Sergius Mohr created CXF-8236:
---------------------------------

             Summary: Support signature challenges in the STSClient
                 Key: CXF-8236
                 URL: https://issues.apache.org/jira/browse/CXF-8236
             Project: CXF
          Issue Type: Improvement
          Components: STS
    Affects Versions: 3.3.5
            Reporter: Sergius Mohr


WS-Trust 1.4 spec allows the process of obtaining a security token to consist 
not only of two messages (request for token, response with the token), but also 
to have some intermediate requests and responses. In these intermediate 
requests and responses, the STS may challenge the token requestor to answer a 
challenge (e.g. to sign a randomly generated string). Only after all challenges 
have been answered correctly will the STS send a real token. See e.g. chapter 
8.2 (Signature Challenges) of the WS-Trust spec.

STSClient (v3.3.5) currently does not support an Issue/Challenge-Answer like 
this:
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
  <soap11:Header>
    <wsa:ReplyTo xmlns:wsa="http://www.w3.org/2005/08/addressing">
      <wsa:Address>https://...ists.tgic.de/RST/Issue</wsa:Address>
    </wsa:ReplyTo>
    <wsa:Action xmlns:wsa="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue</wsa:Action>
    <wsa:MessageID xmlns:wsa="http://www.w3.org/2005/08/addressing">uuid:44ef50f3-7991-48db-9cee-27e71e1082cd</wsa:MessageID>
    <wsa:RelatesTo xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:uuid:2000fce3-36ee-4f12-9eb1-7f949b3f524b</wsa:RelatesTo>
  </soap11:Header>
  <soap11:Body>
    <wst:RequestSecurityTokenResponse Context="abcc2adc-ae05-43c3-ab09-e1ba71d5a157" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:SignChallenge>
        <wst:Challenge>7416357016</wst:Challenge>
      </wst:SignChallenge>
    </wst:RequestSecurityTokenResponse>
  </soap11:Body>
</soap11:Envelope>
{code}
I am currently trying to implement this (dirty) by overriding some of the 
STSClient methods. I am not familiar enough with the CXF code.

This topic is on the rise in Germany in the insurance industry ("TGIC" single 
sign-on; electronic health card "ePA").

Please implement this feature in a future release.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
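The multi-leg Issue exchange the ticket describes (RST, RSTR carrying a SignChallenge, RSTR carrying the SignChallengeResponse, RSTR carrying the token), as an added stand-alone model of both sides. This is example code written for this page, not CXF or STSClient code and not anything from the reporter. It assumes a toy STS and client in one process, and it stands in for the WS-Security signature the requestor would put on its answer with an HMAC over the Context and the challenge, carried in a made-up element `ex:HmacStandIn` in the made-up namespace `urn:example:hmac-stand-in`, so that it runs with the standard library only. The SignChallenge/Challenge element shapes follow the message quoted above.

```python
"""WS-Trust 1.4 signature-challenge round trip (spec section 8.2), modelled
end to end. Constructed example; the HMAC element is a stand-in for the real
WS-Security signature, not part of WS-Trust."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
EX = "urn:example:hmac-stand-in"  # assumed namespace for the stand-in proof element
NS = {"wst": WST, "ex": EX}
ET.register_namespace("wst", WST)
ET.register_namespace("ex", EX)


def wst(local: str) -> str:
    return f"{{{WST}}}{local}"


def ex(local: str) -> str:
    return f"{{{EX}}}{local}"


def sign(key: bytes, context: str, challenge: str) -> str:
    # Stand-in for the requestor's signature: bound to the Context as well as the
    # challenge, so a captured answer cannot be replayed into another request.
    return hmac.new(key, f"{context}|{challenge}".encode(), hashlib.sha256).hexdigest()


class Sts:
    """Issuer side: challenges every Issue once, releases the token only afterwards."""

    def __init__(self, requestor_key: bytes):
        self.requestor_key = requestor_key
        self.pending = {}  # Context -> challenge still awaiting an answer

    def handle(self, message: bytes) -> bytes:
        root = ET.fromstring(message)
        context = root.get("Context")
        if context is None:
            raise ValueError("message without a Context attribute")
        if root.tag == wst("RequestSecurityToken"):
            challenge = str(secrets.randbelow(10**10)).zfill(10)  # e.g. 7416357016
            self.pending[context] = challenge
            rstr = ET.Element(wst("RequestSecurityTokenResponse"), Context=context)
            ET.SubElement(ET.SubElement(rstr, wst("SignChallenge")), wst("Challenge")).text = challenge
            return ET.tostring(rstr)
        if root.tag == wst("RequestSecurityTokenResponse"):
            answer = root.find("wst:SignChallengeResponse/wst:Challenge", NS)
            proof = root.find("ex:HmacStandIn", NS)
            expected = self.pending.pop(context, None)  # single use, whatever the outcome
            if answer is None or proof is None or expected is None:
                raise PermissionError("no challenge outstanding for this Context")
            if not hmac.compare_digest(answer.text or "", expected):
                raise PermissionError("echoed challenge differs from the one issued")
            if not hmac.compare_digest(proof.text or "", sign(self.requestor_key, context, expected)):
                raise PermissionError("answer is not signed by the expected requestor")
            rstr = ET.Element(wst("RequestSecurityTokenResponse"), Context=context)
            ET.SubElement(rstr, wst("RequestedSecurityToken")).text = f"token-for-{context}"
            return ET.tostring(rstr)
        raise ValueError(f"unexpected message {root.tag}")


class StsClient:
    """Requestor side: loops over RSTRs, answering challenges, until a token arrives."""

    def __init__(self, key: bytes, max_rounds: int = 3):
        self.key = key
        self.max_rounds = max_rounds  # bound the loop so a hostile STS cannot spin us forever

    def request_token(self, sts: Sts, context: str) -> str:
        rst = ET.Element(wst("RequestSecurityToken"), Context=context)
        ET.SubElement(rst, wst("RequestType")).text = WST + "/Issue"
        outgoing = ET.tostring(rst)
        for _ in range(self.max_rounds):
            reply = ET.fromstring(sts.handle(outgoing))
            if reply.tag != wst("RequestSecurityTokenResponse") or reply.get("Context") != context:
                raise ValueError("RSTR does not belong to our request")
            token = reply.find("wst:RequestedSecurityToken", NS)
            if token is not None:
                return token.text or ""
            challenge = reply.find("wst:SignChallenge/wst:Challenge", NS)
            if challenge is None or not challenge.text:
                raise ValueError("RSTR carries neither a token nor a SignChallenge")
            answer = ET.Element(wst("RequestSecurityTokenResponse"), Context=context)
            ET.SubElement(ET.SubElement(answer, wst("SignChallengeResponse")), wst("Challenge")).text = challenge.text
            ET.SubElement(answer, ex("HmacStandIn")).text = sign(self.key, context, challenge.text)
            outgoing = ET.tostring(answer)
        raise RuntimeError(f"no token after {self.max_rounds} challenge rounds")


def run_demo() -> dict:
    """Legitimate requestor gets a token; one with the wrong key is refused."""
    key = secrets.token_bytes(32)
    sts = Sts(key)
    results = {"token": StsClient(key).request_token(sts, "ctx-1")}
    try:
        StsClient(b"not-the-requestor-key").request_token(sts, "ctx-2")
        results["impostor"] = "accepted"
    except PermissionError:
        results["impostor"] = "rejected"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The two things the client needs beyond "send RST, read token" are the bounded loop and the check that every RSTR carries the Context of the request it is answering; the STS side consumes the outstanding challenge on first use so that a captured answer is worthless a second time.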