Forgot the links:

http://svn.apache.org/viewvc?rev=1307112&view=rev
https://issues.apache.org/jira/browse/CXF-4215

Sergey

On 29/03/12 22:30, Sergey Beryozkin wrote:
Hi Oli,

I've moved the Claims annotations to the api module,
to the "org.apache.cxf.security.claims.authorization" package with the
idea that the "org.apache.cxf.security.claims" package will in time hold
a few common Claim data classes.

I reckon it should be enough for you to start experimenting with
enforcing the same Claim annotations at the JAX-WS/WS-Security end but
using the Claim data classes declared in the ws-security module.
ClaimsAuthorizingInterceptor can be copied for now.

If we manage to quickly adapt the Claim class used in the
rt-rs-security-xml to the one used in the ws-security module then I can
move the rest of the authorization code to the api. That should be quite
possible but I think if we do not manage to do it in time for 2.6 then
we can do it for 2.6.1/2 because I guess the Claim data classes are not
really visible to the application developers.

FYI, I have the SAMLSecurityContext - can be renamed to
ClaimsSecurityContext, I thought a bit about also introducing
ClaimsPrincipal, but then I decided to stay with SAMLSecurityContext,
it's kind of similar to the base SecurityContext (Principal + its
roles), or Principal + Claims (roles and more)

I stopped short of introducing a new module (rt-security), a bit tight
for 2.6 :-), but indeed it would be easy enough to move various
security-related classes from api & rt/core to rt-security, except maybe
for the base SecurityContext, AuthorizationPolicy, and a few other classes

Thanks, Sergey

On 29/03/12 13:00, Sergey Beryozkin wrote:
Hi Oli

thanks for initiating this thread

On 29/03/12 07:06, Oliver Wulff wrote:
Hi all

I'd like to start working on the RBAC (see mail "Role based access
control with SAML in CXF") and the Claims support for JAX-WS. Sergey
has already implemented that for JAX-RS.

I'd propose to move these classes (claims, annotations) to a
frontend-independent module like rt/security so that it can be used by
JAX-WS and JAX-RS. To get this done for 2.6 would be very good. Otherwise,
we can do this for 2.7 at the earliest. I'd like to avoid having different
Claims classes for the same purpose when using JAX-RS or JAX-WS.

What do you think?

+1.

I think it might be a bit tight to get both the annotations & the actual
data classes representing Claims given that at the moment Claims data
classes used within the JAX-RS frontend are different from the ones
available in the WS Security module.

We have 3 pieces to deal with:
- Annotations (visible at the application code level) [1]
- ClaimsAuthorizingInterceptor which enforces those annotations against
the incoming claims data available at runtime
- The actual Claim classes keeping the info about the claims

Moving Annotations to the common package can be done quickly enough, and
that would let us have the JAX-WS & JAX-RS code using the same visible
annotations.
The interim solution for JAX-WS then is to provide its own
ClaimsAuthorizingInterceptor which will operate on WS specific Claim
classes. And then we can introduce at some stage the common interceptor
once we 'merge' the Claim data classes, I'd be OK adapting JAX-RS Claim
classes as close as possible to WS ones.

But let me move the annotations first. Who knows, maybe we will also be
able to merge Claim data classes before 2.6 is out :-)

Thanks, Sergey

[1]
http://cxf.apache.org/docs/jax-rs-saml.html#JAX-RSSAML-SAMLAuthorization

Thanks
Oli




------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division
http://www.talend.com