Yes, this was when sending a signed SAML token to the Validate interface. 
But it's also when, e.g., I send a certificate as a BST in OnBehalfOf.

The SAMLTokenValidator looks like it has a subjectConstraints property 
that would do the trick, but when I configured it like this it didn't 
work, I still got the "No Subject DN Constraints" message:

    <bean id="bstSamlTokenValidator"
          class="org.apache.cxf.sts.token.validator.SAMLTokenValidator">
        <property name="subjectConstraints" ref="embeddedCertConstraints"/>
    </bean>

    <util:list id="embeddedCertConstraints">
        <value>.*</value> <!-- match anything -->
    </util:list>

It looks like the validator should already have a CertConstraintsParser, 
or is that not correct?

I guess that to handle the OnBehalfOf case I would need to add a 
CertConstraintsParser to an X509TokenValidator? Or would I have to do 
something different there?

These are edge cases for me so I could live with the warnings if I had to, 
but I'd like to at least run through my options to clean it up.

Thanx,

Stephen W. Chappell




From:   Colm O hEigeartaigh <[email protected]>
        ANG-B31, Information Security Branch
To:     "[email protected]" <[email protected]>, 
Date:   05/19/2014 07:05 AM
Subject:        Re: Certificate constraints on non-signing certificates



Is this when validating a signed SAML Token? In this case, the warning is a
bit misleading, as cert constraint validation happens in the STS itself
rather than in WSS4J, where the warning is logged. You can inject a
CertConstraintsParser object into the SAMLTokenValidator, which itself
contains a collection of constraints on the subject DN of the signing
certificate.

Colm.


On Fri, May 16, 2014 at 7:59 PM, <[email protected]> wrote:

> In my STS, I recently set up certificate constraints by setting
> ws-security.subject.cert.constraints on my jaxws:endpoint in my CXF
> config. This seems to work ok for the certificate that signs the RST
> messages I send up. But when the RST contains another, non-signing
> certificate - e.g., when using the Validate interface to validate a
> previously issued token - I get a warning in the log stating "No Subject
> DN Certificate Constraints were defined." I don't think this is an issue
> so much, but it does make me wonder if there is a way to set cert
> constraints for non-signing certificates?
>
>
> Stephen W. Chappell
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
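As an added illustration of the check Colm describes above (a collection of regular-expression constraints applied to the subject DN of the certificate), here is a small stand-alone Java program. It is not code from CXF, WSS4J, or either poster, and it does not use the real CertConstraintsParser: the class name, the DN strings and the patterns are all constructed for the example. The detail it is meant to show is which string form a subject DN regex is matched against once the DN has been normalised with X500Principal, which is what makes a constraint like the ".*" in the config above match everything while a pattern written with the "pretty" spacing of the DN does not.

```java
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.security.auth.x500.X500Principal;

/**
 * Added example, not CXF/WSS4J code: a subject-DN constraint check in the
 * style described in the thread. A list of regexes is configured; the
 * subject DN of a certificate must match at least one of them.
 */
public class SubjectDnConstraintsDemo {

    private final List<Pattern> subjectConstraints;

    public SubjectDnConstraintsDemo(List<String> regexes) {
        this.subjectConstraints = regexes.stream()
                .map(Pattern::compile)
                .collect(Collectors.toList());
    }

    /**
     * Normalise a DN string the way X500Principal.getName() does (RFC 2253
     * form: attributes separated by commas with no surrounding spaces).
     * This is the string the constraint regexes are matched against.
     */
    static String normalise(String dn) {
        return new X500Principal(dn).getName();
    }

    /** True if the normalised subject DN matches at least one constraint. */
    public boolean matches(String subjectDn) {
        if (subjectConstraints.isEmpty()) {
            // Assumption for this demo: with no constraints configured there is
            // nothing to enforce, which is the situation behind the
            // "No Subject DN Certificate Constraints were defined" warning.
            return true;
        }
        String name = normalise(subjectDn);
        for (Pattern p : subjectConstraints) {
            if (p.matcher(name).matches()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed subject DNs; they do not come from any real certificate.
        String trusted = "CN=sts-client, OU=Dev, O=Example Corp, C=US";
        String other   = "CN=someone-else, O=Other Org, C=US";

        System.out.println("normalised: " + normalise(trusted));

        // ".*" accepts any subject, which is what the config in the thread expresses.
        SubjectDnConstraintsDemo any = new SubjectDnConstraintsDemo(List.of(".*"));
        System.out.println("'.*'            trusted=" + any.matches(trusted)
                + " other=" + any.matches(other));

        // A constraint tied to the organisation, written against the normalised
        // form (no space after the comma).
        SubjectDnConstraintsDemo org =
                new SubjectDnConstraintsDemo(List.of(".*O=Example Corp,.*"));
        System.out.println("org pattern     trusted=" + org.matches(trusted)
                + " other=" + org.matches(other));

        // The same intent written with the spacing of the original DN string
        // never matches, because the regex sees the normalised form.
        SubjectDnConstraintsDemo spaced =
                new SubjectDnConstraintsDemo(List.of(".*, O=Example Corp, .*"));
        System.out.println("spaced pattern  trusted=" + spaced.matches(trusted));
    }
}
```

Run it with plain Java SE (no CXF on the classpath is needed). The ".*" constraint accepts both subjects, the organisation pattern accepts only the first, and the pattern that assumes a space after each comma rejects even the trusted subject, so when writing real constraints it pays to print the normalised DN first and write the regex against that form.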
