Jan Bernhardt created CXF-5987:
----------------------------------
Summary: LdapClaimHandler Support for multipart usernames
Key: CXF-5987
URL: https://issues.apache.org/jira/browse/CXF-5987
Project: CXF
Issue Type: Improvement
Components: STS
Affects Versions: 3.0.1
Reporter: Jan Bernhardt
Fix For: 3.0.2, 3.1.0
Currently the LdapClaimHandler is only able to look up attributes for a user with
a direct match between the username and the username in the LDAP directory.
In case of Kerberos the username looks like this [email protected]. If the user
is authenticated with a Kerberos token at the STS, the LdapClaimHandler is able
to extract the username. But if the username comes from a different token type
(e.g. SAML token in a WS-Federation scenario with initial Kerberos
authentication) then the lookup fails.
My proposal would be to extend the LdapClaimHandler in such a way that it is
possible to define a DELIMITER (e.g. '@') which can be used on any token type
to extract the username. An even more generic way would be to provide the
option for a callback handler to map the username. But for now I would go with
the simple solution of a delimiter. ;-)
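One way the delimiter idea could be implemented, added here as an illustration and not code from CXF or from the reporter: the class name `DelimitedUserNameMapper`, its constructor arguments and the `escapeFilterValue` helper are assumptions. It goes slightly beyond the ticket by letting either side of the delimiter be kept (so the same mapper also handles a prefixed form such as DOMAIN\user) and by escaping the extracted value per RFC 4515 before it is placed into the LDAP search filter, so a principal containing filter metacharacters cannot change the shape of the claim lookup.

```java
// Added illustration (not CXF's LdapClaimHandler): derive the bare account
// name from a multipart principal such as alice@EXAMPLE.COM at a configurable
// delimiter, then build an escaped LDAP search filter for the claim lookup.
import java.util.Objects;

public final class DelimitedUserNameMapper {

    private final char delimiter;
    private final boolean keepPartBeforeDelimiter;

    /**
     * @param delimiter               e.g. '@' for Kerberos principals, '\\' for DOMAIN\user
     * @param keepPartBeforeDelimiter true to keep "alice" from alice@REALM,
     *                                false to keep "alice" from DOMAIN\alice
     */
    public DelimitedUserNameMapper(char delimiter, boolean keepPartBeforeDelimiter) {
        this.delimiter = delimiter;
        this.keepPartBeforeDelimiter = keepPartBeforeDelimiter;
    }

    /**
     * Returns the account part of the principal. A principal without the
     * delimiter is returned unchanged, so plain usernames keep working.
     */
    public String mapUserName(String principal) {
        Objects.requireNonNull(principal, "principal");
        String part;
        if (keepPartBeforeDelimiter) {
            // strip a trailing realm: everything after the last delimiter
            int idx = principal.lastIndexOf(delimiter);
            part = idx < 0 ? principal : principal.substring(0, idx);
        } else {
            // strip a leading domain: everything before the first delimiter
            int idx = principal.indexOf(delimiter);
            part = idx < 0 ? principal : principal.substring(idx + 1);
        }
        if (part.isEmpty()) {
            throw new IllegalArgumentException("no user name in principal: " + principal);
        }
        return part;
    }

    /** Escapes the RFC 4515 filter metacharacters in an assertion value. */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Builds the equality filter used to find the user entry, e.g. (uid=alice). */
    public String buildFilter(String userNameAttribute, String principal) {
        return "(" + userNameAttribute + "=" + escapeFilterValue(mapUserName(principal)) + ")";
    }

    public static void main(String[] args) {
        // constructed sample principals, not taken from any real directory
        DelimitedUserNameMapper kerberos = new DelimitedUserNameMapper('@', true);
        System.out.println(kerberos.buildFilter("uid", "alice@EXAMPLE.COM"));
        System.out.println(kerberos.buildFilter("uid", "bob"));

        DelimitedUserNameMapper prefixed = new DelimitedUserNameMapper('\\', false);
        System.out.println(prefixed.buildFilter("sAMAccountName", "EXAMPLE\\carol"));

        // metacharacters in the principal are escaped rather than interpreted
        System.out.println(kerberos.buildFilter("uid", "x*)(cn=*@EXAMPLE.COM"));
    }
}
```

The mapper deliberately does not check the realm or domain it strips off; if the STS trusts several realms that may contain the same short account names, the realm should be validated before the lookup (or used to select a separate LDAP base DN), otherwise two different principals collapse onto one directory entry.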
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)