Posted to users@cxf.apache.org by Freddy Exposito <ex...@gmail.com> on 2015/02/20 14:52:49 UTC

SCT Renew in Secure Conversation

Hi,

In Secure Conversation, CXF doesn't have Renew implemented in the "Mock" STS
that deals with SCT tokens. The Java client just reissues after failing
renew but we are in an interop with a .Net environment and the .Net client
just doesn't recover after receiving a failure renewing the SCT.

Is there any specific reason why CXF doesn't have this implemented? 

We can provide a patch adding the renew functionality.

Thanks,
Freddy



--
View this message in context: http://cxf.547215.n5.nabble.com/SCT-Renew-in-Secure-Conversation-tp5754498.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: SCT Renew in Secure Conversation

Posted by Freddy Exposito <ex...@gmail.com>.
Hi Colm,

This is the JIRA: https://issues.apache.org/jira/browse/CXF-6272

About your comments:

a) I tried at first to use it as it was initially in the
handleMessageForAction() but got issues down the road in the
AbstractCommonBindingHandler.getSecurityToken() not finding the SCT in the
message context and with the change I did, just wanted it to follow the same
path as the 'issue' case. Maybe I am missing something there?

b) Just didn't want to be too 'invasive' with existing code. The patch I
just added in the JIRA ticket doesn't have the duplicates.

Thanks,
Freddy



--
View this message in context: http://cxf.547215.n5.nabble.com/SCT-Renew-in-Secure-Conversation-tp5754498p5754637.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: SCT Renew in Secure Conversation

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Freddy,

The patch looks fine - can you create a new JIRA + attach the patch there?
Two things of note:

a) You've removed the existing behaviour of "signing with the token" for
renewing...is the response secured in any way?
b) There looks to be a lot of duplicate code between the issue + renew
operations in the SecureConversationInInterceptor

Colm.

On Wed, Feb 25, 2015 at 9:20 PM, Freddy Exposito <ex...@gmail.com> wrote:

> Hi Colm,
>
> This patch works for us.
>
> renew-in-secure-conversation.patch
> <
> http://cxf.547215.n5.nabble.com/file/n5754615/renew-in-secure-conversation.patch
> >
>
> Not sure why SecurityContextToken constructor doesn't set the ID when
> receiving uuid; that's why I added
>
>
> sct.setID(WSSConfig.getNewInstance().getIdAllocator().createSecureId("sctId-", sct.getElement()));
>
> Thanks,
> Freddy
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/SCT-Renew-in-Secure-Conversation-tp5754498p5754615.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: SCT Renew in Secure Conversation

Posted by Freddy Exposito <ex...@gmail.com>.
Hi Colm,

This patch works for us.

renew-in-secure-conversation.patch
<http://cxf.547215.n5.nabble.com/file/n5754615/renew-in-secure-conversation.patch>  

Not sure why SecurityContextToken constructor doesn't set the ID when
receiving uuid; that's why I added

sct.setID(WSSConfig.getNewInstance().getIdAllocator().createSecureId("sctId-", sct.getElement()));

Thanks,
Freddy



--
View this message in context: http://cxf.547215.n5.nabble.com/SCT-Renew-in-Secure-Conversation-tp5754498p5754615.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: SCT Renew in Secure Conversation

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Freddy,

There is no reason, as far as I am aware, why renew isn't implemented.
Please contribute a patch + I will be happy to review it.

Colm.

On Fri, Feb 20, 2015 at 1:52 PM, Freddy Exposito <ex...@gmail.com> wrote:

> Hi,
>
> In Secure Conversation, CXF doesn't have Renew implemented in the "Mock"
> STS
> that deals with SCT tokens. The Java client just reissues after failing
> renew but we are in an interop with a .Net environment and the .Net client
> just doesn't recover after receiving a failure renewing the SCT.
>
> Is there any specific reason why CXF doesn't have this implemented?
>
> We can provide a patch adding the renew functionality.
>
> Thanks,
> Freddy
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/SCT-Renew-in-Secure-Conversation-tp5754498.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com