cxf-dev mailing list archives

From Sergey Beryozkin
Subject Re: REST security enhancements
Date Wed, 05 Feb 2014 21:21:46 GMT
Hi Oli
On 05/02/14 19:56, Oliver Wulff wrote:
> Hi there
> For the REST services of the Fediz IDP I'd like to support initially three security use
> 1) Basic Authentication, Username/Password validated against the STS
> 2) Basic Authentication, Username/Password validated with JAAS
I guess realistically, in case of Basic, it is either 1 or 2

> 3) SAML token in Basic Authorization header
> In CXF 3.0, each REST security interceptor enforces the security credentials it supports.
> Therefore, you can't just configure all interceptors like:
> The interceptors should not throw an exception but instead assert the token (similar
> the policy) and finally an interceptor checks whether one token was provided and successfully
> Other ideas?
I'll be OK with the individual interceptors enforcing it. Otherwise we'd 
need to chain them, etc, but having a basic delegating interceptor which 
would check the authorization scheme and do something like:

public void handleMessage(Message message) {
    if (isBasic(message.get(Message.REQUEST_HEADERS))) {
    } else {
    }
}

Some basic policy support can be thought of as well, as you said, for 
example, we can have a BasicAuthJaas policy - this will use JAAS 
interceptor, etc. I think the policies are more interesting when we can 
expect some interoperability but also when a series of interceptors is 
needed to validate a single requirement...

So I'd start with the direct coding first
Cheers, Sergey

> Thanks
> Oli
> ------
> Oliver Wulff
> Solution Architect
> Talend Application Integration Division

Sergey Beryozkin

Talend Community Coders
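
An added example, not part of the original message or of CXF's own code: the delegating check sketched in the reply above, written as plain Java with no CXF types so it runs on its own. The class name, the validator map, the "SAML" scheme label and the sample credentials are assumptions constructed for illustration; the dispatcher fails closed when the header is missing, duplicated, malformed or uses an unregistered scheme.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.function.Predicate;
// Hypothetical stand-alone sketch; SchemeDispatch is not a CXF class.
public class SchemeDispatch {
    // Lower-cased Authorization scheme -> validator for the credentials part.
    private final Map<String, Predicate<String>> validators = new HashMap<>();

    void register(String scheme, Predicate<String> validator) {
        validators.put(scheme.toLowerCase(Locale.ROOT), validator);
    }

    // True only if exactly one Authorization header is present, its scheme has
    // a registered validator, and that validator accepts the credentials.
    boolean authenticate(List<String> authorizationHeaders) {
        if (authorizationHeaders == null || authorizationHeaders.size() != 1) {
            return false; // missing or ambiguous credentials: fail closed
        }
        String value = authorizationHeaders.get(0).trim();
        int space = value.indexOf(' ');
        if (space <= 0) {
            return false; // not of the form "<scheme> <credentials>"
        }
        String scheme = value.substring(0, space).toLowerCase(Locale.ROOT);
        String credentials = value.substring(space + 1).trim();
        Predicate<String> validator = validators.get(scheme);
        return validator != null && !credentials.isEmpty() && validator.test(credentials);
    }

    public static void main(String[] args) {
        SchemeDispatch dispatch = new SchemeDispatch();
        // Constructed validators standing in for the STS/JAAS and SAML checks.
        dispatch.register("Basic", c -> {
            try {
                byte[] raw = Base64.getDecoder().decode(c);
                return "alice:constructed-pw".equals(new String(raw, StandardCharsets.UTF_8));
            } catch (IllegalArgumentException e) {
                return false; // malformed base64 is a failed authentication
            }
        });
        dispatch.register("SAML", c -> c.equals("constructed-assertion"));
        String basic = "basic " + Base64.getEncoder()
                .encodeToString("alice:constructed-pw".getBytes(StandardCharsets.UTF_8));
        System.out.println(dispatch.authenticate(List.of(basic)));
        System.out.println(dispatch.authenticate(List.of("SAML constructed-assertion")));
        System.out.println(dispatch.authenticate(List.of("Digest abc")));
        System.out.println(dispatch.authenticate(List.of(basic, "SAML constructed-assertion")));
    }
}
```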

