[ https://issues.apache.org/jira/browse/CXF-3928?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Oliver Wulff updated CXF-3928:
------------------------------

    Attachment: git.diff.patch

I've applied an initial patch but due to several changes I'd like to get your opinion on it.

Semantic changes:
1) so far, the principal is written into the TokenValidatorResponse if validation was successful. I changed this thus the principal is available if parsing was successful. If validation fails the ReceivedToken has the state set to INVALID.
Therefore I had to change:
- DefaultSubjectProvider
- SAMLTokenValidator
- UsernameTokenValidator

Notes:
- attribute tokenContext of ReceivedToken not yet used.
- I'd like to add an additional testcase of issue onbehalfof where IdentityMapper is required (but would like your feedback first)

> Add token validation for OnBehalfOf element in TokenIssueOperation
> ------------------------------------------------------------------
>
>                 Key: CXF-3928
>                 URL: https://issues.apache.org/jira/browse/CXF-3928
>             Project: CXF
>          Issue Type: Improvement
>          Components: Services
>    Affects Versions: 2.5
>            Reporter: Oliver Wulff
>         Attachments: git.diff.patch
>
>
> Tokens passed in OnBehalfOf element are not validated. It's the
> responsibility of the TokenProvider implementation to validate that.
> A proposal has been discussed here:
> http://cxf.547215.n5.nabble.com/STS-OnBehalfOf-token-validation-SAMLTokenProvider-td5003544.html
> OnBehalfOf token validation is moved to the TokenIssueOperation and the
> ReceivedToken is enhanced with the following attributes:
> - was it a token of ws-security header (like ReceivedToken), onbehalfof, actas
> - successfully validated (it could be a token which depends on other
> constraints to be fully accepted)
> - original DOM element
> - transformed DOM element (used if the token is passed by ref, also supported
> by SAML spec)
> - principal (mostly, you only need the principal to issue a new token)

--
This message is automatically generated by JIRA.
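The ReceivedToken design the issue describes (where the token came from, a validation state, the original and transformed element, and a principal that is available as soon as parsing succeeds) sketched as a toy Java program so the gate in the issue operation is visible. This is an added illustration, not CXF's code or the attached git.diff.patch; every class, enum and method name here, and the `user:<name>;sig:<ok|bad>` token format, are assumptions constructed for the example.

```java
import java.security.Principal;

// Hypothetical sketch of the ReceivedToken / TokenIssueOperation design
// discussed in CXF-3928. Not CXF code; all names are assumptions.
public class OnBehalfOfValidationSketch {

    // Where the token was received: WS-Security header, OnBehalfOf or ActAs element.
    enum Source { SECURITY_HEADER, ONBEHALFOF, ACTAS }

    // Validation outcome; INVALID is set when parsing or validation fails.
    enum State { NONE, VALID, INVALID }

    /** Parsed token plus validation outcome, mirroring the attributes listed in the issue. */
    static final class ReceivedToken {
        final Source source;
        final String originalElement;   // stands in for the original DOM element
        String transformedElement;      // resolved element when the token was passed by reference
        Principal principal;            // set once parsing succeeds, even if validation later fails
        State state = State.NONE;

        ReceivedToken(Source source, String originalElement) {
            this.source = source;
            this.originalElement = originalElement;
        }
    }

    interface TokenValidator {
        /** Parses the token, sets the principal if parsing works, and sets the state. */
        void validate(ReceivedToken token);
    }

    /** Toy validator: token text is "user:<name>;sig:<ok|bad>" (constructed format). */
    static final class ToyValidator implements TokenValidator {
        @Override
        public void validate(ReceivedToken token) {
            String name = null;
            boolean sigOk = false;
            for (String part : token.originalElement.split(";")) {
                if (part.startsWith("user:")) name = part.substring(5);
                if (part.startsWith("sig:")) sigOk = "ok".equals(part.substring(4));
            }
            if (name == null || name.isEmpty()) {
                token.state = State.INVALID;      // parsing failed: no principal at all
                return;
            }
            final String principalName = name;
            token.principal = () -> principalName; // principal known after successful parsing
            token.state = sigOk ? State.VALID : State.INVALID;
        }
    }

    /** Issue operation: validates the OnBehalfOf token itself rather than trusting the provider to. */
    static String issue(ReceivedToken onBehalfOf, TokenValidator validator) {
        validator.validate(onBehalfOf);
        if (onBehalfOf.state != State.VALID) {
            // The principal, when parsed, is still available for the rejection message / audit log.
            String who = onBehalfOf.principal == null ? "<unparsed>" : onBehalfOf.principal.getName();
            throw new SecurityException("OnBehalfOf token rejected (" + onBehalfOf.state
                    + ") for principal " + who);
        }
        // Only a validated principal reaches the step that issues the new token.
        return "issued-token-for:" + onBehalfOf.principal.getName();
    }

    public static void main(String[] args) {
        TokenValidator validator = new ToyValidator();

        ReceivedToken good = new ReceivedToken(Source.ONBEHALFOF, "user:alice;sig:ok");
        System.out.println(issue(good, validator));

        ReceivedToken badSig = new ReceivedToken(Source.ONBEHALFOF, "user:bob;sig:bad");
        try {
            issue(badSig, validator);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }

        ReceivedToken unparsable = new ReceivedToken(Source.ONBEHALFOF, "garbage");
        try {
            issue(unparsable, validator);
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The point the sketch makes is the one the comment raises: the principal is filled in whenever parsing succeeds, so a failed validation can still be reported against a named principal, while the state field, not the presence of a principal, is what the issue operation checks before issuing anything.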