...and the example is: https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/saml/server/server.xml;h=6db3fea1daf792472aeeab88b95794cb45161182;hb=refs/heads/2.7.x-fixes
Colm.

On Wed, Apr 2, 2014 at 3:03 PM, Colm O hEigeartaigh <[email protected]> wrote:

> Hi,
>
> > Is the specification part related to "Audience Restriction" implemented
> > by CXF such that if a SAML token in SOAP request does
> > not contain the "correct" audience restriction URI then the SAML token
> > validation will fail? How does CXF determine the
> > audience restriction URI of the service provider?
>
> It is not implemented - for the reason you outline. If you wish to support
> this kind of functionality, you need to extend the SamlAssertionValidator
> in WSS4J + override the "checkConditions(AssertionWrapper)" method. You can
> get the audience restriction URIs from
> "assertion.getSaml2().getConditions().getAudienceRestrictions()" etc.
>
> Here is the SamlAssertionValidator:
>
> http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/SamlAssertionValidator.java?view=markup
>
> Here is a spring example of how to override the SamlAssertionValidator via
> the "ws-security.saml2.validator" jaxws-property.
>
> Colm.
>
> On Wed, Apr 2, 2014 at 1:14 PM, Yossi Cohen <[email protected]> wrote:
>
>> Hi,
>>
>> We are implementing SOAP web services using CXF 2.7.8 / WSS4J SAML 2.0
>> implementation.
>>
>> Question:
>> Is the specification part related to "Audience Restriction" implemented
>> by CXF such that if a SAML token in SOAP request does not contain the
>> "correct" audience restriction URI then the SAML token validation will
>> fail? How does CXF determine the audience restriction URI of the service
>> provider?
>>
>> "Audience Restriction" as described in SAML specification:
>>
>> "The <AudienceRestriction> element specifies that the assertion is
>> addressed to one or more specific audiences identified by <Audience>
>> elements. Although a SAML relying party that is outside the audiences
>> specified is capable of drawing conclusions from an assertion, the SAML
>> asserting party explicitly makes no representation as to accuracy or
>> trustworthiness to such a party"
>>
>> Best Regards,
>>
>> Yossi Cohen
>>
>> This message and the information contained herein is proprietary and
>> confidential and subject to the Amdocs policy statement,
>> you may review at http://www.amdocs.com/email_disclaimer.asp
>
> --
> Colm O hEigeartaigh
>
> Talend Community Coder
> http://coders.talend.com

--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
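
The override described in the reply above, as an added example that is not part of the original thread or of the CXF/WSS4J code base. It is written against the WSS4J 1.6.x API named in the thread; the class name AudienceRestrictionValidator and its expectedAudience property are hypothetical, and accepting assertions that carry no AudienceRestriction is a policy assumption.

```java
import java.util.List;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.apache.ws.security.validate.SamlAssertionValidator;
import org.opensaml.saml2.core.Audience;
import org.opensaml.saml2.core.AudienceRestriction;
import org.opensaml.saml2.core.Conditions;

// Hypothetical validator: rejects SAML 2.0 assertions addressed to another audience.
public class AudienceRestrictionValidator extends SamlAssertionValidator {

    // URI this service expects in <Audience>; hypothetical property set by configuration.
    private String expectedAudience;

    public void setExpectedAudience(String expectedAudience) {
        this.expectedAudience = expectedAudience;
    }

    @Override
    protected void checkConditions(AssertionWrapper assertion) throws WSSecurityException {
        // Keep the stock NotBefore / NotOnOrAfter checks.
        super.checkConditions(assertion);

        // Fail closed if the validator was wired up without an audience URI.
        if (expectedAudience == null || expectedAudience.isEmpty()) {
            throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
        }
        if (assertion.getSaml2() == null) {
            return; // SAML 1.1 token: not covered by this example
        }
        Conditions conditions = assertion.getSaml2().getConditions();
        if (conditions == null) {
            return; // no conditions, so no audience restriction (assumed policy: accept)
        }
        // SAML core: every <AudienceRestriction> must be satisfied (AND),
        // and each one is satisfied by any of its <Audience> values (OR).
        List<AudienceRestriction> restrictions = conditions.getAudienceRestrictions();
        for (AudienceRestriction restriction : restrictions) {
            boolean matched = false;
            for (Audience audience : restriction.getAudiences()) {
                if (expectedAudience.equals(audience.getAudienceURI())) {
                    matched = true;
                    break;
                }
            }
            if (!matched) {
                throw new WSSecurityException(WSSecurityException.FAILURE, "invalidSAMLsecurity");
            }
        }
    }
}
```

An instance of this class is registered through the "ws-security.saml2.validator" jaxws-property mentioned in the reply, with expectedAudience set to the URI the token issuer uses for this service.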
