsp:ExactlyOne>
>   </wsp:Policy>
>
> </wsdl:definitions>
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/HOK-response-not-recognized-tp5741528.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
