Hi Łukasz
On 10/07/14 12:38, Łukasz Dywicki wrote:
Hey Christian,
Great you brought this discussion. I already started working on
integration between spring security (SS) and cxf, mainly because JAAS
was not sufficient in all our cases and SS provides nice cover to it
such AccessDecisionManager session controlling and so on. As Oliver
pointed out - currently CXF is bound to HTTP headers or WSS4J
callbacks requiring re-sending credentials for each invocation which
really limit users while working on more advanced APIs. I would love
to see support for login/logout operations and session handling within
CXF.
There are couple issues which can not be solved with current CXF code
- for example AbstractAuthorizingInInterceptor forces presence of
security context even if subject is not necessary and method is not
annotated with any secure annotation or is annotated with @PermitAll.
We fixed it yesterday
Cheers, Sergey
Best regards,
Łukasz
--
[email protected]
Twitter: ldywicki
Blog: http://dywicki.pl
Code-House - http://code-house.org
2014-07-10 11:55 GMT+02:00 Oliver Wulff <[email protected]>:
Hi Christian
I do support the ideas. I think it's important to include claims based
authorization concept as well as supported by Fediz, but primarely for Web SSO.
JAAS is a good concept to seperate the transport (HTTP) and the access to the
identity store. But JAAS doesn't work for SSO approaches as supporting HTTP
Basic Authorization Header is not sufficient for SAML based protocols (SAML-P,
WS-Federation).
WDYT?
Thanks
Oli
------
Oliver Wulff
Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com
Talend Application Integration Division http://www.talend.com
________________________________________
From: Christian Schneider [[email protected]] on behalf of Christian
Schneider [[email protected]]
Sent: 10 July 2014 10:55
To: CXF Dev List
Subject: Ideas for standardizing CXF authentication and authorization
CXF already supports a wide range of authentication and authorization
methods. Each of these has to be configured differently though
and some are almost unknown by users.
So I would like to improve that by standardizing on a common approach
that covers all existing variants but makes them accessible in the same way.
The only real java standard for authentication is JAAS. It is built into
the jre and quite flexible. Security frameworks normally also integrate
well with JAAS.
So the idea is to standardize on JAAS for authentication.
Authorization on the other hand has very diverse requirements and in
fact is not really directly coupled to CXF at all. After all the same
kind of authorization also has to happen in the UI and in the business code.
So the idea there is to solve authorization outside of CXF and base the
authorization on the JAAS login CXF provides.
I have written down my ideas in detail on:
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988
I would be very interested in your feedback on my ideas.
Christian
--
Christian Schneider
http://www.liquid-reality.de
Open Source Architect
http://www.talend.com
