cxf-users mailing list archives

From Daniel Kulp
Subject Re: CXF STS
Date Fri, 10 Sep 2010 20:00:35 GMT
On Friday 10 September 2010 1:10:57 pm s_raghav wrote:
> I am currently trying to figure out a way to build a simple STS using CXF
> and SAML 2.0. From what I have seen so far ... I think this has not been
> implemented. It would be great if I could get a few pointers on how to do
> this. I know this can be accomplished on Netbeans using Metro and
> Glassfish/Tomcat but I'm looking for something using Eclipse, CXF and SAML
> 2.0 ..

One way to accomplish this might be to just create a Provider<Source> subclass 
in PAYLOAD mode that would handle the STS related messages.  The security 
policy runtime could handle all the complex message level encryption and such, 
but your Provider would just handle the few STS related messages and 
generation of the tokens and such. 

There is also some code at:
that I've never had time to look at to see what it may be good for.  If you 
wanted to grab that and work with it a bit and clean it up and such, that 
would be AWESOME.   It's something we could definitely include in CXF as a 
starting point.

> Also wanted to know if WSS4J interceptors support SAML 2.0.
> Any kind of help would be greatly appreciated.

That would potentially be a problem.  Right now, WSS4J doesn't support SAML 
2.0.  There are two patches to enable it, but neither is really usable for 
1.5.x.   We're hoping we can get a 1.6 version that does support SAML2 but I'm 
not sure when.

Daniel Kulp
