Hi Christian I do support the ideas. I think it's important to include claims based authorization concept as well as supported by Fediz, but primarely for Web SSO.
JAAS is a good concept to seperate the transport (HTTP) and the access to the identity store. But JAAS doesn't work for SSO approaches as supporting HTTP Basic Authorization Header is not sufficient for SAML based protocols (SAML-P, WS-Federation). WDYT? Thanks Oli ------ Oliver Wulff Blog: http://owulff.blogspot.com Solution Architect http://coders.talend.com Talend Application Integration Division http://www.talend.com ________________________________________ From: Christian Schneider [[email protected]] on behalf of Christian Schneider [[email protected]] Sent: 10 July 2014 10:55 To: CXF Dev List Subject: Ideas for standardizing CXF authentication and authorization CXF already supports a wide range of authentication and authorization methods. Each of these has to be configured differently though and some are almost unknown by users. So I would like to improve that by standardizing on a common approach that covers all existing variants but makes them accessible in the same way. The only real java standard for authentication is JAAS. It is built into the jre and quite flexible. Security frameworks normally also integrate well with JAAS. So the idea is to standardize on JAAS for authentication. Authorization on the other hand has very diverse requirements and in fact is not really directly coupled to CXF at all. After all the same kind of authorization also has to happen in the UI and in the business code. So the idea there is to solve authorization outside of CXF and base the authorization on the JAAS login CXF provides. I have written down my ideas in detail on: https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988 I would be very interested in your feedback on my ideas. Christian -- Christian Schneider http://www.liquid-reality.de Open Source Architect http://www.talend.com
