Search code examples
javajbosscxfws-security

How to use CXF STS and X509v3 BinarySecurityToken


I am trying to make CXF STS work with 509v3 token. It works fine, if only a username token is configured, but it fails on X509.

I am using CXF inside of JBOSS EAP 6.3.1

Maven Dependencies

<dependency>
  <groupId>org.apache.cxf.services.sts</groupId>
  <artifactId>cxf-services-sts-core</artifactId>
  <version>2.7.11.redhat-3</version>
</dependency>

<dependency>
  <groupId>org.jboss.ws.cxf</groupId>
  <artifactId>jbossws-cxf-server</artifactId>
  <version>4.3.0.Final-redhat-3</version>
  <scope>provided</scope>
</dependency>

My WSDL:

...
 <wsp:Policy wsu:Id="UT_policy">
        <wsp:ExactlyOne>
            <wsp:All>
                <!--  
                Disabled for testing - I use SoapUI for sending the request
                <sp:TransportBinding>
                    <wsp:Policy>
                        <sp:TransportToken>
                            <wsp:Policy>
                                <sp:HttpsToken RequireClientCertificate="false"/>
                            </wsp:Policy>
                        </sp:TransportToken>
                    </wsp:Policy>
                </sp:TransportBinding>              
                -->
                <sp:SupportingTokens>               
                    <wsp:Policy>
                        <wsp:ExactlyOne>
                            <wsp:All>
                                <sp:X509Token IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                                    <wsp:Policy>
                                        <sp:WssX509V3Token10 wsu:Id="token"/>
                                    </wsp:Policy>
                                </sp:X509Token>
                            </wsp:All>
<!--                         
Disabled for Testing. If I activate both, neither work. Somehow CXF ignores the ExactlyOne Element.   
                             <wsp:All>
                                <sp:UsernameToken wsu:Id="BiPROBasicToken"/>
                            </wsp:All>-->
                        </wsp:ExactlyOne>
                    </wsp:Policy>       
                </sp:SupportingTokens>      
            </wsp:All>
        </wsp:ExactlyOne>
    </wsp:Policy>

Example Request:

<SOAPENV:Envelope xmlns:SOAPENV='http://schemas.xmlsoap.org/soap/envelope/'>
 <SOAPENV:Header>
  <wsse:Security xmlns:wsse='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
   <wsse:BinarySecurityToken EncodingType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3' wsu:Id='Token'>
MIIDMTCCApqgAwI....3aairt
93OqNtk=
</wsse:BinarySecurityToken>
   <Signature xmlns='http://www.w3.org/2000/09/xmldsig#'>
    <SignedInfo>
     <CanonicalizationMethod Algorithm='http://www.w3.org/TR/2001/REC-xml-c14n-20010315'/>
     <SignatureMethod Algorithm='http://www.w3.org/2000/09/xmldsig#rsa-sha1'/>
     <Reference URI='#body'>
      <Transforms>
       <Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      </Transforms>
      <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <DigestValue>WbLbIc...k=</DigestValue>
     </Reference>
     <Reference URI='#Timestamp'>
      <Transforms>
       <Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      </Transforms>
      <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <DigestValue>z3q....9w=</DigestValue>
     </Reference>
     <Reference URI='#Token'>
      <Transforms>
       <Transform Algorithm='http://www.w3.org/2000/09/xmldsig#enveloped-signature'/>
      </Transforms>
      <DigestMethod Algorithm='http://www.w3.org/2000/09/xmldsig#sha1'/>
      <DigestValue>ypE6U....slo=</DigestValue>
     </Reference>
    </SignedInfo>
    <SignatureValue>lW1....Tc=</SignatureValue>
    <KeyInfo>
     <wsse:SecurityTokenReference>
      <wsse:Reference URI='#Token' ValueType='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3'/>
     </wsse:SecurityTokenReference>
    </KeyInfo>
   </Signature>
   <wsu:Timestamp wsu:Id='Timestamp'>
    <wsu:Created>2015-02-09T13:03:11Z</wsu:Created>
    <wsu:Expires>2015-02-09T13:13:13Z</wsu:Expires>
   </wsu:Timestamp>
  </wsse:Security>
 </SOAPENV:Header>
 <SOAPENV:Body wsu:Id='body' xmlns:wsu='http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd'>
  <wst:RequestSecurityToken xmlns:wst='http://schemas.xmlsoap.org/ws/2005/02/trust'>
   <wst:TokenType>http://schemas.xmlsoap.org/ws/2005/02/sc/sct</wst:TokenType>
   <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  </wst:RequestSecurityToken>
 </SOAPENV:Body>
</SOAPENV:Envelope>

The request is valid and can not be changed -> it is generated by another program.

Response:

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
   <soap:Body>
      <soap:Fault>
         <faultcode>soap:Server</faultcode>
         <faultstring>These policy alternatives can not be satisfied: 
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}SupportingTokens
{http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}X509Token</faultstring>
      </soap:Fault>
   </soap:Body>
</soap:Envelope>

I have no clue, if my policydefinition is wrong, or my sts class.

STS Class

package net.example;

import java.util.Arrays;
import java.util.LinkedList;
import java.util.List;
import javax.xml.transform.Source;
import javax.xml.ws.WebServiceProvider;
import net.example.STSCallbackHandler;
import org.apache.cxf.annotations.EndpointProperties;
import org.apache.cxf.annotations.EndpointProperty;
import org.apache.cxf.sts.StaticSTSProperties;
import org.apache.cxf.sts.operation.TokenIssueOperation;
import org.apache.cxf.sts.operation.TokenValidateOperation;
import org.apache.cxf.sts.service.ServiceMBean;
import org.apache.cxf.sts.service.StaticService;
import org.apache.cxf.sts.token.provider.SCTProvider;
import org.apache.cxf.sts.token.validator.SCTValidator;
import org.apache.cxf.sts.token.validator.X509TokenValidator;
import org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider;
import org.apache.cxf.ws.security.tokenstore.MemoryTokenStore;

@WebServiceProvider(serviceName = "SecurityTokenService",
        portName = "UT_Port",
        targetNamespace = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/",
        wsdlLocation = "WEB-INF/wsdl/ws-trust-1.4-service.wsdl")
@EndpointProperties(value = {
    @EndpointProperty(key = "ws-security.signature.username", value = "mystskey"),
    @EndpointProperty(key = "ws-security.encryption.username", value = "mystskey"),
    @EndpointProperty(key = "ws-security.signature.properties", value = "stsKeystore.properties"),
    @EndpointProperty(key = "ws-security.callback-handler", value = "net.example.STSCallbackHandler") 
})
public class SampleSTS extends SecurityTokenServiceProvider {

    @Override
    public Source invoke(Source request) {
        return super.invoke(request); //To change body of generated methods, choose Tools | Templates.
    }

    public SampleSTS() throws Exception {
        super();
        final StaticSTSProperties props = new StaticSTSProperties();
        props.setCallbackHandlerClass(STSCallbackHandler.class.getName());

        //X509?
        props.setSignaturePropertiesFile("stsKeystore.properties");
        props.setSignatureUsername("mystskey");
        //????
        props.setIssuer("mystskey");

        final List<ServiceMBean> services = new LinkedList<ServiceMBean>();
        StaticService service = new StaticService();
        service.setEndpoints(Arrays.asList(
                "http://\\[0:0:0:0:0:0:0:1\\]:(\\d)*/sts4/SecurityService"
        ));
        services.add(service);

        final TokenIssueOperation issueOperation = new TokenIssueOperation();
        issueOperation.setServices(services);
        issueOperation.getTokenProviders().add(new SCTProvider());
        issueOperation.setStsProperties(props);
        issueOperation.setTokenStore(new MemoryTokenStore());

        final TokenValidateOperation validateOperation = new TokenValidateOperation();
        validateOperation.getTokenValidators().add(new SCTValidator());
        validateOperation.getTokenValidators().add(new X509TokenValidator());
        validateOperation.setStsProperties(props);

        this.setIssueOperation(issueOperation);
        this.setValidateOperation(validateOperation);

    }
}

Solution

  • CXF doesn't support the concept of an X.509 SupportingToken with no security binding. As you are using Asymmetric Signature, you should use an AsymmetricBinding security policy instead, with a SignedParts policy to cover the message parts that should be signed.