Hi Christian,
I find your ideas great; IMO it will be a step in the right direction. JAAS
helps to cleanly decouple authentication/authorization logic from business
code.
Some thoughts regarding that:
1. Authentication
Authentication scenarios can be collected in two large groups:
a) The service receives client credentials with the request, and it is the
responsibility of either custom code or the container to authenticate the user.
For example: usernameToken, basic and digest authentication, SSL with
client authentication, etc.
b) The client first communicates with some security server, which validates the
client credentials and issues a security token. The client injects this token
into the request. The service validates the token (by sending a request to the
security server or by itself). Examples are SAML token authentication, OAuth,
Kerberos.
Group (a) fits the JAAS concept very well; it is necessary to extract credentials
from the appropriate source (UT, AuthorizationPolicy, etc.) depending on the
authentication mode, create a CallbackHandler and invoke the login context.
The configured JAAS Login Modules will be used to authenticate the user and
create the Subject and Principals. Most of this is already implemented in
JAASLoginInterceptor.
Group (b) is a bit tricky, because the user is authenticated by the security
server and the service should just validate the token. In this case the JAAS
Login Module can either take over token validation and fill the Subject's
Principals based on token attributes (like Kerberos does) or skip the validation
step (if it is already done by CXF interceptors) and create the Subject with
Principals.
2. Authorization
IMO the task that fits JAAS well is mapping the user to roles and creating Role
Principals. Other authorization steps are either technology or container
specific: using security annotations, container configuration, role-method
maps, etc.
By the way, JEE 6 introduced some extensions for JAAS in Java Specification
Request 196 (http://docs.oracle.com/cd/E19575-01/820-3740/ghcwf/index.html). It
is more message-processing oriented, introduces agents for validating security
tokens or signatures and defines a standard way to obtain user principals
and group principals. The JSR is primarily designed for JEE application
servers, but perhaps it makes sense to look into it and use some ideas/API from that.
Regards,
Andrei.
> -----Original Message-----
> From: Christian Schneider [mailto:[email protected]] On Behalf Of
> Christian Schneider
> Sent: Donnerstag, 10. Juli 2014 10:56
> To: CXF Dev List
> Subject: Ideas for standardizing CXF authentication and authorization
>
> CXF already supports a wide range of authentication and authorization
> methods. Each of these has to be configured differently though and some are
> almost unknown by users.
>
> So I would like to improve that by standardizing on a common approach that
> covers all existing variants but makes them accessible in the same way.
>
> The only real java standard for authentication is JAAS. It is built into the
> jre and
> quite flexible. Security frameworks normally also integrate well with JAAS.
> So the idea is to standardize on JAAS for authentication.
>
> Authorization on the other hand has very diverse requirements and in fact is
> not really directly coupled to CXF at all. After all the same kind of
> authorization
> also has to happen in the UI and in the business code.
> So the idea there is to solve authorization outside of CXF and base the
> authorization on the JAAS login CXF provides.
>
> I have written down my ideas in detail on:
> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988
>
> I would be very interested in your feedback on my ideas.
>
> Christian
>
> --
> Christian Schneider
> http://www.liquid-reality.de
>
> Open Source Architect
> http://www.talend.com