Hi Glen, So, if I set up "ws-security.is-bsp-**compliant" in STS config, STS will generate a token without TokenType attribute, but in WSP side, I still need to set up "ws-security.is-bsp-**compliant"=false to turn off checking "ws-security.is-bsp-**compliant" attribute, correct?
Thanks. Gina On Mon, Jun 11, 2012 at 1:10 PM, Glen Mazza <[email protected]> wrote: > The STS syntax for it (also good for WSP) is as line #75 here: > https://github.com/gmazza/**blog-samples/blob/master/cxf_** > sts_tutorial/sts-war/src/main/**webapp/WEB-INF/cxf-servlet.xml<https://github.com/gmazza/blog-samples/blob/master/cxf_sts_tutorial/sts-war/src/main/webapp/WEB-INF/cxf-servlet.xml> > > This worked for me with Metro clients that don't provide a TokenType. > > Glen > > > On 06/11/2012 11:31 AM, Gina Choi wrote: > >> Hi Colm, >> >> <<< >> You can turn this off by setting the following jax-ws property >> "ws-security.is-bsp-compliant" to "false" for the service provider. >> Does setting "ws-security.is-bsp-compliant" to "false" make Service >> Provider not to check wsse11:TokenType attribute? ADFS2.0 doesn't enforce >> wsse11:TokenType attribute, so the security token that I got from ADFS2.0 >> wouldn't contain wsse11:TokenType attribute. I set >> "ws-security.is-bsp-compliant" through client configuration file like >> bellow, but it didn't change any result. I am getting same exception. >> >> >> <jaxws:client name="{ >> http://www.example.org/**contract/DoubleIt}DoubleItPort<http://www.example.org/contract/DoubleIt%7DDoubleItPort> >> **" >> createdFromAPI="true"> >> <jaxws:properties> >> <entry key="ws-security.is-bsp-**compliant" value="false"/> >> <entry key="ws-security.sts.client"> >> <bean class="org.apache.cxf.ws.** >> security.trust.STSClient"> >> <constructor-arg ref="cxf"/> >> <property name="wsdlLocation" value="adfs_new_simple.wsdl"/> >> ........ >> >> >> Gina >> On Mon, Jun 11, 2012 at 5:02 AM, Colm O hEigeartaigh<coheigea@apache.** >> org <[email protected]>>wrote: >> >> CXF enforces the Basic Security Profile 1.1 spec: >>> >>> http://www.ws-i.org/profiles/**basicsecurityprofile-1.1.html<http://www.ws-i.org/profiles/basicsecurityprofile-1.1.html> >>> >>> "R6611 Any SECURITY_TOKEN_REFERENCE to a SAML_V1_1_TOKEN MUST contain a >>> wsse11:TokenType attribute with a value of " >>> http://docs.oasis-open.org/**wss/oasis-wss-saml-token-** >>> profile-1.1#SAMLV1.1<http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1> >>> ". >>> " >>> >>> You can turn this off by setting the following jax-ws property >>> "ws-security.is-bsp-compliant" to "false" for the service provider. >>> >>> Colm. >>> >>> On Sat, Jun 9, 2012 at 12:00 AM, Gina Choi<[email protected]> wrote: >>> >>> I did some research and looked at oasis specification( >>>> >>>> >>>> https://www.oasis-open.org/**committees/download.php/16768/** >>> wss-v1.1-spec-os-**SAMLTokenProfile.pdf<https://www.oasis-open.org/committees/download.php/16768/wss-v1.1-spec-os-SAMLTokenProfile.pdf> >>> >>>> ), >>>> it looks like that wsse11:TokenType attribute is optional for SAML 1.1, >>>> >>> but >>> >>>> should contain >>>> http://docs.oasis-open.org/**wss/oasis-wss-saml-token-** >>>> profile-1.1#SAMLV1.1<http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1> >>>> >>> . >>> >>>> >>>> <<< >>>> >>>> Now I am getting 'An invalid security token was provided (Bad TokenType >>>> "")'. I debugged through code again and following is the issue. >>>> org.apache.ws.security.str.**BSPEnforcer.java(wss4j-1.6.6.**jar) class >>>> Line >>>> >>> 162 >>> >>>> - 169 >>>> >>>> String tokenType = secRef.getTokenType(); >>>> if (assertion.getSaml1() != null&& >>>> !WSConstants.WSS_SAML_TOKEN_**TYPE.equals(tokenType)) { >>>> throw new WSSecurityException( >>>> WSSecurityException.INVALID_**SECURITY_TOKEN, >>>> "invalidTokenType", >>>> new Object[]{tokenType} >>>> ); >>>> } >>>> The content of secRef object as follow. As you can see from above code, >>>> >>> it >>> >>>> is looking for an attribute named "TokenType", whose value is " >>>> >>>> http://docs.oasis-open.org/**wss/oasis-wss-saml-token-** >>>> profile-1.1#SAMLV1.1<http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1> >>>> " but SecurityTokenReference doesn't have it. That's why it throws >>>> exception. What we can do about this? I am going to update *CXF-4367 >>>> with >>>> new content.* >>>> >>>> <o:SecurityTokenReference xmlns:o=" >>>> >>>> >>>> http://docs.oasis-open.org/**wss/2004/01/oasis-200401-wss-** >>> wssecurity-secext-1.0.xsd<http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd> >>> >>>> "> >>>> <o:KeyIdentifier ValueType=" >>>> >>>> >>>> http://docs.oasis-open.org/**wss/oasis-wss-saml-token-** >>> profile-1.0#SAMLAssertionID<http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID> >>> >>>> "> >>>> _ca94d3c5-0933-4af0-ac12-**a83fd407310c</o:KeyIdentifier> >>>> </o:SecurityTokenReference> >>>> >>>> >>> >>> -- >>> Colm O hEigeartaigh >>> >>> Talend Community Coder >>> http://coders.talend.com >>> >>> > > -- > Glen Mazza > Talend Community Coders > coders.talend.com > blog: www.jroller.com/gmazza > >
