Thanks for your reply.

1)
> See the following blog post:
> http://coheigea.blogspot.ie/2011/10/apache-cxf-sts-documentation-part-iv.html
> Sections 3.3 -> 3.5. So for example to add an Authorization Assertion, you
> implement the following interface:
> http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/AuthDecisionStatementProvider.java?view=markup
> and plug it into the SAMLTokenProvider.

I really appreciate the explanation of how we have to implement/customize the authorization/authentication stuff, but as a newbie I am thinking of running the sample with these changes. Also, what are the changes I have to make, i.e. which configuration file do I have to change, if I implement the interface AuthDecisionStatementProvider? How can I say at run time to use this new implementation?

4)
> I don't understand the question. The WSP is configured with the public key
> of the STS and will use it to verify trust in a received signed Assertion.
> It also verifies the Lifetime of the Assertion.

My question was: if the WSC sends a request with the SAML token to the WSP after the lifetime of the assertion, how does the WSP handle the situation? e.g.

<saml:Conditions NotBefore="2013-02-08T14:53:55.786Z" NotOnOrAfter="2013-02-08T14:55:55.786Z" />

At the WSP side, do we need to write the code to handle this situation, or will the WSP contact the STS to validate the SAML token?

5)
> The logging feature is enabled in the examples already, so it's just a
> matter of configuring logging via logging.properties or something.

I have looked at the STS sample, but everything is coming on the command-line prompt. But how do I specify the logging properties in this example, so that the requests/responses that are coming to the STS, WSC and WSP are written to a file? I believe the STS uses some jar files, which will not show us the actual request/response. Do we need to write any logging interceptors and plug them into the STS, WSC and WSP?
________________________________
From: coheigea [via CXF] <[email protected]>
To: kk31 <[email protected]>
Sent: Friday, February 8, 2013 11:15 AM
Subject: Re: STS newbie questions

> 1. When the STS generates the SAML token, how do I control whether
> authorization assertion or authentication assertion statements should be
> generated in the SAML Token?

See the following blog post:
http://coheigea.blogspot.ie/2011/10/apache-cxf-sts-documentation-part-iv.html
Sections 3.3 -> 3.5. So for example to add an Authorization Assertion, you implement the following interface:
http://svn.apache.org/viewvc/cxf/trunk/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/AuthDecisionStatementProvider.java?view=markup
and plug it into the SAMLTokenProvider.

> 2. How can we specify to sign only authorization or authorization
> statements only?

The SAMLTokenProvider doesn't work this way. You can configure a number of authorization/attribute/authentication statements to add to the SAML Token, and it's statically configured whether it signs them or not. It doesn't have the ability to generate, say, an authorization Assertion depending on some condition, or an attribute Assertion depending on another condition.

> 3. How can we connect to LDAP and verify the client user credentials and
> what attributes he has, and update them in the authentication and
> authorization assertions?

It depends on what the client user credentials are. For the case of a UsernameToken, you can plug in the JAASUsernameTokenValidator in WSS4J. There is also an LdapClaimsHandler in the STS which will retrieve attributes from an LDAP backend for insertion into the Assertion.

> 4. How will the WSP validate the STS? I mean, the SAML token generated
> is valid during a particular period of time.

I don't understand the question. The WSP is configured with the public key of the STS and will use it to verify trust in a received signed Assertion. It also verifies the Lifetime of the Assertion.

> 5. I want to log each message (RST, RSTR) that is coming to the STS, WSP (SOAP request
> /response with token) and WSC (RST, RSTR, SOAP request/response to WSP).

The logging feature is enabled in the examples already, so it's just a matter of configuring logging via logging.properties or something.

Colm.

On Fri, Feb 8, 2013 at 5:04 PM, kk31 <[hidden email]> wrote:
> Hi,
> I have installed apache-cxf-2.7.2, maven 3.0. I am successful in running
> the sample that was given as part of the distribution.
>
> I have a couple of questions on STS.
>
> 1. When the STS generates the SAML token, how do I control whether
> authorization assertion or authentication assertion statements should be
> generated in the SAML Token?
>
> 2. How can we specify to sign only authorization or authorization
> statements only?
>
> 3. How can we connect to LDAP and verify the client user credentials and
> what attributes he has, and update them in the authentication and
> authorization assertions?
>
> 4. How will the WSP validate the STS? I mean, the SAML token generated
> is valid during a particular period of time.
>
> 5. I want to log each message (RST, RSTR) that is coming to the STS, WSP (SOAP request
> /response with token) and WSC (RST, RSTR, SOAP request/response to WSP). Do I
> need to write any interceptor or handler for logging? If so, what are the
> changes I have to make to the sample?
> I can't use Wireshark for this as it is a local machine, and it's very hard
> to interpret them too.
>
> Thanks
> kk
>
> --
> View this message in context:
> http://cxf.547215.n5.nabble.com/STS-newbie-questions-tp5722949.html
> Sent from the cxf-user mailing list archive at Nabble.com.

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com

________________________________
If you reply to this email, your message will be added to the discussion below:
http://cxf.547215.n5.nabble.com/STS-newbie-questions-tp5722949p5722950.html
--
View this message in context: http://cxf.547215.n5.nabble.com/STS-newbie-questions-tp5722949p5722955.html
Sent from the cxf-user mailing list archive at Nabble.com.
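As an added stand-alone illustration of the lifetime check discussed under question 4 (this is not Apache CXF's code, nor anything Colm or kk31 posted): once a relying party trusts the STS's public key and has verified the assertion signature, it can decide locally whether the saml:Conditions window covers the current time, with no call back to the STS. The sample assertion wraps the Conditions element quoted in the thread; its audience URL, the 30-second clock-skew allowance and the helper names are assumptions made for the example, and signature verification is assumed to have happened before this check runs.

```python
"""Validity-window check for a SAML 2.0 <saml:Conditions> element.

Added illustration, not Apache CXF code. It assumes the assertion's
signature has already been verified against the STS public key; what
remains is to compare NotBefore / NotOnOrAfter against the relying party's
own clock, which needs no round trip to the STS.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the Conditions element quoted in the thread, wrapped in
# a minimal Assertion. The Signature element is omitted on purpose; the
# audience URL is an invented placeholder.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_example" Version="2.0" IssueInstant="2013-02-08T14:53:55.786Z">
  <saml:Issuer>STS</saml:Issuer>
  <saml:Conditions NotBefore="2013-02-08T14:53:55.786Z" NotOnOrAfter="2013-02-08T14:55:55.786Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://wsp.example/doubleit</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>
"""


def parse_saml_instant(value):
    """Parse an xsd:dateTime as SAML uses it (UTC, trailing 'Z', optional fraction)."""
    if not value.endswith("Z"):
        raise ValueError("SAML instants must be UTC with a trailing Z: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_conditions(assertion_xml, now, expected_audience=None, skew_seconds=30):
    """Return (accepted, reason) for the assertion's Conditions at time `now`.

    `now` must be timezone-aware. `skew_seconds` is the tolerance for clock
    drift between the STS and this service; it widens the window in both
    directions and is an assumed value, not anything CXF prescribes.
    """
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(assertion_xml)
    cond = root.find("{%s}Conditions" % SAML_NS)
    if cond is None:
        # Fail closed: an assertion without Conditions has no bounded lifetime.
        return False, "no saml:Conditions element"

    not_before = cond.get("NotBefore")
    if not_before is not None and now + skew < parse_saml_instant(not_before):
        return False, "not yet valid: NotBefore=%s" % not_before

    # NotOnOrAfter is exclusive: the assertion is already invalid at that instant.
    not_on_or_after = cond.get("NotOnOrAfter")
    if not_on_or_after is not None and now - skew >= parse_saml_instant(not_on_or_after):
        return False, "expired: NotOnOrAfter=%s" % not_on_or_after

    if expected_audience is not None:
        restrictions = cond.findall("{%s}AudienceRestriction" % SAML_NS)
        if restrictions:
            audiences = [a.text for r in restrictions
                         for a in r.findall("{%s}Audience" % SAML_NS)]
            if expected_audience not in audiences:
                return False, "audience %s not in %s" % (expected_audience, audiences)

    return True, "within validity window"


if __name__ == "__main__":
    for when in ("2013-02-08T14:53:00Z",   # before NotBefore, beyond the skew
                 "2013-02-08T14:54:30Z",   # inside the two-minute window
                 "2013-02-08T14:56:30Z"):  # after NotOnOrAfter, beyond the skew
        print(when, check_conditions(SAMPLE_ASSERTION, parse_saml_instant(when)))
```

Running the script prints one accept and two rejections for the three sample instants. The skew allowance should stay small and match what the STS side assumes; a large tolerance silently extends every token's two-minute lifetime, which defeats the point of a short NotOnOrAfter.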
