Hey Christian, Great you brought this discussion. I already started working on integration between spring security (SS) and cxf, mainly because JAAS was not sufficient in all our cases and SS provides nice cover to it such AccessDecisionManager session controlling and so on. As Oliver pointed out - currently CXF is bound to HTTP headers or WSS4J callbacks requiring re-sending credentials for each invocation which really limit users while working on more advanced APIs. I would love to see support for login/logout operations and session handling within CXF.
There are couple issues which can not be solved with current CXF code - for example AbstractAuthorizingInInterceptor forces presence of security context even if subject is not necessary and method is not annotated with any secure annotation or is annotated with @PermitAll. Best regards, Łukasz -- [email protected] Twitter: ldywicki Blog: http://dywicki.pl Code-House - http://code-house.org 2014-07-10 11:55 GMT+02:00 Oliver Wulff <[email protected]>: > Hi Christian > > I do support the ideas. I think it's important to include claims based > authorization concept as well as supported by Fediz, but primarely for Web > SSO. > > JAAS is a good concept to seperate the transport (HTTP) and the access to the > identity store. But JAAS doesn't work for SSO approaches as supporting HTTP > Basic Authorization Header is not sufficient for SAML based protocols > (SAML-P, WS-Federation). > > WDYT? > > Thanks > Oli > > > ------ > > Oliver Wulff > > Blog: http://owulff.blogspot.com > Solution Architect > http://coders.talend.com > > Talend Application Integration Division http://www.talend.com > > ________________________________________ > From: Christian Schneider [[email protected]] on behalf of Christian > Schneider [[email protected]] > Sent: 10 July 2014 10:55 > To: CXF Dev List > Subject: Ideas for standardizing CXF authentication and authorization > > CXF already supports a wide range of authentication and authorization > methods. Each of these has to be configured differently though > and some are almost unknown by users. > > So I would like to improve that by standardizing on a common approach > that covers all existing variants but makes them accessible in the same way. > > The only real java standard for authentication is JAAS. It is built into > the jre and quite flexible. Security frameworks normally also integrate > well with JAAS. > So the idea is to standardize on JAAS for authentication. > > Authorization on the other hand has very diverse requirements and in > fact is not really directly coupled to CXF at all. After all the same > kind of authorization also has to happen in the UI and in the business code. > So the idea there is to solve authorization outside of CXF and base the > authorization on the JAAS login CXF provides. > > I have written down my ideas in detail on: > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988 > > I would be very interested in your feedback on my ideas. > > Christian > > -- > Christian Schneider > http://www.liquid-reality.de > > Open Source Architect > http://www.talend.com >
