Hi Andreas,

Yes, you can simply override the DefaultSubjectProvider.getPrincipal method + return the principal from providerParameters.getTokenRequirements().getActAs() instead:

https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/DefaultSubjectProvider.java#L122

Then set this new implementation on the SAMLTokenProvider:

https://github.com/apache/cxf/blob/master/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/provider/SAMLTokenProvider.java#L229

Colm.

On Wed, Jul 26, 2017 at 10:47 PM, Andreas Vallen <[email protected]> wrote:
> Hi,
>
> after upgrading from cxf-fediz 3.1.1 to 3.1.2, and to cxf 3.1.11 in the
> process, our service which consumes actAs tokens issued by the STS broke
> because the security context principal is now being initialized with the
> identity of the requestor, which is the system that requested the
> IssuedToken - identified by the DN of its public key.
>
> The cause of this issue likely is the fix done by
> https://issues.apache.org/jira/browse/CXF-7099 - before that the actual
> actAs user was set as the subject NameID value of the issued token.
>
> Is there a way to configure the service to evaluate the actAs attribute
> instead of the subject NameID as before in order to determine the user
> identity?
>
> Best,
> Andreas
>

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
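As an added illustration of the override Colm describes (this is example code written for this thread, not code from Colm or from the CXF project), the class below subclasses DefaultSubjectProvider so that the Subject of the issued SAML token names the ActAs identity rather than the requesting system, and then registers it on a SAMLTokenProvider. The names SubjectProviderParameters, TokenProviderParameters, ReceivedToken (with its STATE enum) and SAMLTokenProvider.setSubjectProvider are assumed from the CXF 3.1.x STS API; only DefaultSubjectProvider.getPrincipal, getTokenRequirements().getActAs() and SAMLTokenProvider appear in the thread itself.

```java
import java.security.Principal;

import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.token.provider.DefaultSubjectProvider;
import org.apache.cxf.sts.token.provider.SAMLTokenProvider;
import org.apache.cxf.sts.token.provider.SubjectProviderParameters;
import org.apache.cxf.sts.token.provider.TokenProviderParameters;

/**
 * Example SubjectProvider (assumed CXF 3.1.x API) that puts the ActAs
 * identity, instead of the requesting system, into the Subject of the
 * issued token. OnBehalfOf and plain issue requests fall through to the
 * default behaviour.
 */
public class ActAsSubjectProvider extends DefaultSubjectProvider {

    @Override
    protected Principal getPrincipal(SubjectProviderParameters subjectProviderParameters) {
        TokenProviderParameters providerParameters =
            subjectProviderParameters.getProviderParameters();
        ReceivedToken actAs = providerParameters.getTokenRequirements().getActAs();

        // Only use the ActAs identity once the STS's TokenValidator has marked
        // the received token VALID; an unvalidated ActAs element could otherwise
        // name any user the caller chooses.
        if (actAs != null
            && actAs.getState() == ReceivedToken.STATE.VALID
            && actAs.getPrincipal() != null) {
            return actAs.getPrincipal();
        }

        // Requestor principal (post CXF-7099 default) for every other case.
        return super.getPrincipal(subjectProviderParameters);
    }

    /**
     * Wires the provider into a SAMLTokenProvider programmatically; the same
     * thing can be done in the STS Spring configuration via the
     * "subjectProvider" property of the SAMLTokenProvider bean.
     */
    public static SAMLTokenProvider newSamlTokenProvider() {
        SAMLTokenProvider samlTokenProvider = new SAMLTokenProvider();
        samlTokenProvider.setSubjectProvider(new ActAsSubjectProvider());
        return samlTokenProvider;
    }
}
```

The VALID-state check is the part worth keeping whatever else is changed: the STS validates the ActAs token before the provider runs, and the override should only ever promote an identity that passed that validation. Note that this restores the pre-CXF-7099 Subject layout only for this STS; the requestor identity is no longer visible in the Subject, so any relying party that needs to distinguish the delegate from the end user has to read it from the token's attributes instead.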
