cxf-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: CXF SecureConversationTest - Fails to renew SCT, no examples or tests.
Date Tue, 08 Jul 2014 10:39:57 GMT
Hi,

> This test seems to work - but I'm unclear - by the comment:
> >> The service endpoint must contact the STS to validate the received SCT
> org.apache.cxf.systest.sts.secure_conv.SecureConversationTest

SecureConversation is supported in two ways in CXF. The first is where the
STS is created by a service endpoint + co-located with it. The STS in
question is a kind of mock STS that just supports simple issuing of tokens.
The second is that you can instead use the full power of the CXF STS to
issue tokens via SecureConversation. This is not as efficient as the first
method, as it is not co-located with the service endpoint. This means that
when the service gets the secured request, it needs to call out to the STS
to ask it if the received SecurityContextToken is actually valid or not (+
to retrieve the associated secret). The first method does not have this
problem as the STS is co-located with the service endpoint.

> Seems SCT are not being renewed correctly ?

Renew is not supported for SecurityContextTokens (in either the co-located
or full STS). However, I've just merged a fix that makes the client call
out to "Issue" if "Renew" fails. Does this meet your requirements? If not,
the CXF STS allows you to plug in custom implementations to handle
renewing tokens.

Colm.



On Mon, Jul 7, 2014 at 11:53 PM, Frank Misa <frankmisa@hotmail.com> wrote:

> Hi,
> I'm struggling to get a client to renew SCT in a (SAML1.1 + SCT) scenario.
> Very little documentation or test examples on this.
>
> Using the current CXF trunk codebase - I've modified some tests to
> delay/expire security token between calls.
>
> This test seems to work - but I'm unclear - by the comment:
> >> The service endpoint must contact the STS to validate the received SCT
> org.apache.cxf.systest.sts.secure_conv.SecureConversationTest
>
> This test, however, fails - in a very similar fashion - to my more
> complicated (SAML1.1 + SCT) case:
> org.apache.cxf.systest.wssec.examples.secconv.SecureConversationTest
>
> I've modified the test:
>     @org.junit.Test
>     public void testSecureConversation() throws Exception {
> ...
>         samlPort.doubleIt(25);
>
>         delay(5); //delay 5 minutes
>
>         samlPort.doubleIt(50);
> ...
> }
>
> Seems SCT are not being renewed correctly ?
>
> Question:
> * Shouldn't the above test - renew SCT if tokens expired between calls ?
> * Are there any tests or documentation on SCT renewal  in a (SAML1.1 + SCT)
> scenario ?
>
> Hope to hear from someone.
>
> Thanks
> Frank
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-SecureConversationTest-Fails-to-renew-SCT-no-examples-or-tests-tp5746139.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
