
cxf DefaultSecurityTokenServiceProvider response based on SAML version

I am newly working with CXF STS and came across the requirements below, on which I am unable to proceed.

1. How can the DefaultSecurityTokenServiceProvider from CXF STS provide SAML assertions of different versions, say 1.1 or 2.0? I have an assumption on it. Please correct me if I am wrong. The bean property for DefaultSecurityTokenServiceProvider: services

<property name="services" ref="myServiceList" />
<bean id="myServiceList" class="org.apache.cxf.sts.service.StaticService">
    <property name="endpoints" ref="wspAllowedEndpoints" />
</bean>
<util:list id="wspAllowedEndpoints">
    <value>http://localhost:8080/doubleit/services/doubleit.*</value>
</util:list>

It requests the WSDL for all allowed services, reads the policy element,

<sp:RequestSecurityTokenTemplate>
    <t:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1</t:TokenType>
    <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey</t:KeyType>
    <t:KeySize>256</t:KeySize>
</sp:RequestSecurityTokenTemplate>

and based on SAMLV1.1 or SAMLV2.0 it determines which version of SAML assertion is to be sent in the response.

2. How can I read the SAML assertion from org.apache.cxf.ws.security.trust.STSClient as text

**saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="s2b7afe8e21a0910d027dfbc94ec4b862e1fbbd9ab" IssueInstant="2007-12-10T11:39:48Z"**

so I can put it in the header and work with SoapUI as the client?

The STS will issue a SAML 1.1 or 2.0 token by default depending on the TokenType that is sent. Thus to support both 1.1 + 2.0, no action is needed in terms of the STS configuration.

The STSClient will return a SecurityToken Object. You can get the DOM representation of the returned token via stsClient.getToken(). You can then use something like WSS4J's DOM2Writer.nodeToString(node) to convert to a String.

Colm.
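An added example (not from the original post or from CXF) of the two points in the answer above, using only JDK classes: it reads the SAML version from an assertion's DOM element and serializes that element to text. It uses the JDK Transformer in place of WSS4J's DOM2Writer; the class name SamlTokenText and the sample assertion are constructed for illustration, and in a CXF client the element would come from the returned SecurityToken.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.OutputKeys;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import org.w3c.dom.Element;
import org.xml.sax.InputSource;

public class SamlTokenText {  // hypothetical helper class, not part of CXF or WSS4J
    static final String SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"; // shared by SAML 1.0 and 1.1
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    /** Reports the SAML version of an Assertion element from its namespace and version attributes. */
    static String samlVersion(Element assertion) {
        if (!"Assertion".equals(assertion.getLocalName())) throw new IllegalArgumentException("not a SAML Assertion");
        String ns = assertion.getNamespaceURI();
        if (SAML2_NS.equals(ns)) return assertion.getAttribute("Version");
        if (SAML1_NS.equals(ns)) return assertion.getAttribute("MajorVersion") + "." + assertion.getAttribute("MinorVersion");
        throw new IllegalArgumentException("unknown assertion namespace: " + ns);
    }

    /** Serializes the element without an XML declaration and without indentation:
     *  whitespace added inside a signed assertion would invalidate its signature. */
    static String toText(Element assertion) throws Exception {
        Transformer t = TransformerFactory.newInstance().newTransformer();
        t.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
        t.setOutputProperty(OutputKeys.INDENT, "no");
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(assertion), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed, unsigned sample standing in for the element carried by a SecurityToken.
        String sample = "<saml:Assertion xmlns:saml=\"" + SAML2_NS
                + "\" Version=\"2.0\" ID=\"_constructed-example\" IssueInstant=\"2007-12-10T11:39:48Z\"/>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // reject DTDs when parsing
        Element assertion = dbf.newDocumentBuilder()
                .parse(new InputSource(new StringReader(sample))).getDocumentElement();
        System.out.println("SAML version: " + samlVersion(assertion));
        System.out.println(toText(assertion));
    }
}
```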
