cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Clarification of CXF client handling of expired cached tokens
Date Thu, 24 Apr 2014 18:01:43 GMT
Could you also post the complete RSTR from the STS?

Colm.


On Thu, Apr 24, 2014 at 6:58 PM, jeffc <jeff_carbello@bcbsil.com> wrote:

> With regard to lifetime, we are using Layer 7 STS and have not configured
> any lifetime settings. But there is an option to set the lifetime for the
> returned security token in the Layer 7 STS RSTR configuration. We currently
> have this option unchecked. While greyed out, it does show 60 minutes, so
> perhaps that is the default.
>
> In looking at the code, I see that
> IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor handleMessage
> first retrieves the token from the cache and, if found, calls renewToken.
> The renewToken method is where the expiry of the token is checked: if it is
> not expired it just returns the token, and if it is expired it will use
> STSClient to renew the token.
> I also see that if the user has explicitly disabled renewing, then it calls
> STSClient issue.
>
> Now it does not seem to be working as expected per this code, but I have no
> idea where it breaks down without debugging into the CXF code.
>
> I wish that IssuedTokenInterceptorProvider provided some debug log
> statements indicating things like found token in cache, expired datetime on
> cached token, token expired removing from cache, calling renew or issue
> token, etc.
>
> I also tried the below setting of allowRenewingAfterExpiry on STSClient and
> had expected it to force an issue if the token was expired, but it did not
> execute an issue even after the token expiration passed, so my assumption is
> that somehow IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor is
> not seeing that the token is expired.
>
> <property name="allowRenewingAfterExpiry" value="false"/>
>
> Here is how my STSClient is configured in my Spring config:
>
>     <jaxws:client id="accountMaintenanceService"
>             serviceClass="com.mycompany.example.AccountMaintenance"
>             address="${myProps:web-services.accountMaintenance}"
>             wsdlLocation="${myProps:web-services.accountMaintenance}?wsdl">
>         <jaxws:properties>
>             <entry key="ws-security.sts.client">
>                 <bean class="org.apache.cxf.ws.security.trust.STSClient">
>                     <constructor-arg ref="cxf" />
>                     <property name="wsdlLocation" value="${myProps:eaa_security.sts.sts_url}?wsdl"/>
>                     <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
>                     <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
>                     <property name="allowRenewingAfterExpiry" value="false"/>
>                     <property name="properties">
>                         <map>
>                             <entry key="ws-security.callback-handler" value="com.mycompany.myapp.common.config.ClientCallbackHandler" />
>                             <entry key="ws-security.username" value="eaa0001" />
>                             <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
>                             <entry key="ws-security.encryption.username" value="mystskey" />
>                         </map>
>                     </property>
>                 </bean>
>             </entry>
>         </jaxws:properties>
>     </jaxws:client>
>
> Here is an RSTR from the STS on the Issue:
>
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Header>
>     <wsse:Security soap:mustUnderstand="true"
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>       <wsse:UsernameToken
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="UsernameToken-44DAA8C0A1395AB48313983608351381">
>         <wsse:Username>eaa0001</wsse:Username>
>         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXXXXX</wsse:Password>
>       </wsse:UsernameToken>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <wst:SecondaryParameters>
>         <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
>         <t:KeyType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
>       </wst:SecondaryParameters>
>       <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
>       <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
>         <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
>           <wsa:Address>http://localhost:9084/myapp/services/AccountMaintenance</wsa:Address>
>         </wsa:EndpointReference>
>       </wsp:AppliesTo>
>       <wst:Renewing/>
>     </wst:RequestSecurityToken>
>   </soap:Body>
> </soap:Envelope>
>
> Here is an example of a SAML token from the STS (long strings edited for
> brevity, and some URIs, etc. for privacy):
>
> NOTE: also, my token expires after 7 minutes, not 5 as I stated in my first post.
>
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Body>
>     <wst:RequestSecurityTokenResponse
>         xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wst:RequestedSecurityToken>
>         <saml2:Assertion ID="SamlAssertion-e84f6febda7b2ab5ecdb8f47920c28b4"
>             IssueInstant="2014-04-24T15:42:21.083Z" Version="2.0"
>             xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>           <saml2:Issuer>http://sts.dev.mycompany.com:8080/sts_ut</saml2:Issuer>
>           <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo>
>               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>               <ds:Reference URI="#SamlAssertion-e84f6febda7b2ab5ecdb8f47920c28b4">
>                 <ds:Transforms>
>                   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                 <ds:DigestValue>ZdMOnDp6X...</ds:DigestValue>
>               </ds:Reference>
>             </ds:SignedInfo>
>             <ds:SignatureValue>1ZzjI3sozb...</ds:SignatureValue>
>             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>               <X509Data>
>                 <X509SubjectName>EMAILADDRESS=ecsldaps@mycompany.com,CN=mystsserver.com,OU=ITG,O=Some Company,L=Chicago,ST=Illinois,C=US</X509SubjectName>
>                 <X509Certificate>MIIHmDCCBoCgAwIBAgIQFfS...</X509Certificate>
>               </X509Data>
>             </KeyInfo>
>           </ds:Signature>
>           <saml2:Subject>
>             <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">EAA0001</saml2:NameID>
>             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
>           </saml2:Subject>
>           <saml2:Conditions NotBefore="2014-04-24T15:40:21.084Z" NotOnOrAfter="2014-04-24T15:47:21.084Z"/>
>           <saml2:AttributeStatement>
>             <saml2:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>               <saml2:AttributeValue>cn=RFT,ou=SomeCompany,ou=Authorities,ou=SomeCompany,ou=SERVICES,o=INTLDAP</saml2:AttributeValue>
>             </saml2:Attribute>
>           </saml2:AttributeStatement>
>           <saml2:AuthnStatement AuthnInstant="2014-04-24T15:42:21.083Z">
>             <saml2:SubjectLocality Address="10.99.99.99"/>
>             <saml2:AuthnContext>
>               <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>             </saml2:AuthnContext>
>           </saml2:AuthnStatement>
>         </saml2:Assertion>
>       </wst:RequestedSecurityToken>
>     </wst:RequestSecurityTokenResponse>
>   </soap:Body>
> </soap:Envelope>
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Clarification-of-CXF-client-handling-of-expired-cached-tokens-tp5743216p5743258.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
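A small Python model of the cache, expiry check, and renew-or-issue flow that the quoted post walks through, added here as an illustration; it is neither poster's code nor CXF's. It reads the validity window from the SAML Conditions of a constructed RSTR fragment modelled on the one posted (same 7-minute window) and emits the debug lines the post wishes the interceptor logged. The names `validity_window` and `decide`, the cache dict, and the choice to issue rather than renew when an expired token is not renewable are assumptions of the model, not a reading of the CXF source.

```python
import logging
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

log = logging.getLogger("issued-token-demo")
NS = {"wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed RSTR fragment modelled on the one in the thread (7-minute Conditions window).
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
  <wst:RequestedSecurityToken>
    <saml2:Assertion ID="SamlAssertion-constructed" IssueInstant="2014-04-24T15:42:21.083Z" Version="2.0"
                     xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Conditions NotBefore="2014-04-24T15:40:21.084Z" NotOnOrAfter="2014-04-24T15:47:21.084Z"/>
    </saml2:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""

def parse_utc(ts):
    """Parse the xsd:dateTime form the STS emits (millisecond precision, Z suffix)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validity_window(rstr_xml):
    """Return (NotBefore, NotOnOrAfter) from the SAML Conditions carried in the RSTR."""
    root = ET.fromstring(rstr_xml)
    cond = root.find("wst:RequestedSecurityToken/saml2:Assertion/saml2:Conditions", NS)
    if cond is None:
        raise ValueError("RSTR carries no saml2:Conditions; cannot determine expiry")
    return parse_utc(cond.get("NotBefore")), parse_utc(cond.get("NotOnOrAfter"))

def decide(cache, now_iso, renewing_disabled=False, allow_renewing_after_expiry=False):
    """Cache lookup, then expiry check, then renew or issue; returns "cached", "renew" or "issue".
    The expired-token branch is a model of the behaviour the post expected, not CXF's code."""
    now = parse_utc(now_iso)
    token = cache.get("token")
    if token is None:
        log.debug("no token in cache, calling issue")
        return "issue"
    not_before, not_on_or_after = token
    log.debug("found token in cache, expires at %s", not_on_or_after.isoformat())
    if now < not_on_or_after:  # NotOnOrAfter is an exclusive bound
        return "cached"
    log.debug("token expired at %s, removing from cache", not_on_or_after.isoformat())
    del cache["token"]
    if renewing_disabled or not allow_renewing_after_expiry:
        log.debug("renewing disabled or not allowed after expiry, calling issue")
        return "issue"
    log.debug("calling renew on expired token")
    return "renew"
```

Run with `logging.basicConfig(level=logging.DEBUG)` to see the trace the post asks for; the boundary case `now == NotOnOrAfter` counts as expired.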
