> On Jun 1, 2015, at 9:07 AM, Steve Moyer <[email protected]> wrote:
> 
> We definitely need #2 and #3 below ... we're working towards integrating 
> JavaEE security annotations into our back-end Fortress servers.  Once we've 
> got all the pieces working (against our infrastructure), we'd be happy to 
> share any of the code that's useful with Realm.
> 

Steve, I was hoping you’d offer that code as a donation.  :-)

There are a couple of conferences, Spring 2GX and (possibly) JavaOne, where I’d 
like to demo your annotation code.  My goal is to first get it working in a 
separate GitHub project and, once perfected, move it into the realm code base. 

> 
> On Jun 1, 2015, at 9:07 AM, Steve Moyer <[email protected]> wrote:
> 
> I'm intrigued by Kiran's comment about using SAML for SSO ... I should also 
> point out that we're using OAuth2 and JWT so that we can secure our REST 
> resources via Fortress (RBAC) as well.
> 
> Our SSO system provides the X-REMOTE-USER and X-REMOTE-REALM headers if the 
> user's authentication has already been performed (and hasn't timed out).  
> This makes our front-end pretty specific and actually hampers the whole 
> Fortress integration a bit. We're using Cosign for local users and Shibboleth 
> for remote (federated) users.

OAuth2 is another possible target.  All of these web security protocols fall 
under the category of ‘web access management’.  A key requirement will be 
identity assertion of the incoming token into Fortress for downstream 
authorization.  I would really like to find a way in which the Fortress realm 
(JavaEE security) can be engaged to verify and assert the identity into the 
execution context.  That way the SSO and identity assertion remain declarative 
and compatible with Fortress core API usage.

Shawn
[email protected]
