cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francisco Serrano <francisco.serr...@mimacom.com>
Subject Re: IDP resolver feature
Date Tue, 31 Jan 2012 14:58:50 GMT
Hi Oliver, great thanks,

>From my understanding this would let us to use it even before the IDP resolution mechanism
so we could gain even more control, right?

I think this would be a good extension point as with the request we get with the callback
we could manage to do the redirect to the corresponding IDP depending on the request URL.


Is this correct?

Thanks again Oliver.

Fran.

El 27/01/2012, a las 10:44, Oliver Wulff escribió:

> Hi Fran
> 
> What do you think about the following proposal?
> 
> I'd like to use the callback api's provided by Java to add this extension point which
means that you have to implement a CallbackHandler implementation. In the handle method you
get a specific Callback object like this one:
> 
>>>> 
> import javax.security.auth.callback.Callback;
> import javax.servlet.http.HttpServletRequest;
> 
> 
> public class IDPCallback implements Callback {
> 
>    private HttpServletRequest request = null;
>    private URL issuerUrl = null;
>    private String trustedIssuer = null;
> 
>    public IDPCallback(HttpServletRequest request) {
>        super();
>        this.request = request;
>    }
> 
>    public IDPCallback(HttpServletRequest request, URL issuerUrl,
>            String trustedIssuer) {
>        super();
>        this.request = request;
>        this.issuerUrl = issuerUrl;
>        this.trustedIssuer = trustedIssuer;
>    }
> 
>    public HttpServletRequest getRequest() {
>        return request;
>    }
>    public void setRequest(HttpServletRequest request) {
>        this.request = request;
>    }
>    public URL getIssuerUrl() {
>        return issuerUrl;
>    }
>    public void setIssuerUrl(URL issuerUrl) {
>        this.issuerUrl = issuerUrl;
>    }
>    public String getTrustedIssuer() {
>        return trustedIssuer;
>    }
>    public void setTrustedIssuer(String trustedIssuer) {
>        this.trustedIssuer = trustedIssuer;
>    }
> 
> }
>>>> 
> 
> Your custom callback handler could be implemented like this:
> 
>>>> 
> import java.io.IOException;
> 
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.UnsupportedCallbackException;
> 
> 
> public class DummyCallbackHandler implements CallbackHandler {
> 
>    public void handle(Callback[] callbacks) throws IOException,
>    UnsupportedCallbackException {
> 
>        for (int i = 0; i < callbacks.length; i++) {
>            if (callbacks[i] instanceof IDPCallback) { 
>                IDPCallback pc = (IDPCallback) callbacks[i];
> 
>                //todo
>            }
>        }
>    }
> }
>>>> 
> 
> The callback handler will be configured in the valve.
> 
> What do you think?
> 
> 
> ------
> 
> Oliver Wulff
> 
> http://owulff.blogspot.com
> Solution Architect
> Talend Application Integration Division http://www.talend.com
> 
> ________________________________________
> Von: Oliver Wulff [owulff@talend.com]
> Gesendet: Mittwoch, 25. Januar 2012 08:11
> Bis: users@cxf.apache.org
> Betreff: AW: IDP resolver feature
> 
> Hi Fran
> 
> This is the so called "home realm discovery" mechanism which is usually deployed in the
resource idp. I get back to you asap. This plugin mechanism can then be configured either
in the relying party or within the resource idp.
> 
> Thanks
> Oli
> 
> 
> ------
> 
> Oliver Wulff
> 
> http://owulff.blogspot.com
> Solution Architect
> Talend Application Integration Division http://www.talend.com
> 
> ________________________________________
> Von: Francisco Serrano [francisco.serrano@mimacom.com]
> Gesendet: Freitag, 20. Januar 2012 19:34
> Bis: users@cxf.apache.org
> Betreff: IDP resolver feature
> 
> Hi List!
> 
> Regarding the last post I wrote in this mailing list (two approaches for the IDP resolution
depending on which application is asking for the token), I think it would be a great and "reusable"
idea that the Tomcat plugin for the token processing and IDP redirection was able to be configured
in a separated file, where you could write which IDP would be the correct to challenge the
user depending on, for example, the pattern of the request URL.
> For example, if an application tries to access a secured resource like "http://www.mydomain.com/internal",
as "internal" is a substring of the requested URL, it would be resolved to IDP1, while for
a request like "http://www.otherdomain.com/external" would resolve against a second IDP.
> 
> As a proposal, the valve could be configured referring an IDP resolver bean with all
the mappings needed for the resolution. Given the default configuration in the valve:
> 
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> <Context> <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
issuerURL="https://localhost:9443/fedizidp/" truststoreFile="conf/stsstore.jks" truststorePassword="thepass"
trustedIssu er=".*CN=www.mydomain.com.*" /> </Context>
> 
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> An approach could be to have an extension point like being able to specify the "idpResolverConfig"
instead of the issuerURL, and this idpResolverConfig would keep the information needed to
to the appropiate redirect in another spring configuration xml file (for example):
> 
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> <Context> <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
idpResolverConfig ="conf/idpResolverMapping.xml" truststoreFile="conf/stsstore.jks" truststorePassword="thepass"
trustedIssu er=".*CN=www.mydomain.com.*" /> </Context>
> 
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> Then, this idpResolverMapping.xml could look like this:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <beans xmlns="http://www.springframework.org/schema/beans"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:util="http://www.springframework.org/schema/util"
> xsi:schemaLocation="
>        http://www.springframework.org/schema/beans
>        http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>        http://www.springframework.org/schema/util
>        http://www.springframework.org/schema/util/spring-util-2.0.xsd">
> 
> <util:map id="idpMappings">
> <entry key="/internal/*"
> value="http://idp1.mydomain.com" />
> <entry key="/external/*"
> value="http://idp2.mydomain.com" />
> </util:map>
> 
> </beans>
> 
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> 
> 
> What do you think?
> 
> Thanks in advance for any feedback on this subject.
> 
> Kind regards,
> 
> Fran.
> 
> 



Mime
View raw message