Uploaded image for project: 'CXF'
  1. CXF
  2. CXF-8240

STSClient produces wrong element order for TokenType (issue, renew)

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 3.3.5
    • 3.3.6, 3.4.0
    • STS
    • Novice

    Description

      Scenario: using STSClient to call a STS server via SOAP. Creating issue request according to WS-Trust spec.

      I have read the WS-Trust sepcs from 1.0 to 1.4 and the elements under RequestSecurityToken should be in this order: TokenType, RequestType, etc.

      see spec: http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html#_Toc325658937

      <wst:RequestSecurityToken Context="..." xmlns:wst="...">
         <wst:TokenType>...</wst:TokenType>
         <wst:RequestType>...</wst:RequestType>
             ...
      </wst:RequestSecurityToken>
      

      STSClient produces in most cases this element order:

      <wst:RequestSecurityToken Context="..." xmlns:wst="...">
         <wst:RequestType>...</wst:RequestType>
         <wst:TokenType>...</wst:TokenType>
             ...
      </wst:RequestSecurityToken>
      

       

      This produces a schema invalid request and is rejected by servers (like MS ADFS or IBM DataPower).

       

      One Workaround is to override the addRequestType:

      @Override
      protected void addRequestType(String requestType, W3CDOMStreamWriter writer) throws XMLStreamException {
      	//correction of the element order: TokenType first and then the RequestType
      	addTokenType(writer);
      	setTokenType(null);
      	super.addRequestType(requestType, writer);
      }
      

      Another Workaround is to set the "template" to STSClient (no documentation found to this, i used OpenSAML3 code for this):

      MarshallerFactory marshallerFactory = XMLObjectProviderRegistrySupport.getMarshallerFactory();
      
      RequestSecurityToken requestSecurityTokenObject = new RequestSecurityTokenBuilder().buildObject();
      TokenType tokenType = new TokenTypeBuilder().buildObject();
      marshallerFactory.registerMarshaller(TokenType.ELEMENT_NAME, new TokenTypeMarshaller());
      requestSecurityTokenObject.getUnknownXMLObjects().add(tokenType);
      tokenType.setValue("http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0");
      
      stsClient.setTemplate(new RequestSecurityTokenMarshaller().marshall(requestSecurityTokenObject));
      

      It's not better.

       

      Please fix this by moving the calling of addTokenType() method in AbstractSTSClient (in issue() and renew()) to before the addRequestType().

      Attachments

        Activity

          People

            coheigea Colm O hEigeartaigh
            SergiusMohr Sergius Mohr
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: