[ 
https://issues.apache.org/jira/browse/CXF-5664?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13957724#comment-13957724
 ] 

Colm O hEigeartaigh commented on CXF-5664:
------------------------------------------


I've merged an update where the RequestParser parses a wst:Participants object 
into a "Participants" class, which stores a primary participant (Object) and a 
list of other participants (Objects). This Participants object is available to 
the token providers in the standard way.

> The Participants element should be parsed and added to the list of 
> AudienceRestrictions in the issued token.

Currently we create a single AudienceRestriction from the AppliesTo URI sent in 
the request (if applicable). I would suggest that we don't add the primary 
participant to the AudienceRestrictions, as my interpretation of the spec is 
that the primary participant here is the client.

The question is whether the other participants should be added under the same 
AudienceRestriction as the AppliesTo address? Should we ignore the AppliesTo 
address if we have explicit participants? If we have multiple participants, 
should they go into the same AudienceRestriction Object (as multiple 
audiences), or should we have multiple AudienceRestrictions per participant?

Colm.


> CXF STS does not support wst:Participants
> -----------------------------------------
>
>                 Key: CXF-5664
>                 URL: https://issues.apache.org/jira/browse/CXF-5664
>             Project: CXF
>          Issue Type: Bug
>          Components: STS
>    Affects Versions: 2.7.8, 2.7.9, 2.7.10
>            Reporter: Stephen Chappell
>              Labels: features, security
>
> The CXF STS does not recognize the wst:Participants element within a 
> wst:RequestSecurityToken, and instead throws a BadRequest SOAP fault. The 
> Participants element should be parsed and added to the list of 
> AudienceRestrictions in the issued token.
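The layout question in the comment above (one AudienceRestriction with several audiences, or one AudienceRestriction per participant) has a concrete security consequence under SAML 2.0 Core section 2.5.1.4: audiences inside a single AudienceRestriction are evaluated as an OR, but separate AudienceRestriction elements are each evaluated independently, i.e. as an AND. The following is an added example, not CXF project code: it parses AppliesTo and wst:Participants from a constructed RequestSecurityToken (the URIs are placeholders), builds the Conditions both ways with the primary participant left out as the comment suggests, and applies the SAML evaluation rule to show that the per-participant layout can never be satisfied by a single relying party when the audiences differ.

```python
"""Added example (not CXF code): map AppliesTo + wst:Participants to SAML 2.0
AudienceRestriction conditions and evaluate them with the SAML 2.0 Core rules."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample request; the addresses are placeholders, not taken from the issue.
SAMPLE_RST = """<wst:RequestSecurityToken
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"
    xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
  <wsp:AppliesTo><wsa:EndpointReference><wsa:Address>https://service.example/app</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>
  <wst:Participants>
    <wst:Primary><wsa:EndpointReference><wsa:Address>https://client.example/</wsa:Address></wsa:EndpointReference></wst:Primary>
    <wst:Participant><wsa:EndpointReference><wsa:Address>https://other1.example/</wsa:Address></wsa:EndpointReference></wst:Participant>
    <wst:Participant><wsa:EndpointReference><wsa:Address>https://other2.example/</wsa:Address></wsa:EndpointReference></wst:Participant>
  </wst:Participants>
</wst:RequestSecurityToken>"""


@dataclass
class Participants:
    """Mirrors the shape described in the comment: one primary, a list of others."""
    primary: Optional[str]
    others: List[str] = field(default_factory=list)


def _address(parent: ET.Element) -> Optional[str]:
    """Extract wsa:Address from an EndpointReference child, or None if absent."""
    addr = parent.find("wsa:EndpointReference/wsa:Address", NS)
    return addr.text.strip() if addr is not None and addr.text else None


def parse_request(xml: str) -> Tuple[Optional[str], Optional[Participants]]:
    """Return (AppliesTo address, Participants) from an RST; either may be None."""
    root = ET.fromstring(xml)
    applies_to_el = root.find("wsp:AppliesTo", NS)
    applies_to = _address(applies_to_el) if applies_to_el is not None else None
    participants = None
    p = root.find("wst:Participants", NS)
    if p is not None:
        primary_el = p.find("wst:Primary", NS)
        primary = _address(primary_el) if primary_el is not None else None
        others = [a for a in (_address(e) for e in p.findall("wst:Participant", NS)) if a]
        participants = Participants(primary, others)
    return applies_to, participants


def build_audience_restrictions(applies_to, participants, layout="single"):
    """Return a list of AudienceRestrictions, each a list of audience URIs.
    The primary participant is deliberately excluded: per the comment it is the client,
    not a relying party. layout="single" puts every audience in one AudienceRestriction;
    layout="multiple" emits one AudienceRestriction per audience."""
    audiences: List[str] = []
    if applies_to:
        audiences.append(applies_to)
    if participants:
        audiences.extend(a for a in participants.others if a not in audiences)
    if not audiences:
        return []
    if layout == "single":
        return [audiences]
    if layout == "multiple":
        return [[a] for a in audiences]
    raise ValueError(f"unknown layout {layout!r}")


def conditions_xml(restrictions) -> str:
    """Serialise the restrictions as a saml2:Conditions element."""
    ET.register_namespace("saml2", NS["saml2"])
    cond = ET.Element(f"{{{NS['saml2']}}}Conditions")
    for r in restrictions:
        ar = ET.SubElement(cond, f"{{{NS['saml2']}}}AudienceRestriction")
        for a in r:
            ET.SubElement(ar, f"{{{NS['saml2']}}}Audience").text = a
    return ET.tostring(cond, encoding="unicode")


def audience_accepted(restrictions, relying_party: str) -> bool:
    """SAML 2.0 Core 2.5.1.4: audiences within one AudienceRestriction are OR'ed;
    each AudienceRestriction element is evaluated independently (AND)."""
    return all(relying_party in r for r in restrictions)


if __name__ == "__main__":
    applies_to, parts = parse_request(SAMPLE_RST)
    for layout in ("single", "multiple"):
        rs = build_audience_restrictions(applies_to, parts, layout)
        print(layout, conditions_xml(rs))
        for rp in [applies_to] + parts.others:
            print("  ", rp, "accepted:", audience_accepted(rs, rp))
```

With the "single" layout every listed relying party is accepted; with the "multiple" layout the AND across independent AudienceRestriction elements rejects all of them, so an STS that emits one AudienceRestriction per participant would issue tokens no relying party can validate.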



--
This message was sent by Atlassian JIRA
(v6.2#6252)
