cxf-dev mailing list archives

From Oliver Wulff <owu...@talend.com>
Subject Re: Role based access control with SAML in CXF
Date Wed, 28 Mar 2012 13:40:34 GMT
Raised a separate JIRA for RBAC support for JAX-WS:
https://issues.apache.org/jira/browse/CXF-4212

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Colm O hEigeartaigh [coheigea@apache.org]
Sent: Wednesday, 28 March 2012 13:19
To: dev@cxf.apache.org
Subject: Re: Role based access control with SAML in CXF

+1 sounds good.

Colm.

On Wed, Mar 28, 2012 at 11:48 AM, Oliver Wulff <owulff@talend.com> wrote:
> Hi guys
>
> I'd like to look into the following JIRA:
>
> https://issues.apache.org/jira/browse/CXF-3522
>
> The CXF service provider gets a SAML token which contains an AttributeStatement with claims information. One claim can be the roles.
>
> An initial fix (maybe I create a separate JIRA) shall only look for the claim which provides the role information, thus we can instantiate the SecurityContext and provide the role information.
>
> I'd like to discuss one open point with respect to how to represent several roles in a SAML token. Right now, the CXF STS separates them by using a semicolon.
>
> I've verified what Microsoft is doing in this regard and found the following:
>
> http://blogs.msdn.com/b/sameersurve/archive/2012/01/19/how-sharepoint-2010-handles-multi-valued-claims.aspx
>
> I'd go with the same approach to support the following two:
>
> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
>   <saml:AttributeValue>Value1</saml:AttributeValue>
>   <saml:AttributeValue>Value2</saml:AttributeValue>
> </saml:Attribute>
>
> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
>   <saml:AttributeValue>Value1</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
>   <saml:AttributeValue>Value2</saml:AttributeValue>
> </saml:Attribute>
>
> but for backwards compatibility also support separating the values by a separator like ";".
>
> I'd add two properties for an endpoint to tell the URI of the attribute which provides the role information (with some default) and optionally the separator. I'll add this functionality to the STS as well.
>
> The STS will then allow configuring how to encode multi-value claims, like "MULTI_VALUE", "MULTI_CLAIM" or "SEPARATOR".
>
> Thoughts?
>
> Oli
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
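As an added illustration of the three encodings discussed in the quoted proposal (several AttributeValue elements in one Attribute, several Attribute elements with the same name, and a single value joined by a separator), the following stand-alone Python function collects the roles from a SAML 1.x AttributeStatement. It is example code written for this page, not CXF or STS code; the function and parameter names (extract_roles, role_attribute, role_namespace, separator) and the sample tokens are this example's own constructions and do not correspond to any CXF configuration property.

```python
"""Collect the roles carried by a SAML 1.x AttributeStatement.

Added example for this thread, not CXF code. It accepts the three encodings
discussed above:
  MULTI_VALUE  - one <Attribute> with several <AttributeValue> children
  MULTI_CLAIM  - several <Attribute> elements with the same name
  SEPARATOR    - one value holding roles joined by a separator, e.g. "a;b"
Function and parameter names (extract_roles, role_attribute, role_namespace,
separator) are this example's own choices, not CXF configuration keys.
"""
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"   # shared by SAML 1.0 and 1.1
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"        # namespace used in the thread


def extract_roles(assertion_xml, role_attribute="groups",
                  role_namespace=CLAIMS_NS, separator=None):
    """Return the set of role names found in the assertion.

    Only call this on an assertion whose signature, issuer and validity
    period have already been verified; role extraction itself performs no
    trust checks.  'separator' is opt-in: when it is None a value is taken
    verbatim, so a role name that happens to contain ';' is not split.
    """
    root = ET.fromstring(assertion_xml)
    roles = set()
    # Roles must come from an AttributeStatement, not from any <Attribute>
    # that happens to appear elsewhere in the document.
    for statement in root.iter(f"{{{SAML1_NS}}}AttributeStatement"):
        for attr in statement.findall(f"{{{SAML1_NS}}}Attribute"):
            # Match both name and namespace exactly; a claim named "groups"
            # in a different namespace is a different claim.
            if attr.get("AttributeName") != role_attribute:
                continue
            if attr.get("AttributeNamespace") != role_namespace:
                continue
            # MULTI_VALUE and MULTI_CLAIM both reduce to "every AttributeValue
            # of every matching Attribute"; SEPARATOR additionally splits.
            for value in attr.findall(f"{{{SAML1_NS}}}AttributeValue"):
                text = (value.text or "").strip()
                parts = text.split(separator) if separator else [text]
                roles.update(p.strip() for p in parts if p.strip())
    return roles


def _assertion(attributes_xml):
    """Wrap constructed <Attribute> markup in a minimal SAML 1.1 assertion."""
    return (f'<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1">'
            f'<saml:AttributeStatement>{attributes_xml}</saml:AttributeStatement>'
            f'</saml:Assertion>')


def _attribute(values, name="groups", namespace=CLAIMS_NS):
    """Build one constructed <Attribute> holding the given values."""
    body = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return (f'<saml:Attribute AttributeNamespace="{namespace}" AttributeName="{name}">'
            f'{body}</saml:Attribute>')


# Constructed sample tokens mirroring the thread's three encodings.
MULTI_VALUE_TOKEN = _assertion(_attribute(["Value1", "Value2"]))
MULTI_CLAIM_TOKEN = _assertion(_attribute(["Value1"]) + _attribute(["Value2"]))
SEPARATOR_TOKEN = _assertion(_attribute(["Value1;Value2"]))
# Same attribute name, different namespace: must not be treated as roles.
OTHER_NS_TOKEN = _assertion(_attribute(["Value1"], namespace="urn:example:other"))


if __name__ == "__main__":
    print("MULTI_VALUE :", sorted(extract_roles(MULTI_VALUE_TOKEN)))
    print("MULTI_CLAIM :", sorted(extract_roles(MULTI_CLAIM_TOKEN)))
    print("SEPARATOR   :", sorted(extract_roles(SEPARATOR_TOKEN, separator=";")))
    print("no separator:", sorted(extract_roles(SEPARATOR_TOKEN)))
    print("other ns    :", sorted(extract_roles(OTHER_NS_TOKEN)))
```

Two points worth keeping when this is done for real: the separator must stay opt-in, so that a legitimately issued role containing the separator character is not silently turned into two roles, and the lookup must match the attribute namespace as well as the name, since the name alone ("groups") is not unique across claim dialects. In a CXF service provider the assertion would already be the WSS4J-validated DOM rather than raw XML parsed here for illustration.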