javacxfws-trust

Configure CXF for STS/WS-Trust by code


I like to access a STS/WS-Trust protected SOAP service with CXF. As I am forced to reduce dependencies I use CXFBusFactory instead of spring configuration. This means I am forced to configure by code and this is quite less documentated and popular on the web.

Can anyone point out which configuration settings are missing and how to set them by code?

I got:

private static void testSo(String endpointUrl, String username, String password) {
    String busFactory = System.getProperty(BusFactory.BUS_FACTORY_PROPERTY_NAME);
    try {
        // Setup the system properties to use the CXFBusFactory not the SpringBusFactory
        System.setProperty(BusFactory.BUS_FACTORY_PROPERTY_NAME, "org.apache.cxf.bus.CXFBusFactory");

        CXFBusFactory bf = new CXFBusFactory();         
        Bus bus = bf.createBus();
        bus.getFeatures().add(new org.apache.cxf.feature.LoggingFeature());

        STSClient stsClient = new STSClient(bus);
        stsClient.setWsdlLocation("https://example.com/adfs/services/trust/mex");
        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}CustomBinding_IWSTrustFeb2005Async");

        bus.setProperty("ws-security.callback-handler", "com.example.ClientCallbackHandler");
        bus.setProperty("ws-security.username", username);
        bus.setProperty("ws-security.password", password);
        bus.setProperty("ws-security.sts.client", stsClient);

        BusFactory.setDefaultBus(bus);
        BusFactory.setThreadDefaultBus(bus);

        URL wsdlUrl = new URL(endpointUrl + "?singleWsdl");
        Service ss = OrganizationService.create(wsdlUrl, SERVICE_NAME);         
        IOrganizationService port = ss.getPort(IOrganizationService.class);

        ColumnSet cs = new ColumnSet();
        cs.setAllColumns(true);
        Entity e = port.retrieve("account", "323223", cs);          
    } catch (Exception ex) {
        ex.printStackTrace();
    } finally {
        // clean up the system properties
        if (busFactory != null) {
            System.setProperty(BusFactory.BUS_FACTORY_PROPERTY_NAME, busFactory);
        } else {
            System.clearProperty(BusFactory.BUS_FACTORY_PROPERTY_NAME);
        }
    }
}   

The target service is MS CRM 2013 if it matters.

This far I get from CXF logging:

Jul 25, 2014 12:24:55 PM org.apache.cxf.ws.policy.AssertionBuilderRegistryImpl handleNoRegisteredBuilder
WARNUNG: No assertion builder for type {http://schemas.microsoft.com/xrm/2011/Contracts/Services}AuthenticationPolicy registered.
Jul 25, 2014 12:24:55 PM org.apache.cxf.ws.security.policy.builders.HttpsTokenBuilder build
WARNUNG: sp:HttpsToken/wsp:Policy should have a value!

And then this exception:

javax.xml.ws.soap.SOAPFaultException: None of the policy alternatives can be satisfied.
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:158)
    at com.sun.proxy.$Proxy46.retrieve(Unknown Source)

Update 1: I believe the main problem is to set up sp:HttpsToken/wsp:Policy by code. Very often the web shows me this sample spring configuration but I do not see how to replicate with code (Client client = ClientProxy.getClient(port); gets me the client). Example:

  <sp:TransportBinding>
    <wsp:Policy>
        <sp:TransportToken>
            <wsp:Policy>
                <sp:HttpsToken/>
            </wsp:Policy>
        </sp:TransportToken>
        <sp:AlgorithmSuite>
            <wsp:Policy>
                <sp:Basic256/>
            </wsp:Policy>
        </sp:AlgorithmSuite>
        <sp:Layout>
            <wsp:Policy>
                <sp:Lax/>
            </wsp:Policy>
        </sp:Layout>
        <sp:IncludeTimestamp/>
    </wsp:Policy>
  </sp:TransportBinding>

Update 2: This is the WSDL policy of the service server:

<wsp:Policy wsu:Id="CustomBinding_IOrganizationService_policy">
<wsp:ExactlyOne>
<wsp:All>
<ms-xrm:AuthenticationPolicy xmlns:ms-xrm="http://schemas.microsoft.com/xrm/2011/Contracts/Services">
<ms-xrm:Authentication>Federation</ms-xrm:Authentication>
<ms-xrm:SecureTokenService>
<ms-xrm:Identifier>http://sts1.example.com/adfs/services/trust</ms-xrm:Identifier>
</ms-xrm:SecureTokenService>
</ms-xrm:AuthenticationPolicy>
<sp:TransportBinding xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:TransportToken>
<wsp:Policy>
<sp:HttpsToken/>
</wsp:Policy>
</sp:TransportToken>
<sp:AlgorithmSuite>
<wsp:Policy>
<sp:Basic256/>
</wsp:Policy>
</sp:AlgorithmSuite>
<sp:Layout>
<wsp:Policy>
<sp:Strict/>
</wsp:Policy>
</sp:Layout>
<sp:IncludeTimestamp/>
</wsp:Policy>
</sp:TransportBinding>
<sp:EndorsingSupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
<Issuer xmlns="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<Address xmlns="http://www.w3.org/2005/08/addressing">http://www.w3.org/2005/08/addressing/anonymous</Address>
<Metadata xmlns="http://www.w3.org/2005/08/addressing">
<Metadata xmlns="http://schemas.xmlsoap.org/ws/2004/09/mex" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<wsx:MetadataSection xmlns="">
<wsx:MetadataReference>
<Address xmlns="http://www.w3.org/2005/08/addressing">https://sts1.edrcrm.com/adfs/services/trust/mex</Address>
</wsx:MetadataReference>
</wsx:MetadataSection>
</Metadata>
</Metadata>
</Issuer>
<sp:RequestSecurityTokenTemplate>
<trust:KeyType xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey
</trust:KeyType>
<trust:KeySize xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">256</trust:KeySize>
<trust:Claims xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512" Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
<wsid:ClaimType xmlns:wsid="http://schemas.xmlsoap.org/ws/2005/05/identity" Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"/>
</trust:Claims>
<trust:KeyWrapAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p</trust:KeyWrapAlgorithm>
<trust:EncryptWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptWith>
<trust:SignWith xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2000/09/xmldsig#hmac-sha1</trust:SignWith>
<trust:CanonicalizationAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/10/xml-exc-c14n#</trust:CanonicalizationAlgorithm>
<trust:EncryptionAlgorithm xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://www.w3.org/2001/04/xmlenc#aes256-cbc</trust:EncryptionAlgorithm>
</sp:RequestSecurityTokenTemplate>
<wsp:Policy>
<sp:RequireInternalReference/>
</wsp:Policy>
</sp:IssuedToken>
</wsp:Policy>
</sp:EndorsingSupportingTokens>
<sp:Wss11 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy/>
</sp:Wss11>
<sp:Trust13 xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702">
<wsp:Policy>
<sp:MustSupportIssuedTokens/>
<sp:RequireClientEntropy/>
<sp:RequireServerEntropy/>
</wsp:Policy>
</sp:Trust13>
<wsaw:UsingAddressing/>
</wsp:All>
</wsp:ExactlyOne>
</wsp:Policy>

Solution

  • What does the request + response messages look like? What is the security policy of the STS? The HttpsToken thing is a red herring, it is just a warning that the security policy of the STS in this instance is not strictly spec compliant.

    Colm.