Posted to users@cxf.apache.org by St...@faa.gov on 2014/05/06 14:09:47 UTC
CXF STS UseKey value
In my STS implementation, my RST messages are expected to contain a UseKey
element with an X.509 certificate, something like this:
<UseKey>
<ds:KeyInfo>
<ds:X509Data>
<ds:X509Certificate>some-encoded-cert</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</UseKey>
This works fine, mostly. But it does not work if the certificate is
provided as a BinarySecurityToken, e.g.,
<UseKey>
<wsse:BinarySecurityToken EncodingType="..."
ValueType="...">some-encoded-cert</wsse:BinarySecurityToken>
</UseKey>
It's the same info either way, but I had thought that UseKey should accept
a BST. Is this an issue with the STS, or an issue with my understanding?
Thanx,
Stephen W. Chappell
Re: CXF STS UseKey value
Posted by St...@faa.gov.
No, not at all. It's not an issue for me either way, I mainly wanted to
confirm or correct my thinking on the matter.
Thanx,
Stephen W. Chappell
ANG-B31, Information Security Branch
From: Colm O hEigeartaigh <co...@apache.org>
To: "users@cxf.apache.org" <us...@cxf.apache.org>,
Date: 05/06/2014 09:35 AM
Subject: Re: CXF STS UseKey value
The CXF STS will accept either a KeyInfo/X509Data or a
wsse:SecurityTokenReference (possibly to a BinarySecurityToken in the
security header of the request). Technically, the UseKey element could also
contain a BinarySecurityToken, however I've neither seen this before nor
have heard of a valid reason for supporting it. Do you have a compelling
reason to use a BinarySecurityToken here?
Colm.
On Tue, May 6, 2014 at 1:09 PM, <St...@faa.gov> wrote:
> In my STS implementation, my RST messages are expected to contain a UseKey
> element with an X.509 certificate, something like this:
>
> <UseKey>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>some-encoded-cert</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </UseKey>
>
> This works fine, mostly. But it does not work if the certificate is
> provided as a BinarySecurityToken, e.g.,
>
> <UseKey>
> <wsse:BinarySecurityToken EncodingType="..."
> ValueType="...">some-encoded-cert</wsse:BinarySecurityToken>
> </UseKey>
>
>
> It's the same info either way, but I had thought that UseKey should accept
> a BST. Is this an issue with the STS, or an issue with my understanding?
>
> Thanx,
>
>
> Stephen W. Chappell
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: CXF STS UseKey value
Posted by Colm O hEigeartaigh <co...@apache.org>.
The CXF STS will accept either a KeyInfo/X509Data or a
wsse:SecurityTokenReference (possibly to a BinarySecurityToken in the
security header of the request). Technically, the UseKey element could also
contain a BinarySecurityToken, however I've neither seen this before nor
have heard of a valid reason for supporting it. Do you have a compelling
reason to use a BinarySecurityToken here?
Colm.
On Tue, May 6, 2014 at 1:09 PM, <St...@faa.gov> wrote:
> In my STS implementation, my RST messages are expected to contain a UseKey
> element with an X.509 certificate, something like this:
>
> <UseKey>
> <ds:KeyInfo>
> <ds:X509Data>
> <ds:X509Certificate>some-encoded-cert</ds:X509Certificate>
> </ds:X509Data>
> </ds:KeyInfo>
> </UseKey>
>
> This works fine, mostly. But it does not work if the certificate is
> provided as a BinarySecurityToken, e.g.,
>
> <UseKey>
> <wsse:BinarySecurityToken EncodingType="..."
> ValueType="...">some-encoded-cert</wsse:BinarySecurityToken>
> </UseKey>
>
>
> It's the same info either way, but I had thought that UseKey should accept
> a BST. Is this an issue with the STS, or an issue with my understanding?
>
> Thanx,
>
>
> Stephen W. Chappell
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
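The two UseKey forms Colm describes as accepted (ds:KeyInfo/ds:X509Data, or a wsse:SecurityTokenReference pointing at a BinarySecurityToken in the wsse:Security header), side by side with the bare-BST form from the original question, as an added example that is not part of the thread and not CXF's own code. It is a small Python resolver over constructed SOAP messages; the namespace URIs and ValueType/EncodingType identifiers are the standard WS-Trust 1.3 / WSS 1.0 ones, while the placeholder "certificate" bytes, the build_rst helper and the function names are assumptions made for this example. Two checks a practitioner would want are included: the STR URI must be a same-document fragment, and it is resolved only against tokens in the Security header, never against elements in the Body.

```python
"""Resolve the certificate requested in a WS-Trust RST's wst:UseKey element.

Added example, not CXF code. Accepts the two forms the thread says the CXF STS
accepts and rejects a BinarySecurityToken placed directly under UseKey.
Note that UseKey only names the key the requester wants in the issued token;
proof of possession of that key is a separate matter (e.g. the request signature).
"""
import base64
import xml.etree.ElementTree as ET

# Standard namespace URIs (WS-Trust 1.3, WSS 1.0, XML-DSig, SOAP 1.1).
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
BASE64 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
WSU_ID = "{%s}Id" % NS["wsu"]


def _decode_der(text):
    """Base64-decode a certificate value and require a DER SEQUENCE at the top."""
    der = base64.b64decode("".join((text or "").split()), validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("certificate value is not DER-encoded")
    return der


def extract_use_key_cert(envelope_xml):
    """Return the DER certificate named by wst:UseKey, or raise ValueError."""
    root = ET.fromstring(envelope_xml)
    use_key = root.find("soap:Body/wst:RequestSecurityToken/wst:UseKey", NS)
    if use_key is None:
        raise ValueError("no wst:UseKey in request")

    # Form 1: ds:KeyInfo/ds:X509Data/ds:X509Certificate inline.
    cert_el = use_key.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is not None:
        return _decode_der(cert_el.text)

    # Form 2: wsse:SecurityTokenReference -> BST in the wsse:Security header.
    ref = use_key.find("wsse:SecurityTokenReference/wsse:Reference", NS)
    if ref is not None:
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise ValueError("only same-document references are allowed")
        header = root.find("soap:Header/wsse:Security", NS)
        tokens = header.findall("wsse:BinarySecurityToken", NS) if header is not None else []
        for bst in tokens:  # resolve against the header only, never the Body
            if bst.get(WSU_ID) == uri[1:]:
                if bst.get("ValueType") != X509V3 or bst.get("EncodingType") != BASE64:
                    raise ValueError("referenced BST is not a Base64 X509v3 token")
                return _decode_der(bst.text)
        raise ValueError("SecurityTokenReference %s does not resolve to a header BST" % uri)

    # The form from the original question: a BST directly under UseKey.
    if use_key.find("wsse:BinarySecurityToken", NS) is not None:
        raise ValueError("BinarySecurityToken directly under UseKey is not supported")
    raise ValueError("unsupported UseKey content")


def build_rst(use_key_inner, security_inner=""):
    """Constructed helper: wrap UseKey content (and optional header tokens) in a SOAP envelope."""
    return (
        '<soap:Envelope xmlns:soap="%(soap)s" xmlns:wst="%(wst)s" xmlns:wsse="%(wsse)s" '
        'xmlns:wsu="%(wsu)s" xmlns:ds="%(ds)s">' % NS
        + "<soap:Header><wsse:Security>" + security_inner + "</wsse:Security></soap:Header>"
        + "<soap:Body><wst:RequestSecurityToken><wst:UseKey>" + use_key_inner
        + "</wst:UseKey></wst:RequestSecurityToken></soap:Body></soap:Envelope>"
    )


# Constructed placeholder standing in for a DER certificate (a minimal DER SEQUENCE, not a real cert).
CERT_DER = bytes.fromhex("3003020105")
CERT_B64 = base64.b64encode(CERT_DER).decode("ascii")
BST = ('<wsse:BinarySecurityToken wsu:Id="X509-1" ValueType="%s" EncodingType="%s">%s'
       "</wsse:BinarySecurityToken>" % (X509V3, BASE64, CERT_B64))

RST_KEYINFO = build_rst(
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
    % CERT_B64)
RST_STR = build_rst(
    '<wsse:SecurityTokenReference><wsse:Reference URI="#X509-1" ValueType="%s"/>'
    "</wsse:SecurityTokenReference>" % X509V3, security_inner=BST)
RST_BARE_BST = build_rst(BST)                 # BST directly under UseKey: rejected
RST_BST_IN_BODY = build_rst(                  # STR whose target sits in the Body, not the header: rejected
    '<wsse:SecurityTokenReference><wsse:Reference URI="#X509-1"/></wsse:SecurityTokenReference>' + BST)

if __name__ == "__main__":
    for name, rst in [("KeyInfo", RST_KEYINFO), ("STR", RST_STR),
                      ("bare BST", RST_BARE_BST), ("BST in Body", RST_BST_IN_BODY)]:
        try:
            print(name, "->", extract_use_key_cert(rst).hex())
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

Running the block prints the resolved DER bytes for the KeyInfo and STR forms and a rejection for the bare BST and for an STR whose target is not in the Security header. Swap CERT_DER for a real DER certificate to use it on actual requests; the resolver returns raw DER, so certificate validation (chain, expiry, intended use) is still the caller's job.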