Hi Oli,

Ok I will consider this as part of a planned refactor of the Claims code.

Colm.

On Thu, Feb 6, 2014 at 10:16 AM, Oliver Wulff <[email protected]> wrote:
> Hi Colm
>
> There is only a claim setter/getter of type Element and a CallbackHandler.
> As the former is not that nice for spring configuration, the callback
> handler could be used to set the element.
>
> Or do you think of adding a setter to configure the claim list in an easier
> way. The only question is which claim class definition to use. There is a
> claim annotation in jaxrs. Maybe we could move this to a JAX-RS/JAX-WS
> neutral package and use that in the sts and in the cxf framework.
>
> Thanks
> Oli
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: Colm O hEigeartaigh [[email protected]]
> Sent: 06 February 2014 10:42
> To: [email protected]
> Subject: Re: STSTokenValidator enhancements
>
> As far as I know, all of this functionality is already available. Take a
> look at the TransformationTest here:
>
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/java/org/apache/cxf/systest/sts/transformation/TransformationTest.java?view=markup
>
> This uses the STSTokenValidator to transform a UsernameToken into a SAML
> Assertion. Note the configuration of the service, you can just manually
> configure an STSClient Object to send whatever Claims etc. you want:
>
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/systests/advanced/src/test/resources/org/apache/cxf/systest/sts/transformation/cxf-service.xml?view=markup
>
> Colm.
>
> On Wed, Feb 5, 2014 at 9:13 PM, Sergey Beryozkin <[email protected]> wrote:
>
>> Hi Oli
>>
>> On 05/02/14 19:42, Oliver Wulff wrote:
>>
>>> Hi there
>>>
>>> The STSTokenValidator is used to validate incoming credentials (ex.
>>> username/password) against the STS. The STSTokenValidator can be used for
>>> authentication for web services as well as REST services.
>>>
>>> REST security is already very enhanced to support claims based access
>>> control which requires that the service provider knows the user claims like
>>> from a SAML token. This could also be achieved for incoming
>>> username/passwords by issuing a SAML token with a configurable list of
>>> claims.
>>>
>>> The STSTokenValidator uses the STS validate binding which doesn't support
>>> validating a token and providing additional claims in the returned SAML
>>> token.
>>>
>>> There are two options:
>>>
>>> 1) Make the binding configurable in the STSTokenValidator
>>> (validate/issue) and configure the list of claims, appliesto element,
>>> lifetime etc. for the issue use case
>>>
>>> 2) Enhance the validate binding use case on the STS and in the
>>> STSTokenValidator to configure the list of claims, appliesto element,
>>> lifetime etc.
>>>
>>> WDYT?
>>>
>> It appears to me that STS is where the extra metadata like claims can be
>> attached so I guess I'm more for the 2nd case, I looked at the code and
>> apparently STSTokenValidator supports the case of STS transforming a token.
>> Look forward to Colm commenting on it
>>
>> Thanks, Sergey
>>
>>> Thanks
>>> Oli
>>>
>>> ------
>>>
>>> Oliver Wulff
>>>
>>> Blog: http://owulff.blogspot.com
>>> Solution Architect
>>> http://coders.talend.com
>>>
>>> Talend Application Integration Division
>>> http://www.talend.com
>>>
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
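The thread above turns on two points: the STSClient used by the STSTokenValidator exposes the requested claims only as a raw DOM Element plus a CallbackHandler, and a raw Element is awkward to set from Spring. The following is an added illustration, not code from the thread or from the CXF project, of the CallbackHandler route Oli suggests: the list of claim type URIs is a plain String-list property (Spring-friendly), and the handler builds the wst:Claims element on demand. It assumes the CXF 2.7-era API named in the thread, i.e. `org.apache.cxf.ws.security.trust.STSClient#setClaimsCallbackHandler` and the `org.apache.cxf.ws.security.trust.claims.ClaimsCallback` callback type; the default claim URIs are sample values, and `ConfigurableClaimsCallbackHandler` is a hypothetical class name.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.w3c.dom.Element;

// Assumed CXF 2.7-era API (see lead-in); not part of the original thread.
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.claims.ClaimsCallback;

/**
 * Hypothetical CallbackHandler that turns a list of claim type URIs into the
 * wst:Claims element the STSClient places in its RequestSecurityToken.
 * Because the list is a plain property, it can be configured from Spring XML
 * without building a DOM Element in configuration.
 */
public class ConfigurableClaimsCallbackHandler implements CallbackHandler {

    private static final String WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
    private static final String IDENTITY_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity";

    // Sample defaults for this example; override via setClaimTypes (or a Spring property).
    private List<String> claimTypes = Arrays.asList(
        IDENTITY_NS + "/claims/role",
        IDENTITY_NS + "/claims/emailaddress");

    public void setClaimTypes(List<String> claimTypes) {
        this.claimTypes = claimTypes;
    }

    public List<String> getClaimTypes() {
        return claimTypes;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException {
        for (Callback callback : callbacks) {
            // Only the claims callback is handled; other callbacks are ignored.
            if (callback instanceof ClaimsCallback) {
                ((ClaimsCallback) callback).setClaims(createClaimsElement());
            }
        }
    }

    /**
     * Builds:
     *   <wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity">
     *     <ic:ClaimType Uri="..."/> ...
     *   </wst:Claims>
     * using the WS-Trust 1.3 Claims element and the identity claims dialect.
     */
    Element createClaimsElement() throws IOException {
        try {
            DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
            dbf.setNamespaceAware(true);
            Document doc = dbf.newDocumentBuilder().newDocument();

            Element claims = doc.createElementNS(WST_NS, "wst:Claims");
            claims.setAttributeNS(null, "Dialect", IDENTITY_NS);
            for (String uri : claimTypes) {
                Element claimType = doc.createElementNS(IDENTITY_NS, "ic:ClaimType");
                claimType.setAttributeNS(null, "Uri", uri);
                claims.appendChild(claimType);
            }
            return claims;
        } catch (ParserConfigurationException e) {
            throw new IOException("Cannot build wst:Claims element", e);
        }
    }

    /**
     * Programmatic wiring; in Spring the equivalent is a bean of this class
     * injected into the STSClient's claimsCallbackHandler property.
     */
    public static STSClient configureClaims(STSClient stsClient, List<String> claimTypes) {
        ConfigurableClaimsCallbackHandler handler = new ConfigurableClaimsCallbackHandler();
        handler.setClaimTypes(claimTypes);
        stsClient.setClaimsCallbackHandler(handler);
        return stsClient;
    }
}
```

Keeping the claim list a property of the handler rather than a hard-coded Element also makes it visible in configuration review: the set of claims a service asks the STS to assert about a caller is an authorization input, so it should be declared in one place that can be inspected alongside the rest of the STSClient configuration.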
