cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christian Schneider <>
Subject Re: Ideas for standardizing CXF authentication and authorization
Date Thu, 10 Jul 2014 12:02:10 GMT
I think it could still work at least partly.

In a project we had a similar requirement. The service call was 
authenticated using a SAML token from an STS server.
So we did the following. In a first step we mapped from the identity 
provided by the saml token to a username. Then we used a modified 
LdapLoginModule to do the JAAS login.
As the authentication already happened inside WS-Security we made the 
LdapLoginModule skip the password check and just establish the JAAS 
login context and add the roles of the user.

So the effect was that we had a JAAS login that could be used for 
authorization. So the authorization part was the same as with a username 
/ password based authentication.

I think our approach could event be improved. With a special LoginModule 
we could do the mapping from token identity to username inside the login 
module and perhaps even do the token validation.
Then we could also add the SAML token to the JAAS Subject.

This would then allow to use the JAAS login for a chained service call 
to another service. We could retrieve the SAML token there and use it to 
get an onBehalfOf token from STS. So we would be able to do chained 
service calls with full single sign on.

Another single sign on case would be to start with a local JAAS login 
with kerberos. The jaas context from this login could then be used on 
outgoing calls to authenticate against the STS using Spnego auth and 
retrieve a SAML token.

Both cases together would then support a complete single sign on from 
kerberos on the client (e.g. Windows Auth) to directly called service 
endpoints (SAML Token) as well as chained calls from there (onBehalfOf 
SAML token).

What do you think?


On 10.07.2014 11:55, Oliver Wulff wrote:
> Hi Christian
> I do support the ideas. I think it's important to include claims based authorization
concept as well as supported by Fediz, but primarely for Web SSO.
> JAAS is a good concept to seperate the transport (HTTP) and the access to the identity
store. But JAAS doesn't work for SSO approaches as supporting HTTP Basic Authorization Header
is not sufficient for SAML based protocols (SAML-P, WS-Federation).
> Thanks
> Oli
> ------
> Oliver Wulff
> Blog:
> Solution Architect
> Talend Application Integration Division

Christian Schneider

Open Source Architect

View raw message