[GitHub] [cxf] coheigea commented on a change in pull request #651: [CXF-8236] add support of signature challenges in the STSClient

[GitBox]

coheigea commented on a change in pull request #651:
URL: https://github.com/apache/cxf/pull/651#discussion_r412185623



##########
File path: 
rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
##########
@@ -87,6 +93,76 @@ public SecurityToken requestSecurityToken(
         }
         return token;
     }
+    
+    /**
+     * see WS-Trust 1.4 chapter 8:
+     * 
http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html#_Toc325658962
+     * 
+     * Creating of (manually triggered second) request with a
+     * RequestSecurityTokenResponse Object
+     * <wst:RequestSecurityTokenResponse xmlns:wst=
+     * "http://docs.oasis-open.org/ws-sx/ws-trust/200512"; Context=
+     * "d956dafc-1da5-4661-bab7-834640e659ec"> <wst:SignChallengeResponse>
+     * <wst:Challenge>4451658898</wst:Challenge> </wst:SignChallengeResponse>
+     * </wst:RequestSecurityTokenResponse>
+     * 
+     * @param action
+     * @param challengeValue the challenge value that was received by first
+     *                       issue-response
+     * @return SecurityToken
+     * @throws Exception
+     */
+    public SecurityToken requestSecurityTokenResponse(String action, String 
challengeValue) throws Exception {

Review comment:
       I think I'd prefer to remove this method altogether. Instead, refactor 
"issue" so that it can work for both cases. The only difference should be 
"RequestSecurityTokenResponse" instead of "RequestSecurityToken" for the normal 
issue case. Maybe the writing out of the Challenge itself could be delegated to 
the Challenge class itself.
   
   Then in SecurityToken.requestSecurityToken, I think we could handle the 
SignChallenge case automatically. If the SecurityToken that is returned from 
the STS contains a SignChallenge then invoke again on the STS with the 
challenge.

##########
File path: 
rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
##########
@@ -1491,6 +1491,16 @@ protected SecurityToken createSecurityToken(Element el, 
byte[] requestorEntropy)
                     tt = DOMUtils.getContent(el);
                 } else if ("KeySize".equals(ln)) {
                     retKeySize = DOMUtils.getContent(el);
+                } else if ("SignChallenge".equals(ln)) {
+                    el = DOMUtils.getFirstElement(el);
+                    if ("Challenge".equals(el.getLocalName())) {
+                        // maybe another implementation of the return object 
is more useful. 
+                        // We need to transport only two values: 
+                        // challengeValue and a marker for the kind of 
response (SignChallenge response)
+                        SecurityToken token = new 
SecurityToken(DOMUtils.getContent(el));
+                        token.setTokenType("SignChallenge");
+                        return token;
+                    }

Review comment:
       I think we could have a new Challenge class which is referenced in 
SecurityToken. Challenge could have an enum describing the type, maybe just 
SIGNATURE for now.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org