cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Oliver Wulff <>
Subject STS, OnBehalfOf token validation, SAMLTokenProvider
Date Fri, 18 Nov 2011 07:22:09 GMT
Hi all

I've provided a patch for which supports to
issue a SAML token based on the onbehalfof element.

Some time back, I've  implemented a custom TokenProvider (also OnBehalfOf case) where I had
to validate the token in my TokenProvider implementation.

Due to separation of concern, wouldn't it make sense that the validation of OnBehalfOf (and
ActAs) is triggered in TokenIssueOperation?

Maybe we could use something similar to the ReceivedToken also for OnBehalfOf thus the TokenProvider
doesn't have to parse the token again?

What do you think about this proposal:
ReceivedToken is renamed to something like ProcessedToken which contains informations like:
- was it a token of ws-security header (like ReceivedToken), onbehalfof, actas
- successfully validated (it could be a token which depends on other constraints to be fully
- original DOM element
- transformed DOM element (used if the token is passed by ref, also supported by SAML spec)
- principal (mostly, you only need the principal to issue a new token)

What do you think?


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message