[
https://issues.apache.org/jira/browse/CXF-8236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh updated CXF-8236:
-------------------------------------
Fix Version/s: 3.4.0
> Support signature challenges in the STSClient
> ---------------------------------------------
>
> Key: CXF-8236
> URL: https://issues.apache.org/jira/browse/CXF-8236
> Project: CXF
> Issue Type: Improvement
> Components: STS
> Affects Versions: 3.3.5
> Reporter: Sergius Mohr
> Priority: Minor
> Labels: sts-client
> Fix For: 3.4.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> WS-Trust 1.4 spec allows the process of obtaining a security token to consist
> not only of two messages (request for token, response with the token), but
> also to have some intermediate requests and responses. In these intermediate
> requests and responses, the STS may challenge the token requestor to answer a
> challenge (e.g. to sign a randomly generated string). Only after all
> challenges have been answered correctly, would the STS send a real token. See
> e.g. chapter 8.2 (Signature Challenges) of the WS-Trust spec.
> STSClient (v3.3.5) currently does not support an Issue/Challenge-Answer like
> this:
> {code:xml}
> <?xml version="1.0" encoding="UTF-8"?>
> <soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
> <soap11:Header>
> <wsa:ReplyTo xmlns:wsa="http://www.w3.org/2005/08/addressing">
> <wsa:Address>https://...ists.tgic.de/RST/Issue</wsa:Address>
> </wsa:ReplyTo>
> <wsa:Action
> xmlns:wsa="http://www.w3.org/2005/08/addressing">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Issue</wsa:Action>
> <wsa:MessageID
> xmlns:wsa="http://www.w3.org/2005/08/addressing">uuid:44ef50f3-7991-48db-9cee-27e71e1082cd</wsa:MessageID>
> <wsa:RelatesTo
> xmlns:wsa="http://www.w3.org/2005/08/addressing">urn:uuid:2000fce3-36ee-4f12-9eb1-7f949b3f524b</wsa:RelatesTo>
> </soap11:Header>
> <soap11:Body>
> <wst:RequestSecurityTokenResponse
> Context="abcc2adc-ae05-43c3-ab09-e1ba71d5a157"
> xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
> <wst:SignChallenge>
> <wst:Challenge>7416357016</wst:Challenge>
> </wst:SignChallenge>
> </wst:RequestSecurityTokenResponse>
> </soap11:Body>
> </soap11:Envelope>
> {code}
> I am currently trying to implement this (dirty) by overriding some of the
> STSClient methods. I am not familiar enough with CXF code.
> This topic is on the rise in Germany in the insurance industry ("TGIC" single
> sign on; electronic health card "ePA").
> Please implement this feature in a future release.
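The challenge step described in the issue, as an added message-level example (not CXF or STSClient code, and not part of the original report): it classifies an RSTR as a signature challenge or a final token and builds the body of the answering RSTR, which per WS-Trust section 8.2 echoes the challenge unchanged under the same Context. The function names are hypothetical, the sample is cut down from the message quoted above, and signing the outgoing message is left to the WS-Security layer.

```python
import xml.etree.ElementTree as ET

SOAP11 = "http://schemas.xmlsoap.org/soap/envelope/"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
NS = {"soap11": SOAP11, "wst": WST}

# Constructed sample: body of the RSTR quoted in the issue, SOAP headers omitted.
SAMPLE_RSTR = """<soap11:Envelope xmlns:soap11="http://schemas.xmlsoap.org/soap/envelope/">
 <soap11:Body>
  <wst:RequestSecurityTokenResponse Context="abcc2adc-ae05-43c3-ab09-e1ba71d5a157"
      xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <wst:SignChallenge><wst:Challenge>7416357016</wst:Challenge></wst:SignChallenge>
  </wst:RequestSecurityTokenResponse>
 </soap11:Body>
</soap11:Envelope>"""


def parse_rstr(xml_text):
    """Return ('challenge', context, value) or ('token', context, None); raise otherwise."""
    if "<!DOCTYPE" in xml_text:  # SOAP messages carry no DTD; refuse entity tricks
        raise ValueError("DTD not allowed in a SOAP message")
    body = ET.fromstring(xml_text).find("soap11:Body", NS)
    # The final RSTR may be wrapped in a RequestSecurityTokenResponseCollection.
    rstr = None if body is None else body.find(".//wst:RequestSecurityTokenResponse", NS)
    if rstr is None:
        raise ValueError("no RequestSecurityTokenResponse in the SOAP body")
    context = rstr.get("Context")
    challenge = rstr.find("wst:SignChallenge/wst:Challenge", NS)
    if challenge is not None:
        value = (challenge.text or "").strip()
        if not context or not value:  # cannot correlate or answer: fail closed
            raise ValueError("challenge without Context or value")
        return ("challenge", context, value)
    if rstr.find("wst:RequestedSecurityToken", NS) is not None:
        return ("token", context, None)
    raise ValueError("RSTR carries neither a challenge nor a token")


def build_challenge_answer(context, value):
    """Build the follow-up RSTR body; the message signature must cover this element."""
    ET.register_namespace("wst", WST)
    rstr = ET.Element("{%s}RequestSecurityTokenResponse" % WST, {"Context": context})
    answer = ET.SubElement(rstr, "{%s}SignChallengeResponse" % WST)
    ET.SubElement(answer, "{%s}Challenge" % WST).text = value
    return ET.tostring(rstr, encoding="unicode")
```

A client loop would call `parse_rstr` on each response and keep answering while it returns `"challenge"`, stopping at `"token"` or on the first error.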