cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Correlating SCT and SAML bootstrap tokens
Date Thu, 30 Jan 2014 15:40:13 GMT
There does not appear to be a way to do this at the moment. I've filed +
fixed the following JIRA:

https://issues.apache.org/jira/browse/CXF-5533

You should now be able to retrieve a SecurityToken Object corresponding to
the SecurityContextToken, and get the Id of the Bootstrap (SAML) Token via
the properties Object. You can then retrieve this other token from the
TokenStore. Unfortunately this has made it in too late for CXF 2.7.9, so it
will have to wait until CXF 2.7.10 or 3.0.0.

Colm.


On Thu, Jan 30, 2014 at 10:35 AM, bob45 <fuchs1231@gmx.de> wrote:

> I am implementing a policy driven WS-Trust scenario with CXF.
> The policy of the called business service states that a WS-SecureConversation
> SCT should be used to encrypt the payload and a SAML token issued by an STS
> should be used as bootstrap token. This is the policy:
>
>  <wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
>              xmlns:wsp="http://www.w3.org/ns/ws-policy"
>              xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>              xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
>              xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>              xmlns:wsaw="http://www.w3.org/2005/08/addressing"
>              xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
>              xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
>              wsu:Id="SecPolicy">
>    <wsp:ExactlyOne>
>      <wsp:All>
>        <sp:SymmetricBinding>
>          <wsp:Policy>
>            <sp:ProtectionToken>
>              <wsp:Policy>
>                <sp:SecureConversationToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                  <wsp:Policy>
>                    <sp:RequireDerivedKeys />
>                    <sp:BootstrapPolicy>
>                      <wsp:Policy>
>                        <sp:SymmetricBinding>
>                          <wsp:Policy>
>                            <sp:ProtectionToken>
>                              <wsp:Policy>
>                                <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                                  <sp:RequestSecurityTokenTemplate>
>                                    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
>                                    <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
>                                  </sp:RequestSecurityTokenTemplate>
>                                  <sp:Issuer>
>                                    <wsaw:Address>http://localhost:8080/sts</wsaw:Address>
>                                    <wsaw:Metadata>
>                                      <wsam:ServiceName EndpointName="STS_Port">wst:SecurityTokenService</wsam:ServiceName>
>                                    </wsaw:Metadata>
>                                  </sp:Issuer>
>                                  <wsp:Policy/>
>                                </sp:IssuedToken>
>                              </wsp:Policy>
>                            </sp:ProtectionToken>
>                            <sp:Layout>
>                              <wsp:Policy>
>                                <sp:Lax />
>                              </wsp:Policy>
>                            </sp:Layout>
>                            <sp:AlgorithmSuite>
>                              <wsp:Policy>
>                                <sp:Basic256 />
>                              </wsp:Policy>
>                            </sp:AlgorithmSuite>
>                          </wsp:Policy>
>                        </sp:SymmetricBinding>
>                        <sp:Wss11>
>                          <wsp:Policy>
>                            <sp:MustSupportRefIssuerSerial />
>                            <sp:MustSupportRefThumbprint />
>                            <sp:MustSupportRefEncryptedKey />
>                          </wsp:Policy>
>                        </sp:Wss11>
>                        <sp:Trust13>
>                          <wsp:Policy>
>                            <sp:MustSupportIssuedTokens />
>                            <sp:RequireClientEntropy />
>                            <sp:RequireServerEntropy />
>                          </wsp:Policy>
>                        </sp:Trust13>
>                      </wsp:Policy>
>                    </sp:BootstrapPolicy>
>                  </wsp:Policy>
>                </sp:SecureConversationToken>
>              </wsp:Policy>
>            </sp:ProtectionToken>
>            <sp:AlgorithmSuite>
>              <wsp:Policy>
>                <sp:Basic256/>
>              </wsp:Policy>
>            </sp:AlgorithmSuite>
>          </wsp:Policy>
>        </sp:SymmetricBinding>
>        <sp:EncryptedParts>
>          <sp:Body/>
>        </sp:EncryptedParts>
>      </wsp:All>
>    </wsp:ExactlyOne>
>  </wsp:Policy>
>
> Everything works fine. The SAML Token is only transmitted to the business
> service in the first call when the security context is established which
> makes sense.
> In the business service I access the (memory) token cache like this:
>
> WrappedMessageContext wrappedContext = (WrappedMessageContext) context.getMessageContext();
> Exchange exchange = wrappedContext.getWrappedMessage().getExchange();
> TokenStore tokenStore = (TokenStore) exchange.get(Endpoint.class)
>         .getEndpointInfo().getProperty(TokenStore.class.getName());
>
> As expected I see two tokens, an SCT and a SAML token.
>
> But I can't see that the SAML token belongs to the SCT. This causes problems
> when using multiple users and security contexts.
>
> My question is:
> How can I determine that a particular SAML (bootstrap) token in the token
> cache is bound to an SCT?
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Correlating-SCT-and-SAML-bootstrap-tokens-tp5739277.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
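The lookup Colm describes, written out as an added example for readers of this thread. This is not code from the original messages or from the CXF project itself. It assumes that, after the CXF-5533 fix, the SCT's SecurityToken carries the bootstrap token Id in its Properties under the key `SecurityToken.BOOTSTRAP_TOKEN_ID`; that constant name is an assumption about the fix, not something stated above, so verify it against the CXF release you deploy. The WSS4J classes used to find the Id of the SCT that secured the current request are the WSS4J 1.6 ones shipped with CXF 2.7 (package names changed in WSS4J 2.x).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.Message;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/**
 * Correlates a SecureConversation SCT with the SAML bootstrap token that
 * established it. Added example, not CXF project code.
 */
public final class BootstrapTokenLookup {

    // Assumed property key written by the CXF-5533 fix; check it against your CXF version.
    private static final String BOOTSTRAP_ID_KEY = SecurityToken.BOOTSTRAP_TOKEN_ID;

    private BootstrapTokenLookup() { }

    /** Fetches the per-endpoint TokenStore the same way the original post does. */
    public static TokenStore tokenStore(Message message) {
        Exchange exchange = message.getExchange();
        return (TokenStore) exchange.get(Endpoint.class)
                .getEndpointInfo().getProperty(TokenStore.class.getName());
    }

    /**
     * Returns the Id of the SCT that WSS4J processed for this inbound message,
     * or null if the request was not secured with an SCT. Reads the WSS4J
     * security results CXF stores on the message (WSS4J 1.6 API).
     */
    public static String currentSctId(Message message) {
        List<WSHandlerResult> results =
            CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
        if (results == null) {
            return null;
        }
        for (WSHandlerResult handlerResult : results) {
            for (WSSecurityEngineResult r : handlerResult.getResults()) {
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                if (action != null && action.intValue() == WSConstants.SCT) {
                    return (String) r.get(WSSecurityEngineResult.TAG_ID);
                }
            }
        }
        return null;
    }

    /**
     * Returns the bootstrap (SAML) SecurityToken bound to the SCT with the given Id,
     * or null if the SCT is unknown or records no bootstrap Id.
     */
    public static SecurityToken bootstrapTokenFor(TokenStore store, String sctId) {
        if (sctId == null) {
            return null;
        }
        SecurityToken sct = store.getToken(sctId);
        if (sct == null || sct.getProperties() == null) {
            return null;   // SCT expired, evicted, or established without the fix applied
        }
        Properties props = sct.getProperties();
        String bootstrapId = props.getProperty(BOOTSTRAP_ID_KEY);
        if (bootstrapId == null) {
            return null;
        }
        // The bootstrap token may have been evicted from the store (TTL) even
        // though the SCT is still valid, so callers must handle a null result.
        return store.getToken(bootstrapId);
    }

    /**
     * Reverse lookup: every SCT in the store that was bootstrapped by the SAML
     * token with the given Id. Useful when revoking a user's SAML token means
     * their derived security contexts must go too.
     */
    public static List<String> sctIdsBootstrappedBy(TokenStore store, String samlTokenId) {
        List<String> matches = new ArrayList<String>();
        for (String id : store.getTokenIdentifiers()) {
            SecurityToken t = store.getToken(id);
            if (t == null || t.getProperties() == null) {
                continue;
            }
            if (samlTokenId.equals(t.getProperties().getProperty(BOOTSTRAP_ID_KEY))) {
                matches.add(id);
            }
        }
        return matches;
    }
}
```

Typical use inside the business service is `bootstrapTokenFor(tokenStore(msg), currentSctId(msg))`, which yields the SAML assertion (via `SecurityToken.getToken()`) for the user behind the current security context. Because the SAML token is only sent on the first call, anything the service needs from it on later calls has to be read from the cached bootstrap token, and the null cases above are exactly the situations where the cache can no longer vouch for the caller.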
