Hi Andrei,

Yes, this makes sense to me. One minor point: you could use a regular expression in your configuration to match the AppliesTo address. In this way you wouldn't need to explicitly change the configuration for a new service.

Colm.

On Mon, Oct 21, 2013 at 8:28 AM, Andrei Shakirin <[email protected]> wrote:

> Hi Colm,
>
> Yep, it could be a solution for Susan's scenario.
> The only thing disturbing me a bit in SAML SymmetricKey HolderOfKey is that the STS should know all service certificates for which it issues the tokens.
> If I deploy a new service, it is necessary to:
> a) add the service certificate into the STS keystore as a trusted entry;
> b) configure the alias (encryptionUserName) in the appropriate STS Service/ServiceMBean
>
> I think XKMS can be useful even for the SAML SymmetricKey HolderOfKey scenario to resolve the certificate lookup.
>
> Perhaps we can extend XKMS with a new ApplicationId, so that service certificates can be searched on the basis of the service endpoint.
> WDYT?
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Colm O hEigeartaigh [mailto:[email protected]]
> > Sent: Friday, 18 October 2013 13:34
> > To: [email protected]
> > Cc: Susan Liebeskind
> > Subject: Re: CXF WS-Trust/WS-SecureConversation security policy questions
> >
> > Hi Susan,
> >
> > Just looking at your original requirements again, I think a scenario based on SAML SymmetricKey HolderOfKey might meet your requirements. The idea is that the service has an IssuedToken policy that requires a SAML Token with a "SymmetricKey" KeyType. The client gets such a token from the STS, which contains the secret key encrypted using the certificate of the service. The client also obtains the secret key from the STS by key negotiation. The client then sends the SAML Token to the service + secures the request with the secret key.
> >
> > This way you have authentication + the client doesn't need to be configured with the service certificate.
> >
> > Colm.
> >
> > On Tue, Oct 15, 2013 at 3:09 PM, Andrei Shakirin <[email protected]> wrote:
> >
> > > Hi Susan,
> > >
> > > > -----Original Message-----
> > > > From: Susan Liebeskind [mailto:[email protected]]
> > > > Sent: Tuesday, 15 October 2013 14:07
> > > > To: Andrei Shakirin
> > > > Subject: Re: CXF WS-Trust/WS-SecureConversation security policy questions
> > > >
> > > > Hi Andrei,
> > > >
> > > > I have tried 3 times to post this to the CXF list, and 3 times it has been rejected as spam for no reason I can determine. I have been having this problem since I joined the list, and mailed to [email protected], but not gotten a response. Therefore, I am replying just to you...
> > >
> > > Hmm ... this is a bit strange.
> > >
> > > > But do you know who manages the list so I could figure out what could be triggering this false positive from the Apache spam monitor? It's pretty frustrating. The message I get looks like this...
> > > >
> > > > > I'm sorry to inform you that the message below could not be delivered.
> > > > > When delivery was attempted, the following error was returned.
> > > > >
> > > > > <[email protected]>: host mx1.eu.apache.org[192.87.106.230] said: 552 spam
> > > > > score (5.7) exceeded threshold
> > > > > (HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_PASS (in reply to end
> > > > > of DATA command)
> > > >
> > > > -- snip snip snip - the post I cannot get on the list ---
> > >
> > > I have no idea what happens. It seems that the number of emails from your account exceeds the threshold, but I do not know why.
> > > Could you create an appropriate issue for the CXF project?
> > >
> > > > Hi Andrei,
> > > >
> > > > >> Do .NET clients play well with an XKMS server? Interoperability with .NET clients is an important concern for me.
> > > > >
> > > > > I never tried XKMS in .Net, but as far as it is a W3C standard, it should work also with .Net:
> > > > > http://msdn.microsoft.com/en-us/library/ms972954.aspx
> > > > > http://www.w3.org/2001/07/xkms-ws/dillaway/XKMSWorkshop_files/frame.htm
> > > > > http://pages.infinit.net/ctech/xkms-part2.html
> > > >
> > > > Yes but...it is not uncommon to have incompatible implementations of the standards, as we all know too well from bitter personal experience. Seeing how old some of these references are (one from July 2001), I am rather dubious that we can assume the same level of support appears in today's .NET 4.x Framework.
> > >
> > > Sure, it very probably requires some testing, configuration/adaptation efforts.
> > > But XKMS seems to be the right way to get and validate the certificates in enterprise service environments.
> > >
> > > > I say this having gotten burned badly on something that worked with .NET 3.5 but not with .NET 4.0, something in the web service arena that Microsoft apparently invented. The issue in question pertains to the doc/literal/wrapped style of writing WSDL. While the historical record suggests that doc/literal/wrapped was invented by Microsoft, as of .NET 4.0, the Microsoft equiv of WSDL2Java cannot generate proxy code from a doc/literal/wrapped WSDL. You have to "unwrap" the WSDL in order to get generated code now.
> > > >
> > > > Point is: if Microsoft gave up on something they pushed into the web service community, color me dubious they'd keep up with support for one of the XML standards that never really gained much traction.
> > > >
> > > > >> XKMS does sound interesting, but it also sounds like XKMS would replace the certs issued by our existing PKI, and that wouldn't work for us.
> > > > >
> > > > > XKMS doesn't replace PKI, but provides a façade for PKI:
> > > > > http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html
> > > > >
> > > > > That means you can easily plug your own lookup and validators into the CXF XKMS implementation which will speak with your PKI.
> > > >
> > > > Easily is a matter of opinion - *nothing* involving PKI has ever proved easy :-)
> > > >
> > > > For me, the potential risk of incompatible .NET issues, the use of an old standard which doesn't have tons of support, compared with the cost of having to distribute a few certificates (like we are already used to)..well, it tips the scale in terms of staying with what I have. I agree that what you are talking about sounds like a good match on paper for my requirements, but given the tradeoff of time/energy/risk, I cannot recommend this approach for the work I'm doing between now and November. While I am curious to know if it could be made to work, I'd have to do that on my own time, not company time.
> > >
> > > Ok, I understand your point.
> > >
> > > > Thanks, Andrei - I would never have even known about this option if you and Dennis hadn't brought it up.
> > >
> > > You are welcome!
> > >
> > > > Cheers,
> > > > Susan
> > >
> > > Regards,
> > > Andrei.
> >
> > --
> > Colm O hEigeartaigh
> >
> > Talend Community Coder
> > http://coders.talend.com
>

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
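The SymmetricKey HolderOfKey flow Colm describes (client and STS entropy negotiated into one key, the client proving possession of it to the service) together with the AppliesTo regex idea from the top of this mail, modelled as an added example; this is my own illustration, not CXF or WSS4J code. It assumes the WS-Trust "PSHA1" ComputedKey construction, uses HMAC-SHA256 as a stand-in for the XML signature that would really carry the proof, and uses a constructed hostname and keystore alias; shipping the key to the service encrypted under its certificate is not modelled.

```python
import hashlib
import hmac
import re


def p_sha1(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA1 PRF (TLS 1.0 style) behind the WS-Trust "PSHA1" ComputedKey:
    A(0) = seed, A(i) = HMAC_SHA1(secret, A(i-1)); output is the concatenation
    of HMAC_SHA1(secret, A(i) + seed), truncated to the requested length."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha1).digest()
        out += hmac.new(secret, a + seed, hashlib.sha1).digest()
    return out[:length]


def computed_key(client_entropy: bytes, sts_entropy: bytes, key_size_bits: int = 256) -> bytes:
    """Key negotiation: client entropy is the PRF secret, STS entropy the seed.
    Client and STS both compute this; the STS also places it in the SAML token
    encrypted to the service certificate (that transport is not modelled here)."""
    return p_sha1(client_entropy, sts_entropy, key_size_bits // 8)


# Constructed STS registry: AppliesTo regex -> keystore alias of the service cert.
# One pattern covers every service under that host, so a newly deployed service
# there needs no STS configuration change (the regex idea from the top of the mail).
SERVICE_CERT_ALIASES = {
    r"^https://services\.example\.com/.*$": "services-example-com",  # constructed values
}


def resolve_encryption_alias(applies_to: str):
    """Alias of the certificate to encrypt the key to, or None if no service matches."""
    for pattern, alias in SERVICE_CERT_ALIASES.items():
        if re.match(pattern, applies_to):
            return alias
    return None


def sign_request(key: bytes, body: bytes) -> bytes:
    """Holder-of-key proof: the client MACs the request with the negotiated key."""
    return hmac.new(key, body, hashlib.sha256).digest()


def service_accepts(key: bytes, body: bytes, mac: bytes) -> bool:
    """The service, holding the key decrypted from the token, verifies the proof."""
    return hmac.compare_digest(sign_request(key, body), mac)


def demo() -> bool:
    """Constructed entropies; True when the negotiated key verifies a request."""
    client_entropy, sts_entropy = bytes(range(32)), bytes(range(32, 64))
    key = computed_key(client_entropy, sts_entropy)
    body = b"<soap:Body>order 42</soap:Body>"
    ok = service_accepts(key, body, sign_request(key, body))
    return ok and resolve_encryption_alias("https://services.example.com/orders") is not None
```

A request MACed with a key derived from different entropy, or a body altered in transit, fails the service-side check; an AppliesTo address outside the configured pattern yields no alias, so the STS has nothing to encrypt the key to and must refuse to issue.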
