Hello All,
I am working on an STS and I have a requirement that my
RequestSecurityTokenResponse includes a RequestType in it.  The current
generated response by CXF produces:

<RequestSecurityTokenResponse>
  <TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</TokenType>
  <RequestedSecurityToken>


I looked at the WS-Trust schema here:

http://docs.oasis-open.org/ws-sx/ws-trust/200512/ws-trust-1.3.xsd

The 'RequestSecurityTokenResponseType' basically allows xs:any.  Here is
their exact language with Request Type bolded:

/Actual content model is non-deterministic, hence wildcard. The following
shows intended content model:

        <xs:element ref='wst:TokenType' minOccurs='0' />
        *<xs:element ref='wst:RequestType' />*
        <xs:element ref='wst:RequestedSecurityToken'  minOccurs='0' />
/
MinOccurs is not set on RequestType so it would default to one.  I have
looked online and I have seen many token issues without this value set but
it seems like it wouldn't hurt to set it.

In the 'TokenIssueOperation' class, the following lines which are bolded can
be added to the 'createResponse' private method:

        RequestSecurityTokenResponseType response =
            QNameConstants.WS_TRUST_FACTORY.createRequestSecurityTokenResponseType();

        String context = tokenRequirements.getContext();
        if (context != null) {
            response.setContext(context);
        }

*        // RequestType
        JAXBElement<String> jaxbRequestType =
            QNameConstants.WS_TRUST_FACTORY.createRequestType("http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue");
        response.getAny().add(jaxbRequestType);
*
        // TokenType
        JAXBElement<String> jaxbTokenType =
            QNameConstants.WS_TRUST_FACTORY.createTokenType(tokenRequirements.getTokenType());
        response.getAny().add(jaxbTokenType);

What do you think?  I can also make this configurable similar to what is
done with 'returnReferences' but I think the RequestType should be added by
default.

I can submit a JIRA and patch for this.

Thanks,
Yogesh



--
View this message in context: 
http://cxf.547215.n5.nabble.com/CXF-STS-RequestSecurityTokenResponse-and-RequestType-tp5719848.html
Sent from the cxf-user mailing list archive at Nabble.com.
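
Added example, not part of the original message and not CXF code: a relying party that wants to enforce the intended content model quoted above can check a received RequestSecurityTokenResponse for a wst:RequestType child itself, since the xs:any wildcard means schema validation will not. The class name, method name and the two sample responses are constructed for illustration; only the JDK's DOM parser is assumed.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.xml.sax.InputSource;

// Hypothetical helper, named for this example only.
public class RstrRequestTypeCheck {
    // WS-Trust 1.3 namespace, the target namespace of the schema linked in the message.
    static final String WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    static final String ISSUE = WST + "/Issue";

    /** Returns the text of the wst:RequestType child of the RSTR, or null if there is none. */
    static String requestTypeOf(String rstrXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The response comes from a remote party: refuse DOCTYPEs so no entities are resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(rstrXml))).getDocumentElement();
        if (!WST.equals(root.getNamespaceURI())
                || !"RequestSecurityTokenResponse".equals(root.getLocalName())) {
            throw new IllegalArgumentException("not a WS-Trust 1.3 RequestSecurityTokenResponse");
        }
        // Only direct children count; a RequestType nested inside the token is ignored.
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE && WST.equals(n.getNamespaceURI())
                    && "RequestType".equals(n.getLocalName())) {
                return n.getTextContent().trim();
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample responses, not captured from a real STS.
        String open = "<wst:RequestSecurityTokenResponse xmlns:wst='" + WST + "'>";
        String tokenType = "<wst:TokenType>http://docs.oasis-open.org/wss/"
                + "oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>";
        String tail = "<wst:RequestedSecurityToken/></wst:RequestSecurityTokenResponse>";
        String asGenerated = open + tokenType + tail;
        String asProposed = open + "<wst:RequestType>" + ISSUE + "</wst:RequestType>"
                + tokenType + tail;

        System.out.println("as generated today: " + requestTypeOf(asGenerated));
        System.out.println("with RequestType:   " + requestTypeOf(asProposed));
    }
}
```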
