cxf-dev mailing list archives

From Chris Geer <ch...@cxtsoftware.com>
Subject Re: Ideas for standardizing CXF authentication and authorization
Date Sun, 13 Jul 2014 15:50:15 GMT
While authentication/authorization is being discussed it would also be good
if compatibility with Apache Shiro was kept in mind.

On Sunday, July 13, 2014, Andrei Shakirin <ashakirin@talend.com> wrote:

> Hi Christian,
>
> I find your ideas great, IMO it will be a step in the right direction.
> JAAS helps to cleanly decouple authentication/authorization logic from
> business code.
>
> Some thoughts regarding that:
> 1. Authentication
>     Authentication scenarios can be collected in two large groups:
>     a) Service receives client credentials with the request and it is the
> responsibility of either custom code or the container to authenticate the user.
>         For example: usernameToken, basic and digest authentication, SSL
> with client authentication, etc.
>     b) Client firstly communicates with some security server validating the
> client credentials and issuing a security token. Client injects this token
> into the request.  Service validates the token (by sending a request to the
> security server or itself). Samples are SAML token authentication, OAuth,
> Kerberos.
>
> Group (a) fits the JAAS concept very well; it is necessary to extract
> credentials from the appropriate source (UT, AuthorizationPolicy, etc.)
> depending on the authentication mode, create a CallbackHandler and invoke the
> login context. Configured JAAS Login Modules will be used to authenticate the
> user and create the Subject and Principals. Most of this is already implemented
> in JAASLoginInterceptor.
>
> Group (b) is a bit tricky, because the user is authenticated by the security
> server and the service should just validate the token. In this case the JAAS
> Login Module can either take over token validation and fill the Subject
> Principals based on token attributes (like Kerberos does) or skip the
> validation step (if it is already done by CXF interceptors) and create the
> Subject with Principals.
>
> 2. Authorization
> IMO the task that fits JAAS well is mapping the user to roles and creating
> Role Principals. The other authorization steps are either technology or
> container specific: using security annotations, container configuration,
> role-method maps, etc.
>
> By the way, JEE 6 introduced some extensions for JAAS in Java
> Specification Request 196 (
> http://docs.oracle.com/cd/E19575-01/820-3740/ghcwf/index.html). It is
> more message processing oriented, introduces agents for validating security
> tokens or signatures and determines a standard way to obtain user
> principals and group principals. The JSR is primarily designed for JEE
> application servers, but perhaps it makes sense to look into it and use some
> ideas/API from that.
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Christian Schneider [mailto:cschneider111@gmail.com] On Behalf Of
> > Christian Schneider
> > Sent: Donnerstag, 10. Juli 2014 10:56
> > To: CXF Dev List
> > Subject: Ideas for standardizing CXF authentication and authorization
> >
> > CXF already supports a wide range of authentication and authorization
> > methods. Each of these has to be configured differently though and some
> are
> > almost unknown by users.
> >
> > So I would like to improve that by standardizing on a common approach
> that
> > covers all existing variants but makes them accessible in the same way.
> >
> > The only real Java standard for authentication is JAAS. It is built into
> the JRE and
> > quite flexible. Security frameworks normally also integrate well with
> JAAS.
> > So the idea is to standardize on JAAS for authentication.
> >
> > Authorization on the other hand has very diverse requirements and in
> fact is
> > not really directly coupled to CXF at all. After all the same kind of
> authorization
> > also has to happen in the UI and in the business code.
> > So the idea there is to solve authorization outside of CXF and base the
> > authorization on the JAAS login CXF provides.
> >
> > I have written down my ideas in detail on:
> >
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988
> >
> > I would be very interested in your feedback on my ideas.
> >
> > Christian
> >
> > --
> > Christian Schneider
> > http://www.liquid-reality.de
> >
> > Open Source Architect
> > http://www.talend.com
>
>
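
The group (a) flow Andrei describes above (extract credentials, build a CallbackHandler, invoke a LoginContext, let the configured login modules authenticate and populate the Subject with user and role Principals), as an added example that is not part of this thread and not CXF's own JAASLoginInterceptor code. The in-memory user and role tables, the `DemoLoginModule`, the `UserPrincipal`/`RolePrincipal` classes and the `cxf-demo` configuration name are all constructed for illustration; a real module would consult a directory, database or property file, and the configuration would normally come from a jaas.conf file rather than a programmatic `Configuration`. It assumes Java 16 or later (records and pattern-matching `instanceof`).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasFlowExample {

    // Constructed credential and role tables; stand-ins for the real user store.
    static final Map<String, char[]> USERS = Map.of("alice", "s3cret".toCharArray());
    static final Map<String, List<String>> ROLES = Map.of("alice", List.of("admin", "user"));

    /** Identity principal added to the Subject after a successful login (constructed). */
    public record UserPrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    /** Role principal; authorization code outside CXF can check for these (constructed). */
    public record RolePrincipal(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    /** Hypothetical login module: phase one verifies, phase two (commit) adds principals. */
    public static class DemoLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean verified;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });   // pull credentials from the caller
            } catch (Exception e) {
                throw new LoginException("credential callback failed: " + e.getMessage());
            }
            String name = nc.getName() == null ? "" : nc.getName();
            char[] given = pc.getPassword() == null ? new char[0] : pc.getPassword();
            boolean known = USERS.containsKey(name);
            // Constant-time compare; unknown users are compared against an empty secret so
            // that the failure path does the same work as a wrong password.
            char[] expected = known ? USERS.get(name) : new char[0];
            boolean match = MessageDigest.isEqual(bytes(expected), bytes(given));
            pc.clearPassword();
            if (!(known && match)) throw new FailedLoginException("invalid credentials");
            user = name;
            verified = true;
            return true;
        }

        @Override
        public boolean commit() {
            if (!verified) return false;   // only a verified login populates the Subject
            subject.getPrincipals().add(new UserPrincipal(user));
            for (String role : ROLES.getOrDefault(user, List.of()))
                subject.getPrincipals().add(new RolePrincipal(role));   // user -> role mapping
            return true;
        }

        @Override public boolean abort() { verified = false; user = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }

        private static byte[] bytes(char[] chars) {
            return new String(chars).getBytes(StandardCharsets.UTF_8);
        }
    }

    /** Programmatic equivalent of a jaas.conf entry: cxf-demo { DemoLoginModule required; }; */
    static Configuration demoConfiguration() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(
                        DemoLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED, Map.of()) };
            }
        };
    }

    /** What an interceptor does once it has extracted user/password from the request. */
    public static Subject authenticate(String user, char[] password) throws LoginException {
        CallbackHandler handler = callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback nc) nc.setName(user);
                else if (cb instanceof PasswordCallback pc) pc.setPassword(password);
                else throw new UnsupportedCallbackException(cb, "unsupported callback");
            }
        };
        LoginContext lc = new LoginContext("cxf-demo", new Subject(), handler, demoConfiguration());
        lc.login();   // runs login() and then commit() on every configured module
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject s = authenticate("alice", "s3cret".toCharArray());
        System.out.println("principals: " + s.getPrincipals());
        try {
            authenticate("alice", "wrong".toCharArray());
        } catch (FailedLoginException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac JaasFlowExample.java && java JaasFlowExample`. The two-phase login/commit split is what makes a stack of modules safe: no module touches the Subject until the LoginContext has seen every REQUIRED module succeed, and a failure calls abort() on all of them. The RolePrincipals added in commit() are the "mapping user to role" step Andrei assigns to JAAS; everything downstream (annotations, role-method maps) only has to inspect the Subject's principals.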
