Re: soap header for XACMLAuthzDecisionQuery
Stijn Lievens <stijn.lievens@xxxxxxxxx> said:
> I am using ZXID version 1.02
> When making a callout to an external PDP the following SOAP header is
> As you can see the wsu:Created element is empty; this is probably not
It is supposed to be filled in at the IDWSF layer. But for calling PDP this might get
bypassed as zxid_soap_call_hdr_body() is used directly, see zxidpep.c:339.
But there is a lot more missing in that wsse:Security header. There should
be a token. If you study the code in zxidpep.c:269-278 you can see that
session is expected to contain tgta7n, etc. All this fails to work if you have a
session that is missing this information. The timestamp could be fixed by
adding on line 274 something like
    zx_add_content(cf->ctx, &sec->Timestamp->Created->gg, zxid_date_time(cf, time(0)));
You may also notice that there is AZ_OPT option to disable the wsse:Security
header feature, but then you would also lose the token.
> Second, I don't see what value this header actually adds to the
> XACMLAuthzDecisionQuery request because this already has an IssueInstant
> attribute and also has a signature on it.
The main motivation for the wsse:Security header is to pass the identity token (which
may contain discovery bootstrap). The timestamp is there mainly to ensure
consistency with other uses of the wsse:Security header. If you do not want
to pass the token, you might as well disable the header.
> Is it possible to simply have an empty SOAP header on such requests?
It is, see AZ_OPT.
However, provided that the timestamp would be properly populated, would
having the header cause you any problem?
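
A receiving-side check for the two defects discussed in this thread (empty wsu:Created, no token inside wsse:Security), as an added example that is not part of the original message or of ZXID. The function names, the five-minute skew window, the YYYY-MM-DDThh:mm:ssZ timestamp form and the placeholder token element are assumptions; the envelopes are constructed samples.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "e": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
}
MAX_SKEW = timedelta(minutes=5)  # assumed acceptance window, not a ZXID setting

# Constructed sample envelope; {created} and {token} are filled in by sample().
TEMPLATE = ('<e:Envelope xmlns:e="{e}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}"><e:Header>'
            '<wsse:Security><wsu:Timestamp><wsu:Created>{created}</wsu:Created>'
            '</wsu:Timestamp>{token}</wsse:Security></e:Header><e:Body/></e:Envelope>')
PLACEHOLDER_TOKEN = '<Token xmlns="urn:example:placeholder"/>'  # stands in for the identity token

def sample(created, token=""):
    return TEMPLATE.format(created=created, token=token, **NS)

def check_security_header(envelope_xml, now):
    """Return a list of findings for the wsse:Security header; empty means OK."""
    # Untrusted input in production should go through a hardened XML parser.
    root = ET.fromstring(envelope_xml)
    sec = root.find("e:Header/wsse:Security", NS)
    if sec is None:
        return ["no wsse:Security header"]
    findings = []
    created = sec.find("wsu:Timestamp/wsu:Created", NS)
    text = (created.text or "").strip() if created is not None else ""
    if not text:
        findings.append("wsu:Created missing or empty")
    else:
        try:
            ts = datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            if abs(now - ts) > MAX_SKEW:
                findings.append("wsu:Created outside allowed clock skew")
        except ValueError:
            findings.append("wsu:Created is not a UTC xs:dateTime")
    # Assumption: any child other than wsu:Timestamp counts as the token.
    ts_tag = "{%s}Timestamp" % NS["wsu"]
    if not [child for child in sec if child.tag != ts_tag]:
        findings.append("no token inside wsse:Security")
    return findings

if __name__ == "__main__":
    now = datetime(2010, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    print(check_security_header(sample(""), now))
    print(check_security_header(sample("2010-01-01T12:00:30Z", PLACEHOLDER_TOKEN), now))
```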