cxf-dev mailing list archives

From Sergey Beryozkin <>
Subject Re: STSTokenValidator enhancements
Date Wed, 05 Feb 2014 21:13:24 GMT
Hi Oli
On 05/02/14 19:42, Oliver Wulff wrote:
> Hi there
> The STSTokenValidator is used to validate incoming credentials (e.g. username/password)
> against the STS. The STSTokenValidator can be used for authentication for web services as
> well as REST services.
> REST security is already very enhanced to support claims-based access control, which requires
> that the service provider knows the user claims, e.g. from a SAML token. This could also be
> achieved for incoming username/passwords by issuing a SAML token with a configurable list
> of claims.
> The STSTokenValidator uses the STS validate binding, which doesn't support validating
> a token and providing additional claims in the returned SAML token.
> There are two options:
> 1) Make the binding configurable in the STSTokenValidator (validate/issue) and configure
> the list of claims, AppliesTo element, lifetime etc. for the issue use case
> 2) Enhance the validate binding use case on the STS and in the STSTokenValidator to configure
> the list of claims, AppliesTo element, lifetime etc.
It appears to me that the STS is where the extra metadata like claims can be
attached, so I guess I'm more for the 2nd case. I looked at the code, and
apparently STSTokenValidator supports the case of the STS transforming a token.
Looking forward to Colm commenting on it.

Thanks, Sergey

> Thanks
> Oli
> ------
> Oliver Wulff
> Blog:<>
> Solution Architect
> Talend Application Integration Division
