cxf-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: STSTokenValidator enhancements
Date Thu, 06 Feb 2014 10:33:09 GMT
Hi Oli,

Ok I will consider this as part of a planned refactor of the Claims code.

Colm.


On Thu, Feb 6, 2014 at 10:16 AM, Oliver Wulff <owulff@talend.com> wrote:

> Hi Colm
>
> There is only a claim setter/getter of type Element and a CallbackHandler.
> As the former is not that nice for spring configuration, the callback
> handler could be used to set the element.
>
> Or do you think of adding a setter to configure the claim list in an easier
> way? The only question is which claim class definition to use. There is a
> claim annotation in jaxrs. Maybe we could move this to a JAX-RS/JAX-WS
> neutral package and use that in the sts and in the cxf framework.
>
> Thanks
> Oli
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Colm O hEigeartaigh [coheigea@apache.org]
> Sent: 06 February 2014 10:42
> To: dev@cxf.apache.org
> Subject: Re: STSTokenValidator enhancements
>
> As far as I know, all of this functionality is already available. Take a
> look at the TransformationTest here:
>
>
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/TransformationTest.java?view=markup
>
> This uses the STSTokenValidator to transform a UsernameToken into a SAML
> Assertion. Note the configuration of the service, you can just manually
> configure an STSClient Object to send whatever Claims etc. you want:
>
>
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/transformation/cxf-service.xml?view=markup
>
> Colm.
>
>
> On Wed, Feb 5, 2014 at 9:13 PM, Sergey Beryozkin <sberyozkin@gmail.com> wrote:
>
> > Hi Oli
> >
> > On 05/02/14 19:42, Oliver Wulff wrote:
> >
> >> Hi there
> >>
> >> The STSTokenValidator is used to validate incoming credentials (ex.
> >> username/password) against the STS. The STSTokenValidator can be used
> >> for authentication for web services as well as REST services.
> >>
> >> REST security is already very enhanced to support claims based access
> >> control which requires that the service provider knows the user claims
> >> like from a SAML token. This could also be achieved for incoming
> >> username/passwords by issuing a SAML token with a configurable list of
> >> claims.
> >>
> >> The STSTokenValidator uses the STS validate binding which doesn't
> >> support validating a token and providing additional claims in the
> >> returned SAML token.
> >>
> >> There are two options:
> >>
> >> 1) Make the binding configurable in the STSTokenValidator
> >> (validate/issue) and configure the list of claims, appliesto element,
> >> lifetime etc. for the issue use case
> >>
> >> 2) Enhance the validate binding use case on the STS and in the
> >> STSTokenValidator to configure the list of claims, appliesto element,
> >> lifetime etc.
> >>
> >> WDYT?
> >>
> > It appears to me that STS is where the extra metadata like claims can
> > be attached, so I guess I'm more for the 2nd case. I looked at the code
> > and apparently STSTokenValidator supports the case of STS transforming a
> > token. Look forward to Colm commenting on it.
> >
> > Thanks, Sergey
> >
> >
> >> Thanks
> >> Oli
> >>
> >>
> >>
> >> ------
> >>
> >> Oliver Wulff
> >>
> >> Blog: http://owulff.blogspot.com
> >> Solution Architect
> >> http://coders.talend.com
> >>
> >> Talend Application Integration Division
> >> http://www.talend.com
> >>
> >>
>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
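As an added example (not code from this thread, from CXF's systests, or from the project itself), the following shows the CallbackHandler route Oli mentions: the STSClient behind an STSTokenValidator is given a handler that supplies the wst:Claims element (WS-Trust 1.3, identity dialect) listing the claims the STS should place in the returned SAML assertion. It assumes CXF's STSClient.setClaimsCallbackHandler, ClaimsCallback.setClaims and STSTokenValidator.setStsClient as the public API, and Java 8 for the lambda.

```java
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSTokenValidator;
import org.apache.cxf.ws.security.trust.claims.ClaimsCallback;
import org.w3c.dom.Document;
import org.w3c.dom.Element;

public final class ClaimsRequestConfig {
    static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    static final String IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity";

    // Builds <wst:Claims Dialect="..."><ic:ClaimType Uri="..."/>...</wst:Claims>,
    // the element the STS reads to decide which claims go into the issued token.
    // List only the claims the relying service actually needs.
    static Element buildClaims(List<String> claimUris) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setNamespaceAware(true);
            Document doc = f.newDocumentBuilder().newDocument();
            Element claims = doc.createElementNS(WST_NS, "wst:Claims");
            claims.setAttributeNS(null, "Dialect", IC_NS);
            for (String uri : claimUris) {
                Element ct = doc.createElementNS(IC_NS, "ic:ClaimType");
                ct.setAttributeNS(null, "Uri", uri);
                claims.appendChild(ct);
            }
            return claims;
        } catch (ParserConfigurationException e) {
            throw new IllegalStateException(e);
        }
    }

    // Wires the validator to an STSClient whose claims come from a CallbackHandler,
    // the Spring-friendlier alternative to setClaims(Element) discussed above.
    static STSTokenValidator configure(STSClient stsClient, List<String> claimUris) {
        stsClient.setClaimsCallbackHandler(callbacks -> {
            for (Callback cb : callbacks) {
                if (!(cb instanceof ClaimsCallback)) throw new UnsupportedCallbackException(cb);
                ((ClaimsCallback) cb).setClaims(buildClaims(claimUris));
            }
        });
        STSTokenValidator validator = new STSTokenValidator(true); // always validate to STS
        validator.setStsClient(stsClient);
        return validator;
    }
}
```

A typical call is `configure(stsClient, Arrays.asList(IC_NS + "/claims/emailaddress"))`, where the STSClient already carries the wsdlLocation, serviceName, endpointName and security properties the service's cxf-service.xml would normally set.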
