Multiple EndorsingSupportingTokens

flo_
Offline
Joined: 2009-06-11

Hi,

I have a problem with multiple EndorsingSupportingTokens. I have an STS protected by a SecureConversationToken. The SecureConversationToken uses a SymmetricBinding and is protected by an X.509 Token. Now I need two additional EndorsingSupportingTokens with an X.509 Token in the SecureConversationToken.

The Policy looks like this:

<wsp:Policy wsu:Id="STS_Policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <wspe:Utf816FFFECharacterEncoding xmlns:wspe="http://schemas.xmlsoap.org/ws/2004/09/policy/encoding" />
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:SecureConversationToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:RequireDerivedKeys />
                  <sp:BootstrapPolicy>
                    <wsp:Policy>
                      <sp:SymmetricBinding>
                        <wsp:Policy>
                          <sp:ProtectionToken>
                            <wsp:Policy>
                              <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                                <wsp:Policy>
                                  <sp:RequireDerivedKeys />
                                  <sp:RequireThumbprintReference />
                                  <sp:WssX509V3Token10 />
                                </wsp:Policy>
                              </sp:X509Token>
                            </wsp:Policy>
                          </sp:ProtectionToken>
                          <sp:Layout>
                            <wsp:Policy>
                              <sp:Strict />
                            </wsp:Policy>
                          </sp:Layout>
                          <sp:IncludeTimestamp />
                          <sp:OnlySignEntireHeadersAndBody />
                          <sp:AlgorithmSuite>
                            <wsp:Policy>
                              <sp:Basic128 />
                            </wsp:Policy>
                          </sp:AlgorithmSuite>
                        </wsp:Policy>
                      </sp:SymmetricBinding>
                      <sp:EndorsingSupportingTokens>
                        <wsp:Policy>
                          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                            <wsp:Policy>
                              <sp:RequireDerivedKeys />
                              <sp:RequireThumbprintReference />
                              <sp:WssX509V3Token10 />
                            </wsp:Policy>
                          </sp:X509Token>
                        </wsp:Policy>
                      </sp:EndorsingSupportingTokens>
                      <sp:EndorsingSupportingTokens>
                        <wsp:Policy>
                          <sp:X509Token sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/Never">
                            <wsp:Policy>
                              <sp:RequireDerivedKeys />
                              <sp:RequireThumbprintReference />
                              <sp:WssX509V3Token10 />
                            </wsp:Policy>
                          </sp:X509Token>
                        </wsp:Policy>
                      </sp:EndorsingSupportingTokens>
                      <sp:Wss11>
                        <wsp:Policy>
                          <sp:MustSupportRefKeyIdentifier />
                          <sp:MustSupportRefIssuerSerial />
                          <sp:MustSupportRefThumbprint />
                          <sp:MustSupportRefEncryptedKey />
                        </wsp:Policy>
                      </sp:Wss11>
                      <sp:EncryptedParts>
                        <sp:Body />
                      </sp:EncryptedParts>
                      <sp:SignedParts>
                        <sp:Body />
                        <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing" />
                        ...
                        <sp:Header Name="Action" Namespace="http://www.w3.org/2005/08/addressing" />
                      </sp:SignedParts>
                    </wsp:Policy>
                  </sp:BootstrapPolicy>
                </wsp:Policy>
              </sp:SecureConversationToken>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic128 />
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict />
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp />
          <sp:OnlySignEntireHeadersAndBody />
        </wsp:Policy>
      </sp:SymmetricBinding>

      <sp:Wss11>
        <wsp:Policy>
          <sp:MustSupportRefKeyIdentifier />
          <sp:MustSupportRefIssuerSerial />
          <sp:MustSupportRefThumbprint />
          <sp:MustSupportRefEncryptedKey />
          <sp:RequireSignatureConfirmation />
        </wsp:Policy>
      </sp:Wss11>
      <sp:Trust10>
        <wsp:Policy>
          <sp:MustSupportIssuedTokens />
        </wsp:Policy>
      </sp:Trust10>
      ... <!-- Keystore and STSConfiguration -->
      <wsap10:UsingAddressing />
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

I specified on the client side an XWSSCallbackHandler which defines a KeyStoreCallbackHandler to select the key for the EndorsingSupportingTokens. If the policy contains only one EndorsingSupportingToken, the XWSSCallbackHandler and the KeystoreCallbackHandler get called twice. First of all I do not understand this behaviour, but it seems to work. If I define multiple EndorsingSupportingTokens like in the policy above, the number of calls to the XWSSCallbackHandler and KeystoreCallbackHandler does not change.

Any ideas what I am doing wrong?

I use metro Build-Version: WSIT-Runtime 2.1-02/07/2010 06:26 PM(java_re)-SNAPSHOT Major-Version: 2.1
together with glassfish 3.0.1.

Regards,
Flo

flo_
Offline
Joined: 2009-06-11

Hi,
I solved my problem. First, due to two webservice-rt.jars in my classpath I got the two calls of XWSSCallbackHandler and KeystoreCallbackHandler. I couldn't get it to run with two EndorsingSupportingTokens, so I use an EndorsingSupportingToken and a SignedEndorsingSupportingToken. The XWSSCallbackHandler gets called twice, with two SignatureKeyCallbackHandlers and two EncryptionKeyCallbackHandlers. I fill both requests with different certificates and the corresponding private keys. Now my SecurityContextTokenRequest has 3 signatures (one from the ProtectionToken with the symmetric key, and the two from the SupportingTokens) and two BinarySecurityTokens.
Of course it is not the right solution, because 3 or more EndorsingSupportingTokens did not work, but for my scenario it's ok.
Regards,
Flo
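An added example, not code from this thread or from Metro, of an XWSS-style callback handler doing what the original post's handler and the reply's workaround describe: it answers the successive SignatureKeyCallback and EncryptionKeyCallback requests for the EndorsingSupportingToken and the SignedEndorsingSupportingToken with different certificates and private keys. It assumes the XWSS 3.0 callback classes SignatureKeyCallback.PrivKeyCertRequest and EncryptionKeyCallback.X509CertificateRequest, a keystore holding the placeholder aliases endorsing-1 and endorsing-2, and that the runtime issues one request per supporting token in policy order, as observed in the thread rather than guaranteed.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import com.sun.xml.wss.impl.callback.EncryptionKeyCallback;
import com.sun.xml.wss.impl.callback.SignatureKeyCallback;
// Answers each successive SignatureKeyCallback with a different key pair, so the
// EndorsingSupportingToken and the SignedEndorsingSupportingToken endorse with distinct
// certificates. Aliases are constructed placeholders; handle() is synchronized because the
// counters pick the next identity. One request per token, in policy order, is an assumption.
public class EndorsingKeysCallbackHandler implements CallbackHandler {
    private static final String[] ALIASES = {"endorsing-1", "endorsing-2"};
    private final KeyStore keyStore;
    private final char[] keyPassword;
    private int signatureRequests;   // SignatureKeyCallbacks answered so far
    private int encryptionRequests;  // EncryptionKeyCallbacks answered so far
    public EndorsingKeysCallbackHandler(KeyStore keyStore, char[] keyPassword) {
        this.keyStore = keyStore;
        this.keyPassword = keyPassword;
    }
    @Override
    public synchronized void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        try {
            for (Callback cb : callbacks) {
                Object req = cb instanceof SignatureKeyCallback ? ((SignatureKeyCallback) cb).getRequest()
                           : cb instanceof EncryptionKeyCallback ? ((EncryptionKeyCallback) cb).getRequest() : null;
                if (req instanceof SignatureKeyCallback.PrivKeyCertRequest) {
                    String alias = ALIASES[signatureRequests++ % ALIASES.length];
                    SignatureKeyCallback.PrivKeyCertRequest r = (SignatureKeyCallback.PrivKeyCertRequest) req;
                    r.setPrivateKey((PrivateKey) keyStore.getKey(alias, keyPassword));
                    r.setX509Certificate((X509Certificate) keyStore.getCertificate(alias));
                } else if (req instanceof EncryptionKeyCallback.X509CertificateRequest) {
                    // Encryption requests get the same identities, handed out in the same order.
                    String alias = ALIASES[encryptionRequests++ % ALIASES.length];
                    ((EncryptionKeyCallback.X509CertificateRequest) req)
                        .setX509Certificate((X509Certificate) keyStore.getCertificate(alias));
                } else {
                    throw new UnsupportedCallbackException(cb, "unsupported callback or request type");
                }
            }
        } catch (GeneralSecurityException e) {
            throw new IOException("keystore lookup failed for endorsing key", e);
        }
    }
}
```

With two aliases and the modulo counter, the handler hands out the same two identities in the same order on every subsequent SecurityContextToken request, which is what keeps the two endorsing signatures bound to two distinct BinarySecurityTokens.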