Securing STS with Username token (pure WSSE, no basic auth)
jarod68 Apr 30, 2013 4:13 AM
Hi,
I'm new to PicketLink and I need to set up an STS service. I did that with the sample provided with the release, but I can't secure my STS with a WSSE security token. It only works with HTTP basic auth.
I tried to change the config but it's not working; it tells me "None of the policy alternatives can be satisfied". There is no help on the internet, I hope somebody can help me or give some resources.
I use jboss-7.1.1 and picketlink 2.1.6.Final.
Here is the content of my config files:
jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
  <security-domain>picketlink-sts</security-domain>
  <context-root>picketlink-sts</context-root>
</jboss-web>
jboss-wsse-server.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-ws-security xmlns="http://www.jboss.com/ws-security/config"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
  <config>
    <!-- Enable Authentication via Username Token. We do not care about the roles, but users should be authenticated! -->
    <authorize>
      <unchecked/>
    </authorize>
    <!-- Force presence of wsse:usernameToken header in requests -->
    <requires>
      <username/>
    </requires>
  </config>
</jboss-ws-security>
web.xml:
<?xml version="1.0"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
  <servlet>
    <servlet-name>PicketLinkSTS</servlet-name>
    <servlet-class>org.picketlink.identity.federation.app.sts.PicketLinkSTService</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>PicketLinkSTS</servlet-name>
    <url-pattern>/*</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>PicketLinkSTSService</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- <auth-constraint><role-name>JBossAdmin</role-name><role-name>STSClient</role-name></auth-constraint>-->
  </security-constraint>
  <!-- <login-config><auth-method>BASIC</auth-method><realm-name>PicketLinkSTSRealm</realm-name></login-config>-->
  <security-role>
    <role-name>JBossAdmin</role-name>
  </security-role>
  <security-role>
    <role-name>STSClient</role-name>
  </security-role>
</web-app>
standalone.xml (only the security-domain):
<security-domain name="picketlink-sts" cache-type="default">
  <authentication>
    <login-module code="UsersRoles" flag="required">
      <module-option name="usersProperties" value="users.properties"/>
      <module-option name="rolesProperties" value="roles.properties"/>
      <module-option name="unauthenticatedIdentity" value="anonymous"/>
    </login-module>
  </authentication>
</security-domain>
wsdl:
<?xml version="1.0"?>
<wsdl:definitions name="PicketLinkSTS" targetNamespace="urn:picketlink:identity-federation:sts"
                  xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
                  xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/"
                  xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
                  xmlns:tns="urn:picketlink:identity-federation:sts"
                  xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
                  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:wsp="http://www.w3.org/ns/ws-policy"
                  xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
                  xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <wsdl:types>
    <xs:schema elementFormDefault="qualified" targetNamespace="urn:picketlink:identity-federation:sts" version="1.0"
               xmlns:tns="urn:picketlink:identity-federation:sts" xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <xs:element name="MessageBody">
        <xs:complexType>
          <xs:sequence>
            <xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:schema>
  </wsdl:types>
  <wsdl:message name="RequestSecurityToken">
    <wsdl:part element="tns:MessageBody" name="rstMessage"/>
  </wsdl:message>
  <wsdl:message name="RequestSecurityTokenResponse">
    <wsdl:part element="tns:MessageBody" name="rstrMessage"/>
  </wsdl:message>
  <wsdl:portType name="SecureTokenService">
    <wsdl:operation name="IssueToken">
      <wsdl:input message="tns:RequestSecurityToken" wsap10:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/>
      <wsdl:output message="tns:RequestSecurityTokenResponse" wsap10:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="STSBinding" type="tns:SecureTokenService">
    <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsp:Policy>
      <wsp:ExactlyOne>
        <wsp:All>
          <sp:SignedSupportingTokens>
            <wsp:Policy>
              <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy/>
              </sp:UsernameToken>
            </wsp:Policy>
          </sp:SignedSupportingTokens>
          <sc:ValidatorConfiguration wspp:visibility="private">
            <sc:Validator classname="service.PlainTextPasswordValidator" name="usernameValidator"/>
          </sc:ValidatorConfiguration>
          <sp:Wss11/>
        </wsp:All>
      </wsp:ExactlyOne>
    </wsp:Policy>
    <wsdl:operation name="IssueToken">
      <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" style="document"/>
      <wsdl:input>
        <soap12:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap12:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="PicketLinkSTS">
    <wsdl:port binding="tns:STSBinding" name="PicketLinkSTSPort">
      <soap12:address location="http://localhost:8080/picketlink-sts/PicketLinkSTS"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
Request example (sent with SoapUI):
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:tns="urn:picketlink:identity-federation:sts"
               xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/cd/ws-trust.xsd"
               xmlns:xsd="http://www.w3.org/2001/XMLSchema"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1"
                   xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="token-1-1318770538053-1595417149">
        <wsse:Username>admin</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <wst:RequestSecurityToken Context="context">
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>
And I get this response:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <soap:Fault>
      <soap:Code>
        <soap:Value>soap:Receiver</soap:Value>
      </soap:Code>
      <soap:Reason>
        <soap:Text xml:lang="en">None of the policy alternatives can be satisfied.</soap:Text>
      </soap:Reason>
    </soap:Fault>
  </soap:Body>
</soap:Envelope>
Regards,
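Two things the policy in the WSDL above expects are worth checking against the SoapUI request before looking at the login module: the binding is a soap12:binding (SOAP 1.2 envelope namespace http://www.w3.org/2003/05/soap-envelope, which is also what the fault comes back in), while the request uses the SOAP 1.1 envelope namespace http://schemas.xmlsoap.org/soap/envelope/; and the UsernameToken is declared under sp:SignedSupportingTokens, which WS-SecurityPolicy defines as a supporting token covered by the message signature, while the request carries no ds:Signature at all. The checker below is an added example, not code from the post, from PicketLink or from JBossWS; it parses a SOAP request with the Python standard library, extracts the WS-Security facts a policy engine looks at (envelope version, presence and form of the UsernameToken, password type, mustUnderstand, signature) and lists the expectations the message does not meet. The embedded SAMPLE_REQUEST is the request from the post; the expectations passed to policy_findings (SOAP 1.2, token must be signed) are read off the WSDL policy and are assumptions about that policy, not something PicketLink reports.

```python
import xml.etree.ElementTree as ET

# Namespaces used by the SOAP 1.1/1.2 envelopes, WS-Security and XML-DSig.
SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP12 = "http://www.w3.org/2003/05/soap-envelope"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
DS = "http://www.w3.org/2000/09/xmldsig#"
# UsernameToken profile 1.0: Type attribute values for wsse:Password.
PASSWORD_TEXT = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"

# The request from the forum post, embedded verbatim as sample input.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/cd/ws-trust.xsd">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="1"
                   xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                   xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wsse:UsernameToken wsu:Id="token-1-1318770538053-1595417149">
        <wsse:Username>admin</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <wst:RequestSecurityToken Context="context">
      <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>
"""


def inspect_request(xml_text):
    """Extract the WS-Security facts a policy engine evaluates from a SOAP request."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    env_ns = root.tag.split("}")[0].lstrip("{")
    report = {
        "envelope_version": {SOAP11: "1.1", SOAP12: "1.2"}.get(env_ns, "unknown"),
        "has_security_header": False,
        "must_understand": None,
        "has_username_token": False,
        "username": None,
        "password_type": None,   # "PasswordText" or "PasswordDigest"
        "signed": False,         # any ds:Signature inside wsse:Security
    }
    header = root.find(f"{{{env_ns}}}Header")
    if header is None:
        return report
    security = header.find(f"{{{WSSE}}}Security")
    if security is None:
        return report
    report["has_security_header"] = True
    # mustUnderstand is namespaced with the envelope's own namespace.
    report["must_understand"] = security.get(f"{{{env_ns}}}mustUnderstand")
    token = security.find(f"{{{WSSE}}}UsernameToken")
    if token is not None:
        report["has_username_token"] = True
        username = token.find(f"{{{WSSE}}}Username")
        report["username"] = username.text if username is not None else None
        password = token.find(f"{{{WSSE}}}Password")
        if password is not None:
            # The profile defaults a missing Type attribute to PasswordText.
            report["password_type"] = password.get("Type", PASSWORD_TEXT).rsplit("#", 1)[-1]
    report["signed"] = security.find(f"{{{DS}}}Signature") is not None
    return report


def policy_findings(report, binding_soap_version="1.2", token_must_be_signed=True):
    """Compare the extracted facts with what the WSDL policy is assumed to require."""
    findings = []
    if report["envelope_version"] != binding_soap_version:
        findings.append(f"envelope is SOAP {report['envelope_version']}, "
                        f"binding expects SOAP {binding_soap_version}")
    if not report["has_username_token"]:
        findings.append("no wsse:UsernameToken in wsse:Security header")
    if token_must_be_signed and report["has_username_token"] and not report["signed"]:
        findings.append("UsernameToken is a SignedSupportingToken but the message carries no ds:Signature")
    return findings


if __name__ == "__main__":
    rep = inspect_request(SAMPLE_REQUEST)
    for key, value in rep.items():
        print(f"{key}: {value}")
    for finding in policy_findings(rep):
        print("finding:", finding)
```

Running it on the sample prints envelope_version 1.1, username admin, password_type PasswordText, signed False, and two findings: the SOAP version mismatch and the missing signature. The checker stays generic, so the same function can be pointed at a SOAP 1.2 request with a PasswordDigest token and a signature to confirm which of the findings disappear. Note that a PasswordText token sends the credential in clear inside the envelope, so such a request should only travel over TLS regardless of which policy alternative ends up matching.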