Posted to issues@cxf.apache.org by "David Valeri (JIRA)" <ji...@apache.org> on 2010/07/26 22:16:16 UTC

[jira] Commented: (CXF-2909) WS-T / WS-SP sp:RequestSecurityTokenTemplate not using wst:SecondaryParameters

    [ https://issues.apache.org/jira/browse/CXF-2909?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12892445#action_12892445 ] 

David Valeri commented on CXF-2909:
-----------------------------------

Interopfest wstrust13 module does not work due to relocation of Microsoft STS and change to TLS certificate.  The STS WSDL moved to 131.107.153.205:8080.  The STS HTTPS port is 8443.  While this port is properly reflected in the WSDLs, the certificate on that port is self-issued and not part of the OASIS interop certificate hierarchy in the downloaded certs zip.

The following changes were implemented to test this issue's fix:

1) Changed the download script to use port 8080
2) Manually added the self-issued cert to the certs/WssIP.pfx extracted from the downloaded zip
3) Reconfigured the HTTP conduits in client.xml to use certs/WssIP.pfx instead of the bob.pfx file

Even with these changes, a TLS-related exception is still created for one of the interop scenarios.  The fix for this issue is observed to be working during execution of the functioning tests in wstrust13 and the other interop samples.

> WS-T / WS-SP sp:RequestSecurityTokenTemplate not using wst:SecondaryParameters
> ------------------------------------------------------------------------------
>
>                 Key: CXF-2909
>                 URL: https://issues.apache.org/jira/browse/CXF-2909
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3, 2.2.10
>            Reporter: David Valeri
>             Fix For: 2.3, 2.2.10
>
>
> Per the WS-SP 1.2 spec, section 5.4.2, "This required element contains elements which MUST be copied into the wst:SecondaryParameters of the RST request sent to the specified issuer. Note: the initiator is not required to understand the contents of this element."
> The STS client copies these values directly into the body of the wst:RequestSecurityToken element in the request to the STS.
> So this policy:
> {code:xml}
> <sp:IssuedToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always">
>   <sp:RequestSecurityTokenTemplate>
>     <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
>     <wst:AppliesTo>
>       <wsp:URI>service-1</wsp:URI>
>     </wst:AppliesTo>
>     <wst:Participants>
>       <wst:Participant>
>         <wsp:URI>service-1</wsp:URI>
>       </wst:Participant>
>     </wst:Participants>
>     <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
>   </sp:RequestSecurityTokenTemplate>
> </sp:IssuedToken>
> {code}
> Becomes this request:
> {code:xml}
> <wst:RequestSecurityToken>
>   ...
>   <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
>   <wst:AppliesTo>
>     <wsp:URI>service-1</wsp:URI>
>   </wst:AppliesTo>
>   <wst:Participants>
>     <wst:Participant>
>       <wsp:URI>service-1</wsp:URI>
>     </wst:Participant>
>   </wst:Participants>
>   <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
>   ...
> </wst:RequestSecurityToken>
> {code}
> Instead of: 
> {code:xml}
> <wst:RequestSecurityToken>
>   ...
>   <wst:SecondaryParameters>
>     <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
>     <wst:AppliesTo>
>       <wsp:URI>service-1</wsp:URI>
>     </wst:AppliesTo>
>     <wst:Participants>
>       <wst:Participant>
>         <wsp:URI>service-1</wsp:URI>
>       </wst:Participant>
>     </wst:Participants>
>     <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/PublicKey</wst:KeyType>
>   </wst:SecondaryParameters>
>   ...
> </wst:RequestSecurityToken>
> {code}
> WS-Trust 1.0 and WS-SP 1.0 do not support the wst:SecondaryParameters element so backwards compatibility should be retained per the interopfest samples.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
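The mapping the issue describes, as an added example that is not CXF's own STS client code: the children of sp:RequestSecurityTokenTemplate are copied verbatim under wst:SecondaryParameters when building a WS-Trust 1.3 RST, and directly into the RST body for WS-Trust 1.0, which has no wst:SecondaryParameters element. The sample policy is constructed from the one quoted above; the wsp namespace URI for wsp:URI and the `template_placement` oracle are assumptions of this example, not part of the issue.

```python
"""Added example (not CXF code): build a wst:RequestSecurityToken from an
sp:IssuedToken policy as WS-SP 1.2 section 5.4.2 requires, placing the
sp:RequestSecurityTokenTemplate children under wst:SecondaryParameters for
WS-Trust 1.3 and in the RST body for WS-Trust 1.0 (backwards compatibility)."""
import copy
import xml.etree.ElementTree as ET

# Namespace URIs from the respective specifications.
NS_SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
NS_WST13 = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3
NS_WST10 = "http://schemas.xmlsoap.org/ws/2005/02/trust"         # WS-Trust 1.0
NS_WSP = "http://www.w3.org/ns/ws-policy"  # assumed namespace for wsp:URI in the issue

ET.register_namespace("sp", NS_SP)
ET.register_namespace("wst", NS_WST13)
ET.register_namespace("t", NS_WST10)
ET.register_namespace("wsp", NS_WSP)

TOKEN_TYPE_SAML11 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"


def sample_policy(wst_ns: str) -> str:
    """Constructed sp:IssuedToken policy mirroring the one in the issue, with the
    template elements in the requested WS-Trust namespace."""
    return f"""<sp:IssuedToken xmlns:sp="{NS_SP}" xmlns:wst="{wst_ns}" xmlns:wsp="{NS_WSP}"
    sp:IncludeToken="{NS_SP}/IncludeToken/Always">
  <sp:RequestSecurityTokenTemplate>
    <wst:TokenType>{TOKEN_TYPE_SAML11}</wst:TokenType>
    <wst:AppliesTo><wsp:URI>service-1</wsp:URI></wst:AppliesTo>
    <wst:KeyType>{wst_ns}/PublicKey</wst:KeyType>
  </sp:RequestSecurityTokenTemplate>
</sp:IssuedToken>"""


def build_rst(issued_token_policy: str, wst_ns: str = NS_WST13) -> ET.Element:
    """Turn an sp:IssuedToken policy into a wst:RequestSecurityToken Issue request.

    wst_ns selects the WS-Trust version of the RST being produced.
    """
    policy = ET.fromstring(issued_token_policy)
    template = policy.find(f"{{{NS_SP}}}RequestSecurityTokenTemplate")
    if template is None:
        raise ValueError("sp:IssuedToken lacks the required sp:RequestSecurityTokenTemplate")

    rst = ET.Element(f"{{{wst_ns}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{wst_ns}}}RequestType").text = f"{wst_ns}/Issue"

    if wst_ns == NS_WST13:
        # WS-Trust 1.3: template contents MUST be copied into wst:SecondaryParameters.
        target = ET.SubElement(rst, f"{{{wst_ns}}}SecondaryParameters")
    else:
        # WS-Trust 1.0: no SecondaryParameters element exists, so copy into the body.
        target = rst

    # Copy verbatim: the initiator is not required to understand these elements.
    for child in template:
        target.append(copy.deepcopy(child))
    return rst


def template_placement(rst: ET.Element, wst_ns: str) -> str:
    """Report where the template elements landed: 'secondary', 'body' or 'missing'.
    Serves as a test oracle for the bug described in the issue (hypothetical helper)."""
    secondary = rst.find(f"{{{wst_ns}}}SecondaryParameters")
    if secondary is not None and secondary.find(f"{{{wst_ns}}}TokenType") is not None:
        return "secondary"
    if rst.find(f"{{{wst_ns}}}TokenType") is not None:
        return "body"
    return "missing"


if __name__ == "__main__":
    for ns in (NS_WST13, NS_WST10):
        rst = build_rst(sample_policy(ns), ns)
        print(template_placement(rst, ns))
        print(ET.tostring(rst, encoding="unicode"))
```

Running the block prints `secondary` followed by the WS-Trust 1.3 RST, then `body` followed by the WS-Trust 1.0 RST; the pre-fix CXF behaviour quoted in the issue would report `body` for the 1.3 case as well, which is what a regression test for CXF-2909 should reject.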