Posted to users@cxf.apache.org by bimjoeipa <jo...@ipaustralia.gov.au> on 2014/01/16 06:42:59 UTC

STR-Transform for IssuedToken in WS-Policy

Hi,

We are currently using a particular ESB which requires that SAML tokens with
the Sender Vouches (SV) confirmation method must have an STR-Transform
signature in the security header.  We use an STS that generates signed SAML
SV Tokens (we are using SV because we are exchanging a proprietary Single
Sign on Token for a SAML token).

I debugged
org.apache.cxf.systest.wssec.examples.saml.SamlTokenTest.testSymmetricSV()
compared with
org.apache.cxf.systest.wssec.examples.saml.SamlTokenTest.testSymmetricIssuedToken()
(I realise this example is HOK) and from what I can tell, it basically came
down to sp:IssuedTokens can't generate STR-Transforms, but the sp:SamlToken
does.

Does this sound correct, does CXF have a technical limitation that it won't
generate an STR-Transform for sp:IssuedTokens?  I understand that
IssuedTokens are signed, so don't technically need another signature, but
our ESB is a bit stubborn in this area...

Thanks,

Joel



--
View this message in context: http://cxf.547215.n5.nabble.com/STR-Transform-for-IssuedToken-in-WS-Policy-tp5738605.html
Sent from the cxf-user mailing list archive at Nabble.com.
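As an added illustration of the requirement described in the post above (this is not code from the thread, from CXF or from WSS4J), the following Python script performs the structural check an ESB of this kind makes on an incoming message: it parses a WS-Security header and reports whether every sender-vouches SAML assertion in it is covered by a ds:Reference that carries the STR-Transform and that dereferences, through a wsse:SecurityTokenReference with a SAML ID KeyIdentifier, to that assertion. The sample envelope is constructed here; its IDs (_a1, STR-1, Body-1), the placement of the SecurityTokenReference as a direct child of wsse:Security, and the placeholder digest and signature values are assumptions. The script inspects structure only and verifies neither the client signature nor the STS signature on the assertion.

```python
"""Structural check: does a WS-Security header sign its sender-vouches SAML
assertion through a SecurityTokenReference using the STR-Transform?

Added example, not CXF/WSS4J code.  It parses only: no XML signature or
STS signature is cryptographically verified here."""
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
STR_TRANSFORM = ("http://docs.oasis-open.org/wss/2004/01/"
                 "oasis-200401-wss-soap-message-security-1.0#STR-Transform")
SAML2_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID"
SENDER_VOUCHES = "urn:oasis:names:tc:SAML:2.0:cm:sender-vouches"
WSU_ID = "{%s}Id" % NS["wsu"]


def str_reference_ids(security):
    """wsu:Id of every SecurityTokenReference that a ds:Reference with the
    STR-Transform points at (URI '#STR-1' -> 'STR-1')."""
    ids = []
    for ref in security.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        algs = {t.get("Algorithm") for t in ref.iterfind("ds:Transforms/ds:Transform", NS)}
        uri = ref.get("URI", "")
        if STR_TRANSFORM in algs and uri.startswith("#"):
            ids.append(uri[1:])
    return ids


def assertion_ids_signed_via_str(security):
    """Map each STR-Transform reference to the SAML assertion ID that the
    referenced SecurityTokenReference's KeyIdentifier names."""
    signed = {}
    for str_id in str_reference_ids(security):
        for str_el in security.iterfind(".//wsse:SecurityTokenReference", NS):
            if str_el.get(WSU_ID) != str_id:
                continue
            ki = str_el.find("wsse:KeyIdentifier", NS)
            if ki is not None and ki.get("ValueType") == SAML2_ID:
                signed[str_id] = (ki.text or "").strip()
    return signed


def check_sender_vouches_signed(envelope_xml):
    """(ok, reason): ok is True only when every sender-vouches assertion in the
    header is covered by a signature Reference through an STR-Transform."""
    root = ET.fromstring(envelope_xml)
    security = root.find("soap:Header/wsse:Security", NS)
    if security is None:
        return False, "no wsse:Security header"
    covered = set(assertion_ids_signed_via_str(security).values())
    missing = []
    for a in security.iterfind("saml2:Assertion", NS):
        methods = {sc.get("Method") for sc in a.iterfind(".//saml2:SubjectConfirmation", NS)}
        if SENDER_VOUCHES in methods and a.get("ID") not in covered:
            missing.append(a.get("ID"))
    if missing:
        return False, "sender-vouches assertion(s) not signed via STR-Transform: " + ", ".join(missing)
    return True, "ok"


def build_envelope(sign_via_str, target_id="_a1"):
    """Constructed sample (assumed layout, not a CXF capture): an STS-issued
    sender-vouches assertion plus the client's signature over the Body and,
    when sign_via_str is True, over an STR that names target_id."""
    str_ref = str_el = ""
    if sign_via_str:
        str_ref = (f'<ds:Reference URI="#STR-1"><ds:Transforms><ds:Transform Algorithm="{STR_TRANSFORM}"/>'
                   '</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
                   '<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>')
        str_el = (f'<wsse:SecurityTokenReference wsu:Id="STR-1"><wsse:KeyIdentifier ValueType="{SAML2_ID}">'
                  f'{target_id}</wsse:KeyIdentifier></wsse:SecurityTokenReference>')
    return f"""<soap:Envelope xmlns:soap="{NS['soap']}" xmlns:wsse="{NS['wsse']}" xmlns:wsu="{NS['wsu']}"
 xmlns:ds="{NS['ds']}" xmlns:saml2="{NS['saml2']}">
<soap:Header><wsse:Security>
<saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2014-01-16T00:00:00Z">
<saml2:Issuer>sts.example</saml2:Issuer>
<saml2:Subject><saml2:NameID>joel</saml2:NameID>
<saml2:SubjectConfirmation Method="{SENDER_VOUCHES}"/></saml2:Subject>
</saml2:Assertion>
{str_el}
<ds:Signature><ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
<ds:Reference URI="#Body-1"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>AAAA</ds:DigestValue></ds:Reference>
{str_ref}
</ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="Body-1"><DoubleIt/></soap:Body></soap:Envelope>"""


if __name__ == "__main__":
    print(check_sender_vouches_signed(build_envelope(True)))
    print(check_sender_vouches_signed(build_envelope(False)))
    print(check_sender_vouches_signed(build_envelope(True, target_id="_other")))
```

The second and third calls fail the check: a signature that covers only the Body (the shape the poster observed for sp:IssuedToken) and a signature whose STR-Transform reference dereferences to some other assertion ID both leave the sender-vouches assertion uncovered. An ESB that enforces this rule must still verify the client's signature and the STS's signature cryptographically; the structural check only establishes that the right reference is present.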

Re: STR-Transform for IssuedToken in WS-Policy

Posted by bimjoeipa <jo...@ipaustralia.gov.au>.
coheigea wrote
> Ok I've merged a fix for this for CXF 2.7.9:
> 
> https://issues.apache.org/jira/browse/CXF-5503

Thanks, Colm!  Just tested it out locally and it worked perfectly!



--
View this message in context: http://cxf.547215.n5.nabble.com/STR-Transform-for-IssuedToken-in-WS-Policy-tp5738605p5738868.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: STR-Transform for IssuedToken in WS-Policy

Posted by Colm O hEigeartaigh <co...@apache.org>.
Ok I've merged a fix for this for CXF 2.7.9:

https://issues.apache.org/jira/browse/CXF-5503

Colm.


On Thu, Jan 16, 2014 at 11:55 PM, bimjoeipa <joel.pearson@ipaustralia.gov.au> wrote:

> coheigea wrote
> > If I am understanding you correctly, the scenario is that you have an STS
> > issuing a (signed?) SenderVouches Assertion, and you expect the CXF
> client
> > to generate a new Signature that signs the SAML Assertion via an
> > STR-Transform. Is this correct?
>
> Yes, that's correct, the STS issues a signed SenderVouches Assertion (via
> onBehalfOf).  In fact, I basically want the exact same output as
>
> org.apache.cxf.systest.wssec.examples.saml.SamlTokenTest.testAsymmetricSigned(),
> except for it to use the issued token from the STS instead of generating
> its own token.
>
>
> coheigea wrote
> > If you send the SecurityPolicy you are using I can take a look to see if
> > it's easy to implement.
>
> Sure, I have adapted the "DoubleItAsymmetricSignedPolicy" policy to include
> the IssuedToken component from "DoubleItSymmetricIssuedTokenPolicy" and
> called it  DoubleItAsymmetricIssuedTokenPolicy.xml
> <
> http://cxf.547215.n5.nabble.com/file/n5738672/DoubleItAsymmetricIssuedTokenPolicy.xml
> >
> .
>
> Thanks,
>
> Joel
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/STR-Transform-for-IssuedToken-in-WS-Policy-tp5738605p5738672.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: STR-Transform for IssuedToken in WS-Policy

Posted by bimjoeipa <jo...@ipaustralia.gov.au>.
coheigea wrote
> If I am understanding you correctly, the scenario is that you have an STS
> issuing a (signed?) SenderVouches Assertion, and you expect the CXF client
> to generate a new Signature that signs the SAML Assertion via an
> STR-Transform. Is this correct?

Yes, that's correct, the STS issues a signed SenderVouches Assertion (via
onBehalfOf).  In fact, I basically want the exact same output as
org.apache.cxf.systest.wssec.examples.saml.SamlTokenTest.testAsymmetricSigned(),
except for it to use the issued token from the STS instead of generating
its own token.


coheigea wrote
> If you send the SecurityPolicy you are using I can take a look to see if
> it's easy to implement.

Sure, I have adapted the "DoubleItAsymmetricSignedPolicy" policy to include
the IssuedToken component from "DoubleItSymmetricIssuedTokenPolicy" and
called it  DoubleItAsymmetricIssuedTokenPolicy.xml
<http://cxf.547215.n5.nabble.com/file/n5738672/DoubleItAsymmetricIssuedTokenPolicy.xml> 
.

Thanks,

Joel



--
View this message in context: http://cxf.547215.n5.nabble.com/STR-Transform-for-IssuedToken-in-WS-Policy-tp5738605p5738672.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: STR-Transform for IssuedToken in WS-Policy

Posted by Colm O hEigeartaigh <co...@apache.org>.
Correct, CXF currently is only designed/tested to work with STS-issued SAML
HolderOfKey + Bearer Assertions.

If I am understanding you correctly, the scenario is that you have an STS
issuing a (signed?) SenderVouches Assertion, and you expect the CXF client
to generate a new Signature that signs the SAML Assertion via an
STR-Transform. Is this correct?

If you send the SecurityPolicy you are using I can take a look to see if
it's easy to implement.

Colm.


On Thu, Jan 16, 2014 at 5:42 AM, bimjoeipa <jo...@ipaustralia.gov.au> wrote:

> Hi,
>
> We are currently using a particular ESB which requires that SAML tokens
> with
> the Sender Vouches (SV) confirmation method must have an STR-Transform
> signature in the security header.  We use an STS that generates signed SAML
> SV Tokens (we are using SV because we are exchanging a proprietary Single
> Sign on Token for a SAML token).
>
> I debugged
> org.apache.cxf.systest.wssec.examples.saml.SamlTokenTest.testSymmetricSV()
> compared with
>
> org.apache.cxf.systest.wssec.examples.saml.SamlTokenTest.testSymmetricIssuedToken()
> (I realise this example is HOK) and from what I can tell, it basically came
> down to sp:IssuedTokens can't generate STR-Transforms, but the
> sp:SamlToken
> does.
>
> Does this sound correct, does CXF have a technical limitation that it won't
> generate an STR-Transform for sp:IssuedTokens?  I understand that
> IssuedTokens are signed, so don't technically need another signature, but
> our ESB is a bit stubborn in this area...
>
> Thanks,
>
> Joel
>
>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/STR-Transform-for-IssuedToken-in-WS-Policy-tp5738605.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com