From: Oliver Wulff
To: dev@cxf.apache.org, coheigea@apache.org
Subject: AW: Role based access control with SAML in CXF
Date: Wed, 28 Mar 2012 13:40:34 +0000
Message-ID: <79AB4452999C844D9920E0363533273111FACD@S10BE002.SH10.lan>
References: <79AB4452999C844D9920E0363533273111F983@S10BE002.SH10.lan>
Mailing list: dev@cxf.apache.org

Raised a separate JIRA for RBAC support for JAX-WS:
https://issues.apache.org/jira/browse/CXF-4212

------
Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division
http://www.talend.com

________________________________________
From: Colm O hEigeartaigh [coheigea@apache.org]
Sent: Wednesday, 28 March 2012 13:19
To: dev@cxf.apache.org
Subject: Re: Role based access control with SAML in CXF

+1 sounds good.

Colm.

On Wed, Mar 28, 2012 at 11:48 AM, Oliver Wulff wrote:
> Hi guys
>
> I'd like to look into the following JIRA:
> https://issues.apache.org/jira/browse/CXF-3522
>
> The CXF service provider gets a SAML token which contains an AttributeStatement with claims information. One claim can be the roles.
>
> An initial fix (maybe I create a separate JIRA) shall only look for the claim which provides the role information, thus we can instantiate the SecurityContext and provide the role information.
>
> I'd like to discuss one open point with respect to how to represent several roles in a SAML token. Right now, the CXF STS separates them by using a semicolon.
>
> I've verified what Microsoft is doing in this regard and found the following:
> http://blogs.msdn.com/b/sameersurve/archive/2012/01/19/how-sharepoint-2010-handles-multi-valued-claims.aspx
>
> I'd go with the same approach to support the following two:
>
> Value1
> Value2
>
> Value1
>
> Value2
>
> but for backwards compatibility also support separating the values by a separator like ";".
>
> I'd add two properties for an endpoint to tell the URI of the attribute which provides the role information (with some default) and optionally the separator. I'll add this functionality to the STS as well.
>
> The STS will then allow to configure how to encode multi-value claims like "MULTI_VALUE", "MULTI_CLAIM" or "SEPARATOR".
>
> Thoughts?
>
> Oli
>
> ------
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division
> http://www.talend.com

--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
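The three multi-value encodings Oliver lists (MULTI_VALUE: one Attribute with several AttributeValue children; MULTI_CLAIM: several Attribute elements with the same Name; SEPARATOR: one value with roles joined by ";") and the two endpoint properties he proposes (role-attribute URI plus optional separator) can be exercised with the following added example. It is an illustration written for this page, not CXF or STS code; the SAML 2.0 namespace is the standard one, the default role-claim URI is an assumed value, and the three sample assertions are constructed. It assumes the assertion's XML signature has already been verified by whatever WS-Security processing sits in front of it: role values read from an unverified assertion are attacker-controlled input, and nothing below is a substitute for that check.

```python
"""Extract roles from a SAML 2.0 AttributeStatement under the three
multi-value encodings discussed in the thread (MULTI_VALUE, MULTI_CLAIM,
SEPARATOR).  Added illustration, not CXF code.  Assumes the assertion's
signature has ALREADY been verified by the caller."""
from typing import List, Optional
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTRIBUTE = "{%s}Attribute" % SAML2_NS
ATTRIBUTE_VALUE = "{%s}AttributeValue" % SAML2_NS

# Assumed default role-claim URI; the mail only says the URI will be a
# configurable endpoint property "with some default".
DEFAULT_ROLE_URI = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role"


def extract_roles(assertion_xml: str,
                  role_uri: str = DEFAULT_ROLE_URI,
                  separator: Optional[str] = ";") -> List[str]:
    """Return the distinct role names carried by the role claim, in order.

    Every Attribute whose Name equals role_uri is consulted (MULTI_CLAIM),
    every AttributeValue inside it is read (MULTI_VALUE) and, when a
    separator is configured, each value is additionally split on it
    (SEPARATOR, the backwards-compatible STS encoding).  Attributes with
    any other Name are ignored, so a name or e-mail claim can never be
    mistaken for a role.
    """
    root = ET.fromstring(assertion_xml)
    roles: List[str] = []
    for attribute in root.iter(ATTRIBUTE):
        if attribute.get("Name") != role_uri:
            continue
        for value in attribute.findall(ATTRIBUTE_VALUE):
            text = value.text or ""
            parts = text.split(separator) if separator else [text]
            for part in parts:
                role = part.strip()
                # Drop empty fragments ("a;;b", trailing ";") and duplicates.
                if role and role not in roles:
                    roles.append(role)
    return roles


def _assertion(attribute_statement_body: str) -> str:
    """Wrap attributes in a minimal Assertion (constructed test data only)."""
    return ('<saml:Assertion xmlns:saml="%s"><saml:AttributeStatement>%s'
            '</saml:AttributeStatement></saml:Assertion>'
            % (SAML2_NS, attribute_statement_body))


# Constructed sample tokens, one per encoding (not taken from the mail).
# Each also carries an unrelated name claim that must never surface as a role.
ROLE_ATTR = '<saml:Attribute Name="%s">' % DEFAULT_ROLE_URI
NAME_ATTR = ('<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">'
             '<saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>')

MULTI_VALUE = _assertion(NAME_ATTR + ROLE_ATTR +
                         '<saml:AttributeValue>Value1</saml:AttributeValue>'
                         '<saml:AttributeValue>Value2</saml:AttributeValue>'
                         '</saml:Attribute>')
MULTI_CLAIM = _assertion(NAME_ATTR +
                         ROLE_ATTR + '<saml:AttributeValue>Value1</saml:AttributeValue></saml:Attribute>' +
                         ROLE_ATTR + '<saml:AttributeValue>Value2</saml:AttributeValue></saml:Attribute>')
SEPARATOR = _assertion(NAME_ATTR + ROLE_ATTR +
                       '<saml:AttributeValue>Value1; Value2;</saml:AttributeValue>'
                       '</saml:Attribute>')

if __name__ == "__main__":
    for label, token in (("MULTI_VALUE", MULTI_VALUE),
                         ("MULTI_CLAIM", MULTI_CLAIM),
                         ("SEPARATOR", SEPARATOR)):
        print(label, extract_roles(token))
```

Leaving the separator enabled while also accepting MULTI_VALUE and MULTI_CLAIM is what gives the backwards compatibility the mail asks for, but it has a cost: a legitimate role whose name contains ";" is silently split into two roles. An endpoint that has moved its STS to MULTI_VALUE or MULTI_CLAIM should therefore pass separator=None so that values are taken verbatim.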