Posted to users@cxf.apache.org by St...@faa.gov on 2015/10/27 17:27:24 UTC
NotOnOrAfter in SAML Tokens with Advice
In our SAML profile, a SAML token issued with Advice should have a NotOnOrAfter condition that does not come after the Advice token's NotOnOrAfter condition. But apparently, the CXF STS (2.7.14) doesn't consider Advice conditions when issuing a new token? If it doesn't, I can add that capability in a custom ConditionsProvider, but in looking things over it's not really obvious how I can retrieve that condition from either the Advice token or from the ActAs in the request from there. I'm sure there's an easy-ish way to do this that I am missing; if someone can point me in the right direction I'd appreciate it.
Stephen W. Chappell
RE: NotOnOrAfter in SAML Tokens with Advice
Posted by St...@faa.gov.
Yes, I saw that, but it is a ReceivedToken at that point, so unless I unmarshal it I can't get at the NotOnOrAfter time. Instead, I found that I could modify the conditions in my SAMLCustomHandler, which unmarshals the ActAs token in order to stick it in Advice. That seemed preferable to unmarshalling it twice.
Thanx,
Stephen W. Chappell
-----Original Message-----
From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Monday, November 02, 2015 10:33 AM
To: users@cxf.apache.org
Subject: Re: NotOnOrAfter in SAML Tokens with Advice
You can access the incoming "ActAs" token via "providerParameters.getTokenRequirements().getActAs()" in your ConditionsProvider implementation - that's probably the only way to do it.
Colm.
On Tue, Oct 27, 2015 at 4:27 PM, <St...@faa.gov> wrote:
> In our SAML profile, a SAML token issued with Advice should have a
> NotOnOrAfter condition that does not come after the Advice token's
> NotOnOrAfter condition. But apparently, the CXF STS (2.7.14) doesn't
> consider Advice conditions when issuing a new token? If it doesn't I
> can add that capability in a custom ConditionsProvider, but in looking
> things over it's not really obvious how I can retrieve that condition
> from either the Advice token or from the ActAs in the request from
> there. I'm sure there's an easy-ish way to do this that I am missing,
> if someone can point me in the right direction I'd appreciate it.
>
> Stephen W. Chappell
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
Re: NotOnOrAfter in SAML Tokens with Advice
Posted by Colm O hEigeartaigh <co...@apache.org>.
You can access the incoming "ActAs" token via
"providerParameters.getTokenRequirements().getActAs()" in your
ConditionsProvider implementation - that's probably the only way to do it.
Colm.
On Tue, Oct 27, 2015 at 4:27 PM, <St...@faa.gov> wrote:
> In our SAML profile, a SAML token issued with Advice should have a
> NotOnOrAfter condition that does not come after the Advice token's
> NotOnOrAfter condition. But apparently, the CXF STS (2.7.14) doesn't
> consider Advice conditions when issuing a new token? If it doesn't I can
> add that capability in a custom ConditionsProvider, but in looking things
> over it's not really obvious how I can retrieve that condition from either
> the Advice token or from the ActAs in the request from there. I'm sure
> there's an easy-ish way to do this that I am missing, if someone can point
> me in the right direction I'd appreciate it.
>
> Stephen W. Chappell
>
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
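
The approach discussed in this thread, as an added example that is not part of the original posts and not CXF's own code: a ConditionsProvider that reads the ActAs token via getTokenRequirements().getActAs() and caps the new token's NotOnOrAfter at the ActAs token's value. It assumes the CXF 2.7.x / WSS4J 1.6 class and package names, and a SAML 2.0 ActAs assertion that arrives as a DOM element and has already been validated by the STS; the class name is hypothetical.

```java
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.token.provider.DefaultConditionsProvider;
import org.apache.cxf.sts.token.provider.TokenProviderParameters;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.ws.security.saml.ext.bean.ConditionsBean;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/** Added example (hypothetical class; assumes CXF 2.7.x / WSS4J 1.6 APIs). */
public class ActAsCappedConditionsProvider extends DefaultConditionsProvider {
    private static final String SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    @Override
    public ConditionsBean getConditions(TokenProviderParameters providerParameters) {
        ConditionsBean conditions = super.getConditions(providerParameters);
        DateTime cap = notOnOrAfterOf(providerParameters.getTokenRequirements().getActAs());
        if (cap == null) return conditions; // no SAML 2.0 ActAs token or no NotOnOrAfter
        // The default provider may set only a token period and leave both dates null.
        DateTime notBefore = conditions.getNotBefore() != null
            ? conditions.getNotBefore() : new DateTime(DateTimeZone.UTC);
        DateTime notAfter = conditions.getNotAfter() != null
            ? conditions.getNotAfter() : notBefore.plusMinutes(conditions.getTokenPeriodMinutes());
        if (!cap.isAfter(notBefore)) {
            // The ActAs token expires before the new token would become valid: refuse.
            throw new STSException("ActAs token expires before the new token is valid",
                STSException.REQUEST_FAILED);
        }
        if (notAfter.isAfter(cap)) {
            conditions.setNotBefore(notBefore); // both dates must be set to be honoured
            conditions.setNotAfter(cap);
        }
        return conditions;
    }

    /** Reads Conditions/@NotOnOrAfter from the top-level assertion only, not nested Advice. */
    private static DateTime notOnOrAfterOf(ReceivedToken actAs) {
        if (actAs == null || !actAs.isDOMElement()) return null;
        Element assertion = (Element) actAs.getToken();
        for (Node n = assertion.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n instanceof Element && SAML2_NS.equals(n.getNamespaceURI())
                    && "Conditions".equals(n.getLocalName()) && ((Element) n).hasAttribute("NotOnOrAfter")) {
                return new DateTime(((Element) n).getAttribute("NotOnOrAfter"), DateTimeZone.UTC);
            }
        }
        return null;
    }
}
```

Reading the attribute straight from the DOM avoids a second full unmarshal of the ReceivedToken, which is the cost raised in the reply above.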