From Oliver Wulff <owu...@talend.com>
Subject Role based access control with SAML in CXF
Date Wed, 28 Mar 2012 10:48:57 GMT
Hi guys

I'd like to look into the following JIRA:

https://issues.apache.org/jira/browse/CXF-3522

The CXF service provider gets a SAML token which contains an AttributeStatement with claims
information. One claim can be the roles.

An initial fix (maybe I create a separate JIRA) shall only look for the claim which provides
the role information, thus we can instantiate the SecurityContext and provide the role information.

I'd like to discuss one open point with respect to how to represent several roles in a SAML token.
Right now, the CXF STS separates them by using a semicolon.

I've verified what Microsoft is doing in this regard and found the following:

http://blogs.msdn.com/b/sameersurve/archive/2012/01/19/how-sharepoint-2010-handles-multi-valued-claims.aspx

I'd go with the same approach to support the following two:

<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AttributeNamespace="http://schemas.xmlsoap.org/claims"
AttributeName="groups">
  <saml:AttributeValue>Value1</saml:AttributeValue>
  <saml:AttributeValue>Value2</saml:AttributeValue>
</saml:Attribute>

<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AttributeNamespace="http://schemas.xmlsoap.org/claims"
AttributeName="groups">
  <saml:AttributeValue>Value1</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AttributeNamespace="http://schemas.xmlsoap.org/claims"
AttributeName="groups">
  <saml:AttributeValue>Value2</saml:AttributeValue>
</saml:Attribute>

but for backwards compatibility also support separating the values by a separator like ";".

I'd add two properties for an endpoint to tell the URI of the attribute which provides the
role information (with some default) and optionally the separator. I'll add this functionality
to the STS as well.

The STS will then allow configuring how to encode multi-value claims, like "MULTI_VALUE",
"MULTI_CLAIM" or "SEPARATOR".

Thoughts?

Oli

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com
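As an added illustration (not code from the thread or from CXF), the following Python snippet extracts the role claim from a SAML 1.0 AttributeStatement under all three encodings named above: MULTI_VALUE, MULTI_CLAIM and the legacy SEPARATOR form. The attribute name, namespace and optional separator stand in for the proposed endpoint properties; the sample assertions are constructed here, and signature validation of the token is assumed to have happened already in the WS-Security layer.

```python
"""Collect role names from a SAML 1.0 AttributeStatement, accepting the
MULTI_VALUE, MULTI_CLAIM and SEPARATOR encodings. Constructed example."""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"  # AttributeNamespace from the thread


def extract_roles(assertion_xml, attribute_name="groups",
                  attribute_namespace=CLAIMS_NS, separator=None):
    """Return role names in document order, de-duplicated. `separator` is
    opt-in (the proposed optional endpoint property); when None, a value
    such as "Value1;Value2" is kept as a single role rather than split."""
    root = ET.fromstring(assertion_xml)
    roles = []
    # MULTI_CLAIM: walk every matching Attribute, not only the first one.
    for attr in root.iter("{%s}Attribute" % SAML1_NS):
        if attr.get("AttributeName") != attribute_name:
            continue
        # Only the configured namespace may grant roles; a same-named
        # attribute from another namespace is ignored.
        if attr.get("AttributeNamespace") != attribute_namespace:
            continue
        # MULTI_VALUE: every AttributeValue child contributes a role.
        for value_el in attr.findall("{%s}AttributeValue" % SAML1_NS):
            raw = value_el.text or ""
            parts = raw.split(separator) if separator else [raw]
            for part in parts:
                part = part.strip()
                if part and part not in roles:
                    roles.append(part)
    return roles


# Constructed sample assertions, one per encoding.
_ATTR = '<saml:Attribute AttributeNamespace="%s" AttributeName="groups">' % CLAIMS_NS
_VAL = "<saml:AttributeValue>%s</saml:AttributeValue>"


def _wrap(body):
    return ('<saml:Assertion xmlns:saml="%s"><saml:AttributeStatement>%s'
            "</saml:AttributeStatement></saml:Assertion>") % (SAML1_NS, body)


MULTI_VALUE = _wrap(_ATTR + _VAL % "Value1" + _VAL % "Value2" + "</saml:Attribute>")
MULTI_CLAIM = _wrap(_ATTR + _VAL % "Value1" + "</saml:Attribute>"
                    + _ATTR + _VAL % "Value2" + "</saml:Attribute>")
SEPARATOR = _wrap(_ATTR + _VAL % "Value1;Value2" + "</saml:Attribute>")

if __name__ == "__main__":
    for name, doc in [("MULTI_VALUE", MULTI_VALUE), ("MULTI_CLAIM", MULTI_CLAIM),
                      ("SEPARATOR", SEPARATOR)]:
        print(name, extract_roles(doc, separator=";"))
```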
