[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: soap header for XACMLAuthzDecisionQuery



Stijn Lievens <stijn.lievens@xxxxxxxxx> said:
> I am using ZXID version 1.02
> 
> When making a callout to an external PDP the following SOAP header is
> produced:
> 
> <e:Header>
> <wsse:Security
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
>     e:actor="http://schemas.xmlsoap.org/soap/actor/next";
> e:mustUnderstand="1">
>    <wsu:Timestamp
> xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";>
> <wsu:Created/>
> </wsu:Timestamp></wsse:Security></e:Header>
> 
> 
> As you can see the wsu:Created element is empty; this is probably not
> correct.

It is supposed to be filled in at IDWSF layer. But for calling PDP this might get
bypassed as zxid_soap_call_hdr_body() is used directly, see zxidpep.c:339.

But there is a lot more missing in that wsse:Security header. There should
be a token. If you study the code in zxidpep.c:269-278 you can see that
session is expected to contain tgta7n, etc. All this fails to work if you have a
session that is missing this information. The timestamp could be fixed by
adding on line 274 something like

  zx_add_content(cf->ctx, &sec->Timestamp->Created->gg, zxid_date_time(cf, time(0)));

You may also notice that there is AZ_OPT option to disable the wsse:Security
header feature, but then you would also loose the token.

> Second, I don't see what value this header actually adds to the
> XACMLAuthzDecisionQuery request because this already has an IssueInstant
> attribute and also has a signature on it.

The main motivation for the wsse:Security header is to pass the identity token (which
may contain discovery bootstrap). The timestamp is there mainly to ensure
consistency to other uses of wsse:Security header. If you do not want
to pass token, you might as well disable the header.

> Is it possible to simply have an empty SOAP header on such requests?

It is, see AZ_OPT.

However, provided that the timestamp would be properly populated, would
having the header cause you any problem?

Cheers,
--Sampo

> Regards,
> 
> Stijn.