Mar 11th, 2013, 10:47 AM
Authorization with WS-Trust and SAML
This is a great addition to Spring Security. The sample app helped a great deal in implementing SAML-based security in a WS-Federation scenario with ADFS2. However, I am having trouble using the extension in a situation where I need to secure a stateless web service with WS-Policy-specified security that trusts a particular STS (STS certificate imported into the local keystore). Is the Spring Security SAML extension suitable for that purpose?
Has anyone attempted something similar?
Mar 13th, 2013, 04:57 AM
Thank you for the feedback.
What web-service stack are you using (Metro, CXF, Axis2)? The extension doesn't have any direct support for these use-cases, but we're looking into adding it. Any input on what exactly would be helpful in your case might help us to define the right requirements.
The WS implementations contain support for WS-Security, WS-SecurityPolicy and WS-Trust and typically have plug-in modules for validation of the used tokens. Is such a validator + configuration support for e.g. trust what you're looking for?
Mar 14th, 2013, 08:14 AM
I am using Metro. The best case scenario would be if the Spring Security SAML extension could either enforce WS-Policy in the WSDL, or something like XwsSecurityInterceptor in Spring-WS security where it refers to an external policy file.
I am aware of Metro's WS-Trust support, and have used CXF's WS security implementation, but am having trouble interacting with the Spring Security context. I will explore using some sort of a preauth filter and try to use Spring Security for authorization and not authentication.
If you have some ideas, please don't hold back.
Last edited by agent075; Mar 14th, 2013 at 08:47 AM.