fix up ws-securitypolicy stream saml test #2
Conversation
| </wsp:Policy> | ||
| </sp:AlgorithmSuite> | ||
| </wsp:Policy> | ||
| </sp:TransportBinding> |
There was a problem hiding this comment.
TransportBinding, AsymmetricBinding and SymmetricBinding are security bindings, they are different ways to protect the message.
TransportBinding is the transport level(HTTPS) to protect message, while AsymmetricBinding and SymmetricBinding are mesasge encoding ways to protect the message.
As in quarkus applications, we configure the HTTPS at platform vertx sevlet level(in the application.properties), so here in the ws-secuirtypolicy xml, we shouldn't have TransportBinding. Plus, I believe in CXF we only support one security binding in ws-secuirtypolicy xml, it should be either TransportBinding, AsymmetricBinding or SymmetricBinding. Though I can't find concrete definition of this in ws-secuirtypolicy specification, I make this conclusion by reading the related code in CXF, also I found this from
https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html-single/apache_cxf_security_guide/index
As described in the WS-SecurityPolicy specification, one of the following binding types can be used to protect SOAP messages:
So this means TansportBinding and AsymmetricBinding shouldn't co-exist, this is the reason that in stream mode the AsymmetricBinding is ignored because CXF picks up TansportBinding. While in Dom mode it works because CXF picks AsymmetricBinding precede the TansportBinding. So here the behaviour is different between Dom and Stream mode, but only one Security Binding(TransportBinding, AsymmetricBinding or SymmetricBinding) will be used in both mode.
| <sp:AsymmetricBinding> | ||
| <wsp:Policy> | ||
| <sp:InitiatorToken> | ||
| <wsp:Policy> | ||
| <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always"> | ||
| <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> | ||
| <wsp:Policy> | ||
| <sp:WssX509V3Token10/> | ||
| <sp:RequireEmbeddedTokenReference/> |
There was a problem hiding this comment.
The policy xml will be used both at client and server side. And InitiatorToken only sign the request message from client to server, so we should be more specific that this token is included only for the request message from client to server.
| @@ -41,7 +19,7 @@ | |||
| </sp:InitiatorToken> | |||
| <sp:RecipientToken> | |||
| <wsp:Policy> | |||
| <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always"> | |||
| <sp:X509Token sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToInitiator"> | |||
| <wsp:Policy> | |||
| <sp:WssX509V3Token10/> | |||
| <sp:RequireEmbeddedTokenReference/> | |||
There was a problem hiding this comment.
The policy xml will be used both at client and server side. And RecipientToken only sign the response message from server to client, so we should be more specific that this token is included only for the response message from server to client
| <sp:SupportingTokens xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> | ||
| <wsp:Policy> | ||
| <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient"> | ||
| <sp:SamlToken sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/Always"> | ||
| <wsp:Policy> |
There was a problem hiding this comment.
Similarly, as this policy xml will be shared between client and server, and it specifies to sign the SAML assertion element, so the SAML token should be available for both request and response message.
I think here we may want separate policy xml for client and server to avoid this workaround.
| @@ -5,33 +5,11 @@ | |||
| xmlns:sp="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"> | |||
There was a problem hiding this comment.
The modification here is the same reason as saml1-policy.xml
| @@ -70,6 +70,8 @@ quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws. | |||
| quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.password" = password | |||
| quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.keystore.alias" = bob | |||
| quarkus.cxf.endpoint."/helloSaml1".security.signature.properties."org.apache.ws.security.crypto.merlin.file" = bob.${keystore.type} | |||
| quarkus.cxf.endpoint."/helloSaml1".security.saml-callback-handler = #saml1CallbackHandler | |||
|
|
|||
|
|
|||
There was a problem hiding this comment.
Both client and server need the samlCallbackHandler to insert saml token(which needs to be signed) because in the test we share the same policy xml between the client and server.
|
Hi @ppalaga , I just sent a PR to fix up broken test here, more details please see my comments in the PR. Cheers |
No description provided.