Return-Path: X-Original-To: apmail-cxf-issues-archive@www.apache.org Delivered-To: apmail-cxf-issues-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id F3A407634 for ; Tue, 29 Nov 2011 14:44:01 +0000 (UTC) Received: (qmail 94899 invoked by uid 500); 29 Nov 2011 14:44:01 -0000 Delivered-To: apmail-cxf-issues-archive@cxf.apache.org Received: (qmail 94794 invoked by uid 500); 29 Nov 2011 14:44:01 -0000 Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list issues@cxf.apache.org Received: (qmail 94658 invoked by uid 99); 29 Nov 2011 14:44:01 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 29 Nov 2011 14:44:01 +0000 X-ASF-Spam-Status: No, hits=-2001.2 required=5.0 tests=ALL_TRUSTED,RP_MATCHES_RCVD X-Spam-Check-By: apache.org Received: from [140.211.11.116] (HELO hel.zones.apache.org) (140.211.11.116) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 29 Nov 2011 14:44:00 +0000 Received: from hel.zones.apache.org (hel.zones.apache.org [140.211.11.116]) by hel.zones.apache.org (Postfix) with ESMTP id 74DD6A6407 for ; Tue, 29 Nov 2011 14:43:40 +0000 (UTC) Date: Tue, 29 Nov 2011 14:43:40 +0000 (UTC) From: "Jan Bernhardt (Commented) (JIRA)" To: issues@cxf.apache.org Message-ID: <886808137.21996.1322577820480.JavaMail.tomcat@hel.zones.apache.org> In-Reply-To: <1621388794.21797.1322572660783.JavaMail.tomcat@hel.zones.apache.org> Subject: [jira] [Commented] (CXF-3940) A SAML Token requested OnBehalfOf should hide the actual requestor and should only contain the OnBehalfOf Identity MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/CXF-3940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159292#comment-13159292 ] Jan Bernhardt commented on CXF-3940: ------------------------------------ Ok, now I was able to take a look at the changes in the DefaultSubjectProvider. I discovered two issues: 1) Only SAML Token are handled. Handling of UsernameToken is missing (as you already mentioned) 2) The check wether or not it is a SAML Token is based on "receivedToken.isDOMElement()". This is confusing, since a UsernamePasswordToken would also be a valid DOMElemenet... Jan > A SAML Token requested OnBehalfOf should hide the actual requestor and should only contain the OnBehalfOf Identity > ------------------------------------------------------------------------------------------------------------------ > > Key: CXF-3940 > URL: https://issues.apache.org/jira/browse/CXF-3940 > Project: CXF > Issue Type: Sub-task > Components: Services > Affects Versions: 2.5 > Reporter: Jan Bernhardt > Labels: SAML, WS-Trust, sts > Fix For: 2.5.1 > > Original Estimate: 48h > Remaining Estimate: 48h > > As far as I know, to request an OnBehalfOf Token should not simply result in adding a related SAML Attribute (as it would be ok for ActAs). OnBehalfOf should deliver a Token where "only" the OnBehalfOf Principal is contained. Therefor the SAML Subject should match the requested OnBehalfOf Principal and not the Principal which was authenticated based on the security token sent in the WS-Security header... -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira