[GitHub] [cxf] coheigea commented on a change in pull request #651: [CXF-8236] add support of signature challenges in the STSClient

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[GitHub] [cxf] coheigea commented on a change in pull request #651: [CXF-8236] add support of signature challenges in the STSClient

GitBox

coheigea commented on a change in pull request #651:
URL: https://github.com/apache/cxf/pull/651#discussion_r412185623



##########
File path: rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/STSClient.java
##########
@@ -87,6 +93,76 @@ public SecurityToken requestSecurityToken(
         }
         return token;
     }
+    
+    /**
+     * see WS-Trust 1.4 chapter 8:
+     * http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/errata01/os/ws-trust-1.4-errata01-os-complete.html#_Toc325658962
+     *
+     * Creating of (manually triggered second) request with a
+     * RequestSecurityTokenResponse Object
+     * <wst:RequestSecurityTokenResponse xmlns:wst=
+     * "http://docs.oasis-open.org/ws-sx/ws-trust/200512" Context=
+     * "d956dafc-1da5-4661-bab7-834640e659ec"> <wst:SignChallengeResponse>
+     * <wst:Challenge>4451658898</wst:Challenge> </wst:SignChallengeResponse>
+     * </wst:RequestSecurityTokenResponse>
+     *
+     * @param action
+     * @param challengeValue the challenge value that was received by first
+     *                       issue-response
+     * @return SecurityToken
+     * @throws Exception
+     */
+    public SecurityToken requestSecurityTokenResponse(String action, String challengeValue) throws Exception {

Review comment:
       I think I'd prefer to remove this method altogether. Instead, refactor "issue" so that it can work for both cases. The only difference should be "RequestSecurityTokenResponse" instead of "RequestSecurityToken" for the normal issue case. Maybe the writing out of the Challenge itself could be delegated to the Challenge class itself.
   
   Then in SecurityToken.requestSecurityToken, I think we could handle the SignChallenge case automatically. If the SecurityToken that is returned from the STS contains a SignChallenge then invoke again on the STS with the challenge.

##########
File path: rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/AbstractSTSClient.java
##########
@@ -1491,6 +1491,16 @@ protected SecurityToken createSecurityToken(Element el, byte[] requestorEntropy)
                     tt = DOMUtils.getContent(el);
                 } else if ("KeySize".equals(ln)) {
                     retKeySize = DOMUtils.getContent(el);
+                } else if ("SignChallenge".equals(ln)) {
+                    el = DOMUtils.getFirstElement(el);
+                    if ("Challenge".equals(el.getLocalName())) {
+                        // maybe another implementation of the return object is more useful.
+                        // We need to transport only two values:
+                        // challengeValue and a marker for the kind of response (SignChallenge response)
+                        SecurityToken token = new SecurityToken(DOMUtils.getContent(el));
+                        token.setTokenType("SignChallenge");
+                        return token;
+                    }

Review comment:
       I think we could have a new Challenge class which is referenced in SecurityToken. Challenge could have an enum describing the type, maybe just SIGNATURE for now.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[hidden email]