You could try with a more recent version of CXF. There are some fixes based
around policy alternatives that didn't make it into CXF 2.6.6, which is what
you are using (iirc).

Secondly, you will need to write an interceptor to assert the appropriate
policies for the X.509 case. The main policy-driven code in CXF only kicks
in when there is a security binding. However, there are separate
non-binding interceptors to work with UsernameTokens, Kerberos + SAML
tokens. Not X.509 tokens though.

Colm.

On Wed, Oct 22, 2014 at 12:16 PM, SRog <[email protected]> wrote:

> Hi Colm,
> I took the next steps to get things working. The authentication with
> username and password works on the STS. Now I have to get X.509 authentication
> working, too.
>
> The Policy in WSDL looks like this:
>
> <sp:SupportingTokens
> xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
>                                         <wsp:Policy>
>                                                 <wsp:ExactlyOne>
>
>                                                         <wsp:All>
>
> <sp:UsernameToken wsu:Id="BiPROBasicToken"/>
>                                                         </wsp:All>
>
>                                                         <wsp:All>
>
> <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
>
> <wsp:Policy>
>
>       <sp:WssX509V3Token11/>
>
> </wsp:Policy>
>
> </sp:X509Token>
>                                                         </wsp:All>
>                                                 </wsp:ExactlyOne>
>                                         </wsp:Policy>
>                                 </sp:SupportingTokens>
>
> The configuration in cxf-servlet.xml:
>
> <jaxws:endpoint id="CXFSTS" implementor="#mySTSProviderBean"
>         address="/STS"
> wsdlLocation="/WEB-INF/wsdl/bipro/SecurityTokenService-2.5.0.1.0.wsdl"
>         xmlns:ns1="http://www.bipro.net/namespace"
>         serviceName="ns1:SecurityTokenService_2.5.0.1.0"
> endpointName="ns1:UserPasswordLogin">
>
>         <jaxws:properties>
>             <entry key="ws-security.callback-handler"
> value="sts.PasswordCallbackHandler" />
>             <entry key="ws-security.signature.properties"
> value="stsKeystore.properties" />
>             <entry key="ws-security.signature.username"
> value="test-zertifikat" />
>             <entry key="ws-security.encryption.username"
> value="useReqSigCert" />
>         </jaxws:properties>
>        <jaxws:features>
>             <logging xmlns="http://cxf.apache.org/core" />
>             <ref bean="transformFeature" />
>         </jaxws:features>
>
> If I try to access the service with a request like the following, I get the
> message "*These policy alternatives can not be satisfied:
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
> {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}UsernameToken*"
>
>
> <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust">
>    <soapenv:Header>
>       <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>          <wsse:BinarySecurityToken
> EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
>
> wsu:Id="X509-9BECC0307376C4B7A6141396887568237">MIIDjjCCAnagAwIBAgIFBTaKnOswDQYJKoZIhvcNAQEFBQAwPjELMAkGA1UEBhMCREUxFjAUBgNVBAoTDUFsbGlhbnogR3JvdXAxFzAVBgNVBAMTDkFsbGlhbnogVXNlckNBMB4XDTEzMDIyODE1MTM0MloXDTE1MDIyODE1MTM0MlowUjELMAkGA1UEBhMCREUxEDAOBgNVBAoTB0FsbGlhbnoxFTATBgNVBAsTDE1ha2xlcnBvcnRhbDEaMBgGA1UEAxMRUm9iZXJ0IEZyZWlsaW5nZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/s+UF8S6imHKg9y31GdzvcML6XoDCjgzzv2IVbVFD+33pSuf4KSWjctcSng6TtfxtaWHZlbAMk3PdD9vCKJgi7Mm9Fnxw33e9z5dolpZ5WUCkfiIFl8cH8YbTKLUDwU5zYNnYSpYDYzmrs7hSDWStnssaryi+YdtpZXUd4RiZrWi2DjfXmRHxH0yO7mJwSzotxjdJaJSWhMvJ5HAyhUDD9vfnSkT24riXiSQQtKE0Jf22xlZSgown98u0V2wEDjOnEklyjQkx0NqVXrJuZ2ave3HwhmGLHqXtr2jMSbZf2hGrWCWbleE2sqMDu5UFsVRikoi7Z2WnXzXoBXzNThM/AgMBAAGjfzB9MA4GA1UdDwEB/wQEAwIHgDAfBgNVHSMEGDAWgBTexNb/epBIwBRzv/5vG7L09Yj4bDATBgNVHSUEDDAKBggrBgEFBQcDAjA1BgNVHR8ELjAsMCqgKKAmhiRodHRwOi8vcm9vdGNhLmFsbGlhbnouY29tL3VzZXJjYS5jcmwwDQYJKoZIhvcNAQEFBQADggEBAFjzt/0e53CECiTnI6zQgbFOG7HiClvAaQykukdwIDuCJQpBjr158H/NMBpJEWV+dzRx3ZCl4KkvNPw3PhsqP98G42L+ZPTBtwVCtBwjGqFmXTncQ64A7bu8uLkJJz7ubjlXrLt04tFTSeu8O4UbQgv8M8FD+vm2Nf7FvKLwcFJcKPq92uJ8X2GoImbm88BVLLzstiBmJzKDMs/ZnhErPd/d6Sjl/B6JTAfcwZNuI2D+wBPCDj2xZI0q4rfJZHaBf+d97rjn1dfY9HdCYsY0wi3G0eYG7aNeW3iNkeQ3tnaUg4h+QqDKFBCi36A436cfqpQis3sPzNiqJBWYhDNh32U=</wsse:BinarySecurityToken>
>          <ds:Signature Id="SIG-39"
> xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo>
>                <ds:CanonicalizationMethod
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                   <ec:InclusiveNamespaces PrefixList="soapenv wst"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                </ds:CanonicalizationMethod>
>                <ds:SignatureMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>                <ds:Reference URI="#id-38">
>                   <ds:Transforms>
>                      <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                         <ec:InclusiveNamespaces PrefixList="wst"
> xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                      </ds:Transform>
>                   </ds:Transforms>
>                   <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>3AEvtITIY5+7+G5NVea7HCOcsD0=</ds:DigestValue>
>                </ds:Reference>
>                <ds:Reference URI="#TS-37">
>                   <ds:Transforms>
>                      <ds:Transform
> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
>                         <ec:InclusiveNamespaces PrefixList="wsse soapenv
> wst" xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                      </ds:Transform>
>                   </ds:Transforms>
>                   <ds:DigestMethod
> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>
> <ds:DigestValue>XzpIOxUqhq6GObJrWn3U24KOP4M=</ds:DigestValue>
>                </ds:Reference>
>             </ds:SignedInfo>
>
>
> <ds:SignatureValue>CsPndMeeOv4XaHa9dsoWs80t8L6O2kMSZgJG1MTqa7FCKomYvPdQbhJc9bg//RcQFsM1E2ujjInn
>
> moi70YYpld5JvFZvVnhC5i/wPCJ63ZfFIjtp5H36o4StfJB4q03vmfgF+qH7skq3P6PWbDt1QtLF
>
> 2KjuEx15nNyJU0s4OOBje5FYx4KqVSrdJeo4oqUvjML5jcEVd/Ymj4Oy0fydEHNkSt52WI8zaiB0
>
> Du0ZfEIrwFJe8zrhxBQNGWJoHRo4LJ2Be5j97FttyVtTUbxsfJIPvZAsDAl222100y+xUDUpfChy
> ZcRDqW8gE9/aU+Y9tTdIy7i//bfKvi5YNQGbdw==</ds:SignatureValue>
>             <ds:KeyInfo Id="KI-9BECC0307376C4B7A6141396887568238">
>                <wsse:SecurityTokenReference
> wsu:Id="STR-9BECC0307376C4B7A6141396887568239">
>                   <wsse:Reference
> URI="#X509-9BECC0307376C4B7A6141396887568237"
> ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
>                </wsse:SecurityTokenReference>
>             </ds:KeyInfo>
>          </ds:Signature>
>          <wsu:Timestamp wsu:Id="TS-37">
>             <wsu:Created>2014-10-22T09:07:55.682Z</wsu:Created>
>             <wsu:Expires>2014-10-22T11:54:35.682Z</wsu:Expires>
>          </wsu:Timestamp>
>       </wsse:Security>
>    </soapenv:Header>
>    <soapenv:Body wsu:Id="id-38"
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wst:RequestSecurityToken>
>
> <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct
> </wst:TokenType>
>
> <wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
> </wst:RequestType>
>       </wst:RequestSecurityToken>
>    </soapenv:Body>
> </soapenv:Envelope>
>
> Is there something I missed in the configuration?
>
> Thanks,
> SRog
>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Username-PWD-on-STS-tp5750076p5750188.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
