Colm - That is great, thanx!

Stephen W. Chappell

-----Original Message-----
From: Colm O hEigeartaigh [mailto:[email protected]]
Sent: Monday, May 26, 2014 9:47 AM
To: [email protected]
Subject: Re: Certificate constraints on non-signing certificates

I've merged a fix to get rid of the extra WARNING you are seeing with certificate constraint validation. I've also added a CertConstraintParser to the X509TokenValidator, so that you can add cert constraints in the exact same way as for the SAMLTokenValidator.

Colm.

On Fri, May 23, 2014 at 5:52 PM, <[email protected]> wrote:
> Yes, this was when sending a signed SAML token to the Validate interface.
> But it's also when, e.g., I send a certificate as a BST in OnBehalfOf.
>
> The SAMLTokenValidator looks like it has a subjectConstraints property
> that would do the trick, but when I configured it like this it didn't
> work, I still got the "No Subject DN Constraints" message:
>
> <bean id="bstSamlTokenValidator"
>       class="org.apache.cxf.sts.token.validator.SAMLTokenValidator">
>     <property name="subjectConstraints" ref="embeddedCertConstraints"/>
> </bean>
>
> <util:list id="embeddedCertConstraints">
>     <value>.*</value> <!-- match anything -->
> </util:list>
>
> It looks like the validator should already have a
> CertConstraintsParser, or is that not correct?
>
> I guess that to handle the OnBehalfOf case that I would need to add a
> CertConstraintsParser to an X509TokenValidator? Or would I have to do
> something different there?
>
> These are edge cases for me so I could live with the warnings if I had
> to, but I'd like to at least run through my options to clean it up.
>
> Thanx,
>
> Stephen W. Chappell
> ANG-B31, Information Security Branch
>
> From: Colm O hEigeartaigh <[email protected]>
> To: "[email protected]" <[email protected]>,
> Date: 05/19/2014 07:05 AM
> Subject: Re: Certificate constraints on non-signing certificates
>
> Is this when validating a signed SAML Token? In this case, the warning
> is a bit misleading, as cert constraint validation happens in the STS
> itself rather than in WSS4J, where the warning is logged. You can
> inject a CertConstraintsParser object into the SAMLTokenValidator,
> which itself contains a collection of constraints on the subject DN of
> the signing certificate.
>
> Colm.
>
> On Fri, May 16, 2014 at 7:59 PM, <[email protected]> wrote:
> > In my STS, I recently set up certificate constraints by setting
> > ws-security.subject.cert.constraints on my jaxws:endpoint in my CXF
> > config. This seems to work ok for the certificate that signs the RST
> > messages I send up. But when the RST contains another, non-signing
> > certificate - e.g., when using the Validate interface to validate a
> > previously issued token - I get a warning in the log stating "No
> > Subject DN Certificate Constraints were defined." I don't think this
> > is an issue so much, but it does make me wonder if there is a way to
> > set cert constraints for non-signing certificates?
> >
> > Stephen W. Chappell
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
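The thread above describes two separate places where subject DN constraints apply in a CXF STS: the certificate that signs the RST (checked by WSS4J via the ws-security.subject.cert.constraints endpoint property) and certificates carried inside the RST (checked by the STS token validators via their subjectConstraints property). The Spring configuration below is an added example that ties the two together; it is not config from the thread or from the CXF project. Bean ids, the DN pattern, the keystore properties file, the callback handler class, the endpoint address and WSDL location are assumptions. The subjectConstraints property on X509TokenValidator is assumed to mirror SAMLTokenValidator's, as Colm's reply states, and exists only in releases that include the fix he merged. Note that Stephen's ".*" pattern accepts every subject DN, so it silences the warning without constraining anything; the pattern here is deliberately specific.

```xml
<!-- Added example (not from the thread or the CXF project).
     Shows subject DN constraints applied both to the RST signing certificate
     (WSS4J, endpoint property) and to certificates embedded in the RST
     (STS token validators). All ids, paths, classes and the DN pattern are assumed. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:jaxws="http://cxf.apache.org/jaxws"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
         http://www.springframework.org/schema/util  http://www.springframework.org/schema/util/spring-util.xsd
         http://cxf.apache.org/jaxws                http://cxf.apache.org/schemas/jaxws.xsd">

    <!-- One regex per allowed subject DN; the whole DN string must match.
         ".*" would accept any DN and make the constraint a no-op (assumed OU). -->
    <util:list id="embeddedCertConstraints">
        <value>.*OU=STS Clients.*</value>
    </util:list>

    <!-- Constrains the certificate embedded in a signed SAML token sent to Validate -->
    <bean id="samlTokenValidator"
          class="org.apache.cxf.sts.token.validator.SAMLTokenValidator">
        <property name="subjectConstraints" ref="embeddedCertConstraints"/>
    </bean>

    <!-- Constrains an X.509 certificate sent as a BinarySecurityToken (e.g. in OnBehalfOf).
         Property name assumed to match SAMLTokenValidator's, per Colm's reply. -->
    <bean id="x509TokenValidator"
          class="org.apache.cxf.sts.token.validator.X509TokenValidator">
        <property name="subjectConstraints" ref="embeddedCertConstraints"/>
    </bean>

    <bean id="transportValidateDelegate"
          class="org.apache.cxf.sts.operation.TokenValidateOperation">
        <property name="tokenValidators">
            <util:list>
                <ref bean="samlTokenValidator"/>
                <ref bean="x509TokenValidator"/>
            </util:list>
        </property>
        <property name="stsProperties" ref="stsProperties"/>
    </bean>

    <!-- Keystore file, alias, callback handler and issuer name are assumed -->
    <bean id="stsProperties" class="org.apache.cxf.sts.StaticSTSProperties">
        <property name="signaturePropertiesFile" value="stsKeystore.properties"/>
        <property name="signatureUsername" value="mystskey"/>
        <property name="callbackHandlerClass" value="com.example.sts.PasswordCallbackHandler"/>
        <property name="issuer" value="ExampleSTSIssuer"/>
    </bean>

    <bean id="transportSTSProviderBean"
          class="org.apache.cxf.ws.security.sts.provider.SecurityTokenServiceProvider">
        <property name="validateOperation" ref="transportValidateDelegate"/>
    </bean>

    <!-- Address and WSDL location are assumed -->
    <jaxws:endpoint id="transportSTS"
                    implementor="#transportSTSProviderBean"
                    address="https://localhost:9443/SecurityTokenService/Transport"
                    wsdlLocation="/wsdl/ws-trust-1.4-service.wsdl"
                    xmlns:ns1="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
                    serviceName="ns1:SecurityTokenService"
                    endpointName="ns1:Transport_Port">
        <jaxws:properties>
            <!-- Constrains only the certificate that signs the RST; enforced by WSS4J.
                 The value is a comma-separated list of regexes, so keep commas out of each pattern. -->
            <entry key="ws-security.subject.cert.constraints" value=".*OU=STS Clients.*"/>
            <entry key="ws-security.signature.properties" value="stsKeystore.properties"/>
            <entry key="ws-security.callback-handler" value="com.example.sts.PasswordCallbackHandler"/>
        </jaxws:properties>
    </jaxws:endpoint>
</beans>
```

The endpoint property and the validator property are independent: the first is checked by WSS4J when the RST signature is verified, the second by the STS when it processes the token inside the RST. Setting only one leaves the other certificate unconstrained, which is the situation the first message in the thread describes.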
