Posted to users@cxf.apache.org by RobCodes <te...@gmail.com> on 2020/01/17 16:35:52 UTC

Set expected audience for checkAudienceRestrictions

We are currently implementing a client to consume an external SOAP service
which provides a SAML assertion in the response. The external service
controls both the SP and IDP thus our client receives a single response with
the data from the original request and a SAML assertion for use in
subsequent requests. 

Currently the checkAudienceRestrictions is failing on the response. We are aware
of the post recommending an override of the SamlAssertionValidator class's
checkConditions method
(http://cxf.547215.n5.nabble.com/CXF-Support-in-quot-Audience-Restriction-quot-of-SAML-2-td5742313.html)
but are not certain this is the best approach for this problem. 

We have two goals.

1. Extract the audience being used by CXF to validate the audiences in the
response.
2. Overwrite the default or add to the CXF audience list the audience we
expect from the SP.

From Colm's blog post (New SAML validation changes in Apache WSS4J and CXF)
we understand the ability to supply audience restrictions was implemented in
previous versions. Is this the better way to go about this and if so, how is
a list of audience restrictions supplied?

We are using AdoptOpenJDK 11 (LTS) and Apache CXF 3.3.4.

Thanks,
Rob



-----
Regards,
RobCodes
--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html

Re: Set expected audience for checkAudienceRestrictions

Posted by RobCodes <te...@gmail.com>.
Thanks, Colm. I was able to get past this hurdle and am on to the next one. 

For others experiencing the same hurdle, the link Colm provided above does
not include sample code. If you go to the WS-SecurityPolicy page
(http://cxf.apache.org/docs/ws-securitypolicy.html) you will see sample code
that shows one method of configuring properties that guided me to a
solution. 

If you are new to CXF as I am, you may be struggling with the various means
by which to set configurations. Here are two ways to configure an expected
audience for the client.

1. Set the configuration in the xml file. In our case we have a servlet.xml.

   <jaxws:client name="{http://cxf.apache.org}ThePortClassName"
      createdFromAPI="true">
      <jaxws:properties>
         <entry key="security.audience-restrictions"
             value="theExpectedAudience"/>
             ...
      </jaxws:properties>
   </jaxws:client>

2. Set the configuration in Java. In our case, the client class. And as a
bonus, I've included how to set the URL to the target service if for some
reason it is different than what the WSDL defines.

    import java.net.URL;
    import javax.xml.namespace.QName;
    import javax.xml.ws.BindingProvider;
    import javax.xml.ws.Service;
    import org.apache.cxf.endpoint.Client;
    import org.apache.cxf.frontend.ClientProxy;

    // WSDL location and the service QName exactly as declared in the WSDL.
    URL wsdlUrl = new URL("path_to_the_wsdl");
    QName serviceName = new QName("http://service_url_from_the_wsdl",
        "service_name_from_wsdl");
    String newEndpointURL = "https://subdomain.domain.com/service_endpoint";

    // ThePortClassName is the generated service endpoint interface for the port.
    Service service = Service.create(wsdlUrl, serviceName);
    ThePortClassName port = service.getPort(ThePortClassName.class);

    BindingProvider bp = (BindingProvider) port;

    // Override the endpoint address from the WSDL if the target differs.
    bp.getRequestContext().put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY,
        newEndpointURL);
    // Audience URI(s) the client accepts in the SP's SAML assertion
    // (comma separated if more than one).
    bp.getRequestContext().put("security.audience-restrictions",
        "theExpectedAudience");

    Client client = ClientProxy.getClient(port);

Hopefully this helps save someone a few days of searching.






-----
Regards,
RobCodes
--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html

Re: Set expected audience for checkAudienceRestrictions

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

You can override the default SAML Audience restriction validation via the
"security.audience-restrictions" configuration property:

http://cxf.apache.org/docs/security-configuration.html
-----
security.audience-restrictions CXF 3.1.13

A comma separated String corresponding to a list of audience restriction
URIs. The default value for this property contains the request URL and the
Service QName. If the AUDIENCE_RESTRICTION_VALIDATION property is "true",
and if a received SAML Token contains audience restriction URIs, then one
of them must match one of the values specified in this property.
-----

Colm.

On Fri, Jan 17, 2020 at 4:34 PM RobCodes <te...@gmail.com> wrote:

> We are currently implementing a client to consume an external SOAP service
> which provides a SAML assertion in the response. The external service
> controls both the SP and IDP thus our client receives a single response
> with
> the data from the original request and a SAML assertion for use in
> subsequent requests.
>
> Currently the checkAudienceRestrictions is failing on the response. We are
> aware
> of the post recommending an override of the SamlAssertionValidator class's
> checkConditions method
> (
> http://cxf.547215.n5.nabble.com/CXF-Support-in-quot-Audience-Restriction-quot-of-SAML-2-td5742313.html
> )
> but are not certain this is the best approach for this problem.
>
> We have two goals.
>
> 1. Extract the audience being used by CXF to validate the audiences in the
> response.
> 2. Overwrite the default or add to the CXF audience list the audience we
> expect from the SP.
>
> From Colm's blog post (New SAML validation changes in Apache WSS4J and CXF)
> we understand the ability to supply audience restrictions was implemented
> in
> previous versions. Is this the better way to go about this and if so, how
> is
> a list of audience restrictions supplied?
>
> We are using AdoptOpenJDK 11 (LTS) and Apache CXF 3.3.4.
>
> Thanks,
> Rob
>
>
>
> -----
> Regards,
> RobCodes
> --
> Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
>
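As an added illustration, not code from this thread, from CXF or from WSS4J, the standalone Java program below applies the rule quoted from the CXF documentation above to a constructed SAML 2.0 assertion. It extracts the saml2:Audience URIs from the Conditions block, builds the documented default expected list (the request URL plus the service QName; using the "{namespace}local" form from QName.toString() for the comparison is an assumption, not something the thread confirms) and then the list parsed from a comma separated security.audience-restrictions value. The endpoint URL, QName and audience URIs are placeholders. Against the defaults the token is rejected, which is the failure described in the original question; once the SP's audience is configured it is accepted. The real check lives in WSS4J's SamlAssertionValidator and may differ in detail from this reading of the documentation.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.namespace.QName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

public class AudienceCheckDemo {

    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Constructed sample assertion. Issuer, Subject and Signature are omitted;
    // only the AudienceRestriction matters for this check.
    static final String SAMPLE_ASSERTION =
        "<saml2:Assertion xmlns:saml2=\"" + SAML2_NS + "\" Version=\"2.0\" ID=\"_example\">"
      + "  <saml2:Conditions>"
      + "    <saml2:AudienceRestriction>"
      + "      <saml2:Audience>https://sp.example.com/service</saml2:Audience>"
      + "    </saml2:AudienceRestriction>"
      + "  </saml2:Conditions>"
      + "</saml2:Assertion>";

    /** Returns every saml2:Audience URI found in the assertion. */
    static List<String> extractAudiences(String assertionXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // Harden the parser (no DOCTYPE, no entity expansion) before parsing
        // XML that arrived from a remote party.
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setExpandEntityReferences(false);
        Document doc = dbf.newDocumentBuilder()
            .parse(new ByteArrayInputStream(assertionXml.getBytes(StandardCharsets.UTF_8)));
        List<String> audiences = new ArrayList<>();
        NodeList nodes = doc.getElementsByTagNameNS(SAML2_NS, "Audience");
        for (int i = 0; i < nodes.getLength(); i++) {
            audiences.add(nodes.item(i).getTextContent().trim());
        }
        return audiences;
    }

    /** Splits a security.audience-restrictions value: a comma separated list of URIs. */
    static List<String> parseConfiguredAudiences(String propertyValue) {
        List<String> out = new ArrayList<>();
        for (String s : propertyValue.split(",")) {
            if (!s.trim().isEmpty()) {
                out.add(s.trim());
            }
        }
        return out;
    }

    /**
     * The rule as the CXF documentation states it: if the token carries audience
     * restriction URIs, one of them must match one of the expected values. A token
     * without any AudienceRestriction is not rejected by this particular check.
     */
    static boolean audienceAccepted(List<String> tokenAudiences, List<String> expected) {
        if (tokenAudiences.isEmpty()) {
            return true;
        }
        for (String audience : tokenAudiences) {
            if (expected.contains(audience)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<String> tokenAudiences = extractAudiences(SAMPLE_ASSERTION);

        // Default expected list per the documentation: request URL + service QName.
        // Assumption: the QName is compared in its "{namespace}local" string form.
        String requestUrl = "https://subdomain.domain.com/service_endpoint";
        QName serviceName = new QName("http://service_url_from_the_wsdl", "service_name_from_wsdl");
        List<String> defaults = Arrays.asList(requestUrl, serviceName.toString());
        System.out.println("token audiences: " + tokenAudiences);
        System.out.println("accepted with default list: " + audienceAccepted(tokenAudiences, defaults));

        // Same token, with security.audience-restrictions set to include the SP's audience.
        List<String> configured = parseConfiguredAudiences(
            "https://sp.example.com/service, https://subdomain.domain.com/service_endpoint");
        System.out.println("accepted with configured list: " + audienceAccepted(tokenAudiences, configured));
    }
}
```

Compile and run it with `javac AudienceCheckDemo.java && java AudienceCheckDemo`; it needs only the JDK. The practical point for a client such as the one in the question is the first comparison: the SP fills the Audience with its own identifier, while the client's default list only contains the address it called and the service QName, so the two sets cannot intersect until the SP's audience URI is added through the property.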