cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Romain Manni-Bucau <rmannibu...@gmail.com>
Subject Re: fediz & SSO?
Date Tue, 21 Aug 2012 11:05:25 GMT
not sure i get it,

currently if you come from another rp that the one which logged in the user
it need the password *again*

*Romain Manni-Bucau*
*Twitter: @rmannibucau*
*Blog: http://rmannibucau.wordpress.com*




2012/8/21 Sergey Beryozkin <sberyozkin@gmail.com>

> On 21/08/12 11:53, Romain Manni-Bucau wrote:
>
>> from what i saw (IdpServlet) it doesn't keep it and need the password (but
>> i maybe missed sthg):
>> http://svn.apache.org/repos/**asf/cxf/fediz/trunk/services/**
>> idp/src/main/java/org/apache/**cxf/fediz/service/idp/**IdpServlet.java<http://svn.apache.org/repos/asf/cxf/fediz/trunk/services/idp/src/main/java/org/apache/cxf/fediz/service/idp/IdpServlet.java>
>>
> This is what I was saying, IDP manages the actual login and hence it needs
> a user to actually log on (using Basic Auth - password, client cert,
> whatever), whereas SP (or RP) applications have to manage the state which
> would let them validate via some back channel (using WS-Fed in Fediz's
> case) that the log-in is active...
>
> IDP need to keep a state of their own in order to let user avoid entering
> the password again, while the session is active, in cases when say the RP
> has been restarted and redirected the user back to IDP to log on, I guess
> IdpServlet can handle that and if not then it could require a minor update,
> but I think, as far as multiple RP applications are concerned and their
> state, it's not what IdpServlet itself will manage
>
> Cheers, Sergey
>
>
>> *Romain Manni-Bucau*
>> *Twitter: @rmannibucau*
>> *Blog: http://rmannibucau.wordpress.**com<http://rmannibucau.wordpress.com>
>> *
>>
>>
>>
>>
>> 2012/8/21 Sergey Beryozkin<sberyozkin@gmail.com**>
>>
>>  Hi
>>>
>>> On 21/08/12 11:42, Romain Manni-Bucau wrote:
>>>
>>>  well i thought of some distributed solutions but for me that's not a
>>>> solution since you keep the password instead of keeping the token, i
>>>> think
>>>> the current logic flow is not matching this requirement (but is it a
>>>> fediz
>>>> requirement?)
>>>>
>>>>
>>>>  My understanding that it is only IDP that keeps, indirectly, the
>>> password
>>> and the state management at the RP side is all about getting the login
>>> token shared, but I'm not sure yet how Fediz does it, shame I haven't
>>> debugged it yet, need to do it asap :-)
>>>
>>> Cheers, Sergey
>>>
>>>   *Romain Manni-Bucau*
>>>
>>>> *Twitter: @rmannibucau*
>>>> *Blog: http://rmannibucau.wordpress.****com<http://rmannibucau.**
>>>> wordpress.com <http://rmannibucau.wordpress.com>>
>>>> *
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> 2012/8/21 Sergey Beryozkin<sberyozkin@gmail.com****>
>>>>
>>>>   On 20/08/12 22:17, Romain Manni-Bucau wrote:
>>>>
>>>>>
>>>>>   two distinct RP webapps (let say in different tomcat).
>>>>>
>>>>>>
>>>>>> currently it "almost works" because with 401 the client (browser)
will
>>>>>> cache authorization header so it will seem it work but since you
>>>>>> change
>>>>>> the
>>>>>> way you login (and the user/pass is no more in headers) it can't
work
>>>>>> anymore (typically a form).
>>>>>>
>>>>>>
>>>>>>  This seems like a state management issue to me. Fediz currently
>>>>> relies on
>>>>> the servlet container to manage the session state, so if you say have
>>>>> the
>>>>> single application running on two Tomcat containers then Tomcat has to
>>>>> be
>>>>> configured to get the state shared between multiple containers, I
>>>>> recall
>>>>> I
>>>>> saw some material on the web on how to do it,
>>>>>
>>>>> Alternatively, the state can be managed by Fediz itself (similarly to
>>>>> the
>>>>> way we do it with Web profile), may be we can support that too once
>>>>> CXF-centric extensions are added
>>>>>
>>>>> Cheers, Sergey
>>>>>
>>>>>
>>>>>   The point today is "what's next' in IDP? I mean, does fediz aims to
>>>>>
>>>>>> provide
>>>>>> extensibility or will user need to fork the IDP to get some custom
>>>>>> features
>>>>>> (i know the answer will not be yes or no ;), but a state is important
>>>>>> IMO)?
>>>>>>
>>>>>> *Romain Manni-Bucau*
>>>>>> *Twitter: @rmannibucau*
>>>>>> *Blog: http://rmannibucau.wordpress.******com<http://rmannibucau.**
>>>>>> wordpress.com<http://**rmannibucau.wordpress.com<http://rmannibucau.wordpress.com>
>>>>>> >>
>>>>>>
>>>>>>
>>>>>> *
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> 2012/8/20 Oliver Wulff<owulff@talend.com>
>>>>>>
>>>>>>    Hi Romain
>>>>>>
>>>>>>
>>>>>>> The IDP has a lot of potential for new features. At the very
>>>>>>> beginning,
>>>>>>> the Fediz IDP was intended to mock an IDP and test your application
>>>>>>> but
>>>>>>> it
>>>>>>> has grown as you can meanwhile attach LDAP for authentication
and
>>>>>>> claims
>>>>>>> support.
>>>>>>>
>>>>>>> I'm not sure what you mean by classical SSO between two web apps?
>>>>>>>
>>>>>>> Thanks
>>>>>>> Oli
>>>>>>>
>>>>>>> ------
>>>>>>>
>>>>>>> Oliver Wulff
>>>>>>>
>>>>>>> Blog: http://owulff.blogspot.com
>>>>>>> Solution Architect
>>>>>>> http://coders.talend.com
>>>>>>>
>>>>>>> Talend Application Integration Division http://www.talend.com
>>>>>>>
>>>>>>> ______________________________******__________
>>>>>>>
>>>>>>>
>>>>>>> From: Romain Manni-Bucau [rmannibucau@gmail.com]
>>>>>>> Sent: 17 August 2012 15:13
>>>>>>> To: dev@cxf.apache.org
>>>>>>> Subject: Re: fediz&    SSO?
>>>>>>>
>>>>>>>
>>>>>>> ok, great, so i'll wait some news from fediz ;)
>>>>>>>
>>>>>>> thanks for the answer
>>>>>>>
>>>>>>> *Romain Manni-Bucau*
>>>>>>> *Twitter: @rmannibucau*
>>>>>>> *Blog: http://rmannibucau.wordpress.******com<http://rmannibucau.**
>>>>>>> wordpress.com<http://**rmannibucau.wordpress.com<http://rmannibucau.wordpress.com>
>>>>>>> >>
>>>>>>> *
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> 2012/8/17 Sergey Beryozkin<sberyozkin@gmail.com******>
>>>>>>>
>>>>>>>    Hi
>>>>>>>
>>>>>>>
>>>>>>>> On 17/08/12 09:11, Romain Manni-Bucau wrote:
>>>>>>>>
>>>>>>>>    Hi,
>>>>>>>>
>>>>>>>>
>>>>>>>>> i didn't see anything in the roadmap of fediz regarding
the
>>>>>>>>> 'classical'
>>>>>>>>> SSO
>>>>>>>>> (between 2 webapps with GUI).
>>>>>>>>>
>>>>>>>>> It doesn't seem to currently work (well that's not a
big surprise
>>>>>>>>> but
>>>>>>>>> that's a big problem for real applications which have
GUI + WS).
>>>>>>>>>
>>>>>>>>> Any information about it?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>    Colm and myself worked on implementing SAML SSO Web
Profile at
>>>>>>>>> the
>>>>>>>>> SP
>>>>>>>>>
>>>>>>>>>
>>>>>>>>   side
>>>>>>>>
>>>>>>>
>>>>>>>   only, currently in CXF, implemented with the help of JAX-RS
>>>>>>>
>>>>>>>> filters/endpoints. I hope we can come to some agreement soon
enough
>>>>>>>> on
>>>>>>>>
>>>>>>>>   how
>>>>>>>>
>>>>>>>
>>>>>>>   to get it linked with Fediz
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>     Another question is the GUI used for the login, a 401
is rarely
>>>>>>>> what
>>>>>>>> an
>>>>>>>>
>>>>>>>>   application wants, any way to use a form or is th eonly
way to
>>>>>>>>
>>>>>>>>> achieve
>>>>>>>>>
>>>>>>>>>   it
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>       forking the existing servlets?
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>   The login form is offered by IDP (Fediz in this case).
We've
>>>>>>>>> chatted
>>>>>>>>>
>>>>>>>> with
>>>>>>>> Oli few months ago on providing CXF-centric Fediz extensions,
when
>>>>>>>> we
>>>>>>>> do
>>>>>>>>
>>>>>>>>   it
>>>>>>>>
>>>>>>>
>>>>>>>   we will be able to utilize JAX-RS RequestDispatcherProvider
which
>>>>>>>
>>>>>>>> links
>>>>>>>>
>>>>>>>>   the
>>>>>>>>
>>>>>>>
>>>>>>>   data with JSP/other view handlers - this is how we do SAML
SSO Post
>>>>>>>
>>>>>>>> Redirect support too
>>>>>>>>
>>>>>>>> Cheers, Sergey
>>>>>>>>
>>>>>>>>
>>>>>>>>    *Romain Manni-Bucau*
>>>>>>>>
>>>>>>>>  *Twitter: @rmannibucau*
>>>>>>>>> *Blog: http://rmannibucau.wordpress.********com<
>>>>>>>>>
>>>>>>>>>   http://rmannibucau.wordpress.******com<http://rmannibucau.**
>>>>>>>>>
>>>>>>>> wordpress.com<http://**rmannibucau.wordpress.com<http://rmannibucau.wordpress.com>
>>>>>>>> >>>
>>>>>>>>
>>>>>>>>
>>>>>>>   *
>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>   --
>>>>>>>>>
>>>>>>>> Sergey Beryozkin
>>>>>>>>
>>>>>>>> Talend Community Coders
>>>>>>>> http://coders.talend.com/
>>>>>>>>
>>>>>>>> Blog: http://sberyozkin.blogspot.com
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>
>>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message