-
1. Re: Either STSClient.issueTokenOnBehalfOf is broken or I don't have something configured correctly.
dlaprade Jan 12, 2012 12:44 PM (in response to trfoye)
I am having a similar issue, and after some digging into the source code this is what I found:
STSClient:
    private RequestSecurityToken setOnBehalfOf(Principal principal, RequestSecurityToken request)
    {
        if (principal != null)
            // second argument is the UsernameToken Id; it is always passed as null here
            request.setOnBehalfOf(WSTrustUtil.createOnBehalfOfWithUsername(principal.getName(), null));
        return request;
    }
WSTrustUtil:
    public static OnBehalfOfType createOnBehalfOfWithUsername(String username, String id)
    {
        AttributedString attrString = new AttributedString();
        attrString.setValue(username);
        // the Id is stored as given, so a null id produces a token without a wsu:Id
        UsernameTokenType usernameToken = new UsernameTokenType();
        usernameToken.setId(id);
        usernameToken.setUsername(attrString);
        // create the OnBehalfOfType and set the UsernameTokenType.
        OnBehalfOfType onBehalfOf = new OnBehalfOfType();
        onBehalfOf.add(usernameToken);
        return onBehalfOf;
    }
The STSClient calls WSTrustRequestWriter.write, which calls WSSecurityWriter.write:
    public void write(UsernameTokenType usernameToken) throws ProcessingException
    {
        StaxUtil.writeStartElement(writer, WSSE_PREFIX, USERNAME_TOKEN, WSSE_NS);
        StaxUtil.writeNameSpace(writer, WSSE_PREFIX, WSSE_NS);
        // the writer requires a wsu:Id on every UsernameToken it serializes
        String id = usernameToken.getId();
        if (StringUtil.isNullOrEmpty(id))
            throw new ProcessingException(ErrorCodes.NULL_VALUE + "Id on the UsernameToken");
        ...
        ...
        ...
Since STSClient passes null in the call to WSTrustUtil.createOnBehalfOfWithUsername, the usernameToken Id is null, causing WSSecurityWriter.write to throw ProcessingException(ErrorCodes.NULL_VALUE + "Id on the UsernameToken").
I cannot seem to figure out how to get around this issue; can anyone help?
-
2. Re: Either STSClient.issueTokenOnBehalfOf is broken or I don't have something configured correctly.
trfoye Jan 13, 2012 1:09 PM (in response to dlaprade)
dlaprade,
Your digging led me to a solution.
I created a custom login module that extends STSIssuingLoginModule.
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, callbackHandler, sharedState, options);
        // STS endpoint: prefer my own option key, fall back to the base class's ENDPOINT_ADDRESS
        endpointURI = (String) options.get(ENDPOINT_OPTION);
        if (endpointURI == null) {
            endpointURI = (String) options.get(ENDPOINT_ADDRESS); //base class
        }
        // requested token type, SAML 2.0 unless configured otherwise
        tokenType = (String) options.get(TOKEN_TYPE_OPTION);
        if (tokenType == null) {
            tokenType = SAMLUtil.SAML2_TOKEN_TYPE;
        }
    }

    @Override
    public Element invokeSTS(STSClient stsClient) throws WSTrustException {
        // request the token on behalf of the user already authenticated by the SP/IDP
        SimpleGroup principal = new SimpleGroup(ServiceProviderSAMLContext.getUserName());
        return stsClient.issueTokenOnBehalfOf(endpointURI, tokenType, principal);
    }
I also modified STSClient, changing setOnBehalfOf to:
    private RequestSecurityToken setOnBehalfOf(Principal principal, RequestSecurityToken request) {
        if (principal != null) {
            // supply a generated Id so WSSecurityWriter no longer rejects the UsernameToken
            request.setOnBehalfOf(WSTrustUtil.createOnBehalfOfWithUsername(principal.getName(), UUID.randomUUID().toString()));
        }
        return request;
    }
A user who is authenticated through the SSO system (SP and IDP) can now have a token issued to him. Through login module configuration a user that the STS trusts requests a token for the authenticated user. The token comes back with the authenticated user for the NameID though he has the trusted STS user's roles. I can remove the roles through STS configuration and get them by other means downstream.
This leads to a couple more questions.
Is the change I made to STSClient valid?
Does it make sense (and is it secure) for the SP to issue a token for an authenticated user using another set of credentials?
Ted
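The two halves of this thread, the writer-side rule quoted in dlaprade's post (a wsse:UsernameToken must carry a wsu:Id) and the caller-side fix in Ted's post (generate an Id before the token is written), as one stand-alone example. This is added illustration code, not PicketLink's own classes: the UsernameToken holder, the writer methods and the class name are assumptions, and the element is produced directly with javax.xml.stream rather than with WSTrustUtil or WSSecurityWriter. The namespace URIs are the published WS-Security 1.0 and WS-Trust 1.3 ones.

```java
import java.io.StringWriter;
import java.util.UUID;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamWriter;

/**
 * Illustration only (not PicketLink code) of serializing the wst:OnBehalfOf
 * UsernameToken discussed in the thread. It reproduces:
 *   1. the writer-side rule that a UsernameToken must carry a wsu:Id, and
 *   2. the caller-side workaround of generating an Id before writing.
 */
public class OnBehalfOfWriterExample {

    // Namespaces from the WS-Security 1.0 / WS-Trust 1.3 specifications.
    static final String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String WSU_NS  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
    static final String WST_NS  = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";

    /** Hypothetical stand-in for the UsernameTokenType bean: an optional Id and a username. */
    static final class UsernameToken {
        final String id;
        final String username;
        UsernameToken(String id, String username) { this.id = id; this.username = username; }
    }

    /**
     * Mirrors the check quoted from WSSecurityWriter.write: refuse to serialize a
     * UsernameToken without an Id. The wsu:Id is what a signature or a
     * wsse:SecurityTokenReference elsewhere in the message uses to point at the token.
     */
    static void writeUsernameToken(XMLStreamWriter w, UsernameToken token) throws XMLStreamException {
        if (token.id == null || token.id.isEmpty()) {
            throw new IllegalArgumentException("Null value: Id on the UsernameToken");
        }
        w.writeStartElement("wsse", "UsernameToken", WSSE_NS);
        w.writeNamespace("wsse", WSSE_NS);
        w.writeNamespace("wsu", WSU_NS);
        w.writeAttribute("wsu", WSU_NS, "Id", token.id);
        w.writeStartElement("wsse", "Username", WSSE_NS);
        w.writeCharacters(token.username);
        w.writeEndElement(); // wsse:Username
        w.writeEndElement(); // wsse:UsernameToken
    }

    /** Serializes a wst:OnBehalfOf element wrapping the token and returns the XML text. */
    static String writeOnBehalfOf(UsernameToken token) throws XMLStreamException {
        StringWriter out = new StringWriter();
        XMLStreamWriter w = XMLOutputFactory.newInstance().createXMLStreamWriter(out);
        w.writeStartElement("wst", "OnBehalfOf", WST_NS);
        w.writeNamespace("wst", WST_NS);
        writeUsernameToken(w, token);
        w.writeEndElement(); // wst:OnBehalfOf
        w.flush();
        w.close();
        return out.toString();
    }

    /**
     * The workaround from the thread: give the token a fresh, unique Id before it is
     * written. The "ID-" prefix keeps the value a valid xs:ID, which must not start
     * with a digit as a raw UUID string sometimes does.
     */
    static UsernameToken onBehalfOfWithUsername(String username) {
        return new UsernameToken("ID-" + UUID.randomUUID(), username);
    }

    public static void main(String[] args) throws XMLStreamException {
        // 1. What the original STSClient did: Id == null, so the writer rejects the token.
        try {
            writeOnBehalfOf(new UsernameToken(null, "alice")); // constructed sample user
            System.out.println("unexpected: null Id was accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected as in the thread: " + e.getMessage());
        }
        // 2. With a generated Id the OnBehalfOf element is produced.
        System.out.println(writeOnBehalfOf(onBehalfOfWithUsername("alice")));
    }
}
```

Two points worth noticing when running it. First, wsu:Id is declared as xs:ID in the WS-Security utility schema, so a bare UUID.randomUUID().toString() as in Ted's patch is a valid value only when the UUID happens to start with a letter; prefixing it avoids schema-validation surprises on the STS side. Second, the OnBehalfOf UsernameToken carries a username and nothing else, so whatever trust the STS places in it comes entirely from how the requesting client itself authenticated, which is the question Ted's post raises.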
-
3. Re: Either STSClient.issueTokenOnBehalfOf is broken or I don't have something configured correctly.
dlaprade Jan 16, 2012 9:42 AM (in response to trfoye)
Ted,
I found a class, WSTrustClient, that contains a method, issueTokenOnBehalfOf(), that does what you are trying to do when calling WSTrustUtil.createOnBehalfOfWithUsername(), by defaulting the ID:
    request.setOnBehalfOf(WSTrustUtil.createOnBehalfOfWithUsername(principal.getName(), "ID"));
I am not sure what the difference is between the two classes, WSTrustClient and STSClient....
-
4. Re: Either STSClient.issueTokenOnBehalfOf is broken or I don't have something configured correctly.
mposolda Jan 27, 2012 9:04 AM (in response to dlaprade)
Hi,
the part with
{code}
STSClient:
    private RequestSecurityToken setOnBehalfOf(Principal principal, RequestSecurityToken request)
    {
        if (principal != null)
            request.setOnBehalfOf(WSTrustUtil.createOnBehalfOfWithUsername(principal.getName(), null));
        return request;
    }
{code}
is obviously a bug, which causes STSClient.issueTokenOnBehalfOf to always end with an exception. I created a JIRA for it and it's fixed in the latest Picketlink federation trunk. You can check JIRA https://issues.jboss.org/browse/PLFED-260 .
Thanks for pointing out this!
Marek