cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: Move JAX-RS claims classes to frontend independent module rt/security
Date Thu, 29 Mar 2012 21:32:02 GMT
Forgot the links:

http://svn.apache.org/viewvc?rev=1307112&view=rev
https://issues.apache.org/jira/browse/CXF-4215

Sergey

On 29/03/12 22:30, Sergey Beryozkin wrote:
> Hi Oli,
>
> I've moved the Claims annotations to the api module,
>
> to the "org.apache.cxf.security.claims.authorization" package with the
> idea that the "org.apache.cxf.security.claims" package will in time hold
> a few common Claim data classes.
>
> I reckon it should be enough for you to start experimenting with
> enforcing the same Claim annotations at the JAX-WS/WS-Security end but
> using the Claim data classes declared in the ws-security module.
> ClaimsAuthorizingInterceptor can be copied for now.
>
> If we manage to quickly adapt the Claim class used in the
> rt-rs-security-xml to the one used in the ws-security module then I can
> move the rest of the authorization code to the api. That should be quite
> possible but I think if we do not manage to do it in time for 2.6 then
> we can do it for 2.6.1/2 because I guess the Claim data classes are not
> really visible to the application developers.
>
> FYI, I have the SAMLSecurityContext - can be renamed to
> ClaimsSecurityContext, I thought a bit about also introducing
> ClaimsPrincipal, but then I decided to stay with SAMLSecurityContext,
> it's kind of similar to the base SecurityContext (Principal + its
> roles), or Principal + Claims (roles and more)
>
> I stopped short of introducing a new module (rt-security), a bit tight
> for 2.6 :-), but indeed it would be easy enough to move various
> security-related classes from api & rt/core to rt-security, except maybe for
> the base SecurityContext, AuthorizationPolicy, a few other classes
>
> Thanks, Sergey
>
> On 29/03/12 13:00, Sergey Beryozkin wrote:
>> Hi Oli
>>
>> thanks for initiating this thread
>>
>> On 29/03/12 07:06, Oliver Wulff wrote:
>>> Hi all
>>>
>>> I'd like to start working on the RBAC (see mail "Role based access
>>> control with SAML in CXF") and the Claims support for JAX-WS. Sergey
>>> has already implemented that for JAX-RS.
>>>
>>> I'd propose to move these classes (claims, annotations) to a frontend
>>> independent module like rt/security thus it can be used by JAX-WS and
>>> JAX-RS. To get this done for 2.6 would be very good. Otherwise, we can
>>> do this for 2.7 earliest. I'd like to avoid having different Claims
>>> classes for the same purpose when using JAX-RS or JAX-WS.
>>>
>>> What do you think?
>>>
>> +1.
>>
>> I think it might be a bit tight to get both the annotations & the actual
>> data classes representing Claims given that at the moment Claims data
>> classes used within the JAX-RS frontend are different from the ones
>> available in the WS Security module.
>>
>> We have 3 pieces to deal with:
>> - Annotations (visible at the application code level) [1]
>> - ClaimsAuthorizingInterceptor which enforces those annotations against
>> the incoming claims data available at runtime
>> - The actual Claim classes keeping the info about the claims
>>
>> Moving Annotations to the common package can be done quickly enough that
>> would let us have the JAX-WS & JAX-RS code using the same visible
>> annotations.
>> The interim solution for JAX-WS then is to provide its own
>> ClaimsAuthorizingInterceptor which will operate on WS specific Claim
>> classes. And then we can introduce at some stage the common interceptor
>> once we 'merge' the Claim data classes, I'd be OK adapting JAX-RS Claim
>> classes as close as possible to WS ones.
>>
>> But let me move the annotations first. Who knows, maybe we will also be
>> able to merge Claim data classes before 2.6 is out :-)
>>
>> Thanks, Sergey
>>
>> [1]
>> http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLAuthorization
>>
>>> Thanks
>>> Oli
>>>
>>>
>>>
>>>
>>> ------
>>>
>>> Oliver Wulff
>>>
>>> Blog: http://owulff.blogspot.com
>>> Solution Architect
>>> http://coders.talend.com
>>>
>>> Talend Application Integration Division
>>> http://www.talend.com
>>>
>>
>>
>
>
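
The three pieces listed in the thread (application-visible annotation, an interceptor that enforces it against incoming claims, and the claim data class), sketched as an added illustration that is not part of the thread and is not CXF code. `RequiredClaim`, `Claim`, `BookStore` and `isAuthorized` are hypothetical stand-ins, and the claim names and values are constructed.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class ClaimsCheckDemo {
    // Piece 1: annotation visible to application code (hypothetical stand-in).
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.METHOD)
    @interface RequiredClaim { String name(); String[] value(); }

    // Piece 3: claim data class holding what the validated token asserted.
    record Claim(String name, Set<String> values) {}

    // Application resource protected by the annotation.
    static class BookStore {
        @RequiredClaim(name = "http://claims/role", value = {"admin"})
        public String deleteBook(String id) { return "deleted " + id; }
    }

    // Piece 2: the check an authorizing interceptor performs before dispatch.
    static boolean isAuthorized(Method m, List<Claim> incoming) {
        RequiredClaim required = m.getAnnotation(RequiredClaim.class);
        if (required == null) {
            return true; // assumption: unannotated methods declare no claim requirement
        }
        for (Claim c : incoming) {
            if (!c.name().equals(required.name())) continue;
            for (String v : required.value()) {
                if (c.values().contains(v)) return true;
            }
        }
        return false; // required claim missing or no value matched: deny
    }

    public static void main(String[] args) throws Exception {
        Method m = BookStore.class.getMethod("deleteBook", String.class);
        // Constructed sample claims, as if extracted from a validated SAML assertion.
        List<Claim> admin = List.of(new Claim("http://claims/role", Set.of("admin", "user")));
        List<Claim> user = List.of(new Claim("http://claims/role", Set.of("user")));
        System.out.println("admin allowed: " + isAuthorized(m, admin));
        System.out.println("user allowed: " + isAuthorized(m, user));
        System.out.println("no claims allowed: " + isAuthorized(m, List.of()));
    }
}
```

Because the check depends only on the annotation and the claim data class, the same enforcement logic can sit behind either frontend once both share one `Claim` type, which is the merge the thread is working toward.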
