Return-Path: X-Original-To: apmail-directory-users-archive@www.apache.org Delivered-To: apmail-directory-users-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BFB1118126 for ; Tue, 27 Oct 2015 22:09:20 +0000 (UTC) Received: (qmail 89690 invoked by uid 500); 27 Oct 2015 22:09:15 -0000 Delivered-To: apmail-directory-users-archive@directory.apache.org Received: (qmail 89639 invoked by uid 500); 27 Oct 2015 22:09:15 -0000 Mailing-List: contact users-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: users@directory.apache.org Delivered-To: mailing list users@directory.apache.org Received: (qmail 89621 invoked by uid 99); 27 Oct 2015 22:09:15 -0000 Received: from Unknown (HELO spamd1-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 27 Oct 2015 22:09:15 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd1-us-west.apache.org (ASF Mail Server at spamd1-us-west.apache.org) with ESMTP id CA7ECC3B8A for ; Tue, 27 Oct 2015 22:09:14 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd1-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.1 X-Spam-Level: X-Spam-Status: No, score=-0.1 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=disabled Authentication-Results: spamd1-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx1-eu-west.apache.org ([10.40.0.8]) by localhost (spamd1-us-west.apache.org [10.40.0.7]) (amavisd-new, port 10024) with ESMTP id xzFVnipcWN3Q for ; Tue, 27 Oct 2015 22:09:02 +0000 (UTC) Received: from mail-wm0-f54.google.com (mail-wm0-f54.google.com [74.125.82.54]) by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with ESMTPS id D760A20927 for ; Tue, 27 Oct 2015 22:09:01 +0000 (UTC) Received: by wmeg8 with SMTP id g8so2105445wme.0 for ; Tue, 27 Oct 2015 15:09:01 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=Tbsq3VDK3TulR8gaXwEu1VY8ez9IoYTsrDLoCNH2m1g=; b=nwKJP9liU93hsJvQzj9/b5XBy/E5FdbxMEcCDyCAfZnjLTnYbAG3nYNuiKwK1ryJYq ortCizxIPwScHvFSJuSAh0ArezpoVYyt70zSvL2TkvqHc/kL7aj8TSpmv44QXDN6yZN8 MLl1uCCNz9czIuqqtWHdwhguDCL9PdjzuxfOxqsVAFbC2jgWgmIllUZzBtNL6op167q3 iVnurxxh5XWUtL85wtalyCGfxl3QEBSGGX2ivEKe7OT0knWo2fr1pMA/isEF1A77Bk2I gDJtOPQPcnT9h2VCXZ4ZVEJHZEs6cALNi7eq2C087rhIkbLzoBPDANk2hJ22j5FiUN8F oy4A== X-Received: by 10.28.6.206 with SMTP id 197mr3386933wmg.102.1445983741630; Tue, 27 Oct 2015 15:09:01 -0700 (PDT) Received: from [192.168.2.7] ([89.100.2.134]) by smtp.googlemail.com with ESMTPSA id lb2sm10081547wjc.15.2015.10.27.15.09.00 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 27 Oct 2015 15:09:00 -0700 (PDT) Subject: Re: Claims based authentication with ApacheDS To: users@cxf.apache.org, Apache Directory Users List References: <53f83db11dc64fb4b7db826a2c775563@IBSMSX2.ibs-ag.com> <562FB608.6080703@gmail.com> <6d63682d77e94b339b2fa2e58db82725@IBSMSX2.ibs-ag.com> <562FF587.3060307@gmail.com> From: Sergey Beryozkin Message-ID: <562FF5FC.6030302@gmail.com> Date: Tue, 27 Oct 2015 22:09:00 +0000 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 MIME-Version: 1.0 In-Reply-To: <562FF587.3060307@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit That also works for JAX-WS if needed... Colm may have more info about it, once he gets back... Sergey On 27/10/15 22:07, Sergey Beryozkin wrote: > Hi > > I'm not sure if it is related but we have a claim-based access control, > with the claims representing some attributes from a SAML token (which > represents an authenticated client). That will need to be also mapped > for JWT assertions though... > > http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-ClaimsBasedAccessControl > > > Cheers, Sergey > On 27/10/15 22:00, Pierre Smits wrote: >> Carlo, >> >> You might have a look at Apache CXF, that might be a solution to help you >> out. >> >> Best regards, >> >> Pierre Smits >> >> *OFBiz Extensions Marketplace* >> http://oem.ofbizci.net/oci-2/ >> >> On Tue, Oct 27, 2015 at 7:00 PM, wrote: >> >>> Hi Emmanuel, ok thanks for making sense of it! Sounds like something >>> else >>> wedges between ApacheDS and an outside REST api. What that is we >>> don't know >>> yet :) >>> >>> >>> >>> -----Original Message----- >>> From: Emmanuel Lécharny [mailto:elecharny@gmail.com] >>> Sent: Tuesday, October 27, 2015 1:36 PM >>> To: users@directory.apache.org >>> Subject: Re: Claims based authentication with ApacheDS >>> >>> Le 27/10/15 16:16, Carlo.Accorsi@ibs-ag.com a écrit : >>>> Hi, >>>> >>>> We're starting to hear our customers ask for 'claims based >>> authentication' with our product which back end with ApacheDS. >>>> I've researched it a bit and it's clearly beyond the goals of an LDAP >>> server. >>>> My question is, are any of you trying to implement something like this? >>> If so, what is the stack you're using? >>>> What are challenges, benefits, risks? >>> >>> AFAIU what the 'Claims base authn' buzz is all about, it's nothing more >>> than some kind of Kerberos authn system, without the frightening >>> complexity >>> being exposed. The schema you can find on >>> http://gunnarpeipman.com/2013/07/what-is-claims-based-authentication/ is >>> similar to teh one you have on >>> http://www.funtoo.org/Kerberos_With_Funtoo, >>> with one big difference : in Kerberos, your application does noyt >>> have to >>> check on the authentication broker if the token is valid or not. >>> >>> In some way, it's a weaker protocol (weaker in a sense of the broker >>> will >>> not only be pounded by clients requesting a token, but also by the >>> application itself that need to check the token). It makes the broker >>> the >>> real SPOF of your system, when in Kerberos, at least, the ticket is >>> valid >>> for some period of time - ie, even if the AS is down, you can >>> continue to >>> work. >>> >>> But I can see where it all comes from : on the internet, and >>> especially on >>> the cloud, ommunicating using a protocol like kerberos is certainly not >>> convenient : each application has to be known by the Kerberos AS. >>> This is not convenient when talking to external services... (not even >>> for >>> internal services !). I can imagine how easier it is to deploy a >>> brand new >>> application, that only has to know where is the broker to check the >>> incoming tokens. >>> >>> So, yes, basically, it's inferior to Kerberos, at least from a technical >>> POV, but it's most certainly easier to use, especially now that we can >>> assume that the broker are able to sustain an extremelly high number of >>> incoming requests, something that was not the case decades ago when >>> Kerberos was specified (yes, decades : 22 years ago actually ;-) >>> >>> What's the possible relation with Apache DS ? Well, if you consider that >>> ApacheDS is capable of providing some Kerberos Authentication, there >>> is no >>> reason it should not be able to become a broker. All in all, it's just >>> about being able to accept incoming requests and answer them. >>> ApacheDS has been designed from the very beginning to be exactly that : >>> a layer on top of which you implement your protocol (and we have >>> successfully implemented LDAP, Kerberos, DHCP, DNS, NTP...) >>> >>> Now, the question is : how do we do that ! >>> >>> >>> >>> >> > >