
From "Christian Schneider (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF Documentation > Standardized Authentication / Authorization
Date Tue, 08 Jul 2014 08:38:00 GMT
<html>
    <head>
        <meta name="viewport" content="width=device-width" />
        <base href="https://cwiki.apache.org/confluence" />
        <style type="text/css">
    body, #email-content, #email-content-inner { font-family: Arial,FreeSans,Helvetica,sans-serif;
}
    body, p, blockquote, pre, code, td, th, li, dt, dd { font-size: 13px; }
    small { font-size: 11px; }

    body { width:100% !important; -webkit-font-smoothing: antialiased; }

    body,
    #email-wrapper { background-color: #f0f0f0; }
    #email-wrapper-inner { padding: 20px; text-align: center; }
    #email-content-inner { background-color: #fff; border: 1px solid #bbb; color: $menuTxtColour;
padding:20px; text-align:left; }
    #email-wrapper-inner > table { width: 100%; }
    #email-wrapper-inner.thin > table { margin: 0 auto; width: 50%; }
    #email-footer { padding: 0 16px 32px 16px; margin: 0; }

    .email-indent { margin: 8px 0 16px 0; }
    .email-comment { margin: 0 0 0 56px; }
    .email-comment.removed { background-color: #ffe7e7; border: 1px solid #df9898; padding:
0 8px;}

    #email-title-avatar { text-align: left; vertical-align: top; width: 48px; padding-right:
8px; }
    #email-title-flavor { margin: 0; padding: 0 0 4px 0; }
    #email-title-heading { font-size: 16px; line-height: 20px; min-height: 20px; margin: 0;
padding: 0; }
    #email-title .icon { border: 0; padding: 0 5px 0 0; text-align: left; vertical-align:
middle; }

    #email-actions { border-top: 1px solid #bbb; color: #505050; margin: 8px 0 0 0; padding:
0; }
    #email-actions td { padding-top: 8px; }
    #email-actions .left { max-width: 45%; text-align: left; }
    #email-actions .right { text-align: right; }
    .email-reply-divider { border-top: 1px solid #bbb; color: #505050; margin: 32px 0 8px
0; padding: 8px 0; }
    .email-section-title { border-bottom: 1px solid #bbb; margin: 8px 0; padding: 8px 0 0
0; }

    .email-metadata { color: #505050; }

    a { color: #326ca6; text-decoration: none; }
    a:hover { color: #336ca6; text-decoration: underline; }
    a:active {color: #326ca6; }

    a.email-footer-link { color: #505050; font-size: 11px; }

    .email-item-list { list-style: none; margin: 4px 0; padding-left: 0; }
    .email-item-list li { list-style: none; margin: 0; padding: 4px 0; }
    .email-list-divider { color: #505050; padding: 0 0.35em; }
    .email-operation-icon { padding-right: 5px; }

    .avatar { -ms-interpolation-mode: bicubic; border-radius: 3px;}
    .avatar-link { margin: 2px; }

    .tableview th { border-bottom: 1px solid #69C; font-weight: bold; text-align: left; }
    .tableview td { border-bottom: 1px solid #bbbbbb; text-align: left; padding: 4px 16px
4px 0; }

    .aui-message {  margin: 1em 0; padding: 8px; }
    .aui-message.info { background-color: #e0f0ff; border: 1px solid #9eb6d4; }
    .aui-message.success { background-color: #ddfade; border: 1px solid #93c49f; }
    .aui-message.error,
    .aui-message.removed { background-color: #ffe7e7; border: 1px solid #df9898; color: #000;
}

    .call-to-action-table { margin: 10px 1px 1px 1px;}
    .call-to-cancel-container, .call-to-action-container { padding: 5px 20px; }
    .call-to-cancel-container { border: 1px solid #aaa; background-color: #eee; border-radius:
3px; }
    .call-to-cancel-container a.call-to-cancel-button { background-color: #eee; font-size:
14px; line-height: 1; padding: 0; margin: 0; color: #666; font-family: sans-serif;}
    .call-to-action-container { border: 1px solid #486582;  background-color: #3068A2; border-radius:
3px; padding: 4px 10px; }
    .call-to-action-container a.call-to-action-button { background-color: #3068A2; font-size:
14px; line-height: 1; padding: 0; margin: 0; color: #fff; font-weight: bold; font-family:
sans-serif; }

    /** The span around the inline task checkbox image */
    .diff-inline-task-overlay {
        display: inline-block;
        text-align: center;
        height: 1.5em;
        padding: 5px 0px 1px 5px;
        margin-right: 5px;
        /** Unfortunately, the negative margin-left is stripped out in gmail */
        margin-left: -5px;
    }

            @media handheld, only screen and (max-device-width: 480px) {
        div, a, p, td, th, li, dt, dd { -webkit-text-size-adjust: auto; }
        small, small a { -webkit-text-size-adjust: 90%; }

        td[id=email-wrapper-inner] { padding: 2px !important; }
        td[id=email-content-inner] { padding: 8px !important; }
        td[id="email-wrapper-inner"][class="thin"] > table { text-align: left !important;
width: 100% !important; }
        td[id=email-footer] { padding: 8px 12px !important; }
        div[class=email-indent] { margin: 8px 0px !important; }
        div[class=email-comment] { margin: 0 !important; }

        p[id=email-title-flavor] a { display: block; } /* puts the username and the action
on separate lines */
        p[id=email-permalink] { padding: 4px 0 0 0 !important; }

        table[id=email-actions] td { padding-top: 0 !important; }
        table[id=email-actions] td.right { text-align: right !important; }
        table[id=email-actions] .email-list-item { display: block; margin: 1em 0 !important;
word-wrap: normal !important; }
        span[class=email-list-divider] { display: none; }
    }



        </style>
    </head>
    <body style="font-family: Arial, FreeSans, Helvetica, sans-serif; font-size: 13px;
width: 100%; -webkit-font-smoothing: antialiased; background-color: #f0f0f0">
        <table id="email-wrapper" width="100%" cellspacing="0" cellpadding="0" border="0"
style="background-color: #f0f0f0">
            <tbody>
                <tr valign="middle">
                    <td id="email-wrapper-inner" style="font-size: 13px; padding: 20px;
text-align: center">
                        <table id="email-content" cellspacing="0" cellpadding="0" border="0"
style="font-family: Arial, FreeSans, Helvetica, sans-serif; width: 100%">
                            <tbody>
                                <tr valign="top">
                                    <td id="email-content-inner" align="left" style="font-family:
Arial, FreeSans, Helvetica, sans-serif; font-size: 13px; background-color: #fff; border: 1px
solid #bbb; padding: 20px; text-align: left">
                                        <table id="email-title" cellpadding="0" cellspacing="0"
border="0" width="100%">
                                            <tbody>
                                                <tr>
                                                    <td id="email-title-avatar" rowspan="2"
style="font-size: 13px; text-align: left; vertical-align: top; width: 48px; padding-right:
8px"> <img class="avatar" src="cid:avatar_20a517c9414511790f2eeb3ec277a81b" border="0"
height="48" width="48" style="-ms-interpolation-mode: bicubic; border-radius: 3px" /> </td>
                                                    <td valign="top" style="font-size:
13px">
                                                        <div id="email-title-flavor" class="email-metadata"
style="margin: 0; padding: 0 0 4px 0; color: #505050">
                                                            <a href="https://cwiki.apache.org/confluence/display/~christian+schneider" style="color: #326ca6; text-decoration: none">Christian
Schneider</a> hat eine Seite erstellt:
                                                        </div> </td>
                                                </tr>
                                                <tr>
                                                    <td valign="top" style="font-size:
13px"> <h2 id="email-title-heading" style="font-size: 16px; line-height: 20px; min-height:
20px; margin: 0; padding: 0"> <a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988"
style="color: #326ca6; text-decoration: none"> <img class="icon" src="cid:page-icon"
alt="" style="border: 0; padding: 0 5px 0 0; text-align: left; vertical-align: middle" />
<strong style="font-size:16px;line-height:20px;vertical-align:top;">Standardized Authentication
/ Authorization</strong> </a> </h2> </td>
                                                </tr>
                                            </tbody>
                                        </table>
                                        <div class="email-indent" style="margin: 8px 0
16px 0">
                                            <div class="email-page">
                                                <div class="aui-message hint shadowed information-macro"
style="margin: 1em 0; padding: 8px">
                                                    <span class="aui-icon icon-hint">Icon</span>
                                                    <div class="message-content">
                                                         Ideas / Proposal
                                                    </div>
                                                </div>
                                                <p style="font-size: 13px">&nbsp;</p>
                                                <p style="font-size: 13px">CXF already
supports a wide range of authentication and authorization approaches. Unfortunately they are
all configured differently and do not integrate well with each other.</p>
                                                <p style="font-size: 13px">So the idea
is to create one standardized authentication / authorization flow in CXF into which the modules
can then fit. There are a lot of security frameworks out there that could be used as a
basis for this. The problem is though that each framework (like Shiro or Spring
Security) uses its own mechanisms which are not standardized. So by choosing one framework
we would force our users to depend on that framework.</p>
                                                <p style="font-size: 13px">The best
standardized security framework in Java is JAAS. It is already included in Java and most security
frameworks can be hooked into it. So let's investigate what we could do with JAAS.</p>
                                                <h2 id="StandardizedAuthentication/Authorization-AuthenticationusingJAAS">Authentication
using JAAS</h2>
                                                <p style="font-size: 13px">JAAS authentication
is done by creating a LoginContext and calling login() on it. The things to configure are the name
of the login configuration entry and the CallbackHandler. So CXF needs a mechanism for the user to set
the config name and needs to provide CallbackHandlers that supply the credentials.</p>
                                                <h2 id="StandardizedAuthentication/Authorization-CallbackHandlers">CallbackHandlers</h2>
                                                <p style="font-size: 13px">CXF needs
to supply different data to identify the users depending on the chosen authentication variant.</p>
                                                <p style="font-size: 13px">Basic Auth:
username and password from the HTTP Authorization header (transmitted in cleartext, so only acceptable over TLS)</p>
                                                <p style="font-size: 13px">WS-Security
UsernameToken: username and password from the SOAP security header</p>
                                                <p style="font-size: 13px">Spnego: Kerberos
token from HTTP header</p>
                                                <p style="font-size: 13px">HTTPS client
cert: certificate information from the TLS handshake (the TLS layer must already have validated the chain before the certificate subject is used as the identity)</p>
                                                <p style="font-size: 13px">We could
simply detect which of these credentials a request carries and configure the CallbackHandlers for that variant. Note that pure auto-detection lets the client pick the authentication mechanism, so the set of mechanisms accepted for an endpoint should still be an explicit deployer choice (e.g. do not accept Basic Auth where only client certificates are intended).</p>
                                                <h2 id="StandardizedAuthentication/Authorization-JAASconfiguration">JAAS
configuration</h2>
                                                <p style="font-size: 13px">The JAAS
configuration is supplied differently depending on the runtime CXF runs in.</p>
                                                <p style="font-size: 13px">Standalone:
For standalone usage the JAAS config can simply come from a file.</p>
                                                <p style="font-size: 13px">Servlet Container:
Not sure. Is there a standard approach for this?</p>
                                                <p style="font-size: 13px">Apache Karaf:
Karaf already provides a JAAS integration so we just have to configure the JAAS config name
and supply a suitable config in karaf</p>
                                                <h2 id="StandardizedAuthentication/Authorization-SupplyingRoleandUserinformation">Supplying
Role and User information</h2>
                                                <p style="font-size: 13px">JAAS stores
identity information in the JAAS subject. The method getPrincipals returns Principal objects
which can be users, roles or even other identity information. To differentiate between roles
and users there are two common approaches.</p>
                                                <ol>
                                                    <li style="font-size: 13px">different
classes, like a UserPrincipal or a RolePrincipal. Unfortunately there are no standard interfaces for these</li>
                                                    <li style="font-size: 13px">prefixes,
so that for example role names start with <code>role-</code>. Again there is no standard</li>
                                                </ol>
                                                <h2 id="StandardizedAuthentication/Authorization-Authorization">Authorization</h2>
                                                <p style="font-size: 13px">Authorization
has very diverse requirements. So we need to make sure we integrate well with different approaches.</p>
                                                <p style="font-size: 13px">Generally
the idea is to base the authorization on the JAAS login data. After a JAAS login the JAAS
subject can be retrieved in a standard way (provided the code runs inside Subject.doAs; otherwise Subject.getSubject returns null, see Problems below):</p>
                                                <div class="code panel pdl" style="border-width:
1px;">
                                                    <div class="codeContent panelContent
pdl">
                                                        <pre class="theme: Default; brush:
java; gutter: false" style="font-size:12px;; font-size: 13px">AccessControlContext acc
= AccessController.getContext();
Subject subject = Subject.getSubject(acc);</pre>
                                                    </div>
                                                </div>
                                                <p style="font-size: 13px">So the idea
is that we provide certain default authorization variants that rely on the above to retrieve
authentication information in a standardized way. So authorization is nicely decoupled from
authentication and fully standards based.</p>
                                                <p style="font-size: 13px">This then
also provides a nice interface for users or other frameworks to access authentication information
and provide custom authorization variants.</p>
                                                <h2 id="StandardizedAuthentication/Authorization-DefaultAuthorizationVariants">Default
Authorization Variants</h2>
                                                <h3 id="StandardizedAuthentication/Authorization-JEEannotations">JEE
annotations</h3>
                                                <p style="font-size: 13px">Java EE provides
some standard annotations like @RolesAllowed, @PermitAll and @DenyAll. We can provide an interceptor that reads the
annotations of service impls and provides authorization like in a JEE container. The behaviour for methods without any annotation has to be defined explicitly; defaulting to deny is the safer choice.</p>
                                                <h3 id="StandardizedAuthentication/Authorization-XACMLPEP">XACML
PEP</h3>
                                                <p style="font-size: 13px">An XACML
policy enforcement point can retrieve the JAAS login data and do authorization against an
XACML Policy Decision Point (PDP).</p>
                                                <h3 id="StandardizedAuthentication/Authorization-KarafrolebasedOSGiserviceAuthorization">Karaf
role based OSGi service Authorization</h3>
                                                <p style="font-size: 13px">Karaf 3 already
supports authorization on the OSGi service level and uses JAAS for authentication. So if we
do a JAAS login in CXF and the service impl code calls an OSGi service, then the Karaf role
based security should already work out of the box.</p>
                                                <h2 id="StandardizedAuthentication/Authorization-Karafintegration">Karaf
integration</h2>
                                                <p style="font-size: 13px">Ideally we
should integrate the new authentication / authorization model in a way that enable the user
to switch on authentication for the karaf server without specific configurations in the user
bundles that implement the services.</p>
                                                <p style="font-size: 13px">So we could
have a config setting for the CXF OSGi servlet to enable JAAS authentication and set a JAAS
config. This would then enable authentication for all services using the named JAAS config
from Karaf. We could then also switch on the annotation based authorization. So users could
leverage this for their service by just supplying the annotations and doing no other configuration
on the service level.</p>
                                                <p style="font-size: 13px">A further
approach would be to let the user configure named features on the CXF servlet level (which
are then retrieved as OSGi services). So the user can even attach their own extensions on the
server level, like for example integrating a custom XACML PEP.</p>
                                                <h2 id="StandardizedAuthentication/Authorization-Problems">Problems</h2>
                                                <p style="font-size: 13px">Doing a full
JAAS login requires Subject.doAs to be used to populate the AccessControlContext. This is not possible
in a CXF interceptor as the interceptor only works on a message but can not call the next
interceptor from inside doAs. So the question is where to do the JAAS login and the doAs?</p>
                                                <p style="font-size: 13px">&nbsp;</p>
                                            </div>
                                        </div>
                                        <table id="email-actions" class="email-metadata"
cellspacing="0" cellpadding="0" border="0" width="100%" style="border-top: 1px solid #bbb;
color: #505050; margin: 8px 0 0 0; padding: 0; color: #505050">
                                            <tbody>
                                                <tr>
                                                    <td class="left" valign="top" style="font-size:
13px; padding-top: 8px; max-width: 45%; text-align: left"> <span class="email-list-item"><a
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988" style="color:
#326ca6; text-decoration: none">Online anzeigen</a> </span> <span class="email-list-divider"
style="color: #505050; padding: 0 0.350em">&middot;</span> <span class="email-list-item"><a
href="https://cwiki.apache.org/confluence/plugins/likes/like.action?contentId=42568988" style="color:
#326ca6; text-decoration: none">Gef&auml;llt mir</a> </span> </td>
                                                    <td class="right" width="50%" valign="top"
style="font-size: 13px; padding-top: 8px; text-align: right"> <span class="email-list-item"><a
href="https://cwiki.apache.org/confluence/users/removespacenotification.action?spaceKey=CXF20DOC"
style="color: #326ca6; text-decoration: none">&Uuml;berwachung des Bereichs beenden</a>
</span> <span class="email-list-divider" style="color: #505050; padding: 0 0.350em">&middot;</span>
<span class="email-list-item"><a href="https://cwiki.apache.org/confluence/users/editmyemailsettings.action"
style="color: #326ca6; text-decoration: none">Benachrichtigungen verwalten</a> </span>
</td>
                                                </tr>
                                            </tbody>
                                        </table> </td>
                                </tr>
                            </tbody>
                        </table> </td>
                </tr>
            </tbody>
        </table>
    </body>
</html>