[
https://issues.apache.org/jira/browse/CXF-3940?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13159255#comment-13159255
]
Colm O hEigeartaigh commented on CXF-3940:
------------------------------------------
Hi Jan,
Just to clarify - are you reacting to the patch for the parent issue, or to the
2.5.0 code?
Looking at the patch again, I think there is a bug for the non-SAML case, where
it just takes the principal of the provider parameters, instead of taking the
principal from the received token. Is this what you are objecting to?
Colm.
> A SAML Token requested OnBehalfOf should hide the actual requestor and should
> only contain the OnBehalfOf Identity
> ------------------------------------------------------------------------------------------------------------------
>
> Key: CXF-3940
> URL: https://issues.apache.org/jira/browse/CXF-3940
> Project: CXF
> Issue Type: Sub-task
> Components: Services
> Affects Versions: 2.5
> Reporter: Jan Bernhardt
> Labels: SAML, WS-Trust, sts
> Fix For: 2.5.1
>
> Original Estimate: 48h
> Remaining Estimate: 48h
>
> As far as I know, to request an OnBehalfOf Token should not simply result in
> adding a related SAML Attribute (as it would be ok for ActAs). OnBehalfOf
> should deliver a Token where "only" the OnBehalfOf Principal is contained.
> Therefor the SAML Subject should match the requested OnBehalfOf Principal and
> not the Principal which was authenticated based on the security token sent in
> the WS-Security header...
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
