cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: Ideas for standardizing CXF authentication and authorization
Date Thu, 10 Jul 2014 12:57:01 GMT
Hi Łukasz

On 10/07/14 12:38, Łukasz Dywicki wrote:
> Hey Christian,
> Great you brought up this discussion. I already started working on
> integration between Spring Security (SS) and CXF, mainly because JAAS
> was not sufficient in all our cases and SS provides a nice cover for it,
> such as AccessDecisionManager, session controlling and so on. As Oliver
> pointed out, currently CXF is bound to HTTP headers or WSS4J
> callbacks requiring re-sending credentials for each invocation, which
> really limits users while working on more advanced APIs. I would love
> to see support for login/logout operations and session handling within
> CXF.
>
> There are a couple of issues which can not be solved with the current CXF code
> - for example AbstractAuthorizingInInterceptor forces the presence of a
> security context even if a subject is not necessary and the method is not
> annotated with any secure annotation or is annotated with @PermitAll.
We fixed it yesterday.

Cheers, Sergey
>
> Best regards,
> Łukasz
> --
> luke@code-house.org
> Twitter: ldywicki
> Blog: http://dywicki.pl
> Code-House - http://code-house.org
>
>
> 2014-07-10 11:55 GMT+02:00 Oliver Wulff <owulff@talend.com>:
>> Hi Christian
>>
>> I do support the ideas. I think it's important to include the claims based authorization
>> concept as well, as supported by Fediz, but primarily for Web SSO.
>>
>> JAAS is a good concept to separate the transport (HTTP) and the access to the identity
>> store. But JAAS doesn't work for SSO approaches, as supporting the HTTP Basic Authorization header
>> is not sufficient for SAML based protocols (SAML-P, WS-Federation).
>>
>> WDYT?
>>
>> Thanks
>> Oli
>>
>>
>> ------
>>
>> Oliver Wulff
>>
>> Blog: http://owulff.blogspot.com
>> Solution Architect
>> http://coders.talend.com
>>
>> Talend Application Integration Division http://www.talend.com
>>
>> ________________________________________
>> From: Christian Schneider [cschneider111@gmail.com] on behalf of Christian Schneider
>> [chris@die-schneider.net]
>> Sent: 10 July 2014 10:55
>> To: CXF Dev List
>> Subject: Ideas for standardizing CXF authentication and authorization
>>
>> CXF already supports a wide range of authentication and authorization
>> methods. Each of these has to be configured differently though
>> and some are almost unknown by users.
>>
>> So I would like to improve that by standardizing on a common approach
>> that covers all existing variants but makes them accessible in the same way.
>>
>> The only real Java standard for authentication is JAAS. It is built into
>> the JRE and quite flexible. Security frameworks normally also integrate
>> well with JAAS.
>> So the idea is to standardize on JAAS for authentication.
>>
>> Authorization on the other hand has very diverse requirements and in
>> fact is not really directly coupled to CXF at all. After all the same
>> kind of authorization also has to happen in the UI and in the business code.
>> So the idea there is to solve authorization outside of CXF and base the
>> authorization on the JAAS login CXF provides.
>>
>> I have written down my ideas in detail on:
>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988
>>
>> I would be very interested in your feedback on my ideas.
>>
>> Christian
>>
>> --
>> Christian Schneider
>> http://www.liquid-reality.de
>>
>> Open Source Architect
>> http://www.talend.com
>>

