cxf-dev mailing list archives

From Oliver Wulff <>
Subject RE: STSTokenValidator enhancements
Date Thu, 06 Feb 2014 10:16:53 GMT
Hi Colm

There is only a claim setter/getter of type Element and a CallbackHandler. As the former is
not that nice for Spring configuration, the callback handler could be used to set the element.

Or do you think of adding a setter to configure the claim list in an easier way? The only question
is which claim class definition to use. There is a claim annotation in JAX-RS. Maybe we could
move this to a JAX-RS/JAX-WS neutral package and use that in the STS and in the CXF framework.



Oliver Wulff

Solution Architect

Talend Application Integration Division

From: Colm O hEigeartaigh []
Sent: 06 February 2014 10:42
Subject: Re: STSTokenValidator enhancements

As far as I know, all of this functionality is already available. Take a
look at the TransformationTest here:

This uses the STSTokenValidator to transform a UsernameToken into a SAML
Assertion. Note the configuration of the service, you can just manually
configure an STSClient Object to send whatever Claims etc. you want:


On Wed, Feb 5, 2014 at 9:13 PM, Sergey Beryozkin <> wrote:

> Hi Oli
> On 05/02/14 19:42, Oliver Wulff wrote:
>> Hi there
>> The STSTokenValidator is used to validate incoming credentials (ex.
>> username/password) against the STS. The STSTokenValidator can be used for
>> authentication for web services as well as REST services.
>> REST security is already very enhanced to support claims-based access
>> control, which requires that the service provider knows the user claims, like
>> from a SAML token. This could also be achieved for incoming
>> username/passwords by issuing a SAML token with a configurable list of
>> claims.
>> The STSTokenValidator uses the STS validate binding, which doesn't support
>> validating a token and providing additional claims in the returned SAML
>> token.
>> There are two options:
>> 1) Make the binding configurable in the STSTokenValidator
>> (validate/issue) and configure the list of claims, AppliesTo element,
>> lifetime etc. for the issue use case
>> 2) Enhance the validate binding use case on the STS and in the
>> STSTokenValidator to configure the list of claims, AppliesTo element,
>> lifetime etc.
>> WDYT?
> It appears to me that STS is where the extra metadata like claims can be
> attached so I guess I'm more for the 2nd case, I looked at the code and
> apparently STSTokenValidator supports the case of STS transforming a token.
> Look forward to Colm commenting on it
> Thanks, Sergey
>> Thanks
>> Oli
>> ------
>> Oliver Wulff
>> Blog:<>
>> Solution Architect
>> <>Talend Application Integration Division

Colm O hEigeartaigh

Talend Community Coder
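Both messages above turn on the same detail: STSClient takes the requested claims as a raw wst:Claims DOM Element (setClaims(Element)), which is what makes it awkward in Spring XML but easy enough in Java. The following is an added example, not CXF project code and not the TransformationTest Colm refers to. It builds that Element with the identity claims dialect, hands it to an STSClient that requests a SAML 2.0 token, and wires the client into an STSTokenValidator. The STS WSDL URL, the service and port QNames, the keystore properties file, and the KeystorePasswordCallbackHandler class are all assumptions for illustration. Whether the STS acts on those claims when the validator uses the Validate binding is exactly the open question of this thread; the code only shows how to hand them to the client.

```java
import javax.xml.parsers.DocumentBuilderFactory;

import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSTokenValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

/**
 * Added example (not CXF project code): build the wst:Claims Element that
 * STSClient.setClaims(Element) expects and wire it into an STSTokenValidator.
 */
public final class ClaimsAwareStsValidator {

    // WS-Trust 1.3 namespace and the identity claims dialect used for ic:ClaimType
    private static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    private static final String IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity";
    private static final String SAML2_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    /** One wst:Claims element with an ic:ClaimType child per requested claim URI. */
    public static Element buildClaims(String... claimTypeUris) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();

        Element claims = doc.createElementNS(WST_NS, "wst:Claims");
        claims.setAttributeNS(null, "Dialect", IC_NS);
        for (String uri : claimTypeUris) {
            Element claimType = doc.createElementNS(IC_NS, "ic:ClaimType");
            claimType.setAttributeNS(null, "Uri", uri);
            // Mark every listed claim as required so a token lacking one is rejected by the STS
            claimType.setAttributeNS(null, "Optional", "false");
            claims.appendChild(claimType);
        }
        return claims;
    }

    /** STSTokenValidator whose STSClient asks the STS for a SAML 2.0 token carrying the claims. */
    public static STSTokenValidator buildValidator(Bus bus, String stsWsdlLocation) throws Exception {
        STSClient stsClient = new STSClient(bus);
        stsClient.setWsdlLocation(stsWsdlLocation);
        // Assumed service/port QNames: they must match the WSDL of the STS you point at
        stsClient.setServiceName(
            "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
        stsClient.setEndpointName(
            "{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}UT_Port");
        stsClient.setTokenType(SAML2_TOKEN_TYPE);
        stsClient.setClaims(buildClaims(
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"));

        // How the validator authenticates itself to the STS (assumed keystore config)
        stsClient.getProperties().put(SecurityConstants.SIGNATURE_USERNAME, "myservicekey");
        stsClient.getProperties().put(SecurityConstants.SIGNATURE_PROPERTIES,
            "serviceKeystore.properties");
        stsClient.getProperties().put(SecurityConstants.CALLBACK_HANDLER,
            "org.example.KeystorePasswordCallbackHandler"); // assumed class name

        STSTokenValidator validator = new STSTokenValidator();
        validator.setStsClient(stsClient);
        return validator;
    }

    public static void main(String[] args) throws Exception {
        Bus bus = BusFactory.getThreadDefaultBus();
        STSTokenValidator validator =
            buildValidator(bus, "https://sts.example.org/SecurityTokenService/UT?wsdl");
        // Register it on the service endpoint as the UsernameToken validator, e.g.
        // endpoint.getProperties().put(SecurityConstants.USERNAME_TOKEN_VALIDATOR, validator);
        System.out.println("STSTokenValidator configured: " + validator);
    }
}
```

The same Element can be produced from a CallbackHandler (the ClaimsCallback route Oliver mentions) by calling buildClaims inside the handler; the DOM construction is the part Spring XML cannot express directly.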
