Message-ID: <4FAAE291.50004@gmail.com>
Date: Wed, 09 May 2012 22:33:05 +0100
From: Sergey Beryozkin
To: CXF Dev <dev@cxf.apache.org>
Subject: Moving the SAML SSO SP code to its own module

Hi,

Colm and myself have been working recently on the initial support for the SAML-based Web SSO support on the Service Provider (SP) side. What we've got at the moment is the filters which can enforce the security context and redirect via GET or POST to the IDP, validate SAMLResponse and set the security context.

There's still a bit of work that needs to be completed, to do with the better security context population on the actual application path, more sophisticated support for the session management, supporting the delegation of the SAMLResponse validation. Then going forward we can think about the logout support, artifact resolution support, etc, etc...

Right now, the code lives in rt/rs/security/xml; I started prototyping the code there simply because it already contained the support for SAML-based validation of SAML assertions, etc. However, given a number of enhancements that are expected to be added for the SSO-based support, we thought with Colm that it would make sense to move the relevant code to its own dedicated module.

As I said earlier I believe this code should work with different IDPs, so for now I'm not sure that it should be moved to the Fediz sub-project. I guess the possibility of moving to Fediz can be reviewed later on again, but right now I'd suggest creating a module such as cxf-rt-rs-security-sso-saml under rt/rs/security/sso/saml with the idea that perhaps some other SSO technologies will be supported at the CXF RS level in the future.

Comments are welcome.

Cheers, Sergey
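The SP-side flow the mail summarises (enforce the security context, redirect to the IDP via the GET binding, validate the SAMLResponse and set the security context), written out as an added Python illustration. This is not CXF's filter code: the entity ID, ACS and IDP URLs are constructed placeholders, the session is a plain dict, and the sample IdP response is an unsigned document built inline for the demonstration. XML signature verification is assumed to have already happened before `validate_response` runs (in CXF that is the existing WSS4J/SAML validation the mail refers to); the checks shown are the ones that must follow it so that a stale, replayed or misdirected response cannot establish a context.

```python
"""SAML Web SSO Service Provider filter flow (added illustration, not CXF code).

Assumptions: signature verification of the samlp:Response has already been
performed; URLs, entity ID and the sample response below are constructed.
"""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from urllib.parse import urlencode

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

SP_ENTITY_ID = "https://sp.example.test/metadata"  # constructed placeholder
SP_ACS_URL = "https://sp.example.test/sso/acs"     # constructed placeholder
IDP_SSO_URL = "https://idp.example.test/sso"        # constructed placeholder


def build_redirect(session, requested_path, clock):
    """Step 2: no security context yet, so send the browser to the IDP.
    HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode. The
    AuthnRequest ID is stored so the later response can be tied to it."""
    request_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="{request_id}" Version="2.0" '
           f'IssueInstant="{clock.strftime(TIME_FMT)}" '
           f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
           f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    deflated = comp.compress(xml.encode()) + comp.flush()
    session["pending_request_id"] = request_id
    # RelayState comes back from the IDP untrusted; an SP must only follow it to local paths.
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": requested_path})
    return f"{IDP_SSO_URL}?{query}"


def validate_response(session, response_xml, clock):
    """Step 3 (after signature verification): bind the response to our request,
    check status, validity window and audience. Returns the NameID or raises."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    dest = root.get("Destination")
    if dest is not None and dest != SP_ACS_URL:
        raise ValueError("Destination does not match this SP's ACS URL")
    expected = session.pop("pending_request_id", None)   # one-time use
    if expected is None or root.get("InResponseTo") != expected:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        raise ValueError("IDP did not report success")
    assertion = root.find("saml:Assertion", NS)   # encrypted assertions not handled here
    if assertion is None:
        raise ValueError("no plain saml:Assertion in response")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is not None and clock < datetime.strptime(not_before, TIME_FMT):
        raise ValueError("assertion not yet valid")
    if not_on_or_after is None or clock >= datetime.strptime(not_on_or_after, TIME_FMT):
        raise ValueError("assertion expired or has no expiry")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion is not addressed to this SP")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID in subject")
    return name_id.text


def filter_request(session, path, clock, saml_response=None):
    """The SP filter as a pure function: ("allow", principal),
    ("redirect", url) or ("deny", reason)."""
    if "principal" in session:                 # step 1: security context already set
        return ("allow", session["principal"])
    if saml_response is not None:              # step 3: callback from the IDP
        try:
            principal = validate_response(session, saml_response, clock)
        except ValueError as exc:
            return ("deny", str(exc))
        session["principal"] = principal       # set the security context
        return ("allow", principal)
    return ("redirect", build_redirect(session, path, clock))   # step 2


def sample_response(in_response_to, clock, audience=SP_ENTITY_ID, ttl_minutes=5):
    """Constructed, unsigned IDP response used only to exercise the checks."""
    nb = (clock - timedelta(minutes=1)).strftime(TIME_FMT)
    noa = (clock + timedelta(minutes=ttl_minutes)).strftime(TIME_FMT)
    return (f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" '
            f'Version="2.0" InResponseTo="{in_response_to}" Destination="{SP_ACS_URL}">'
            f'<samlp:Status><samlp:StatusCode Value="{STATUS_SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a1" Version="2.0">'
            f'<saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{nb}" NotOnOrAfter="{noa}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
            f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
```

Driving `filter_request` three times with the same session dict walks the whole flow: the first call returns the redirect URL and records the pending request ID, the callback with a matching response sets the principal, and every later call is allowed without contacting the IDP. Responses that are expired, addressed to a different audience or not bound to an outstanding request are rejected before any context is set.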