CXF already supports a wide range of authentication and authorization
methods. Each of these has to be configured differently, though,
and some are almost unknown to users.
So I would like to improve that by standardizing on a common approach
that covers all existing variants but makes them accessible in the same way.
The only real Java standard for authentication is JAAS. It is built into
the JRE and quite flexible. Security frameworks normally also integrate
well with JAAS.
So the idea is to standardize on JAAS for authentication.
Authorization on the other hand has very diverse requirements and in
fact is not really directly coupled to CXF at all. After all, the same
kind of authorization also has to happen in the UI and in the business code.
So the idea there is to solve authorization outside of CXF and base the
authorization on the JAAS login CXF provides.
I have written down my ideas in detail on:
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988
I would be very interested in your feedback on my ideas.
Christian
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
http://www.talend.com