The STS syntax for it (also good for the WSP) is at line #75 here:
https://github.com/gmazza/blog-samples/blob/master/cxf_sts_tutorial/sts-war/src/main/webapp/WEB-INF/cxf-servlet.xml

This worked for me with Metro clients that don't provide a TokenType.

Glen

On 06/11/2012 11:31 AM, Gina Choi wrote:
Hi Colm,

<<<
You can turn this off by setting the following jax-ws property
"ws-security.is-bsp-compliant" to "false" for the service provider.
Does setting "ws-security.is-bsp-compliant" to "false" make the Service
Provider not check the wsse11:TokenType attribute? ADFS 2.0 doesn't enforce
the wsse11:TokenType attribute, so the security token that I got from ADFS 2.0
wouldn't contain a wsse11:TokenType attribute. I set
"ws-security.is-bsp-compliant" through the client configuration file like
below, but it didn't change the result. I am getting the same exception.


    <jaxws:client name="{http://www.example.org/contract/DoubleIt}DoubleItPort"
                  createdFromAPI="true">
        <jaxws:properties>
            <entry key="ws-security.is-bsp-compliant" value="false"/>
            <entry key="ws-security.sts.client">
                <bean class="org.apache.cxf.ws.security.trust.STSClient">
                    <constructor-arg ref="cxf"/>
                    <property name="wsdlLocation" value="adfs_new_simple.wsdl"/>
                    ........
                </bean>
            </entry>
        </jaxws:properties>
    </jaxws:client>


Gina
On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh <[email protected]> wrote:

CXF enforces the Basic Security Profile 1.1 spec:

http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html

"R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a
wsse11:TokenType attribute with a value of
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"."

You can turn this off by setting the following jax-ws property
"ws-security.is-bsp-compliant" to "false" for the service provider.

Colm.

On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi <[email protected]> wrote:

I did some research and looked at the OASIS specification
(https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf),
and it looks like the wsse11:TokenType attribute is optional for SAML 1.1,
but should contain
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1.

<<<

Now I am getting 'An invalid security token was provided (Bad TokenType
"")'. I debugged through the code again and the following is the issue:
org.apache.ws.security.str.BSPEnforcer (wss4j-1.6.6.jar), lines 162-169:
        String tokenType = secRef.getTokenType();
        // A reference to a SAML 1.1 assertion is rejected unless the STR carries
        // wsse11:TokenType equal to WSConstants.WSS_SAML_TOKEN_TYPE (the #SAMLV1.1 URI).
        if (assertion.getSaml1() != null
            && !WSConstants.WSS_SAML_TOKEN_TYPE.equals(tokenType)) {
            throw new WSSecurityException(
                WSSecurityException.INVALID_SECURITY_TOKEN,
                "invalidTokenType",
                new Object[]{tokenType}
            );
        }
The content of the secRef object is as follows. As you can see from the above
code, it is looking for an attribute named "TokenType", whose value is
"http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1",
but the SecurityTokenReference doesn't have it. That's why it throws the
exception. What can we do about this? I am going to update CXF-4367 with
the new content.

<o:SecurityTokenReference xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
  <o:KeyIdentifier ValueType="http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID">
  _ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
</o:SecurityTokenReference>



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Glen Mazza
Talend Community Coders
coders.talend.com
blog: www.jroller.com/gmazza
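The following is an added example and is not code from CXF, WSS4J, ADFS or any poster in the thread. It applies the BSP 1.1 R6611 check Colm quotes to the SecurityTokenReference Gina posted (the one with only a SAMLAssertionID KeyIdentifier), with a boolean flag standing in for the ws-security.is-bsp-compliant property. The second, compliant reference and the wsse11 prefix are constructed for the example; the code also assumes the referenced assertion is SAML 1.1, which the real WSS4J check determines from the assertion itself.

```python
"""BSP 1.1 rule R6611 applied to a wsse:SecurityTokenReference.

Added example (not CXF or WSS4J code). It reproduces the decision the quoted
WSS4J BSPEnforcer snippet makes: a reference to a SAML 1.1 assertion must carry
wsse11:TokenType="...#SAMLV1.1"; without it the token is rejected unless BSP
enforcement is switched off (CXF: ws-security.is-bsp-compliant=false).
"""
import xml.etree.ElementTree as ET

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSSE11_NS = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd"
SAML11_TOKEN_TYPE = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1"
SAML_ASSERTION_ID = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID"

# The reference as posted in the thread (issued by ADFS 2.0): no wsse11:TokenType.
ADFS_STR = f"""<o:SecurityTokenReference xmlns:o="{WSSE_NS}">
  <o:KeyIdentifier ValueType="{SAML_ASSERTION_ID}">
  _ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
</o:SecurityTokenReference>"""

# Constructed for this example: the same reference with the attribute R6611 requires.
COMPLIANT_STR = f"""<o:SecurityTokenReference xmlns:o="{WSSE_NS}"
    xmlns:wsse11="{WSSE11_NS}" wsse11:TokenType="{SAML11_TOKEN_TYPE}">
  <o:KeyIdentifier ValueType="{SAML_ASSERTION_ID}">_ca94d3c5-0933-4af0-ac12-a83fd407310c</o:KeyIdentifier>
</o:SecurityTokenReference>"""


class InvalidSecurityToken(Exception):
    """Stands in for WSSecurityException(INVALID_SECURITY_TOKEN)."""


def resolve_saml11_reference(str_xml: str, bsp_compliant: bool = True) -> str:
    """Return the assertion ID a SecurityTokenReference points at.

    Raises InvalidSecurityToken when the reference is malformed or, with
    bsp_compliant=True, when R6611's wsse11:TokenType attribute is missing
    or has the wrong value. Assumption: the referenced assertion is SAML 1.1
    (the thread's case); a real verifier reads that from the assertion.
    """
    root = ET.fromstring(str_xml)
    if root.tag != f"{{{WSSE_NS}}}SecurityTokenReference":
        raise InvalidSecurityToken("not a wsse:SecurityTokenReference")

    key_id = root.find(f"{{{WSSE_NS}}}KeyIdentifier")
    if key_id is None or key_id.get("ValueType") != SAML_ASSERTION_ID:
        raise InvalidSecurityToken("expected a KeyIdentifier with the SAMLAssertionID ValueType")

    # R6611: the attribute lives on the STR element itself, not on the KeyIdentifier.
    token_type = root.get(f"{{{WSSE11_NS}}}TokenType")
    if bsp_compliant and token_type != SAML11_TOKEN_TYPE:
        raise InvalidSecurityToken(f'Bad TokenType "{token_type or ""}"')

    return (key_id.text or "").strip()


def accepted(str_xml: str, bsp_compliant: bool = True) -> bool:
    """True if the reference would be accepted under the given BSP setting."""
    try:
        resolve_saml11_reference(str_xml, bsp_compliant)
        return True
    except InvalidSecurityToken:
        return False


if __name__ == "__main__":
    for name, doc in (("ADFS", ADFS_STR), ("compliant", COMPLIANT_STR)):
        for flag in (True, False):
            print(f"{name:9s} bsp_compliant={flag!s:5s} -> {accepted(doc, flag)}")
```

Running it shows the two outcomes discussed in the thread: the ADFS reference is rejected with Bad TokenType "" while BSP enforcement is on and accepted once it is off, and a reference that carries the wsse11:TokenType attribute passes either way. Since the check runs on the receiving side, the flag corresponds to a property set on the service provider, which is Colm's point about where ws-security.is-bsp-compliant has to be configured.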
