[ https://issues.apache.org/jira/browse/CXF-4062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13223142#comment-13223142 ]
Jan Bernhardt commented on CXF-4062:
------------------------------------

[ https://issues.apache.org/jira/browse/CXF-4062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13223133#comment-13223133 ]
Oliver Wulff commented on CXF-4062:
-----------------------------------

> I guess I understand. The user can work with your application in different roles (administrator, user), but only with one role at a time. When the SAML token is requested, the user must have decided on a role in whose context he wants to work with the application. Your ClaimsHandler then has to verify that the user has really been assigned this role. Is this correct?

Yes, this is correct!! I finally got myself understood ;-)

> You agree that there is no new claims dialect required, because "http://schemas.xmlsoap.org/ws/2005/05/identity" can cover your requirements:

This was my point from the very beginning! ;-) I do not need a new dialect; it is just that CXF is currently not able to fully support this identity dialect. That's where the idea of my patch came from...

> <xs:element name="ClaimValue" type="tns:ClaimValueType"/>
> <xs:complexType name="ClaimValueType">
>   <xs:complexContent>
>     <xs:extension base="tns:BaseClaimType">
>       <xs:sequence>
>         <xs:element name="Value" type="tns:StringMaxLength684"/>
>       </xs:sequence>
>     </xs:extension>
>   </xs:complexContent>
> </xs:complexType>
>
> The ClaimValueType is a sub-type of BaseClaimType. What do you think about the introduction of a subclass of RequestClaimValue, or adding set/getClaimValue to the RequestClaim class? This would work for 2.5.x too.

This is what I did in my provided patch, to ensure backwards compatibility. But I think this behavior is still not a good design, since WS-Trust would allow one to use any kind of dialect, even those not providing a ClaimType URI. So my suggestion would be to introduce a new Claim interface to be more flexible for any kind of claims.

> Could you also add a testcase for this new feature?
Yes, I will try to get this done within the next couple of days.

Best regards
Jan

> Enabling custom claim parser
> ----------------------------
>
>                 Key: CXF-4062
>                 URL: https://issues.apache.org/jira/browse/CXF-4062
>             Project: CXF
>          Issue Type: Improvement
>    Affects Versions: 2.5.2
>            Reporter: Jan Bernhardt
>              Labels: Claims, STS
>         Attachments: claimParer.patch
>
>
> STS-core:
> Currently there is no way to use a custom dialect in requested claims. Even
> http://schemas.xmlsoap.org/ws/2005/05/identity/claims is not fully supported
> (only the ClaimType element).
> Therefore I introduced a new interface ClaimParser, and a DefaultClaimParser
> with the current parsing logic. This parser is called by default within
> RequestParser, so that the normal CXF behavior has not changed. But to make
> this process more flexible it is possible (with this patch) to register any
> kind of ClaimParser supporting a specific dialect. I implemented an
> IdentityClaimParser which is currently able to parse CustomType and
> CustomValueType elements within the wst:Claims element. Since the current
> RequestClaim does not support any claim values, except for the Uri attribute,
> I created a subclass ClaimValueType to also pass the claim value to the claim
> handler.
> This patch is just a starting point. I think there should be a more complex
> redesign of the current claim handling implementation, because it is
> currently focused on only one use case. The following improvements should be
> made:
> * The RequestClaim class should be replaced by a more flexible interface
>   supporting any kind of parsing and handling of custom dialects.
> * It should be possible to include/configure custom claim parsers via Spring
>   config.
> * A fully supported implementation of the
>   http://schemas.xmlsoap.org/ws/2005/05/identity/claims dialect would be great.
>
> Here is an example of a claims STS request which is supported by applying
> this patch:
>
> <wst:Claims Dialect="http://schemas.xmlsoap.org/ws/2005/05/identity"
>             xmlns:ic="http://schemas.xmlsoap.org/ws/2005/05/identity">
>   <ic:ClaimValue Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role">admin</ic:ClaimValue>
> </wst:Claims>
>
> Thank you for this great product!! I hope this patch can help to further
> improve CXF.
> Best regards
> Jan

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
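The following is an added illustration of the two points the thread turns on, written for this page and not taken from CXF or from the attached patch: a ClaimParser selected by the Dialect attribute of wst:Claims, an identity-dialect parser that understands both ic:ClaimType (Uri plus Optional) and ic:ClaimValue (Uri plus a value, accepted either as an ic:Value child as in the schema Oliver quoted or as direct text content as in the request in the issue description), and the handler-side check Oliver asks for, namely that a requested role value is only issued if the authenticated principal actually holds that role. It uses only JDK DOM classes; the class names (RequestedClaim, ClaimParser, IdentityClaimParser, ClaimParsingExample) and the sample request are assumptions for the example and are not CXF's API.

```java
// Added example, not CXF or patch code. Class and method names are hypothetical.
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class ClaimParsingExample {
    static final String IC = "http://schemas.xmlsoap.org/ws/2005/05/identity";
    static final String ROLE = IC + "/claims/role";

    /** A parsed request claim: type URI, Optional flag, requested value (null for ic:ClaimType). */
    static final class RequestedClaim {
        final String typeUri; final boolean optional; final String value;
        RequestedClaim(String typeUri, boolean optional, String value) {
            this.typeUri = typeUri; this.optional = optional; this.value = value;
        }
    }

    /** One parser per dialect URI; the Dialect attribute of wst:Claims selects it. */
    interface ClaimParser {
        String getSupportedDialect();
        RequestedClaim parse(Element claim);
    }

    /** Parser for the 2005/05 identity dialect: ic:ClaimType and ic:ClaimValue. */
    static final class IdentityClaimParser implements ClaimParser {
        public String getSupportedDialect() { return IC; }
        public RequestedClaim parse(Element e) {
            if (!IC.equals(e.getNamespaceURI())) {
                throw new IllegalArgumentException("not an identity claim: " + e.getTagName());
            }
            String uri = e.getAttribute("Uri");
            if (uri.isEmpty()) throw new IllegalArgumentException("claim without Uri");
            if ("ClaimType".equals(e.getLocalName())) {
                return new RequestedClaim(uri, "true".equals(e.getAttribute("Optional")), null);
            }
            if ("ClaimValue".equals(e.getLocalName())) {
                // Schema form carries the value in a child ic:Value; the request in the
                // issue description puts it directly as text content. Accept both.
                NodeList v = e.getElementsByTagNameNS(IC, "Value");
                String value = (v.getLength() > 0 ? v.item(0) : e).getTextContent().trim();
                if (value.isEmpty()) throw new IllegalArgumentException("ClaimValue without value");
                return new RequestedClaim(uri, false, value);
            }
            throw new IllegalArgumentException("unsupported identity element: " + e.getLocalName());
        }
    }

    /** Parses a wst:Claims element, dispatching each child to the parser registered for its Dialect. */
    static List<RequestedClaim> parseClaims(String claimsXml, Map<String, ClaimParser> registry) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // The RST comes from the network: refuse DOCTYPE so no external entities get resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(claimsXml)));
        Element claims = doc.getDocumentElement();
        String dialect = claims.getAttribute("Dialect");
        ClaimParser parser = registry.get(dialect);
        if (parser == null) throw new IllegalArgumentException("no parser registered for dialect " + dialect);
        List<RequestedClaim> out = new ArrayList<>();
        for (Node n = claims.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (n.getNodeType() == Node.ELEMENT_NODE) out.add(parser.parse((Element) n));
        }
        return out;
    }

    /** The ClaimsHandler check from the thread: never issue a role the principal does not hold. */
    static Map<String, List<String>> resolveClaims(List<RequestedClaim> requested, Set<String> principalRoles) {
        Map<String, List<String>> issued = new LinkedHashMap<>();
        for (RequestedClaim c : requested) {
            if (!ROLE.equals(c.typeUri)) {
                if (c.optional) continue;
                throw new IllegalArgumentException("unsupported mandatory claim " + c.typeUri);
            }
            if (c.value == null) {                       // plain ic:ClaimType: issue every role held
                issued.put(ROLE, new ArrayList<>(principalRoles));
            } else if (principalRoles.contains(c.value)) { // ic:ClaimValue: issue only the chosen role
                issued.put(ROLE, Collections.singletonList(c.value));
            } else {
                throw new SecurityException("principal does not hold requested role " + c.value);
            }
        }
        return issued;
    }

    public static void main(String[] args) throws Exception {
        // Constructed request with the same shape as the one in the issue description.
        String request = "<wst:Claims Dialect=\"" + IC + "\" xmlns:ic=\"" + IC + "\""
            + " xmlns:wst=\"http://docs.oasis-open.org/ws-sx/ws-trust/200512\">"
            + "<ic:ClaimValue Uri=\"" + ROLE + "\">admin</ic:ClaimValue></wst:Claims>";
        Map<String, ClaimParser> registry = new HashMap<>();
        ClaimParser identity = new IdentityClaimParser();
        registry.put(identity.getSupportedDialect(), identity);
        List<RequestedClaim> claims = parseClaims(request, registry);
        // Principal holds admin: the token gets exactly the role the user selected.
        System.out.println(resolveClaims(claims, new HashSet<>(Arrays.asList("user", "admin"))));
        // Principal holds only user: the request for admin is refused, not silently downgraded.
        try {
            resolveClaims(claims, Collections.singleton("user"));
        } catch (SecurityException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The registry is what makes the dialect pluggable in the sense the report asks for: a second dialect is one more ClaimParser put under its URI, and an unknown Dialect is rejected instead of being parsed by the default logic. The refusal in resolveClaims is the part that matters for the STS: a client can put any value into ic:ClaimValue, so the value is a request, not an assertion, and the token must only carry it after the handler has checked it against what the authenticated principal is actually assigned.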