cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: STSTokenValidator enhancements
Date Wed, 05 Feb 2014 21:13:24 GMT
Hi Oli
On 05/02/14 19:42, Oliver Wulff wrote:
> Hi there
>
> The STSTokenValidator is used to validate incoming credentials (ex. username/password)
> against the STS. The STSTokenValidator can be used for authentication for web services as
> well as REST services.
>
> REST security is already very enhanced to support claims based access control which requires
> that the service provider knows the user claims like from a SAML token. This could also be
> achieved for incoming username/passwords by issuing a SAML token with a configurable list
> of claims.
>
> The STSTokenValidator uses the STS validate binding which doesn't support validating
> a token and providing additional claims in the returned SAML token.
>
> There are two options:
>
> 1) Make the binding configurable in the STSTokenValidator (validate/issue) and configure
> the list of claims, appliesto element, lifetime etc. for the issue use case
>
> 2) Enhance the validate binding use case on the STS and in the STSTokenValidator to configure
> the list of claims, appliesto element, lifetime etc.
>
> WDYT?
>
It appears to me that STS is where the extra metadata like claims can be 
attached, so I guess I'm more for the 2nd case. I looked at the code and 
apparently STSTokenValidator supports the case of STS transforming a token.
I look forward to Colm commenting on it.

Thanks, Sergey

> Thanks
> Oli
>
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
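As an added illustration for readers of this thread (it is not part of the original messages and not CXF's own code), the two WS-Trust request shapes the thread contrasts are shown side by side: a Validate request, which only carries the UsernameToken to be checked and gets back a status (and possibly a transformed token), and an Issue request, which additionally carries the AppliesTo, Claims and Lifetime elements that option 1) would make configurable on the STSTokenValidator. The STS endpoint, the service URL, the claim URI, the credentials and the timestamps are constructed placeholders; the namespaces are the standard WS-Trust 1.3 / WS-Security / WS-Policy ones.

```xml
<!-- Constructed example: WS-Trust Validate vs. Issue requests, not taken from the thread.
     The STS address, service URL, user, password, claim URI and timestamps are placeholders. -->
<examples xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
          xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
          xmlns:wsa="http://www.w3.org/2005/08/addressing"
          xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
          xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
          xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">

  <!-- 1. Validate binding: what STSTokenValidator sends today.
          Only the credential to be checked travels inside ValidateTarget;
          there is no place for AppliesTo, Claims or Lifetime. -->
  <wst:RequestSecurityToken>
    <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Validate</wst:RequestType>
    <wst:TokenType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status</wst:TokenType>
    <wst:ValidateTarget>
      <wsse:UsernameToken wsu:Id="utok-placeholder">
        <wsse:Username>alice.example</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PLACEHOLDER_PASSWORD</wsse:Password>
      </wsse:UsernameToken>
    </wst:ValidateTarget>
  </wst:RequestSecurityToken>

  <!-- Typical Validate response: a status code, optionally a transformed token
          (the "STS transforming a token" case mentioned in the reply). -->
  <wst:RequestSecurityTokenResponseCollection>
    <wst:RequestSecurityTokenResponse>
      <wst:TokenType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status</wst:TokenType>
      <wst:Status>
        <wst:Code>http://docs.oasis-open.org/ws-sx/ws-trust/200512/status/valid</wst:Code>
      </wst:Status>
    </wst:RequestSecurityTokenResponse>
  </wst:RequestSecurityTokenResponseCollection>

  <!-- 2. Issue binding: the shape option 1) in the thread would have
          STSTokenValidator send instead. The same UsernameToken authenticates the
          request (as OnBehalfOf here), while AppliesTo, Claims and Lifetime ask
          the STS to put the listed claims into the SAML token it issues. -->
  <wst:RequestSecurityToken>
    <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
    <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
    <wst:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</wst:KeyType>
    <wst:OnBehalfOf>
      <wsse:UsernameToken wsu:Id="utok-placeholder-2">
        <wsse:Username>alice.example</wsse:Username>
        <wsse:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">PLACEHOLDER_PASSWORD</wsse:Password>
      </wsse:UsernameToken>
    </wst:OnBehalfOf>
    <!-- appliesto element: which service the issued token is for -->
    <wsp:AppliesTo>
      <wsa:EndpointReference>
        <wsa:Address>https://service.example.invalid/rest</wsa:Address>
      </wsa:EndpointReference>
    </wsp:AppliesTo>
    <!-- list of claims the service provider needs for claims based access control -->
    <wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
      <ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
      <ic:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" Optional="true"/>
    </wst:Claims>
    <!-- lifetime: placeholder timestamps, kept short for a per-request token -->
    <wst:Lifetime>
      <wsu:Created>2014-02-05T21:00:00Z</wsu:Created>
      <wsu:Expires>2014-02-05T21:30:00Z</wsu:Expires>
    </wst:Lifetime>
  </wst:RequestSecurityToken>
</examples>
```

The practical difference for a defender is visible in the two request bodies: with Validate, the only thing the STS decides is whether the credential is acceptable, so claims must be looked up somewhere else; with Issue (or a validate binding extended as in option 2), the STS is the single place that both checks the credential and decides which claims the issued SAML token asserts, which is the point the reply makes in favouring the STS as where that metadata is attached.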
