I've merged a fix to get rid of the extra WARNING you are seeing with certificate constraint validation. I've also added a CertConstraintParser to the X509TokenValidator, so that you can add cert constraints in the exact same way as for the SAMLTokenValidator.
Colm. On Fri, May 23, 2014 at 5:52 PM, <[email protected]> wrote: > Yes, this was when sending a signed SAML token to the Validate interface. > But it's also when, e.g., I send a certificate as a BST in OnBehalfOf. > > The SAMLTokenValidator looks like it has a subjectConstraints property > that would do the trick, but when I configured it like this it didn't > work, I still got the "No Subject DN Constraints" message: > > <bean id="bstSamlTokenValidator" > class="org.apache.cxf.sts.token.validator.SAMLTokenValidator"> > <property name="subjectConstraints" > ref="embeddedCertConstraints"/> > </bean> > > <util:list id="embeddedCertConstraints"> > <value>.*</value> <!-- match anything --> > </util:list> > > It looks like the validator should already have a CertConstraintsParser, > or is that not correct? > > I guess that to handle the OnBehalfOf case that I would need to add a > CertConstraintsParser to an X509TokenValidator? Or would I have to do > something different there? > > These are edge cases for me so I could live with the warnings if I had to, > but I'd like to at least run through my options to clean it up. > > Thanx, > > Stephen W. Chappell > > > > > From: Colm O hEigeartaigh <[email protected]> > ANG-B31, Information Security Branch > To: "[email protected]" <[email protected]>, > Date: 05/19/2014 07:05 AM > Subject: Re: Certificate constraints on non-signing certificates > > > > Is this when validating a signed SAML Token? In this case, the warning is > a > bit misleading, as cert constraint validation happens in the STS itself > rather than in WSS4J, where the warning is logged. You can inject a > CertConstraintsParser object into the SAMLTokenValidator, which itself > contains a collection of contraints on the subject DN of the signing > certificate. > > Colm. > > > On Fri, May 16, 2014 at 7:59 PM, <[email protected]> wrote: > > > In my STS, I recently set up certificate constraints by setting > > ws-security.subject.cert.constraints on my jaxws:endpoint in my CXF > > config. This seems to work ok for the certificate that signs the RST > > messages I send up. But when the RST contains another, non-signing > > certificate - e.g., when using the Validate interface to validate a > > previously issued token - I get a warning in the log stating "No Subject > > DN Certificate Constraints were defined." I don't think this is an issue > > so much, but it does make me wonder if there is a way to set cert > > constraints for non-signing certificates? > > > > > > Stephen W. Chappell > > > > > > -- > Colm O hEigeartaigh > > Talend Community Coder > http://coders.talend.com > > -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com
