Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (Jira)" <ji...@apache.org> on 2020/04/21 13:32:00 UTC

[jira] [Assigned] (CXF-8236) Support signature challenges in the STSClient

     [ https://issues.apache.org/jira/browse/CXF-8236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned CXF-8236:
----------------------------------------

    Assignee: Colm O hEigeartaigh

> Support signature challenges in the STSClient
> ---------------------------------------------
>
>                 Key: CXF-8236
>                 URL: https://issues.apache.org/jira/browse/CXF-8236
>             Project: CXF
>          Issue Type: Improvement
>          Components: STS
>    Affects Versions: 3.3.5
>            Reporter: Sergius Mohr
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>              Labels: sts-client
>             Fix For: 3.4.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> WS-Trust 1.4 spec allows the process of obtaining a security token to consist not only of two messages (request for token, response with the token), but also to have some intermediate requests and responses. In these intermediate requests and responses, the STS may challenge the token requestor to answer a challenge (e.g. to sign a randomly generated string). Only after all challenges have been answered correctly would the STS send a real token. See e.g. chapter 8.2 (Signature Challenges) of the WS-Trust spec.
> STSClient (v3.3.5) currently does not support an Issue/Challenge-Answer like this:
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
>   <soap11:Header>
>     <wsa:ReplyTo xmlns:wsa="http://www.w3.org/2005/08/addressing">
>       <wsa:Address>https://...ists.tgic.de/RST/Issue</wsa:Address>
>     </wsa:ReplyTo>
>     <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue</wsa:Action>
>     <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing">uuid:44ef50f3-7991-48db-9cee-27e71e1082cd</wsa:MessageID>
>     <wsa:RelatesTo xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:uuid:2000fce3-36ee-4f12-9eb1-7f949b3f524b</wsa:RelatesTo>
>   </soap11:Header>
>   <soap11:Body>
>     <wst:RequestSecurityTokenResponse Context="abcc2adc-ae05-43c3-ab09-e1ba71d5a157" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <wst:SignChallenge>
>         <wst:Challenge>7416357016</wst:Challenge>
>       </wst:SignChallenge>
>     </wst:RequestSecurityTokenResponse>
>   </soap11:Body>
> </soap11:Envelope>
> {code}
> I am currently trying to implement this (dirty) by overriding some of the STSClient methods. I am not familiar enough with CXF code.
> This topic is on the rise in Germany in the insurance industry ("TGIC" single sign on; electronic health card "ePA").
> Please implement this feature in a future release.



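Added example, not part of the issue and not CXF's STSClient code: a JDK-only model of the signature challenge round trip the description refers to (WS-Trust 1.4, chapter 8.2). The STS side issues a random challenge inside an intermediate RSTR like the one quoted above, the requestor side detects that the RSTR carries a SignChallenge rather than a token, signs the challenge value with its private key and echoes it back in a SignChallengeResponse, and the STS side checks that the echoed challenge is the pending one for that Context, consumes it so it cannot be replayed, and verifies the signature before it would go on to issue the real token. Assumptions: the class and method names are invented for the illustration, the challenge value is a constructed random string, and the requestor's signature is returned beside the RSTR instead of being modelled as the WS-Security header that carries it in a real exchange.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical class for the illustration; not part of CXF.
public class SignChallengeRoundTrip {
    static final String WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";

    /** STS side: pending challenges keyed by RST Context, each usable exactly once. */
    static final Map<String, String> pending = new HashMap<>();

    /** STS side: build the intermediate RSTR that carries a SignChallenge. */
    static String issueChallenge(String context, SecureRandom rnd) {
        byte[] raw = new byte[16];
        rnd.nextBytes(raw);
        String challenge = Base64.getEncoder().encodeToString(raw);   // constructed random challenge
        pending.put(context, challenge);
        return "<wst:RequestSecurityTokenResponse Context=\"" + context + "\" xmlns:wst=\"" + WST + "\">"
             + "<wst:SignChallenge><wst:Challenge>" + challenge + "</wst:Challenge></wst:SignChallenge>"
             + "</wst:RequestSecurityTokenResponse>";
    }

    /** Namespace-aware DOM parse with DOCTYPE and entity expansion disabled (untrusted SOAP input). */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    /** Requestor side: the challenge text if the RSTR is a SignChallenge, null if it is a normal token response. */
    static String extractChallenge(String rstrXml) throws Exception {
        NodeList sc = parse(rstrXml).getElementsByTagNameNS(WST, "SignChallenge");
        if (sc.getLength() == 0) return null;
        NodeList ch = ((Element) sc.item(0)).getElementsByTagNameNS(WST, "Challenge");
        if (ch.getLength() != 1) throw new IllegalStateException("SignChallenge without exactly one Challenge");
        return ch.item(0).getTextContent().trim();
    }

    /** Requestor side: the answering RSTR plus the signature over the challenge (carried in WS-Security in reality). */
    static final class Answer {
        final String rstrXml; final byte[] signature;
        Answer(String rstrXml, byte[] signature) { this.rstrXml = rstrXml; this.signature = signature; }
    }

    static Answer answerChallenge(String context, String challenge, PrivateKey requestorKey) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(requestorKey);
        s.update(challenge.getBytes(StandardCharsets.UTF_8));
        String xml = "<wst:RequestSecurityTokenResponse Context=\"" + context + "\" xmlns:wst=\"" + WST + "\">"
                   + "<wst:SignChallengeResponse><wst:Challenge>" + challenge + "</wst:Challenge></wst:SignChallengeResponse>"
                   + "</wst:RequestSecurityTokenResponse>";
        return new Answer(xml, s.sign());
    }

    /** STS side: accept only the pending challenge for this Context, once, and only with a valid signature. */
    static boolean verifyAnswer(Answer a, PublicKey requestorKey) throws Exception {
        Document doc = parse(a.rstrXml);
        String context = doc.getDocumentElement().getAttribute("Context");
        NodeList scr = doc.getElementsByTagNameNS(WST, "SignChallengeResponse");
        if (scr.getLength() != 1) return false;
        NodeList ch = ((Element) scr.item(0)).getElementsByTagNameNS(WST, "Challenge");
        if (ch.getLength() != 1) return false;
        String echoed = ch.item(0).getTextContent().trim();
        // Consume the challenge before checking anything else, so a second answer can never succeed.
        String expected = pending.remove(context);
        if (expected == null || !MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8), echoed.getBytes(StandardCharsets.UTF_8))) {
            return false;
        }
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(requestorKey);
        s.update(echoed.getBytes(StandardCharsets.UTF_8));
        return s.verify(a.signature);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair requestor = kpg.generateKeyPair();        // the requestor's signing key, generated for the demo
        String context = UUID.randomUUID().toString();

        String rstr = issueChallenge(context, new SecureRandom());   // STS -> requestor (intermediate RSTR)
        String challenge = extractChallenge(rstr);                   // requestor sees a challenge, not a token
        Answer answer = answerChallenge(context, challenge, requestor.getPrivate());
        System.out.println("first answer accepted: " + verifyAnswer(answer, requestor.getPublic()));
        System.out.println("replayed answer accepted: " + verifyAnswer(answer, requestor.getPublic()));
    }
}
```

The point for the client side is the branch in extractChallenge: an STS that uses challenges may answer the Issue request with an RSTR that contains no token at all, and a client that assumes the first RSTR always carries the token will fail there. The point for the STS side is that the echoed challenge is bound to the original Context, removed from the pending set before verification, and compared with a constant-time check, so an answer cannot be reused or matched against a different request.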
--
This message was sent by Atlassian Jira
(v8.3.4#803005)