Return-Path: 
 <issues-return-33937-apmail-cxf-issues-archive=cxf.apache.org@cxf.apache.org>
X-Original-To: apmail-cxf-issues-archive@www.apache.org
Delivered-To: apmail-cxf-issues-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id BB19017DAC
	for <apmail-cxf-issues-archive@www.apache.org>;
 Wed,  8 Apr 2015 21:12:12 +0000 (UTC)
Received: (qmail 36924 invoked by uid 500); 8 Apr 2015 21:12:12 -0000
Delivered-To: apmail-cxf-issues-archive@cxf.apache.org
Received: (qmail 36875 invoked by uid 500); 8 Apr 2015 21:12:12 -0000
Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@cxf.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@cxf.apache.org>
List-Post: <mailto:issues@cxf.apache.org>
List-Id: <issues.cxf.apache.org>
Reply-To: dev@cxf.apache.org
Delivered-To: mailing list issues@cxf.apache.org
Received: (qmail 36863 invoked by uid 99); 8 Apr 2015 21:12:12 -0000
Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 08 Apr 2015 21:12:12 +0000
Date: Wed, 8 Apr 2015 21:12:12 +0000 (UTC)
From: "Colm O hEigeartaigh (JIRA)" <jira@apache.org>
To: issues@cxf.apache.org
Message-ID: <JIRA.12604683.1345756009000.31801.1428527532551@Atlassian.JIRA>
In-Reply-To: <JIRA.12604683.1345756009000@Atlassian.JIRA>
References: <JIRA.12604683.1345756009000@Atlassian.JIRA>
 <JIRA.12604683.1345756009023@arcas>
Subject: [jira] [Assigned] (FEDIZ-23) Support different authentication
 mechanism
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394


     [ https://issues.apache.org/jira/browse/FEDIZ-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh reassigned FEDIZ-23:
----------------------------------------

    Assignee: Colm O hEigeartaigh

> Support different authentication mechanism
> ------------------------------------------
>
>                 Key: FEDIZ-23
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-23
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP
>    Affects Versions: 1.0.0
>            Reporter: Oliver Wulff
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.2.0
>
>
> The IDP only supports basic authentication in the current setup.
> The IDP should introduce an interface to plugin a custom authentication mechanism.
> Per default, implementation for the following mechanism should be provided out of the box:
> - form based
> - certificate
> The authentication mechanism is chosen based on the wauth parameter passed in the signin request. If this parameter is missing the configured default is used.
> The following configuration snippet illustrate the idea. The FederationEntryPoint (already implemented but not yet used) reads the wauth Parameter and figures out the url which is protected by the appropriate authentication protocol. IDPs use different wauth values for the same authentication protocol and the IDP configuration allows to configure more than one wauth value for the same authentication protocol
> {code}
> String loginUri = idpConfig.getAuthenticationURIs().get(wauth);
> {code}
> After the redirect, the entrypoint of a specific http element configuration does the further processing.
> {code}
>     <security:http pattern="/federation/" auto-config="false" use-expressions="true"
>         entry-point-ref="federationEntryPoint">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
>     </security:http>
>     <!-- Implemented but not yet used. Redirects to a dedicated http config -->
>     <!-- Then the entrypoint of username/password (/federation/up), kerberos (/federation/krb), certificate (/federation/cert), ...
>     <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint" />
>     <security:http pattern="/federation/krb" auto-config="false" use-expressions="true"
>         entry-point-ref="kerberosEntryPoint">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
>         <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
>     </security:http>
>     <bean id="kerberosEntryPoint"
>           class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
>     <security:http pattern="/federation/up" auto-config="false" use-expressions="true" entry-point-ref="">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
>         <!-- MUST be http-basic thus systests run fine -->
>         <security:http-basic />
>         <!--<security:form-login />-->
>     </security:http>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)