Posted to users@cxf.apache.org by "Morris Jr, David P" <da...@lmco.com> on 2011/03/03 20:35:24 UTC

WS-Policy EndorsingSupportingTokens

Is there SamlToken support in WS-Policy in the current release of CXF? Or is this still under development?

Example:
                  <wsp:Policy>
...
            <sp:EndorsingSupportingTokens>
                  <wsp:Policy>
                        <sp:SamlToken
                              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
                              <wsp:Policy>
                                    <sp:WssSamlV20Token11 />
                              </wsp:Policy>
                        </sp:SamlToken>
                  </wsp:Policy>
            </sp:EndorsingSupportingTokens>
...
                  </wsp:Policy>


Re: WS-Policy EndorsingSupportingTokens

Posted by Daniel Kulp <dk...@apache.org>.

On Thursday 03 March 2011 2:35:24 PM Morris Jr, David P wrote:
> Is there SamlToken support in WS-Policy in the current release of CXF? Or
> is this still under development?

We currently don't support it. (Neither does Rampart BTW) If you would
like to help out, I can definitely provide pointers as to where to start.
It's likely not a huge amount of work if you would like to tackle it.
Basically, you would need to add an Assertion and AssertionBuilder for it
(relatively easy) and then update a few places in the
org.apache.cxf.ws.security.wss4j.policyhandlers package to support it. Most
likely, a grep for IssuedToken would provide pointers for where to start.


Dan


> 
> Example:
>                   <wsp:Policy>
> ...
>             <sp:EndorsingSupportingTokens>
>                   <wsp:Policy>
>                         <sp:SamlToken
>                               sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                               <wsp:Policy>
>                                     <sp:WssSamlV20Token11 />
>                               </wsp:Policy>
>                         </sp:SamlToken>
>                   </wsp:Policy>
>             </sp:EndorsingSupportingTokens>
> ...
>                   </wsp:Policy>

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com

Re: WS-Policy EndorsingSupportingTokens

Posted by Colm O hEigeartaigh <co...@apache.org>.
There is some limited SAML Token support in the current CXF release.
There will be much better support in the forthcoming CXF 2.4.0
release, as it will pick up WSS4J 1.6, which will have full support
for SAML 2 assertions.

Using a SAML Token as an Endorsing Token seems like an unusual
use-case to me, which I doubt the security policy runtime supports. I
would expect it to work for a Supporting, or SignedSupporting, policy
assertion though.

The WS-SecurityPolicy stuff is so complicated that really the best way
to see if something is supported is to try it, and then log a JIRA if
it doesn't seem like it's supported.

Colm.

On Thu, Mar 3, 2011 at 7:35 PM, Morris Jr, David P
<da...@lmco.com> wrote:
> Is there SamlToken support in WS-Policy in the current release of CXF? Or is this still under development?
>
> Example:
>                  <wsp:Policy>
> ...
>            <sp:EndorsingSupportingTokens>
>                  <wsp:Policy>
>                        <sp:SamlToken
>                              sp:IncludeToken="http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702/IncludeToken/AlwaysToRecipient">
>                              <wsp:Policy>
>                                    <sp:WssSamlV20Token11 />
>                              </wsp:Policy>
>                        </sp:SamlToken>
>                  </wsp:Policy>
>            </sp:EndorsingSupportingTokens>
> ...
>                  </wsp:Policy>
>
>
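
Added example (not part of the thread and not CXF code): before trying a policy against the runtime as suggested above, this Python sketch lists which token assertions a policy places under each *SupportingTokens assertion and marks a SamlToken used as an endorsing token, the combination the replies single out. The wsp namespace URI, the function names and the sample document are assumptions; the thread's fragment elides its xmlns declarations.

```python
import xml.etree.ElementTree as ET

# sp is taken from the IncludeToken URI in the thread (WS-SecurityPolicy 1.2).
# The wsp URI is an assumption (WS-Policy 1.2); a real policy may declare another.
SP = "http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702"
WSP = "http://schemas.xmlsoap.org/ws/2004/09/policy"

# Constructed sample: the thread's fragment with the elided parts dropped and xmlns added.
SAMPLE = f"""<wsp:Policy xmlns:wsp="{WSP}" xmlns:sp="{SP}">
  <sp:EndorsingSupportingTokens>
    <wsp:Policy>
      <sp:SamlToken sp:IncludeToken="{SP}/IncludeToken/AlwaysToRecipient">
        <wsp:Policy><sp:WssSamlV20Token11/></wsp:Policy>
      </sp:SamlToken>
    </wsp:Policy>
  </sp:EndorsingSupportingTokens>
</wsp:Policy>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def supporting_tokens(policy_xml):
    """List (assertion, token, include_token, token_types) per supporting token."""
    found = []
    for elem in ET.fromstring(policy_xml).iter():
        if not (elem.tag.startswith("{" + SP + "}") and local(elem.tag).endswith("SupportingTokens")):
            continue
        for token in elem.findall(f"{{{WSP}}}Policy/*"):
            if not local(token.tag).endswith("Token"):
                continue
            include = token.get(f"{{{SP}}}IncludeToken", "").rsplit("/", 1)[-1]
            types = [local(t.tag) for t in token.findall(f"{{{WSP}}}Policy/*")]
            found.append((local(elem.tag), local(token.tag), include, types))
    return found


def needs_trial(row):
    """True for a SamlToken under any *Endorsing* supporting-token assertion."""
    assertion, token, _, _ = row
    return token == "SamlToken" and "Endorsing" in assertion


if __name__ == "__main__":
    for row in supporting_tokens(SAMPLE):
        print(row, "-> test against the runtime" if needs_trial(row) else "")
```

The mark only reflects what the replies in this thread say about the releases discussed here; it is not a statement about any other CXF version.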