cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jan Bernhardt (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (CXF-6387) External SAML References for SOAP Messages
Date Mon, 04 May 2015 14:16:06 GMT

     [ https://issues.apache.org/jira/browse/CXF-6387?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jan Bernhardt updated CXF-6387:
-------------------------------
    Description: 
The current implementation of CXF supports SAML token references only inside the same SOAP
message. This causes a great overhead, if the actual payload is relatively small.

The WSS 1.2 specification [1] allows to define a {{RequireExternalReference}} policy assertion.
AAccording to the SAMLTokenProfile [2] this external reference could look like this: 

{code}
<ds:KeyInfo xmlns:ds="...">
  <wsse:SecurityTokenReference
              xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..."
           wsu:id="STR1"
           wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
    <wsse:Reference
           wsu:id="…"
       URI="https://saml.example.edu/assertion-authority?ID=abcde">
         </wsse:Reference>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
{code}

This would require that the STS caches all issued tokens and makes them available via REST
API.

[1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/ws-securitypolicy-1.2-spec-cd-01.html#_IssuedToken_Assertion

[2] http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html#_Toc295507774

  was:
The current implementation of CXF supports SAML token references only inside the same SOAP
message. This causes a great overhead, if the actual payload is relatively small.

The WSS 1.2 specification [1] allows to define a {{RequireExternalReference}} policy assertion.
AAccording to the SAMLTokenProfile [2] this external reference could look like this: 

{code}
<ds:KeyInfo xmlns:ds="...">
  <wsse:SecurityTokenReference
              xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..."
           wsu:id=”STR1”
           wsse11:TokenType=”http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0”>
    <wsse:Reference
           wsu:id=”…”
       URI=”https://saml.example.edu/assertion-authority?ID=abcde”>
         </wsse:Reference>
  </wsse:SecurityTokenReference>
</ds:KeyInfo>
{code}

This would require that the STS caches all issued tokens and makes them available via REST
API.

[1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/ws-securitypolicy-1.2-spec-cd-01.html#_IssuedToken_Assertion

[2] http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html#_Toc295507774


> External SAML References for SOAP Messages
> ------------------------------------------
>
>                 Key: CXF-6387
>                 URL: https://issues.apache.org/jira/browse/CXF-6387
>             Project: CXF
>          Issue Type: Improvement
>          Components: STS
>    Affects Versions: 3.0.4
>            Reporter: Jan Bernhardt
>
> The current implementation of CXF supports SAML token references only inside the same
SOAP message. This causes a great overhead, if the actual payload is relatively small.
> The WSS 1.2 specification [1] allows to define a {{RequireExternalReference}} policy
assertion. AAccording to the SAMLTokenProfile [2] this external reference could look like
this: 
> {code}
> <ds:KeyInfo xmlns:ds="...">
>   <wsse:SecurityTokenReference
>               xmlns:wsse="..." xmlns:wsu="..." xmlns:wsse11="..."
>            wsu:id="STR1"
>            wsse11:TokenType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0">
>     <wsse:Reference
>            wsu:id="…"
>        URI="https://saml.example.edu/assertion-authority?ID=abcde">
>          </wsse:Reference>
>   </wsse:SecurityTokenReference>
> </ds:KeyInfo>
> {code}
> This would require that the STS caches all issued tokens and makes them available via
REST API.
> [1] http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200512/ws-securitypolicy-1.2-spec-cd-01.html#_IssuedToken_Assertion
> [2] http://docs.oasis-open.org/wss-m/wss/v1.1.1/os/wss-SAMLTokenProfile-v1.1.1-os.html#_Toc295507774



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message