WSIT-1073: STS does not support TruststoreCBH

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 1.3
    • Fix Version/s: 2.0
    • Component/s: trust
    • Labels: None
    • Environment:
      Operating System: All
      Platform: All
    • Issuezilla Id: 1073

      Description

      As reported in:
      http://forums.java.net/jive/thread.jspa?threadID=55608&tstart=0

      It's very important that STS endpoint information, like WSDLPort, is available
      in TruststoreCBH to know which truststore to provide. Maybe a new interface
      CallbackExtension is necessary, like it was with ValidatorExtension.

      Prio1 is appropriate from my point of view, because we need the dynamic way.

      Thanks a lot !
      Andre, Berlin

      --------------------------------
      Hello ,

      I am working on fully dynamic WS-Trust. Everything is working well: MEX,
      Validators etc. At the last step, sharing the providers' certificates, it breaks in
      IssueSamlTokenContractImpl.

      My STS WSDL (STS TruststoreCBH is set):

      <?xml version="1.0" encoding="UTF-8"?>
      <wsdl:definitions xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
      xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
      xmlns:i0="http://xmlsoap.org/DAB"
      xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
      xmlns:tns="http://tempuri.org/" xmlns:q1="http://schemas.message.com/Message"
      xmlns:xsd="http://www.w3.org/2001/XMLSchema"
      xmlns:wsap10="http://www.w3.org/2006/05/addressing/wsdl"
      xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
      xmlns:wsa10="http://www.w3.org/2005/08/addressing"
      xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
      xmlns:soap12="http://schemas.xmlsoap.org/wsdl/soap12/" name="MySTS"
      targetNamespace="http://tempuri.org/">
      <wsp:Policy wsu:Id="ISecurityTokenService_policy">
      <wsp:ExactlyOne>
      <wsp:All>
      <sp:SymmetricBinding
      xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
      <sp:ProtectionToken>
      <wsp:Policy>
      <sp:X509Token
      sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
      <wsp:Policy>
      <sp:RequireDerivedKeys/>
      <sp:RequireThumbprintReference/>
      <sp:WssX509V3Token10/>
      </wsp:Policy>
      </sp:X509Token>
      </wsp:Policy>
      </sp:ProtectionToken>
      <sp:AlgorithmSuite>
      <wsp:Policy>
      <sp:Basic128/>
      </wsp:Policy>
      </sp:AlgorithmSuite>
      <sp:Layout>
      <wsp:Policy>
      <sp:Lax/>
      </wsp:Policy>
      </sp:Layout>
      <sp:IncludeTimestamp/>
      <sp:EncryptSignature/>
      <sp:OnlySignEntireHeadersAndBody/>
      </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:SignedSupportingTokens
      xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
      <sp:UsernameToken
      sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
      <sp:WssUsernameToken10/>
      </wsp:Policy>
      </sp:UsernameToken>
      </wsp:Policy>
      </sp:SignedSupportingTokens>
      <sp:Wss11 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
      <sp:MustSupportRefKeyIdentifier/>
      <sp:MustSupportRefIssuerSerial/>
      <sp:MustSupportRefThumbprint/>
      <sp:MustSupportRefEncryptedKey/>
      <!--sp:RequireSignatureConfirmation/-->
      </wsp:Policy>
      </sp:Wss11>
      <sp:Trust10 xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <wsp:Policy>
      <sp:MustSupportIssuedTokens/>
      <sp:RequireClientEntropy/>
      <sp:RequireServerEntropy/>
      </wsp:Policy>
      </sp:Trust10>
      <!--sunsp:DisableStreamingSecurity
      xmlns:sunsp="http://schemas.sun.com/2006/03/wss/client"></sunsp:DisableStreamingSecurity--><tc:STSConfiguration
      xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/server"
      encryptIssuedKey="true" encryptIssuedToken="false">
      <tc:LifeTime>36000</tc:LifeTime>
      <tc:Contract>com.sun.xml.ws.security.trust.impl.IssueSamlTokenContractImpl</tc:Contract>
      <tc:Issuer>InubitSTS</tc:Issuer>
      <tc:ServiceProviders>

      <tc:ServiceProvider endPoint="http://dualix:8000/ibis/ws/ServiceSecuredBySTS">
      <tc:CertAlias>bob</tc:CertAlias>
      <tc:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tc:TokenType>
      </tc:ServiceProvider>

      </tc:ServiceProviders>
      </tc:STSConfiguration><sc:ValidatorConfiguration
      xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
      xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
      wspp:visibility="private"><sc:Validator
      classname="com.inubit.ibis.plugins.webservice.wsx.security.UsernameValidator"
      name="usernameValidator"/><sc:Validator
      classname="com.inubit.ibis.plugins.webservice.wsx.security.CertificateValidator"
      name="certificateValidator"/><sc:Validator
      classname="com.inubit.ibis.plugins.webservice.wsx.security.SamlValidator"
      name="samlAssertionValidator"/></sc:ValidatorConfiguration><sc:KeyStore
      xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
      xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
      aliasselector="com.inubit.ibis.plugins.webservice.wsx.security.AliasSelector"
      callbackHandler="com.inubit.ibis.plugins.webservice.wsx.security.KeyStoreCallback"
      type="JKS" wspp:visibility="private"></sc:KeyStore><sc:TrustStore
      xmlns:sc="http://schemas.sun.com/2006/03/wss/server"
      xmlns:wspp="http://java.sun.com/xml/ns/wsit/policy"
      callbackHandler="com.inubit.ibis.plugins.webservice.wsx.security.TrustStoreCallback"
      certselector="com.inubit.ibis.plugins.webservice.wsx.security.CertSelector"
      type="JKS" wspp:visibility="private"></sc:TrustStore>

      <wsap10:UsingAddressing/>
      </wsp:All>
      </wsp:ExactlyOne>
      </wsp:Policy>
      <wsp:Policy wsu:Id="ISecurityTokenService_IssueToken_Input_policy">
      <wsp:ExactlyOne>
      <wsp:All>
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <sp:Body/>
      <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
      </sp:SignedParts>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <sp:Body/>
      </sp:EncryptedParts>
      </wsp:All>
      </wsp:ExactlyOne>
      </wsp:Policy>
      <wsp:Policy wsu:Id="ISecurityTokenService_IssueToken_Output_policy">
      <wsp:ExactlyOne>
      <wsp:All>
      <sp:SignedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <sp:Body/>
      <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="From" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="FaultTo" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="ReplyTo" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="MessageID" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="RelatesTo" Namespace="http://www.w3.org/2005/08/addressing"/>
      <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing"/>
      </sp:SignedParts>
      <sp:EncryptedParts xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
      <sp:Body/>
      </sp:EncryptedParts>
      </wsp:All>
      </wsp:ExactlyOne>
      </wsp:Policy>
      <wsdl:types>
      <xsd:schema targetNamespace="http://tempuri.org/Imports">
      <xs:complexType xmlns:xs="http://www.w3.org/2001/XMLSchema" name="MessageBody">
      <xs:sequence>
      <xs:any maxOccurs="unbounded" minOccurs="0" namespace="##any"/>
      </xs:sequence>
      </xs:complexType>
      </xsd:schema>
      </wsdl:types>
      <wsdl:message name="ISecurityTokenService_IssueToken_InputMessage">
      <wsdl:part name="rstMessage" type="q1:MessageBody">
      </wsdl:part>
      </wsdl:message>
      <wsdl:message name="ISecurityTokenService_IssueToken_OutputMessage">
      <wsdl:part name="IssueTokenResult" type="q1:MessageBody">
      </wsdl:part>
      </wsdl:message>
      <wsdl:portType name="ISecurityTokenService">
      <wsdl:operation name="IssueToken">
      <wsdl:input message="tns:ISecurityTokenService_IssueToken_InputMessage"
      wsap10:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue">
      </wsdl:input>
      <wsdl:output message="tns:ISecurityTokenService_IssueToken_OutputMessage"
      wsap10:Action="http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue">
      </wsdl:output>
      </wsdl:operation>
      </wsdl:portType>
      <wsdl:binding name="ISecurityTokenService_Binding" type="tns:ISecurityTokenService">
      <wsp:PolicyReference URI="#ISecurityTokenService_policy"/>
      <soap12:binding transport="http://schemas.xmlsoap.org/soap/http"/>
      <wsdl:operation name="IssueToken">
      <soap12:operation
      soapAction="http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue"
      style="document"/>
      <wsdl:input>
      <wsp:PolicyReference URI="#ISecurityTokenService_IssueToken_Input_policy"/>
      <soap12:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
      <wsp:PolicyReference URI="#ISecurityTokenService_IssueToken_Output_policy"/>
      <soap12:body use="literal"/>
      </wsdl:output>
      </wsdl:operation>
      </wsdl:binding>
      <wsdl:service name="MySTS">
      <wsdl:port name="ISecurityTokenService_Port"
      binding="tns:ISecurityTokenService_Binding">
      <soap12:address location="will be set automaticly at webservice deployment"/>
      </wsdl:port>
      </wsdl:service>
      </wsdl:definitions>

      The NPE on the STS side:
      SCHWERWIEGEND: com.sun.xml.ws.api.security.trust.WSTrustException: WST0033:Unable to get service certificate for the service http://dualix:8000/ibis/ws/ServiceSecuredBySTS.
      javax.xml.ws.WebServiceException: com.sun.xml.ws.api.security.trust.WSTrustException: WST0033:Unable to get service certificate for the service http://dualix:8000/ibis/ws/ServiceSecuredBySTS.
      at com.sun.xml.ws.security.trust.sts.BaseSTSImpl.invoke(BaseSTSImpl.java:197)
      at com.inubit.ibis.server.websvc.WSSTSProviderImpl.invoke(WSSTSProviderImpl.java:51)
      at com.inubit.ibis.server.websvc.WSSTSProviderImpl.invoke(WSSTSProviderImpl.java:38)
      at com.sun.xml.ws.api.server.InstanceResolver$1.invokeProvider(InstanceResolver.java:256)
      at com.sun.xml.ws.server.InvokerTube$2.invokeProvider(InvokerTube.java:156)
      at com.sun.xml.ws.server.provider.SyncProviderInvokerTube.processRequest(SyncProviderInvokerTube.java:78)
      at com.sun.xml.ws.api.pipe.Fiber.__doRun(Fiber.java:598)
      at com.sun.xml.ws.api.pipe.Fiber._doRun(Fiber.java:557)
      at com.sun.xml.ws.api.pipe.Fiber.doRun(Fiber.java:542)
      at com.sun.xml.ws.api.pipe.Fiber.runSync(Fiber.java:439)
      at com.sun.xml.ws.server.WSEndpointImpl$2.process(WSEndpointImpl.java:243)
      at com.sun.xml.ws.transport.http.HttpAdapter$HttpToolkit.handle(HttpAdapter.java:444)
      at com.sun.xml.ws.transport.http.HttpAdapter.handle(HttpAdapter.java:244)
      at com.sun.xml.ws.transport.http.servlet.ServletAdapter.handle(ServletAdapter.java:135)
      at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doGet(WSServletDelegate.java:129)
      at com.sun.xml.ws.transport.http.servlet.WSServletDelegate.doPost(WSServletDelegate.java:160)
      at com.inubit.ibis.servlets.JAXWSServlet.doPost(JAXWSServlet.java:48)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:269)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:188)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:210)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:174)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:151)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:870)
      at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
      at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:685)
      at java.lang.Thread.run(Thread.java:619)
      Caused by: com.sun.xml.ws.api.security.trust.WSTrustException: WST0033:Unable to get service certificate for the service http://dualix:8000/ibis/ws/ServiceSecuredBySTS.
      at com.sun.xml.ws.security.trust.impl.IssueSamlTokenContractImpl.getServiceCertificate(IssueSamlTokenContractImpl.java:306)
      at com.sun.xml.ws.security.trust.impl.IssueSamlTokenContractImpl.createSAMLAssertion(IssueSamlTokenContractImpl.java:137)
      at com.sun.xml.ws.security.trust.impl.IssueSamlTokenContract.issue(IssueSamlTokenContract.java:381)
      at com.sun.xml.ws.security.trust.impl.IssueSamlTokenContract.issue(IssueSamlTokenContract.java:97)
      at com.sun.xml.ws.security.trust.sts.BaseSTSImpl.issue(BaseSTSImpl.java:323)
      at com.sun.xml.ws.security.trust.sts.BaseSTSImpl.invoke(BaseSTSImpl.java:187)
      ... 32 more
      Caused by: com.sun.xml.wss.XWSSecurityException: java.lang.RuntimeException: java.lang.NullPointerException
      at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getCertificate(DefaultSecurityEnvironmentImpl.java:380)
      at com.sun.xml.ws.security.trust.impl.IssueSamlTokenContractImpl.getServiceCertificate(IssueSamlTokenContractImpl.java:302)
      ... 37 more
      Caused by: java.lang.RuntimeException: java.lang.NullPointerException
      at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.handle(DefaultCallbackHandler.java:603)
      at com.sun.xml.wss.impl.misc.DefaultSecurityEnvironmentImpl.getCertificate(DefaultSecurityEnvironmentImpl.java:375)
      ... 38 more
      Caused by: java.lang.NullPointerException
      at com.sun.xml.wss.impl.misc.DefaultCallbackHandler.handle(DefaultCallbackHandler.java:598)
      ... 39 more

      Happens on Metro 1.3, thanks for help, regards, Andre
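As an added example (not the reporter's code and not part of the WSIT project), this is the dynamic selection the report asks for: a truststore CallbackHandler that picks the truststore by the secured service endpoint and falls back to a default store when, as in WSIT 1.3, no runtime properties reach the STS-side CBH. It assumes XWSS's TrustStoreCallback with setTrustStore and getRuntimeProperties; the property key and the truststore paths are placeholders.

```java
// Added illustration, not code from the WSIT project or from the reporter.
// Assumptions: XWSS's com.sun.xml.wss.impl.callback.TrustStoreCallback offers
// setTrustStore(KeyStore) and getRuntimeProperties() (inherited from XWSSCallback);
// ENDPOINT_KEY is a hypothetical placeholder; truststore paths are constructed.
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.sun.xml.wss.impl.callback.TrustStoreCallback;

public class EndpointAwareTrustStoreCallback implements CallbackHandler {
    // Hypothetical key under which the STS would pass the secured service URI.
    static final String ENDPOINT_KEY = "hypothetical.securedServiceEndpoint";
    // Per-service truststores, keyed by the endPoint of each tc:ServiceProvider.
    static final Map<String, String> TRUSTSTORES = Map.of(
        "http://dualix:8000/ibis/ws/ServiceSecuredBySTS", "/path/to/servicesecuredbysts-trust.jks");
    static final String DEFAULT_TRUSTSTORE = "/path/to/sts-default-trust.jks";

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof TrustStoreCallback)) {
                throw new UnsupportedCallbackException(cb, "only TrustStoreCallback is handled");
            }
            TrustStoreCallback tsc = (TrustStoreCallback) cb;
            tsc.setTrustStore(load(selectPath(tsc.getRuntimeProperties())));
        }
    }

    // Choose the truststore from the secured service endpoint. A missing map or
    // key (what the STS-side CBH receives in WSIT 1.3) falls back to the default
    // store instead of failing, so the service certificate lookup still completes.
    static String selectPath(Map<?, ?> runtimeProps) {
        Object endpoint = runtimeProps == null ? null : runtimeProps.get(ENDPOINT_KEY);
        if (endpoint == null) {
            return DEFAULT_TRUSTSTORE;
        }
        return TRUSTSTORES.getOrDefault(endpoint.toString(), DEFAULT_TRUSTSTORE);
    }

    private static KeyStore load(String path) throws IOException {
        try (FileInputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(in, null); // null password: integrity check skipped in this example
            return ks;
        } catch (GeneralSecurityException e) {
            throw new IOException("cannot load truststore " + path, e);
        }
    }
}
```

Register it as the sc:TrustStore callbackHandler in the STS WSDL in place of the project's own TrustStoreCallback class; the fallback branch is what a default-store deployment would hit until the STS supplies endpoint information.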

        Activity

        andre0815 added a comment -

        Hello,

        And we need a property to decide if it's a consumer X509 authentication request
        or a service-public-key request.

        Summary STS CBH @ SecuredServicePublicKeyRequest:

        • has no runtimeProperties
        • the WSDLPortImpl(STS) should be available
        • the secured service URI should be available
        • a flag that it's a Service-PublicKey Request, not a consumer X509 auth request,
          is needed

        Regards Andre

        jdg6688 added a comment -

        Set the target milestone to 2.0.

        jdg6688 added a comment -

        Change QA contact.

        jdg6688 added a comment -

        Started.

        jdg6688 added a comment -

        Fixed.

          People

          • Assignee: jdg6688
          • Reporter: andre0815
          • Votes: 0
          • Watchers: 0