cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: REST security enhancements
Date Wed, 05 Feb 2014 21:21:46 GMT
Hi Oli
On 05/02/14 19:56, Oliver Wulff wrote:
> Hi there
>
> For the REST services of the Fediz IDP I'd like to support initially three security use cases.
>
> 1) Basic Authentication, Username/Password validated against the STS
> 2) Basic Authentication, Username/Password validated with JAAS
I guess realistically, in case of Basic, it is either 1 or 2

> 3) SAML token in Basic Authorization header
>
> In CXF 3.0, each REST security interceptor enforces the security credentials it supports. Therefore, you can't just configure all interceptors like:
> org.apache.cxf.ws.security.trust.AuthPolicyValidatingInterceptor
> org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler
> org.apache.cxf.jaxrs.security.JAASAuthenticationFilter
>
> The interceptors should not throw an exception but instead assert the token (similar to the policy) and finally an interceptor checks whether one token was provided and successfully validated.
>
> Other ideas?
>
I'll be OK with the individual interceptors enforcing it. Otherwise we'd 
need to chain them, etc, but having a basic delegating interceptor which 
would check the authorization scheme and do something like:

public void handleMessage(Message message) {
    if (isBasic(message.get(Message.REQUEST_HEADERS))) {
        // Basic scheme: hand over to the Basic (STS or JAAS) interceptor
        basicAuthInterceptor.handleMessage(message);
    } else {
        // anything else is treated as a SAML token and validated by the SAML interceptor
        samlInterceptor.handleMessage(message);
    }
}

Some basic policy support can be thought of as well, as you said, for 
example, we can have a BasicAuthJaas policy - this will use JAAS 
interceptor, etc. I think the policies are more interesting when we can 
expect some interoperability but also when a series of interceptors is 
needed to validate a single requirement...

So I'd start with the direct coding first.
Cheers, Sergey



> Thanks
> Oli
>
>
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
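The delegating interceptor Sergey sketches above, worked through as a JAX-RS ContainerRequestFilter. This is an added example, not code from the thread or from CXF/Fediz: it assumes the scheme names "Basic" and "SAML" as the dispatch keys, uses a constructed in-memory credential map as the Basic delegate (cases 1 and 2 would instead delegate to the STS or JAAS validator), and takes the SAML delegate as an injected filter assumed to implement ContainerRequestFilter. The point it adds to the sketch is the fail-closed check Oliver asked for: after exactly one delegate has run, the request is rejected with 401 unless that delegate actually established a SecurityContext with a principal, so an unknown scheme, a malformed credential or a delegate that silently declines can never fall through to the resource.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Base64;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

/**
 * Hypothetical delegating filter (example code, not CXF's): selects exactly one
 * delegate by Authorization scheme, runs it, and fails closed unless the delegate
 * established a SecurityContext carrying a principal.
 */
public class DelegatingAuthFilter implements ContainerRequestFilter {

    private static final String CHALLENGE = "Basic realm=\"fediz-idp\"";

    // lower-cased scheme -> filter that validates that scheme's credential
    private final Map<String, ContainerRequestFilter> delegates;

    public DelegatingAuthFilter(Map<String, ContainerRequestFilter> delegates) {
        this.delegates = delegates;
    }

    @Override
    public void filter(ContainerRequestContext ctx) throws IOException {
        String header = ctx.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || header.trim().isEmpty()) {
            reject(ctx);
            return;
        }
        // The scheme is the first token; RFC 7235 makes it case-insensitive.
        String scheme = header.trim().split("\\s+", 2)[0].toLowerCase(Locale.ROOT);
        ContainerRequestFilter delegate = delegates.get(scheme);
        if (delegate == null) {
            reject(ctx);                  // unknown scheme: no default branch
            return;
        }
        delegate.filter(ctx);
        SecurityContext sc = ctx.getSecurityContext();
        if (sc == null || sc.getUserPrincipal() == null) {
            reject(ctx);                  // delegate ran but asserted no identity
        }
    }

    private static void reject(ContainerRequestContext ctx) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .header(HttpHeaders.WWW_AUTHENTICATE, CHALLENGE).build());
    }

    /** Basic delegate backed by a constructed in-memory map; stands in for STS/JAAS. */
    public static class InMemoryBasicAuthFilter implements ContainerRequestFilter {
        private final Map<String, String> users;

        public InMemoryBasicAuthFilter(Map<String, String> users) {
            this.users = users;
        }

        @Override
        public void filter(ContainerRequestContext ctx) {
            // the dispatcher already matched the "Basic" scheme, so strip its 5 chars
            String encoded = ctx.getHeaderString(HttpHeaders.AUTHORIZATION).trim().substring(5).trim();
            String decoded;
            try {
                decoded = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
            } catch (IllegalArgumentException e) {
                return;                   // malformed base64: leave no SecurityContext
            }
            int colon = decoded.indexOf(':');
            if (colon < 0) {
                return;                   // no user:password separator
            }
            final String user = decoded.substring(0, colon);
            String password = decoded.substring(colon + 1);
            String expected = users.get(user);
            // constant-time compare so a wrong password costs the same as an unknown user
            byte[] given = password.getBytes(StandardCharsets.UTF_8);
            byte[] want = (expected == null ? "" : expected).getBytes(StandardCharsets.UTF_8);
            if (expected == null || !MessageDigest.isEqual(given, want)) {
                return;
            }
            final boolean secure = ctx.getSecurityContext() != null && ctx.getSecurityContext().isSecure();
            ctx.setSecurityContext(new SecurityContext() {
                public Principal getUserPrincipal() { return () -> user; }
                public boolean isUserInRole(String role) { return false; }
                public boolean isSecure() { return secure; }
                public String getAuthenticationScheme() { return SecurityContext.BASIC_AUTH; }
            });
        }
    }

    /** Wiring example; samlDelegate is assumed to be a ContainerRequestFilter. */
    public static DelegatingAuthFilter example(ContainerRequestFilter samlDelegate) {
        Map<String, String> users = new HashMap<>();
        users.put("alice", "constructed-demo-password");   // constructed sample credential
        Map<String, ContainerRequestFilter> delegates = new HashMap<>();
        delegates.put("basic", new InMemoryBasicAuthFilter(users));
        delegates.put("saml", samlDelegate);
        return new DelegatingAuthFilter(delegates);
    }
}
```

Register `example(...)` as a provider with @Priority(Priorities.AUTHENTICATION) so it runs before any authorization filter. The delegates never abort the request themselves; they only set or withhold a SecurityContext, and the single reject in the delegating filter is the one place a 401 is produced, which keeps the "assert, then check once" structure Oliver described while still giving each scheme its own validator.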
