Hi there,

Let's assume a Tomcat-based web application is secured either with SAML-P or WS-Federation (passive requestor profile). The web application is calling web services on behalf of the original authenticated user. The web services have an IssuedToken assertion and expect a SAML 2.0 token - only the Bearer subject confirmation method is applicable here.

The web application (CXF web service consumer) must communicate with an STS to get the SAML token issued on behalf of the original user. If SAML-P or WS-Federation is used, Tomcat has access to the original token (or bootstrap token). So, the bootstrap token is put in the WS-Trust RST in the OnBehalfOf element.

The question is: how can we let CXF know that it acts as an intermediary and set the bootstrap token somehow? CXF already provides the option to access the incoming CXF message when a new outgoing message is created: PhaseInterceptorChain.PREVIOUS_MESSAGE. In the above case, there is no PREVIOUS_MESSAGE because the incoming request is a web application request (HTML/HTTP).

Therefore, the IssuedTokenOutInterceptor should provide an API/callback to let it know the bootstrap token. A custom servlet filter might then be able to read the incoming token from the TLS or HTTP session and set it using the CXF API. The scope would be the current thread, I think. I also think the thread which processes the web application request is the same as the IssuedTokenOutInterceptor's, even if you use WS-RM or one-way.

What do you think?

Thanks,
Oli
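An added sketch of the thread-scoped handoff the question describes (not code from this thread or from the CXF project): a servlet filter parks the bootstrap assertion from the HttpSession in a ThreadLocal, and a CallbackHandler hands it to CXF's STS client when the OnBehalfOf element of the RST is built. It assumes the session attribute name `bootstrapToken`, that the container stores the assertion as a DOM Element, and that the CXF property SecurityConstants.STS_TOKEN_ON_BEHALF_OF and the DelegationCallback class are available in the CXF version in use.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
import org.w3c.dom.Element;

/** Thread-scoped holder for the bootstrap token of the request currently being served. */
public final class BootstrapTokenHolder {
    private static final ThreadLocal<Element> TOKEN = new ThreadLocal<>();
    public static void set(Element token) { TOKEN.set(token); }
    public static Element get() { return TOKEN.get(); }
    public static void clear() { TOKEN.remove(); }
}

/** Servlet filter: copies the SAML assertion saved at login into the holder for this request. */
class BootstrapTokenFilter implements Filter {
    static final String SESSION_ATTR = "bootstrapToken"; // assumed attribute name, set by the SSO layer
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpSession session = ((HttpServletRequest) req).getSession(false);
        Element token = session == null ? null : (Element) session.getAttribute(SESSION_ATTR);
        BootstrapTokenHolder.set(token);
        try {
            chain.doFilter(req, res);
        } finally {
            BootstrapTokenHolder.clear(); // container threads are pooled: never leak a user's token to the next request
        }
    }
    public void init(FilterConfig cfg) {}
    public void destroy() {}
}

/** Registered on the JAX-WS client as SecurityConstants.STS_TOKEN_ON_BEHALF_OF (assumed CXF property). */
class OnBehalfOfCallbackHandler implements CallbackHandler {
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof DelegationCallback)) throw new UnsupportedCallbackException(cb);
            Element token = BootstrapTokenHolder.get();
            // Fail closed: without a bootstrap token the STS must not be asked for a token on behalf of nobody.
            if (token == null) throw new IllegalStateException("no bootstrap token bound to this thread");
            ((DelegationCallback) cb).setToken(token);
        }
    }
}
// Client wiring: ((BindingProvider) port).getRequestContext()
//     .put(SecurityConstants.STS_TOKEN_ON_BEHALF_OF, new OnBehalfOfCallbackHandler());
```

The ThreadLocal only holds if the STS call runs on the servlet request thread; where the outgoing call is dispatched asynchronously (the WS-RM or one-way case the question raises), put the token into the outgoing request context per call instead of relying on the thread.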
