I implemented a business service (transfer service) based on the CXF
framework and Spring Boot. A user has to send a SAML token, which is issued
by the STS, to the business service. The business service redirects the
request via a security policy to the STS, which authenticates the user via
UsernameToken.
I test the business service and STS with the following client example:

https://github.com/coheigea/testcases/tree/master/apache/cxf/cxf-sts

This example involves an SSO test for the business service and the STS.
Everything worked fine, but I have two questions which I do not understand.

1) The issued SAML token is only valid for the transfer service if the token
is first issued for the transfer service, isn't it? If I have a second
service (for example a change user address service), the SAML token issued
for the transfer service is not valid for the "change user address service".
Therefore, I think SSO is only valid for one service address if I use only
one STS.
Is there a possibility to establish SSO for various service addresses which
I trust?


2) I implemented only an issue and a validate operation for the STS and test
the SSO with the following client code example:

import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.ws.security.trust.STSClient;

// 'bus', 'proxy', getshipment(), getlistshipments() and Testcallback come from
// the test harness and are not shown here.
STSClient sts = new STSClient(bus);
sts.setWsdlLocation("https://localhost:8443/services/SecurityTokenService?wsdl");
sts.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
sts.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}UT_Port");

// Properties for the STS call (client key and keystore used for the request).
Map<String, Object> prop = new HashMap<String, Object>();
prop.put("security.sts.token.username", "myclientkey");
prop.put("security.sts.token.properties", "clientKeystore.properties");
prop.put("security.sts.usecert", true);
sts.setProperties(prop); // the map was built but never attached in the original snippet

// UsernameToken credentials, the STSClient and the callback handler go into
// the proxy's request context.
Map<String, Object> ctx = ((BindingProvider) proxy).getRequestContext();
ctx.put("ws-security.username", "anna");
ctx.put("ws-security.password", "anna123");
ctx.put("ws-security.sts.client", sts);
ctx.put("ws-security.callback-handler", Testcallback.class.getName());

// First call: the client obtains a SAML token from the STS.
getshipment(proxy);

// Drop the explicit credentials; the callback handler stays in the context.
ctx.remove("ws-security.username");
ctx.remove("ws-security.password");

// Four further calls, 15 minutes apart (900000 ms); the token is valid for 30 minutes.
for (int i = 1; i < 5; i++) {
    System.out.println("\n" + new Date());
    getlistshipments(proxy);
    Thread.sleep(900000);
}

After a request I wait 15 minutes and then send a new request. A token is
valid for 30 minutes by default. After sending the second request, the STS
throws an exception because no renew operation is found. This is the
behaviour which I expected. However, after the exception the STS
authenticates the user again via a callback handler, which I do not
understand. How is this possible, given that I removed the username and password?
Maybe CXF stores the username and password elsewhere?




--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
