Thanks for your reply. 1) See the following blog post:
http://coheigea.blogspot.ie/2011/10/apache-cxf-sts-documentation-part-iv.html Sections 3.3 -> 3.5. So for example to add an Authorization Assertion, you implement the following interface: http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/AuthDecisionStatementProvider.java?view=markup and plug it into the SAMLTokenProvider. I really appreciate the explanation, how we have to implement/customize the authorization/authentication stuff, but as a newbie, i am thinking to run the sample with these changes. Also, what are the changes i have to do, like which configuration file i have to change, if i implement the interface AuthDecisioinStatementProvider, how can i say at run time to use this new implementation 4)I don't understand the question. The WSP is configured with the public key of the STS and will use it to verify trust in a received signed Assertion. It also verifies the Lifetime of the Assertion. My question was, if WSC sends request with saml token to WSP after the lifetime of the assertion, how WSP handles the situation. e.g. <saml:Conditions NotBefore="2013-02-08T14:53:55.786Z" NotOnOrAfter="2013-02-08T14:55:55.786Z" /> @the WSP side, do we need to write the code to handle this situation or WSP will contact the STS to validate the saml token? 5) The logging feature is enabled in the examples already, so it's just a matter of configuring logging via logging.properties or something. I have looked at the STS sample, but everything is coming on the commandline prompt. But how do i specify the logging properties in this example, to generate the requests/responses that are coming STS, WSC,WSP to write the message in a file. i believe STS uses some jar files, will not show us actual request/response . Do we need to write any logging interceptors and plug in to the STS,WSC and WSP? -- View this message in context: http://cxf.547215.n5.nabble.com/STS-newbie-questions-tp5722949p5722952.html Sent from the cxf-user mailing list archive at Nabble.com.
