Posted to users@cxf.apache.org by Sumit Pathak <su...@gmail.com> on 2011/07/06 18:28:20 UTC

Re: SpnegoContextToken - Security Token support for CXF

coheigea wrote:
> 
> Hi Sumit,
> 
> Please submit a patch and I'll be happy to review it.
> 
> Here is the patch https://issues.apache.org/jira/browse/CXF-3635
> 
>> f) Also the security token received from service is encrypted as per
>> http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap, and WSS4J
>> doesn't support it, so you need to write logic to decrypt it.
> 
> I'd prefer to push this out to WSS4J rather than implement it in CXF
> if possible.
> 
> Currently it is with the STS client, feel free to push it to WSS4j.
> 
> Thanks,
> 
> Colm.
> 
> On Sun, Jun 26, 2011 at 5:18 AM, Sumit Pathak
> <sumitpathakin@gmail.com> wrote:
>> I have this working:
>> a) What I was doing wrong is using Spnego token straight as security
>> token to sign and encrypt, and passing that as a Binary header.
>> b) Whereas this token should be used to get the secure token from the
>> endpoint, see spec
>> http://schemas.xmlsoap.org/ws/2005/02/trust/spnego/WSTrustForSPNego.pdf
>> for more details.
>> c) Also see
>> http://blog.facilelogin.com/2008/11/secure-conversation-with-wcf.html
>> to see the message exchange between the client and service for the
>> security token issue.
>> d) If you set context.requestMutualAuth(Boolean.FALSE) while setting up
>> the context between the client during GSS API calls, then only one pass
>> initialization would happen and you will get the security token.
>> e) Make sure to Base64 decode the security token received from the
>> service.
>> f) Also the security token received from service is encrypted as per
>> http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap, and WSS4J
>> doesn't support it, so you need to write logic to decrypt it.
>> g) Decrypting that token is as simple as calling context.unwrap() method
>> on the received token.
>>
>> I think most of the things that are supported in CXF for secure
>> conversation get used here, we just need to provide correct hooking. I am
>> more than happy to push this stuff into CXF, let me know if this is needed.
>>
>> Let me know in case if anybody needs any other info.
>>
>>
>> --
>> View this message in context:
>> http://cxf.547215.n5.nabble.com/SpnegoContextToken-Security-Token-support-for-CXF-tp569273p4525041.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> http://coheigea.blogspot.com/
> Talend - http://www.talend.com
> 


--
View this message in context: http://cxf.547215.n5.nabble.com/SpnegoContextToken-Security-Token-support-for-CXF-tp569273p4557310.html
Sent from the cxf-user mailing list archive at Nabble.com.
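
Steps d) to g) of the quoted message, sketched with the JDK's org.ietf.jgss API. This is an added example, not code from the thread or from the CXF-3635 patch. Assumptions: the JVM already holds Kerberos credentials for the client, the service name passed in (for example "HTTP@service.example.com") is a placeholder, and the caller sends the first-leg token to the service and extracts the Base64 text of the returned token from the response.

```java
import java.util.Base64;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;

public class SpnegoTokenExample {
    // Object identifier of the SPNEGO mechanism.
    private static final String SPNEGO_OID = "1.3.6.1.5.5.2";

    /** Step d): initiator context with mutual authentication switched off. */
    static GSSContext newContext(String hostBasedService) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName target =
            manager.createName(hostBasedService, GSSName.NT_HOSTBASED_SERVICE);
        // null credential = default credentials of the current subject (assumption).
        GSSContext context = manager.createContext(
            target, new Oid(SPNEGO_OID), null, GSSContext.DEFAULT_LIFETIME);
        context.requestMutualAuth(false); // must be set before initSecContext()
        return context;
    }

    /** Step b): the SPNEGO token to send to the service, Base64 encoded. */
    static String firstLeg(GSSContext context) throws GSSException {
        byte[] token = context.initSecContext(new byte[0], 0, 0);
        return Base64.getEncoder().encodeToString(token);
    }

    /** Steps e) to g): Base64 decode the returned token, then GSS unwrap it. */
    static byte[] unwrapToken(GSSContext context, String base64Token)
            throws GSSException {
        if (!context.isEstablished()) {
            // The message expects one pass to be enough with mutual auth off.
            throw new IllegalStateException("GSS context not established");
        }
        // MIME decoder tolerates line breaks inside the XML text node.
        byte[] wrapped = Base64.getMimeDecoder().decode(base64Token);
        MessageProp prop = new MessageProp(true);
        byte[] token = context.unwrap(wrapped, 0, wrapped.length, prop);
        if (!prop.getPrivacy()) {
            // The token is expected to be encrypted, not only integrity protected.
            throw new IllegalStateException("token was not confidentiality protected");
        }
        return token;
    }
}
```

The same GSSContext instance must be used for firstLeg() and unwrapToken(), because the unwrap key belongs to the context established in the first call.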