[ 
https://issues.apache.org/jira/browse/FEDIZ-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Colm O hEigeartaigh closed FEDIZ-23.
------------------------------------

> Support different authentication mechanism
> ------------------------------------------
>
>                 Key: FEDIZ-23
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-23
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP
>    Affects Versions: 1.0.0
>            Reporter: Oliver Wulff
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.2.0
>
>
> The IDP only supports basic authentication in the current setup.
> The IDP should introduce an interface to plug in a custom authentication mechanism.
> By default, implementations for the following mechanisms should be provided out of the box:
> - form based
> - certificate
> The authentication mechanism is chosen based on the wauth parameter passed in the signin request. If this parameter is missing, the configured default is used.
> The following configuration snippet illustrates the idea. The FederationEntryPoint (already implemented but not yet used) reads the wauth parameter and figures out the URL which is protected by the appropriate authentication protocol. IDPs use different wauth values for the same authentication protocol, and the IDP configuration allows configuring more than one wauth value for the same authentication protocol.
> {code}
> String loginUri = idpConfig.getAuthenticationURIs().get(wauth);
> {code}
> After the redirect, the entrypoint of a specific http element configuration 
> does the further processing.
> {code}
>     <security:http pattern="/federation/" auto-config="false" use-expressions="true"
>         entry-point-ref="federationEntryPoint">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
>     </security:http>
>     <!-- Implemented but not yet used. Redirects to a dedicated http config -->
>     <!-- Then the entrypoint of username/password (/federation/up), kerberos (/federation/krb), certificate (/federation/cert), ... -->
>     <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint" />
>     <security:http pattern="/federation/krb" auto-config="false" use-expressions="true"
>         entry-point-ref="kerberosEntryPoint">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
>         <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
>     </security:http>
>     <bean id="kerberosEntryPoint" class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
>     <security:http pattern="/federation/up" auto-config="false" use-expressions="true" entry-point-ref="">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
>         <!-- MUST be http-basic thus systests run fine -->
>         <security:http-basic />
>         <!--<security:form-login />-->
>     </security:http>
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
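The wauth dispatch sketched in the issue (look up the login URI for the wauth value, fall back to the configured default when the parameter is absent) has one edge the one-liner `idpConfig.getAuthenticationURIs().get(wauth)` does not cover: a wauth value that is present but not configured yields null. The following is an added illustration, not code from CXF-Fediz; the class name `WauthDispatcher`, the method `resolveLoginUri`, and the sample wauth values and URIs are all assumptions. It keeps the redirect target restricted to URIs the IDP itself declared and lets the caller reject unknown values rather than redirecting anywhere.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Hypothetical stand-in for the wauth -> login-URI lookup described in FEDIZ-23.
 * Not the Fediz FederationEntryPoint; added here to show the dispatch rules only.
 */
public final class WauthDispatcher {

    /** Configured wauth value -> relative login URI (the role of idpConfig.getAuthenticationURIs()). */
    private final Map<String, String> authenticationUris;

    /** Login URI used when the sign-in request carries no wauth parameter. */
    private final String defaultLoginUri;

    public WauthDispatcher(Map<String, String> authenticationUris, String defaultLoginUri) {
        // The default must itself be one of the declared login URIs, so every
        // possible redirect target comes from configuration, never from the request.
        if (!authenticationUris.containsValue(defaultLoginUri)) {
            throw new IllegalArgumentException("default login URI must be one of the configured URIs");
        }
        this.authenticationUris = Collections.unmodifiableMap(new HashMap<>(authenticationUris));
        this.defaultLoginUri = defaultLoginUri;
    }

    /**
     * Resolves the protected login URI for a sign-in request.
     *  - missing or blank wauth: the configured default (as the issue specifies)
     *  - wauth present but not configured: empty, so the caller can answer with an
     *    error instead of redirecting to a location the IDP never declared
     */
    public Optional<String> resolveLoginUri(String wauth) {
        if (wauth == null || wauth.trim().isEmpty()) {
            return Optional.of(defaultLoginUri);
        }
        return Optional.ofNullable(authenticationUris.get(wauth));
    }

    public static void main(String[] args) {
        // Constructed sample configuration: several wauth values map to the same
        // mechanism, matching the issue's remark that IDPs use different wauth
        // values for one authentication protocol. The values are illustrative.
        Map<String, String> uris = new HashMap<>();
        uris.put("urn:oasis:names:tc:SAML:1.0:am:password", "/federation/up");
        uris.put("up", "/federation/up");
        uris.put("urn:oasis:names:tc:SAML:1.0:am:X509-PKI", "/federation/cert");
        uris.put("urn:ietf:rfc:4120", "/federation/krb");
        WauthDispatcher dispatcher = new WauthDispatcher(uris, "/federation/up");

        // Constructed sample requests: no wauth, two configured values, one unknown value.
        String[] samples = { null, "up", "urn:ietf:rfc:4120", "unconfigured-mechanism" };
        for (String wauth : samples) {
            Optional<String> target = dispatcher.resolveLoginUri(wauth);
            System.out.println("wauth=" + wauth + " -> "
                + target.map(u -> "redirect to " + u).orElse("reject (unknown wauth)"));
        }
    }
}
```

Compile and run with `javac WauthDispatcher.java && java WauthDispatcher`. The unknown value is the case worth checking in an entry point: a null from the map should end in an error response, since silently falling back to the default for a value the client chose hides misconfiguration, and redirecting to anything derived from the request would turn the entry point into an open redirect.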