The audienceUris/audienceItem check I was thinking of was in 
SAMLTokenValidator; having taken another look, I realized it was grabbing the 
audienceRestrictions from the SAMLToken itself for later evaluation.

I'm not using the Tomcat or Jetty plugins. I'm using Spring Security.
I can't find where the Spring code even checks the AudienceRestrictions. 
Is that baked into Spring Security itself or is it simply not done?

It will be one application at multiple locations.  

My goal is to be able to build app.war and drop it on my Tomcat test server, and 
once it's passed testing I want to take the same app.war file without 
recompiling and put it on my production server.

Hope that makes sense,
Tom

P.S. I went ahead yesterday and created a JIRA with a patch to add a 
REALM callback.
https://issues.apache.org/jira/browse/FEDIZ-64 

-----Original Message-----
From: Oliver Wulff [mailto:[email protected]] 
Sent: Wednesday, July 17, 2013 3:26 AM
To: [email protected]
Subject: RE: Another Programmatic Fediz configuration question

>>>
Looking over the code for SAMLTokenValidator it appears that I can just add 
all my trusted issuers to the file, and as long as it finds one that matches I'm 
good to go.
>>>
That's correct.

>>>
However, for the audienceUris/audienceItem check it only looks at the first 
entry.
Is this by design? Does it break the "standard" to check all of them and look 
for a match?
>>>
Where do you see that? The check is not (yet) done within the core but within 
the plugin for the container. See here:
http://svn.apache.org/viewvc/cxf/fediz/trunk/plugins/tomcat/src/main/java/org/apache/cxf/fediz/tomcat/FederationAuthenticator.java?view=markup

I will move it to fediz-core so that it doesn't have to be reimplemented in each 
container plugin.

>>>
Which still leaves: realm.
>>>
Hmmm... interesting... the realm identifies the application. Are you planning 
to have different applications within one war?

Thanks
Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Burton, Tom F (DOR) [[email protected]]
Sent: 16 July 2013 21:10
To: [email protected]
Subject: RE: Another Programmatic Fediz configuration question

Looking over the code for SAMLTokenValidator it appears that I can just add 
all my trusted issuers to the file, and as long as it finds one that matches I'm 
good to go.

However, for the audienceUris/audienceItem check it only looks at the first 
entry.
Is this by design? Does it break the "standard" to check all of them and look 
for a match?


Taking another look through everything I found IDPCallBack, which has been 
there for a while, so issuer is taken care of.

Which still leaves: realm.

Would I be out of line filing a JIRA/patch for realm callback support?

Thanks again,
Tom Burton

-----Original Message-----
From: Burton, Tom F (DOR) [mailto:[email protected]]
Sent: Monday, July 15, 2013 4:55 PM
To: [email protected]
Subject: Another Programmatic Fediz configuration question

So in my fediz_config.xml file the following values all relate to my Dev 
system.

<audienceUris>
    <audienceItem>
        <!-- referred to as:
             <audienceUris><add value="[goes here]" /></audienceUris>
             in .NET
        -->
        https://cssdappstst.state.ak.us:8443/newhirereporting/
    </audienceItem>
</audienceUris>

<trustedIssuers>
    <!-- TODO: programmatically change this on deploy -->
    <issuer subject=".*" certificateValidation="ChainTrust"
            name="mydev-sign.alaska.gov" />
</trustedIssuers>

<protocol xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:type="federationProtocolType" version="1.0.0">
    <realm>https://cssdappstst.state.ak.us:8443/newhirereporting/</realm>
    <issuer>https://mydev.alaska.gov/adfs/ls/</issuer>
    <!-- everything else -->
</protocol>

I have created a CallBackHandler for SignInQuery to add my per request 
Customizations.
However I don't believe the listed tags have Callbacks.

Also, for audienceItem and issuer, would it work to have both the Development 
values and production values in there normally, since it looks like they can 
hold more than one value?

The end goal is to not have to recompile when moving a build that has passed 
tests into production.

Thanks again,
Tom Burton
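The "check all audienceUris, not just the first" behaviour discussed in this thread, written as an added example that is not Fediz code: it reads every audienceItem from a constructed fediz_config.xml fragment and evaluates a SAML 2.0 assertion's AudienceRestriction against all of them. The outer wrapper element and the production host are assumed placeholders; the dev audience is the one from the thread.

```python
import xml.etree.ElementTree as ET

SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed config fragment (wrapper element assumed): the dev audience from
# the thread plus a placeholder production audience as a second entry.
FEDIZ_CONFIG = """<config>
  <audienceUris>
    <audienceItem>
      https://cssdappstst.state.ak.us:8443/newhirereporting/
    </audienceItem>
    <audienceItem>https://PROD-HOST-PLACEHOLDER/newhirereporting/</audienceItem>
  </audienceUris>
</config>"""

# Constructed SAML 2.0 assertion fragment carrying one AudienceRestriction.
SAML_TOKEN = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Conditions>
    <saml2:AudienceRestriction>
      <saml2:Audience>https://cssdappstst.state.ak.us:8443/newhirereporting/</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""


def configured_audiences(config_xml):
    """Return every audienceItem value, whitespace-trimmed, not only the first."""
    root = ET.fromstring(config_xml)
    items = [(e.text or "").strip() for e in root.iter("audienceItem")]
    return [i for i in items if i]


def token_audience_restrictions(assertion_xml):
    """Return one list of Audience values per AudienceRestriction element."""
    root = ET.fromstring(assertion_xml)
    return [[(a.text or "").strip() for a in r.findall(SAML2 + "Audience")]
            for r in root.iter(SAML2 + "AudienceRestriction")]


def audience_check(config_xml, assertion_xml, require_restriction=True):
    """SAML 2.0 Core 2.5.1.4 semantics: every AudienceRestriction must hold, and
    one holds when at least one of its Audience values is one of ours (exact
    match after trimming). A token with no restriction is rejected by default,
    since nothing then ties it to this relying party."""
    ours = set(configured_audiences(config_xml))
    restrictions = token_audience_restrictions(assertion_xml)
    if not restrictions:
        return not require_restriction
    return all(any(a in ours for a in r) for r in restrictions)
```

Listing both Dev and production audiences in one shipped configuration makes each deployment accept tokens scoped to the other, so the matching above is only as tight as the list it is given.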
