Sergius Mohr created CXF-8240:
---------------------------------
Summary: STSClient produces wrong element order for TokenType (issue, renew)
Key: CXF-8240
URL: https://issues.apache.org/jira/browse/CXF-8240
Project: CXF
Issue Type: Bug
Components: STS
Affects Versions: 3.3.5
Reporter: Sergius Mohr
Scenario: using STSClient to call an STS server via SOAP, creating an issue request
according to the WS-Trust spec.
I have read the WS-Trust specs from 1.0 to 1.4, and the elements under
RequestSecurityToken should be in this order: TokenType, RequestType, etc.
see spec:
[http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html#_Toc325658937]
{code:xml}
<wst:RequestSecurityToken Context="..." xmlns:wst="...">
<wst:TokenType>...</wst:TokenType>
<wst:RequestType>...</wst:RequestType>
...
</wst:RequestSecurityToken>
{code}
STSClient produces in most cases this element order:
{code:xml}
<wst:RequestSecurityToken Context="..." xmlns:wst="...">
<wst:RequestType>...</wst:RequestType>
<wst:TokenType>...</wst:TokenType>
...
</wst:RequestSecurityToken>
{code}
This produces a schema-invalid request that is rejected by servers (like MS ADFS
or IBM DataPower).
One workaround is to override addRequestType():
{code:java}
@Override
protected void addRequestType(String requestType, W3CDOMStreamWriter writer)
        throws XMLStreamException {
    // Correct the element order: write TokenType first, then RequestType.
    addTokenType(writer);
    // Clear the token type so the later addTokenType() call in issue()/renew()
    // does not write the element a second time.
    setTokenType(null);
    super.addRequestType(requestType, writer);
}
{code}
Another workaround is to set the "template" on STSClient (I found no documentation
for this; I used OpenSAML 3 code):
{code:java}
import org.opensaml.core.xml.config.XMLObjectProviderRegistrySupport;
import org.opensaml.core.xml.io.MarshallerFactory;
import org.opensaml.soap.wstrust.RequestSecurityToken;
import org.opensaml.soap.wstrust.TokenType;
import org.opensaml.soap.wstrust.impl.RequestSecurityTokenBuilder;
import org.opensaml.soap.wstrust.impl.RequestSecurityTokenMarshaller;
import org.opensaml.soap.wstrust.impl.TokenTypeBuilder;
import org.opensaml.soap.wstrust.impl.TokenTypeMarshaller;

// Build a RequestSecurityToken that already contains the TokenType element and
// hand it to STSClient as the template (stsClient is an existing STSClient instance).
MarshallerFactory marshallerFactory =
        XMLObjectProviderRegistrySupport.getMarshallerFactory();
RequestSecurityToken requestSecurityTokenObject =
        new RequestSecurityTokenBuilder().buildObject();
TokenType tokenType = new TokenTypeBuilder().buildObject();
marshallerFactory.registerMarshaller(TokenType.ELEMENT_NAME, new TokenTypeMarshaller());
requestSecurityTokenObject.getUnknownXMLObjects().add(tokenType);
tokenType.setValue("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
// marshall() throws org.opensaml.core.xml.io.MarshallingException
stsClient.setTemplate(new RequestSecurityTokenMarshaller().marshall(requestSecurityTokenObject));
{code}
It's not better.
Please fix this by moving the call to addTokenType() in AbstractSTSClient (in
issue() and renew()) to before addRequestType().
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
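An added example (not part of the issue or of CXF) that checks an outgoing RequestSecurityToken for the TokenType/RequestType order the report describes and rewrites it into spec order, so a test or an outbound message hook can catch the wrong order before an STS rejects it. It assumes the WS-Trust 1.3 namespace and uses a constructed sample message.

```python
import xml.etree.ElementTree as ET

# Assumption: the STS speaks WS-Trust 1.3 (CXF's default namespace); pass another
# namespace to the functions below for a 1.0/1.2 endpoint.
WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
ET.register_namespace("wst", WST_NS)
# Leading children of RequestSecurityToken, in the order the WS-Trust spec lists them.
SPEC_ORDER = ("TokenType", "RequestType")

def _local(tag):
    return tag.rsplit("}", 1)[-1]

def child_order(xml_text, wst_ns=WST_NS):
    """Local names of the children of the first RequestSecurityToken, in document order."""
    rst = next(ET.fromstring(xml_text).iter("{%s}RequestSecurityToken" % wst_ns))
    return [_local(c.tag) for c in rst]

def check_rst_order(xml_text, wst_ns=WST_NS):
    """Return one message per SPEC_ORDER pair that appears out of order; [] means OK."""
    names = child_order(xml_text, wst_ns)
    pos = {n: names.index(n) for n in SPEC_ORDER if n in names}
    return ["%s must precede %s" % (a, b)
            for a, b in zip(SPEC_ORDER, SPEC_ORDER[1:])
            if a in pos and b in pos and pos[a] > pos[b]]

def reorder_rst(xml_text, wst_ns=WST_NS):
    """Move SPEC_ORDER children to the front (in spec order); the other children
    keep their relative order. Returns the rewritten document as text."""
    root = ET.fromstring(xml_text)
    for rst in root.iter("{%s}RequestSecurityToken" % wst_ns):
        children = list(rst)
        head = [c for n in SPEC_ORDER for c in children if _local(c.tag) == n]
        tail = [c for c in children if not any(c is h for h in head)]
        for c in children:
            rst.remove(c)
        rst.extend(head + tail)
    return ET.tostring(root, encoding="unicode")

# Constructed sample in the order STSClient 3.3.5 emits for issue(): RequestType first.
BAD_RST = """<wst:RequestSecurityToken Context="ctx-1" xmlns:wst="%s">
  <wst:RequestType>%s/Issue</wst:RequestType>
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
  <wst:KeyType>%s/PublicKey</wst:KeyType>
</wst:RequestSecurityToken>""" % (WST_NS, WST_NS, WST_NS)

if __name__ == "__main__":
    print(check_rst_order(BAD_RST))                 # ['TokenType must precede RequestType']
    print(check_rst_order(reorder_rst(BAD_RST)))    # []
```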