Oops! Sorry, I used the wrong property names in the original post. I meant to say:
ws-security.sts.token.properties ws-security.sts.token.properties.decrypt See below the fold for the corrected posting. Fintan Bolton wrote: > > Hi, > > I'm having a hard time getting to grips with WS-Trust in CXF. The > interoperability demo works just fine, but I find it difficult to > understand exactly what is going on. > > The following properties don't seem to be documented anywhere on the CXF > Web site: > > ws-security.sts.token.properties > ws-security.sts.token.properties.decrypt > > So I had a peek at the source code to try and figure out what these > properties are for. I could not really figure out how the > ws-security.sts.token.properties.decrypt property is meant to be used. To > be specific, I need to talk about a particular scenario. > > The scenario I am currently looking at is > Scenario_7_IssuedTokenOverTransport_UsernameOverTransport. Briefly, this > WS-Trust scenario has the following characteristics: > > * Uses HTTPS transport. > * Client authenticates itself to STS using UsernameToken credentials. > * Client requests SAML token from STS. > * Client's certificate is Alice, STS certificate is WssIP, Service's > certificate is Bob. > * STS has the public key from the Service's certificate and the Service > has the public key from the STS certificate. [This is according to the > scenario description document from the WCF Interoperability Lab.] > > In the client configuration, the ws-security.sts.token.properties.decrypt > property references Bob's PKCS#12 certificate (which includes both a > public key and a private key). As far as I can tell from the source code, > the client uses this certificate to decrypt the SAML token received from > the STS. Now if the STS has only got Bob's public key, the STS must be > using Bob's public key to encrypt the SAML token and that suggests that > the client is using Bob's *private* key to decrypt the SAML token. > > This is where I get confused. In a real deployment, it seems to me that > the client would not have access to Bob's private key (it belongs to the > remote service). Have I interpreted the source code correctly? > > Cheers, > Fintan > -- View this message in context: http://www.nabble.com/Understanding-the-WS-Trust-client-tp24204404p24204603.html Sent from the cxf-user mailing list archive at Nabble.com.
