IBM Verify

  • 1.  Remove XML Tag from JWT returned from STS

    Posted Wed February 12, 2020 05:12 PM
    Hello,

    I am trying to send a JWT token down a junction without using TFIMSSO.  The data is coming via SAML federation token which I then use a mapping rule to update my credentials.   In the mapping rule, I applied code to invoke the STS chain to generate the JWT token and then I return that JWT token back to the ISAM via EAI.  Finally now that it is in the session, I configured an Extended Attribute which sends it down the junction.

    I have gotten everything to work as I outlined above.  However, the JWT token contains some XML tags that are surrounding it.

    Below is an example of what I see (note: JWT.TOKEN.DATA is valid data I want to keep):

    <wss:BinarySecurityToken+wss:EncodingType="http://ibm.com/2004/01/itfim/base64encode"+wss:ValueType="urn:com:ibm:JWT">JWT.TOKEN.DATA</wss:BinarySecurityToken>

    How do I update my mapping rule to remove those XML tags on each side of my JWT Token?

    Below is the code I used to get this to work:

    var JWT_TOKEN = "";
    // Serialize the current STSUU as the input token for the STS chain
    var base_element = stsuu.toXML().getDocumentElement();
    // Call the STS to issue a JWT (chain: STSUU -> JWT, applies-to ISAM)
    var res = LocalSTSClient.doRequest("http://schemas.xmlsoap.org/ws/2005/02/trust/Issue", "TT:STSUU:2:JWT", "TT:ISAM", base_element, null);

    if (res.errorMessage == null) {
      // res.token is a DOM Element; this serializes the whole element, including its XML wrapper
      JWT_TOKEN = IDMappingExtUtils.xmlElementToString(res.token);
      IDMappingExtUtils.traceString("Issued JWT Token: : " + JWT_TOKEN);
    } else {
      IDMappingExtUtils.traceString("JWT Token Error : " + res.errorMessage);
    }

    // JWT_TOKEN starts as "" and is never null, so test for a non-empty value
    if (JWT_TOKEN != "") {
      // Store the token as a credential attribute so it can be sent down the junction
      var JWTAttr = new Attribute("com-transamerica-jwt", "urn:ibm:names:ITFIM:5.1:accessmanager", JWT_TOKEN);
      stsuu.addAttribute(JWTAttr);
    }


    My focus has been on the IDMappingExtUtils object hoping to find something that will return the data and exclude the tags.  But so far no good.  Any help would be appreciated as I track this down.


  • 2.  RE: Remove XML Tag from JWT returned from STS

    Posted Wed February 12, 2020 06:53 PM
    Hi Troy,

    To remove those XML tags, you need to add a setting to the WebSEAL config that defines the call to STS.

    preserve-xml-token = false

    check this for more detail:
    https://www.ibm.com/blogs/sweeden/isam-9-0-2-the-jwt-sts-module-and-junction-sso-to-websphere-liberty/

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Remove XML Tag from JWT returned from STS

    Posted Wed February 12, 2020 07:17 PM
    Hi Jon.

    Well sorta perfect timing.  Right as you submitted this, I came up with another fix.  I basically found some JavaScript that will find XML tags and do a replace with an empty string.  Here is the function:

    function removeTags(str) {
      // Use the String() function, not the String constructor: "new String(str)" returns an
      // object wrapper that never compares === to null or '', so the empty check below would never fire
      var newString = String(str);
      if ((newString === null) || (newString === '')) {
        return false;
      } else {
        // Drop every <...> tag; safe for a JWT because base64url text never contains '<' or '>'
        newString = newString.replace(/<[^>]*>/g, '');
      }
      return newString;
    }


    Here is how I invoke it:

    JWT_TOKEN = removeTags(IDMappingExtUtils.xmlElementToString(res.token));

    It now sends the JWT as expected.  The question is, what is the proper way moving forward?  Use the function I wrote or update preserve-xml-token = false in the webseal.conf (which I have not tested)?




    ------------------------------
    Troy Burkle
    ------------------------------



  • 4.  RE: Remove XML Tag from JWT returned from STS

    Posted Wed February 12, 2020 09:33 PM
    There is an example in the post-mapping rule that creates the JWT UserInfo.
    Look for the keyword `var produce_jwt_userinfo = false`.
    There is a utility to extract the JWT from the STS response:

    var jwtToken = IDMappingExtUtils.extractBinarySecurityToken(rsp);

    Maybe you can try this way.



    ------------------------------
    Adrian Rinaldi Sasmita
    ------------------------------



  • 5.  RE: Remove XML Tag from JWT returned from STS

    Posted Wed February 12, 2020 10:51 PM
    Hi Adrian,

    That looks like something I will try out.  I was wondering if there is something else I could use in the IDMappingExtUtils object but couldn't find the API documentation.

    I will try this out in the next day or two.

    ------------------------------
    Troy Burkle
    ------------------------------



  • 6.  RE: Remove XML Tag from JWT returned from STS

    Posted Thu February 13, 2020 02:10 AM
    Hi Troy,

    In case you're using the LocalSTSClient helper class, the return value from "doRequest()" is a "com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient.LocalSTSClientResult".

    In this class, you can either call the property "errorMessage" which is a String, or "token" which is a "org.w3c.dom.Element". This information can also be found in ISAM's JavaDoc, which is available in the "File Downloads" section of your appliance.

    As such, you can do:
    // The STS Request
    var res = LocalSTSClient.doRequest("http://schemas.xmlsoap.org/ws/2005/02/trust/Issue", "TT:STSUU:2:JWT", "TT:ISAM", base_element, null);
    // The "plain" JWT token
    var jwtToken = res.token.getTextContent();
    


    Reference for "org.w3c.dom.Element" can easily be found online by the way:
    https://docs.oracle.com/javase/7/docs/api/org/w3c/dom/Element.html, which inherits it from "org.w3c.dom.Node": https://docs.oracle.com/javase/7/docs/api/org/w3c/dom/Node.html#getTextContent().

    Hope it helps.


    Dries

    ------------------------------
    Dries Eestermans
    IS4U
    ------------------------------