From "Christian Schneider (Confluence)" <conflue...@apache.org>
Subject [CONF] Apache CXF Documentation > Standardized Authentication / Authorization
Date Thu, 10 Jul 2014 08:27:00 GMT
<html>
    <head>
        <meta name="viewport" content="width=device-width" />
        <base href="https://cwiki.apache.org/confluence" />
        <style type="text/css">
    body, #email-content, #email-content-inner { font-family: Arial,FreeSans,Helvetica,sans-serif;
}
    body, p, blockquote, pre, code, td, th, li, dt, dd { font-size: 13px; }
    small { font-size: 11px; }

    body { width:100% !important; -webkit-font-smoothing: antialiased; }

    body,
    #email-wrapper { background-color: #f0f0f0; }
    #email-wrapper-inner { padding: 20px; text-align: center; }
    #email-content-inner { background-color: #fff; border: 1px solid #bbb; color: $menuTxtColour;
padding:20px; text-align:left; }
    #email-wrapper-inner > table { width: 100%; }
    #email-wrapper-inner.thin > table { margin: 0 auto; width: 50%; }
    #email-footer { padding: 0 16px 32px 16px; margin: 0; }

    .email-indent { margin: 8px 0 16px 0; }
    .email-comment { margin: 0 0 0 56px; }
    .email-comment.removed { background-color: #ffe7e7; border: 1px solid #df9898; padding:
0 8px;}

    #email-title-avatar { text-align: left; vertical-align: top; width: 48px; padding-right:
8px; }
    #email-title-flavor { margin: 0; padding: 0 0 4px 0; }
    #email-title-heading { font-size: 16px; line-height: 20px; min-height: 20px; margin: 0;
padding: 0; }
    #email-title .icon { border: 0; padding: 0 5px 0 0; text-align: left; vertical-align:
middle; }

    #email-actions { border-top: 1px solid #bbb; color: #505050; margin: 8px 0 0 0; padding:
0; }
    #email-actions td { padding-top: 8px; }
    #email-actions .left { max-width: 45%; text-align: left; }
    #email-actions .right { text-align: right; }
    .email-reply-divider { border-top: 1px solid #bbb; color: #505050; margin: 32px 0 8px
0; padding: 8px 0; }
    .email-section-title { border-bottom: 1px solid #bbb; margin: 8px 0; padding: 8px 0 0
0; }

    .email-metadata { color: #505050; }

    a { color: #326ca6; text-decoration: none; }
    a:hover { color: #336ca6; text-decoration: underline; }
    a:active {color: #326ca6; }

    a.email-footer-link { color: #505050; font-size: 11px; }

    .email-item-list { list-style: none; margin: 4px 0; padding-left: 0; }
    .email-item-list li { list-style: none; margin: 0; padding: 4px 0; }
    .email-list-divider { color: #505050; padding: 0 0.35em; }
    .email-operation-icon { padding-right: 5px; }

    .avatar { -ms-interpolation-mode: bicubic; border-radius: 3px;}
    .avatar-link { margin: 2px; }

    .tableview th { border-bottom: 1px solid #69C; font-weight: bold; text-align: left; }
    .tableview td { border-bottom: 1px solid #bbbbbb; text-align: left; padding: 4px 16px
4px 0; }

    .aui-message {  margin: 1em 0; padding: 8px; }
    .aui-message.info { background-color: #e0f0ff; border: 1px solid #9eb6d4; }
    .aui-message.success { background-color: #ddfade; border: 1px solid #93c49f; }
    .aui-message.error,
    .aui-message.removed { background-color: #ffe7e7; border: 1px solid #df9898; color: #000;
}

    .call-to-action-table { margin: 10px 1px 1px 1px;}
    .call-to-cancel-container, .call-to-action-container { padding: 5px 20px; }
    .call-to-cancel-container { border: 1px solid #aaa; background-color: #eee; border-radius:
3px; }
    .call-to-cancel-container a.call-to-cancel-button { background-color: #eee; font-size:
14px; line-height: 1; padding: 0; margin: 0; color: #666; font-family: sans-serif;}
    .call-to-action-container { border: 1px solid #486582;  background-color: #3068A2; border-radius:
3px; padding: 4px 10px; }
    .call-to-action-container a.call-to-action-button { background-color: #3068A2; font-size:
14px; line-height: 1; padding: 0; margin: 0; color: #fff; font-weight: bold; font-family:
sans-serif; }

    /** The span around the inline task checkbox image */
    .diff-inline-task-overlay {
        display: inline-block;
        text-align: center;
        height: 1.5em;
        padding: 5px 0px 1px 5px;
        margin-right: 5px;
        /** Unfortunately, the negative margin-left is stripped out in gmail */
        margin-left: -5px;
    }

            @media handheld, only screen and (max-device-width: 480px) {
        div, a, p, td, th, li, dt, dd { -webkit-text-size-adjust: auto; }
        small, small a { -webkit-text-size-adjust: 90%; }

        td[id=email-wrapper-inner] { padding: 2px !important; }
        td[id=email-content-inner] { padding: 8px !important; }
        td[id="email-wrapper-inner"][class="thin"] > table { text-align: left !important;
width: 100% !important; }
        td[id=email-footer] { padding: 8px 12px !important; }
        div[class=email-indent] { margin: 8px 0px !important; }
        div[class=email-comment] { margin: 0 !important; }

        p[id=email-title-flavor] a { display: block; } /* puts the username and the action
on separate lines */
        p[id=email-permalink] { padding: 4px 0 0 0 !important; }

        table[id=email-actions] td { padding-top: 0 !important; }
        table[id=email-actions] td.right { text-align: right !important; }
        table[id=email-actions] .email-list-item { display: block; margin: 1em 0 !important;
word-wrap: normal !important; }
        span[class=email-list-divider] { display: none; }
    }



        </style>
    </head>
    <body style="font-family: Arial, FreeSans, Helvetica, sans-serif; font-size: 13px;
width: 100%; -webkit-font-smoothing: antialiased; background-color: #f0f0f0">
        <table id="email-wrapper" width="100%" cellspacing="0" cellpadding="0" border="0"
style="background-color: #f0f0f0">
            <tbody>
                <tr valign="middle">
                    <td id="email-wrapper-inner" style="font-size: 13px; padding: 20px;
text-align: center">
                        <table id="email-content" cellspacing="0" cellpadding="0" border="0"
style="font-family: Arial, FreeSans, Helvetica, sans-serif; width: 100%">
                            <tbody>
                                <tr valign="top">
                                    <td id="email-content-inner" align="left" style="font-family:
Arial, FreeSans, Helvetica, sans-serif; font-size: 13px; background-color: #fff; border: 1px
solid #bbb; padding: 20px; text-align: left">
                                        <table id="email-title" cellpadding="0" cellspacing="0"
border="0" width="100%">
                                            <tbody>
                                                <tr>
                                                    <td id="email-title-avatar" rowspan="2"
style="font-size: 13px; text-align: left; vertical-align: top; width: 48px; padding-right:
8px"> <img class="avatar" src="cid:avatar_20a517c9414511790f2eeb3ec277a81b" border="0"
height="48" width="48" style="-ms-interpolation-mode: bicubic; border-radius: 3px" /> </td>
                                                    <td valign="top" style="font-size:
13px">
                                                        <div id="email-title-flavor" class="email-metadata"
style="margin: 0; padding: 0 0 4px 0; color: #505050">
                                                            <a href="    https://cwiki.apache.org/confluence/display/~christian+schneider
" style="color:#326ca6;text-decoration:none;; color: #326ca6; text-decoration: none">Christian
Schneider</a> edited the page:
                                                        </div> </td>
                                                </tr>
                                                <tr>
                                                    <td valign="top" style="font-size:
13px"> <h2 id="email-title-heading" style="font-size: 16px; line-height: 20px; min-height:
20px; margin: 0; padding: 0"> <a href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988"
style="color: #326ca6; text-decoration: none"> <img class="icon" src="cid:page-icon"
alt="" style="border: 0; padding: 0 5px 0 0; text-align: left; vertical-align: middle" />
<strong style="font-size:16px;line-height:20px;vertical-align:top;">Standardized Authentication
/ Authorization</strong> </a> </h2> </td>
                                                </tr>
                                            </tbody>
                                        </table>
                                        <div class="email-indent" style="margin: 8px 0
16px 0">
                                            <div class="email-diff">
                                                <div id="page-diffs" class="wiki-content">
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" id="added-diff-0" style="font-size:
100%; background-color: #ddfade;">&nbsp;</span> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">&nbsp;</span> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">&nbsp;</span> </p>
                                                    <table class="diff-macro diff-block-context"
style="background-color: #f0f0f0;border: 1px solid #dddddd;margin: 10px 1px;padding: 0 2px
2px;width: 100%;">
                                                        <thead>
                                                            <tr>
                                                                <th class="diff-macro-title"
style="background-color: transparent; text-align: left; font-weight: normal;padding: 5px;;
font-size: 13px"><span class="icon macro-placeholder-icon" style="background-color:
;line-height: 20px;"><img src="https://cwiki.apache.org/confluence/s/en_GB-1988229788/4109/76e0dbb30bc8580e459c201f3535d84f9283a9ac.1/_/images/icons/macrobrowser/dropdown/info.png"
style="padding-right: 5px; vertical-align: text-bottom;" /> </span>Info</th>
                                                            </tr>
                                                        </thead>
                                                        <tbody>
                                                            <tr>
                                                                <td class="diff-macro-body"
style="background-color: #fff;border: 1px solid #dddddd;padding: 10px;; font-size: 13px">Ideas
/ Proposal</td>
                                                            </tr>
                                                        </tbody>
                                                    </table>
                                                    <p class="diff-block-context" style="font-size:
13px">&nbsp;</p>
                                                    <p class="diff-block-context" style="font-size:
13px">CXF already supports a wide range of authentication and authorization approaches.
Unfortunately they are all configured differently and do not integrate well with each other.</p>
                                                    <p class="diff-context-placeholder"
style="font-size: 13px">...</p>
                                                    <p class="diff-block-context" style="font-size:
13px">An XACML policy enforcement point can retrieve the JAAS login data and do authorization
against an XACML Policy Decision Point (PDP).</p>
                                                    <h2 id="StandardizedAuthentication/Authorization-SeparatingAuthorizationfromCXF"
class="diff-block-target diff-block-context"> <span class="diff-html-added" id="added-diff-1"
style="font-size: 100%; background-color: #ddfade;">Separating Authorization from CXF</span>
</h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">As authorization is not only relevant for webservices it makes sense to keep
the authorization code separate from cxf too. So one way to implement authorization would
be to put it into a blueprint extension. Of course this would cover only OSGi and blueprint
but it would be a start.</span> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">It could work similarly to the XA transaction support. Unlike in tx support, we
could scan all beans for security annotations like @RolesAllowed. Then for each bean that
has such an annotation we could wrap it in a proxy that performs the security check. This would
allow minimal XML configuration. Note that a proxy only intercepts calls that go through the
proxied reference: a bean invoking its own methods internally, or a caller holding the raw
object, bypasses the check. The approach also needs an explicit default for beans and methods
without any annotation (deny or permit), otherwise they silently stay unprotected.</span> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">Another approach is to mark beans for security checks using xml like in tx support.
This variant then would also work nicely for XACML authorization as in that case there would
be no annotation to scan for.</span> </p>
                                                    <h3 id="StandardizedAuthentication/Authorization-KarafrolebasedOSGiserviceAuthorization"
class="diff-block-context">Karaf role based OSGi service Authorization</h3>
                                                    <p class="diff-block-target" style="font-size:
13px">Karaf 3 already supports authorization on the OSGi service level and uses JAAS for
authentication. So if we do a JAAS login in CXF and the service impl code calls an OSGi service
then the Karaf role based security should already work out of the box, provided the JAAS login
actually populated the calling thread's AccessControlContext (see the Subject.doAs question
under Problems below).<span class="diff-html-added"
id="added-diff-2" style="font-size: 100%; background-color: #ddfade;"> We could add annotation
based authorization to the Karaf code to make it even better and require less config.</span>
</p>
                                                    <h2 id="StandardizedAuthentication/Authorization-Exceptionhandlingandanswergeneration"
class="diff-block-context">Exception handling and answer generation</h2>
                                                    <p class="diff-context-placeholder"
style="font-size: 13px">...</p>
                                                    <ul class="diff-block-target">
                                                        <li style="font-size: 13px">Failure
at Authentication: javax.security.auth.login.LoginException could also be more specific like
AccountLockedException. The specific subtype is useful for server-side logging, but the
distinction should not be exposed to the client, otherwise an attacker can probe which
accounts exist or are locked.</li>
                                                        <li style="font-size: 13px">Failure
at Authorization: org.apache.cxf.interceptor.security.AccessDeniedException or java.security.AccessControlException<span
class="diff-html-added" id="added-diff-3" style="font-size: 100%; background-color: #ddfade;">.
The latter is better for code kept separate from CXF as it does not depend on CXF.</span>
</li>
                                                    </ul>
                                                    <p class="diff-block-context" style="font-size:
13px">Then in the transport like the http transport we map the exception to the defined
status code and http response:</p>
                                                    <ul class="diff-block-context">
                                                        <li style="font-size: 13px">LoginException
(including its subclasses): HTTP Code 401. A 401 response must carry a WWW-Authenticate challenge
header, and every authentication failure should produce the same generic response body.</li>
                                                        <li style="font-size: 13px">AccessDeniedException,
AccessControlException: HTTP Code 403</li>
                                                    </ul>
                                                    <h2 id="StandardizedAuthentication/Authorization-Karafintegration"
class="diff-block-target diff-block-context"> <span class="diff-html-removed" id="removed-diff-0"
style="font-size: 100%; background-color: #ffe7e7; text-decoration: line-through;">Karaf
integration</span> </h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" id="added-diff-4" style="font-size:
100%; background-color: #ddfade;">Unfortunately CXF currently does not handle the status
code generation in the transport. The exception is already mapped into a Fault at PhaseInterceptorChain.
The Fault then holds the statusCode which is by default 500. So one simple way to do the mapping
is to map from exception type to fault code in the Fault constructor. This is not extensible
but would do for the start. Whatever does the mapping should derive only the status code from
the exception type and not copy internal exception details into the client-visible fault.</span> </p>
                                                    <h2 id="StandardizedAuthentication/Authorization-JAASFeature"
class="diff-block-target diff-block-context"> <span class="diff-html-added" style="font-size:
100%; background-color: #ddfade;">JAAS Feature</span> </h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">The JAAS feature needs some configuration like the jaas context name. So it makes
sense to integrate it with config admin in OSGi and publish it as an OSGi service. So we can
keep the JAAS configuration centralized and keep it out of each bundle.</span> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">As long as the configs are very limited we could of course also integrate it
in each bundles cxf bus. This would have the advantage that it also works outside OSGi.</span>
</p>
                                                    <h2 id="StandardizedAuthentication/Authorization-Authenticationactivation"
class="diff-block-target diff-block-context"> <span class="diff-html-added" style="font-size:
100%; background-color: #ddfade;">Authentication activation</span> </h2>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px">Ideally we should integrate the new authentication / authorization
model in a way that enables the user to switch on authentication for the Karaf server without
specific configuration in the user bundles that implement the services. <span class="diff-html-added"
id="added-diff-5" style="font-size: 100%; background-color: #ddfade;">One problem with
this very loosely coupled approach is that switching on authentication would secure all services
but perhaps some are expected to work without. The other problem is that the services might
start before the auth module and then run unsecured: the endpoint fails open during that startup
window, so any solution has to hold back endpoint publication until authentication is in place
rather than rely on bundle start ordering.</span> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px">So we <span class="diff-html-removed" id="removed-diff-1" style="font-size:
100%; background-color: #ffe7e7; text-decoration: line-through;">could have a config setting
for the CXF OSGi servlet to enable JAAS authentication and set a JAAS config. This would then
enable authentication for all services using the named JAAS config from karaf. We could then
also switch on the annotaion based authorization. So users could leverage this for their service
by just supplying the annotations and doing no other configs on the service level.A further
approach would be to let the user configure named features on the CXF servlet level (which
are then retrieved as OSGi services). So the user can even attach his own extensions on the
server level like for ecxample integrating a custom XACML PEP</span><span class="diff-html-added"
id="added-diff-6" style="font-size: 100%; background-color: #ddfade;">need a way to mark
services that need authentication. One existing way to do so is to bind the authorization Feature
as an OSGi service and add it to the features &quot;by hand&quot;. This is a bit verbose
but on the other hand it is very clear what happens. It is also purely opt-in, so a service
whose author forgets to add the feature is published without any check.</span> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">One other approach would be to publish the feature as an OSGi service with
a unique ID (which is already present for features). Then we could have a new element for
cxf:bus and endpoints like this:</span> </p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">&lt;namedFeatures&gt;authentication, xacmlAuthorization&lt;/namedFeatures&gt;</span>
</p>
                                                    <p class="diff-block-target diff-block-context"
style="font-size: 13px"> <span class="diff-html-added" style="font-size: 100%; background-color:
#ddfade;">This element would mean that CXF publishes the endpoint only once both of
these named features are present and adds the features to the endpoint / bus. This is the
fail-closed variant: the endpoint is never reachable without its security features, whatever
the bundle start order</span>.</p>
                                                    <h2 id="StandardizedAuthentication/Authorization-Problems"
class="diff-block-context">Problems</h2>
                                                    <p class="diff-block-context" style="font-size:
13px">Doing a full JAAS login requires the use of Subject.doAs to populate the AccessControlContext.
This is not possible in a CXF interceptor as the interceptor only works on a message but can
not call the next interceptor inside doAs. So the question is where to do the JAAS login and
the doAs?</p>
                                                    <p class="diff-context-placeholder"
style="font-size: 13px">...</p>
                                                </div>
                                            </div>
                                        </div>
                                        <table id="email-actions" class="email-metadata"
cellspacing="0" cellpadding="0" border="0" width="100%" style="border-top: 1px solid #bbb;
color: #505050; margin: 8px 0 0 0; padding: 0; color: #505050">
                                            <tbody>
                                                <tr>
                                                    <td class="left" valign="top" style="font-size:
13px; padding-top: 8px; max-width: 45%; text-align: left"> <span class="email-list-item"><a
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988" style="color:
#326ca6; text-decoration: none">View Online</a> </span> <span class="email-list-divider"
style="color: #505050; padding: 0 0.350em">&middot;</span> <span class="email-list-item"><a
href="https://cwiki.apache.org/confluence/plugins/likes/like.action?contentId=42568988" style="color:
#326ca6; text-decoration: none">Like</a> </span> <span class="email-list-divider"
style="color: #505050; padding: 0 0.350em">&middot;</span> <span class="email-list-item"><a
href="https://cwiki.apache.org/confluence/pages/diffpagesbyversion.action?pageId=42568988&amp;revisedVersion=3&amp;originalVersion=2"
style="color: #326ca6; text-decoration: none">View Changes</a> </span> </td>
                                                    <td class="right" width="50%" valign="top"
style="font-size: 13px; padding-top: 8px; text-align: right"> <span class="email-list-item"><a
href="https://cwiki.apache.org/confluence/users/removespacenotification.action?spaceKey=CXF20DOC"
style="color: #326ca6; text-decoration: none">Stop watching space</a> </span>
<span class="email-list-divider" style="color: #505050; padding: 0 0.350em">&middot;</span>
<span class="email-list-item"><a href="https://cwiki.apache.org/confluence/users/editmyemailsettings.action"
style="color: #326ca6; text-decoration: none">Manage Notifications</a> </span>
</td>
                                                </tr>
                                            </tbody>
                                        </table> </td>
                                </tr>
                            </tbody>
                        </table> </td>
                </tr>
            </tbody>
        </table>
    </body>
</html>