You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "Sergius Mohr (Jira)" <ji...@apache.org> on 2020/03/12 16:34:00 UTC

[jira] [Created] (CXF-8240) STSClient produces wrong element order for TokenType (issue, renew)

Sergius Mohr created CXF-8240:
---------------------------------

             Summary: STSClient produces wrong element order for TokenType (issue, renew)
                 Key: CXF-8240
                 URL: https://issues.apache.org/jira/browse/CXF-8240
             Project: CXF
          Issue Type: Bug
          Components: STS
    Affects Versions: 3.3.5
            Reporter: Sergius Mohr


Scenario: using STSClient to call a STS server via SOAP. Creating issue request according to WS-Trust spec.

I have read the WS-Trust sepcs from 1.0 to 1.4 and the elements under RequestSecurityToken should be in this order: TokenType, RequestType, etc.

see spec: [http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html#_Toc325658937]
{code:xml}
<wst:RequestSecurityToken Context="..." xmlns:wst="...">
   <wst:TokenType>...</wst:TokenType>
   <wst:RequestType>...</wst:RequestType>
       ...
</wst:RequestSecurityToken>
{code}
STSClient produces in most cases this element order:
{code:xml}
<wst:RequestSecurityToken Context="..." xmlns:wst="...">
   <wst:RequestType>...</wst:RequestType>
   <wst:TokenType>...</wst:TokenType>
       ...
</wst:RequestSecurityToken>
{code}
 

This produces a schema invalid request and is rejected by servers (like MS ADFS or IBM DataPower).

 

One Workaround is to override the addRequestType:
{code:java}
@Override
protected void addRequestType(String requestType, W3CDOMStreamWriter writer) throws XMLStreamException {
	//correction of the element order: TokenType first and then the RequestType
	addTokenType(writer);
	setTokenType(null);
	super.addRequestType(requestType, writer);
}
{code}
Another Workaround is to set the "template" to STSClient (no documentation found to this, i used OpenSAML3 code for this):
{code:java}
MarshallerFactory marshallerFactory = XMLObjectProviderRegistrySupport.getMarshallerFactory();

RequestSecurityToken requestSecurityTokenObject = new RequestSecurityTokenBuilder().buildObject();
TokenType tokenType = new TokenTypeBuilder().buildObject();
marshallerFactory.registerMarshaller(TokenType.ELEMENT_NAME, new TokenTypeMarshaller());
requestSecurityTokenObject.getUnknownXMLObjects().add(tokenType);
tokenType.setValue("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");

stsClient.setTemplate(new RequestSecurityTokenMarshaller().marshall(requestSecurityTokenObject));
{code}
It's not better.

 

Please fix this by moving the calling of addTokenType() method in AbstractSTSClient (in issue() and renew()) to before the addRequestType().



--
This message was sent by Atlassian Jira
(v8.3.4#803005)