Answers inline.
On Tue, Jan 16, 2018 at 12:55 PM, pat7 <[email protected]> wrote:
>
>
> 1) The issued SAML token is only valid for the transfer service if the
> token is first issued for the transfer service, isn't it? If I have a second
> service (for example a change user address service), this issued SAML token
> for the transfer service is not valid for the "change user address service".
> Therefore, I think SSO is only valid for one service address if I use only
> one STS.
> Is there a possibility to establish SSO for various service addresses
> which I trust?
>
Yep correct. The client sends an "AppliesTo" address (which is the address
of the remote service by default) to the STS which embeds it in the issued
SAML token. The token is only valid for this recipient then. You can weaken
this if you want to by setting the "enableAppliesTo" property of the
STSClient to "false".
> 2) I implemented only an issue and validate operation for the STS and test
> the SSO with the following client code example:
>
> STSClient sts = new STSClient(bus);
> sts.setWsdlLocation("https://localhost:8443/services/SecurityTokenService?wsdl");
> sts.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
> sts.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}UT_Port");
>
> Map<String, Object> prop = new HashMap<String, Object>();
> prop.put("security.sts.token.username", "myclientkey");
> prop.put("security.sts.token.properties", "clientKeystore.properties");
> prop.put("security.sts.usecert", true);
>
> ((BindingProvider) proxy).getRequestContext().put("ws-security.username", "anna");
> ((BindingProvider) proxy).getRequestContext().put("ws-security.password", "anna123");
> ((BindingProvider) proxy).getRequestContext().put("ws-security.sts.client", sts);
> ((BindingProvider) proxy).getRequestContext().put("ws-security.callback-handler",
>         Testcallback.class.getName());
>
> getshipment(proxy);
>
> ((BindingProvider) proxy).getRequestContext().remove("ws-security.username");
> ((BindingProvider) proxy).getRequestContext().remove("ws-security.password");
> for (int i = 1; i < 5; i++) {
>     System.out.println("\n" + new Date());
>     getlistshipments(proxy);
>     Thread.sleep(900000);
> }
>
> After a request I wait for 15 minutes and then send a new request. A
> token is valid for 30 minutes by default. After sending the second request, the STS
> throws an exception because no renew operation is found. This is the
> behaviour which I expected. However, after the exception the STS
> authenticates the user again via a callback handler, which I do not
> understand. How is this possible, given that I removed the username and
> password?
> Maybe CXF stores the username and password elsewhere?
>
Are you sure that a second request is actually being sent? The client
should cache the token and re-use it as long as it is valid, and only then
request a new token from the STS.
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
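An added example (not from the thread, and not CXF code) of the relying-service side of the AppliesTo point above: the address the client sends as AppliesTo ends up as a SAML AudienceRestriction, so each service should check that its own endpoint is among the audiences before accepting a token. The two endpoint URLs and the assertions are constructed for illustration, and a token issued with enableAppliesTo=false is modelled here as carrying no AudienceRestriction at all (an assumption, not something the thread states).

```python
"""Audience check a relying service performs on an issued SAML 2.0 token."""
import xml.etree.ElementTree as ET  # fine for constructed input; use defusedxml on untrusted XML

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2_NS}

# Constructed endpoint addresses (placeholders, not from the thread).
TRANSFER_SVC = "https://localhost:8443/services/TransferService"
ADDRESS_SVC = "https://localhost:8443/services/ChangeUserAddressService"


def build_assertion(audiences):
    """Build a minimal, unsigned, constructed assertion.

    `audiences` is the list of Audience values the STS would derive from AppliesTo;
    an empty list models the enableAppliesTo=false case (assumption).
    """
    conditions = ""
    if audiences:
        aud = "".join(f"<saml2:Audience>{a}</saml2:Audience>" for a in audiences)
        conditions = ("<saml2:Conditions><saml2:AudienceRestriction>"
                      f"{aud}</saml2:AudienceRestriction></saml2:Conditions>")
    return (f'<saml2:Assertion xmlns:saml2="{SAML2_NS}" ID="_constructed" Version="2.0">'
            "<saml2:Subject><saml2:NameID>anna</saml2:NameID></saml2:Subject>"
            f"{conditions}</saml2:Assertion>")


def audience_restrictions(assertion_xml):
    """Return one list of Audience values per AudienceRestriction element."""
    root = ET.fromstring(assertion_xml)
    return [[a.text.strip() for a in r.findall("saml2:Audience", NS)]
            for r in root.findall("saml2:Conditions/saml2:AudienceRestriction", NS)]


def accept_token(assertion_xml, my_endpoint, require_audience=True):
    """Decide whether this service should accept the token.

    SAML semantics: every AudienceRestriction must be satisfied, and one is
    satisfied if any of its Audience values names this service. With
    require_audience=True a token that carries no restriction at all is refused,
    so a token minted for the transfer service cannot be replayed elsewhere.
    """
    restrictions = audience_restrictions(assertion_xml)
    if not restrictions:
        return not require_audience
    return all(my_endpoint in auds for auds in restrictions)
```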