We are currently working on a project where we need to access SharePoint Foundation web service APIs within a SharePoint 2016 site that uses claims-based authentication. The Security Token Service being used to provide the claims is ADFS 2.0 hosted on a Win2k12 server. The user is required to present his email address in order to authenticate and acquire a security token for further operations.
Note: since this is a dev setup, we are using a self-signed certificate for the ADFS endpoint.
We are using Apache CXF 2.7.12 and JDK 8 as the client development stack for accessing this web service. When we request a token, an exception related to an HttpsToken assertion failure is logged at WARNING level and then nothing happens. The call does not complete and we have to kill the process.
Since this is the first time we are using CXF, we request some assistance and guidance on how to resolve this problem. We have referred to the following sites for an initial investigation, but none of them seem to be helping us with this particular problem:
Using Apache CXF to connect CRM Dynamics
Apache CXF Client Configuration options
Below is the WS-Policy for the SharePoint site as available at the URL:
<wsp:Policy wsu:Id="UserNameWSTrustBinding_IWSTrust13Async_policy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken/>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
          <sp:Layout>
            <wsp:Policy>
              <sp:Strict/>
            </wsp:Policy>
          </sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
      <sp:SignedEncryptedSupportingTokens>
        <wsp:Policy>
          <sp:UsernameToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
            <wsp:Policy>
              <sp:WssUsernameToken10/>
            </wsp:Policy>
          </sp:UsernameToken>
        </wsp:Policy>
      </sp:SignedEncryptedSupportingTokens>
      <sp:EndorsingSupportingTokens>
        <wsp:Policy>
          <sp:KeyValueToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Never" wsp:Optional="true"/>
          <sp:SignedParts>
            <sp:Header Name="To" Namespace="http://www.w3.org/2005/08/addressing"/>
          </sp:SignedParts>
        </wsp:Policy>
      </sp:EndorsingSupportingTokens>
      <sp:Wss11>
        <wsp:Policy/>
      </sp:Wss11>
      <sp:Trust13>
        <wsp:Policy>
          <sp:MustSupportIssuedTokens/>
          <sp:RequireClientEntropy/>
          <sp:RequireServerEntropy/>
        </wsp:Policy>
      </sp:Trust13>
      <wsaw:UsingAddressing/>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>
We now configure the STSClient as follows:
import java.util.HashMap;
import java.util.Map;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.Trust10;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
STSClient spSTSClient = new STSClient(bus);
spSTSClient.setTrust(new Trust10(SP12Constants.INSTANCE));
spSTSClient.setSoap12();
// would we also need to set the token type and key type?
// spSTSClient.setTokenType("urn:oasis:names:tc:SAML:2.0:assertion");
// spSTSClient.setKeyType("http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer");
spSTSClient.setWsdlLocation("https://myadfsserver.com/adfs/services/trust/mex");
spSTSClient.setServiceName("{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService");
spSTSClient.setEndpointName("{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}UserNameWSTrustBinding_IWSTrust13Async");
spSTSClient.setAddressingNamespace("http://www.w3.org/2005/08/addressing");
String sharePointUsername = "[email protected]";
String sharePointPassword = "foobar#";
Map<String, Object> props = new HashMap<String, Object>(); // credentials used to build the UsernameToken
props.put(SecurityConstants.USERNAME, sharePointUsername);
props.put(SecurityConstants.PASSWORD, sharePointPassword);
spSTSClient.setProperties(props);
SecurityToken secToken = spSTSClient.requestSecurityToken("http://mysharepointsite.com/_trust");
The requestSecurityToken call throws a warning, which is shown below:
WARNING: Interceptor for {http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}SecurityTokenService#{http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice}Trust13IssueAsync has thrown exception, unwinding now
org.apache.cxf.ws.policy.PolicyException: Assertion of type {http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702}HttpsToken could not be asserted: Not an HTTPs connection
at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.assertHttps(HttpsTokenInterceptorProvider.java:144)
at org.apache.cxf.ws.security.policy.interceptors.HttpsTokenInterceptorProvider$HttpsTokenOutInterceptor.handleMessage(HttpsTokenInterceptorProvider.java:87)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:570)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:479)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:382)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:335)
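A fuller version of the client configuration from the question, written here as an added example and not code from the question or from the CXF project: it hands the username and password to the STSClient through its properties (the snippet in the question reads them into strings but never passes them on), uses Trust13 to match the <sp:Trust13> assertion in the published policy, and makes the self-signed ADFS certificate trusted by loading it into a dedicated dev trust store rather than switching certificate validation off. The host names, the trust store path and password, the environment variable names and the class name are placeholders; that STSClient.setProperties, HTTPConduitConfigurer and TLSClientParameters behave as used here under CXF 2.7.12 is my assumption.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;

import javax.net.ssl.TrustManagerFactory;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.transport.http.HTTPConduit;
import org.apache.cxf.transport.http.HTTPConduitConfigurer;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.policy.SP12Constants;
import org.apache.cxf.ws.security.policy.model.Trust13;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;

// Hypothetical example class; the endpoint values below are placeholders.
public class AdfsStsClientExample {

    private static final String STS_NS =
        "http://schemas.microsoft.com/ws/2008/06/identity/securitytokenservice";
    private static final String MEX_URL = "https://myadfsserver.com/adfs/services/trust/mex";
    private static final String APPLIES_TO = "http://mysharepointsite.com/_trust";
    // Placeholder path: a JKS store holding only the ADFS dev certificate.
    private static final String TRUST_STORE = "/path/to/adfs-dev-truststore.jks";

    /** TLS parameters that trust exactly the certificates in the given JKS trust store. */
    static TLSClientParameters tlsParametersFor(String trustStorePath, char[] trustStorePassword)
            throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(tmf.getTrustManagers());
        // Keep host-name verification on: the dev certificate must name the ADFS host.
        tls.setDisableCNCheck(false);
        return tls;
    }

    public static void main(String[] args) throws Exception {
        Bus bus = BusFactory.getDefaultBus();
        final TLSClientParameters tls =
            tlsParametersFor(TRUST_STORE, System.getenv("TRUSTSTORE_PASSWORD").toCharArray());

        // Apply the trust store to every HTTP conduit the bus creates, including the one
        // that fetches the MEX document, so the self-signed certificate is accepted
        // without disabling certificate validation.
        bus.setExtension(new HTTPConduitConfigurer() {
            public void configure(String name, String address, HTTPConduit conduit) {
                conduit.setTlsClientParameters(tls);
            }
        }, HTTPConduitConfigurer.class);

        STSClient stsClient = new STSClient(bus);
        stsClient.setTrust(new Trust13(SP12Constants.INSTANCE)); // policy advertises <sp:Trust13>
        stsClient.setSoap12();
        stsClient.setWsdlLocation(MEX_URL);
        stsClient.setServiceName("{" + STS_NS + "}SecurityTokenService");
        stsClient.setEndpointName("{" + STS_NS + "}UserNameWSTrustBinding_IWSTrust13Async");
        stsClient.setAddressingNamespace("http://www.w3.org/2005/08/addressing");

        // The UsernameToken required by the policy is built from these properties;
        // the secret comes from the environment instead of the source file.
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(SecurityConstants.USERNAME, System.getenv("SP_USER"));
        props.put(SecurityConstants.PASSWORD, System.getenv("SP_PASSWORD"));
        stsClient.setProperties(props);

        SecurityToken token = stsClient.requestSecurityToken(APPLIES_TO);
        System.out.println("Issued token id: " + token.getId());
    }
}
```

The trust store should contain nothing but the ADFS dev certificate, so that the relaxation needed for a self-signed endpoint stays limited to that one host; a conduit configured this way still performs full chain and host-name checks against it.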