On Wednesday 14 April 2010 11:22:54 am Brandon Richins wrote:
> Hi,
> 
> I had a question regarding the Project Status page at
> http://cxf.apache.org/project-status.html.  It says "Client side done" for
> WS-Trust.  I was wondering what there is to implement on the server side
> unless CXF were to implement its own STS server.  From my limited
> knowledge, the server side of WS-Trust is pretty much the WS-Security
> stuff for encrypting and signing the messages to the client after the
> client initially obtains the token from the STS.  It seems like that part
> is already complete for CXF.

For that basic use case, yes, that works fine.   However, you can easily get 
into some complex scenarios where the STS is returning SAML tokens that you 
then want to have the server call back into the STS to have it verify the 
token and that the token is valid for that service and such like that.   That 
stuff isn't really working.   It's PARTIALLY due to WSS4J not really 
supporting SAML2 yet so it's not able to validate the assertion itself, but we 
also don't provide anything to then use that token for any further processing.

Dan

> Could you let me know what WS-Trust work still needs to be done for the
> server side and if my previous assumption regarding the function of
> participating services in WS-Trust is correct?
> 
> Thanks,
> 
> Brandon Richins

-- 
Daniel Kulp
[email protected]
http://dankulp.com/blog
