cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Łukasz Dywicki <>
Subject Re: Ideas for standardizing CXF authentication and authorization
Date Thu, 10 Jul 2014 11:38:15 GMT
Hey Christian,
Great you brought this discussion. I already started working on
integration between spring security (SS) and cxf, mainly because JAAS
was not sufficient in all our cases and SS provides nice cover to it
such AccessDecisionManager session controlling and so on. As Oliver
pointed out - currently CXF is bound to HTTP headers or WSS4J
callbacks requiring re-sending credentials for each invocation which
really limit users while working on more advanced APIs. I would love
to see support for login/logout operations and session handling within

There are couple issues which can not be solved with current CXF code
- for example AbstractAuthorizingInInterceptor forces presence of
security context even if subject is not necessary and method is not
annotated with any secure annotation or is annotated with @PermitAll.

Best regards,
Twitter: ldywicki
Code-House -

2014-07-10 11:55 GMT+02:00 Oliver Wulff <>:
> Hi Christian
> I do support the ideas. I think it's important to include claims based authorization
concept as well as supported by Fediz, but primarely for Web SSO.
> JAAS is a good concept to seperate the transport (HTTP) and the access to the identity
store. But JAAS doesn't work for SSO approaches as supporting HTTP Basic Authorization Header
is not sufficient for SAML based protocols (SAML-P, WS-Federation).
> Thanks
> Oli
> ------
> Oliver Wulff
> Blog:
> Solution Architect
> Talend Application Integration Division
> ________________________________________
> From: Christian Schneider [] on behalf of Christian Schneider
> Sent: 10 July 2014 10:55
> To: CXF Dev List
> Subject: Ideas for standardizing CXF authentication and authorization
> CXF already supports a wide range of authentication and authorization
> methods. Each of these has to be configured differently though
> and some are almost unknown by users.
> So I would like to improve that by standardizing on a common approach
> that covers all existing variants but makes them accessible in the same way.
> The only real java standard for authentication is JAAS. It is built into
> the jre and quite flexible. Security frameworks normally also integrate
> well with JAAS.
> So the idea is to standardize on JAAS for authentication.
> Authorization on the other hand has very diverse requirements and in
> fact is not really directly coupled to CXF at all. After all the same
> kind of authorization also has to happen in the UI and in the business code.
> So the idea there is to solve authorization outside of CXF and base the
> authorization on the JAAS login CXF provides.
> I have written down my ideas in detail on:
> I would be very interested in your feedback on my ideas.
> Christian
> --
> Christian Schneider
> Open Source Architect

View raw message