cxf-issues mailing list archives

From "David Valeri (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-2909) WS-T / WS-SP sp:RequestSecurityTokenTemplate not using > wst:SecondaryParameters
Date Mon, 26 Jul 2010 20:16:16 GMT

    [ https://issues.apache.org/jira/browse/CXF-2909?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12892445#action_12892445 ]

David Valeri commented on CXF-2909:
-----------------------------------

Interopfest wstrust13 module does not work due to relocation of Microsoft STS and change to
TLS certificate.  The STS WSDL moved to 131.107.153.205:8080.  The STS HTTPS port is 8443.
While this port is properly reflected in the WSDLs, the certificate on that port is self-issued
and not part of the OASIS interop certificate hierarchy in the downloaded certs zip.

The following changes were implemented to test this issue's fix:

1) Changed the download script to use port 8080
2) Manually added the self-issued cert to the certs/WssIP.pfx extracted from the downloaded
zip
3) Reconfigured the HTTP conduits in client.xml to use certs/WssIP.pfx instead of the bob.pfx
file

Even with these changes, a TLS related exception is still created for one of the interop scenarios.
The fix for this issue is observed to be working during execution of the functioning tests
in wstrust13 and the other interop samples.





> WS-T / WS-SP sp:RequestSecurityTokenTemplate not using  > wst:SecondaryParameters
> ---------------------------------------------------------------------------------
>
>                 Key: CXF-2909
>                 URL: https://issues.apache.org/jira/browse/CXF-2909
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3, 2.2.10
>            Reporter: David Valeri
>             Fix For: 2.3, 2.2.10
>
>
> Per the WS-SP 1.2 spec, section 5.4.2, "This required element contains elements which
MUST be copied into the wst:SecondaryParameters of the RST request sent to the specified issuer.
Note: the initiator is not required to understand the contents of this element."
> The STS client copies these values directly into the body of the wst:RequestSecurityToken
element in the request to the STS.
> So this policy:
> {code:xml}
> <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
>   <sp:RequestSecurityTokenTemplate>
>     <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
>     <wst:AppliesTo>
>       <wsp:URI>service-1</wsp:URI>
>     </wst:AppliesTo>
>     <wst:Participants>
>       <wst:Participant>
>         <wsp:URI>service-1</wsp:URI>
>       </wst:Participant>
>     </wst:Participants>
>     <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
>   </sp:RequestSecurityTokenTemplate>
> </sp:IssuedToken>
> {code}
> Becomes this request:
> {code:xml}
> <wst:RequestSecurityToken>
>   ...
>   <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
>   <wst:AppliesTo>
>     <wsp:URI>service-1</wsp:URI>
>   </wst:AppliesTo>
>   <wst:Participants>
>     <wst:Participant>
>       <wsp:URI>service-1</wsp:URI>
>     </wst:Participant>
>   </wst:Participants>
>   <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
>   ...
> </wst:RequestSecurityToken>
> {code}
> Instead of: 
> {code:xml}
> <wst:RequestSecurityToken>
>   ...
>   <wst:SecondaryParameters>
>     <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
>     <wst:AppliesTo>
>       <wsp:URI>service-1</wsp:URI>
>     </wst:AppliesTo>
>     <wst:Participants>
>       <wst:Participant>
>         <wsp:URI>service-1</wsp:URI>
>       </wst:Participant>
>     </wst:Participants>
>     <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
>   </wst:SecondaryParameters>
>   ...
> </wst:RequestSecurityToken>
> {code}
> WS-Trust 1.0 and WS-SP 1.0 do not support the wst:SecondaryParameters element so backwards
compatibility should be retained per the interopfest samples.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
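As an added example (not CXF's own code), the following Python sketch models the RST construction the issue describes: the sp:RequestSecurityTokenTemplate children are copied under wst:SecondaryParameters for WS-Trust 1.3 and directly into the RST body for WS-Trust 1.0, and a small check reports which layout a given request uses. The WS-Trust 1.0 and WS-Policy namespace URIs, the wst:RequestType child and the policy fragment are assumptions constructed for the example, not taken from the issue.

```python
import copy
import xml.etree.ElementTree as ET

# WS-Trust 1.3 (200512) and WS-SP 1.2 are the namespaces quoted in the issue; the
# WS-Trust 1.0 and WS-Policy URIs are assumed here (standard values for those specs).
WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WST10 = "http://schemas.xmlsoap.org/ws/2005/02/trust"
SP12 = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

def issued_token_policy(wst_ns: str) -> str:
    """Constructed sp:IssuedToken policy fragment modelled on the one in the issue."""
    return f"""<sp:IssuedToken xmlns:sp="{SP12}" xmlns:wst="{wst_ns}" xmlns:wsp="{WSP}"
    sp:IncludeToken="{SP12}/IncludeToken/Always">
  <sp:RequestSecurityTokenTemplate>
    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
    <wst:AppliesTo><wsp:URI>service-1</wsp:URI></wst:AppliesTo>
    <wst:KeyType>{wst_ns}/PublicKey</wst:KeyType>
  </sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>"""

def build_rst(policy_xml: str, wst_ns: str) -> ET.Element:
    """Build a wst:RequestSecurityToken from the policy template.

    WS-SP 1.2 section 5.4.2 requires the template children to be copied into
    wst:SecondaryParameters; WS-Trust 1.0 has no such element, so for that
    namespace they go directly into the RST body (the legacy, pre-fix layout).
    """
    template = ET.fromstring(policy_xml).find(f"{{{SP12}}}RequestSecurityTokenTemplate")
    if template is None:
        raise ValueError("policy has no sp:RequestSecurityTokenTemplate")
    rst = ET.Element(f"{{{wst_ns}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{wst_ns}}}RequestType").text = f"{wst_ns}/Issue"  # assumed
    target = rst if wst_ns == WST10 else ET.SubElement(rst, f"{{{wst_ns}}}SecondaryParameters")
    for child in template:
        # Copied verbatim: the initiator is not required to understand them.
        target.append(copy.deepcopy(child))
    return rst

def template_placement(rst: ET.Element) -> str:
    """Report where the template parameters landed: 'secondary' is the WS-SP 1.2
    compliant layout, 'body' the legacy layout the issue reports, 'none' if absent."""
    ns = rst.tag[: rst.tag.index("}") + 1]
    if rst.find(f"{ns}SecondaryParameters/{ns}TokenType") is not None:
        return "secondary"
    if rst.find(f"{ns}TokenType") is not None:
        return "body"
    return "none"
```

Running `template_placement` over captured RSTs is a quick way to tell a fixed client from a pre-fix one in interop traces.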

