Thanks. That was it, using SignedEndorsingSupportingTokens instead of SignedSupportingTokens
On Wed, Mar 19, 2014 at 12:08 PM, coheigea [via CXF] <[email protected]> wrote:

> For "Holder-of-Key", the client must show the service that it knows the key
> (in your case a Symmetric Key) in question. If you change your service
> policy so that the parent of the IssuedToken policy is a
> "SignedSupportingTokens" instead of "SignedEndorsingSupportingTokens" then
> it should work.
>
> Colm.
>
>
> On Wed, Mar 19, 2014 at 4:01 PM, rsearls <[hidden email]> wrote:
>
> > I created this simple service that requires a HOK.
> > The STS returns a SAML "IssuedToken". It was successfully created by
> > SAMLTokenProcessor in which a BasicX509Credential() was created and the
> > corresponding subject certificate was copied into.
> >
> > However, the processing of the IssuedToken fails in
> > IssuedTokenPolicyValidator because signedResults is empty and tlsCerts is null.
> >
> >     if (!checkHolderOfKey(assertionWrapper, signedResults, tlsCerts)) {
> >         ai.setNotAsserted("Assertion fails holder-of-key requirements");
> >         continue;
> >     }
> >
> > I don't see why this does not work. Any advice would be appreciated.
> >
> >
> > --- service WSDL ---
> > <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> > <definitions
> >     targetNamespace="http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
> >     name="HolderOfKeyService"
> >     xmlns:tns="http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
> >     xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> >     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> >     xmlns="http://schemas.xmlsoap.org/wsdl/"
> >     xmlns:wsp="http://www.w3.org/ns/ws-policy"
> >     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:wsaws="http://www.w3.org/2005/08/addressing"
> >     xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
> >     xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
> >     xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> >
> >   <types>
> >     <xsd:schema>
> >       <xsd:import namespace="http://www.jboss.org/jbossws/ws-extensions/holderofkeywssecuritypolicy"
> >                   schemaLocation="HolderOfKeyService_schema1.xsd"/>
> >     </xsd:schema>
> >   </types>
> >   <message name="sayHello">
> >     <part name="parameters" element="tns:sayHello"/>
> >   </message>
> >   <message name="sayHelloResponse">
> >     <part name="parameters" element="tns:sayHelloResponse"/>
> >   </message>
> >   <portType name="HolderOfKeyIface">
> >     <operation name="sayHello">
> >       <input message="tns:sayHello"/>
> >       <output message="tns:sayHelloResponse"/>
> >     </operation>
> >   </portType>
> >   <binding name="HolderOfKeyServicePortBinding" type="tns:HolderOfKeyIface">
> >     <wsp:PolicyReference URI="#TransportSAML2HolderOfKeyPolicy" />
> >     <soap:binding transport="http://schemas.xmlsoap.org/soap/http" style="document"/>
> >     <operation name="sayHello">
> >       <soap:operation soapAction=""/>
> >       <input>
> >         <soap:body use="literal"/>
> >       </input>
> >       <output>
> >         <soap:body use="literal"/>
> >       </output>
> >     </operation>
> >   </binding>
> >   <service name="HolderOfKeyService">
> >     <port name="HolderOfKeyServicePort" binding="tns:HolderOfKeyServicePortBinding">
> >       <soap:address location="https://@jboss.bind.address@:8443/jaxws-samples-wsse-policy-trust-holderofkey/HolderOfKeyService"/>
> >     </port>
> >   </service>
> >
> >   <wsp:Policy wsu:Id="TransportSAML2HolderOfKeyPolicy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <wsam:Addressing wsp:Optional="false">
> >           <wsp:Policy />
> >         </wsam:Addressing>
> >
> >         <sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >           <wsp:Policy>
> >             <sp:TransportToken>
> >               <wsp:Policy>
> >                 <sp:HttpsToken>
> >                   <wsp:Policy/>
> >                 </sp:HttpsToken>
> >               </wsp:Policy>
> >             </sp:TransportToken>
> >             <sp:AlgorithmSuite>
> >               <wsp:Policy>
> >                 <sp:TripleDes />
> >               </wsp:Policy>
> >             </sp:AlgorithmSuite>
> >             <sp:Layout>
> >               <wsp:Policy>
> >                 <sp:Lax />
> >               </wsp:Policy>
> >             </sp:Layout>
> >             <sp:IncludeTimestamp />
> >           </wsp:Policy>
> >         </sp:TransportBinding>
> >
> >         <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >           <wsp:Policy>
> >             <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >               <sp:RequestSecurityTokenTemplate>
> >                 <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</t:TokenType>
> >                 <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
> >               </sp:RequestSecurityTokenTemplate>
> >               <wsp:Policy>
> >                 <sp:RequireInternalReference />
> >               </wsp:Policy>
> >               <sp:Issuer>
> >                 <wsaws:Address>http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService</wsaws:Address>
> >                 <wsaws:Metadata xmlns:wsdli="http://www.w3.org/2006/01/wsdl-instance"
> >                                 wsdli:wsdlLocation="http://@jboss.bind.address@:8080/jaxws-samples-wsse-policy-trust-sts-holderofkey/SecurityTokenService?wsdl">
> >                   <wsaw:ServiceName xmlns:wsaw="http://www.w3.org/2006/05/addressing/wsdl"
> >                                     xmlns:stsns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> >                                     EndpointName="UT_Port">stsns:SecurityTokenService</wsaw:ServiceName>
> >                 </wsaws:Metadata>
> >               </sp:Issuer>
> >             </sp:IssuedToken>
> >           </wsp:Policy>
> >         </sp:SignedSupportingTokens>
> >
> >         <sp:Wss11>
> >           <wsp:Policy>
> >             <sp:MustSupportRefIssuerSerial />
> >             <sp:MustSupportRefThumbprint />
> >             <sp:MustSupportRefEncryptedKey />
> >           </wsp:Policy>
> >         </sp:Wss11>
> >         <sp:Trust13>
> >           <wsp:Policy>
> >             <sp:MustSupportIssuedTokens />
> >             <sp:RequireClientEntropy />
> >             <sp:RequireServerEntropy />
> >           </wsp:Policy>
> >         </sp:Trust13>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> > </definitions>
> >
> >
> > ---- STS wsdl ---
> > <?xml version="1.0" encoding="UTF-8"?>
> > <wsdl:definitions
> >     targetNamespace="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> >     xmlns:tns="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> >     xmlns:wstrust="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
> >     xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
> >     xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
> >     xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
> >     xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
> >     xmlns:wsp="http://www.w3.org/ns/ws-policy"
> >     xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
> >     xmlns:xs="http://www.w3.org/2001/XMLSchema"
> >     xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata">
> >
> >   <wsdl:types>
> >     <xs:schema elementFormDefault="qualified"
> >                targetNamespace='http://docs.oasis-open.org/ws-sx/ws-trust/200512'>
> >
> >       <xs:element name='RequestSecurityToken' type='wst:AbstractRequestSecurityTokenType'/>
> >       <xs:element name='RequestSecurityTokenResponse' type='wst:AbstractRequestSecurityTokenType'/>
> >
> >       <xs:complexType name='AbstractRequestSecurityTokenType'>
> >         <xs:sequence>
> >           <xs:any namespace='##any' processContents='lax' minOccurs='0' maxOccurs='unbounded'/>
> >         </xs:sequence>
> >         <xs:attribute name='Context' type='xs:anyURI' use='optional'/>
> >         <xs:anyAttribute namespace='##other' processContents='lax'/>
> >       </xs:complexType>
> >       <xs:element name='RequestSecurityTokenCollection' type='wst:RequestSecurityTokenCollectionType'/>
> >       <xs:complexType name='RequestSecurityTokenCollectionType'>
> >         <xs:sequence>
> >           <xs:element name='RequestSecurityToken' type='wst:AbstractRequestSecurityTokenType'
> >                       minOccurs='2' maxOccurs='unbounded'/>
> >         </xs:sequence>
> >       </xs:complexType>
> >
> >       <xs:element name='RequestSecurityTokenResponseCollection' type='wst:RequestSecurityTokenResponseCollectionType'/>
> >       <xs:complexType name='RequestSecurityTokenResponseCollectionType'>
> >         <xs:sequence>
> >           <xs:element ref='wst:RequestSecurityTokenResponse' minOccurs='1' maxOccurs='unbounded'/>
> >         </xs:sequence>
> >         <xs:anyAttribute namespace='##other' processContents='lax'/>
> >       </xs:complexType>
> >
> >     </xs:schema>
> >   </wsdl:types>
> >
> >   <wsdl:message name="RequestSecurityTokenMsg">
> >     <wsdl:part name="request" element="wst:RequestSecurityToken"/>
> >   </wsdl:message>
> >   <wsdl:message name="RequestSecurityTokenResponseMsg">
> >     <wsdl:part name="response" element="wst:RequestSecurityTokenResponse"/>
> >   </wsdl:message>
> >   <wsdl:message name="RequestSecurityTokenCollectionMsg">
> >     <wsdl:part name="requestCollection" element="wst:RequestSecurityTokenCollection"/>
> >   </wsdl:message>
> >   <wsdl:message name="RequestSecurityTokenResponseCollectionMsg">
> >     <wsdl:part name="responseCollection" element="wst:RequestSecurityTokenResponseCollection"/>
> >   </wsdl:message>
> >
> >   <wsdl:portType name="WSSecurityRequestor">
> >     <wsdl:operation name="Challenge">
> >       <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
> >       <wsdl:output message="tns:RequestSecurityTokenResponseMsg"/>
> >     </wsdl:operation>
> >   </wsdl:portType>
> >
> >   <wsdl:portType name="STS">
> >     <wsdl:operation name="Cancel">
> >       <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"
> >                   message="tns:RequestSecurityTokenMsg"/>
> >       <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/CancelFinal"
> >                    message="tns:RequestSecurityTokenResponseMsg"/>
> >     </wsdl:operation>
> >     <wsdl:operation name="Issue">
> >       <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"
> >                   message="tns:RequestSecurityTokenMsg"/>
> >       <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTRC/IssueFinal"
> >                    message="tns:RequestSecurityTokenResponseCollectionMsg"/>
> >     </wsdl:operation>
> >     <wsdl:operation name="Renew">
> >       <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"
> >                   message="tns:RequestSecurityTokenMsg"/>
> >       <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/RenewFinal"
> >                    message="tns:RequestSecurityTokenResponseMsg"/>
> >     </wsdl:operation>
> >     <wsdl:operation name="Validate">
> >       <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"
> >                   message="tns:RequestSecurityTokenMsg"/>
> >       <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/ValidateFinal"
> >                    message="tns:RequestSecurityTokenResponseMsg"/>
> >     </wsdl:operation>
> >     <wsdl:operation name="KeyExchangeToken">
> >       <wsdl:input wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KET"
> >                   message="tns:RequestSecurityTokenMsg"/>
> >       <wsdl:output wsam:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/KETFinal"
> >                    message="tns:RequestSecurityTokenResponseMsg"/>
> >     </wsdl:operation>
> >     <wsdl:operation name="RequestCollection">
> >       <wsdl:input message="tns:RequestSecurityTokenCollectionMsg"/>
> >       <wsdl:output message="tns:RequestSecurityTokenResponseCollectionMsg"/>
> >     </wsdl:operation>
> >   </wsdl:portType>
> >
> >   <wsdl:portType name="SecurityTokenResponseService">
> >     <wsdl:operation name="RequestSecurityTokenResponse">
> >       <wsdl:input message="tns:RequestSecurityTokenResponseMsg"/>
> >     </wsdl:operation>
> >   </wsdl:portType>
> >
> >   <wsdl:binding name="UT_Binding" type="wstrust:STS">
> >     <wsp:PolicyReference URI="#UT_policy"/>
> >     <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
> >     <wsdl:operation name="Issue">
> >       <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/>
> >       <wsdl:input>
> >         <wsp:PolicyReference URI="#Input_policy"/>
> >         <soap:body use="literal"/>
> >       </wsdl:input>
> >       <wsdl:output>
> >         <wsp:PolicyReference URI="#Output_policy"/>
> >         <soap:body use="literal"/>
> >       </wsdl:output>
> >     </wsdl:operation>
> >     <wsdl:operation name="Validate">
> >       <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Validate"/>
> >       <wsdl:input>
> >         <wsp:PolicyReference URI="#Input_policy"/>
> >         <soap:body use="literal"/>
> >       </wsdl:input>
> >       <wsdl:output>
> >         <wsp:PolicyReference URI="#Output_policy"/>
> >         <soap:body use="literal"/>
> >       </wsdl:output>
> >     </wsdl:operation>
> >     <wsdl:operation name="Cancel">
> >       <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Cancel"/>
> >       <wsdl:input>
> >         <soap:body use="literal"/>
> >       </wsdl:input>
> >       <wsdl:output>
> >         <soap:body use="literal"/>
> >       </wsdl:output>
> >     </wsdl:operation>
> >     <wsdl:operation name="Renew">
> >       <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Renew"/>
> >       <wsdl:input>
> >         <soap:body use="literal"/>
> >       </wsdl:input>
> >       <wsdl:output>
> >         <soap:body use="literal"/>
> >       </wsdl:output>
> >     </wsdl:operation>
> >     <wsdl:operation name="KeyExchangeToken">
> >       <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/KeyExchangeToken"/>
> >       <wsdl:input>
> >         <soap:body use="literal"/>
> >       </wsdl:input>
> >       <wsdl:output>
> >         <soap:body use="literal"/>
> >       </wsdl:output>
> >     </wsdl:operation>
> >     <wsdl:operation name="RequestCollection">
> >       <soap:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/RequestCollection"/>
> >       <wsdl:input>
> >         <soap:body use="literal"/>
> >       </wsdl:input>
> >       <wsdl:output>
> >         <soap:body use="literal"/>
> >       </wsdl:output>
> >     </wsdl:operation>
> >   </wsdl:binding>
> >
> >   <wsdl:service name="SecurityTokenService">
> >     <wsdl:port name="UT_Port" binding="tns:UT_Binding">
> >       <soap:address location="http://localhost:8080/SecurityTokenService/UT"/>
> >     </wsdl:port>
> >   </wsdl:service>
> >
> >   <wsp:Policy wsu:Id="UT_policy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <wsap10:UsingAddressing/>
> >         <sp:SymmetricBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >           <wsp:Policy>
> >             <sp:ProtectionToken>
> >               <wsp:Policy>
> >                 <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never">
> >                   <wsp:Policy>
> >                     <sp:RequireDerivedKeys/>
> >                     <sp:RequireThumbprintReference/>
> >                     <sp:WssX509V3Token10/>
> >                   </wsp:Policy>
> >                 </sp:X509Token>
> >               </wsp:Policy>
> >             </sp:ProtectionToken>
> >             <sp:AlgorithmSuite>
> >               <wsp:Policy>
> >                 <sp:Basic256/>
> >               </wsp:Policy>
> >             </sp:AlgorithmSuite>
> >             <sp:Layout>
> >               <wsp:Policy>
> >                 <sp:Lax/>
> >               </wsp:Policy>
> >             </sp:Layout>
> >             <sp:IncludeTimestamp/>
> >             <sp:EncryptSignature/>
> >             <sp:OnlySignEntireHeadersAndBody/>
> >           </wsp:Policy>
> >         </sp:SymmetricBinding>
> >         <sp:SignedSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >           <wsp:Policy>
> >             <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
> >               <wsp:Policy>
> >                 <sp:WssUsernameToken10/>
> >               </wsp:Policy>
> >             </sp:UsernameToken>
> >           </wsp:Policy>
> >         </sp:SignedSupportingTokens>
> >         <sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >           <wsp:Policy>
> >             <sp:MustSupportRefKeyIdentifier/>
> >             <sp:MustSupportRefIssuerSerial/>
> >             <sp:MustSupportRefThumbprint/>
> >             <sp:MustSupportRefEncryptedKey/>
> >           </wsp:Policy>
> >         </sp:Wss11>
> >         <sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >           <wsp:Policy>
> >             <sp:MustSupportIssuedTokens/>
> >             <sp:RequireClientEntropy/>
> >             <sp:RequireServerEntropy/>
> >           </wsp:Policy>
> >         </sp:Trust13>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> >   <wsp:Policy wsu:Id="Input_policy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >           <sp:Body/>
> >           <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
> >         </sp:SignedParts>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> >   <wsp:Policy wsu:Id="Output_policy">
> >     <wsp:ExactlyOne>
> >       <wsp:All>
> >         <sp:SignedParts xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
> >           <sp:Body/>
> >           <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
> >           <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
> >         </sp:SignedParts>
> >       </wsp:All>
> >     </wsp:ExactlyOne>
> >   </wsp:Policy>
> >
> > </wsdl:definitions>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
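Why the policy change above made the difference, as an added Python model written for this thread (it is not CXF's IssuedTokenPolicyValidator): a holder-of-key assertion carries a proof key, and the check the quoted stack refers to passes only when some verified signature in the message was made with that key, so merely having the token signed over (SignedSupportingTokens) leaves signedResults empty while endorsing with the token's key (SignedEndorsingSupportingTokens) fills it. The data model, function names, sample key and the HMAC stand-in for a WS-Security signature are assumptions of the example.

```python
"""Why a holder-of-key (HOK) SAML token needs an endorsing supporting token.
Added illustration for this thread, not CXF's IssuedTokenPolicyValidator: the
data model, function names and the HMAC stand-in for a WS-Security signature
are assumptions made for the example."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Optional

HOK_METHOD = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"
# Constructed sample values: the symmetric proof key the STS placed in the
# assertion (KeyType SymmetricKey) and the element the client will sign.
PROOF_KEY = hashlib.sha256(b"constructed-sts-proof-key").digest()
TIMESTAMP = b"<wsu:Timestamp>2014-03-19T16:01:00Z</wsu:Timestamp>"

@dataclass
class Assertion:
    """Issued token: confirmation method + proof key from SubjectConfirmationData."""
    confirmation_method: str
    proof_key: Optional[bytes] = None

@dataclass
class SignatureResult:
    """A verified signature and its key (stands in for the thread's signedResults)."""
    secret_key: bytes

def check_holder_of_key(assertion: Assertion,
                        signed_results: List[SignatureResult]) -> bool:
    """HOK rule: some verified signature must have been made with the
    assertion's proof key. A signature *over* the token proves nothing."""
    if assertion.confirmation_method != HOK_METHOD:
        return True  # bearer / sender-vouches: no possession proof needed
    if assertion.proof_key is None:
        return False
    return any(hmac.compare_digest(r.secret_key, assertion.proof_key)
               for r in signed_results)

def endorse(signed_element: bytes, key: bytes) -> bytes:
    """Client side of SignedEndorsingSupportingTokens: sign with the proof key
    (under a TransportBinding the endorsed element is the wsu:Timestamp)."""
    return hmac.new(key, signed_element, hashlib.sha256).digest()

def verify_endorsement(assertion: Assertion, signed_element: bytes,
                       endorsement: bytes) -> List[SignatureResult]:
    """Service side: recompute with the key from the assertion. A match
    yields a signedResults entry; a mismatch leaves the list empty."""
    expected = hmac.new(assertion.proof_key, signed_element, hashlib.sha256).digest()
    return [SignatureResult(assertion.proof_key)] if hmac.compare_digest(expected, endorsement) else []

def signed_supporting_only() -> bool:
    """SignedSupportingTokens: the token is only covered by the TLS channel,
    nothing is signed with the proof key, signedResults is empty -> False."""
    return check_holder_of_key(Assertion(HOK_METHOD, PROOF_KEY), [])

def signed_endorsing(client_key: bytes = PROOF_KEY) -> bool:
    """SignedEndorsingSupportingTokens: True when the client holds the real
    proof key, False when it endorses with any other key."""
    assertion = Assertion(HOK_METHOD, PROOF_KEY)
    results = verify_endorsement(assertion, TIMESTAMP, endorse(TIMESTAMP, client_key))
    return check_holder_of_key(assertion, results)
```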
