[ 
https://issues.apache.org/jira/browse/FEDIZ-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Oliver Wulff updated FEDIZ-23:
------------------------------
    Description: 
The IDP only supports basic authentication in the current setup.

The IDP should introduce an interface to plug in a custom authentication mechanism.

By default, implementations for the following mechanisms should be provided out of the box:

- form based
- certificate

The authentication mechanism is chosen based on the wauth parameter passed in the signin request. If this parameter is missing, the configured default is used.

The following configuration snippet illustrates the idea. The FederationEntryPoint (already implemented but not yet used) reads the wauth parameter and figures out the URL which is protected by the appropriate authentication protocol. IDPs use different wauth values for the same authentication protocol, and the IDP configuration allows configuring more than one wauth value for the same authentication protocol:
{code}
String loginUri = idpConfig.getAuthenticationURIs().get(wauth);
{code}

After the redirect, the entry point of the specific http element configuration does the further processing.

{code}
    <security:http pattern="/federation/" auto-config="false" use-expressions="true"
        entry-point-ref="federationEntryPoint">
        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
            access="isAnonymous() or isAuthenticated()" />
    </security:http>

    <!-- Implemented but not yet used. Redirects to a dedicated http config. -->
    <!-- The entry point of username/password (/federation/up), kerberos (/federation/krb),
         certificate (/federation/cert), ... then does the further processing. -->
    <bean id="federationEntryPoint"
          class="org.apache.cxf.fediz.service.idp.FederationEntryPoint" />

    <security:http pattern="/federation/krb" auto-config="false" use-expressions="true"
        entry-point-ref="kerberosEntryPoint">
        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
            access="isAnonymous() or isAuthenticated()" />

        <security:custom-filter ref="kerberosAuthenticationProcessingFilter"
            position="BASIC_AUTH_FILTER" />
    </security:http>

    <bean id="kerberosEntryPoint"
          class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />

    <!-- No entry-point-ref here: http-basic registers its own entry point,
         and an empty bean reference would fail at startup. -->
    <security:http pattern="/federation/up" auto-config="false" use-expressions="true">
        <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
        <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
        <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml"
            access="isAnonymous() or isAuthenticated()" />

        <!-- MUST be http-basic so that the systests run fine -->
        <security:http-basic />
        <!--<security:form-login />-->
    </security:http>
{code}

  was:
The IDP only supports basic authentication in the current setup.

The IDP should introduce an interface to plug in a custom authentication mechanism.

By default, implementations for the following mechanisms should be provided out of the box:

- form based
- certificate


The authentication mechanism is chosen based on the wauth parameter passed in the signin request. If this parameter is missing, the configured default is used.



> Support different authentication mechanism
> ------------------------------------------
>
>                 Key: FEDIZ-23
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-23
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP
>    Affects Versions: 1.0.0
>            Reporter: Oliver Wulff
>             Fix For: 1.2.0
>
>
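The wauth dispatch described in the issue (map the sign-in request's wauth value to the http config that protects the matching mechanism, fall back to the configured default when wauth is absent) can be sketched in plain Java as follows. This is an added illustration, not Fediz's FederationEntryPoint or any Spring Security API; the class name, the map of wauth values to login paths, and the sample wauth URIs are assumptions for this example. It goes slightly beyond the text in two defensive choices: an unknown wauth value is rejected rather than silently mapped, and the redirect target is always one of the configured context-relative paths, so this step can never redirect to a caller-supplied location.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Added example (not Fediz code): picks the dedicated login path for a
 * WS-Federation sign-in request from its wauth parameter. Class name, the
 * wauth-to-path map and the sample wauth values are assumptions.
 */
public class WauthDispatchExample {

    /** Sign-in parameters the dedicated entry point still needs after the redirect. */
    private static final String[] FORWARDED_PARAMS = {"wa", "wtrealm", "wreply", "wctx", "wauth"};

    private final Map<String, String> authenticationURIs; // wauth value -> local login path
    private final String defaultLoginUri;                 // used when wauth is absent

    public WauthDispatchExample(Map<String, String> authenticationURIs, String defaultLoginUri) {
        this.authenticationURIs = Collections.unmodifiableMap(new LinkedHashMap<>(authenticationURIs));
        this.defaultLoginUri = defaultLoginUri;
    }

    /**
     * Missing wauth -> configured default; known wauth -> its path;
     * unknown wauth -> empty, so the caller answers 400 instead of guessing a mechanism.
     */
    public Optional<String> resolveLoginUri(String wauth) {
        if (wauth == null || wauth.trim().isEmpty()) {
            return Optional.of(defaultLoginUri);
        }
        return Optional.ofNullable(authenticationURIs.get(wauth.trim()));
    }

    /**
     * Builds the redirect target. Only configured, context-relative paths can come out
     * of this method; the WS-Federation parameters are re-encoded onto the query string.
     */
    public Optional<String> buildRedirect(String contextPath, Map<String, String> params) {
        Optional<String> loginUri = resolveLoginUri(params.get("wauth"));
        if (!loginUri.isPresent()) {
            return Optional.empty();
        }
        StringBuilder target = new StringBuilder(contextPath).append(loginUri.get());
        char separator = '?';
        for (String name : FORWARDED_PARAMS) {
            String value = params.get(name);
            if (value == null) {
                continue;
            }
            target.append(separator).append(name).append('=').append(encode(value));
            separator = '&';
        }
        return Optional.of(target.toString());
    }

    private static String encode(String value) {
        try {
            return URLEncoder.encode(value, StandardCharsets.UTF_8.name());
        } catch (java.io.UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration: two wauth values share the password mechanism,
        // mirroring "more than one wauth value for the same authentication protocol".
        Map<String, String> uris = new LinkedHashMap<>();
        uris.put("urn:oasis:names:tc:SAML:1.0:am:password", "/federation/up");
        uris.put("urn:oasis:names:tc:SAML:1.0:am:unspecified", "/federation/up");
        uris.put("urn:ietf:rfc:1510", "/federation/krb");
        uris.put("urn:oasis:names:tc:SAML:1.0:am:X509-PKI", "/federation/cert");
        WauthDispatchExample entryPoint = new WauthDispatchExample(uris, "/federation/up");

        // Constructed sign-in request parameters.
        Map<String, String> signin = new LinkedHashMap<>();
        signin.put("wa", "wsignin1.0");
        signin.put("wtrealm", "urn:example:relying-party");
        signin.put("wctx", "state-42");
        signin.put("wauth", "urn:ietf:rfc:1510");

        // Known wauth: redirect to the kerberos http config.
        System.out.println(entryPoint.buildRedirect("/fediz-idp", signin).orElse("400 Bad Request"));
        // No wauth: the configured default applies.
        signin.remove("wauth");
        System.out.println(entryPoint.buildRedirect("/fediz-idp", signin).orElse("400 Bad Request"));
        // Unknown wauth: rejected rather than mapped to some mechanism.
        signin.put("wauth", "urn:example:not-configured");
        System.out.println(entryPoint.buildRedirect("/fediz-idp", signin).orElse("400 Bad Request"));
    }
}
```

In a servlet container the empty Optional would become a 400 response and the present one a 302 to the returned path; the dedicated http config's own entry point (http-basic, Kerberos, certificate) then takes over exactly as the snippet above describes.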



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
