> Does setting "ws-security.is-bsp-compliant" to "false" make Service Provider not to check wsse11:TokenType attribute?

Yes.

> I set "ws-security.is-bsp-compliant" through client configuration file like below, but it didn't change any result. I am getting same exception.

You were getting the error on the service provider side, no? You would have to set it on the service provider endpoint in this case.

Colm.

On Mon, Jun 11, 2012 at 4:31 PM, Gina Choi <[email protected]> wrote:

> Hi Colm,
>
> <<<
> You can turn this off by setting the following jax-ws property
> "ws-security.is-bsp-compliant" to "false" for the service provider.
> >>>
>
> Does setting "ws-security.is-bsp-compliant" to "false" make Service
> Provider not to check wsse11:TokenType attribute? ADFS2.0 doesn't enforce
> wsse11:TokenType attribute, so the security token that I got from ADFS2.0
> wouldn't contain wsse11:TokenType attribute. I set
> "ws-security.is-bsp-compliant" through client configuration file like
> below, but it didn't change any result. I am getting same exception.
>
> <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
>     createdFromAPI="true">
>   <jaxws:properties>
>     <entry key="ws-security.is-bsp-compliant" value="false"/>
>
>     <entry key="ws-security.sts.client">
>       <bean class="org.apache.cxf.ws.security.trust.STSClient">
>         <constructor-arg ref="cxf"/>
>         <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
>         ........
>
> Gina
>
> On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh
> <[email protected]> wrote:
>
>> CXF enforces the Basic Security Profile 1.1 spec:
>>
>> http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html
>>
>> "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
>> wsse11:TokenType attribute with a value of
>> "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"."
>>
>> You can turn this off by setting the following jax-ws property
>> "ws-security.is-bsp-compliant" to "false" for the service provider.
>>
>> Colm.
>>
>> On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi <[email protected]> wrote:
>>
>> > I did some research and looked at oasis specification
>> > (https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf),
>> > it looks like that wsse11:TokenType attribute is optional for SAML 1.1, but
>> > should contain
>> > http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1.
>> >
>> > <<<
>> >
>> > Now I am getting 'An invalid security token was provided (Bad TokenType
>> > "")'. I debugged through code again and following is the issue.
>> > org.apache.ws.security.str.BSPEnforcer.java (wss4j-1.6.6.jar) class,
>> > Line 162 - 169
>> >
>> >     String tokenType = secRef.getTokenType();
>> >     if (assertion.getSaml1() != null &&
>> >         !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
>> >         throw new WSSecurityException(
>> >             WSSecurityException.INVALID_SECURITY_TOKEN,
>> >             "invalidTokenType",
>> >             new Object[]{tokenType}
>> >         );
>> >     }
>> >
>> > The content of the secRef object is as follows. As you can see from the
>> > above code, it is looking for an attribute named "TokenType", whose value is
>> > "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
>> > but SecurityTokenReference doesn't have it. That's why it throws
>> > exception. What can we do about this? I am going to update *CXF-4367 with
>> > new content.*
>> >
>> > <o:SecurityTokenReference
>> >     xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>> >   <o:KeyIdentifier
>> >       ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
>> > </o:SecurityTokenReference>
>> >
>> > >>>>>>>>
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
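
Added example, not part of the original thread and not WSS4J or CXF code: a Python check that applies the R6611 rule quoted above to a captured SecurityTokenReference, so a token reference can be tested against the TokenType requirement before deciding to switch BSP enforcement off on the service provider. The function name `r6611_violations` and the use of the KeyIdentifier ValueType to recognise a SAML 1.1 reference are assumptions of this example; the sample documents are constructed from the reference shown in the thread.

```python
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11 = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
# Required TokenType value quoted in R6611 above.
SAML11_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
# KeyIdentifier ValueType from the SecurityTokenReference in the thread.
SAML1_KEY_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"


def r6611_violations(xml_text):
    """Return (assertion_id, token_type_seen) for each SAML 1.1
    SecurityTokenReference whose wsse11:TokenType is missing or wrong.
    token_type_seen is "" when the attribute is absent."""
    violations = []
    root = ET.fromstring(xml_text)  # stdlib parser: use on trusted captures only
    for ref in root.iter("{%s}SecurityTokenReference" % WSSE):
        key_id = ref.find("{%s}KeyIdentifier" % WSSE)
        if key_id is None:
            continue
        # Assumption: the KeyIdentifier ValueType marks the reference as SAML 1.x
        # (the WSS4J code quoted above inspects the resolved assertion instead).
        if (key_id.get("ValueType") or "").strip() != SAML1_KEY_ID:
            continue
        token_type = (ref.get("{%s}TokenType" % WSSE11) or "").strip()
        if token_type != SAML11_TOKEN_TYPE:
            violations.append(((key_id.text or "").strip(), token_type))
    return violations


# Constructed samples: the first mirrors the reference quoted in the thread,
# the second adds the attribute R6611 asks for.
ADFS_STYLE = (
    '<o:SecurityTokenReference xmlns:o="%s">'
    '<o:KeyIdentifier ValueType="%s">_ca94d3c5-0933-4af0-ac12-a83fd407310c'
    '</o:KeyIdentifier></o:SecurityTokenReference>' % (WSSE, SAML1_KEY_ID)
)
COMPLIANT = ADFS_STYLE.replace(
    'xmlns:o=', 'xmlns:wsse11="%s" wsse11:TokenType="%s" xmlns:o='
    % (WSSE11, SAML11_TOKEN_TYPE), 1)

if __name__ == "__main__":
    for name, doc in (("ADFS-style", ADFS_STYLE), ("compliant", COMPLIANT)):
        print(name, r6611_violations(doc))
```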
