Posted to users@cxf.apache.org by Colm O hEigeartaigh <co...@apache.org> on 2019/07/17 11:55:55 UTC

Re: CXF client STSClient token chaining

Sorry for the delay in looking into this. I've fixed the infinite loop when
a WSDL references an IssuedToken policy that ends up pointing the STSClient
back to the same STS (https://issues.apache.org/jira/browse/CXF-8076).

With regards to your use-case, I updated the CrossDomainTest to get it to
work. The trick is to supply two STSClient configurations - a "Default" one
that gets used when talking to the first STS, and a second one which is
used for the call to the second STS (it's configured using a "name" that
corresponds to that of the first STS):

https://github.com/apache/cxf/blob/master/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/cross_domain/cxf-client.xml

Colm.

On Thu, May 30, 2019 at 1:11 PM Sölvi Páll Ásgeirsson <so...@gmail.com>
wrote:

> Yes, exactly.
> The relevant policy is here:
> https://gist.github.com/solvip/c842a5a13a43c24e94abf9073039cab5
>
> Cheers
> Sölvi
>
> On Thu, May 30, 2019 at 10:56 AM Colm O hEigeartaigh
> <co...@apache.org> wrote:
> >
> > What does the security policy of vendor-sts look like? I guess it contains
> > an IssuedToken policy to result in an infinite loop in the STSClient?
> >
> > Colm.
> >
> > On Thu, May 23, 2019 at 10:59 AM Sölvi Páll Ásgeirsson <solvip@gmail.com>
> > wrote:
> >
> > > Hello
> > >
> > > I'm trying to use CXF as a client towards a set of WCF services
> > > provided by a third party.
> > > The WCF services are protected with WS-Trust and they trust tokens
> > > issued/signed by a certain STS, vendor-sts.  The vendor-sts is a MS
> > > ADFS 2.0 (I think) service.
> > >
> > > I cannot authenticate directly towards the vendor-sts, but must
> > > instead use the issuedtokenmixedsymmetricbasic256 endpoint of the
> > > vendor-sts.  The vendor-sts trusts tokens signed by a certificate of
> > > mine and issues new ones which I can pass on to their services.
> > >
> > > I have (somewhat) configured CXF to be a client towards these
> > > services, as in this gist:
> > > https://gist.github.com/solvip/1a70f3422a67ceb7a8d66a11f740f600
> > >
> > > However, this naturally results in an infinite loop as the STSClient
> > > tries to fetch a token from vendor-sts to satisfy the vendor-sts
> > > policy for that endpoint.
> > >
> > > How can I tell CXF to first contact my STS for a token to pass on
> > > towards the vendor-sts?  I've looked at the cxf sts cross_domain test;
> > > but I'm not sure that it applies to my use case as I have no control
> > > over the vendor STS or vendor service configuration.
> > >
> > > Many thanks & best regards
> > > Sölvi
> > >
> >
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com