[ https://issues.apache.org/jira/browse/CXF-4062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13223078#comment-13223078 ]

Jan Bernhardt commented on CXF-4062:
------------------------------------

Colm O hEigeartaigh commented on CXF-4062:
------------------------------------------

Hi Jan,


Sure, but is it meant to be used as a child of the wst:Claims Element? Can you 
point me to any examples of this?


Correct me if I'm wrong, but as far as I understand the WS-Trust spec:

* WS-Trust "Claims" element contains an attribute "Dialect" which indicates the 
type of claims contained in the WS-Trust Claims element.
* WS-Trust schema definition expects a sequence of ANY elements within Claims 
element
* If the dialect is set to "http://schemas.xmlsoap.org/ws/2005/05/identity" 
then any element defined in this namespace could appear within the WS-Trust Claims 
element. 

Since the element ClaimValue is defined in the 
"http://schemas.xmlsoap.org/ws/2005/05/identity" namespace, the following 
statement should be valid according to the specifications:

<sp:RequestSecurityTokenTemplate>
    <t:TokenType>http://...#SAMLV1.1</t:TokenType>
    <t:KeyType>http://.../PublicKey</t:KeyType>
    <t:Claims Dialect="http://.../identity" xmlns:ic="http://.../identity">
        <ic:ClaimValue Uri="http://.../claims/role">administrator</ic:ClaimValue>
    </t:Claims>
</sp:RequestSecurityTokenTemplate>

The use case for this is that a consumer needs a SAML Token containing _only_ a 
specific role attribute statement and not a list of all roles assigned to a 
given user. The STS would have to parse this Claim Request and check (via 
ClaimHandler) if the user is assigned to the requested role. If this is the 
case, a SAML Token will be created containing only this specifically requested 
role.

In the current version of CXF, the STS would not be able to parse such a STR, 
because it only expects an "ic:ClaimType" element within "t:Claims", which is 
only a small subset of the dialect 
"http://schemas.xmlsoap.org/ws/2005/05/identity".

@Oli Role transformation would not solve this issue, since I do not want to 
transform a previously requested claim of a token, but instead request 
confirmation for only a specific ClaimValue (here: administrator).

I hope this subject has become more clear now... ;-)

I'm looking forward to your reply to this message!

Best regards
Jan
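As an added, standalone illustration (not CXF code and not part of this ticket) of the parsing and checking logic described above: the wst:Claims element is dispatched on its Dialect, both ic:ClaimType and ic:ClaimValue are accepted, and a ClaimValue is only echoed into the token's role attributes after the user's real role membership has been checked, never just because the client asserted it. The WS-Trust 1.3 namespace and the sample request are assumptions of the example.

```python
import xml.etree.ElementTree as ET

# The identity dialect is the one named in the ticket; the WS-Trust 1.3 namespace
# is an assumption of this example (the ticket's snippets leave "t:"/"wst:" undeclared).
WST_NS = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
IC_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity"
ROLE_URI = IC_NS + "/claims/role"

def parse_claims(xml_text):
    """Return requested claims as (uri, value) tuples; value is None for ClaimType."""
    root = ET.fromstring(xml_text)
    claims = root if root.tag == f"{{{WST_NS}}}Claims" else root.find(f".//{{{WST_NS}}}Claims")
    if claims is None:
        return []
    if claims.get("Dialect") != IC_NS:
        raise ValueError("unsupported claims dialect: %r" % claims.get("Dialect"))
    requested = []
    for child in claims:  # schema allows xs:any here, so dispatch on the dialect's elements
        if child.tag == f"{{{IC_NS}}}ClaimType":
            requested.append((child.get("Uri"), None))
        elif child.tag == f"{{{IC_NS}}}ClaimValue":
            requested.append((child.get("Uri"), (child.text or "").strip()))
        else:
            raise ValueError("unexpected element in wst:Claims: %s" % child.tag)
    return requested

def role_attributes(requested, user_roles):
    """Role attributes the token may carry, given the roles the user really holds.
    A ClaimValue asks for confirmation of one role: it is echoed back only when the
    user holds it (the ClaimHandler check), never because the client asserted it."""
    attrs = []
    for uri, value in requested:
        if uri != ROLE_URI:
            raise ValueError("unsupported claim: %s" % uri)
        if value is None:            # ClaimType: the full role list, as today
            attrs.extend((uri, r) for r in sorted(user_roles))
        elif value in user_roles:    # ClaimValue: only the confirmed role
            attrs.append((uri, value))
        else:
            raise PermissionError("user does not hold requested role %r" % value)
    return attrs

# Constructed sample: the ClaimValue request from the ticket, namespaces declared.
SAMPLE_RST = f"""<wst:RequestSecurityToken xmlns:wst="{WST_NS}" xmlns:ic="{IC_NS}">
  <wst:Claims Dialect="{IC_NS}">
    <ic:ClaimValue Uri="{ROLE_URI}">administrator</ic:ClaimValue>
  </wst:Claims>
</wst:RequestSecurityToken>"""
```

Running `role_attributes(parse_claims(SAMPLE_RST), {"administrator", "user"})` yields a single role attribute, while the same request for a user without that role is refused.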

> Enabling custom claim parser
> ----------------------------
>
>                 Key: CXF-4062
>                 URL: https://issues.apache.org/jira/browse/CXF-4062
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 2.5.2
>            Reporter: Jan Bernhardt
>              Labels: Claims, STS
>         Attachments: claimParer.patch
>
>
> STS-core:
> Currently there is no way to use a custom dialect in requested claims. Even 
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims is not fully supported 
> (only the ClaimType element).
> Therefore I introduced a new interface ClaimParser, and a DefaultClaimParser 
> with the current parsing logic. This parser is called by default within 
> RequestParser, so that the normal CXF behavior has not changed. But to make 
> this process more flexible it is possible (with this patch) to register any 
> kind of ClaimParser supporting a specific dialect. I implemented an 
> IdentityClaimParser which is currently able to parse CustomType and 
> CustomValueType elements within the wst:Claims element. Since the current 
> RequestClaim does not support any claim values, except for the Uri attribute, 
> I created a subclass ClaimValueType to also pass the claim value to the claim 
> handler.
> This patch is just a starting point. I think there should be a more complex 
> redesign of the current claim handling implementation, because it is 
> currently focused on only one Use-Case. The following improvements should be 
> made:
> * The RequestClaim class should be replaced by a more flexible interface 
> supporting any kind of parsing and handling custom dialects.
> * It should be possible to include/configure a custom ClaimParser via Spring 
> config
> * A fully supported implementation of 
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims dialect would be great
> Here is an example of a claims STS request which is supported by applying 
> this patch:
> <wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity" 
> xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
>   <ic:ClaimValue 
> Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role">admin</ic:ClaimValue>
> </wst:Claims>
> Thank you for this great product!! I hope this patch can help to further 
> improve CXF.
> Best regards
> Jan
