Message-ID: <52F2A974.70208@gmail.com>
Date: Wed, 05 Feb 2014 21:13:24 +0000
From: Sergey Beryozkin
To: dev@cxf.apache.org
Subject: Re: STSTokenValidator enhancements
In-Reply-To: <79AB4452999C844D9920E0363533273111A8BEB7@S10BE002.SH10.lan>

Hi Oli

On 05/02/14 19:42, Oliver Wulff wrote:
> Hi there
>
> The STSTokenValidator is used to validate incoming credentials (e.g. username/password) against the STS. The STSTokenValidator can be used for authentication for web services as well as REST services.
>
> REST security is already very enhanced to support claims based access control which requires that the service provider knows the user claims like from a SAML token. This could also be achieved for incoming username/passwords by issuing a SAML token with a configurable list of claims.
>
> The STSTokenValidator uses the STS validate binding which doesn't support validating a token and providing additional claims in the returned SAML token.
>
> There are two options:
>
> 1) Make the binding configurable in the STSTokenValidator (validate/issue) and configure the list of claims, appliesto element, lifetime etc. for the issue use case
>
> 2) Enhance the validate binding use case on the STS and in the STSTokenValidator to configure the list of claims, appliesto element, lifetime etc.
>
> WDYT?
>

It appears to me that STS is where the extra metadata like claims can be attached, so I guess I'm more for the 2nd case. I looked at the code and apparently STSTokenValidator supports the case of STS transforming a token.

Look forward to Colm commenting on it

Thanks, Sergey

> Thanks
> Oli
>
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
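The two bindings the thread compares, as an added example that is not from this thread or from CXF: a small builder that emits a WS-Trust 1.3 RequestSecurityToken either for the Validate binding (the credential goes in ValidateTarget and nothing else is carried) or for the Issue binding (Claims, AppliesTo and Lifetime are attached), and refuses a claims request under Validate because that binding has no place for it. The sample UsernameToken, the AppliesTo address and the role claim are constructed; the namespace URIs and the identity claims dialect are the standard ones. For Issue, the caller's own credential would travel in the SOAP WS-Security header rather than inside the RST, so the example leaves it out there.

```python
import datetime as dt
import xml.etree.ElementTree as ET

# Standard WS-Trust 1.3 / WS-Policy / WS-Addressing / WSS namespace URIs.
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"
WSA = "http://www.w3.org/2005/08/addressing"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
IC = "http://schemas.xmlsoap.org/ws/2005/05/identity"  # claims dialect the CXF STS accepts
SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"

# Constructed sample credential, the kind STSTokenValidator would forward to the STS.
SAMPLE_UT = ('<wsse:UsernameToken xmlns:wsse="%s"><wsse:Username>alice</wsse:Username>'
             '<wsse:Password>placeholder</wsse:Password></wsse:UsernameToken>' % WSSE)

def build_rst(binding, token_xml=None, claims=(), applies_to=None, lifetime_min=None):
    """Build an RST; Claims/AppliesTo/Lifetime are Issue-only inputs, so asking for
    them under Validate raises instead of being silently dropped."""
    if binding not in ("Validate", "Issue"):
        raise ValueError("unknown binding: " + binding)
    if binding == "Validate" and (claims or applies_to or lifetime_min):
        raise ValueError("Validate binding cannot carry claims/AppliesTo/Lifetime")
    rst = ET.Element("{%s}RequestSecurityToken" % WST)
    ET.SubElement(rst, "{%s}RequestType" % WST).text = "%s/%s" % (WST, binding)
    ET.SubElement(rst, "{%s}TokenType" % WST).text = SAML2
    if binding == "Validate":
        ET.SubElement(rst, "{%s}ValidateTarget" % WST).append(ET.fromstring(token_xml))
        return rst
    # Issue: the caller's credential sits in the SOAP security header, outside the
    # RST, so only the issuance parameters the STS needs are added here.
    if applies_to:
        epr = ET.SubElement(ET.SubElement(rst, "{%s}AppliesTo" % WSP),
                            "{%s}EndpointReference" % WSA)
        ET.SubElement(epr, "{%s}Address" % WSA).text = applies_to
    if claims:
        cl = ET.SubElement(rst, "{%s}Claims" % WST, Dialect=IC)
        for uri in claims:
            ET.SubElement(cl, "{%s}ClaimType" % IC, Uri=uri)
    if lifetime_min:
        now = dt.datetime.now(dt.timezone.utc)
        lt = ET.SubElement(rst, "{%s}Lifetime" % WST)
        fmt = "%Y-%m-%dT%H:%M:%SZ"
        ET.SubElement(lt, "{%s}Created" % WSU).text = now.strftime(fmt)
        ET.SubElement(lt, "{%s}Expires" % WSU).text = (
            now + dt.timedelta(minutes=lifetime_min)).strftime(fmt)
    return rst

def requested_claims(rst):
    """Claim URIs the RST asks the STS to include (always empty for Validate)."""
    return [c.get("Uri") for c in rst.findall(".//{%s}ClaimType" % IC)]
```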