[ https://issues.apache.org/jira/browse/CXF-8240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17058126#comment-17058126 ]

Sergius Mohr commented on CXF-8240:
-----------------------------------

Thanks. Without workarounds I receive this error:
{code:xml}
<?xml version="1.0" encoding="UTF-8"?>
<soap11:Envelope xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
  <soap11:Body>
    <soap11:Fault>
      <faultcode>soap11:Client</faultcode>
      <faultstring>Client Error</faultstring>
      <detail>
        <istserror:Error xmlns:istserror="http://www.tgic.de/intern/itc/ISTSError/1.1">
          <Details Code="3009">
            <Type>soap11:Client</Type>
            <Reason>Der Sender verwendet ein ungueltiges Nachrichtenschema</Reason>
            <Detail>WSDL-Konformitaetspruefung der eingehenden Nachricht 
fehlgeschlagen: http://exttest-ists-v2.tgic.de:80/RST/Issue: cvc-particle 3.1: 
in element 
{http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityToken of type 
{http://docs.oasis-open.org/ws-sx/ws-trust/200512}RequestSecurityTokenType, 
found &lt;wst:RequestType> (in namespace 
http://docs.oasis-open.org/ws-sx/ws-trust/200512), but next item should be 
{http://docs.oasis-open.org/ws-sx/ws-trust/200512}TokenType</Detail>
          </Details>
          <SupportInfo ReferenceId="ists-core-v2-93d045a4-c2a2-4a71-b456-27e71e106add">
            <Instance>BB-SG-ETU-01</Instance>
            <SessionId>4622fdd8-f289-43f4-b84a-27e71e10043c</SessionId>
            <Timestamp>2020-03-12T17:11:14Z</Timestamp>
          </SupportInfo>
        </istserror:Error>
      </detail>
    </soap11:Fault>
  </soap11:Body>
</soap11:Envelope>
{code}

I believe this provider made some changes to the XSDs:

{code:xml}
  <!-- 
      Tailored for ISTS
      =================
   
      - IssueRequestRST
      - CancelRequestRST
      - ValidateRequestRST
  -->
  <xs:complexType name="IssueRequestRST">
    <xs:sequence>
      <xs:element name="RequestSecurityToken" type="ists:tIssueRequestRST" />
    </xs:sequence>
  </xs:complexType>
  
  <!-- ISTS-specific types and enumerations for WS-Trust 1.3 -->
  
  <xsd:complexType name='tIssueRequestRST' >
      <xsd:sequence>
          <xsd:element ref='wst:TokenType' />
          <xsd:element ref='wst:RequestType' />
          <xsd:element ref='wsp:AppliesTo' />
          <xsd:element ref='wst:Claims' />
          <xsd:element ref='wst:Lifetime' minOccurs='0' />
          <xsd:element ref='wst:AuthenticationType' minOccurs='0' />
      </xsd:sequence>
      <xsd:attribute name='Context' type='xsd:anyURI' use='optional' />
  </xsd:complexType>
{code}

"sequence" made the order mandatory.

> STSClient produces wrong element order for TokenType (issue, renew)
> -------------------------------------------------------------------
>
>                 Key: CXF-8240
>                 URL: https://issues.apache.org/jira/browse/CXF-8240
>             Project: CXF
>          Issue Type: Bug
>          Components: STS
>    Affects Versions: 3.3.5
>            Reporter: Sergius Mohr
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>              Labels: sts-client
>             Fix For: 3.4.0, 3.3.6
>
>
> Scenario: using STSClient to call an STS server via SOAP, creating an issue 
> request according to the WS-Trust spec.
> I have read the WS-Trust specs from 1.0 to 1.4, and the elements under 
> RequestSecurityToken should be in this order: TokenType, RequestType, etc.
> See spec: 
> [http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html#_Toc325658937]
> {code:xml}
> <wst:RequestSecurityToken Context="..." xmlns:wst="...">
>    <wst:TokenType>...</wst:TokenType>
>    <wst:RequestType>...</wst:RequestType>
>        ...
> </wst:RequestSecurityToken>
> {code}
> In most cases STSClient produces this element order:
> {code:xml}
> <wst:RequestSecurityToken Context="..." xmlns:wst="...">
>    <wst:RequestType>...</wst:RequestType>
>    <wst:TokenType>...</wst:TokenType>
>        ...
> </wst:RequestSecurityToken>
> {code}
>  
> This produces a schema-invalid request that is rejected by servers (like MS 
> ADFS or IBM DataPower).
>  
> One workaround is to override addRequestType:
> {code:java}
> @Override
> protected void addRequestType(String requestType, W3CDOMStreamWriter writer) throws XMLStreamException {
>     // correction of the element order: TokenType first and then the RequestType
>     addTokenType(writer);
>     setTokenType(null);
>     super.addRequestType(requestType, writer);
> }
> {code}
> Another workaround is to set the "template" on STSClient (no documentation 
> found for this, I used OpenSAML3 code for this):
> {code:java}
> MarshallerFactory marshallerFactory = XMLObjectProviderRegistrySupport.getMarshallerFactory();
> RequestSecurityToken requestSecurityTokenObject = new RequestSecurityTokenBuilder().buildObject();
> TokenType tokenType = new TokenTypeBuilder().buildObject();
> marshallerFactory.registerMarshaller(TokenType.ELEMENT_NAME, new TokenTypeMarshaller());
> // TokenType is added to the RST template so that it is emitted first
> requestSecurityTokenObject.getUnknownXMLObjects().add(tokenType);
> tokenType.setValue("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
> stsClient.setTemplate(new RequestSecurityTokenMarshaller().marshall(requestSecurityTokenObject));
> {code}
> It's not better.
>  
> Please fix this by moving the call to addTokenType() in 
> AbstractSTSClient (in issue() and renew()) to before addRequestType().
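As an added example (not code from the reporter or from CXF), the following Python check walks the children of a RequestSecurityToken against the xsd:sequence quoted in the comment the way a schema validator does, reproducing a cvc-particle fault for the element order described in the report, and shows the reordering that the addRequestType override achieves. The WS-Policy namespace assumed for wsp:AppliesTo and the sample request are constructed for this example.

```python
import xml.etree.ElementTree as ET
WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"  # assumed namespace behind wsp:
ET.register_namespace("wst", WST_NS)
ET.register_namespace("wsp", WSP_NS)
def qn(ns, local):
    """Clark-notation name, the form in which ElementTree reports tags."""
    return "{%s}%s" % (ns, local)
# The xsd:sequence of tIssueRequestRST quoted in the comment: (element, minOccurs).
# maxOccurs is the default 1, so each particle matches at most one child.
SEQUENCE = [
    (qn(WST_NS, "TokenType"), 1),
    (qn(WST_NS, "RequestType"), 1),
    (qn(WSP_NS, "AppliesTo"), 1),
    (qn(WST_NS, "Claims"), 1),
    (qn(WST_NS, "Lifetime"), 0),
    (qn(WST_NS, "AuthenticationType"), 0),
]
def check_rst_order(xml_text):
    """Match the children of RequestSecurityToken against the sequence particle by
    particle, as a schema validator does. Returns None if valid, else an error string."""
    children = [child.tag for child in ET.fromstring(xml_text)]
    pos = 0
    for tag, min_occurs in SEQUENCE:
        if pos < len(children) and children[pos] == tag:
            pos += 1                 # particle satisfied, consume this child
        elif min_occurs == 1:        # required particle missing at this position
            found = children[pos] if pos < len(children) else "end of content"
            return "cvc-particle: found %s, but next item should be %s" % (found, tag)
    if pos < len(children):
        return "cvc-particle: unexpected element %s after the sequence" % children[pos]
    return None

def reorder_rst(xml_text):
    """Rewrite the request into schema order (what the addRequestType override in the
    report achieves); elements not in the sequence keep their relative order at the end."""
    root = ET.fromstring(xml_text)
    rank = {tag: n for n, (tag, _) in enumerate(SEQUENCE)}
    children = list(root)
    for child in children:
        root.remove(child)
    root.extend(sorted(children, key=lambda e: rank.get(e.tag, len(rank))))
    return ET.tostring(root, encoding="unicode")
# Constructed sample in the order the report says CXF 3.3.5 emitted (RequestType first).
BAD_RST = """<wst:RequestSecurityToken Context="ctx-1" xmlns:wst="%s" xmlns:wsp="%s">
  <wst:RequestType>%s/Issue</wst:RequestType>
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
  <wsp:AppliesTo/><wst:Claims/>
</wst:RequestSecurityToken>""" % (WST_NS, WSP_NS, WST_NS)
```

Running check_rst_order on BAD_RST yields the same "found RequestType, but next item should be TokenType" complaint as the ISTS fault above, and check_rst_order(reorder_rst(BAD_RST)) returns None.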



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
