cxf-issues mailing list archives

From "Colm O hEigeartaigh (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (FEDIZ-23) Support different authentication mechanism
Date Wed, 08 Apr 2015 21:12:12 GMT

     [ https://issues.apache.org/jira/browse/FEDIZ-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned FEDIZ-23:
----------------------------------------

    Assignee: Colm O hEigeartaigh

> Support different authentication mechanism
> ------------------------------------------
>
>                 Key: FEDIZ-23
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-23
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP
>    Affects Versions: 1.0.0
>            Reporter: Oliver Wulff
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.2.0
>
>
> The IDP only supports basic authentication in the current setup.
> The IDP should introduce an interface to plug in a custom authentication mechanism.
> By default, implementations for the following mechanisms should be provided out of the box:
> - form based
> - certificate
> The authentication mechanism is chosen based on the wauth parameter passed in the signin request. If this parameter is missing, the configured default is used.
> The following configuration snippet illustrates the idea. The FederationEntryPoint (already implemented but not yet used) reads the wauth parameter and figures out the URL which is protected by the appropriate authentication protocol. IDPs use different wauth values for the same authentication protocol, and the IDP configuration allows configuring more than one wauth value for the same authentication protocol.
> {code}
> String loginUri = idpConfig.getAuthenticationURIs().get(wauth);
> {code}
> After the redirect, the entrypoint of a specific http element configuration does the further processing.
> {code}
>     <security:http pattern="/federation/" auto-config="false" use-expressions="true"
>         entry-point-ref="federationEntryPoint">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
>             access="isAnonymous() or isAuthenticated()" />
>     </security:http>
>     <!-- Implemented but not yet used. Redirects to a dedicated http config -->
>     <!-- Then the entrypoint of username/password (/federation/up), kerberos (/federation/krb), certificate (/federation/cert), ... -->
>     <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint" />
>     <security:http pattern="/federation/krb" auto-config="false" use-expressions="true"
>         entry-point-ref="kerberosEntryPoint">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
>             access="isAnonymous() or isAuthenticated()" />
>         <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
>     </security:http>
>     <bean id="kerberosEntryPoint"
>           class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
>     <security:http pattern="/federation/up" auto-config="false" use-expressions="true"
>         entry-point-ref="">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
>             access="isAnonymous() or isAuthenticated()" />
>         <!-- MUST be http-basic thus systests run fine -->
>         <security:http-basic />
>         <!--<security:form-login />-->
>     </security:http>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
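
The wauth lookup described in the issue, as an added Java example that is not part of the original message and is not Fediz code: the request parameter is used only as a key into the configured map, several wauth values map to the same protected URL, and a missing parameter falls back to the configured default. The class name `WauthResolver`, the sample wauth values, and the choice to refuse an unrecognised wauth instead of falling back are assumptions.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added illustration; WauthResolver and its methods are hypothetical names, not Fediz classes.
public class WauthResolver {
    private final Map<String, String> authenticationURIs; // wauth value -> protected URL
    private final String defaultWauth;

    public WauthResolver(Map<String, String> authenticationURIs, String defaultWauth) {
        if (!authenticationURIs.containsKey(defaultWauth)) {
            throw new IllegalArgumentException("default wauth has no configured URI");
        }
        this.authenticationURIs = Map.copyOf(authenticationURIs);
        this.defaultWauth = defaultWauth;
    }

    /** Returns a configured login URI; the request value is never copied into the redirect. */
    public String resolve(String wauth) {
        if (wauth == null || wauth.isEmpty()) {
            return authenticationURIs.get(defaultWauth); // missing parameter: configured default
        }
        String loginUri = authenticationURIs.get(wauth);
        if (loginUri == null) {
            // Assumption: an unrecognised wauth is refused, not silently mapped to the default.
            throw new IllegalArgumentException("unsupported wauth value");
        }
        return loginUri;
    }

    public static void main(String[] args) {
        // Constructed sample configuration: two wauth values share one protocol URL.
        Map<String, String> uris = new LinkedHashMap<>();
        uris.put("urn:oasis:names:tc:SAML:1.0:am:password", "/federation/up");
        uris.put("urn:oasis:names:tc:SAML:2.0:ac:classes:Password", "/federation/up");
        uris.put("urn:ietf:rfc:1510", "/federation/krb");
        uris.put("urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos", "/federation/krb");
        uris.put("urn:ietf:rfc:2246", "/federation/cert");
        WauthResolver resolver = new WauthResolver(uris, "urn:oasis:names:tc:SAML:1.0:am:password");

        System.out.println(resolver.resolve(null));
        System.out.println(resolver.resolve("urn:ietf:rfc:1510"));
        try {
            resolver.resolve("urn:example:unknown");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```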
