Could you also post the complete RSTR from the STS?

Colm.

On Thu, Apr 24, 2014 at 6:58 PM, jeffc <[email protected]> wrote:

> In regards to lifetime, we are using Layer 7 STS and have not configured any
> lifetime settings. But there is an option to set lifetime for the returned
> security token in the Layer 7 STS RSTR configuration. But we currently
> have this option unchecked. While greyed out, it does show 60 minutes so
> perhaps that is the default.
>
> In looking at the code, I see that
> IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor handleMessage first
> retrieves token from cache and if found calls renewToken. And in renewToken
> method is when expiry of token is checked and if not expired just returns
> token and if expired it will use STSClient to renew token.
> I also see that if the user has explicitly disabled renewing, then it calls
> STSClient issue.
>
> Now it does not seem to be working as expected per this code, but I have no
> idea where it breaks down without debugging into the CXF code.
>
> I wish that IssuedTokenInterceptorProvider provided some debug log
> statements indicating things like found token in cache, expired datetime on
> cached token, token expired removing from cache, calling renew or issue
> token, etc.
>
> I also tried the below setting of allowRenewingAfterExpiry on STSClient and
> had expected it to force an issue if the token was expired, but it did not
> execute an issue even after token expiration passed, so my assumption is
> that somehow IssuedTokenInterceptorProvider$IssuedTokenOutInterceptor is not
> seeing that token is expired.
>
> <property name="allowRenewingAfterExpiry" value="false"/>
>
> Here is how my STSClient is configured in my Spring config:
>
> <jaxws:client id="accountMaintenanceService"
>     serviceClass="com.mycompany.example.AccountMaintenance"
>     address="${myProps:web-services.accountMaintenance}"
>     wsdlLocation="${myProps:web-services.accountMaintenance}?wsdl">
>   <jaxws:properties>
>     <entry key="ws-security.sts.client">
>       <bean class="org.apache.cxf.ws.security.trust.STSClient">
>         <constructor-arg ref="cxf" />
>         <property name="wsdlLocation" value="${myProps:eaa_security.sts.sts_url}?wsdl"/>
>         <property name="serviceName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService" />
>         <property name="endpointName" value="{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}STS_Port" />
>         <property name="allowRenewingAfterExpiry" value="false"/>
>         <property name="properties">
>           <map>
>             <entry key="ws-security.callback-handler" value="com.mycompany.myapp.common.config.ClientCallbackHandler" />
>             <entry key="ws-security.username" value="eaa0001" />
>             <entry key="ws-security.encryption.properties" value="clientKeystore.properties" />
>             <entry key="ws-security.encryption.username" value="mystskey" />
>           </map>
>         </property>
>       </bean>
>     </entry>
>   </jaxws:properties>
> </jaxws:client>
>
> Here is an RSTR from the STS on the Issue:
>
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Header>
>     <wsse:Security soap:mustUnderstand="true"
>         xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
>       <wsse:UsernameToken
>           xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
>           wsu:Id="UsernameToken-44DAA8C0A1395AB48313983608351381">
>         <wsse:Username>eaa0001</wsse:Username>
>         <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">XXXXXXX</wsse:Password>
>       </wsse:UsernameToken>
>     </wsse:Security>
>   </soap:Header>
>   <soap:Body>
>     <wst:RequestSecurityToken xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
>       <wst:SecondaryParameters>
>         <t:TokenType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">urn:oasis:names:tc:SAML:2.0:assertion</t:TokenType>
>         <t:KeyType xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType>
>       </wst:SecondaryParameters>
>       <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
>       <wsp:AppliesTo xmlns:wsp="http://www.w3.org/ns/ws-policy">
>         <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
>           <wsa:Address>http://localhost:9084/myapp/services/AccountMaintenance</wsa:Address>
>         </wsa:EndpointReference>
>       </wsp:AppliesTo>
>       <wst:Renewing/>
>     </wst:RequestSecurityToken>
>   </soap:Body>
> </soap:Envelope>
>
> Here is an example of SAML token from STS (edited long strings for brevity
> and some URIs, etc. for privacy):
>
> NOTE: also my token expires after 7 minutes not 5 as I stated in first post
>
> <soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
>   <soap:Body>
>     <wst:RequestSecurityTokenResponse
>         xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
>         xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
>       <wst:RequestedSecurityToken>
>         <saml2:Assertion ID="SamlAssertion-e84f6febda7b2ab5ecdb8f47920c28b4"
>             IssueInstant="2014-04-24T15:42:21.083Z" Version="2.0"
>             xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
>           <saml2:Issuer>http://sts.dev.mycompany.com:8080/sts_ut</saml2:Issuer>
>           <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
>             <ds:SignedInfo>
>               <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>               <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
>               <ds:Reference URI="#SamlAssertion-e84f6febda7b2ab5ecdb8f47920c28b4">
>                 <ds:Transforms>
>                   <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
>                   <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
>                 </ds:Transforms>
>                 <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
>                 <ds:DigestValue>ZdMOnDp6X...</ds:DigestValue>
>               </ds:Reference>
>             </ds:SignedInfo>
>             <ds:SignatureValue>1ZzjI3sozb...</ds:SignatureValue>
>             <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
>               <X509Data>
>                 <X509SubjectName>[email protected],CN=mystsserver.com,OU=ITG,O=Some Company,L=Chicago,ST=Illinois,C=US</X509SubjectName>
>                 <X509Certificate>MIIHmDCCBoCgAwIBAgIQFfS...</X509Certificate>
>               </X509Data>
>             </KeyInfo>
>           </ds:Signature>
>           <saml2:Subject>
>             <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQualifier="">EAA0001</saml2:NameID>
>             <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"/>
>           </saml2:Subject>
>           <saml2:Conditions NotBefore="2014-04-24T15:40:21.084Z" NotOnOrAfter="2014-04-24T15:47:21.084Z"/>
>           <saml2:AttributeStatement>
>             <saml2:Attribute Name="cn" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
>               <saml2:AttributeValue>cn=RFT,ou=SomeCompany,ou=Authorities,ou=SomeCompany,ou=SERVICES,o=INTLDAP</saml2:AttributeValue>
>             </saml2:Attribute>
>           </saml2:AttributeStatement>
>           <saml2:AuthnStatement AuthnInstant="2014-04-24T15:42:21.083Z">
>             <saml2:SubjectLocality Address="10.99.99.99"/>
>             <saml2:AuthnContext>
>               <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
>             </saml2:AuthnContext>
>           </saml2:AuthnStatement>
>         </saml2:Assertion>
>       </wst:RequestedSecurityToken>
>     </wst:RequestSecurityTokenResponse>
>   </soap:Body>
> </soap:Envelope>
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/Clarification-of-CXF-client-handling-of-expired-cached-tokens-tp5743216p5743258.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
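As an added illustration (not CXF's own code or the poster's), the Python below models the cache flow described in the quoted message: derive the token's expiry from the RSTR, then decide whether to reuse, renew or issue. The RSTR is a constructed, cut-down sample that carries the quoted token's Conditions timestamps; `sample_rstr`, `LIFETIME`, `token_expiry` and `next_action` are this example's own names, and `renewing_enabled` stands in for the STSClient renewing switch rather than mirroring any particular CXF property.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample RSTR cut down to what the check reads. Conditions carry the
# quoted token's timestamps; like that token it has no wst:Lifetime unless spliced in.
LIFETIME = ('<wst:Lifetime><wsu:Created>2014-04-24T15:42:21Z</wsu:Created>'
            '<wsu:Expires>2014-04-24T15:49:21Z</wsu:Expires></wst:Lifetime>')

def sample_rstr(lifetime=""):
    return f"""<wst:RequestSecurityTokenResponse xmlns:wst="{NS['wst']}"
    xmlns:wsu="{NS['wsu']}" xmlns:saml2="{NS['saml2']}">
  {lifetime}
  <wst:RequestedSecurityToken>
    <saml2:Assertion ID="SamlAssertion-sample" Version="2.0" IssueInstant="2014-04-24T15:42:21.083Z">
      <saml2:Conditions NotBefore="2014-04-24T15:40:21.084Z"
          NotOnOrAfter="2014-04-24T15:47:21.084Z"/>
    </saml2:Assertion>
  </wst:RequestedSecurityToken>
</wst:RequestSecurityTokenResponse>"""

def parse_utc(ts):
    """xsd:dateTime in UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)

def token_expiry(rstr_xml):
    """Expiry a client cache can record: wst:Lifetime/wsu:Expires when the STS
    sent one, else the assertion's Conditions/@NotOnOrAfter, else None."""
    root = ET.fromstring(rstr_xml)
    expires = root.find("wst:Lifetime/wsu:Expires", NS)
    if expires is not None and expires.text:
        return parse_utc(expires.text.strip())
    cond = root.find(".//saml2:Assertion/saml2:Conditions", NS)
    if cond is not None and cond.get("NotOnOrAfter"):
        return parse_utc(cond.get("NotOnOrAfter"))
    return None

def next_action(expires, now, renewing_enabled=True):
    """Flow the poster describes: reuse while valid, else renew, or issue when
    renewing is disabled. A token with no recorded expiry never trips the check."""
    if expires is None or now < expires:
        return "reuse"
    return "renew" if renewing_enabled else "issue"
```

The last branch is the one worth checking against a real RSTR: if neither a Lifetime nor a usable NotOnOrAfter reaches the cache, the expiry test can never fire and the same token is reused indefinitely.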
