I am implementing a policy driven WS-Trust Scenario with CXF.
The policy of the called business service states that a WS-SecureConversation
SCT should be used to encrypt the payload and a SAML token issued by an STS
should be used as bootstrap token. This is the policy:

<wsp:Policy xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
            xmlns:wsp="http://www.w3.org/ns/ws-policy"
            xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
            xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
            xmlns:wsaw="http://www.w3.org/2005/08/addressing"
            xmlns:wsam="http://www.w3.org/2007/05/addressing/metadata"
            xmlns:wsx="http://schemas.xmlsoap.org/ws/2004/09/mex"
            wsu:Id="SecPolicy">
  <wsp:ExactlyOne>
    <wsp:All>
      <sp:SymmetricBinding>
        <wsp:Policy>
          <sp:ProtectionToken>
            <wsp:Policy>
              <sp:SecureConversationToken
                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                <wsp:Policy>
                  <sp:RequireDerivedKeys />
                  <sp:BootstrapPolicy>
                    <wsp:Policy>
                      <sp:SymmetricBinding>
                        <wsp:Policy>
                          <sp:ProtectionToken>
                            <wsp:Policy>
                              <sp:IssuedToken
                                  sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                                <sp:RequestSecurityTokenTemplate>
                                  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
                                  <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
                                </sp:RequestSecurityTokenTemplate>
                                <sp:Issuer>
                                  <wsaw:Address>http://localhost:8080/sts</wsaw:Address>
                                  <wsaw:Metadata>
                                    <wsam:ServiceName EndpointName="STS_Port">wst:SecurityTokenService</wsam:ServiceName>
                                  </wsaw:Metadata>
                                </sp:Issuer>
                                <wsp:Policy/>
                              </sp:IssuedToken>
                            </wsp:Policy>
                          </sp:ProtectionToken>
                          <sp:Layout>
                            <wsp:Policy>
                              <sp:Lax />
                            </wsp:Policy>
                          </sp:Layout>
                          <sp:AlgorithmSuite>
                            <wsp:Policy>
                              <sp:Basic256 />
                            </wsp:Policy>
                          </sp:AlgorithmSuite>
                        </wsp:Policy>
                      </sp:SymmetricBinding>
                      <sp:Wss11>
                        <wsp:Policy>
                          <sp:MustSupportRefIssuerSerial />
                          <sp:MustSupportRefThumbprint />
                          <sp:MustSupportRefEncryptedKey />
                        </wsp:Policy>
                      </sp:Wss11>
                      <sp:Trust13>
                        <wsp:Policy>
                          <sp:MustSupportIssuedTokens />
                          <sp:RequireClientEntropy />
                          <sp:RequireServerEntropy />
                        </wsp:Policy>
                      </sp:Trust13>
                    </wsp:Policy>
                  </sp:BootstrapPolicy>
                </wsp:Policy>
              </sp:SecureConversationToken>
            </wsp:Policy>
          </sp:ProtectionToken>
          <sp:AlgorithmSuite>
            <wsp:Policy>
              <sp:Basic256/>
            </wsp:Policy>
          </sp:AlgorithmSuite>
        </wsp:Policy>
      </sp:SymmetricBinding>
      <sp:EncryptedParts>
        <sp:Body/>
      </sp:EncryptedParts>
    </wsp:All>
  </wsp:ExactlyOne>
</wsp:Policy>

Everything works fine. The SAML Token is only transmitted to the business
service in the first call when the security context is established which
makes sense.
In the business service I access the (memory) token cache like this:

import org.apache.cxf.endpoint.Endpoint;
import org.apache.cxf.jaxws.context.WrappedMessageContext;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.ws.security.tokenstore.TokenStore;

// Unwrap the JAX-WS context to reach the CXF Exchange, then read the
// TokenStore that CXF registered on the endpoint.
WrappedMessageContext wrappedContext = (WrappedMessageContext) context.getMessageContext();
Exchange exchange = wrappedContext.getWrappedMessage().getExchange();
TokenStore tokenStore = (TokenStore) exchange.get(Endpoint.class)
        .getEndpointInfo().getProperty(TokenStore.class.getName());

As expected I see two tokens, an SCT and a SAML token.

But I can't see that the SAML token belongs to the SCT. This causes problems
when using multiple users and security contexts.

My question is:
How can I determine that a particular SAML (bootstrap) token in the token
cache is bound to an SCT?

--
View this message in context: 
http://cxf.547215.n5.nabble.com/Correlating-SCT-and-SAML-bootstrap-tokens-tp5739277.html
Sent from the cxf-user mailing list archive at Nabble.com.