
ActAs Delegate not propagating original client user

smitty22s
Offline
Joined: 2009-07-08
Points: 0

Hello,

I'm trying to get the ActAs delegate working. What's happening is that the user at the last WS endpoint is coming out as the user by which we obtained the delegate token, rather than the user the client originally specified. Let me explain.

               STS
              /   |
    Client --> WS --> WS1

Like the delegate example, assume the client user is 'alice' and that WS is configured to login as 'bob' to the STS. What I expect is that WS will ask for a new token as 'bob' to represent the original user 'alice'. And that when it gets to WS1, the principal subject will be 'alice'.

However, the Principal subject at WS1 is coming out as 'bob'. Any ideas why that might be?

In the STSAttributeProvider, when getting the 2nd token for WS1, I never hit this case because the Claims parameter has zero claims:

    if ("true".equals(claims.getOtherAttributes().get(new QName("ActAs")))) // <<< always returns false

Thanks!
Silas

jdg6688
Offline
Joined: 2005-11-02
Points: 0

1. Make sure that in the STSConfiguration in the STS WSDL, you have:
com.sun.xml.ws.security.trust.impl.WSTrustContractImpl

not IssueSamlTokenContractImpl.

In the delegate SAML assertion, the Subject contains the identity for 'bob', but there is an "ActAs" attribute in the AttributeStatement for 'alice'.

Thanks!

Jiandong

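To make the token shape Jiandong describes concrete, here is an added example that is not code from this thread or from Metro/WSIT: a small Python parser over a constructed SAML 2.0 delegate assertion. It shows that the effective principal at WS1 is 'alice' only when the STS recorded the delegation as an "ActAs" attribute; with the Subject alone, the relying party can only see 'bob'. The XML samples are constructed; the element names follow the SAML 2.0 assertion schema and the attribute name "ActAs" is the one from the thread.

```python
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}

# Constructed sample: delegate token as described in the thread. The Subject is
# 'bob' (the WS identity that requested it) and the AttributeStatement carries an
# 'ActAs' attribute naming the original client 'alice'.
DELEGATE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_delegate-1" Version="2.0">
  <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="ActAs">
      <saml:AttributeValue>alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the same request answered without any ActAs attribute,
# so nothing in the token links it back to the original client.
PLAIN_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML2}" ID="_plain-1" Version="2.0">
  <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="role"><saml:AttributeValue>service</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def resolve_principals(assertion_xml):
    """Return the token Subject, the ActAs identity (if any) and the principal a
    relying party should act on: the delegated user when ActAs is present,
    otherwise the Subject itself."""
    root = ET.fromstring(assertion_xml)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    # findtext returns None when the ActAs attribute is absent from the statement.
    act_as = root.findtext(
        "saml:AttributeStatement/saml:Attribute[@Name='ActAs']/saml:AttributeValue",
        namespaces=NS,
    )
    effective = act_as.strip() if act_as else subject
    return {"subject": subject, "act_as": act_as, "effective": effective}


if __name__ == "__main__":
    print(resolve_principals(DELEGATE_ASSERTION))  # effective principal: alice
    print(resolve_principals(PLAIN_ASSERTION))     # effective principal: bob
```

The second case is the symptom from the first post: a valid token for 'bob' that WS1 accepts, but with no attribute from which to recover 'alice'.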
smitty22s
Offline
Joined: 2009-07-08
Points: 0

Sweet, that was it.

The WSTrustContractImpl vs. IssueSamlTokenContractImpl should probably be called out in the notes on the delegate example somewhere -- I don't recall seeing it mentioned anywhere.

Anyway, thanks!

-Silas

smitty22s
Offline
Joined: 2009-07-08
Points: 0

It seems that the WebServiceFeature containing the ActAs token is being ignored when requesting the WS1 port. Regardless of whether I use the WebServiceFeature[] parameter version or the parameterless version, I get the same behavior.