  1. CXF
  2. CXF-3928

Add token validation for OnBehalfOf element in TokenIssueOperation

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.5
    • Fix Version/s: 2.5.1
    • Component/s: Services
    • Labels:
      None
    • Estimated Complexity:
      Unknown

      Description

      Tokens passed in the OnBehalfOf element are not validated. It's the responsibility of the TokenProvider implementation to validate that.

      A proposal has been discussed here:
      http://cxf.547215.n5.nabble.com/STS-OnBehalfOf-token-validation-SAMLTokenProvider-td5003544.html

      OnBehalfOf token validation is moved to the TokenIssueOperation and the ReceivedToken is enhanced with the following attributes:

      • whether it was a token from the WS-Security header (like ReceivedToken), OnBehalfOf, or ActAs
      • successfully validated (it could be a token which depends on other constraints to be fully accepted)
      • original DOM element
      • transformed DOM element (used if the token is passed by ref, also supported by SAML spec)
      • principal (mostly, you only need the principal to issue a new token)

        Attachments

        1. git.diff.patch
          55 kB
          Oliver Wulff
        2. git.diff.patch
          24 kB
          Oliver Wulff

              People

              • Assignee:
                coheigea Colm O hEigeartaigh
                Reporter:
                owulff Oliver Wulff