Posted to users@cxf.apache.org by Sumit Pathak <su...@gmail.com> on 2011/06/19 20:40:52 UTC

Re: SpnegoContextToken - Security Token support for CXF

I am also working on the same project, and have given a first stab at it:-
a) Define a SpnegoContextToken; this can extend SecureConversationToken.
b) Define a builder and an Interceptor provider to build the SpnegoToken from the
XML.
c) Register both the builder and the Interceptor provider in your client code:-

	import org.apache.cxf.Bus;
	import org.apache.cxf.BusFactory;
	import org.apache.cxf.ws.policy.AssertionBuilderRegistry;
	import org.apache.cxf.ws.policy.PolicyInterceptorProviderRegistry;

	// use the bus the client proxy runs on (here the thread-default bus)
	Bus bus = BusFactory.getThreadDefaultBus();

	AssertionBuilderRegistry reg = bus.getExtension(AssertionBuilderRegistry.class);
	PolicyInterceptorProviderRegistry pipr = bus.getExtension(PolicyInterceptorProviderRegistry.class);

	// let the policy engine parse the SpnegoContextToken assertion ...
	reg.register(new SpnegoContextTokenBuilder());
	// ... and attach the interceptor that acts on it
	pipr.register(new SpnegoContextTokenInterceptorProvider(new SpnegoContextTokenInterceptor()));
d) Write the logic to generate the SpnegoToken in SpnegoContextTokenInterceptor();
this is not difficult, and you can also look at the SpnegoAuthSupplier class in CXF
2.4 to achieve this. The only tricky thing is the configuration, that is, generating the
login.conf and krb5.ini files; let me know if somebody needs more info
around it.
e) This token needs to be added as a binary security token and also used to
sign and encrypt the message, so provide that logic in the handleMessage method.
You can consult this unit test to see how to do that:-
http://svn.apache.org/repos/asf//webservices/wss4j/tags/1_6_0-alpha/src/test/java/org/apache/ws/security/message/token/BSTKerberosTest.java
f) Make sure the constructor SpnegoContextTokenInterceptor() has this line:
super(Phase.POST_PROTOCOL);
g) I am still having some security issues while getting the incoming message
from the .Net web service; will update once I am able to resolve that.

--
View this message in context: http://cxf.547215.n5.nabble.com/SpnegoContextToken-Security-Token-support-for-CXF-tp569273p4504120.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: SpnegoContextToken - Security Token support for CXF

Posted by Sumit Pathak <su...@gmail.com>.
coheigea wrote:
> 
> Hi Sumit,
> 
> Please submit a patch and I'll be happy to review it.
> 
Here is the patch: https://issues.apache.org/jira/browse/CXF-3635
> 
>> f) Also, the security token received from the service is encrypted as per
>> http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap, and WSS4J
>> doesn't support it, so you need to write logic to decrypt it.
> 
> I'd prefer to push this out to WSS4J rather than implement it in CXF
> if possible.
> 
Currently it is with the STS client; feel free to push it to WSS4J.
> 
> Thanks,
> 
> Colm.
> 
> On Sun, Jun 26, 2011 at 5:18 AM, Sumit Pathak
> <sumitpathakin@gmail.com> wrote:
>> I have this working:-
>> a) What I was doing wrong was using the Spnego token straight as the security
>> token to sign and encrypt, and passing that as a Binary header.
>> b) Whereas this token should be used to get the secure token from the end
>> point, see spec
>> http://schemas.xmlsoap.org/ws/2005/02/trust/spnego/WSTrustForSPNego.pdf,
>> for more details.
>> c) Also see
>> http://blog.facilelogin.com/2008/11/secure-conversation-with-wcf.html to
>> see the message exchange between the client and service for the security
>> token issue.
>> d) If you set context.requestMutualAuth(Boolean.FALSE) while setting up
>> the context between the client and service during GSS API calls, then only
>> one-pass initialization would happen and you will get the security token.
>> e) Make sure to Base64 decode the security token received from the
>> service.
>> f) Also, the security token received from the service is encrypted as per
>> http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap, and WSS4J
>> doesn't support it, so you need to write logic to decrypt it.
>> g) Decrypting that token is as simple as calling the context.unwrap() method
>> on the received token.
>>
>> I think most of the things supported in CXF for secure conversation get
>> used here; we just need to provide the correct hooking. I am more than happy
>> to push this stuff into CXF, let me know if this is needed.
>>
>> Let me know in case if anybody needs any other info.
>>
>>
>> --
>> View this message in context:
>> http://cxf.547215.n5.nabble.com/SpnegoContextToken-Security-Token-support-for-CXF-tp569273p4525041.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
> 
> 
> 
> -- 
> Colm O hEigeartaigh
> 
> http://coheigea.blogspot.com/
> Talend - http://www.talend.com
> 


--
View this message in context: http://cxf.547215.n5.nabble.com/SpnegoContextToken-Security-Token-support-for-CXF-tp569273p4557310.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: SpnegoContextToken - Security Token support for CXF

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Sumit,

Please submit a patch and I'll be happy to review it.

> f) Also, the security token received from the service is encrypted as per
> http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap, and WSS4J doesn't
> support it, so you need to write logic to decrypt it.

I'd prefer to push this out to WSS4J rather than implement it in CXF
if possible.

Thanks,

Colm.

On Sun, Jun 26, 2011 at 5:18 AM, Sumit Pathak <su...@gmail.com> wrote:
> I have this working:-
> a) What I was doing wrong was using the Spnego token straight as the security token
> to sign and encrypt, and passing that as a Binary header.
> b) Whereas this token should be used to get the secure token from the end
> point, see spec
> http://schemas.xmlsoap.org/ws/2005/02/trust/spnego/WSTrustForSPNego.pdf, for
> more details.
> c) Also see
> http://blog.facilelogin.com/2008/11/secure-conversation-with-wcf.html to see
> the message exchange between the client and service for the security token
> issue.
> d) If you set context.requestMutualAuth(Boolean.FALSE) while setting up the
> context between the client and service during GSS API calls, then only one-pass
> initialization would happen and you will get the security token.
> e) Make sure to Base64 decode the security token received from the service.
> f) Also, the security token received from the service is encrypted as per
> http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap, and WSS4J doesn't
> support it, so you need to write logic to decrypt it.
> g) Decrypting that token is as simple as calling the context.unwrap() method on
> the received token.
>
> I think most of the things supported in CXF for secure conversation get
> used here; we just need to provide the correct hooking. I am more than happy to
> push this stuff into CXF, let me know if this is needed.
>
> Let me know in case if anybody needs any other info.
>
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/SpnegoContextToken-Security-Token-support-for-CXF-tp569273p4525041.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

http://coheigea.blogspot.com/
Talend - http://www.talend.com

Re: SpnegoContextToken - Security Token support for CXF

Posted by Sumit Pathak <su...@gmail.com>.
Dan, any word on this, please?

--
View this message in context: http://cxf.547215.n5.nabble.com/SpnegoContextToken-Security-Token-support-for-CXF-tp569273p4959934.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: SpnegoContextToken - Security Token support for CXF

Posted by Sumit Pathak <su...@gmail.com>.
Dan, we are noticing one issue in our SPNEGO implementation: for some
unknown reason the security token issued by Microsoft Dynamics CRM is getting
expired well before its expiry time (that is, 10 hrs).
As per the Microsoft folks we need to handle the security token expiration exception
and try re-authentication; I am not sure where to do this and how to do this.
Is this something we have built in in CXF, at least for
IssuedTokenInterceptor or SecureConversationTokenInterceptor? Then I can
take a look.
I can see that the WS-Trust spec says:-
A Fault code (wsu:MessageExpired) is provided if the recipient wants to
inform the requestor that its security semantics were expired.  A service
MAY issue a Fault indicating the security semantics have expired.
But I am not sure how to handle this at the client, or whether we have support for
this within the CXF framework.
Any help here will be highly appreciated.

--
View this message in context: http://cxf.547215.n5.nabble.com/SpnegoContextToken-Security-Token-support-for-CXF-tp569273p4896977.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: SpnegoContextToken - Security Token support for CXF

Posted by Daniel Kulp <dk...@apache.org>.
On Sunday, June 26, 2011 7:21:47 PM Sumit Pathak wrote:
> I need to confirm one thing here; can Dan or any other CXF expert help
> me, please:-
> a) Currently, while sending the message to the end point for the secure token, I need to
> add the header explicitly.
> Can anybody point me to where CXF adds headers to the outgoing message, so that
> I can take a look at why it is not happening in my case.

SOAP header or HTTP header?

For SOAP headers, it would NORMALLY be SoapOutInterceptor where it grabs the 
various headers from the message and writes them out.  That said, things like 
WS-Security and such run after this and thus headers can sometimes get 
manipulated or changed after this point.

For HTTP, there is a "Headers" utility class in org.apache.cxf.transport.http 
which handles much of the mappings.

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com

Re: SpnegoContextToken - Security Token support for CXF

Posted by Sumit Pathak <su...@gmail.com>.
I need to confirm one thing here; can Dan or any other CXF expert help me,
please:-
a) Currently, while sending the message to the end point for the secure token, I need to
add the header explicitly.
Can anybody point me to where CXF adds headers to the outgoing message, so that
I can take a look at why it is not happening in my case.

--
View this message in context: http://cxf.547215.n5.nabble.com/SpnegoContextToken-Security-Token-support-for-CXF-tp569273p4526895.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: SpnegoContextToken - Security Token support for CXF

Posted by Sumit Pathak <su...@gmail.com>.
I have this working:-
a) What I was doing wrong was using the Spnego token straight as the security token
to sign and encrypt, and passing that as a Binary header.
b) Whereas this token should be used to get the secure token from the end
point, see spec
http://schemas.xmlsoap.org/ws/2005/02/trust/spnego/WSTrustForSPNego.pdf, for
more details.
c) Also see
http://blog.facilelogin.com/2008/11/secure-conversation-with-wcf.html to see
the message exchange between the client and service for the security token
issue.
d) If you set context.requestMutualAuth(Boolean.FALSE) while setting up the
context between the client and service during GSS API calls, then only one-pass
initialization would happen and you will get the security token.
e) Make sure to Base64 decode the security token received from the service.
f) Also, the security token received from the service is encrypted as per
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap, and WSS4J doesn't
support it, so you need to write logic to decrypt it.
g) Decrypting that token is as simple as calling the context.unwrap() method on
the received token.

I think most of the things supported in CXF for secure conversation get
used here; we just need to provide the correct hooking. I am more than happy to
push this stuff into CXF, let me know if this is needed.

Let me know in case if anybody needs any other info.


--
View this message in context: http://cxf.547215.n5.nabble.com/SpnegoContextToken-Security-Token-support-for-CXF-tp569273p4525041.html
Sent from the cxf-user mailing list archive at Nabble.com.
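The one-pass exchange described in steps d) to g) of the post above, as an added example that is not from this thread, from CXF or from WSS4J. It goes a little beyond the post by running both ends of the GSS-API exchange in one JVM, so the GSS_Wrap step that WSS4J does not handle is visible: the client builds the token that goes into the RST with mutual auth off, the service accepts it and wraps the token it issues, and the client Base64-decodes and unwraps the result with the same context. The JAAS entry names "SpnegoClient" and "SpnegoService" in login.conf, the krb5.ini path, the SPN HTTP@crm.example.com and the 32-byte stand-in for the issued token are all assumptions; it needs Java 8 or later and a reachable KDC.

```java
import java.security.PrivilegedExceptionAction;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.MessageProp;
import org.ietf.jgss.Oid;

/**
 * Loopback of the one-pass SPNEGO exchange: client (initiator) and service
 * (acceptor) in one JVM. Assumed, not from the thread: JAAS entries
 * "SpnegoClient" (user ticket cache) and "SpnegoService" (keytab), the SPN,
 * and the constructed 32-byte issued token.
 */
public class SpnegoOnePassLoopback {

    static final Oid SPNEGO_OID = oid("1.3.6.1.5.5.2");
    static final String SPN = "HTTP@crm.example.com";   // assumed SPN

    /** Client side, step d): mutual auth off, so a single initSecContext call finishes. */
    static GSSContext newInitiator() throws GSSException {
        GSSManager m = GSSManager.getInstance();
        GSSName target = m.createName(SPN, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = m.createContext(target, SPNEGO_OID, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(false);
        ctx.requestConf(true);   // without confidentiality, unwrap() cannot yield an encrypted payload
        ctx.requestInteg(true);
        return ctx;
    }

    /** Client side: the Base64 text that is placed in the RST's wst:BinaryExchange element. */
    static String initialToken(GSSContext ctx) throws GSSException {
        byte[] tok = ctx.initSecContext(new byte[0], 0, 0);
        return Base64.getEncoder().encodeToString(tok);
    }

    /** Service side: accept the client token, then GSS_Wrap the token it issues (step f). */
    static String acceptAndWrap(String clientTokenB64, byte[] issuedToken) throws GSSException {
        GSSManager m = GSSManager.getInstance();
        GSSCredential serverCred = m.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                SPNEGO_OID, GSSCredential.ACCEPT_ONLY);
        GSSContext ctx = m.createContext(serverCred);
        byte[] in = Base64.getDecoder().decode(clientTokenB64);
        ctx.acceptSecContext(in, 0, in.length);   // one pass: nothing has to go back for authentication
        if (!ctx.isEstablished()) {
            throw new GSSException(GSSException.FAILURE);
        }
        byte[] wrapped = ctx.wrap(issuedToken, 0, issuedToken.length, new MessageProp(0, true));
        ctx.dispose();
        return Base64.getEncoder().encodeToString(wrapped);
    }

    /** Client side, steps e) to g): Base64 decode, then unwrap with the same context. */
    static byte[] decodeAndUnwrap(GSSContext ctx, String wrappedB64) throws GSSException {
        byte[] wrapped = Base64.getDecoder().decode(wrappedB64);
        MessageProp prop = new MessageProp(0, true);
        byte[] plain = ctx.unwrap(wrapped, 0, wrapped.length, prop);
        if (!prop.getPrivacy()) {
            throw new GSSException(GSSException.BAD_QOP);   // token came back signed but not encrypted
        }
        return plain;
    }

    public static void main(String[] args) throws Exception {
        System.setProperty("java.security.krb5.conf", "krb5.ini");            // placeholder paths
        System.setProperty("java.security.auth.login.config", "login.conf");

        LoginContext client = new LoginContext("SpnegoClient");
        client.login();
        LoginContext service = new LoginContext("SpnegoService");
        service.login();

        byte[] issued = new byte[32];   // constructed stand-in for the token the STS issues
        new SecureRandom().nextBytes(issued);

        GSSContext ctx = Subject.doAs(client.getSubject(),
                (PrivilegedExceptionAction<GSSContext>) SpnegoOnePassLoopback::newInitiator);
        String rst = Subject.doAs(client.getSubject(),
                (PrivilegedExceptionAction<String>) () -> initialToken(ctx));
        String rstr = Subject.doAs(service.getSubject(),
                (PrivilegedExceptionAction<String>) () -> acceptAndWrap(rst, issued));
        byte[] recovered = Subject.doAs(client.getSubject(),
                (PrivilegedExceptionAction<byte[]>) () -> decodeAndUnwrap(ctx, rstr));
        ctx.dispose();

        System.out.println("round trip ok: " + Arrays.equals(issued, recovered));
    }

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

In the real flow the string returned by initialToken() is what the client puts in the RST and the string returned by acceptAndWrap() stands for the BinaryExchange text in the RSTR; the client must unwrap with the very GSSContext it called initSecContext() on, since that is where the session key lives. The getPrivacy() check is the caveat a practitioner wants: a peer that only signs the issued token would otherwise hand the client an unencrypted proof key without any error.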