[jboss-dev-forums] [JBoss ESB Development] - Re: SAML Token Support

beve do-not-reply at jboss.com
Fri Oct 23 02:53:32 EDT 2009


Hi Anil, 

anonymous wrote : Currently the STS Action is creating a token (via the STS) but updates the current security context with the new SC. The SC that the action was invoked is lost. Kevin asserts and I agree that the new SAML token should just augment the security context that currently exists rather than switching. If you want to switch the SC, then that should be a configurable option. 
Good point, and actually this was configurable at one stage during development; removing it was a bad call on my part.

anonymous wrote : The STS action should be replaced by a pluggable SAMLTokenIssuingLoginModule such that you can just either push it in a new SecurityAction that does JAAS internally or you need to plug in the LM in the current JAAS framework wherever it is in the ESB infrastructure. Kevin mentioned that the JAAS layer already exists.
Sounds good. Can you point me to an example of using a new SecurityAction, as I'm not sure what you mean here?

anonymous wrote : So the STS action is not a replacement here.
Do you mean that we should remove the STS action, or that it could still be there as an alternative option but be updated to use the SAMLTokenIssuingLoginModule? I think you mean the latter, but I just want to make sure I understand :)
Kev, what is your view on this?

anonymous wrote : On the SAML token validation end, the current LM is fine. 
The JBossSTSLoginModule that we have currently has some code specific to the ESB but this could be refactored out. Kev asked me if this could not be donated to the security project if you want it.
anonymous wrote : Now the SAMLTokenIssuingLM will contact the STS for a new token. Then update the JAAS subject with this new token. You can choose either to make it a principal or a credential.
We currently have the token stored as a credential (SamlCredential). This was a principal to begin with but was later changed, as I thought it would be more appropriate as a credential, though I was not really 100% sure which it should be. So I'm glad to hear either would be OK.

I appreciate the time you've both spent discussing this as I know you both are very busy at the moment. 

Thanks,

/Daniel 


View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=4261814#4261814

Reply to the post : http://www.jboss.org/index.html?module=bb&op=posting&mode=reply&p=4261814
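The two design points in the thread, a JAAS login module that fetches a SAML token from the STS and adds it to the Subject as a credential, and "augment by default, switch only when configured", can be sketched as a plain JAAS LoginModule. The code below is an added example for this post; it is not JBoss ESB code and not the JBossSTSLoginModule or SamlCredential discussed above. The `TokenIssuer` interface (standing in for the WS-Trust call to the STS), the `SamlTokenCredential` class, the `SimplePrincipal` class and the option keys `tokenIssuer` and `replaceExisting` are all assumptions made for the example.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical credential type standing in for the ESB's SamlCredential (its API is not shown in the thread). */
final class SamlTokenCredential {
    private final String assertionXml;
    SamlTokenCredential(String assertionXml) { this.assertionXml = assertionXml; }
    String getAssertionXml() { return assertionXml; }
    @Override public String toString() { return "SamlTokenCredential[" + assertionXml + "]"; }
}

/** Hypothetical abstraction of the STS call; a real module would send a WS-Trust RequestSecurityToken here. */
interface TokenIssuer {
    String issueToken(String subjectName) throws LoginException;
}

/** Minimal principal for the demo; the thread does not say which Principal class the ESB uses. */
final class SimplePrincipal implements Principal {
    private final String name;
    SimplePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
    @Override public String toString() { return name; }
}

public class SamlTokenIssuingLoginModule implements LoginModule {
    private Subject subject;
    private TokenIssuer issuer;
    private boolean replaceExisting;   // assumed option name; false = augment (default), true = switch
    private SamlTokenCredential issued;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.issuer = (TokenIssuer) options.get("tokenIssuer");   // assumed option key
        this.replaceExisting = Boolean.parseBoolean(String.valueOf(options.get("replaceExisting")));
    }

    /** Nothing to verify here: this module is stacked after the one that authenticated the caller. */
    public boolean login() { return issuer != null; }

    /** Phase two: earlier modules have already committed their principals, so the Subject now
     *  carries the existing security context and the STS can be asked for a token on its behalf. */
    public boolean commit() throws LoginException {
        if (subject.isReadOnly() || subject.getPrincipals().isEmpty()) {
            throw new LoginException("no authenticated principal to issue a SAML token for");
        }
        String name = subject.getPrincipals().iterator().next().getName();
        issued = new SamlTokenCredential(issuer.issueToken(name));
        Set<Object> creds = subject.getPrivateCredentials();
        if (replaceExisting) {
            creds.removeIf(c -> c instanceof SamlTokenCredential);   // opt-in "switch" behaviour
        }
        creds.add(issued);   // default: augment; principals and other credentials are left untouched
        return true;
    }

    public boolean abort() { issued = null; return true; }

    public boolean logout() {
        if (issued != null) subject.getPrivateCredentials().remove(issued);
        issued = null;
        return true;
    }

    public static void main(String[] args) throws LoginException {
        // Constructed stand-in for the STS: returns a fake assertion for the given subject name.
        TokenIssuer stub = name -> "<saml:Assertion Subject=\"" + name + "\"/>";
        Subject s = new Subject();
        s.getPrincipals().add(new SimplePrincipal("alice"));
        s.getPrivateCredentials().add(new SamlTokenCredential("<saml:Assertion Subject=\"alice\" Issuer=\"old\"/>"));

        Map<String, Object> opts = new HashMap<>();
        opts.put("tokenIssuer", stub);
        SamlTokenIssuingLoginModule augment = new SamlTokenIssuingLoginModule();
        augment.initialize(s, null, new HashMap<>(), opts);
        if (augment.login()) augment.commit();
        System.out.println("augment: " + s.getPrivateCredentials());   // old and new token both present

        opts.put("replaceExisting", "true");
        SamlTokenIssuingLoginModule replace = new SamlTokenIssuingLoginModule();
        replace.initialize(s, null, new HashMap<>(), opts);
        if (replace.login()) replace.commit();
        System.out.println("replace: " + s.getPrivateCredentials());   // only the newly issued token remains
    }
}
```

The STS call sits in commit() rather than login() because JAAS runs every module's login() before any commit(): only in phase two has the authenticating module actually put its principals on the Subject, which is the "current security context" the thread wants preserved. Storing the token in getPrivateCredentials() matches the SamlCredential choice above; if a principal were preferred instead, the same add/removeIf logic applies to getPrincipals().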


