Details
-
Bug
-
Status: Closed
-
Minor
-
Resolution: Fixed
-
3.3.5
-
Novice
Description
Scenario: using STSClient to call a STS server via SOAP. Creating issue request according to WS-Trust spec.
I have read the WS-Trust sepcs from 1.0 to 1.4 and the elements under RequestSecurityToken should be in this order: TokenType, RequestType, etc.
<wst:RequestSecurityToken Context="..." xmlns:wst="..."> <wst:TokenType>...</wst:TokenType> <wst:RequestType>...</wst:RequestType> ... </wst:RequestSecurityToken>
STSClient produces in most cases this element order:
<wst:RequestSecurityToken Context="..." xmlns:wst="..."> <wst:RequestType>...</wst:RequestType> <wst:TokenType>...</wst:TokenType> ... </wst:RequestSecurityToken>
This produces a schema invalid request and is rejected by servers (like MS ADFS or IBM DataPower).
One Workaround is to override the addRequestType:
@Override protected void addRequestType(String requestType, W3CDOMStreamWriter writer) throws XMLStreamException { //correction of the element order: TokenType first and then the RequestType addTokenType(writer); setTokenType(null); super.addRequestType(requestType, writer); }
Another Workaround is to set the "template" to STSClient (no documentation found to this, i used OpenSAML3 code for this):
MarshallerFactory marshallerFactory = XMLObjectProviderRegistrySupport.getMarshallerFactory(); RequestSecurityToken requestSecurityTokenObject = new RequestSecurityTokenBuilder().buildObject(); TokenType tokenType = new TokenTypeBuilder().buildObject(); marshallerFactory.registerMarshaller(TokenType.ELEMENT_NAME, new TokenTypeMarshaller()); requestSecurityTokenObject.getUnknownXMLObjects().add(tokenType); tokenType.setValue("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"); stsClient.setTemplate(new RequestSecurityTokenMarshaller().marshall(requestSecurityTokenObject));
It's not better.
Please fix this by moving the calling of addTokenType() method in AbstractSTSClient (in issue() and renew()) to before the addRequestType().