Posted to rampart-dev@ws.apache.org by "Rasmus Rhein Helwigh (JIRA)" <ji...@apache.org> on 2008/04/24 13:57:21 UTC

[jira] Created: (RAMPART-156) org.apache.rahas.Token constructor expects lifetimeelement to be present, but the element is optional according to the standard.

org.apache.rahas.Token constructor expects lifetimeelement to be present, but the element is optional according to the standard.
--------------------------------------------------------------------------------------------------------------------------------

                 Key: RAMPART-156
                 URL: https://issues.apache.org/jira/browse/RAMPART-156
             Project: Rampart
          Issue Type: Bug
          Components: rampart-trust
         Environment: Latest trunk of rampart  + wss4j on windows xp.
            Reporter: Rasmus Rhein Helwigh
            Assignee: Ruchith Udayanga Fernando


The org.apache.rahas.client.STSClient.processIssueResponse class tries to create a Token object with lifetime object as an argument. This lifetime object is optional, but the Token constructor fails if it's null.

Since SAML1.1 has its own lifetime element built into the assertion, it doesn't need to use the Token lifetime element, so it would be nice if this element could be optional.



Index: C:/src/Main/java/Rampart-svn/modules/rampart-trust/src/main/java/org/apache/rahas/Token.java
===================================================================
--- C:/src/Main/java/Rampart-svn/modules/rampart-trust/src/main/java/org/apache/rahas/Token.java	(revision 650441)
+++ C:/src/Main/java/Rampart-svn/modules/rampart-trust/src/main/java/org/apache/rahas/Token.java	(working copy)
@@ -151,7 +151,8 @@
                 tokenElem.getXMLStreamReader());
         stAXOMBuilder.setNamespaceURIInterning(true);
         this.token = stAXOMBuilder.getDocumentElement();
-        this.processLifeTime(lifetimeElem);
+        if ( lifetimeElem != null )
+        	this.processLifeTime(lifetimeElem);
     }
     
     /**
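Review bot: The new guard `if ( lifetimeElem != null )` silently skips processLifeTime when the element is absent, and nothing in the hunk records that the resulting Token carries no lifetime information. Handle the null branch explicitly (take the values from another source, or mark the token so callers can tell it has no expiry), and state in the constructor's Javadoc that lifetimeElem may be null. Also put braces around the single-statement body; the added call line is indented with a tab where the surrounding lines use spaces.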



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (RAMPART-156) org.apache.rahas.Token constructor expects lifetimeelement to be present, but the element is optional according to the standard.

Posted by "Nandana Mihindukulasooriya (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAMPART-156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12597826#action_12597826 ] 

Nandana Mihindukulasooriya commented on RAMPART-156:
----------------------------------------------------

I think this is a bit tricky. As we can see, processTokenExpiry() in the org.apache.rahas.SimpleTokenStore uses the "expires" value set by processLifeTime(lifetimeElem) to set the State of the tokens. So the token's state will not be properly set if the expires value of the token is not set correctly. Token state is used to check the token validity.
e.g. org.apache.rampart.util.RampartUtil#isTokenValid method

So we need to think of a way of setting the State or expires/created values in the above scenario.

thanks,
nandana

> org.apache.rahas.Token constructor expects lifetimeelement to be present, but the element is optional according to the standard.
> --------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: RAMPART-156
>                 URL: https://issues.apache.org/jira/browse/RAMPART-156
>             Project: Rampart
>          Issue Type: Bug
>          Components: rampart-trust
>         Environment: Latest trunk of rampart  + wss4j on windows xp.
>            Reporter: Rasmus Rhein Helwigh
>            Assignee: Nandana Mihindukulasooriya
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> The org.apache.rahas.client.STSClient.processIssueResponse class tries to create a Token object with lifetime object as an argument. This lifetime object is optional, but the Token constructor fails if it's null.
> Since SAML1.1 has its own lifetime element built into the assertion, it doesn't need to use the Token lifetime element, so it would be nice if this element could be optional.
> Index: C:/src/Main/java/Rampart-svn/modules/rampart-trust/src/main/java/org/apache/rahas/Token.java
> ===================================================================
> --- C:/src/Main/java/Rampart-svn/modules/rampart-trust/src/main/java/org/apache/rahas/Token.java	(revision 650441)
> +++ C:/src/Main/java/Rampart-svn/modules/rampart-trust/src/main/java/org/apache/rahas/Token.java	(working copy)
> @@ -151,7 +151,8 @@
>                  tokenElem.getXMLStreamReader());
>          stAXOMBuilder.setNamespaceURIInterning(true);
>          this.token = stAXOMBuilder.getDocumentElement();
> -        this.processLifeTime(lifetimeElem);
> +        if ( lifetimeElem != null )
> +        	this.processLifeTime(lifetimeElem);
>      }
>      
>      /**



[jira] Commented: (RAMPART-156) org.apache.rahas.Token constructor expects lifetimeelement to be present, but the element is optional according to the standard.

Posted by "Rasmus Rhein Helwigh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/RAMPART-156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12598244#action_12598244 ] 

Rasmus Rhein Helwigh commented on RAMPART-156:
----------------------------------------------

The problem is that WCF's implementation of SAML Security Token only sets these dates on the SAML 1.1 assertion, and as far as I can see it is not possible to set the elements on the RSTR.

A solution to the problem could be to detect that the token contains a SAML assertion, and then retrieve the ValidFrom / ValidTo from within this assertion? I can make a new patch with this fix if you like.


Note: There are a number of other issues that show up when using the SAML 1.1 Assertions. Right now I have a modified version of Rampart and WSS4J that works with SAML and WCF, but I don't know if it will break other features.



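The fallback proposed in the comment above (take the validity window from the SAML 1.1 assertion when the RSTR has no wst:Lifetime), as an added example that is not Rampart's code and not part of the original thread. The class TokenLifetimeFallback and the sample RSTR are constructed for illustration, and the code assumes the assertion's signature has already been verified.

```java
import java.io.StringReader;
import java.time.Instant;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;
/** Hypothetical helper for illustration; not a Rampart or WSS4J class. */
public class TokenLifetimeFallback {
    static final String WST = "http://schemas.xmlsoap.org/ws/2005/02/trust";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String SAML11 = "urn:oasis:names:tc:SAML:1.0:assertion";

    /** Returns {created, expires}; refuses a token that nothing bounds in time. */
    static Instant[] resolve(String rstrXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Security tokens never need a DTD; rejecting it blocks XXE and entity expansion.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(rstrXml)));
        NodeList lifetime = doc.getElementsByTagNameNS(WST, "Lifetime");
        if (lifetime.getLength() > 0) {            // preferred source: wst:Lifetime in the RSTR
            Element l = (Element) lifetime.item(0);
            return checked(child(l, "Created"), child(l, "Expires"));
        }
        NodeList cond = doc.getElementsByTagNameNS(SAML11, "Conditions");
        if (cond.getLength() > 0) {                // fallback: saml:Conditions validity window
            Element c = (Element) cond.item(0);
            // Assumption: the assertion's signature was verified before this point.
            if (c.hasAttribute("NotBefore") && c.hasAttribute("NotOnOrAfter"))
                return checked(c.getAttribute("NotBefore"), c.getAttribute("NotOnOrAfter"));
        }
        throw new IllegalStateException("token has no lifetime; it could never be expired");
    }
    static String child(Element parent, String local) {
        NodeList n = parent.getElementsByTagNameNS(WSU, local);
        if (n.getLength() == 0) throw new IllegalStateException("missing wsu:" + local);
        return n.item(0).getTextContent().trim();
    }
    static Instant[] checked(String from, String to) {
        Instant created = Instant.parse(from), expires = Instant.parse(to);
        if (!expires.isAfter(created)) throw new IllegalStateException("empty validity window");
        return new Instant[] { created, expires };
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample: a trimmed RSTR without wst:Lifetime, carrying a SAML 1.1 assertion.
        String rstr = "<wst:RequestSecurityTokenResponse xmlns:wst='" + WST + "'>"
            + "<saml:Assertion xmlns:saml='" + SAML11 + "'><saml:Conditions"
            + " NotBefore='2008-04-24T12:00:00Z' NotOnOrAfter='2008-04-24T13:00:00Z'/>"
            + "</saml:Assertion></wst:RequestSecurityTokenResponse>";
        System.out.println(java.util.Arrays.toString(resolve(rstr)));
    }
}
```

Failing closed when neither source is present keeps the expiry check raised earlier in the thread meaningful: a token without an expiry never enters the store as permanently valid.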


[jira] Assigned: (RAMPART-156) org.apache.rahas.Token constructor expects lifetimeelement to be present, but the element is optional according to the standard.

Posted by "Nandana Mihindukulasooriya (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/RAMPART-156?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nandana Mihindukulasooriya reassigned RAMPART-156:
--------------------------------------------------

    Assignee: Nandana Mihindukulasooriya  (was: Ruchith Udayanga Fernando)
