[SWS-856] Add ability to set SAMLIssuer on Wss4jSecurityInterceptor for securing messages with SAML tokens Created: 29/Dec/13  Updated: 28/Apr/14  Resolved: 25/Apr/14

Status: Resolved
Project: Spring Web Services
Component/s: Security
Affects Version/s: None
Fix Version/s: 2.2.RC1

Type: Improvement Priority: Minor
Reporter: jaminh Assignee: Arjen Poutsma
Resolution: Complete Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: Text File Fix-username-token-tests-that-were-broken-by-wss4j-u.patch    

Comment by jaminh [ 30/Dec/13 ]

This enhancement will allow users to configure SAML token properties without requiring a properties file on the classpath (see WSS-418). This will require using wss4j 1.6.12 or higher.

For an example of this being used I made simple rest service secured with SAML and a JUnit test that sends messages to the service, which can be found at https://github.com/jaminh/spring-saml-example-war.

Comment by Arjen Poutsma [ 07/Feb/14 ]

Unfortunately I can't upgrade to wss4j 1.6.12 as it breaks most of our unit tests. This feature will have to wait until I have the time to resolve that.

Comment by jaminh [ 07/Feb/14 ]

I thought I had that working before but I can take a look at it. When are you planning on releasing 2.1.5?

Comment by jaminh [ 16/Feb/14 ]

I figured out what is causing the tests to fail when updating the WSS4J version. The timestamp and username processing changed slightly because of this issue https://issues.apache.org/jira/browse/WSS-427. It looks like you can fix the timestamp validation by adding messageContext.setProperty(WSHandlerConstants.TTL_TIMESTAMP, Integer.toString(securementTimeToLive)); to the initializeRequestData(MessageContext messageContext) method. The username token tests are failing because as of 1.6.10 wss4j is checking the created date on the username token and since those dates are all static and set to some time way in the past they are being rejected.

Comment by Arjen Poutsma [ 17/Feb/14 ]

Thank you for your investigations. I will take a further look later today.

Comment by jaminh [ 24/Apr/14 ]

I was able to get all the tests passing with wss4j upgraded. I think those changes got added to the pull request I submitted for this issue but I will admit to not being an expert with git/Github so if that doesn't work I will include a patch for the changes I made.

Comment by Arjen Poutsma [ 25/Apr/14 ]

Thanks for the pull request and patch! I've update SWS accordingly, and the Wss4jSecurityInterceptor now has a SAMLIssuer property.

Could you try a snapshot (as of tomorrow) and let me know if it works for you?

Snapshots are available via our http://repo.spring.io/libs-snapshot repo, the version you'd want to use is 2.2.0.BUILD-SNAPSHOT.

Comment by jaminh [ 28/Apr/14 ]

My sample project worked with the snapshot version. Thanks!

Comment by Arjen Poutsma [ 28/Apr/14 ]

Great! Soon, we will release 2.2.0-RC1, which will contain this fix (and others).

Generated at Sat Dec 15 09:41:12 UTC 2018 using JIRA 7.9.2#79002-sha1:3bb15b68ecd99a30eb364c4c1a393359bcad6278.