While authentication/authorization is being discussed, it would also be good if compatibility with Apache Shiro were kept in mind.
On Sunday, July 13, 2014, Andrei Shakirin <[email protected]> wrote:

> Hi Christian,
>
> I find your ideas great, IMO it will be the step in the right direction.
> The JAAS helps to cleanly decouple authentication/authorization logic from
> business code.
>
> Some thoughts regarding that:
>
> 1. Authentication
>
> Authentication scenarios can be collected in two large groups:
> a) Service receives client credentials with request and it is
> responsibility either of custom code or container to authenticate the user.
> For example: usernameToken, basic and digest authentication, SSL
> with client authentication, etc.
> b) Client firstly communicates with some security server validating
> client credentials and issuing security token. Client injects this token
> into the request. Service validates the token (by sending request to
> security server or itself). Samples are SAML token authentication, OAuth,
> Kerberos.
>
> Group (a) fits very well to JAAS concept, it is necessary: extract
> credentials from appropriate source (UT, AuthorizationPolicy, etc)
> depending on authentication mode, create CallbackHandler and invoke login
> context. Configured JAAS Login Modules will be used to authenticate user,
> create Subject and Principals. Most of this is already implemented in
> JAASLoginInterceptor.
>
> Group (b) is a bit tricky, because user is authenticated by security
> server and service should just validate the token. In this case JAAS Login
> Module can either take over token validation and fill Subject Principals
> based on token attributes (like Kerberos does) or skip validation step (if
> it is already done by CXF interceptors) and create Subject with Principals.
>
> 2. Authorization
>
> IMO the task that fits JAAS well is mapping user to role and creating Role
> Principals. Other authorization steps are either technology or container
> specific: using security annotations, container configuration, role-method
> maps, etc.
>
> By the way, JEE 6 introduced some extensions for JAAS in Java
> Specification Request 196
> (http://docs.oracle.com/cd/E19575-01/820-3740/ghcwf/index.html). It is
> more message processing oriented, introduces agents for validating security
> tokens or signatures and determines a standard way to obtain user
> principals and group principals. The JSR is primarily designed for JEE
> application servers, but perhaps it makes sense to look in and use some
> ideas/API from that.
>
> Regards,
> Andrei.
>
> > -----Original Message-----
> > From: Christian Schneider [mailto:[email protected]] On Behalf Of
> > Christian Schneider
> > Sent: Thursday, 10 July 2014 10:56
> > To: CXF Dev List
> > Subject: Ideas for standardizing CXF authentication and authorization
> >
> > CXF already supports a wide range of authentication and authorization
> > methods. Each of these has to be configured differently though and some are
> > almost unknown by users.
> >
> > So I would like to improve that by standardizing on a common approach that
> > covers all existing variants but makes them accessible in the same way.
> >
> > The only real java standard for authentication is JAAS. It is built into the jre and
> > quite flexible. Security frameworks normally also integrate well with JAAS.
> > So the idea is to standardize on JAAS for authentication.
> >
> > Authorization on the other hand has very diverse requirements and in fact is
> > not really directly coupled to CXF at all. After all the same kind of authorization
> > also has to happen in the UI and in the business code.
> > So the idea there is to solve authorization outside of CXF and base the
> > authorization on the JAAS login CXF provides.
> >
> > I have written down my ideas in detail on:
> > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988
> >
> > I would be very interested in your feedback on my ideas.
> >
> > Christian
> >
> > --
> > Christian Schneider
> > http://www.liquid-reality.de
> >
> > Open Source Architect
> > http://www.talend.com
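For reference, here is a constructed, self-contained illustration of the group (a) flow and the user-to-role mapping described in the quoted mail; it is added example code, not CXF's JAASLoginInterceptor or any project code. A lambda CallbackHandler stands in for the interceptor that extracts credentials from the request, a LoginModule verifies them and fills the Subject with a user principal plus role principals, and LoginContext drives it through a programmatic Configuration; the in-memory user store, the "demo" entry name and Java 17 (records, pattern matching) are assumptions.

```java
import java.io.IOException;
import java.security.*;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
public class JaasDemo {
    // Constructed in-memory user store; a real module would consult a directory or database.
    static final Map<String, String> PASSWORDS = Map.of("alice", "s3cret");
    static final Map<String, List<String>> ROLES = Map.of("alice", List.of("admin", "user"));
    record UserPrincipal(String name) implements Principal { public String getName() { return name; } }
    record RolePrincipal(String name) implements Principal { public String getName() { return name; } }
    // Group (a): login() verifies credentials obtained via callbacks; commit() maps the user to role principals.
    public static class DemoLoginModule implements LoginModule {
        private Subject subject; private CallbackHandler handler; private String user;
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { subject = s; handler = h; }
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user"); PasswordCallback pc = new PasswordCallback("pw", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) { throw new LoginException(e.getMessage()); }
            String name = Objects.requireNonNullElse(nc.getName(), ""), expected = PASSWORDS.get(name);
            char[] given = pc.getPassword(); pc.clearPassword();
            // Constant-time compare; an unknown user fails the same way as a wrong password.
            if (expected == null || given == null || !MessageDigest.isEqual(expected.getBytes(), new String(given).getBytes()))
                throw new FailedLoginException("authentication failed");
            user = name; return true;
        }
        public boolean commit() {
            subject.getPrincipals().add(new UserPrincipal(user));
            ROLES.getOrDefault(user, List.of()).forEach(r -> subject.getPrincipals().add(new RolePrincipal(r)));
            return true;
        }
        public boolean abort() { user = null; return true; }  public boolean logout() { subject.getPrincipals().clear(); return true; }
    }
    static Configuration config() {  // programmatic Configuration, so no login.config file is needed
        return new Configuration() { public AppConfigurationEntry[] getAppConfigurationEntry(String n) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(DemoLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Map.of()) }; } };
    }
    public static void main(String[] args) throws LoginException {
        CallbackHandler h = cbs -> { for (Callback cb : cbs) {  // stands in for the CXF interceptor
            if (cb instanceof NameCallback n) n.setName("alice");
            else if (cb instanceof PasswordCallback p) p.setPassword("s3cret".toCharArray());
            else throw new UnsupportedCallbackException(cb); } };
        LoginContext lc = new LoginContext("demo", new Subject(), h, config());
        lc.login();  // a wrong password or unknown user surfaces here as a LoginException
        System.out.println("admin? " + lc.getSubject().getPrincipals().contains(new RolePrincipal("admin")));
    }
}
```

The group (b) variant would differ only in login(): the module would validate (or trust the interceptor's validation of) a token and derive the user name from its attributes instead of checking a password.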
