I think it could still work at least partly.

In a project we had a similar requirement. The service call was authenticated using a SAML token from an STS server. So we did the following. In a first step we mapped from the identity provided by the saml token to a username. Then we used a modified LdapLoginModule to do the JAAS login. As the authentication already happened inside WS-Security we made the LdapLoginModule skip the password check and just establish the JAAS login context and add the roles of the user.

So the effect was that we had a JAAS login that could be used for authorization. So the authorization part was the same as with a username / password based authentication.

I think our approach could even be improved. With a special LoginModule we could do the mapping from token identity to username inside the login module and perhaps even do the token validation.
Then we could also add the SAML token to the JAAS Subject.

This would then allow us to use the JAAS login for a chained service call to another service. We could retrieve the SAML token there and use it to get an onBehalfOf token from STS. So we would be able to do chained service calls with full single sign on.

Another single sign on case would be to start with a local JAAS login with Kerberos. The JAAS context from this login could then be used on outgoing calls to authenticate against the STS using SPNEGO auth and retrieve a SAML token.

Both cases together would then support a complete single sign on from Kerberos on the client (e.g. Windows Auth) to directly called service endpoints (SAML Token) as well as chained calls from there (onBehalfOf SAML token).

What do you think?

Christian

On 10.07.2014 11:55, Oliver Wulff wrote:
Hi Christian

I do support the ideas. I think it's important to include claims based 
authorization concept as well as supported by Fediz, but primarily for Web SSO.

JAAS is a good concept to separate the transport (HTTP) and the access to the 
identity store. But JAAS doesn't work for SSO approaches as supporting HTTP 
Basic Authorization Header is not sufficient for SAML based protocols (SAML-P, 
WS-Federation).

WDYT?

Thanks
Oli


------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com


--
Christian Schneider
http://www.liquid-reality.de

Open Source Architect
http://www.talend.com
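A sketch of the password-less LoginModule Christian describes, as an added example that is not code from this thread, CXF or Fediz. It assumes the WS-Security layer has already validated the SAML token and placed the token and its NameID into the JAAS sharedState under the made-up keys saml.token and saml.nameId; the role table is a constructed stand-in for the LDAP group lookup.

```java
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Hypothetical LoginModule for a caller that WS-Security has already authenticated. */
public class PreAuthenticatedSamlLoginModule implements LoginModule {
    /** Keys the WS-Security layer is assumed to put into sharedState (not a standard API). */
    public static final String SAML_TOKEN = "saml.token", SAML_NAME_ID = "saml.nameId";
    /** Minimal Principal; roles reuse it with a "role:" prefix. */
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    /** Constructed stand-in for the LDAP group lookup of the real module. */
    private static final Map<String, List<String>> ROLES = Map.of(
        "alice", List.of("user", "admin"), "bob", List.of("user"));
    private Subject subject; private Map<String, ?> sharedState;
    private String username; private Object samlToken; private boolean succeeded;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s;
        sharedState = shared;
    }

    public boolean login() throws LoginException {
        Object token = sharedState.get(SAML_TOKEN), nameId = sharedState.get(SAML_NAME_ID);
        if (token == null || nameId == null)
            throw new LoginException("no validated SAML identity in shared state");
        // Map the token identity to a local user; no password check, WS-Security did the authentication
        username = nameId.toString().toLowerCase(Locale.ROOT);
        if (!ROLES.containsKey(username)) throw new LoginException("unknown user " + username);
        samlToken = token;
        return succeeded = true;
    }

    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new SimplePrincipal(username));
        for (String r : ROLES.get(username)) subject.getPrincipals().add(new SimplePrincipal("role:" + r));
        subject.getPrivateCredentials().add(samlToken); // kept private; a later chained call reads it from here
        return true;
    }

    public boolean abort() { username = null; samlToken = null; succeeded = false; return true; }
    public boolean logout() { subject.getPrincipals().clear(); subject.getPrivateCredentials().clear(); return true; }
}
```

Because the module trusts sharedState, it must only be configured behind the WS-Security interceptor that actually validated the token; wired into a plain username/password login context it would accept any name.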