All,
I would like to initiate a discussion on contributing an STS (Security
Token Service) framework implementation to CXF. CXF currently has an
STS framework in the ws-security module, and ships with a simple
implementation in the examples. Talend would like to contribute a more
sophisticated implementation of the STS framework to the community. It
supports the following standards:
STS support
- WS-Trust 1.3/1.4
- WS-SecurityPolicy
Supports the following mechanisms to authenticate an RST:
- UsernameToken
- SAML token (1.1/2.0)
- KerberosToken
- X509 Token
The following security bindings are supported:
- Symmetric
- Asymmetric
- Transport
Supports the Issue/Validate and Cancel bindings
Can issue the following tokens:
- SAML 1.1/2.0
- Holder-Of-Key
- Bearer
- custom tokens
Issued tokens can be encrypted
The Validate binding supports issuing a new token.
A custom Validator can be implemented
Creation of SAML tokens can be customized:
- AuthenticationStatement
- AttributeStatements
Advanced RST elements:
- KeyType (Public, Symmetric, Bearer)
- Entropy (Symmetric, Public)
- OnBehalfOf
- ActAs
- Claims
- SecondaryParameters
- Custom ClaimsHandler
In my opinion, this implementation will greatly enhance CXF's security
story and will help to drive new users to the product. I would like to
ask the CXF community for their opinion on this contribution (+1/-1?).
I would also like to ask for opinions on where it should go in the
source - a new services module, or perhaps a subproject?
Colm.
--
Colm O hEigeartaigh
http://coheigea.blogspot.com/
Talend - http://www.talend.com