cxf-users mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Populating security context principal from actAs attribute
Date Thu, 27 Jul 2017 11:28:27 GMT
Hi Andreas,

Yes, you can simply override the DefaultSubjectProvider.getPrincipal method
+ return the principal from
providerParameters.getTokenRequirements().getActAs() instead:

https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java#L122

Then set this new implementation on the SAMLTokenProvider:

https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java#L229

Colm.

On Wed, Jul 26, 2017 at 10:47 PM, Andreas Vallen <andreas.vallen@gmail.com>
wrote:

> Hi,
>
> after upgrading from cxf-fediz 3.1.1 to 3.1.2, and to cxf 3.1.11 in the
> process our service which consumes actAs tokens issued by the STS broke
> because the security context principal is now being initialized with the
> identity of the requestor which is the system that requested the
> IssuedToken - identified by the DN of its public key.
>
> The cause of this issue likely is the fix done by
> https://issues.apache.org/jira/browse/CXF-7099 - before that the actual
> actAs user was set as the subject NameID value of the issued token.
>
> Is there a way to configure the service to evaluate the actAs attribute
> instead of the subject NameID as before in order to determine the user
> identity?
>
> Best,
> Andreas
>



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
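
The override described in the reply above, as an added example that is not part of the original message or of the CXF code base. The class name `ActAsSubjectProvider` and the factory method are hypothetical, and the `getPrincipal(SubjectProviderParameters)` signature is assumed to match the linked `DefaultSubjectProvider` source. The ActAs principal is used only when the STS has marked the ActAs token as valid; otherwise the default lookup applies.

```java
import java.security.Principal;

import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.request.ReceivedToken.STATE;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.sts.token.provider.DefaultSubjectProvider;
import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.cxf.sts.token.provider.SubjectProviderParameters;

// Hypothetical class name; not shipped with CXF.
public class ActAsSubjectProvider extends DefaultSubjectProvider {

    @Override
    protected Principal getPrincipal(SubjectProviderParameters subjectProviderParameters) {
        TokenRequirements requirements =
            subjectProviderParameters.getProviderParameters().getTokenRequirements();
        ReceivedToken actAs = requirements.getActAs();

        // Take the identity from the ActAs token only if the STS validated it.
        // A token in any other state is an unverified identity claim.
        if (actAs != null
            && actAs.getState() == STATE.VALID
            && actAs.getPrincipal() != null) {
            return actAs.getPrincipal();
        }

        // No usable ActAs token: keep the default resolution
        // (OnBehalfOf, ValidateTarget, then the requestor's principal).
        return super.getPrincipal(subjectProviderParameters);
    }

    // Hypothetical wiring helper; a Spring configuration would instead
    // inject this class through the provider's subjectProvider setter.
    public static SAMLTokenProvider newSamlTokenProvider() {
        SAMLTokenProvider provider = new SAMLTokenProvider();
        provider.setSubjectProvider(new ActAsSubjectProvider());
        return provider;
    }
}
```

This changes only which principal is written as the Subject of the issued token; whether the requestor is permitted to act as that user remains a separate authorization decision in the STS.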
