cxf-dev mailing list archives

From Oliver Wulff <owu...@talend.com>
Subject RE: STSTokenValidator enhancements
Date Thu, 06 Feb 2014 10:16:53 GMT
Hi Colm

There is only a claim setter/getter of type Element and a CallbackHandler. As the former is
not that nice for spring configuration, the callback handler could be used to set the element.

Or do you think of adding a setter to configure the claim list in an easier way? The only question
is which claim class definition to use. There is a claim annotation in JAX-RS. Maybe we could
move this to a JAX-RS/JAX-WS neutral package and use that in the STS and in the CXF framework.

Thanks
Oli


------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Colm O hEigeartaigh [coheigea@apache.org]
Sent: 06 February 2014 10:42
To: dev@cxf.apache.org
Subject: Re: STSTokenValidator enhancements

As far as I know, all of this functionality is already available. Take a
look at the TransformationTest here:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/TransformationTest.java?view=markup

This uses the STSTokenValidator to transform a UsernameToken into a SAML
Assertion. Note the configuration of the service, you can just manually
configure an STSClient Object to send whatever Claims etc. you want:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/transformation/cxf-service.xml?view=markup

Colm.


On Wed, Feb 5, 2014 at 9:13 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi Oli
>
> On 05/02/14 19:42, Oliver Wulff wrote:
>
>> Hi there
>>
>> The STSTokenValidator is used to validate incoming credentials (ex.
>> username/password) against the STS. The STSTokenValidator can be used for
>> authentication for web services as well as REST services.
>>
>> REST security is already very enhanced to support claims based access
>> control which requires that the service provider knows the user claims like
>> from a SAML token. This could also be achieved for incoming
>> username/passwords by issuing a SAML token with a configurable list of
>> claims.
>>
>> The STSTokenValidator uses the STS validate binding, which doesn't support
>> validating a token and providing additional claims in the returned SAML
>> token.
>>
>> There are two options:
>>
>> 1) Make the binding configurable in the STSTokenValidator
>> (validate/issue) and configure the list of claims, appliesto element,
>> lifetime etc. for the issue use case
>>
>> 2) Enhance the validate binding use case on the STS and in the
>> STSTokenValidator to configure the list of claims, appliesto element,
>> lifetime etc.
>>
>> WDYT?
>>
> It appears to me that STS is where the extra metadata like claims can be
> attached so I guess I'm more for the 2nd case, I looked at the code and
> apparently STSTokenValidator supports the case of STS transforming a token.
> Look forward to Colm commenting on it
>
> Thanks, Sergey
>
>
>> Thanks
>> Oli
>>
>>
>>
>> ------
>>
>> Oliver Wulff
>>
>> Blog: http://owulff.blogspot.com
>> Solution Architect
>> http://coders.talend.com
>>
>> Talend Application Integration Division
>> http://www.talend.com
>>
>>


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
