In regard to lifetime, we are using the Layer 7 STS and have not configured any
lifetime settings. There is an option to set the lifetime of the returned
security token in the Layer 7 STS RSTR configuration, but we currently
have this option unchecked. While greyed out, it does show 60 minutes, so
perhaps that is the default.
In looking at the code, I see that
IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor.handleMessage first
retrieves the token from the cache and, if found, calls renewToken. The renewToken
method is where the expiry of the token is checked: if not expired it just returns
the token, and if expired it uses STSClient to renew the token.
I also see that if the user has explicitly disabled renewing, then it calls
STSClient issue.
Now it does not seem to be working as expected per this code, but I have no
idea where it breaks down without debugging into the CXF code.
I wish that IssuedTokenInterceptorProvider provided some debug log
statements indicating things like: found token in cache, expiry datetime on
cached token, token expired removing from cache, calling renew or issue
token, etc.
I also tried the below setting of allowRenewingAfterExpiry on STSClient and
had expected it to force an issue if the token was expired, but it did not
execute an issue even after the token expiration passed, so my assumption is
that somehow IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor is not
seeing that the token is expired.
<property name="allowRenewingAfterExpiry" value="false"/>
Here is how my STSClient is configured in my Spring config:
<jaxws:client id="accountMaintenanceService"
    serviceClass="com.mycompany.example.AccountMaintenance"
    address="${myProps:web-services.accountMaintenance}"
    wsdlLocation="${myProps:web-services.accountMaintenance}?wsdl">
  <jaxws:properties>
    <entry key="ws-security.sts.client">
      <bean class="org.apache.cxf.ws.security.trust.STSClient">
        <constructor-arg ref="cxf" />
        <property name="wsdlLocation"
            value="${myProps:eaa_security.sts.sts_url}?wsdl"/>
        <property name="serviceName"
            value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
        <property name="endpointName"
            value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
        <property name="allowRenewingAfterExpiry" value="false"/>
        <property name="properties">
          <map>
            <entry key="ws-security.callback-handler"
                value="com.mycompany.myapp.common.config.ClientCallbackHandler" />
            <entry key="ws-security.username" value="eaa0001" />
            <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
            <entry key="ws-security.encryption.username" value="mystskey" />
          </map>
        </property>
      </bean>
    </entry>
  </jaxws:properties>
</jaxws:client>
Here is an RSTR from the STS on the Issue:
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Header>
    <wsse:Security soap:mustUnderstand="true"
        xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <wsse:UsernameToken
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          wsu:Id="UsernameToken-44DAA8C0A1395AB48313983608351381">
        <wsse:Username>eaa0001</wsse:Username>
        <wsse:Password
            Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXXXXX</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </soap:Header>
  <soap:Body>
    <wst:RequestSecurityToken
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wst:SecondaryParameters>
        <t:TokenType
            xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
        <t:KeyType
            xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
      </wst:SecondaryParameters>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
      <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
          <wsa:Address>http://localhost:9084/myapp/services/AccountMaintenance</wsa:Address>
        </wsa:EndpointReference>
      </wsp:AppliesTo>
      <wst:Renewing/>
    </wst:RequestSecurityToken>
  </soap:Body>
</soap:Envelope>
Here is an example of a SAML token from the STS (long strings edited for brevity
and some URIs, etc. edited for privacy):
NOTE: also my token expires after 7 minutes, not 5 as I stated in the first post.
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <wst:RequestSecurityTokenResponse
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
        xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
      <wst:RequestedSecurityToken>
        <saml2:Assertion ID="SamlAssertion-e84f6febda7b2ab5ecdb8f47920c28b4"
            IssueInstant="2014-04-24T15:42:21.083Z" Version="2.0"
            xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
          <saml2:Issuer>http://sts.dev.mycompany.com:8080/sts_ut</saml2:Issuer>
          <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <ds:SignedInfo>
              <ds:CanonicalizationMethod
                  Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
              <ds:Reference URI="#SamlAssertion-e84f6febda7b2ab5ecdb8f47920c28b4">
                <ds:Transforms>
                  <ds:Transform
                      Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>ZdMOnDp6X...</ds:DigestValue>
              </ds:Reference>
            </ds:SignedInfo>
            <ds:SignatureValue>1ZzjI3sozb...</ds:SignatureValue>
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <X509Data>
                <X509SubjectName>[email protected],CN=mystsserver.com,OU=ITG,O=Some Company,L=Chicago,ST=Illinois,C=US</X509SubjectName>
                <X509Certificate>MIIHmDCCBoCgAwIBAgIQFfS...</X509Certificate>
              </X509Data>
            </KeyInfo>
          </ds:Signature>
          <saml2:Subject>
            <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
                NameQualifier="">EAA0001</saml2:NameID>
            <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
          </saml2:Subject>
          <saml2:Conditions NotBefore="2014-04-24T15:40:21.084Z"
              NotOnOrAfter="2014-04-24T15:47:21.084Z"/>
          <saml2:AttributeStatement>
            <saml2:Attribute Name="cn"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
              <saml2:AttributeValue>cn=RFT,ou=SomeCompany,ou=Authorities,ou=SomeCompany,ou=SERVICES,o=INTLDAP</saml2:AttributeValue>
            </saml2:Attribute>
          </saml2:AttributeStatement>
          <saml2:AuthnStatement AuthnInstant="2014-04-24T15:42:21.083Z">
            <saml2:SubjectLocality Address="10.99.99.99"/>
            <saml2:AuthnContext>
              <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
            </saml2:AuthnContext>
          </saml2:AuthnStatement>
        </saml2:Assertion>
      </wst:RequestedSecurityToken>
    </wst:RequestSecurityTokenResponse>
  </soap:Body>
</soap:Envelope>
--
View this message in context:
http://cxf.547215.n5.nabble.com/Clarification-of-CXF-client-handling-of-expired-cached-tokens-tp5743216p5743258.html
Sent from the cxf-user mailing list archive at Nabble.com.
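Added example (not part of the post or of CXF): a small model of the cache/renew/issue decision the post describes, driven by the Conditions window of the RSTR above, that emits the debug lines the poster wished for. The sample RSTR is a constructed fragment of the one shown, the 30-second skew and the `decide` parameters are assumptions, and the function is a stand-in for the poster's reading of IssuedTokenOutInterceptor, not CXF's own code.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: only the Assertion/Conditions part of the RSTR from the post.
SAMPLE_RSTR = """<wst:RequestSecurityTokenResponse
  xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
 <wst:RequestedSecurityToken>
  <saml2:Assertion ID="SamlAssertion-e84f6febda7b2ab5ecdb8f47920c28b4"
    IssueInstant="2014-04-24T15:42:21.083Z" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
   <saml2:Conditions NotBefore="2014-04-24T15:40:21.084Z"
     NotOnOrAfter="2014-04-24T15:47:21.084Z"/>
  </saml2:Assertion>
 </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""

def parse_ts(s):
    # SAML timestamps are xs:dateTime in UTC with a trailing "Z"
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def token_window(rstr_xml):
    """Return (assertion ID, NotBefore, NotOnOrAfter) from the issued assertion."""
    root = ET.fromstring(rstr_xml)
    assertion = root.find(".//saml2:Assertion", NS)
    cond = assertion.find("saml2:Conditions", NS)
    return (assertion.get("ID"), parse_ts(cond.get("NotBefore")),
            parse_ts(cond.get("NotOnOrAfter")))

def decide(rstr_xml, now, allow_renewing=True, allow_renewing_after_expiry=False,
           skew=timedelta(seconds=30)):
    """Model of the decision the post describes (assumed, not CXF's logic).
    Returns ("reuse" | "renew" | "issue", debug log lines)."""
    log = []
    tid, _nb, noa = token_window(rstr_xml)
    log.append(f"found token {tid} in cache, NotOnOrAfter={noa.isoformat()}")
    # Treat the token as expired `skew` early so a request is not sent with a
    # token that dies in flight; an expired token must never be reused.
    if now + skew < noa:
        log.append("cached token still valid, reusing it")
        return "reuse", log
    log.append("cached token expired or about to expire, removing from cache")
    # Renew is off, or the token is already past NotOnOrAfter and
    # allowRenewingAfterExpiry is false: fall back to a fresh Issue.
    if not allow_renewing or (now >= noa and not allow_renewing_after_expiry):
        log.append("renew not permitted, calling STSClient issue")
        return "issue", log
    log.append("calling STSClient renew")
    return "renew", log
```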