
    Securing STS with Username token (pure WSSE, no basic auth)

    jarod68

      Hi,

       

      I'm new to PicketLink and I need to set up an STS service. I did that with the sample provided with the release, but I can't secure my STS with a WSSE security token. It only works with HTTP Basic auth.

      I tried to change the config, but it's not working; it tells me "None of the policy alternatives can be satisfied". There is no help on the internet; I hope somebody can help me or point me to some resources.

      I use JBoss 7.1.1 and PicketLink 2.1.6.Final

       

      Here is the content of my config files:

       

       

      jboss-web.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      
      
      <jboss-web>
        <!-- Binds this deployment to the JAAS domain declared in standalone.xml as
             <security-domain name="picketlink-sts">; the two names must match exactly. -->
        <security-domain>picketlink-sts</security-domain>
       <context-root>picketlink-sts</context-root>
      </jboss-web>
      

       

      jboss-wsse-server.xml :

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-ws-security xmlns="http://www.jboss.com/ws-security/config" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/ws-security/config http://www.jboss.com/ws-security/schema/jboss-ws-security_1_0.xsd">
                <!-- NOTE(review): this is the JBossWS-Native WS-Security descriptor format. AS 7.1 ships the
                     JBossWS-CXF stack, which enforces WS-Security from the WS-SecurityPolicy assertions in the
                     endpoint WSDL (the sp:UsernameToken assertion in the STS WSDL below) rather than from this
                     file; confirm this descriptor is read at all, otherwise <requires><username/> is inert. -->
                <config>
                          <!-- Enable Authentication via Username Token. We do not care about the roles, but users should be authenticated! -->
                          <authorize>
                                    <unchecked/>
                          </authorize>
                          <!-- Force presence of wsse:usernameToken header in requests -->
                          <requires>
                                    <username/>
                          </requires>
                </config>
      </jboss-ws-security>
      

       

      web.xml :

      <?xml version="1.0"?>
      <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
                <servlet>
                          <servlet-name>PicketLinkSTS</servlet-name>
                          <servlet-class>org.picketlink.identity.federation.app.sts.PicketLinkSTService</servlet-class>
                </servlet>
                <!-- Every path under the context root is routed to the STS servlet. -->
                <servlet-mapping>
                          <servlet-name>PicketLinkSTS</servlet-name>
                          <url-pattern>/*</url-pattern>
                </servlet-mapping>
                <!-- With the <auth-constraint> commented out this constraint only names a URL pattern;
                     per the servlet spec a constraint without an auth-constraint permits every caller,
                     so the container performs no authentication for the STS. The only credential check
                     left is whatever the WS-Security layer enforces (the UsernameToken assertion in the
                     WSDL policy); keep that in mind when reading the security-domain settings. -->
                <security-constraint>
                          <web-resource-collection>
                                    <web-resource-name>PicketLinkSTSService</web-resource-name>
                                    <url-pattern>/*</url-pattern>
                          </web-resource-collection>
                          <!--                      <auth-constraint><role-name>JBossAdmin</role-name><role-name>STSClient</role-name></auth-constraint>-->
                </security-constraint>
                <!-- Container BASIC auth disabled on purpose (the goal is WSSE-only); kept for reference. -->
                <!--           <login-config><auth-method>BASIC</auth-method><realm-name>PicketLinkSTSRealm</realm-name></login-config>-->
                <!-- Roles are declared but, with the auth-constraint disabled, are not enforced by this descriptor. -->
                <security-role>
                          <role-name>JBossAdmin</role-name>
                </security-role>
                <security-role>
                          <role-name>STSClient</role-name>
                </security-role>
      </web-app>
      

       

      standalone.xml (security-domain only):

       <security-domain name="picketlink-sts" cache-type="default">
                          <authentication>
                              <!-- Properties-file login module; the two files are resolved from the
                                   deployment / server classpath (verify they are actually packaged). -->
                              <login-module code="UsersRoles" flag="required">
                                  <module-option name="usersProperties" value="users.properties"/>
                                  <module-option name="rolesProperties" value="roles.properties"/>
                                  <!-- NOTE(review): callers that present no credentials are not rejected but
                                       mapped to the principal "anonymous". Since web.xml has no
                                       <auth-constraint>, a request without a UsernameToken that reaches this
                                       domain is treated as authenticated rather than failed; drop this option
                                       if the STS is meant to fail closed. -->
                                  <module-option name="unauthenticatedIdentity" value="anonymous"/>
                              </login-module>
                          </authentication>
                      </security-domain>
      

       

       

      WSDL:

      <?xml version="1.0"?>
      <wsdl:definitions name="PicketLinkSTS" targetNamespace="urn:picketlink:identity-federation:sts" xmlns:sc="http://schemas.sun.com/2006/03/wss/server" xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702" xmlns:tns="urn:picketlink:identity-federation:sts" xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:wsp="http://www.w3.org/ns/ws-policy" xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <wsdl:types>
          <!-- Opaque body: the RST / RSTR payload is any element, so it is not schema-validated here. -->
          <xs:schema elementFormDefault="qualified" targetNamespace="urn:picketlink:identity-federation:sts" version="1.0" xmlns:tns="urn:picketlink:identity-federation:sts" xmlns:xs="http://www.w3.org/2001/XMLSchema">
            <xs:element name="MessageBody">
              <xs:complexType>
                <xs:sequence>
                  <xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any"/>
                </xs:sequence>
              </xs:complexType>
            </xs:element>
          </xs:schema>
        </wsdl:types>
        <wsdl:message name="RequestSecurityToken">
          <wsdl:part element="tns:MessageBody" name="rstMessage"/>
        </wsdl:message>
        <wsdl:message name="RequestSecurityTokenResponse">
          <wsdl:part element="tns:MessageBody" name="rstrMessage"/>
        </wsdl:message>
        <wsdl:portType name="SecureTokenService">
          <wsdl:operation name="IssueToken">
            <!-- WS-Trust 1.3 (200512) action URIs; the request example uses a different wst namespace. -->
            <wsdl:input message="tns:RequestSecurityToken" wsap10:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue"/>
            <wsdl:output message="tns:RequestSecurityTokenResponse" wsap10:Action="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue"/>
          </wsdl:operation>
        </wsdl:portType>
        <wsdl:binding name="STSBinding" type="tns:SecureTokenService">
          <!-- SOAP 1.2 binding: clients must send a SOAP 1.2 envelope
               (http://www.w3.org/2003/05/soap-envelope), not the SOAP 1.1 one. -->
          <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
          <!-- Binding-level security policy: the single alternative requires a UsernameToken as a
               *signed* supporting token under WSS 1.1.
               NOTE(review): SignedSupportingTokens means the token must be covered by a message
               signature, but no binding assertion (sp:TransportBinding / sp:SymmetricBinding /
               sp:AsymmetricBinding) is declared to provide one, and the request example carries an
               unsigned UsernameToken only. That is the likely reason the policy verifier reports
               "None of the policy alternatives can be satisfied". If the token is meant to be
               unsigned, sp:SupportingTokens is the assertion to use; if it must be protected, add an
               sp:TransportBinding with sp:HttpsToken and expose the endpoint over https. -->
          <wsp:Policy>
            <wsp:ExactlyOne>
              <wsp:All>
                <sp:SignedSupportingTokens>
                  <wsp:Policy>
                    <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                      <wsp:Policy/>
                    </sp:UsernameToken>
                  </wsp:Policy>
                </sp:SignedSupportingTokens>
                <!-- NOTE(review): sc: and wspp: are Metro / WSIT proprietary namespaces; a CXF-based
                     stack ignores this validator, so confirm which stack actually processes the policy
                     and where the username/password callback is configured for it. -->
                <sc:ValidatorConfiguration wspp:visibility="private">
                  <sc:Validator classname="service.PlainTextPasswordValidator" name="usernameValidator"/>
                </sc:ValidatorConfiguration>
                <sp:Wss11/>
              </wsp:All>
            </wsp:ExactlyOne>
          </wsp:Policy>
          <wsdl:operation name="IssueToken">
            <soap12:operation soapAction="http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue" style="document"/>
            <wsdl:input>
              <soap12:body use="literal"/>
            </wsdl:input>
            <wsdl:output>
              <soap12:body use="literal"/>
            </wsdl:output>
          </wsdl:operation>
        </wsdl:binding>
        <wsdl:service name="PicketLinkSTS">
          <wsdl:port binding="tns:STSBinding" name="PicketLinkSTSPort">
            <!-- Plain-http endpoint: a PasswordText UsernameToken travels in cleartext. Fine for a
                 local test; anything beyond that needs https (and the matching policy above). -->
            <soap12:address location="http://localhost:8080/picketlink-sts/PicketLinkSTS"/>
          </wsdl:port>
        </wsdl:service>
      </wsdl:definitions>
      

       

      Request example (sent with SoapUI):

      <?xml version="1.0" encoding="utf-8"?>
      <!-- NOTE(review): this envelope is SOAP 1.1 (schemas.xmlsoap.org/soap/envelope/) while the
           WSDL binding is soap12 and the fault below comes back in the SOAP 1.2 namespace; align the
           envelope version with the binding first. The wst: prefix points at the WS-Trust 1.4
           committee-draft schema URI whereas the WSDL actions use the 200512 namespace; verify the
           STS accepts the RST under the namespace sent here. -->
      <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:tns="urn:picketlink:identity-federation:sts" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/cd/ws-trust.xsd" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <soap:Header>
                          <!-- WS-Security header with a single, unsigned UsernameToken. The password is
                               PasswordText (cleartext); together with the plain-http endpoint in the WSDL
                               the credential is exposed on the wire. -->
                          <wsse:Security soap:mustUnderstand="1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
                                    <wsse:UsernameToken wsu:Id="token-1-1318770538053-1595417149">
                                              <wsse:Username>admin</wsse:Username>
                                              <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">admin</wsse:Password>
                                    </wsse:UsernameToken>
                          </wsse:Security>
                </soap:Header>
                <soap:Body>
                          <!-- Issue request for a SAML 2.0 assertion. -->
                          <wst:RequestSecurityToken Context="context">
                                    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
                                    <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
                          </wst:RequestSecurityToken>
                </soap:Body>
      </soap:Envelope>
      

       

      And I get this response:

      <!-- Fault returned in the SOAP 1.2 envelope namespace (matching the soap12 binding, not the
           SOAP 1.1 request). The reason text is what the WS-Policy verifier emits when the incoming
           security header satisfies none of the wsp:All alternatives of the binding policy; here the
           only alternative demands a signed UsernameToken and the request carried an unsigned one. -->
      <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
         <soap:Body>
            <soap:Fault>
               <soap:Code>
                  <!-- Receiver-side fault: the server rejected the message, not a client-side parse error. -->
                  <soap:Value>soap:Receiver</soap:Value>
               </soap:Code>
               <soap:Reason>
                  <soap:Text xml:lang="en">None of the policy alternatives can be satisfied.</soap:Text>
               </soap:Reason>
            </soap:Fault>
         </soap:Body>
      </soap:Envelope>
      

       

       

      Regards,