[ https://issues.apache.org/jira/browse/CXF-4062?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13223133#comment-13223133 ]
Oliver Wulff commented on
I guess I understand. The user can work with your application in different roles (administrator, user) but only with one role at a time. When the SAML token is requested, the user must have decided on a role in whose context he wants to work with the application. Your ClaimsHandler must verify that the user has really been assigned this role. Is this correct?
Yes, this is correct!!
I have finally been understood.
You agree that there is no new claims dialect required because "http://schemas.xmlsoap.org/ws/2005/05/identity" can cover your requirements:
This was my point from the very beginning!
I do not need a new dialect; it is just that CXF is currently not able to fully support this identity dialect. That's where the idea for my patch came from...
<xs:element name="ClaimValue" type="tns:ClaimValueType"/>
<xs:complexType name="ClaimValueType">
    <xs:element name="Value" type="tns:StringMaxLength684"/>
The ClaimValueType is a sub-type of BaseClaimType.
What do you think about introducing a subclass of RequestClaimValue, or adding set/getClaimValue to the RequestClaim class? This would work for 2.5.x too.
This is what I did in my provided patch, to ensure backwards compatibility. But I think this behavior is still not a good design, since WS-Trust would allow one to use any kind of dialect, even those not providing a ClaimType URI.
So my suggestion would be to introduce a new Claim Interface to be more flexible for any kind of claims.
Could you also add a testcase for this new feature?
Yes, I will try to get this done within the next couple of days.
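The flow agreed on above (the client selects one role in the request, and the ClaimsHandler only issues that role after confirming the user actually holds it) as an added example; this is not code from the CXF project or from the patch under discussion. The RequestClaim and Claim classes below are minimal stand-ins carrying the get/setClaimValue accessor proposed in the comment, the role claim URI under the 2005/05 identity dialect is an assumption, and the role store is a constructed in-memory map:

```java
import java.net.URI;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class RoleSelectionClaimsHandler {

    // Assumed role claim URI under the dialect referenced in the comment.
    public static final URI ROLE_CLAIM =
        URI.create("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role");

    // Stand-in for a requested claim with the proposed claimValue accessor (not CXF's class).
    public static final class RequestClaim {
        private final URI claimType;
        private final String claimValue; // null when the client did not select a value

        public RequestClaim(URI claimType, String claimValue) {
            this.claimType = claimType;
            this.claimValue = claimValue;
        }
        public URI getClaimType() { return claimType; }
        public String getClaimValue() { return claimValue; }
    }

    // Stand-in for an issued claim (not CXF's class).
    public static final class Claim {
        public final URI claimType;
        public final String value;
        public Claim(URI claimType, String value) { this.claimType = claimType; this.value = value; }
    }

    // Assumption: role assignments come from the user store; here a constructed map.
    private final Map<String, Set<String>> assignedRoles;

    public RoleSelectionClaimsHandler(Map<String, Set<String>> assignedRoles) {
        this.assignedRoles = assignedRoles;
    }

    public List<URI> getSupportedClaimTypes() {
        return Collections.singletonList(ROLE_CLAIM);
    }

    // The requested value is client input: it is checked against the server-side
    // role assignment and never echoed into the token unverified.
    public List<Claim> retrieveClaimValues(List<RequestClaim> requested, Principal principal) {
        Set<String> roles = assignedRoles.get(principal.getName());
        if (roles == null) roles = Collections.emptySet();
        List<Claim> issued = new ArrayList<Claim>();
        for (RequestClaim rc : requested) {
            if (!ROLE_CLAIM.equals(rc.getClaimType())) continue;
            String selected = rc.getClaimValue();
            if (selected == null) {
                // No role selected: fall back to issuing every role the user holds (assumed default).
                for (String r : roles) issued.add(new Claim(ROLE_CLAIM, r));
            } else if (roles.contains(selected)) {
                issued.add(new Claim(ROLE_CLAIM, selected));
            } else {
                // The client asked for a role it does not hold: refuse the request.
                throw new SecurityException("principal " + principal.getName()
                    + " is not assigned role " + selected);
            }
        }
        return issued;
    }

    public static void main(String[] args) {
        Map<String, Set<String>> store = new HashMap<String, Set<String>>();
        store.put("alice", new HashSet<String>(java.util.Arrays.asList("user", "administrator")));
        store.put("bob", new HashSet<String>(Collections.singleton("user")));
        RoleSelectionClaimsHandler handler = new RoleSelectionClaimsHandler(store);

        Principal bob = new Principal() { public String getName() { return "bob"; } };
        List<RequestClaim> req = Collections.singletonList(new RequestClaim(ROLE_CLAIM, "user"));
        System.out.println("bob as user: " + handler.retrieveClaimValues(req, bob).get(0).value);

        try {
            handler.retrieveClaimValues(
                Collections.singletonList(new RequestClaim(ROLE_CLAIM, "administrator")), bob);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Wiring this into CXF's actual ClaimsHandler interface means mapping its RequestClaimCollection and ClaimsParameters (which carries the authenticated Principal) onto the two arguments used here; the verification step itself stays the same.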