Posted to users@cxf.apache.org by ychawla <pr...@yahoo.com> on 2012/11/27 23:52:47 UTC

Customizing Conditions in CXF STS

Hello All,
I am looking to customize the 'Conditions' of a SAML assertion according to
the requirements I received.  

For a background on my CXF STS bean configuration, you can refer to this
post:

http://cxf.547215.n5.nabble.com/Signing-SAML-token-in-STS-Namespace-issue-tc5718851.html

In my token provider, I manually create the conditions statement using DOM
prior to signing my Assertion. For example:

<saml:Conditions NotBefore="2012-11-23T15:00:00.938Z"
                 NotOnOrAfter="2012-11-23T15:05:00.938Z">
    <saml:AudienceRestriction>
        <saml:Audience>https://someCustomAudience</saml:Audience>
    </saml:AudienceRestriction>
    <saml:Condition xmlns:delegate="urn:oasis:names:tc:SAML:2.0:conditions:delegation">
        <delegate:Delegate DelegationInstant="2012-11-23T15:00:19.938Z">
            <NameID>Some delegate Name ID of my choosing</NameID>
        </delegate:Delegate>
    </saml:Condition>
</saml:Conditions>

However, these conditions are replaced by the DefaultConditionsProvider
after the assertion is signed.  For example:

 <Conditions NotBefore="2012-11-21T17:11:06.315Z"
NotOnOrAfter="2012-11-21T17:16:06.315Z"/>

I could implement my own ConditionsProvider:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java?view=markup

However, the ConditionsBean only allows you to set AudienceURI, notBefore,
and notAfter.  The ConditionsBean looks like it gets converted to a SAML2
Conditions Object by the SAML2ComponentBuilder in the createConditions
method.  I don't see any hooks in there to create a custom element such as
the delegate element.

Is there any way, using the CXF STS framework, that I can customize the
'Conditions' element in the Assertion?  I can set the Audience Restriction,
Not Before and Not After in a custom Conditions Provider but don't see how to
create a 'delegate' element.

Thanks,
Yogesh

 



--
View this message in context: http://cxf.547215.n5.nabble.com/Customizing-Conditions-in-CXF-STS-tp5719270.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Customizing Conditions in CXF STS

Posted by ychawla <pr...@yahoo.com>.
Hello All,
I filed a JIRA and reference this email thread:

https://issues.apache.org/jira/browse/WSS-416

Thanks,
Yogesh




Re: Customizing Conditions in CXF STS

Posted by ychawla <pr...@yahoo.com>.
Hi Guys,
Thanks very much for the guidance.  I have followed your advice and was able
to come up with a solution.  I also want to post some ideas about possible
patches.

I already had a custom SAML Token provider and added custom conditions like
this:

// AssertionWrapper here is org.apache.ws.security.saml.ext.AssertionWrapper (WSS4J 1.6)
AssertionWrapper assertion = new AssertionWrapper(receivedTokenElement);

// This is my custom method; it returns an OpenSAML org.opensaml.saml2.core.Conditions
Conditions conditions = createConditions(receivedTokenElement);

// Replace the Conditions on the OpenSAML object before the assertion is signed
assertion.getSaml2().setConditions(conditions);


The 'createConditions' method is based off the WSS4J SAML2ComponentBuilder. 
To add a delegate to it, I wrote a method:

    // Fields the method relies on, declared the same way as in WSS4J's SAML2ComponentBuilder.
    // OpenSAML 2.x types (package names as bundled with WSS4J 1.6): org.opensaml.xml.Configuration,
    // org.opensaml.xml.XMLObjectBuilderFactory, org.opensaml.common.SAMLObjectBuilder,
    // org.opensaml.samlext.saml2delrestrict.DelegationRestrictionType / Delegate,
    // org.opensaml.saml2.core.NameID, org.joda.time.DateTime
    private static XMLObjectBuilderFactory builderFactory = Configuration.getBuilderFactory();
    private static SAMLObjectBuilder<DelegationRestrictionType> delegationRestrictionBuilder;
    private static SAMLObjectBuilder<Delegate> delegateBuilder;

    @SuppressWarnings("unchecked")
    private static DelegationRestrictionType createDelegateRestriction(String nameID) {
        if (delegationRestrictionBuilder == null) {
            // registered under the xsi:type name, not an element name
            delegationRestrictionBuilder = (SAMLObjectBuilder<DelegationRestrictionType>)
                builderFactory.getBuilder(DelegationRestrictionType.TYPE_NAME);
        }
        if (delegateBuilder == null) {
            delegateBuilder = (SAMLObjectBuilder<Delegate>)
                builderFactory.getBuilder(Delegate.DEFAULT_ELEMENT_NAME);
        }

        // marshals as <saml:Condition xsi:type="del:DelegationRestrictionType">
        DelegationRestrictionType delegateRestriction = delegationRestrictionBuilder.buildObject();

        Delegate delegate = delegateBuilder.buildObject();

        DateTime delegateInstant = new DateTime();
        log.debug("Delegation instant: "
            + delegateInstant.toString("yyyy-MM-dd'T'HH:mm:ss.SSSZ"));
        delegate.setDelegationInstant(delegateInstant);

        // 'createNameID' is a function based off the SAML2ComponentBuilder,
        // but a little stripped down (not shown here)
        NameID testNameID = createNameID(nameID);
        delegate.setNameID(testNameID);

        delegateRestriction.getDelegates().add(delegate);

        return delegateRestriction;
    }

This delegate can then be added to the conditions:

        DelegationRestrictionType delegateRestrictions =
createDelegateRestriction("test");
        conditions.getConditions().add(delegateRestrictions);

To add support for the 'delegate' conditions, the conditionsBean could be
modified to have a String for the delegate NameID or have a complete
subjectBean so the 'createNameID' function in the builder could be used.

From there, I think the only change would be to the 'createConditions'
method in SAML2ComponentBuilder to add the delegate condition.

I believe a similar approach could be used to add support for OneTimeUse and
ProxyRestriction.

I will go ahead and create a JIRA.

Thanks!

Yogesh




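As an added, stand-alone example (not code from this thread, from CXF or from WSS4J), the following class ties together the builder code above and the approach Andrei describes in his reply: the issuer half builds the complete Conditions element (validity window, AudienceRestriction and a DelegationRestriction) with the OpenSAML 2.x builders, and the relying-party half enforces it. Class and package names are assumed to be those of OpenSAML 2.x as bundled with WSS4J 1.6 (org.opensaml.samlext.saml2delrestrict.* for the delegation extension); `trustedDelegates`, `clockSkewSeconds`, the audience URI and the delegate name are illustrative values. Note that the spec form of the condition (sstc-saml-delegation) is `<saml:Condition xsi:type="del:DelegationRestrictionType">` with `saml:NameID` children, which is what building by `TYPE_NAME` produces; a hand-built `<saml:Condition>` without the `xsi:type` is an unknown condition to any consumer.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.xml.namespace.QName;

import org.joda.time.DateTime;
import org.opensaml.DefaultBootstrap;
import org.opensaml.common.SAMLObjectBuilder;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Condition;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.NameID;
import org.opensaml.saml2.core.OneTimeUse;
import org.opensaml.samlext.saml2delrestrict.Delegate;
import org.opensaml.samlext.saml2delrestrict.DelegationRestrictionType;
import org.opensaml.xml.Configuration;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.opensaml.xml.util.XMLHelper;

/** Added example (not from the thread): build and enforce SAML 2.0 Conditions carrying a DelegationRestriction. */
public class DelegationConditionsExample {

    private static final XMLObjectBuilderFactory FACTORY;
    static {
        try {
            DefaultBootstrap.bootstrap(); // registers builders and marshallers; WSS4J does this inside the STS
        } catch (Exception e) {
            throw new ExceptionInInitializerError(e);
        }
        FACTORY = Configuration.getBuilderFactory();
    }

    @SuppressWarnings("unchecked")
    private static <T> T build(QName name) {
        return ((SAMLObjectBuilder<T>) FACTORY.getBuilder(name)).buildObject();
    }

    /** Issuer side. Set the result on assertion.getSaml2() BEFORE signAssertion(), or the signature will not cover it. */
    public static Conditions buildConditions(DateTime issueInstant, int lifetimeSeconds,
                                             String audienceUri, String delegateNameId) {
        Conditions conditions = build(Conditions.DEFAULT_ELEMENT_NAME);
        conditions.setNotBefore(issueInstant);
        conditions.setNotOnOrAfter(issueInstant.plusSeconds(lifetimeSeconds));

        Audience audience = build(Audience.DEFAULT_ELEMENT_NAME);
        audience.setAudienceURI(audienceUri);
        AudienceRestriction restriction = build(AudienceRestriction.DEFAULT_ELEMENT_NAME);
        restriction.getAudiences().add(audience);
        conditions.getAudienceRestrictions().add(restriction);

        NameID nameId = build(NameID.DEFAULT_ELEMENT_NAME);
        nameId.setValue(delegateNameId);
        nameId.setFormat(NameID.UNSPECIFIED);
        Delegate delegate = build(Delegate.DEFAULT_ELEMENT_NAME);
        delegate.setDelegationInstant(issueInstant);
        delegate.setNameID(nameId);

        // Built by type name, so it marshals as <saml:Condition xsi:type="del:DelegationRestrictionType">
        DelegationRestrictionType delegation = build(DelegationRestrictionType.TYPE_NAME);
        delegation.getDelegates().add(delegate);
        conditions.getConditions().add(delegation);
        return conditions;
    }

    /** Relying-party side. A condition the consumer does not understand makes the assertion Invalid (SAML Core 2.5.1). */
    public static void enforceConditions(Conditions conditions, DateTime now, int clockSkewSeconds,
                                         String myAudience, Set<String> trustedDelegates) {
        DateTime earliest = now.minusSeconds(clockSkewSeconds);
        DateTime latest = now.plusSeconds(clockSkewSeconds);
        if (conditions.getNotBefore() != null && latest.isBefore(conditions.getNotBefore())) {
            throw new SecurityException("assertion not yet valid");
        }
        if (conditions.getNotOnOrAfter() != null && !earliest.isBefore(conditions.getNotOnOrAfter())) {
            throw new SecurityException("assertion expired");
        }
        for (Condition c : conditions.getConditions()) { // also contains the AudienceRestriction entries
            if (c instanceof AudienceRestriction) {
                boolean matched = false;
                for (Audience a : ((AudienceRestriction) c).getAudiences()) {
                    matched |= myAudience.equals(a.getAudienceURI());
                }
                if (!matched) throw new SecurityException("audience mismatch");
            } else if (c instanceof DelegationRestrictionType) {
                for (Delegate d : ((DelegationRestrictionType) c).getDelegates()) {
                    String who = d.getNameID() == null ? null : d.getNameID().getValue();
                    if (who == null || !trustedDelegates.contains(who)) {
                        throw new SecurityException("untrusted delegate: " + who);
                    }
                    if (d.getDelegationInstant() != null && d.getDelegationInstant().isAfter(latest)) {
                        throw new SecurityException("delegation instant in the future");
                    }
                }
            } else if (c instanceof OneTimeUse) {
                throw new SecurityException("OneTimeUse needs a replay cache; none is wired up here");
            } else {
                throw new SecurityException("unsupported condition " + c.getElementQName());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        DateTime now = new DateTime();
        Conditions conditions = buildConditions(now, 300, "https://someCustomAudience", "gateway-svc");
        System.out.println(XMLHelper.nodeToString(
            Configuration.getMarshallerFactory().getMarshaller(conditions).marshall(conditions)));
        Set<String> trusted = new HashSet<String>(Arrays.asList("gateway-svc"));
        enforceConditions(conditions, now.plusSeconds(10), 60, "https://someCustomAudience", trusted);
    }
}
```

In an STS subclass the issuer half is called from the point Andrei names, i.e. on the `AssertionWrapper` before `signAssertion(...)`, via `assertion.getSaml2().setConditions(...)`. The relying-party half is the part that is easy to forget: a DelegationRestriction only constrains anything if every consumer of the token recognizes the xsi:type and checks the delegate against a list it trusts, and the final `else` branch is what keeps a consumer from silently accepting a condition it cannot evaluate.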

Re: Customizing Conditions in CXF STS

Posted by Colm O hEigeartaigh <co...@apache.org>.
> It will be necessary to subclass SAMLTokenProvider and add your logic to
modify conditions element.

Yup that's the only way I can see how it would work with the current code.

Please log a JIRA in WSS4J to be able to add this kind of functionality via
the ConditionsBean.

Colm.

On Wed, Nov 28, 2012 at 12:05 PM, Andrei Shakirin <as...@talend.com> wrote:

> You are right, it is even not a CXF, but a WSS4J restriction.
>
> The WSS4J ConditionsBean element doesn't really support custom extensions like
> your delegate.
> The CXF STS implementation uses WSS4J to parse the SAMLCallback object into a SAML
> Assertion.
> Not sure if it will be supported in WSS4J 2.0.
>
> I see only one way to customize it now: update the SAML2 Assertion in the
> AssertionWrapper created by WSS4J:
> assertion.getSaml2().getConditions() ....
> It will be necessary to subclass SAMLTokenProvider and add your logic to
> modify the conditions element.
>
> Perhaps Colm will propose a more elegant solution.
>
> I think CXF STS can provide a callback to modify the AssertionWrapper before
> signing (in method SAMLTokenProvider.createSamlToken()).
> Could you create Jira issues for CXF and also for WSS4J? Patches are also
> welcome.
>
> Cheers,
> Andrei.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

RE: Customizing Conditions in CXF STS

Posted by Andrei Shakirin <as...@talend.com>.
You are right, it is even not a CXF, but a WSS4J restriction.

The WSS4J ConditionsBean element doesn't really support custom extensions like your delegate.
The CXF STS implementation uses WSS4J to parse the SAMLCallback object into a SAML Assertion.
Not sure if it will be supported in WSS4J 2.0.

I see only one way to customize it now: update the SAML2 Assertion in the AssertionWrapper created by WSS4J:
assertion.getSaml2().getConditions() ....
It will be necessary to subclass SAMLTokenProvider and add your logic to modify the conditions element.

Perhaps Colm will propose a more elegant solution.

I think CXF STS can provide a callback to modify the AssertionWrapper before signing (in method SAMLTokenProvider.createSamlToken()).
Could you create Jira issues for CXF and also for WSS4J? Patches are also welcome.

Cheers,
Andrei.
