Hi Oli,

Does the fix I committed for CXF-3565 meet your needs?

https://issues.apache.org/jira/browse/CXF-3565

See for example this CallbackHandler implementation I added for setting an OnBehalfOf element from the SecurityConstants.USERNAME value:

http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/trust/delegation/WSSUsernameCallbackHandler.java?view=markup

The CallbackHandler has access to the current message. You can load the callback handler via the "onBehalfOf" property of the STSClient.

Colm.

On Fri, Jun 3, 2011 at 10:58 AM, Oliver Wulff <[email protected]> wrote:
> Hi there
>
> Let's assume a Tomcat-based web application is secured either with SAML-P or
> WS-Federation (passive requestor profile). The web application is calling web
> services on behalf of the original authenticated user. The web services have
> an IssuedToken assertion and expect a SAML 2.0 token - only the Bearer subject
> confirmation method is applicable here.
>
> The web application (CXF web service consumer) must communicate with an STS
> to get the SAML token issued on behalf of the original user. If SAML-P or
> WS-Federation is used, Tomcat has access to the original token (or bootstrap
> token). So, the bootstrap token is put in the WS-Trust RST in the OnBehalfOf
> element.
> The question is how can we let CXF know that it acts as an intermediary and
> set the bootstrap token somehow?
>
> CXF already provides the option to access the incoming CXF message when a new
> outgoing message is created:
> PhaseInterceptorChain.PREVIOUS_MESSAGE
>
> In the above case, there is no PREVIOUS_MESSAGE because the incoming request
> is a web application request (HTML/HTTP). Therefore, the
> IssuedTokenOutInterceptor should provide an API/callback to let it know the
> bootstrap token.
>
> A custom servlet filter might then be able to read the incoming token from
> the TLS or HTTP session and set it using the CXF API. The scope would be the
> current thread I think.
> I also think the thread which processes the web
> application request is the same as the IssuedTokenOutInterceptor even if you use
> WS-RM or one-way.
>
> What do you think?
>
> Thanks
> Oli

--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com
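The OnBehalfOf callback mechanism Colm describes, applied to Oli's intermediary scenario, as an added example that is not code from the thread or from the CXF project: a CallbackHandler that hands the web user's bootstrap SAML assertion to the STSClient. It assumes the DelegationCallback API used by WSSUsernameCallbackHandler (getCurrentMessage() and setToken(Element)), and that the web application stores the bootstrap token's DOM Element under the hypothetical context property BOOTSTRAP_TOKEN on the outgoing request.

```java
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.cxf.message.Message;
import org.apache.cxf.ws.security.trust.delegation.DelegationCallback;
import org.w3c.dom.Element;

/**
 * Supplies the already-authenticated web user's bootstrap token as the
 * OnBehalfOf element of the RST that the STSClient sends to the STS.
 * The web application (e.g. the servlet filter Oli mentions) is assumed to
 * place the token's DOM Element under BOOTSTRAP_TOKEN on the outgoing
 * request (hypothetical property name, not a CXF constant).
 */
public class BootstrapTokenCallbackHandler implements CallbackHandler {

    /** Hypothetical property key set by the web application per request. */
    public static final String BOOTSTRAP_TOKEN = "example.bootstrap.token";

    @Override
    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof DelegationCallback)) {
                throw new UnsupportedCallbackException(callback,
                        "Only DelegationCallback is supported");
            }
            DelegationCallback delegation = (DelegationCallback) callback;
            Message message = delegation.getCurrentMessage();
            // getContextualProperty also consults the exchange and endpoint,
            // so a value put on the proxy's request context is visible here.
            Object token = message == null
                    ? null : message.getContextualProperty(BOOTSTRAP_TOKEN);
            if (!(token instanceof Element)) {
                // Fail closed: never send an RST "on behalf of" nobody, which
                // would let the STS issue a token for the intermediary itself.
                throw new IOException(
                        "No bootstrap token available for OnBehalfOf");
            }
            delegation.setToken((Element) token);
        }
    }
}
```

The web application puts the token Element on the service proxy's request context (BindingProvider.getRequestContext()) under the same key before each call, and registers the handler through the STSClient's "onBehalfOf" property.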
