cxf-users mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: User credential delegation
Date Thu, 07 Apr 2011 17:15:25 GMT
On Monday 04 April 2011 3:29:21 AM Jérôme Revillard wrote:
> Hi Colm, all,
> 
> In our platform, the user needs to follow a specific
> authentication/authorization process in order to be able to access all
> the other resources. This process is handled by a specific authentication
> service. It's a bit complex because it needs to talk to many other
> services on behalf of the user identity. So that means that this service
> needs to have access to the user private/public certificate (a proxy
> certificate with a limited lifetime).
> 
> To do so, in our previous implementation, we used the Java Globus
> Toolkit:
> http://lists.globus.org/pipermail/gt-user/2011-January/009645.html. I just
> realized that this delegation was part of the
> WS-SecureConversation protocol inside Globus. Do you know if I can do
> the same thing with CXF?

You "likely can", but it will likely require a bit of work and I really don't 
know enough about how the Globus stuff did it to make suggestions.

Most likely with WS-SecConv, the first request would include the client certs 
that would be required for the authentication.  The conversation token would 
be generated and returned to the client and used from there.   NORMALLY, we 
just discard the certs and such from the first request as it's not needed 
anymore.   However, you could write an interceptor that would record that
information for use later.   Subsequent requests could grab that information
associated with the conversation token and use that for auth decisions and 
such.

Dan


> 
> Best,
> Jerome
> 
> On 01/04/2011 18:01, Colm O hEigeartaigh wrote:
> > Hi Jerome,
> > 
> > Could you explain in more detail what your use-case entails?
> > 
> > Colm.
> > 
> > On Fri, Apr 1, 2011 at 4:53 PM, Jérôme Revillard <jrevillard@maatg.com> wrote:
> >> Dear all,
> >> 
> >> Is there a way with CXF to do credential delegation (get the user
> >> private key server side)? Can WS-Trust help for this?
> >> 
> >> Best,
> >> Jerome
> >> 
> >> --
> >> =====================================================
> >> Dr Jérôme Revillard
> >> CTO MAAT France
> >> www.maatg.com
> >> =====================================================

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
Talend - http://www.talend.com
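
The approach described in the reply above, as an added example that is not part of the original message and is not CXF code: a JDK-only store that an interceptor could call to keep the client certificate chain from the first request and look it up by conversation token on later requests. The class and method names, and the use of the token identifier as the key, are assumptions; obtaining the chain and the identifier from CXF is left to the interceptor.

```java
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

/** Hypothetical helper (not a CXF class): binds the certificate chain seen on
 *  the token-issuing request to the conversation token identifier. */
public final class ConversationCredentialStore {

    private static final class Entry {
        final X509Certificate[] chain;
        final Instant expires;
        Entry(X509Certificate[] chain, Instant expires) {
            this.chain = chain.clone();
            this.expires = expires;
        }
    }

    private final Map<String, Entry> byTokenId = new ConcurrentHashMap<>();

    /** Called while handling the first request, before its certs are discarded. */
    public void record(String tokenId, X509Certificate[] chain, Instant tokenExpiry) {
        if (chain == null || chain.length == 0)
            throw new IllegalArgumentException("empty certificate chain");
        // A short-lived proxy certificate may expire before the token does:
        // the binding lives only as long as the shortest-lived element.
        Instant expires = tokenExpiry;
        for (X509Certificate c : chain) {
            Instant notAfter = c.getNotAfter().toInstant();
            if (notAfter.isBefore(expires)) expires = notAfter;
        }
        if (!expires.isAfter(Instant.now()))
            throw new IllegalArgumentException("credential already expired");
        // A token is bound once; a later request cannot swap in another chain.
        if (byTokenId.putIfAbsent(tokenId, new Entry(chain, expires)) != null)
            throw new IllegalStateException("token already bound");
    }

    /** Called on subsequent requests; empty means no usable credential. */
    public Optional<X509Certificate[]> lookup(String tokenId) {
        Entry e = byTokenId.get(tokenId);
        if (e == null) return Optional.empty();
        if (!e.expires.isAfter(Instant.now())) {
            byTokenId.remove(tokenId, e);   // evict the stale binding
            return Optional.empty();
        }
        return Optional.of(e.chain.clone());
    }
}
```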
