[jira] [Resolved] (CXF-8240) STSClient produces wrong element order for TokenType (issue, renew)

Fri, 13 Mar 2020 02:16:46 -0700 


     [ 
https://issues.apache.org/jira/browse/CXF-8240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh resolved CXF-8240.
--------------------------------------
    Resolution: Fixed

> STSClient produces wrong element order for TokenType (issue, renew)
> -------------------------------------------------------------------
>
>                 Key: CXF-8240
>                 URL: https://issues.apache.org/jira/browse/CXF-8240
>             Project: CXF
>          Issue Type: Bug
>          Components: STS
>    Affects Versions: 3.3.5
>            Reporter: Sergius Mohr
>            Assignee: Colm O hEigeartaigh
>            Priority: Minor
>              Labels: sts-client
>             Fix For: 3.4.0, 3.3.6
>
>
> Scenario: using STSClient to call a STS server via SOAP. Creating issue 
> request according to WS-Trust spec.
> I have read the WS-Trust sepcs from 1.0 to 1.4 and the elements under 
> RequestSecurityToken should be in this order: TokenType, RequestType, etc.
> see spec: 
> [http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html#_Toc325658937]
> {code:xml}
> <wst:RequestSecurityToken Context="..." xmlns:wst="...">
>    <wst:TokenType>...</wst:TokenType>
>    <wst:RequestType>...</wst:RequestType>
>        ...
> </wst:RequestSecurityToken>
> {code}
> STSClient produces in most cases this element order:
> {code:xml}
> <wst:RequestSecurityToken Context="..." xmlns:wst="...">
>    <wst:RequestType>...</wst:RequestType>
>    <wst:TokenType>...</wst:TokenType>
>        ...
> </wst:RequestSecurityToken>
> {code}
>  
> This produces a schema invalid request and is rejected by servers (like MS 
> ADFS or IBM DataPower).
>  
> One Workaround is to override the addRequestType:
> {code:java}
> @Override
> protected void addRequestType(String requestType, W3CDOMStreamWriter writer) 
> throws XMLStreamException {
>       //correction of the element order: TokenType first and then the 
> RequestType
>       addTokenType(writer);
>       setTokenType(null);
>       super.addRequestType(requestType, writer);
> }
> {code}
> Another Workaround is to set the "template" to STSClient (no documentation 
> found to this, i used OpenSAML3 code for this):
> {code:java}
> MarshallerFactory marshallerFactory = 
> XMLObjectProviderRegistrySupport.getMarshallerFactory();
> RequestSecurityToken requestSecurityTokenObject = new 
> RequestSecurityTokenBuilder().buildObject();
> TokenType tokenType = new TokenTypeBuilder().buildObject();
> marshallerFactory.registerMarshaller(TokenType.ELEMENT_NAME, new 
> TokenTypeMarshaller());
> requestSecurityTokenObject.getUnknownXMLObjects().add(tokenType);
> tokenType.setValue("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";);
> stsClient.setTemplate(new 
> RequestSecurityTokenMarshaller().marshall(requestSecurityTokenObject));
> {code}
> It's not better.
>  
> Please fix this by moving the calling of addTokenType() method in 
> AbstractSTSClient (in issue() and renew()) to before the addRequestType().



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to