Posted to dev@cxf.apache.org by Oliver Wulff <ow...@talend.com> on 2012/03/05 10:34:08 UTC

Support for identity mapping as part of issue token process

Hi all

I've raised the following issue some time back:
https://issues.apache.org/jira/browse/CXF-3520

Right now, the STS will map the identity or the claims of the identity in two cases:
- Issue request, onbehalfof (intermediary, proxy)
- Validate request, tokenType not equal to status

The above JIRA should add support for sending a SAML token in the WS-Security header. If the SAML token has been issued by another realm, either the identity is mapped or the claims are transformed.

1)
The WS-Security headers are processed by WSS4J whereas the onbehalfof, validatetarget, actas elements are validated by the TokenValidators. The TokenProviderParameters interface provides the authenticated principal. How can I access the already parsed SAML token?

2)
Maybe we should add an instance of ReceivedToken for the token in the WS-Security header. Then, the token provider implementation can decide which information should be encoded within an issued token.

3)
I had a look at the test cases of WSS4J here:
http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/validate/ValidatorTest.java

What is the best way to add unit tests in sts-core (which is based on JAXB classes) where you can add a WS-Security header without using the whole SOAP/HTTP stack?


Thoughts?

Thanks
Oli
------

Oliver Wulff

http://owulff.blogspot.com
Solution Architect
Talend Application Integration Division http://www.talend.com

Re: Support for identity mapping as part of issue token process

Posted by Colm O hEigeartaigh <co...@apache.org>.
> The WS-Security headers are processed by WSS4J whereas the onbehalfof, validatetarget, actas elements are validated by the TokenValidators.
> The TokenProviderParameters interface provides the authenticated principal. How can I access the already parsed SAML token?

Via the MessageContext. Take a look at RequestParser.fetchTokenFromReference:

// WSS4J stores the results of processing the WS-Security header in the message context
MessageContext messageContext = wsContext.getMessageContext();
final List<WSHandlerResult> handlerResults =
    CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
etc.

> Maybe we should add an instance of ReceivedToken for the token in the WS-Security header. Then, the token provider implementation can decide
> which information should be encoded within an issued token.

You mean just in the STS right? So go through the list above and build
up a ReceivedToken list?

> I had a look at the test cases of WSS4J here:
> http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/validate/ValidatorTest.java
>
> What is the best way to add unit tests in sts-core (which is based on JAXB classes) where you can add a WS-Security header without using the
> whole SOAP/HTTP stack?

Probably to build the security header using WSS4J directly as per the
unit tests in WSS4J.

Colm.

On Mon, Mar 5, 2012 at 9:34 AM, Oliver Wulff <ow...@talend.com> wrote:
> Hi all
>
> I've raised the following issue some time back:
> https://issues.apache.org/jira/browse/CXF-3520
>
> Right now, the STS will map the identity or the claims of the identity in two cases:
> - Issue request, onbehalfof (intermediary, proxy)
> - Validate request, tokenType not equal to status
>
> The above JIRA should add support for sending a SAML token in the WS-Security header. If the SAML token has been issued by another realm, either the identity is mapped or the claims are transformed.
>
> 1)
> The WS-Security headers are processed by WSS4J whereas the onbehalfof, validatetarget, actas elements are validated by the TokenValidators. The TokenProviderParameters interface provides the authenticated principal. How can I access the already parsed SAML token?
>
> 2)
> Maybe we should add an instance of ReceivedToken for the token in the WS-Security header. Then, the token provider implementation can decide which information should be encoded within an issued token.
>
> 3)
> I had a look at the test cases of WSS4J here:
> http://svn.apache.org/viewvc/webservices/wss4j/trunk/src/test/java/org/apache/ws/security/validate/ValidatorTest.java
>
> What is the best way to add unit tests in sts-core (which is based on JAXB classes) where you can add a WS-Security header without using the whole SOAP/HTTP stack?
>
>
> Thoughts?
>
> Thanks
> Oli
>
> ------
>
> Oliver Wulff
>
> http://owulff.blogspot.com
> Solution Architect
> Talend Application Integration Division http://www.talend.com



-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
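As an added illustration of the approach Colm sketches (walking the WSS4J handler results and building up ReceivedToken instances), here is a helper that is not part of CXF or WSS4J. It assumes the WSS4J 1.6 / CXF 2.5 API the thread refers to (WSHandlerResult, WSSecurityEngineResult, AssertionWrapper, ReceivedToken); the class name, the method name and the package are hypothetical, and the MessageContext is assumed to be the one reachable from the WebServiceContext the provider is given. It only wraps assertions whose signature WSS4J verified, since an unsigned assertion in the header says nothing reliable about which realm issued it.

```java
package example.sts; // hypothetical package, not a CXF one

import java.util.ArrayList;
import java.util.List;

import javax.xml.ws.handler.MessageContext;

import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.saml.ext.AssertionWrapper;

/**
 * Hypothetical helper: collects the SAML assertions that WSS4J already processed
 * from the WS-Security header, so a TokenProvider can decide which identity or
 * claims to carry into the issued token (e.g. keyed on the assertion's issuer).
 */
public final class SecurityHeaderTokens {

    private SecurityHeaderTokens() {
    }

    /**
     * Returns one ReceivedToken per signature-verified SAML assertion found in
     * the WS-Security header of the current request; empty if there is none.
     */
    public static List<ReceivedToken> samlTokensFromHeader(MessageContext messageContext) {
        List<ReceivedToken> tokens = new ArrayList<ReceivedToken>();
        if (messageContext == null) {
            return tokens;
        }

        // Same lookup as RequestParser.fetchTokenFromReference: WSS4J leaves the
        // results of processing the security header under RECV_RESULTS.
        List<WSHandlerResult> handlerResults =
            CastUtils.cast((List<?>) messageContext.get(WSHandlerConstants.RECV_RESULTS));
        if (handlerResults == null) {
            return tokens;
        }

        for (WSHandlerResult handlerResult : handlerResults) {
            for (WSSecurityEngineResult result : handlerResult.getResults()) {
                Integer action = (Integer) result.get(WSSecurityEngineResult.TAG_ACTION);
                AssertionWrapper assertion =
                    (AssertionWrapper) result.get(WSSecurityEngineResult.TAG_SAML_ASSERTION);
                if (action == null || assertion == null) {
                    continue;
                }

                // ST_SIGNED means WSS4J verified the issuer's signature over the
                // assertion; ST_UNSIGNED is an assertion anyone could have written,
                // so it must not drive identity mapping or claim transformation.
                if (action.intValue() != WSConstants.ST_SIGNED) {
                    continue;
                }

                // assertion.getIssuerString() is what a realm lookup would key on;
                // the DOM element is what ReceivedToken expects to wrap.
                tokens.add(new ReceivedToken(assertion.getElement()));
            }
        }
        return tokens;
    }
}
```

A TokenProvider would call this with the MessageContext it can reach from its parameters and, for each returned token, look up the issuing realm before deciding whether to map the subject or transform the claims. The ST_SIGNED check is the important part: WSS4J records an assertion it merely parsed with a different action than one whose signature it validated, and only the latter proves the assertion came from the realm it names.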