Hi, I created the following JIRA + will shortly merge a fix:
https://issues.apache.org/jira/browse/CXF-6401 You could workaround it by creating a custom interceptor, and parsing the WSS4J results yourself to override the security context that the WSS4JInInterceptor is creating. Colm. On Tue, May 12, 2015 at 7:09 AM, Stuart Charlton <stua...@mac.com> wrote: > Good day, > > I am dusting off my CXF after many years, trying to replace a Weblogic > SAML implementation with CXF. > > I’ve been trying out a WS-SecurityPolicy-described SAML invocation hello > world using some of the CXF systest code as the basis of my example. This > is an asymmetric sender-vouches call. > > I’ve noticed that the WebServiceContext in the service, when I call > getUserPrincipal() always returns me the x509 signature subject for the > message (alice), and never the SAML Subject Name that’s created on the > client callback (uid=sts-client,o=mock-sts.com <http://mock-sts.com/>). > > Is this as designed? Looking at the WSS4J and CXF code, I have seen code > paths that do create a Principal based on the SAML Subject but it seems > this never gets called if the signature principal is already set. I’ve > tried a variety of approaches but my unfamiliarity with CXF is showing. > > My only current thought is that I could workaround this by turning off > token validation and building a custom JAAS SAML Login Module that > validates the token and processes the login (similar to how WebLogic does > it with its SAML Identity Asserter), but wanted to see if there was a more > effective approach. > > Thanks, > Stu > > > Here are my code snippets. > > Client: > > > @Configuration > @EnableAutoConfiguration > @SpringBootApplication > public class Application { > > public static void main(String[] args) { > ApplicationContext ctx = SpringApplication.run(Application.class, > args); > } > > @Bean > public HelloWorld helloService() { > > JaxWsProxyFactoryBean factory = new JaxWsProxyFactoryBean(); > factory.setWsdlLocation("classpath:wsdl/hello.wsdl"); > factory.setAddress("http://myserver/ws-server-1.0/api/hello"); > factory.setServiceName(QName.valueOf("{ > http://service.spring.demo/}HelloWorldImplService")); > factory.setEndpointName(QName.valueOf("{ > http://service.spring.demo/}HelloWorldImplPort")); > factory.setServiceClass(HelloWorld.class); > > Map<String, Object> props = new HashMap<String, Object>(); > props.put("ws-security.callback-handler", new > KeystoreCallbackHandler()); > > props.put("ws-security.signature.username", "alice"); > props.put("ws-security.signature.properties", "alice.properties"); > > props.put("ws-security.saml-callback-handler", new > demo.spring.service.SamlCallbackHandler()); > factory.setProperties(props); > HelloWorld client = (HelloWorld) factory.create(); > return client; > } > } > > Client Callback (similar to systest callback): > > public void handle(Callback[] callbacks) throws IOException, > UnsupportedCallbackException { > // snip > callback.setIssuer("sts"); > String subjectName = "uid=sts-client,o=mock-sts.com"; > String subjectQualifier = "www.mock-sts.com"; > if (!saml2 && > SAML2Constants.CONF_SENDER_VOUCHES.equals(confirmationMethod)) { > confirmationMethod = > SAML1Constants.CONF_SENDER_VOUCHES; > } > SubjectBean subjectBean = > new SubjectBean( > subjectName, subjectQualifier, confirmationMethod > ); > callback.setSubject(subjectBean); > > try { > Crypto crypto = > CryptoFactory.getInstance(cryptoPropertiesFile); > callback.setIssuerCrypto(crypto); > callback.setIssuerKeyName(cryptoAlias); > callback.setIssuerKeyPassword(cryptoPassword); > callback.setSignAssertion(signAssertion); > } catch (WSSecurityException e) { > throw new IOException(e); > } > } > > > Service: > > @WebService(endpointInterface = "demo.spring.service.HelloWorld") > public class HelloWorldImpl implements HelloWorld { > > @Resource > WebServiceContext wsContext; > > public String sayHi(String text) { > Principal pr = wsContext.getUserPrincipal(); > String username = ""; > if (pr != null) username = pr.getName(); > System.out.println("sayHi called"); > return "Ping " + username + " - " + text; > } > } > > > This always prints “Ping -- Colm O hEigeartaigh Talend Community Coder http://coders.talend.com