[ https://issues.apache.org/jira/browse/CXF-3224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12976260#action_12976260 ]

Glen Mazza commented on CXF-3224:
---------------------------------

Willem, I'm not sure the KeyType and KeySize are fully useless, as the STS 
apparently also generates symmetric keys (or works with asymmetric ones) that 
the web service client uses to communicate with the web service provider:  
http://metro.1045641.n5.nabble.com/Question-on-SOAP-client-configuration-for-an-STS-tp1059660p1059668.html

.Net clients also add KeyType and KeySize, see here: 
http://metro.1045641.n5.nabble.com/Add-custom-element-in-RequestSecurityToken-td3248802.html

In this case, your STS probably generates the symmetric key by default 
("symmetric" is the default given in the WS-Trust spec), so other key types 
should probably return an error if your STS doesn't support it, but a KeyType 
of symmetric should be OK and permitted.  According to the WS-Trust spec, the 
KeySize, if given, can be fully ignored by the STS, but this field has meaning 
if the KeyType also has meaning.

As an aside, I just asked the Metro team how to decrypt the Metro STS request 
to see if it uses KeyType and KeySize:  
http://metro.1045641.n5.nabble.com/Viewing-the-STS-RequestSecurityToken-XML-td3323608.html
, but the link I gave at the top of this comment suggests it already does.


> WS-Trust: remove current wst:KeyType and wst:KeySize defaults
> -------------------------------------------------------------
>
>                 Key: CXF-3224
>                 URL: https://issues.apache.org/jira/browse/CXF-3224
>             Project: CXF
>          Issue Type: Improvement
>          Components: WS-* Components
>    Affects Versions: 2.3.1
>            Reporter: Willem Salembier
>
> Currently the RST always contains a wst:KeyType and wst:KeySize field. The 
> WS-Trust 1.3 specification says these tags are optional.
> We would like CXF to render the following simple RST to ask for a SAML v1.1 token.
>
>    <wst:RequestSecurityToken Context="abc"
>        xmlns:ns1="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>        xmlns:auth="http://schemas.xmlsoap.org/ws/2006/12/authorization"
>        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
>       <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
>       <wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2006/12/authorization/authclaims">
>          <auth:ClaimType Uri="urn:be:my_claim_attribute">
>             <auth:Value>1234</auth:Value>
>          </auth:ClaimType>
>       </wst:Claims>
>    </wst:RequestSecurityToken>
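Added example (not CXF code, nor the reporter's): an STS-side resolver for the optional wst:KeyType / wst:KeySize elements discussed in this thread, run against the reporter's minimal RST. The supported key-type set and the accepted KeySize range are assumed STS policy values; the SymmetricKey default and the "KeySize may be ignored" rule are the WS-Trust 1.3 behaviour described above.

```python
"""Added example: STS-side handling of the optional wst:KeyType / wst:KeySize
in a WS-Trust 1.3 RST. Not CXF code; the policy knobs are assumptions."""
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SYMMETRIC_KEY = WST + "/SymmetricKey"   # WS-Trust default when KeyType is absent
PUBLIC_KEY = WST + "/PublicKey"
BEARER = WST + "/Bearer"                # no proof key, so KeySize is meaningless

# The minimal RST from the issue description (no KeyType/KeySize at all).
RST_WITHOUT_KEYTYPE = f"""<wst:RequestSecurityToken Context="abc" xmlns:wst="{WST}"
    xmlns:auth="http://schemas.xmlsoap.org/ws/2006/12/authorization">
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</wst:TokenType>
  <wst:RequestType>{WST}/Issue</wst:RequestType>
  <wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2006/12/authorization/authclaims">
    <auth:ClaimType Uri="urn:be:my_claim_attribute"><auth:Value>1234</auth:Value></auth:ClaimType>
  </wst:Claims>
</wst:RequestSecurityToken>"""

class UnsupportedKeyType(ValueError):
    """The client asked for a key type this STS cannot issue (STS returns a fault)."""

def with_key_elements(key_type=None, key_size=None):
    """Constructed variant of the issue's RST with explicit KeyType / KeySize added."""
    root = ET.fromstring(RST_WITHOUT_KEYTYPE)
    if key_type is not None:
        ET.SubElement(root, f"{{{WST}}}KeyType").text = key_type
    if key_size is not None:
        ET.SubElement(root, f"{{{WST}}}KeySize").text = str(key_size)
    return ET.tostring(root)

def resolve_key_request(rst_xml, supported_key_types=frozenset({SYMMETRIC_KEY}),
                        allowed_sizes=range(128, 513)):
    """Return (key_type, key_size) the STS will honour.
    KeyType absent -> SymmetricKey; unsupported -> UnsupportedKeyType.
    KeySize is advisory: honoured only when sane and in allowed_sizes, else None
    (the STS picks). Both policy parameters are assumed, not from the spec."""
    root = ET.fromstring(rst_xml)
    kt = root.find(f"{{{WST}}}KeyType")
    key_type = kt.text.strip() if kt is not None and kt.text else SYMMETRIC_KEY
    if key_type not in supported_key_types:
        raise UnsupportedKeyType(key_type)
    key_size = None
    ks = root.find(f"{{{WST}}}KeySize")
    if ks is not None and key_type != BEARER:
        try:
            requested = int((ks.text or "").strip())
        except ValueError:
            requested = None
        if requested in allowed_sizes:
            key_size = requested
    return key_type, key_size
```

The reporter's RST resolves to SymmetricKey with an STS-chosen size, while a request for a key type the STS does not issue is rejected rather than silently downgraded.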

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.