Posted to users@cxf.apache.org by coheigea <co...@apache.org> on 2014/07/01 17:09:57 UTC

Re: Issue with WS-Trust using security tokens/SAML assertions

roband915 wrote
> Nice work Colm! I'll try it out right away for sure!
> But when using the "ws-security.sts.client" again then I suspect that an
> old problem will occur. The "wsdlLocation" will not work because I don't
> have two STS's. Only ADFS and that uses only ws-mex. So probably I will
> receive the StackOverflow-exception that you helped me with earlier in
> this thread.
> 
> /Robert

In a previous post, you indicated that there were in fact two STS instances? 


roband915 wrote
> The somewhat complex environment consists of the web application (on
> Tomcat) that is configured using a proxy Shibboleth SP (on an Apache) and
> this in turn is configured to request a SAML-assertion from the ADFS.

The idea here is that the CXF client uses WS-MEX (via the service WSDL) to
get the WSDL of the ADFS STS instance. This in turn has an IssuedToken
policy, so the CXF client needs to get a token from "some other" STS
instance and send it in turn to the ADFS STS. So the STSClient configuration
you configure via "<entry key="ws-security.sts.client">..." is the STS that
you get the first IssuedToken from. It is assumed that you know the WSDL of
this STS instance.

You also need to set the property I mentioned previously to ensure that CXF
ignored the "ws-security.sts.client" configuration for the ADFS STS
communication (via WS-MEX).

Colm.




--
View this message in context: http://cxf.547215.n5.nabble.com/Issue-with-WS-Trust-using-security-tokens-SAML-assertions-tp5744142p5745822.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Issue with WS-Trust using security tokens/SAML assertions

Posted by "niranjana.murthy" <ni...@gmail.com>.
Hi,
         could you please elaborate the solution provided. Sample code of
some sort will help.
[I am grappling with the exact same problem, any solution with concrete
examples will be great help.]




Re: Issue with WS-Trust using security tokens/SAML assertions

Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok I think I understand the use-case. So the idea is that the service
receives a SAML Token + you want to use this as the "internal" IssuedToken?
In this case, I think you can achieve it with a small modification of the
STSClient. CXF has some functionality to use received tokens in
ActAs/OnBehalfOf calls. See here how to extract security tokens from a
request:

https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob_plain;f=rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/ReceivedTokenCallbackHandler.java;hb=HEAD

So I suggest you extend the existing STSClient + use the functionality
above to just return a SecurityToken Object containing the received token.

Colm.


On Mon, Jul 7, 2014 at 10:00 AM, coheigea <co...@apache.org> wrote:

> Sorry, I don't follow you. Could you outline how you expect the token flow
> to work in detail? From my POV, if the STS requires an IssuedToken, the
> client must obtain this token from another STS instance.
>
> Colm.
>
>
> On Mon, Jul 7, 2014 at 7:47 AM, roband915 [via CXF] <
> ml-node+s547215n5746057h94@n5.nabble.com> wrote:
>
> > The Shibboleth SP that we're using actually communicates with the same
> STS
> > as the web application should do. So there is only one STS.
> >
> > When my Shibboleth SP receives the token from the ADFS, isn't the ADFS
> > then "aware" that there is a valid token sent to this client? So when I
> via
> > the web application call the "Issued-token" on the ADFS it can respond
> with
> > the already existing token?
> >
> >
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>
>
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
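As an added illustration of the approach Colm outlines above (this is example code, not code from the thread or from CXF itself): a hypothetical STSClient subclass that, instead of contacting a second STS, hands the SAML assertion received on the inbound request back as the IssuedToken, using the ReceivedTokenCallbackHandler linked above. It assumes the service receives the token via WS-Security, CXF 3.0-era class names, and that the IssuedToken interceptor reaches the requestSecurityToken(String) overload.

```java
import javax.security.auth.callback.Callback;

import org.apache.cxf.Bus;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.PhaseInterceptorChain;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
import org.apache.cxf.ws.security.trust.delegation.ReceivedTokenCallbackHandler;
import org.w3c.dom.Element;

/**
 * Hypothetical STSClient (added example, not CXF code): instead of calling a
 * second STS it re-uses the SAML assertion WS-Security already validated on
 * the inbound request as the IssuedToken for the ADFS STS. Configure it under
 * "ws-security.sts.client" in place of the stock STSClient.
 */
public class ReceivedTokenSTSClient extends STSClient {

    public ReceivedTokenSTSClient(Bus bus) {
        super(bus);
    }

    // Assumption: the IssuedToken interceptor ends up in this overload (the
    // no-arg requestSecurityToken() delegates here); check your CXF version.
    @Override
    public SecurityToken requestSecurityToken(String appliesTo) throws Exception {
        Message current = PhaseInterceptorChain.getCurrentMessage();
        if (current == null) {
            throw new Exception("No current message: cannot re-use a received token");
        }
        // Same extraction CXF itself uses for ActAs/OnBehalfOf delegation.
        DelegationCallback callback = new DelegationCallback(current);
        new ReceivedTokenCallbackHandler().handle(new Callback[] {callback});
        Element assertion = callback.getToken();
        if (assertion == null) {
            throw new Exception("Inbound request carried no security token to re-use");
        }
        // SAML 2.0 puts the id in "ID", SAML 1.1 in "AssertionID".
        String id = assertion.getAttributeNS(null, "ID");
        if (id == null || id.isEmpty()) {
            id = assertion.getAttributeNS(null, "AssertionID");
        }
        // No separate Lifetime element is supplied: the assertion's own
        // Conditions still bound its validity and ADFS will reject an expired one.
        return new SecurityToken(id, assertion, (Element) null);
    }
}
```

Because the re-used assertion is never re-issued for the ADFS audience, ADFS must be configured to accept it as an IssuedToken from this client, and the assertion's own expiry still governs how long it works.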

Re: Issue with WS-Trust using security tokens/SAML assertions

Posted by coheigea <co...@apache.org>.
Sorry, I don't follow you. Could you outline how you expect the token flow
to work in detail? From my POV, if the STS requires an IssuedToken, the
client must obtain this token from another STS instance.

Colm.


On Mon, Jul 7, 2014 at 7:47 AM, roband915 [via CXF] <
ml-node+s547215n5746057h94@n5.nabble.com> wrote:

> The Shibboleth SP that we're using actually communicates with the same STS
> as the web application should do. So there is only one STS.
>
> When my Shibboleth SP receives the token from the ADFS, isn't the ADFS
> then "aware" that there is a valid token sent to this client? So when I via
> the web application call the "Issued-token" on the ADFS it can respond with
> the already existing token?
>
>
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



