Hi All,

I'm working on JIRA issue [1].
There's a comment saying that the policy generated by the STS when secured
with Username Token is incorrect. As per the WS-Policy specification, the
default version of the username token is the wsse:UsernameToken as defined
in [WSS: Username Token Profile 1.0], and defining additional requirements
of the UsernameToken assertion as below is optional.

<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient">
      <wsp:Policy>
        <sp:WssUsernameToken10/>
      </wsp:Policy>
    </sp:UsernameToken>
  </wsp:Policy>
</sp:SignedSupportingTokens>

I tried to add this to the policy since it's been requested.
For that I added the above to the scenario1-policy.xml of the
org.wso2.carbon.security.mgt component at [2].
However, though the updated policy file can also be seen in the registry
(/_system/config/repository/components/org.wso2.carbon.security.mgt/policy/scenario1),
when applying UsernameToken security to the STS, the WSDL of the STS does
not show the additional requirements added to the Username Token assertion.
It just contains the assertion below.

<sp:SignedSupportingTokens xmlns:sp="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy">
  <wsp:Policy>
    <sp:UsernameToken sp:IncludeToken="http://schemas.xmlsoap.org/ws/2005/07/securitypolicy/IncludeToken/AlwaysToRecipient"/>
  </wsp:Policy>
</sp:SignedSupportingTokens>

I have also tried associating the policy file that is in the registry when
applying security to the STS. Yet it shows the same.
Then I updated the org.wso2.carbon.sts.xml file at
<PRODUCT_HOME>/repository/deployment/server/servicemetafiles/ with the
addition. This did not change the WSDL of the STS either.

Could somebody please help me to solve this problem or point out if I'm
doing something wrong here?

[1] https://wso2.org/jira/browse/IDENTITY-2537
[2]
https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/security/org.wso2.carbon.security.mgt/4.2.5/

Thanks,
Malithi.

-- 

*Malithi Edirisinghe*
Senior Software Engineer
WSO2 Inc.

Mobile : +94 (0) 718176807
[email protected]
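
Added example (not part of the original message and not WSO2 code): a small check that compares the sp:UsernameToken assertion in a stored policy with the one published in a WSDL and lists nested assertions, such as sp:WssUsernameToken10, that were dropped. The wsp namespace URI, the function names and the two sample documents are assumptions constructed from the fragments quoted in the message.

```python
import xml.etree.ElementTree as ET

SP = "http://schemas.xmlsoap.org/ws/2005/07/securitypolicy"
# Assumption: the message never shows the wsp binding; WS-Policy 1.2 is used for the samples.
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
VERSIONS = ("WssUsernameToken10", "WssUsernameToken11")

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]

def username_token_report(xml_text):
    """Return one dict per sp:UsernameToken found anywhere in the document."""
    report = []
    for token in ET.fromstring(xml_text).iter(f"{{{SP}}}UsernameToken"):
        # Nested requirements live in a Policy child of the token assertion.
        nested = [_local(child.tag)
                  for policy in token if _local(policy.tag) == "Policy"
                  for child in policy]
        include = (token.get(f"{{{SP}}}IncludeToken") or "").strip()
        report.append({
            "include_token": include.rsplit("/", 1)[-1],
            "nested": nested,
            "explicit_version": next((n for n in nested if n in VERSIONS), None),
        })
    return report

def dropped_assertions(stored_xml, published_xml):
    """Nested assertions present in the stored policy but missing from the published one."""
    stored = username_token_report(stored_xml)
    published = username_token_report(published_xml)
    dropped = []
    for i, tok in enumerate(stored):
        seen = published[i]["nested"] if i < len(published) else []
        dropped += [n for n in tok["nested"] if n not in seen]
    return dropped

def _sample(inner):
    # Constructed sample built from the fragments quoted in the message.
    return (f'<sp:SignedSupportingTokens xmlns:sp="{SP}" xmlns:wsp="{WSP}"><wsp:Policy>'
            f'<sp:UsernameToken sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">'
            f'{inner}</sp:UsernameToken></wsp:Policy></sp:SignedSupportingTokens>')

STORED = _sample("<wsp:Policy><sp:WssUsernameToken10/></wsp:Policy>")  # edited policy file
PUBLISHED = _sample("")                                                 # as seen in the WSDL

if __name__ == "__main__":
    print("stored:   ", username_token_report(STORED))
    print("published:", username_token_report(PUBLISHED))
    print("dropped:  ", dropped_assertions(STORED, PUBLISHED))
```

The same functions accept a full WSDL document, since the search for sp:UsernameToken walks the whole tree.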