Actually, the UsernameTokenInterceptor (which is used when there is no security binding) does not support Nonce + Created. I've added support here:

https://issues.apache.org/jira/browse/CXF-6051

Colm.

On Tue, Oct 14, 2014 at 2:12 PM, Chris <[email protected]> wrote:

> I have not yet been able to build a simple test case, but it seems clear
> that the <sp13:Created /> and <sp13:Nonce /> elements are ignored in the
> client code. As I mentioned in a previous message
> <http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749800.html>
> these are being read correctly by the
>
>     AssertionInfoMap aim = message.get(AssertionInfoMap.class);
>
> at the beginning of
>
>     protected UsernameToken assertTokens(SoapMessage message, String localname, boolean signed)
>
> in org.apache.cxf.ws.security.wss4j.UsernameTokenInterceptor
>
> but not being returned in the token produced by that method.
>
> Meanwhile I came up with a "fix" by modifying the UsernameTokenInterceptor:
>
>     protected void addToken(SoapMessage message) {
>         UsernameToken tok = assertTokens(message);
>
>         Header h = findSecurityHeader(message, true);
>         WSSecUsernameToken utBuilder =
>             addUsernameToken(message, tok);
>         if (utBuilder == null) {
>             AssertionInfoMap aim = message.get(AssertionInfoMap.class);
>             Collection<AssertionInfo> ais =
>                 getAllAssertionsByLocalname(aim, SPConstants.USERNAME_TOKEN);
>             for (AssertionInfo ai : ais) {
>                 if (ai.isAsserted()) {
>                     ai.setAsserted(false);
>                 }
>             }
>             return;
>         }
>
>         //***************************
>         // Beginning of Modification
>         //***************************
>         AssertionInfoMap aim = message.get(AssertionInfoMap.class);
>         boolean haveNonce = false;
>         boolean haveCreated = false;
>
>         Collection<AssertionInfo> nonces =
>             aim.getAssertionInfo(SP13Constants.NONCE);
>         for(AssertionInfo nonce: nonces) {
>             if (nonce.isAsserted()) {
>                 haveNonce = true;
>             }
>         }
>
>         Collection<AssertionInfo> createds =
>             aim.getAssertionInfo(SP13Constants.CREATED);
>         for(AssertionInfo created: createds) {
>             if(created.isAsserted()) {
>                 haveCreated = true;
>             }
>         }
>
>         if (haveCreated) {
>             utBuilder.addCreated();
>         }
>
>         if (haveNonce) {
>             utBuilder.addNonce();
>         }
>
>         //***************************
>         // End of modification
>         //***************************
>
>         Element el = (Element)h.getObject();
>         utBuilder.prepare(el.getOwnerDocument());
>         el.appendChild(utBuilder.getUsernameTokenElement());
>     }
>
> So I thought "all well and good" and then tried the username token with
> message protection only to find that it uses a totally different class to
> generate the embedded username token, and the changed code is not called!
> As soon as I set the server to "created time and nonce required" it fails!
> This also appears to be much more complex processing so finding where to
> fix the code is a little difficult.
>
> BTW I know that my "fix" is probably not the right way to do it, fixing the
> underlying code to produce the correct values in the token, then passing
> that through to the builder looked like much too much work within our
> timescales
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/CXF-client-send-nonce-and-timestamp-tp5749743p5749873.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
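
An added illustration, not part of the thread and not CXF or WSS4J code: the kind of receiver-side check that a "created time and nonce required" setting implies, showing why a UsernameToken sent without those two elements is rejected and what they buy (freshness and replay detection). The class name, the 5-minute window, the 60-second clock-skew allowance, the in-memory nonce cache and the sample header are all assumptions constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UsernameTokenCheck { // hypothetical name
    static final String WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final Set<String> seenNonces = new HashSet<>(); // assumed in-memory replay cache

    // Returns "OK" or the reason the token would be rejected.
    static String check(String xml, Instant now, Duration maxAge) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
        Document d = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        NodeList toks = d.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (toks.getLength() != 1) return "expected exactly one UsernameToken";
        Element tok = (Element) toks.item(0);
        NodeList nonce = tok.getElementsByTagNameNS(WSSE, "Nonce");
        NodeList created = tok.getElementsByTagNameNS(WSU, "Created");
        if (nonce.getLength() != 1) return "Nonce missing";
        if (created.getLength() != 1) return "Created missing";
        Instant ts = Instant.parse(created.item(0).getTextContent().trim());
        if (ts.isAfter(now.plusSeconds(60)) || ts.isBefore(now.minus(maxAge)))
            return "Created outside freshness window";
        // Set.add returns false when the nonce was already seen inside the window.
        if (!seenNonces.add(nonce.item(0).getTextContent().trim())) return "Nonce replayed";
        return "OK";
    }

    static String token(String inner) { // constructed sample security header
        return "<wsse:Security xmlns:wsse='" + WSSE + "' xmlns:wsu='" + WSU + "'><wsse:UsernameToken>"
            + "<wsse:Username>alice</wsse:Username>" + inner + "</wsse:UsernameToken></wsse:Security>";
    }

    public static void main(String[] args) throws Exception {
        Instant now = Instant.parse("2014-10-14T14:12:00Z");
        Duration maxAge = Duration.ofMinutes(5);
        String full = token("<wsse:Nonce>bm9uY2UtMQ==</wsse:Nonce>"
            + "<wsu:Created>2014-10-14T14:11:30Z</wsu:Created>");
        System.out.println(check(token(""), now, maxAge)); // token without Nonce/Created
        System.out.println(check(full, now, maxAge));      // fresh token, first use
        System.out.println(check(full, now, maxAge));      // identical token presented again
    }
}
```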
