From: "Jan Bernhardt (Commented) (JIRA)"
To: issues@cxf.apache.org
Reply-To: dev@cxf.apache.org
Date: Tue, 6 Mar 2012 08:08:58 +0000 (UTC)
Subject: [jira] [Commented] (CXF-4062) Enabling custom claim parser
Message-ID: <473820048.26428.1331021338890.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <673490365.76091.1327483242073.JavaMail.tomcat@hel.zones.apache.org>

[
https://issues.apache.org/jira/browse/CXF-4062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13223078#comment-13223078 ]

Jan Bernhardt commented on CXF-4062:
------------------------------------

> Colm O hEigeartaigh commented on CXF-4062:
> ------------------------------------------
>
> Hi Jan,
>
> Sure, but is it meant to be used as a child of the wst:Claims Element? Can you point me to any examples of this?

Correct me if I'm wrong, but as far as I understand the WS-Trust spec:

* The WS-Trust "Claims" element contains an attribute "Dialect" which indicates the type of claims contained in the WS-Trust Claims element.
* The WS-Trust schema definition expects a sequence of ANY elements within the Claims element.
* If the dialect is set to "http://schemas.xmlsoap.org/ws/2005/05/identity" then any element defined in this namespace could appear within the WS-Trust Claims element.

Since the element ClaimValue is defined in the "http://schemas.xmlsoap.org/ws/2005/05/identity" namespace, the following statement should be valid according to the specifications:

http://...#SAMLV1.1 http://.../PublicKey administrator

The use case for this is that a consumer needs a SAML Token containing _only_ a specific role attribute statement and not a list of all roles assigned to a given user. The STS would have to parse this Claim Request and check (via ClaimHandler) if the user is assigned to the requested role. If this is the case, a SAML Token will be created containing only this specifically requested role.

In the current version of CXF the STS would not be able to parse such a STR, because it only expects an "ic:ClaimType" element within "t:Claims", which is only a small subset of the dialect "http://schemas.xmlsoap.org/ws/2005/05/identity".

@Oli Role transformation would not solve this issue, since I do not want to transform a previously requested claim of a token, but instead request confirmation for only a specific ClaimValue (here: administrator).
I hope this subject has become more clear now... ;-)

I'm looking forward to your reply to this message!

Best regards
Jan

> Enabling custom claim parser
> ----------------------------
>
>                 Key: CXF-4062
>                 URL: https://issues.apache.org/jira/browse/CXF-4062
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 2.5.2
>            Reporter: Jan Bernhardt
>              Labels: Claims, STS
>         Attachments: claimParer.patch
>
>
> STS-core:
> Currently there is no way to use a custom dialect in requested claims. Even http://schemas.xmlsoap.org/ws/2005/05/identity/claims is not fully supported (only the ClaimType element).
> Therefore I introduced a new interface ClaimParser, and a DefaultClaimParser with the current parsing logic. This parser is called by default within RequestParser, so that the normal CXF behavior has not changed. But to make this process more flexible it is possible (with this patch) to register any kind of ClaimParser supporting a specific dialect. I implemented an IdentityClaimParser which is currently able to parse CustomType and CustomValueType elements within the wst:claims element. Since the current RequestClaim does not support any claim values, except for the Uri attribute, I created a subclass ClaimValueType to also pass the claim value to the claim handler.
> This patch is just a starting point. I think there should be a more complex redesign of the current claim handling implementation, because it is currently focused on only one use case. The following improvements should be made:
> * The RequestClaim class should be replaced by a more flexible interface supporting any kind of parsing and handling custom dialects.
> * It should be possible to include/configure custom claim parsers via Spring config.
> * A fully supported implementation of the http://schemas.xmlsoap.org/ws/2005/05/identity/claims dialect would be great.
> Here is an example of a claims STS request which is supported by applying this patch:
>
> admin
>
> Thank you for this great product!!
> I hope this patch can help to further improve CXF.
> Best regards
> Jan

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
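As an added example (not CXF code and not the patch attached to the issue), the following standalone Python model shows the two things discussed above: a ClaimParser registry keyed by the wst:Claims Dialect attribute as the issue description proposes, and the use case from Jan's comment where the STS confirms a requested ic:ClaimValue against its user store and issues only that one role. The element shapes (ic:ClaimType with Uri and Optional attributes, ic:ClaimValue with Uri and a child ic:Value), the `confirm_claims` handler and the `USER_ROLES` store are assumptions made for this example; the two request documents are constructed inline.

```python
"""Dialect-aware parsing and confirmation of a WS-Trust <wst:Claims> request.

Added example, not CXF code. The element shapes and the user store are
assumptions made for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"
ROLE_URI = IC_NS + "/claims/role"


def q(ns: str, local: str) -> str:
    """Clark-notation tag name as ElementTree reports it."""
    return "{%s}%s" % (ns, local)


@dataclass
class RequestedClaim:
    claim_type: str
    optional: bool = False
    values: List[str] = field(default_factory=list)  # empty: any value (ic:ClaimType)


# A ClaimParser takes the wst:Claims element and returns the claims it requests.
ClaimParser = Callable[[ET.Element], List[RequestedClaim]]


def parse_identity_dialect(claims_el: ET.Element) -> List[RequestedClaim]:
    """Parser registered for the identity dialect (assumed element shapes).

    Accepts both ic:ClaimType and ic:ClaimValue. Anything else inside the
    Claims element is rejected instead of being silently dropped.
    """
    requested: List[RequestedClaim] = []
    for child in claims_el:
        if child.tag not in (q(IC_NS, "ClaimType"), q(IC_NS, "ClaimValue")):
            raise ValueError("unsupported element %s in identity dialect" % child.tag)
        uri = child.get("Uri")
        if not uri:
            raise ValueError("%s without Uri attribute" % child.tag)
        optional = child.get("Optional", "false").lower() == "true"
        values: List[str] = []
        if child.tag == q(IC_NS, "ClaimValue"):
            values = [v.text.strip() for v in child.findall(q(IC_NS, "Value"))
                      if v.text and v.text.strip()]
            if not values:
                raise ValueError("ic:ClaimValue for %s carries no ic:Value" % uri)
        requested.append(RequestedClaim(uri, optional, values))
    return requested


# Registry of parsers keyed by Dialect URI; an unregistered dialect fails closed.
PARSERS: Dict[str, ClaimParser] = {IC_NS: parse_identity_dialect}


def parse_claims(claims_xml: str) -> List[RequestedClaim]:
    root = ET.fromstring(claims_xml)
    claims_el = root if root.tag == q(WST_NS, "Claims") else root.find(".//" + q(WST_NS, "Claims"))
    if claims_el is None:
        return []
    dialect = claims_el.get("Dialect")
    parser = PARSERS.get(dialect or "")
    if parser is None:
        raise ValueError("no ClaimParser registered for dialect %r" % dialect)
    return parser(claims_el)


# Constructed user store standing in for the ClaimHandler's backend.
USER_ROLES: Dict[str, Set[str]] = {"alice": {"user", "administrator"}, "bob": {"user"}}


def confirm_claims(principal: str, requested: List[RequestedClaim]) -> Dict[str, List[str]]:
    """Return the claims to place in the issued token.

    Only values the principal actually holds are issued: a requested
    ic:ClaimValue is a filter confirmed against the store, never copied
    into the token unverified.
    """
    issued: Dict[str, List[str]] = {}
    held = USER_ROLES.get(principal, set())
    for rc in requested:
        if rc.claim_type != ROLE_URI:
            if rc.optional:
                continue
            raise LookupError("no ClaimHandler for %s" % rc.claim_type)
        granted = sorted(held) if not rc.values else sorted(held.intersection(rc.values))
        if not granted and not rc.optional:
            raise PermissionError("%s does not hold role(s) %s" % (principal, rc.values))
        if granted:
            issued[rc.claim_type] = granted
    return issued


def issue_claims(principal: str, claims_xml: str) -> Dict[str, List[str]]:
    return confirm_claims(principal, parse_claims(claims_xml))


# Constructed sample requests: one asks for a specific role value, one for the role type.
ROLE_VALUE_REQUEST = """<wst:Claims xmlns:wst="%s" xmlns:ic="%s" Dialect="%s">
  <ic:ClaimValue Uri="%s"><ic:Value>administrator</ic:Value></ic:ClaimValue>
</wst:Claims>""" % (WST_NS, IC_NS, IC_NS, ROLE_URI)

ROLE_TYPE_REQUEST = """<wst:Claims xmlns:wst="%s" xmlns:ic="%s" Dialect="%s">
  <ic:ClaimType Uri="%s"/>
</wst:Claims>""" % (WST_NS, IC_NS, IC_NS, ROLE_URI)

if __name__ == "__main__":
    print(issue_claims("alice", ROLE_VALUE_REQUEST))  # only the requested role
    print(issue_claims("alice", ROLE_TYPE_REQUEST))   # every role alice holds
```

Two points matter for an STS doing this for real: a Dialect with no registered parser must be an error rather than an empty claim list, otherwise a client can slip an unparsed request past the claim check and still receive a token; and the value inside ic:ClaimValue is only ever used to narrow what the store already says about the principal, so a request for "administrator" by a user who lacks that role fails (or, with Optional="true", simply yields no role statement) instead of being echoed into the SAML attribute statement.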