Hi Colm,

<<<
You can turn this off by setting the following jax-ws property
"ws-security.is-bsp-compliant" to "false" for the service provider.
>>>

Does setting "ws-security.is-bsp-compliant" to "false" make the Service
Provider not check the wsse11:TokenType attribute? ADFS2.0 doesn't enforce
the wsse11:TokenType attribute, so the security token that I got from ADFS2.0
wouldn't contain a wsse11:TokenType attribute. I set
"ws-security.is-bsp-compliant" through the client configuration file like
below, but it didn't change the result. I am getting the same exception.


   <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
                 createdFromAPI="true">
       <jaxws:properties>
           <entry key="ws-security.is-bsp-compliant" value="false"/>
           <entry key="ws-security.sts.client">
               <bean class="org.apache.cxf.ws.security.trust.STSClient">
                   <constructor-arg ref="cxf"/>
                   <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
........


Gina
On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <[email protected]> wrote:

> CXF enforces the Basic Security Profile 1.1 spec:
>
> http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>
> "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
> wsse11:TokenType attribute with a value of
> "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"."
>
> You can turn this off by setting the following jax-ws property
> "ws-security.is-bsp-compliant" to "false" for the service provider.
>
> Colm.
>
> On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi <[email protected]> wrote:
>
> > I did some research and looked at the OASIS specification
> > (https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf),
> > and it looks like the wsse11:TokenType attribute is optional for SAML 1.1,
> > but should contain
> > http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1.
> >
> >
> > <<<
> >
> > Now I am getting 'An invalid security token was provided (Bad TokenType
> > "")'. I debugged through the code again and the following is the issue:
> > org.apache.ws.security.str.BSPEnforcer.java (wss4j-1.6.6.jar), lines 162-169
> >
> >        String tokenType = secRef.getTokenType();
> >        if (assertion.getSaml1() != null &&
> > !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
> >            throw new WSSecurityException(
> >                WSSecurityException.INVALID_SECURITY_TOKEN,
> >                "invalidTokenType",
> >                 new Object[]{tokenType}
> >            );
> >        }
> > The content of the secRef object is as follows. As you can see from the above code,
> > it is looking for an attribute named "TokenType", whose value is
> > "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
> > but the SecurityTokenReference doesn't have it. That's why it throws the
> > exception. What can we do about this? I am going to update CXF-4367 with
> > new content.
> >
> > <o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> >   <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">
> >     _ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
> > </o:SecurityTokenReference>
> >
> > >>>
> >
>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>

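The check that Gina traced in WSS4J's BSPEnforcer, re-implemented in Python as an added example (this is not CXF or WSS4J code and did not appear in the thread). It parses the ADFS 2.0 SecurityTokenReference quoted above, which carries no wsse11:TokenType, and applies the R6611 rule only when `bsp_compliant` is true; with it false the attribute is not required, which is the effect of `ws-security.is-bsp-compliant=false` on the side that processes the Security header (Colm's reply asks for it on the service provider, not the client). The function names `check_saml11_str`, `add_saml11_token_type` and `demo` are this example's own; the namespace URIs are the standard OASIS values, and the sample STR is the one from the thread.

```python
import xml.etree.ElementTree as ET

# Standard OASIS namespace and ValueType URIs (the same constants WSS4J
# keeps in WSConstants).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
SAML11_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
SAML_ASSERTION_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"

ET.register_namespace("wsse", WSSE)
ET.register_namespace("wsse11", WSSE11)


class InvalidSecurityToken(Exception):
    """Stand-in for WSSecurityException(INVALID_SECURITY_TOKEN) in this example."""


def check_saml11_str(str_xml, bsp_compliant=True):
    """Return the assertion id referenced by a wsse:SecurityTokenReference.

    bsp_compliant=True reproduces R6611: an STR to a SAML 1.1 assertion must
    carry wsse11:TokenType="...#SAMLV1.1" or the token is rejected with the
    same message the thread shows. bsp_compliant=False drops that requirement,
    which is what ws-security.is-bsp-compliant=false does on the receiving side.
    """
    root = ET.fromstring(str_xml)
    if root.tag != f"{{{WSSE}}}SecurityTokenReference":
        raise InvalidSecurityToken("element is not a wsse:SecurityTokenReference")

    key_id = root.find(f"{{{WSSE}}}KeyIdentifier")
    if key_id is None or key_id.get("ValueType") != SAML_ASSERTION_ID:
        raise InvalidSecurityToken("STR does not reference a SAML assertion by id")

    # Namespaced attribute lookup: missing attribute reads as "" here, which is
    # exactly the 'Bad TokenType ""' seen in the thread.
    token_type = root.get(f"{{{WSSE11}}}TokenType", "")
    if bsp_compliant and token_type != SAML11_TOKEN_TYPE:
        raise InvalidSecurityToken(
            f'An invalid security token was provided (Bad TokenType "{token_type}")'
        )
    return (key_id.text or "").strip()


def add_saml11_token_type(str_xml):
    """Return the STR with the R6611-mandated wsse11:TokenType attribute added.

    This is what a BSP-compliant issuer would have emitted; it lets the same
    reference pass the strict check without relaxing the receiver.
    """
    root = ET.fromstring(str_xml)
    root.set(f"{{{WSSE11}}}TokenType", SAML11_TOKEN_TYPE)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: the ADFS 2.0 reference quoted in the thread, which has a
# KeyIdentifier but no wsse11:TokenType attribute.
ADFS_STR = f"""<o:SecurityTokenReference xmlns:o="{WSSE}">
  <o:KeyIdentifier ValueType="{SAML_ASSERTION_ID}">
    _ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
</o:SecurityTokenReference>"""


def demo():
    """Run the three cases: strict (rejects), relaxed (accepts), fixed STR (accepts)."""
    results = {}
    try:
        check_saml11_str(ADFS_STR)
        results["strict"] = "accepted"
    except InvalidSecurityToken as exc:
        results["strict"] = str(exc)
    results["relaxed"] = check_saml11_str(ADFS_STR, bsp_compliant=False)
    results["fixed"] = check_saml11_str(add_saml11_token_type(ADFS_STR))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Note that relaxing the check only waives the profile rule about how the reference is labelled; the referenced assertion still has to be located by id and validated as usual, so the relaxed path is the right one for an issuer that is merely non-BSP-compliant, not a way to accept unknown token types.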