There are two requests to the STS. The first request is sent only once with username/password of the browser user (TransportBinding policy with UsernameToken as SupportingToken). The second request is on-behalf-of the browser user where there is no WS-Security header sent but you must provide a valid token. I think we should fix that.
The easiest solution would be to configure the IDP cert/private key (must be generated, not part of distribution) and configure the public key in the truststore of the Tomcat connector. The policy engine (update transport binding to requireClientCert) will validate whether a trusted certificate was used on HTTPS.

Thanks
Oli

________________________________________
From: Glen Mazza [[email protected]]
Sent: 07 May 2013 12:31
To: [email protected]
Subject: Re: Fediz STS - how does it know where to find the public certs for verifying the UsernameToken in the IDP request?

Would this answer your question:
http://svn.apache.org/viewvc/cxf/fediz/trunk/examples/samplekeys/HowToGenerateKeysREADME.html?revision=1364769&view=co

Glen

On 05/07/2013 06:22 AM, snowch wrote:
> Hi Glen,
>
> Thanks for the response.
>
> How does the CXF STS know where to look for the truststore?
>
> Looking through the following configuration
> (/fediz-idp-sts/src/main/webapp/WEB-INF/cxf-transport.xml), it seems that
> only the outgoing encryption/signing is being configured:
>
> <bean id="transportSTSProperties"
>     class="org.apache.cxf.sts.StaticSTSProperties">
>     <property name="signaturePropertiesFile" value="stsKeystore.properties" />
>     <property name="signatureUsername" value="mystskey" />
>     <property name="callbackHandlerClass"
>         value="org.apache.cxf.fediz.service.sts.PasswordCallbackHandler" />
>     <property name="encryptionPropertiesFile" value="stsKeystore.properties" />
>     <property name="issuer" value="DoubleItSTSIssuer" />
>     <property name="encryptionUsername" value="myservicekey" />
> </bean>
>
> Unless some of the above setters are configuring the incoming
> decryption/signature verification?
>
> Many thanks,
>
> Chris
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Fediz-STS-how-does-it-know-where-to-find-the-public-certs-for-verifying-the-UsernameToken-in-the-IDP-tp5727184p5727336.html
> Sent from the cxf-user mailing list archive at Nabble.com.
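Added illustration of the fix Oli proposes at the top of the thread (example configuration, not taken from the Fediz project or from anyone in this thread): a WS-SecurityPolicy transport binding that requires a client certificate for the on-behalf-of STS endpoint, beside the Tomcat JSSE connector whose truststore holds the IDP's public certificate. Keystore paths, passwords and the policy Id are placeholders.

```xml
<!-- 1. WS-SecurityPolicy for the second (on-behalf-of) STS request, which
     carries no WS-Security header: the TransportBinding itself now demands
     a trusted client certificate on the HTTPS connection. -->
<wsp:Policy xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            wsu:Id="TransportClientCertPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:TransportBinding>
        <wsp:Policy>
          <sp:TransportToken>
            <wsp:Policy>
              <sp:HttpsToken>
                <wsp:Policy>
                  <!-- the "requireClientCert" change: without this, any
                       caller that reaches the HTTPS port could ask for an
                       on-behalf-of token with no proof of who it is -->
                  <sp:RequireClientCertificate/>
                </wsp:Policy>
              </sp:HttpsToken>
            </wsp:Policy>
          </sp:TransportToken>
          <sp:AlgorithmSuite><wsp:Policy><sp:Basic128/></wsp:Policy></sp:AlgorithmSuite>
          <sp:Layout><wsp:Policy><sp:Lax/></wsp:Policy></sp:Layout>
          <sp:IncludeTimestamp/>
        </wsp:Policy>
      </sp:TransportBinding>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

<!-- 2. Tomcat server.xml HTTPS connector on the STS side. The truststore
     contains only the IDP's (separately generated) public certificate, so
     the IDP is the only client able to satisfy the policy above.
     clientAuth="want" lets the first request (UsernameToken only) through
     while the CXF policy engine enforces the certificate per endpoint. -->
<Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/stskeystore.jks"     keystorePass="CHANGEME"
           truststoreFile="conf/ststruststore.jks" truststorePass="CHANGEME"
           clientAuth="want"/>
```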
