Hi,

I'm working on JIRA issue [1].
In order to fix this I updated the STS custom WSDL with the four
operations (i.e. issue, validate, renew and cancel) and added the SOAP
request body schema. Previously, though the WSDL was available in META-INF,
it got generated as per the service.xml. This was due to the wrong mapping
of the service name and the wrong name used with the WSDL file, which is
now fixed.

Previously the service.xml had only IssueToken operation defined, mapping
all actions for this operation as below.

    <operation name="IssueToken" mep="http://www.w3.org/2006/01/wsdl/in-out">
        <messageReceiver class="org.apache.rahas.STSMessageReceiver"/>
        <!-- Action mapping to accept SCT requests -->
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel</actionMapping>
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate</actionMapping>
        <parameter name="token-dispatcher-configuration">
            <token-dispatcher-configuration>
                <!-- Issuers. You may have many issuers. -->
                <issuer class="org.apache.rahas.impl.SAMLTokenIssuer" default="true">
                    <configuration type="parameter">saml-issuer-config</configuration>
                    <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
                </issuer>
                <issuer class="org.apache.rahas.impl.SAML2TokenIssuer" default="false">
                    <configuration type="parameter">saml-issuer-config</configuration>
                    <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tokenType>
                </issuer>

                <!-- Only a single canceler is allowed -->
                <canceler class="org.apache.rahas.impl.TokenCancelerImpl">
                    <configuration type="parameter">token-canceler-config</configuration>
                </canceler>

                <!-- Renewers. You may have many renewers -->
                <renewer class="org.apache.rahas.impl.SAMLTokenRenewer" default="true">
                    <configuration type="parameter">saml-issuer-config</configuration>
                    <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
                </renewer>

                <validator class="org.apache.rahas.impl.SAMLTokenValidator" default="true">
                    <configuration type="parameter">saml-issuer-config</configuration>
                    <tokenType>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Status</tokenType>
                </validator>
            </token-dispatcher-configuration>
        </parameter>
    </operation>

Yet this worked for all operations since the WSDL was generated. But after
I changed the WSDL and fixed the problem of loading the original WSDL, I had
to define the other operations in the service.xml and add appropriate
action mappings for them, because the operations defined in the WSDL, such as
ValidateToken for the http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate
action, were not defined in the service.xml. Thus, this faulted with an "action
not supported" error. In order to fix this I changed the service.xml as
below.

    <messageReceivers>
        <messageReceiver mep="http://www.w3.org/2004/08/wsdl/in-out"
                         class="org.apache.rahas.STSMessageReceiver"/>
    </messageReceivers>

    <parameter name="token-dispatcher-configuration">
        <token-dispatcher-configuration>
            <!-- Issuers. You may have many issuers. -->
            <issuer class="org.apache.rahas.impl.SAMLTokenIssuer" default="true">
                <configuration type="parameter">saml-issuer-config</configuration>
                <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
            </issuer>
            <issuer class="org.apache.rahas.impl.SAML2TokenIssuer" default="false">
                <configuration type="parameter">saml-issuer-config</configuration>
                <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</tokenType>
            </issuer>

            <!-- Only a single canceler is allowed -->
            <canceler class="org.apache.rahas.impl.TokenCancelerImpl">
                <configuration type="parameter">token-canceler-config</configuration>
            </canceler>

            <!-- Renewers. You may have many renewers -->
            <renewer class="org.apache.rahas.impl.SAMLTokenRenewer" default="true">
                <configuration type="parameter">saml-issuer-config</configuration>
                <tokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</tokenType>
            </renewer>

            <validator class="org.apache.rahas.impl.SAMLTokenValidator" default="true">
                <configuration type="parameter">saml-issuer-config</configuration>
                <tokenType>http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Status</tokenType>
            </validator>
        </token-dispatcher-configuration>
    </parameter>

    <operation name="ValidateToken" mep="http://www.w3.org/2006/01/wsdl/in-out">
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate</actionMapping>
    </operation>

    <operation name="IssueToken" mep="http://www.w3.org/2006/01/wsdl/in-out">
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</actionMapping>
    </operation>

    <operation name="CancelToken" mep="http://www.w3.org/2006/01/wsdl/in-out">
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Cancel</actionMapping>
    </operation>

    <operation name="RenewToken" mep="http://www.w3.org/2006/01/wsdl/in-out">
        <actionMapping>http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Renew</actionMapping>
    </operation>

Here I moved the token-dispatcher-configuration to the service level and
mapped the appropriate action mapping to each operation.
I tested this on IS 5.1.0 with SAML 1.1 and it worked the same as before.
But I noted the below in both cases, i.e. before and after my fix.

   - When I tried to cancel a token issued from the STS by a Java client I got
   an unauthorized error. This is also reported in [2].

        org.apache.rahas.TrustException: Error occurred while trying to cancel token
            at org.apache.rahas.client.STSClient.cancelToken(STSClient.java:207)
            at org.wso2.carbon.identity.samples.sts.Client.run(Client.java:148)
            at org.wso2.carbon.identity.samples.sts.Client.main(Client.java:78)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:597)
            at com.intellij.rt.execution.application.AppMain.main(AppMain.java:134)
        Caused by: org.apache.axis2.AxisFault: Transport error: 401 Error: Unauthorized
            at org.apache.axis2.transport.http.HTTPSender.handleResponse(HTTPSender.java:308)
            at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:194)
            at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:75)

   Trying this with SOAP UI gave a fault saying 'Expected parameter missing :
   "token-canceler-config"'.


   - It seems that WS-Addressing actions are not validated. As long as the
   SOAP body contains the proper request with the appropriate URI for
   <wst:RequestType>, the service gives the response.

Ex:
We can validate a token issued by the STS by giving the WS-Addressing
action as http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue. As per
the WS-Trust specification it's
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Validate, but the
specification does not say it's a must.

Highly appreciate your comments on this.

[1] https://wso2.org/jira/browse/IDENTITY-2537
[2] https://wso2.org/jira/browse/IDENTITY-2048

Thanks,
Malithi.
-- 

*Malithi Edirisinghe*
Senior Software Engineer
WSO2 Inc.

Mobile : +94 (0) 718176807
[email protected]
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
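The second observation in the mail above (the STS dispatches on <wst:RequestType> in the body and does not check that the WS-Addressing action agrees with it) is the kind of mismatch a server-side handler or a test harness can catch. The following is an added example, not code from the mail or from the Rahas/Carbon STS: it parses a RequestSecurityToken envelope, reads wsa:Action and wst:RequestType, and reports whether they are consistent under the WS-Trust Feb 2005 URIs that appear in the services.xml above. Assumptions: the SOAP 1.1/1.2 and WS-Addressing 1.0 / 2004-08 namespaces are the standard ones; the SCT actions (RST/SCT and RST/SCT/Cancel) are treated as acceptable alternatives for the Issue and Cancel request types, since those are the actions the services.xml maps for SCT requests; the sample envelopes are constructed here, not captured from a real STS exchange.

```python
import xml.etree.ElementTree as ET

# WS-Trust (Feb 2005) namespace used by the action URIs in the services.xml above.
WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust"

# Assumption: clients may use either the WS-Addressing 1.0 namespace or the
# 2004/08 member-submission namespace; both are accepted here.
WSA_NAMESPACES = (
    "http://www.w3.org/2005/08/addressing",
    "http://schemas.xmlsoap.org/ws/2004/08/addressing",
)
SOAP_NAMESPACES = (
    "http://schemas.xmlsoap.org/soap/envelope/",  # SOAP 1.1
    "http://www.w3.org/2003/05/soap-envelope",    # SOAP 1.2
)

# Which wsa:Action values are acceptable for each wst:RequestType. The SCT
# actions are included on the assumption that a SecurityContextToken request
# carries the Issue/Cancel RequestType under the RST/SCT actions mapped in
# services.xml.
ALLOWED_ACTIONS = {
    WST_NS + "/Issue":    {WST_NS + "/RST/Issue", WST_NS + "/RST/SCT"},
    WST_NS + "/Renew":    {WST_NS + "/RST/Renew"},
    WST_NS + "/Cancel":   {WST_NS + "/RST/Cancel", WST_NS + "/RST/SCT/Cancel"},
    WST_NS + "/Validate": {WST_NS + "/RST/Validate"},
}


def _find_first(parent, local_name, namespaces):
    """Return the first descendant named local_name in any of the given namespaces."""
    if parent is None:
        return None
    for ns in namespaces:
        found = parent.find(".//{%s}%s" % (ns, local_name))
        if found is not None:
            return found
    return None


def check_rst(envelope_xml):
    """Return (ok, reason) for a RequestSecurityToken envelope.

    ok is True only when a wsa:Action header is present and is one of the
    actions allowed for the wst:RequestType found in the body.
    """
    root = ET.fromstring(envelope_xml)
    body = _find_first(root, "Body", SOAP_NAMESPACES)
    if body is None:
        return False, "no SOAP Body"
    rt = body.find(".//{%s}RequestType" % WST_NS)
    request_type = (rt.text or "").strip() if rt is not None else ""
    if not request_type:
        return False, "no wst:RequestType in body"
    allowed = ALLOWED_ACTIONS.get(request_type)
    if allowed is None:
        return False, "unknown RequestType " + request_type
    header = _find_first(root, "Header", SOAP_NAMESPACES)
    action_el = _find_first(header, "Action", WSA_NAMESPACES)
    action = (action_el.text or "").strip() if action_el is not None else ""
    if not action:
        return False, "missing wsa:Action header"
    if action not in allowed:
        return False, "wsa:Action %s does not match RequestType %s" % (action, request_type)
    return True, "consistent"


def make_rst(action, request_type):
    """Build a constructed minimal SOAP 1.1 RST envelope (sample data, not a captured message)."""
    header = "<wsa:Action>%s</wsa:Action>" % action if action else ""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:wst="%s">'
        "<s:Header>%s</s:Header>"
        "<s:Body><wst:RequestSecurityToken>"
        "<wst:RequestType>%s</wst:RequestType>"
        "<wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>"
        "</wst:RequestSecurityToken></s:Body></s:Envelope>"
    ) % (WST_NS, header, request_type)


if __name__ == "__main__":
    # The case from the mail: a Validate body sent under the Issue action.
    print(check_rst(make_rst(WST_NS + "/RST/Issue", WST_NS + "/Validate")))
    # A consistent Validate request.
    print(check_rst(make_rst(WST_NS + "/RST/Validate", WST_NS + "/Validate")))
    # No wsa:Action at all.
    print(check_rst(make_rst(None, WST_NS + "/Cancel")))
```

The check deliberately treats a missing wsa:Action as a failure rather than falling back to the body, which is the opposite of the dispatch behaviour described in the mail; a deployment that needs to keep accepting action-less clients can log the mismatch instead of rejecting it and use the log to see which clients rely on it.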
