You are right, it is not even a CXF restriction but a WSS4J one.

The WSS4J ConditionsBean doesn't really support custom extensions like your 
delegate.
The CXF STS implementation uses WSS4J to parse the SAMLCallback object into a SAML 
Assertion.
I am not sure whether it will be supported in WSS4J 2.0.

The only way I see to customize it now is to update the SAML2 Assertion in the 
AssertionWrapper created by WSS4J:
assertion.getSaml2().getConditions() ....
It will be necessary to subclass SAMLTokenProvider and add your logic to modify 
the Conditions element.

Perhaps Colm will propose a more elegant solution.

I think the CXF STS can provide a callback to modify the AssertionWrapper before 
signing (in the method SAMLTokenProvider.createSamlToken()).
Could you create Jira issues for CXF and also for WSS4J? Patches are also 
welcome.

Cheers,
Andrei.
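Below is an added example of the approach Andrei sketches (subclass SAMLTokenProvider and edit assertion.getSaml2().getConditions() before the assertion is signed). It is not code from this thread or from the CXF/WSS4J projects. Assumptions: the class names are those of the CXF 2.7 / WSS4J 1.6 / OpenSAML 2 API the thread is about; the overridable createSamlToken() hook is hypothetical (it stands in for the "callback before signing" Andrei proposes; in the CXF release of the time the method is private and does the signing itself, so the override must run before the wrapper is marshalled, otherwise the signature will not cover the new condition); taking the delegate's NameID from the principal that authenticated to the STS is an example choice; and the OpenSAML delegation-restriction extension (namespace urn:oasis:names:tc:SAML:2.0:conditions:delegation) is assumed to be registered in the OpenSAML configuration WSS4J bootstraps. The condition is emitted in the form the SAML delegation restriction profile defines, `<saml:Condition xsi:type="del:DelegationRestrictionType">`, rather than the unprefixed form in the question.

```java
// Added example, not code from the thread or from CXF/WSS4J. Class names follow the
// CXF 2.7 / WSS4J 1.6 / OpenSAML 2 API; the overridable createSamlToken() hook is an
// ASSUMPTION (it is the pre-signing callback Andrei proposes, not an existing API).
package example.sts;

import java.security.Principal;

import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.cxf.sts.token.provider.TokenProviderParameters;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.opensaml.Configuration;
import org.opensaml.saml2.core.Assertion;
import org.opensaml.saml2.core.Condition;
import org.opensaml.saml2.core.Conditions;
import org.opensaml.saml2.core.NameID;
import org.opensaml.samlext.saml2delrestrict.Delegate;
import org.opensaml.samlext.saml2delrestrict.DelegationRestrictionType;
import org.opensaml.xml.XMLObjectBuilder;
import org.opensaml.xml.XMLObjectBuilderFactory;
import org.w3c.dom.Document;

public class DelegationSAMLTokenProvider extends SAMLTokenProvider {

    // ASSUMED hook: runs after the ConditionsProvider has populated Conditions and
    // before the assertion is marshalled and signed. Editing the OpenSAML object after
    // signing would leave the new condition outside the signed content.
    @Override
    protected AssertionWrapper createSamlToken(TokenProviderParameters params, byte[] secret,
                                               Document doc) throws Exception {
        AssertionWrapper wrapper = super.createSamlToken(params, secret, doc);

        // The Delegate is a claim the STS asserts, so it must come from something the STS
        // authenticated, never from an unauthenticated element of the RST. Example choice:
        // the caller principal, which in an ActAs request is the intermediary acting for
        // the subject of the ActAs token.
        Principal caller = params.getPrincipal();
        if (caller == null) {
            throw new IllegalStateException("no authenticated caller to record as delegate");
        }
        addDelegationRestriction(wrapper.getSaml2(), caller.getName(),
                                 new DateTime(DateTimeZone.UTC));
        return wrapper;
    }

    // Adds a <saml:Condition xsi:type="del:DelegationRestrictionType"> carrying one
    // <del:Delegate> to the assertion's existing Conditions (appending to an existing
    // delegation restriction rather than creating a second one).
    static void addDelegationRestriction(Assertion assertion, String delegateName,
                                         DateTime instant) {
        if (assertion == null) {
            throw new IllegalArgumentException("SAML 2.0 assertion required");
        }
        Conditions conditions = assertion.getConditions();
        if (conditions == null) {
            throw new IllegalStateException("Conditions missing; the ConditionsProvider should have set them");
        }
        XMLObjectBuilderFactory bf = Configuration.getBuilderFactory();
        XMLObjectBuilder<?> restrictionBuilder = bf.getBuilder(DelegationRestrictionType.TYPE_NAME);
        if (restrictionBuilder == null) {
            // The delegation-restriction extension was not registered with OpenSAML.
            throw new IllegalStateException("OpenSAML delegation restriction types not registered");
        }

        NameID nameId = (NameID) bf.getBuilder(NameID.DEFAULT_ELEMENT_NAME)
            .buildObject(NameID.DEFAULT_ELEMENT_NAME);
        nameId.setValue(delegateName);
        nameId.setFormat(NameID.UNSPECIFIED);

        Delegate delegate = (Delegate) bf.getBuilder(Delegate.DEFAULT_ELEMENT_NAME)
            .buildObject(Delegate.DEFAULT_ELEMENT_NAME);
        delegate.setNameID(nameId);
        delegate.setDelegationInstant(instant);

        for (Condition existing : conditions.getConditions()) {
            if (existing instanceof DelegationRestrictionType) {
                ((DelegationRestrictionType) existing).getDelegates().add(delegate);
                return;
            }
        }
        // Element name saml:Condition, schema type del:DelegationRestrictionType; OpenSAML
        // writes the xsi:type attribute from the type QName when it marshals.
        DelegationRestrictionType restriction = (DelegationRestrictionType) restrictionBuilder
            .buildObject(Condition.DEFAULT_ELEMENT_NAME, DelegationRestrictionType.TYPE_NAME);
        restriction.getDelegates().add(delegate);
        conditions.getConditions().add(restriction);
    }
}
```

Two things to check on the relying-party side: SAML 2.0 treats any Condition whose type the consumer does not understand as making the assertion invalid, so every service that will receive these tokens must either understand DelegationRestrictionType or be expected to reject the assertion; and the issued token must be validated after the change to confirm the signature actually covers the added condition.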

> -----Original Message-----
> From: ychawla [mailto:[email protected]]
> Sent: Dienstag, 27. November 2012 23:53
> To: [email protected]
> Subject: Customizing Conditions in CXF STS
> 
> Hello All,
> I am looking to customize the 'Conditions' of a SAML assertion according to
> the requirements I received.
> 
> For background on my CXF STS bean configuration, you can refer to this
> post:
> 
> http://cxf.547215.n5.nabble.com/Signing-SAML-token-in-STS-Namespace-issue-tc5718851.html
> 
> In my token provider, I manually create the conditions statement using DOM
> prior to signing my Assertion. For example:
> 
> <saml:Conditions NotBefore="2012-11-23T15:00:00.938Z"
>                  NotOnOrAfter="2012-11-23T15:05:00.938Z">
>     <saml:AudienceRestriction>
>         <saml:Audience>https://someCustomAudience</saml:Audience>
>     </saml:AudienceRestriction>
>     <saml:Condition
>         xmlns:delegate="urn:oasis:names:tc:SAML:2.0:conditions:delegation">
>         <delegate:Delegate DelegationInstant="2012-11-23T15:00:19.938Z">
>             <NameID>Some delegate Name ID of my choosing</NameID>
>         </delegate:Delegate>
>     </saml:Condition>
> </saml:Conditions>
> 
> However, these conditions are replaced by the DefaultConditionsProvider
> after the assertion is signed. For example:
> 
> <Conditions NotBefore="2012-11-21T17:11:06.315Z"
>             NotOnOrAfter="2012-11-21T17:16:06.315Z"/>
> 
> I could implement my own ConditionsProvider:
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/ConditionsProvider.java?view=markup
> 
> However, the ConditionsBean only allows you to set AudienceURI,
> notBefore, and notAfter. The ConditionsBean looks like it gets converted to
> a SAML2 Conditions object by the SAML2ComponentBuilder in the
> createConditions method. I don't see any hooks in there to create a custom
> element such as the delegate element.
> 
> Is there any way using the CXF STS framework where I can customize the
> 'Conditions' element in the Assertion? I can set the Audience Restriction,
> Not Before, and Not After in a custom Conditions Provider but don't see how to
> create a 'delegate' element.
> 
> Thanks,
> Yogesh
> 
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Customizing-Conditions-in-CXF-STS-tp5719270.html
> Sent from the cxf-user mailing list archive at Nabble.com.
