cxf-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: STSTokenValidator enhancements
Date Thu, 06 Feb 2014 09:42:06 GMT
As far as I know, all of this functionality is already available. Take a
look at the TransformationTest here:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/TransformationTest.java?view=markup

This uses the STSTokenValidator to transform a UsernameToken into a SAML
Assertion. Note the configuration of the service: you can just manually
configure an STSClient object to send whatever Claims etc. you want:

http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/transformation/cxf-service.xml?view=markup

Colm.


On Wed, Feb 5, 2014 at 9:13 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:

> Hi Oli
>
> On 05/02/14 19:42, Oliver Wulff wrote:
>
>> Hi there
>>
>> The STSTokenValidator is used to validate incoming credentials (ex.
>> username/password) against the STS. The STSTokenValidator can be used for
>> authentication for web services as well as REST services.
>>
>> REST security is already very enhanced to support claims based access
>> control which requires that the service provider knows the user claims like
>> from a SAML token. This could also be achieved for incoming
>> username/passwords by issuing a SAML token with a configurable list of
>> claims.
>>
>> The STSTokenValidator uses the STS validate binding, which doesn't support
>> validating a token and providing additional claims in the returned SAML
>> token.
>>
>> There are two options:
>>
>> 1) Make the binding configurable in the STSTokenValidator
>> (validate/issue) and configure the list of claims, appliesto element,
>> lifetime etc. for the issue use case
>>
>> 2) Enhance the validate binding use case on the STS and in the
>> STSTokenValidator to configure the list of claims, appliesto element,
>> lifetime etc.
>>
>> WDYT?
>>
> It appears to me that STS is where the extra metadata like claims can be
> attached so I guess I'm more for the 2nd case, I looked at the code and
> apparently STSTokenValidator supports the case of STS transforming a token.
> Look forward to Colm commenting on it
>
> Thanks, Sergey
>
>
>> Thanks
>> Oli
>>
>>
>>
>> ------
>>
>> Oliver Wulff
>>
>> Blog: http://owulff.blogspot.com
>> Solution Architect
>> http://coders.talend.com
>>
>> Talend Application Integration Division
>> http://www.talend.com
>>
>>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
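Added example, not part of the thread and not the CXF TransformationTest or cxf-service.xml that Colm links: the same wiring done programmatically in Java. A JAX-WS endpoint registers an STSTokenValidator as its UsernameToken validator and an STSClient that asks the STS for a SAML 2.0 token carrying a "role" claim, so the service ends up with claims it can use for access control instead of a bare username/password. Setter and constant names (STSClient.setClaims, SecurityConstants.USERNAME_TOKEN_VALIDATOR, SecurityConstants.STS_CLIENT, EndpointImpl.setProperties) are assumed from the CXF 2.7 API; the STS WSDL address, service/port names, callback handler class and service account are placeholders for a real STS deployment.

```java
import java.util.HashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.jaxws.EndpointImpl;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSTokenValidator;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Example wiring (assumed CXF 2.7 API, not the project's own test code): a service
// endpoint that validates an incoming UsernameToken against the STS and asks for a
// SAML 2.0 token with a "role" claim in return.
public class ClaimsTransformationConfig {

    // WS-Trust 1.3 element namespace and the Identity claims dialect.
    private static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    private static final String IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity";
    private static final String SAML2_TOKEN_TYPE =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0";

    /** Builds the wst:Claims element the STSClient places in the RequestSecurityToken. */
    public static Element buildClaims(String... claimUris) throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        Document doc = dbf.newDocumentBuilder().newDocument();
        Element claims = doc.createElementNS(WST_NS, "wst:Claims");
        claims.setAttributeNS(null, "Dialect", IC_NS);
        for (String uri : claimUris) {
            Element claimType = doc.createElementNS(IC_NS, "ic:ClaimType");
            claimType.setAttributeNS(null, "Uri", uri);
            claims.appendChild(claimType);
        }
        return claims;
    }

    /** STSClient that the STSTokenValidator will use to talk to the STS. */
    public static STSClient buildStsClient(Bus bus) throws ParserConfigurationException {
        STSClient stsClient = new STSClient(bus);
        // Placeholders: point these at your own STS (transport binding over TLS).
        stsClient.setWsdlLocation("https://sts.example.invalid/SecurityTokenService/Transport?wsdl");
        stsClient.setServiceName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}SecurityTokenService");
        stsClient.setEndpointName("{http://docs.oasis-open.org/ws-sx/ws-trust/200512/}Transport_Port");
        // Ask for a SAML 2.0 assertion that carries the caller's role claim.
        stsClient.setTokenType(SAML2_TOKEN_TYPE);
        stsClient.setClaims(buildClaims(IC_NS + "/claims/role"));

        // The service itself authenticates to the STS; the end user's credential is
        // forwarded inside the RST, not reused as the service's own identity.
        Map<String, Object> props = new HashMap<String, Object>();
        props.put(SecurityConstants.USERNAME, "service-account");                       // placeholder
        props.put(SecurityConstants.CALLBACK_HANDLER, "com.example.ServiceCallbackHandler"); // placeholder
        stsClient.setProperties(props);
        return stsClient;
    }

    /** Publishes the service with the validator and STS client attached as endpoint properties. */
    public static void publish(Object serviceImpl, String address) throws ParserConfigurationException {
        Bus bus = BusFactory.getDefaultBus();
        EndpointImpl endpoint = new EndpointImpl(bus, serviceImpl);
        Map<String, Object> props = new HashMap<String, Object>();
        // Every UsernameToken on this endpoint is validated against the STS ...
        props.put(SecurityConstants.USERNAME_TOKEN_VALIDATOR, new STSTokenValidator());
        // ... using the STSClient configured above (picked up by the validator from the message).
        props.put(SecurityConstants.STS_CLIENT, buildStsClient(bus));
        endpoint.setProperties(props);
        endpoint.publish(address);
    }
}
```

The point to check when deploying something like this: the STSClient here carries the service's own STS credentials, so it must be configured per endpoint and never be reachable by callers; the claims the STS returns are only as trustworthy as the STS's own authentication of the forwarded UsernameToken and the signature the service verifies on the returned assertion.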
