cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: Move JAX-RS claims classes to frontend independent module rt/security
Date Thu, 29 Mar 2012 21:30:51 GMT
Hi Oli,

I've moved the Claims annotations to the api module,

to the "org.apache.cxf.security.claims.authorization" package with the 
idea that the "org.apache.cxf.security.claims" package will hold in time 
few common Claim data classes.

I reckon it should be enough for you to start experimenting with 
enforcing the same Claim annotations at the JAX-WS/WS-Security end but 
using the Claim data classes declared in the ws-security module.
ClaimsAuthorizingInterceptor can be copied for now.

If we manage to quickly adapt the Claim class used in the 
rt-rs-security-xml to the one used in the ws-security module then I can 
move the rest of the authorization code to the api. That should be quite 
possible but I think if we do not manage to do it in time for 2.6 then 
we can do it for 2.6.1/2 because I guess the Claim data classes are not 
really visible to the application developers.

FYI, I have the SAMLSecurityContext - can be renamed to 
ClaimsSecurityContext, I thought a bit about also introducing 
ClaimsPrincipal, but then I decided to stay with SAMLSecurityContext, 
it's kind of similar to the base SecurityContext (Principal + its 
roles), or Principal + Claims (roles and more)

I stopped short of introducing a new module (rt-security), a bit tight 
for 2.6 :-), but indeed it would be easy enough to move various security 
related classes from api & rt/core to rt-security, except for may be for 
the base SecurityContext, AuthorizationPolicy, few other classes

Thanks, Sergey

On 29/03/12 13:00, Sergey Beryozkin wrote:
> Hi Oli
>
> thanks for initiating this thread
>
> On 29/03/12 07:06, Oliver Wulff wrote:
>> Hi all
>>
>> I'd like to start working on the RBAC (see mail "Role based access
>> control with SAML in CXF") and the Claims support for JAX-WS. Sergey
>> has already implemented that for JAX-RS.
>>
>> I'd propose to move these classes (claims, annotations) to a frontend
>> independent module like rt/security thus it can be used by JAX-WS and
>> JAX-RS. To get this done for 2.6 would be very good. Otherwise, we can
>> do this for 2.7 earliest. I'd like to avoid in having different Claims
>> classes for the same purpose when using JAX-RS or JAX-WS.
>>
>> What do you think?
>>
> +1.
>
> I think it might be a bit tight to get both the annotations & the actual
> data classes representing Claims given that at the moment Claims data
> classes used within the JAX-RS frontend are different from the ones
> available in the WS Security module.
>
> We have 3 pieces to deal with:
> - Annotations (visible at the application code level) [1]
> - ClaimsAuthorizingInterceptor which enforces those annotations against
> the incoming claims data available at runtime
> - The actual Claim classes keeping the info about the claims
>
> Moving Annotations to the common package can be done quickly enough that
> would let us have the JAX-WS & JAX-RS code using the same visible
> annotations.
> The interim solution for JAX-WS then is to provide its own
> ClaimsAuthorizingInterceptor which will operate on WS specific Claim
> classes. And then we can introduce at some stage the common interceptor
> once we 'merge' the Claim data classes, I'd be OK adapting JAX-RS Claim
> classes as close as possible to WS ones.
>
> But let me move the annotations first. Who knows may be we will also be
> able to merge Claim data classes before 2.6 is out :-)
>
> Thanks, Sergey
>
> [1]
> http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLAuthorization
>
>> Thanks
>> Oli
>>
>>
>>
>>
>> ------
>>
>> Oliver Wulff
>>
>> Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/>
>> Solution Architect
>> http://coders.talend.com
>>
>> <http://coders.talend.com>Talend Application Integration Division
>> http://www.talend.com
>>
>
>



Mime
View raw message