[ https://issues.apache.org/jira/browse/CXF-5664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13968341#comment-13968341 ]

Stephen Chappell commented on CXF-5664:
---------------------------------------

It doesn't look like this is working. I've updated my pom file to point to 
2.7.12-SNAPSHOT and switched back to the DefaultConditionsProvider, and had 
this message exchange ...


--- Request ---

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:wsa="http://www.w3.org/2005/08/addressing"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <soapenv:Header>
        <!-- Security stuff -->
    </soapenv:Header>
    <soapenv:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                  wsu:Id="id-16705926">
        <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512" Context="urn:itko.com">
            <RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</RequestType>
            <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
                <wsp:URI>http://cxf.apache.org/appliesto-uri</wsp:URI>
            </wsp:AppliesTo>
            <SecondaryParameters>
                <TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>
            </SecondaryParameters>
            <UseKey>
                <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                    <ds:X509Data>
                        <ds:X509Certificate><!-- Certificate --></ds:X509Certificate>
                    </ds:X509Data>
                </ds:KeyInfo>
            </UseKey>
            <wst:Participants xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
                <wst:Primary>
                    <wsa:EndpointReference>
                        <wsa:Address>http://participant.primary/</wsa:Address>
                    </wsa:EndpointReference>
                </wst:Primary>
                <wst:Participant>
                    <wsa:EndpointReference>
                        <wsa:Address>http://participant.one/</wsa:Address>
                    </wsa:EndpointReference>
                </wst:Participant>
                <wst:Participant>
                    <wsa:EndpointReference>
                        <wsa:Address>http://participant.two/</wsa:Address>
                    </wsa:EndpointReference>
                </wst:Participant>
                <wst:Participant>
                    <wsa:EndpointReference>
                        <wsa:Address>http://participant.three/</wsa:Address>
                    </wsa:EndpointReference>
                </wst:Participant>
            </wst:Participants>
        </RequestSecurityToken>
    </soapenv:Body>
</soapenv:Envelope>

--- Response ---

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Header>
        <!-- Security stuff -->
    </soap:Header>
    <soap:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
               wsu:Id="_7BE22CA55D15A24479139748069244336">
        <ns2:RequestSecurityTokenResponseCollection
                xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200802"
                xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                xmlns:ns3="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
                xmlns:ns4="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
                xmlns:ns5="http://www.w3.org/2005/08/addressing">
            <ns2:RequestSecurityTokenResponse Context="urn:itko.com">
                <ns2:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</ns2:TokenType>
                <ns2:RequestedSecurityToken>
                    <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
                                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                                     ID="_7BE22CA55D15A24479139748069243034"
                                     IssueInstant="2014-04-14T13:04:52.430Z"
                                     Version="2.0" xsi:type="saml2:AssertionType">
                        <saml2:Issuer>FAAIAMIssuerSTS</saml2:Issuer>
                        <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                            <!-- Signature -->
                        </ds:Signature>
                        <saml2:Subject>
                            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
                                          NameQualifier="http://sts.acy.iam.idn.faa/">CN=swdvrh032,OU=test,OU=swim,OU=National Airspace System,OU=Federal Aviation Administration,OU=U.S. Department of Transportation,O=U.S. Government,C=US</saml2:NameID>
                            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:holder-of-key">
                                <saml2:SubjectConfirmationData xsi:type="saml2:KeyInfoConfirmationDataType">
                                    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
                                        <ds:X509Data>
                                            <ds:X509Certificate><!-- Certificate --></ds:X509Certificate>
                                        </ds:X509Data>
                                    </ds:KeyInfo>
                                </saml2:SubjectConfirmationData>
                            </saml2:SubjectConfirmation>
                        </saml2:Subject>
                        <saml2:Conditions NotBefore="2014-04-14T13:04:52.431Z"
                                          NotOnOrAfter="2014-04-14T13:09:52.431Z">
                            <saml2:AudienceRestriction>
                                <saml2:Audience>http://cxf.apache.org/appliesto-uri</saml2:Audience>
                            </saml2:AudienceRestriction>
                        </saml2:Conditions>
                        <saml2:AuthnStatement AuthnInstant="2014-04-14T13:04:52.430Z">
                            <saml2:AuthnContext>
                                <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml2:AuthnContextClassRef>
                            </saml2:AuthnContext>
                        </saml2:AuthnStatement>
                    </saml2:Assertion>
                </ns2:RequestedSecurityToken>
                <wsp:AppliesTo xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
                               xmlns:wsp="http://www.w3.org/ns/ws-policy">
                    <wsp:URI>http://cxf.apache.org/appliesto-uri</wsp:URI>
                </wsp:AppliesTo>
                <ns2:Lifetime>
                    <ns3:Created>2014-04-14T13:04:52.431Z</ns3:Created>
                    <ns3:Expires>2014-04-14T13:09:52.431Z</ns3:Expires>
                </ns2:Lifetime>
            </ns2:RequestSecurityTokenResponse>
        </ns2:RequestSecurityTokenResponseCollection>
    </soap:Body>
</soap:Envelope>

--- End Message Exchange ---

So it doesn't look like it is working, but it's certainly possible I'm missing 
something. Any suggestions?


> CXF STS does not support wst:Participants
> -----------------------------------------
>
>                 Key: CXF-5664
>                 URL: https://issues.apache.org/jira/browse/CXF-5664
>             Project: CXF
>          Issue Type: Bug
>          Components: STS
>    Affects Versions: 2.7.8, 2.7.9, 2.7.10
>            Reporter: Stephen Chappell
>            Assignee: Colm O hEigeartaigh
>              Labels: features, security
>             Fix For: 2.7.12, 3.0.0
>
>
> The CXF STS does not recognize the wst:Participants element within a 
> wst:RequestSecurityToken, and instead throws a BadRequest SOAP fault. The 
> Participants element should be parsed and added to the list of 
> AudienceRestrictions in the issued token.
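A quick way to verify the behaviour the issue describes (added example, not code from the comment or from CXF): parse the RST and the RSTR, collect the AppliesTo URI plus every address under wst:Participants, and report which of them did not come back as a saml2:Audience in the issued assertion. The embedded messages are constructed, trimmed copies of the exchange above; the function names are this example's own.

```python
# Added example (not CXF code): does every address under wst:Participants in the
# RST come back as a saml2:Audience in the issued token? Sample messages below are
# constructed, trimmed copies of the exchange in the comment.
import xml.etree.ElementTree as ET

NS = {"wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsa": "http://www.w3.org/2005/08/addressing",
      "wsp": "http://www.w3.org/ns/ws-policy",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

REQUEST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
  xmlns:wsa="http://www.w3.org/2005/08/addressing"><soapenv:Body>
  <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
      <wsp:URI>http://cxf.apache.org/appliesto-uri</wsp:URI>
    </wsp:AppliesTo>
    <wst:Participants xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:Primary><wsa:EndpointReference><wsa:Address>http://participant.primary/</wsa:Address></wsa:EndpointReference></wst:Primary>
      <wst:Participant><wsa:EndpointReference><wsa:Address>http://participant.one/</wsa:Address></wsa:EndpointReference></wst:Participant>
    </wst:Participants>
  </RequestSecurityToken>
</soapenv:Body></soapenv:Envelope>"""

RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>
  <ns2:RequestSecurityTokenResponseCollection xmlns:ns2="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <ns2:RequestSecurityTokenResponse><ns2:RequestedSecurityToken>
      <saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
        <saml2:Conditions><saml2:AudienceRestriction>
          <saml2:Audience>http://cxf.apache.org/appliesto-uri</saml2:Audience>
        </saml2:AudienceRestriction></saml2:Conditions>
      </saml2:Assertion>
    </ns2:RequestedSecurityToken></ns2:RequestSecurityTokenResponse>
  </ns2:RequestSecurityTokenResponseCollection>
</soap:Body></soap:Envelope>"""

def requested_audiences(request_xml):
    # AppliesTo URI first, then every EndpointReference address in document order.
    root = ET.fromstring(request_xml)
    uris = [e.text.strip() for e in root.findall(".//wsp:AppliesTo/wsp:URI", NS)]
    parts = root.find(".//wst:Participants", NS)
    if parts is not None:
        uris += [e.text.strip() for e in parts.findall(".//wsa:Address", NS)]
    return uris

def issued_audiences(response_xml):
    return [e.text.strip() for e in ET.fromstring(response_xml).findall(".//saml2:Audience", NS)]

def missing_audiences(request_xml, response_xml):
    issued = set(issued_audiences(response_xml))
    return [u for u in requested_audiences(request_xml) if u not in issued]
```

With the exchange from the comment, missing_audiences returns both participant addresses, which is the symptom reported: only the AppliesTo URI reached the AudienceRestriction.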



--
This message was sent by Atlassian JIRA
(v6.2#6252)