Hi Colm,

Yep, it could be a solution for Susan's scenario.
The only thing that disturbs me a bit in SAML SymmetricKey HolderOfKey is that the STS
should know the certificates of all services for which it issues tokens.
If I deploy a new service, it is necessary to:
a) add the service certificate to the STS keystore as a trusted entry;
b) configure the alias (encryptionUserName) in the appropriate STS Service/ServiceMBean.

I think XKMS can be useful even for the SAML SymmetricKey HolderOfKey scenario, to
resolve the certificate lookup.

Perhaps we can extend XKMS with a new ApplicationId, so that service certificates
can be looked up on the basis of the service endpoint.
WDYT?

Regards,
Andrei.

> -----Original Message-----
> From: Colm O hEigeartaigh [mailto:cohei...@apache.org]
> Sent: Friday, 18 October 2013 13:34
> To: users@cxf.apache.org
> Cc: Susan Liebeskind
> Subject: Re: CXF WS-Trust/WS-SecureConversation security policy questions
> 
> Hi Susan,
> 
> Just looking at your original requirements again, I think a scenario based on
> SAML SymmetricKey HolderOfKey might meet your requirements. The idea
> is that the service has an IssuedToken policy, that requires a SAML Token
> with a "SymmetricKey" KeyType. The client gets such a token from the STS,
> which contains the secret key encrypted using the certificate of the service.
> The client also obtains the secret key from the STS by key negotation. The
> client then sends the SAML Token to the service + secures the request with
> the secret key.
> 
> This way you have authentication + the client doesn't need to be configured
> with the service certificate.
> 
> Colm.
> 
> 
> On Tue, Oct 15, 2013 at 3:09 PM, Andrei Shakirin
> <ashaki...@talend.com> wrote:
> 
> > Hi Susan,
> >
> > > -----Original Message-----
> > > From: Susan Liebeskind [mailto:susan.liebesk...@gtri.gatech.edu]
> > > Sent: Tuesday, 15 October 2013 14:07
> > > To: Andrei Shakirin
> > > Subject: Re: CXF WS-Trust/WS-SecureConversation security policy
> > > questions
> > >
> > > Hi Andrei,
> > >
> > > I have tried 3 times to post this to the CXF list, and 3 times it has
> > > been rejected as spam for no reason I can determine.  I have been having
> > > this problem since I joined the list, and mailed to
> > > users-ow...@cxf.apache.org, but not gotten a response. Therefore, I am
> > > replying just to you...
> >
> > Hmm ... this is a bit strange.
> >
> > >
> > > But do you know who manages the list so I could figure out what
> > > could be triggering this false positive from the Apache spam
> > > monitor? It's pretty frustrating.  The message I get looks like this...
> > >
> > >
> > > > I'm sorry to inform you that the message below could not be delivered.
> > > > When delivery was attempted, the following error was returned.
> > > >
> > > > <users@cxf.apache.org>: host mx1.eu.apache.org[192.87.106.230] said:
> > > >      552 spam score (5.7) exceeded threshold
> > > >      (HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_PASS
> > > >      (in reply to end of DATA command)
> > >
> > > -- snip snip snip - the post I cannot get on the list ---
> > >
> >
> > I have no idea what happens. It seems that the number of emails from
> > your account exceeds the threshold, but I do not know why.
> > Could you create an appropriate issue for the CXF project?
> >
> > >
> > > Hi Andrei,
> > >
> > >
> > > >> Do .NET clients play well with an XKMS server? Interoperability
> > > >> with .NET clients is an important concern for me.
> > > > I never tried XKMS in .Net, but as far as it is a W3C standard, it
> > > > should also work with .Net:
> > > > http://msdn.microsoft.com/en-us/library/ms972954.aspx
> > > > http://www.w3.org/2001/07/xkms-ws/dillaway/XKMSWorkshop_files/frame.htm
> > > > http://pages.infinit.net/ctech/xkms-part2.html
> > > Yes but...it is not uncommon to have incompatible implementations of
> > > the standards, as we all know too well from bitter personal experience.
> > > Seeing how old some of these references are (one from July 2001), I
> > > am rather dubious that we can assume the same level of support
> > > appears in today's .NET 4.x Framework.
> >
> > Sure, it very probably requires some testing and configuration/adaptation
> > effort.
> > But XKMS seems to be the right way to get and validate the
> > certificates in enterprise service environments.
> >
> > >
> > > I say this having gotten burned badly on something that worked with
> > > .NET 3.5 but not with .NET 4.0, something in the web service arena that
> > > Microsoft apparently invented. The issue in question pertains to the
> > > doc/literal/wrapped style of writing WSDL.  While the historical
> > > record suggests that doc/literal/wrapped was invented by Microsoft,
> > > as of .NET 4.0, the Microsoft equiv of WSDL2Java cannot generate proxy
> > > code from a doc/literal/wrapped WSDL. You have to "unwrap" the WSDL in
> > > order to get generated code now.
> > >
> > > Point is: if Microsoft gave up on something they pushed into the web
> > > service community, color me dubious they'd keep up with support for one
> > > of the XML standards that never really gained much traction.
> > > >> XKMS does sound interesting, but it also sounds like XKMS would
> > > >> replace the certs issued by our existing PKI, and that wouldn't
> > > >> work for us.
> > > > XKMS doesn't replace PKI, but provides a façade for PKI:
> > > > http://ashakirin.blogspot.de/2013/04/cxf-security-getting-certificates-from.html
> > > >
> > > > That means you can easily plug your own lookup and validators into the
> > > > CXF XKMS implementation, which will speak with your PKI.
> > > Easily is a matter of opinion - *nothing* involving PKI has ever
> > > proved easy :-)
> > >
> > > For me, the potential risk of incompatible .NET issues, the use of
> > > an old standard which doesn't have tons of support, compared with
> > > the cost of having to distribute a few certificates (like we are
> > > already used to)..well, it tips the scale in terms of staying with
> > > what I have.  I agree that what you are talking about sounds like a
> > > good match on paper for my requirements, but with the tradeoff of
> > > time/energy/risk, I cannot recommend this approach for the work I'm
> > > doing between now and November. While I am curious to know if it
> > > could be made to work, I'd have to do that on my own time, not
> > > company time.
> > >
> >
> > Ok, I understand your point.
> >
> > > Thanks, Andrei - I would never have even known about this option
> > > if you and Dennis hadn't brought it up.
> >
> > You are welcome!
> >
> > >
> > > Cheers,
> > > Susan
> >
> > Regards,
> > Andrei.
> >
> >
> 
> 
> --
> Colm O hEigeartaigh
> 
> Talend Community Coder
> http://coders.talend.com
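The SAML SymmetricKey HolderOfKey flow Colm describes, and the STS-side certificate registry Andrei's reply points at, as an added Go example that is not part of this thread or of CXF: the STS derives the proof key with the WS-Trust computed-key function (P_SHA1 over client and STS entropy), wraps it under the service certificate, the client signs with the same derived key, and the service unwraps with its own private key. The STS type, its endpoint-keyed ServiceCerts map, the raw RSA-OAEP wrapping and the HMAC-SHA256 body signature are constructed stand-ins for the SAML assertion and WS-Security messages, not CXF classes.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
)

// pSHA1 is the WS-Trust computed-key function: A(0)=seed, A(i)=HMAC(secret, A(i-1)),
// key = HMAC(secret, A(1)||seed) || HMAC(secret, A(2)||seed) || ... truncated to n bytes.
func pSHA1(secret, seed []byte, n int) []byte {
	var out []byte
	for a := seed; len(out) < n; {
		m := hmac.New(sha1.New, secret)
		m.Write(a)
		a = m.Sum(nil)
		m = hmac.New(sha1.New, secret)
		m.Write(a)
		m.Write(seed)
		out = append(out, m.Sum(nil)...)
	}
	return out[:n]
}
// STS holds the certificate of every service it issues for, keyed by endpoint (Andrei's point).
type STS struct{ ServiceCerts map[string]*rsa.PublicKey }
// Issue derives the proof key and returns it wrapped under the service certificate (HolderOfKey).
func (s *STS) Issue(endpoint string, clientEntropy []byte, keyLen int) (wrapped, stsEntropy []byte, err error) {
	pub, ok := s.ServiceCerts[endpoint]
	if !ok {
		return nil, nil, errors.New("no certificate registered for " + endpoint)
	}
	stsEntropy = make([]byte, 16)
	rand.Read(stsEntropy) // crypto/rand.Read does not fail in practice
	wrapped, err = rsa.EncryptOAEP(sha1.New(), rand.Reader, pub, pSHA1(clientEntropy, stsEntropy, keyLen), nil)
	return wrapped, stsEntropy, err
}
// Sign is the client side: an HMAC over the request body with the derived proof key.
func Sign(key, body []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(nil)
}
// Verify is the service side: unwrap the proof key with its own private key; no client certificate needed.
func Verify(priv *rsa.PrivateKey, wrapped, body, mac []byte) bool {
	key, err := rsa.DecryptOAEP(sha1.New(), nil, priv, wrapped, nil)
	return err == nil && hmac.Equal(Sign(key, body), mac)
}
```

Deploying a second service means adding its certificate to ServiceCerts before Issue will succeed for that endpoint, which is exactly the keystore/alias step the message above describes.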
