From Oliver Wulff <owu...@talend.com>
Subject AW: AW: User credential delegation
Date Thu, 07 Apr 2011 20:09:25 GMT
Good evening Jérôme

>>>
I have to say that I don't understand exactly what you mean. I know SAML
but not very well and I honestly did not have time to look carefully at
WS-Trust yet.
>>>
WS-Trust and SAML gives you so many options for authentication and security token transformation.
So it really depends on the requirements you have like:
- Is it secure enough for users to authenticate using username/password? Or does each user
require a certificate? Is it required that the security token attached to the web service
requests is protected against a man-in-the-middle attack which grabs this token and sends
requests on behalf of the other user? Sometimes, it's enough to use HTTPS but in some cases,
the service provider wants to prove whether the caller is in possession of a key which
is only known to him (and not to the "man-in-the-middle"). Then, you require SAML Holder-Of-Key
(HOK) subject confirmation.
- What are the requirements for the communication between the gateway and the target services?
Of course, you can't just delegate the SAML HOK token because the intermediary is not in
possession of the secret.

>>>
Do you have any documentation that I could use to
understand your explanation properly? (if the documentation uses CXF
it's even better ;-)).
>>>
CXF 2.4 will have a lot of new functionality with respect to improved support for SAML and
WS-Trust. I'm currently working within a project where we want to solve similar security challenges
where it is a requirement that the target service knows the original user.

>>>
Concerning the STS, should I create one?
>>>
I'm looking into OpenAM (successor of Sun's OpenSSO) right now.

Thanks
Oli
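As an added simulation (not CXF code, and not from any message in this thread), the following Python models the point above in symmetric-key form: a holder-of-key assertion is only accepted from a presenter that can prove possession of the confirmed key, so the intermediary cannot replay it and must instead obtain a bearer assertion from the STS that names the original user. The keys and names (STS_KEY, USER_KEY, GATEWAY_KEY, KEY_REGISTRY) are constructed placeholders, and HMACs stand in for the XML signatures a real STS and service would use.

```python
import hashlib, hmac, json

# Constructed keys for this simulation only (not real credentials).
STS_KEY = b"sts-signing-key"       # the STS signs every assertion it issues
USER_KEY = b"jerome-proof-key"     # proof key known only to the original user
GATEWAY_KEY = b"gateway-key"       # key of the intermediary (the CXF gateway)
KEY_REGISTRY = {"user-key": USER_KEY}   # the service's registry of known proof keys

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def issue_assertion(subject, confirmation, key_id=None):
    """STS issues a SAML-style assertion: 'bearer', or 'holder-of-key' naming the proof key."""
    body = {"subject": subject, "confirmation": confirmation, "key_id": key_id}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "sts_sig": _mac(STS_KEY, payload)}

def sign_request(assertion, message, presenter_key):
    """The presenter attaches the assertion and signs message+assertion with its own key."""
    to_sign = message.encode() + assertion["sts_sig"].encode()
    return {"assertion": assertion, "message": message, "proof": _mac(presenter_key, to_sign)}

def verify_request(req):
    """Target service: returns the accepted subject, or None if the request must be rejected."""
    a = req["assertion"]
    payload = json.dumps(a["body"], sort_keys=True).encode()
    if not hmac.compare_digest(a["sts_sig"], _mac(STS_KEY, payload)):
        return None                     # assertion forged or tampered with
    if a["body"]["confirmation"] == "holder-of-key":
        key = KEY_REGISTRY.get(a["body"]["key_id"])
        if key is None:
            return None
        expected = _mac(key, req["message"].encode() + a["sts_sig"].encode())
        if not hmac.compare_digest(req["proof"], expected):
            return None                 # presenter does not hold the confirmed key
    return a["body"]["subject"]

def demo():
    hok = issue_assertion("jerome", "holder-of-key", "user-key")
    # 1. The user presents the HOK token to the gateway and proves possession: accepted.
    user_hop = verify_request(sign_request(hok, "call gateway", USER_KEY))
    # 2. The gateway cannot forward the same HOK token: it lacks the user's key.
    replay = verify_request(sign_request(hok, "call target", GATEWAY_KEY))
    # 3. So the gateway obtains a bearer token naming the original user for the next hop.
    bearer = issue_assertion("jerome", "bearer")
    next_hop = verify_request(sign_request(bearer, "call target", GATEWAY_KEY))
    # 4. A bearer token whose subject was edited after issue fails the STS signature check.
    bearer["body"]["subject"] = "admin"
    tampered = verify_request(sign_request(bearer, "call target", GATEWAY_KEY))
    return user_hop, replay, next_hop, tampered
```

Because the bearer hop is not bound to any key, the gateway-to-service leg still needs transport protection (HTTPS) and a short assertion lifetime, which is why the HOK-then-bearer split above matches the two requirements listed in the message.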

________________________________________
From: Jérôme Revillard [jrevillard@maatg.com]
Sent: Thursday, 7 April 2011 21:19
To: Oliver Wulff
Cc: users@cxf.apache.org; coheigea@apache.org
Subject: Re: AW: User credential delegation

Hello Olivier,

On 07/04/2011 20:53, Oliver Wulff wrote:
> Hi Jérôme
>
> As I understand your scenario, globus is acting as an intermediary where the http(s)
> connection is terminated. Globus does some processing with the message and must call other
> services on behalf of the original user which triggered the call. Am I right?

Yes. In fact it is not Globus that needs to call other services on
behalf of the original user but one service that was developed with the
Globus toolkit framework and that I'm migrating to Apache CXF. But
that's basically the same.

> If yes, WS-Trust addresses this use case. The intermediary (Globus) can get issued a
> security token from the STS on behalf of the original caller. This means that you could use
> SAML HOK between the original application and the intermediary and SAML Bearer (including
> the original user id) to the target services.
>
> Does this make sense to you?

I have to say that I don't understand exactly what you mean. I know SAML
but not very well and I honestly did not have time to look carefully at
WS-Trust yet. Do you have any documentation that I could use to
understand your explanation properly? (if the documentation uses CXF
it's even better ;-)).

Concerning the STS, should I create one?

Thanks for your help,
Best,
Jerome



> Thanks
> Oli
>
> ________________________________________
> From: Daniel Kulp [dkulp@apache.org]
> Sent: Thursday, 7 April 2011 19:15
> To: users@cxf.apache.org
> Cc: Jérôme Revillard; coheigea@apache.org
> Subject: Re: User credential delegation
>
> On Monday 04 April 2011 3:29:21 AM Jérôme Revillard wrote:
>> Hi Colm, all,
>>
>> In our platform, the user needs to follow a specific
>> authentication/authorization process in order to be able to access all
>> the other resources. This process is handled by a specific authentication
>> service. It's a bit complex because it needs to talk to many other
>> services on behalf of the user identity. So that means that this service
>> needs to have access to the user private/public certificate (a proxy
>> certificate with a limited lifetime).
>>
>> To do so, in our previous implementation, we used the Java Globus
>> toolkit:
>> http://lists.globus.org/pipermail/gt-user/2011-January/009645.html. I just
>> realized that this delegation was part of the
>> WS-SecureConversation protocol inside globus. Do you know if I can do
>> the same thing with CXF?
> You "likely can", but it will likely require a bit of work and I really don't
> know enough about how the Globus stuff did it to make suggestions.
>
> Most likely with WS-SecConv, the first request would include the client certs
> that would be required for the authentication.  The conversation token would
> be generated and returned to the client and used from there.   NORMALLY, we
> just discard the certs and such from the first request as it's not needed
> anymore.   However, you could write an interceptor that would record that
> information for use later.   Subsequent requests could grab that information
> associated with the conversation token and use that for auth decisions and
> such.
>
> Dan
>
>
>> Best,
>> Jerome
>>
>> On 01/04/2011 18:01, Colm O hEigeartaigh wrote:
>>> Hi Jerome,
>>>
>>> Could you explain in more detail what your use-case entails?
>>>
>>> Colm.
>>>
>>> On Fri, Apr 1, 2011 at 4:53 PM, Jérôme Revillard <jrevillard@maatg.com>
>>> wrote:
>>>> Dear all,
>>>>
>>>> Is there a way with CXF to do credential delegation (get the user
>>>> private key server side)? Can WS-Trust help for this?
>>>>
>>>> Best,
>>>> Jerome
>>>>
>>>> --
>>>> =====================================================
>>>> Dr Jérôme Revillard
>>>> CTO MAAT France
>>>> www.maatg.com
>>>> =====================================================
> --
> Daniel Kulp
> dkulp@apache.org
> http://dankulp.com/blog
> Talend - http://www.talend.com

--
=====================================================
Dr Jérôme Revillard
CTO MAAT France
www.maatg.com

Immeuble Alliance Entree A,
74160 Archamps (France)

Mob.    0034 607 700 106
Tel.    0033 450 439 602
Fax.    0033 450 439 601
=====================================================