cxf-issues mailing list archives

From "Oliver Wulff (JIRA)" <>
Subject [jira] [Created] (CXF-3522) Enhance CXF security context with claims information
Date Mon, 16 May 2011 14:27:47 GMT
Enhance CXF security context with claims information

                 Key: CXF-3522
             Project: CXF
          Issue Type: New Feature
            Reporter: Oliver Wulff

Discussion around this feature started in the following thread:

The CXF SecurityContext provides the following two methods only:

If the received security token is a SAML token further data (claims) can be in the token which
might be relevant for authorization to implement the PEP/PDP in the application.

WS-Trust has the following definition of a claim:
A claim is a statement made about a client, service or other resource 

The following OASIS specification defines the URI for some claims like lastname, email, country,
etc. (chapter 7.5):

We could introduce a ClaimSecurityContext interface which extends the current SecurityContext
and introduces a new method like:
List<Claim> getClaims()

A Claim consists of the following properties:
ClaimType: URI (see spec mentioned above)
Value: String / Object

Additionally we can implement a ClaimsTransformer interface which depends on the security token
type and creates an object which implements ClaimSecurityContext (similar design approach
as for the validator implementation in WSS4J).

We could provide out-of-the-box implementations for SAML 1.1 and 2.0 which parse the AttributeStatement
and create the list of Claim objects:

<AttributeStatement><Attribute Name=""><AttributeValue>John</AttributeValue></Attribute><Attribute

In addition to that, the SamlClaimsTransformer can provide a property to define the URI how
the role information is identified in the AttributeStatement. There is no standard claims
URI for roles. Each STS uses a different URI. For instance, Microsoft ADFS uses the following

This would allow an application to use RBAC when it uses ADFS and CXF out-of-the-box by using
the isUserInRole of the WebServiceContext.
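The design sketched above (ClaimSecurityContext extending SecurityContext, a Claim with a type URI and a value, a token-specific ClaimsTransformer, and a configurable role claim URI feeding isUserInRole), as an added, self-contained example. This is not CXF project code: the stand-in SecurityContext interface assumes the two CXF method names, the SAML 2.0 namespace and the givenname claim URI are standard values, the role claim URI and the assertion fragment are constructed for the demo, and the transformer assumes it is handed an assertion whose signature WSS4J has already validated.

```java
import java.io.StringReader;
import java.net.URI;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

// Stand-in for the CXF SecurityContext (assumption: same two methods as org.apache.cxf.security.SecurityContext).
interface SecurityContext {
    Principal getUserPrincipal();
    boolean isUserInRole(String role);
}

// Extension proposed in the issue: expose the claims carried by the security token.
interface ClaimSecurityContext extends SecurityContext {
    List<Claim> getClaims();
}

// A claim as described in the issue: a claim type URI plus a value.
final class Claim {
    private final URI claimType;
    private final Object value;
    Claim(URI claimType, Object value) { this.claimType = claimType; this.value = value; }
    URI getClaimType() { return claimType; }
    Object getValue() { return value; }
    @Override public String toString() { return claimType + "=" + value; }
}

// Token-type-specific conversion of an already validated token into a ClaimSecurityContext.
interface ClaimsTransformer {
    ClaimSecurityContext transform(Principal principal, Object token) throws Exception;
}

// SAML 2.0 transformer: walks the AttributeStatement and turns each AttributeValue into a Claim.
// Caller contract (assumption): the token string is an assertion WSS4J has already signature-checked;
// claims from an unvalidated token must never reach authorization decisions.
final class SamlClaimsTransformer implements ClaimsTransformer {
    static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    private final URI roleClaimType; // configurable: which claim URI carries roles (no standard URI exists)

    SamlClaimsTransformer(URI roleClaimType) { this.roleClaimType = roleClaimType; }

    @Override
    public ClaimSecurityContext transform(Principal principal, Object token) throws Exception {
        Document doc = parseHardened((String) token);
        List<Claim> claims = new ArrayList<>();
        NodeList attrs = doc.getElementsByTagNameNS(SAML2_NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element attr = (Element) attrs.item(i);
            URI type = URI.create(attr.getAttribute("Name"));
            NodeList values = attr.getElementsByTagNameNS(SAML2_NS, "AttributeValue");
            for (int j = 0; j < values.getLength(); j++) {
                claims.add(new Claim(type, values.item(j).getTextContent().trim()));
            }
        }
        return new DefaultClaimSecurityContext(principal, claims, roleClaimType);
    }

    // Namespace-aware DOM parser with DTDs and external entities disabled (no XXE, no entity expansion).
    private static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }
}

// Claim-backed context: isUserInRole is answered from claims of the configured role claim type.
final class DefaultClaimSecurityContext implements ClaimSecurityContext {
    private final Principal principal;
    private final List<Claim> claims;
    private final URI roleClaimType;

    DefaultClaimSecurityContext(Principal principal, List<Claim> claims, URI roleClaimType) {
        this.principal = principal;
        this.claims = Collections.unmodifiableList(new ArrayList<>(claims));
        this.roleClaimType = roleClaimType;
    }
    @Override public Principal getUserPrincipal() { return principal; }
    @Override public List<Claim> getClaims() { return claims; }
    @Override public boolean isUserInRole(String role) {
        for (Claim c : claims) {
            if (c.getClaimType().equals(roleClaimType) && role.equals(c.getValue())) return true;
        }
        return false;
    }
}

public class ClaimsDemo {
    public static void main(String[] args) throws Exception {
        // Constructed sample fragment (not a real token); the role URI is a placeholder for an STS-specific one.
        String assertion = "<saml:Assertion xmlns:saml=\"" + SamlClaimsTransformer.SAML2_NS + "\">"
            + "<saml:AttributeStatement>"
            + "<saml:Attribute Name=\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\">"
            + "<saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>"
            + "<saml:Attribute Name=\"http://example.org/claims/role\">"
            + "<saml:AttributeValue>admin</saml:AttributeValue>"
            + "<saml:AttributeValue>auditor</saml:AttributeValue></saml:Attribute>"
            + "</saml:AttributeStatement></saml:Assertion>";
        ClaimsTransformer t = new SamlClaimsTransformer(URI.create("http://example.org/claims/role"));
        ClaimSecurityContext ctx = t.transform(() -> "john", assertion);
        System.out.println("claims: " + ctx.getClaims());          // three claims, one per AttributeValue
        System.out.println("admin? " + ctx.isUserInRole("admin"));  // true
        System.out.println("root?  " + ctx.isUserInRole("root"));   // false
    }
}
```

Each AttributeValue becomes its own Claim, so a multi-valued role attribute yields several role claims and isUserInRole simply scans them for the configured claim type. The parser hardening is part of the example rather than an afterthought: the AttributeStatement comes from the wire, so the DOM parser that walks it must reject DOCTYPEs and external entities even though signature validation has already run.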

This message is automatically generated by JIRA.
For more information on JIRA, see:
