cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andrei Shakirin <ashaki...@talend.com>
Subject RE: (Fediz) STS - passing info from LoginModule to ClaimsHandler
Date Fri, 24 Jan 2014 13:30:35 GMT
Hi,

I used ThreadLocal not in LoginModule itself, but in STS validator invoking JAAS for login:

    <bean id="validator" class="org.sopera.csg.tesbext.sts.jaas.JAASValidator">
        <argument value="sts-ut" />
    </bean>

    <jaxws:endpoint id="utSTS" implementor="#stsProvider"
        address="/SecurityTokenService/UT" wsdlLocation="wsdl/ws-trust-1.4-service.wsdl"
        xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512/"
        serviceName="wst:SecurityTokenService" endpointName="wst:UT_Port">
        <jaxws:properties>
            <entry key="ws-security.ut.validator" value-ref="validator" />
        </jaxws:properties>
    </jaxws:endpoint>

public class JAASValidator implements Validator {
...
    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException
{
        UsernameToken userNameToken = credential.getUsernametoken();
        validateUserNameToken(userNameToken);
        try {
            STSCallBackHandler callbackHandler = new STSCallBackHandler(userNameToken, null);
            LoginContext lc = new LoginContext(this.contextName, callbackHandler);
            lc.login();
            Subject subject = lc.getSubject();
            SecContext.setSubject(subject);
...
        } catch (LoginException e) {
            throw new WSSecurityException(e.getMessage(), e);
        }
    }

The validator is always called in the same thread with ClaimsHandler , but not sure is this
a solution for you.

The clean way will be to extend CalimsHandler.retrieveClaimValues() with the security context
subject argument and pass it through.

@Colm: do you see more elegant way to proceed that?

Regards,
Andrei.

> -----Original Message-----
> From: Hoefer, Filip [mailto:filip.hofer@atos.net]
> Sent: Freitag, 24. Januar 2014 12:56
> To: users@cxf.apache.org
> Subject: RE: (Fediz) STS - passing info from LoginModule to ClaimsHandler
> 
> Hello,
> 
> Unfortunately, it appears that the LoginModule and the ClaimsHandler
> sometimes each use a different thread to handle a single request. Therefore,
> a ThreadLocal variable does not reliably facilitate state sharing.
> 
> @Andrei: Did you get it running in your environment?
> 
> @others: Any other ideas?
> 
> Thank you
> 
>     Filip
> 
> -----Original Message-----
> From: Hoefer, Filip [mailto:filip.hofer@atos.net]
> Sent: Wednesday, January 22, 2014 4:59 PM
> To: users@cxf.apache.org
> Subject: RE: (Fediz) STS - passing info from LoginModule to ClaimsHandler
> 
> 
> Hi Andrei,
> 
> Many thanks for your response! Your suggestion really appears to be the
> only viable solution at this time. It also occurred to us that we could use the
> subject Name to carry an internal ID from LoginModule to ClaimsHandler and
> then rewrite it to an external ID in ClaimsHandler. Unfortunately, rewriting
> the NameID value in ClaimsHandler has no effect. So I think I will go ahead
> with your suggestion.
> 
>    Filip
> 
> -----Original Message-----
> From: Andrei Shakirin [mailto:ashakirin@talend.com]
> Sent: Wednesday, January 22, 2014 10:36 AM
> To: users@cxf.apache.org
> Subject: RE: (Fediz) STS - passing info from LoginModule to ClaimsHandler
> 
> 
> Hi,
> 
> Yep, I had the similar case in STS: custom claims handler should validate user
> role received in RST as claim.
> However user role is determined in LoginModule through JAAS (invoked by
> ws-security.ut.validator validator).
> Therefore it was necessary to pass Subject/Principle from the LoginModule
> to ClaimHandler for validation.
> 
> We did not find better solution as introducing custom SecurityContext with
> ThreadLocal:
> 
> public final class SecContext {
>     static ThreadLocal<Subject> subject = new ThreadLocal<Subject>();
>     private SecContext() {
>     }
>     public static void setSubject(Subject subject2) {
>         SecContext.subject.set(subject2);
>     }
>     public static Subject getSubject() {
>         return subject.get();
>     }
> }
> 
> Validator:
>             LoginContext lc = new LoginContext(this.contextName,
> callbackHandler);
>             lc.login();
>             Subject subject = lc.getSubject();
>             SecContext.setSubject(subject);
> 
> Claim Handler:
>             Subject subject = SecContext.getSubject();
>             Set<Principal> groups = subject.getPrincipals();
>             List<String> roles = new ArrayList<String>();
>             for (Principal group : groups) {
>                 if
> ("org.apache.karaf.jaas.boot.principal.RolePrincipal".equals(group.getClass()
>                     .getName())) {
>                     roles.add(group.getName());
>                 }
>             }
> ...
> 
> I think it will be nice to provide a possibility to access all custom Principles in
> ClaimsHandler - will think about that.
> 
> Regards,
> Andrei.
> 
> > -----Original Message-----
> > From: Hoefer, Filip [mailto:filip.hofer@atos.net]
> > Sent: Dienstag, 21. Januar 2014 13:16
> > To: users@cxf.apache.org
> > Subject: (Fediz) STS - passing info from LoginModule to ClaimsHandler
> >
> > Hello,
> >
> > I am implementing a custom LoginModule and a custom ClaimsHandler for
> > the Fediz STS. The custom classes are integrated into Fediz via config
> > files, no problem. However, I do not know how to pass information from
> > my LoginModule to my ClaimsHandler. I create a custom Principal (with
> > custom
> > claims) in the LoginModule based on authentication via an external
> > security server. The problem is that the ClaimsHandler always only
> > receives a SAMLTokenPrincipal which will not give me access to the
> > custom claims. So far, do not see any alternative to accessing user
> > account via the identifier from SAMLTokenPrincipal.getName(). But that
> > only gives me access to the static user account, not to the transient state
> created during login.
> >
> > Please let me know if I oversee something, any help is appreciated.
> >
> > Kind regards,
> >
> >     Filip Hofer

Mime
View raw message