cxf-issues mailing list archives

From "Oliver Wulff (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (FEDIZ-23) Support different authentication mechanism
Date Mon, 23 Mar 2015 20:46:52 GMT

     [ https://issues.apache.org/jira/browse/FEDIZ-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oliver Wulff updated FEDIZ-23:
------------------------------
    Description: 
The IDP only supports basic authentication in the current setup.

The IDP should introduce an interface to plug in a custom authentication mechanism.

By default, implementations for the following mechanisms should be provided out of the box:

- form based
- certificate

The authentication mechanism is chosen based on the wauth parameter passed in the signin request.
If this parameter is missing, the configured default is used.

The following configuration snippet illustrates the idea. The FederationEntryPoint (already
implemented but not yet used) reads the wauth parameter and figures out the URL which is protected
by the appropriate authentication protocol. IDPs use different wauth values for the same authentication
protocol, and the IDP configuration allows configuring more than one wauth value for the same
authentication protocol:
{code}
String loginUri = idpConfig.getAuthenticationURIs().get(wauth);
{code}

After the redirect, the entrypoint of a specific http element configuration does the further
processing.

{code}
    <security:http pattern="/federation/" auto-config="false" use-expressions="true"
        entry-point-ref="federationEntryPoint">
        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
            access="isAnonymous() or isAuthenticated()" />
    </security:http>

    <!-- Implemented but not yet used. Redirects to a dedicated http config -->
    <!-- Then the entrypoint of username/password (/federation/up), kerberos (/federation/krb),
         certificate (/federation/cert), ... does the further processing -->
    <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint" />

    <security:http pattern="/federation/krb" auto-config="false" use-expressions="true"
        entry-point-ref="kerberosEntryPoint">
        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
            access="isAnonymous() or isAuthenticated()" />

        <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
    </security:http>

    <bean id="kerberosEntryPoint"
          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />

    <security:http pattern="/federation/up" auto-config="false" use-expressions="true"
        entry-point-ref="">
        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
            access="isAnonymous() or isAuthenticated()" />

        <!-- MUST be http-basic so that the systests run fine -->
        <security:http-basic />
        <!--<security:form-login />-->
    </security:http>

{code}

  was:
The IDP only supports basic authentication in the current setup.

The IDP should introduce an interface to plug in a custom authentication mechanism.

By default, implementations for the following mechanisms should be provided out of the box:

- form based
- certificate


The authentication mechanism is chosen based on the wauth parameter passed in the signin request.
If this parameter is missing, the configured default is used.



> Support different authentication mechanism
> ------------------------------------------
>
>                 Key: FEDIZ-23
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-23
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP
>    Affects Versions: 1.0.0
>            Reporter: Oliver Wulff
>             Fix For: 1.2.0
>
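As an added illustration of the wauth lookup the issue describes (example code written for this page, not Fediz's FederationEntryPoint): the `WauthResolver` class, the `"default"` map key and the sample wauth-to-URI mapping are assumptions, and it treats an unknown wauth like a missing one by falling back to the configured default, which the issue leaves unspecified but which avoids redirecting to a null URI.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/** Resolves the wauth of a signin request to the login URI guarded by the matching
 *  authentication protocol. Hypothetical stand-in for the lookup in the issue; not Fediz code. */
public final class WauthResolver {
    /** Map key of the configured fallback URI (assumption). */
    static final String DEFAULT_KEY = "default";

    private final Map<String, String> authenticationURIs;

    public WauthResolver(Map<String, String> authenticationURIs) {
        if (!authenticationURIs.containsKey(DEFAULT_KEY)) {
            throw new IllegalArgumentException("no default authentication URI configured");
        }
        this.authenticationURIs = Collections.unmodifiableMap(new LinkedHashMap<>(authenticationURIs));
    }

    /** A missing wauth uses the configured default. An unknown wauth (assumed behaviour)
     *  also falls back to the default instead of yielding null. Only values of the
     *  configured map are ever returned, so the client-supplied wauth string can never
     *  become a redirect target itself. */
    public String resolve(String wauth) {
        if (wauth == null || wauth.trim().isEmpty()) {
            return authenticationURIs.get(DEFAULT_KEY);
        }
        String loginUri = authenticationURIs.get(wauth);
        return loginUri != null ? loginUri : authenticationURIs.get(DEFAULT_KEY);
    }

    public static void main(String[] args) {
        // Constructed sample configuration: two keys (the SAML 1.x password method URI
        // and the default key) map to the same endpoint, as the issue says the IDP
        // configuration should allow.
        Map<String, String> uris = new LinkedHashMap<>();
        uris.put(DEFAULT_KEY, "/federation/up");
        uris.put("urn:oasis:names:tc:SAML:1.0:am:password", "/federation/up");
        uris.put("urn:oasis:names:tc:SAML:1.0:am:X509-PKI", "/federation/cert");
        uris.put("urn:ietf:rfc:1510", "/federation/krb");
        WauthResolver resolver = new WauthResolver(uris);
        System.out.println(resolver.resolve(null));
        System.out.println(resolver.resolve("urn:ietf:rfc:1510"));
        System.out.println(resolver.resolve("urn:example:not-configured"));
    }
}
```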



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
