[
https://issues.apache.org/jira/browse/CXF-3928?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Oliver Wulff updated CXF-3928:
------------------------------
Attachment: git.diff.patch
Implemented the changes and added a unit test where the on-behalf-of token has
been issued by SAML realm A and the issued token is a SAML token of realm B
> Add token validation for OnBehalfOf element in TokenIssueOperation
> ------------------------------------------------------------------
>
> Key: CXF-3928
> URL: https://issues.apache.org/jira/browse/CXF-3928
> Project: CXF
> Issue Type: Improvement
> Components: Services
> Affects Versions: 2.5
> Reporter: Oliver Wulff
> Attachments: git.diff.patch, git.diff.patch
>
>
> Tokens passed in OnBehalfOf element are not validated. It's the
> responsibility of the TokenProvider implementation to validate that.
> A proposal has been discussed here:
> http://cxf.547215.n5.nabble.com/STS-OnBehalfOf-token-validation-SAMLTokenProvider-td5003544.html
> OnBehalfOf token validation is moved to the TokenIssueOperation and the
> ReceivedToken is enhanced with the following attributes:
> - was it a token of ws-security header (like ReceivedToken), onbehalfof, actas
> - successfully validated (it could be a token which depends on other
> constraints to be fully accepted)
> - original DOM element
> - transformed DOM element (used if the token is passed by ref, also supported
> by SAML spec)
> - principal (mostly, you only need the principal to issue a new token)
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
