Hi Andrei,

The question though (as Dan pointed out) is whether the SAML Token will be available on the security context, if it is used in the context of SecureConversation.

Dan, I recommend starting with an existing test:

http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/java/org/apache/cxf/systest/sts/symmetric/SymmetricBindingTest.java?view=markup
http://svn.apache.org/viewvc/cxf/branches/2.7.x-fixes/services/sts/systests/basic/src/test/resources/org/apache/cxf/systest/sts/symmetric/DoubleIt.wsdl?view=markup

The last test there uses SecureConversation with an IssuedToken policy.

Colm.

On Tue, Jun 4, 2013 at 10:41 AM, Andrei Shakirin <[email protected]> wrote:

> > Once you get to 2.7.5, you should be able to grab the principal and such from
> > the context. I think that is fine, but Colm would definitely need to weigh in
> > on this. (although it's a public holiday in Ireland today)
>
> Yep, the code looks like:
>
> SecurityContext sc = message.get(SecurityContext.class);
> Principal user = sc.getUserPrincipal();
>
> if (!(user instanceof SAMLTokenPrincipal)) {
>     // other type of token: error
> }
> AssertionWrapper saml = ((SAMLTokenPrincipal) user).getToken();
> List<org.opensaml.saml2.core.Statement> statements =
>     saml.getSaml2().getStatements();
> for (Statement s : statements) {
>     // Loop through the attribute statements
> }
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Daniel Kulp [mailto:[email protected]]
> > Sent: Montag, 3. Juni 2013 19:06
> > To: [email protected]; DTaylor
> > Subject: Re: WS-SecureConversation and SAML assertions
> >
> > On Jun 3, 2013, at 11:03 AM, DTaylor <[email protected]> wrote:
> >
> > > We're now attempting to utilize WS-SecureConversation and SAML tokens
> > > for negotiating security sessions in our applications.
> > >
> > > Currently, we are on CXF 2.6.2 (we are looking at moving to CXF 2.7.5)
> > > and are curious about the status about WS-SecureConversation with a
> > > set of SAML assertions.
> > >
> > > We are curious about the status of WS-SecureConversation and SAML
> > > assertions and, if relevant, accessing the SAML assertions.
> > >
> > > As far as the status of WS-SC & SAML assertions, from this Jira: CXF-4457
> > > <https://issues.apache.org/jira/browse/CXF-4457>, it appears as
> > > though the use of a SAML token with WS-SecureConversation is not
> > > currently supported by CXF.
> >
> > I think that JIRA needs closing. I'll double check. Thanks for the pointer.
> >
> > > However, we also came across this Jira: CXF-4977
> > > <https://issues.apache.org/jira/browse/CXF-4977> which seems to indicate
> > > that WS-SecureConversation with WS-Trust is now supported in CXF post 2.6.2.
> > > Is it accurate to assume this is now supported or is it only partially
> > > supported or not at all?
> >
> > Well, with 2.6.2, it would be partially supported. It's likely with config, you
> > can get the SAML stuff to work to get the WS-SecureConversation token.
> > However, after the initial negotiation of the token, you would not have
> > access to the SAML token again as we would not have recorded it in the
> > session. Thus, if you need to make any decisions within your own code
> > about actions to take based on the SAML assertion, you would not be able
> > to. You would need to update to 2.7.5 for that support.
> >
> > > If it is supported, the other question we have is in regards to
> > > accessing the claims from the SAML assertions. Is there some manner
> > > to access the SAML assertions in the interceptor chain, or will we
> > > need to create a custom method of accessing the assertions?
> >
> > Once you get to 2.7.5, you should be able to grab the principal and such from
> > the context. I think that is fine, but Colm would definitely need to weigh in
> > on this.
> > (although it's a public holiday in Ireland today)
> >
> > Dan
> >
> > > Thanks,
> > >
> > > Dan
> > >
> > > --
> > > View this message in context:
> > > http://cxf.547215.n5.nabble.com/WS-SecureConversation-and-SAML-assertions-tp5728643.html
> > > Sent from the cxf-user mailing list archive at Nabble.com.
> >
> > --
> > Daniel Kulp
> > [email protected] - http://dankulp.com/blog
> > Talend Community Coder - http://coders.talend.com

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
