Author: buildbot
Date: Tue Jul  8 08:47:13 2014
New Revision: 915457

Log:
Production update by buildbot for cxf

Added:
    
websites/production/cxf/content/docs/standardized-authentication-authorization.html
Modified:
    websites/production/cxf/content/cache/docs.pageCache

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Added: 
websites/production/cxf/content/docs/standardized-authentication-authorization.html
==============================================================================
--- 
websites/production/cxf/content/docs/standardized-authentication-authorization.html
 (added)
+++ 
websites/production/cxf/content/docs/standardized-authentication-authorization.html
 Tue Jul  8 08:47:13 2014
@@ -0,0 +1,175 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" 
"http://www.w3.org/TR/html4/loose.dtd";>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+  <head>
+
+<link type="text/css" rel="stylesheet" href="/resources/site.css">
+<script src='/resources/space.js'></script>
+
+<meta http-equiv="Content-type" content="text/html;charset=UTF-8">
+<meta name="keywords" content="business integration, EAI, SOA, Service 
Oriented Architecture, web services, SOAP, JBI, JMS, WSDL, XML, EDI, Electronic 
Data Interchange, standards support, integration standards, application 
integration, middleware, software, solutions, services, CXF, open source">
+<meta name="description" content="Apache CXF, Services Framework - 
Standardized Authentication / Authorization">
+
+
+<link type="text/css" rel="stylesheet" 
href="/resources/highlighter/styles/shCoreCXF.css">
+<link type="text/css" rel="stylesheet" 
href="/resources/highlighter/styles/shThemeCXF.css">
+
+<script src='/resources/highlighter/scripts/shCore.js'></script>
+<script src='/resources/highlighter/scripts/shBrushJava.js'></script>
+<script>
+  SyntaxHighlighter.defaults['toolbar'] = false;
+  SyntaxHighlighter.all();
+</script>
+
+
+    <title>
+Apache CXF -- Standardized Authentication / Authorization
+    </title>
+  </head>
+<body onload="init()">
+
+
+<table width="100%" cellpadding="0" cellspacing="0">
+  <tr>
+    <td id="cell-0-0" colspan="2">&nbsp;</td>
+    <td id="cell-0-1">&nbsp;</td>
+    <td id="cell-0-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-1-0">&nbsp;</td>
+    <td id="cell-1-1">&nbsp;</td>
+    <td id="cell-1-2">
+      <!-- Banner -->
+<div class="banner" id="banner"><div><table border="0" cellpadding="0" 
cellspacing="0" width="100%"><tr><td align="left" colspan="1" nowrap>
+<a shape="rect" href="http://cxf.apache.org/"; title="Apache CXF"><span 
style="font-weight: bold; font-size: 170%; color: white">Apache CXF</span></a>
+</td><td align="right" colspan="1" nowrap>
+<a shape="rect" href="http://www.apache.org/"; title="The Apache Sofware 
Foundation"><img border="0" alt="ASF Logo" 
src="http://cxf.apache.org/images/asf-logo.png";></a>
+</td></tr></table></div></div>
+      <!-- Banner -->
+      <div id="top-menu">
+        <table border="0" cellpadding="1" cellspacing="0" width="100%">
+          <tr>
+            <td>
+              <div align="left">
+                <!-- Breadcrumbs -->
+<a href="index.html">Index</a>&nbsp;&gt;&nbsp;<a 
href="standardized-authentication-authorization.html">Standardized 
Authentication / Authorization</a>
+                <!-- Breadcrumbs -->
+              </div>
+            </td>
+            <td>
+              <div align="right">
+                <!-- Quicklinks -->
+<div id="quicklinks"><p><a shape="rect" 
href="http://cxf.apache.org/download.html";>Download</a> | <a shape="rect" 
href="http://cxf.apache.org/docs/index.html";>Documentation</a></p></div>
+                <!-- Quicklinks -->
+              </div>
+            </td>
+          </tr>
+        </table>
+      </div>
+    </td>
+    <td id="cell-1-3">&nbsp;</td>
+    <td id="cell-1-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-2-0" colspan="2">&nbsp;</td>
+    <td id="cell-2-1">
+      <table>
+        <tr valign="top">
+          <td height="100%">
+            <div id="wrapper-menu-page-right">
+              <div id="wrapper-menu-page-top">
+                <div id="wrapper-menu-page-bottom">
+                  <div id="menu-page">
+                    <!-- NavigationBar -->
+<div id="navigation"><ul class="alternate"><li><a shape="rect" 
href="overview.html">Overview</a></li><li><a shape="rect" 
href="how-tos.html">How-Tos</a></li><li><a shape="rect" 
href="frontends.html">Frontends</a></li><li><a shape="rect" 
href="databindings.html">DataBindings</a></li><li><a shape="rect" 
href="transports.html">Transports</a></li><li><a shape="rect" 
href="configuration.html">Configuration</a></li><li><a shape="rect" 
href="debugging-and-logging.html">Debugging and Logging</a></li><li><a 
shape="rect" href="tools.html">Tools</a></li><li><a shape="rect" 
href="restful-services.html">RESTful Services</a></li><li><a shape="rect" 
href="wsdl-bindings.html">WSDL Bindings</a></li><li><a shape="rect" 
href="service-routing.html">Service Routing</a></li><li><a shape="rect" 
href="dynamic-languages.html">Dynamic Languages</a></li><li><a shape="rect" 
href="ws-support.html">WS-* Support</a></li><li><a shape="rect" 
href="advanced-integration.html">Advanced Integration</a></li><li><a shape
 ="rect" href="deployment.html">Deployment</a></li><li><a shape="rect" 
href="schemas-and-namespaces.html">Use of Schemas and 
Namespaces</a></li></ul><hr><ul 
class="alternate"><li><p>Search</p></li></ul><form 
enctype="application/x-www-form-urlencoded" method="get" id="cse-search-box" 
action="http://www.google.com/cse";>
+  <div>
+    <input type="hidden" name="cx" value="002890367768291051730:o99qiwa09y4">
+    <input type="hidden" name="ie" value="UTF-8">
+    <input type="text" name="q" size="21">
+    <input type="submit" name="sa" value="Search">
+  </div>
+</form>
+<script type="text/javascript" 
src="http://www.google.com/cse/brand?form=cse-search-box&amp;lang=en";></script><hr><ul
 class="alternate"><li><a shape="rect" 
href="http://cxf.apache.org/javadoc/latest/";>API 2.x (Javadoc)</a></li><li><a 
shape="rect" href="http://cxf.apache.org/javadoc/latest-3.0.x/";>API 3.x 
(Javadoc)</a></li><li><a shape="rect" href="http://cxf.apache.org/";>CXF 
Website</a></li></ul></div>
+                    <!-- NavigationBar -->
+                  </div>
+              </div>
+            </div>
+          </div>
+         </td>
+         <td height="100%">
+           <!-- Content -->
+           <div class="wiki-content">
+<div id="ConfluenceContent">    <div class="aui-message hint shadowed 
information-macro">
+                            <span class="aui-icon icon-hint">Icon</span>
+                <div class="message-content">
+                            Ideas / Proposal
+                    </div>
+    </div>
+<p>&#160;</p><p>CXF already supports a wide range of authentication and 
authorization approaches. Unfortunately they are all configured differently and 
do not integrate well with each other.</p><p>So the idea is to create one 
standardized authentication / authorization flow in CXF where the modules can 
then fit in. There are a lot of security frameworks out there that could be 
used as a basis for this. The problem is though that each framework&#160; (like 
Shiro or Spring Security) uses its own mechanisms which are not standardized. 
So by choosing one framework we would force our users to depend on 
this.</p><p>The best standardized security framework in java is JAAS. It is 
already included in Java and most security frameworks can be hooked into it. So 
let&#180;s investigate what we could do with JAAS.</p><h2 
id="StandardizedAuthentication/Authorization-AuthenticationusingJAAS">Authentication
 using JAAS</h2><p>JAAS authentication is done by creating a LoginContext and 
doing a login on
  it. Things to configure is the name of the login config and the Callback 
Handlers. So CXF needs mechanisms for the user to set the config name and needs 
to provide CallBackHandlers to supply credentials.</p><h2 
id="StandardizedAuthentication/Authorization-CallbackHandlers">CallbackHandlers</h2><p>CXF
 needs to supply different data to identify the users depending on the chosen 
authentication variant.</p><p>Basic Auth: username and password from HTTP 
header</p><p>WS-Security UserNameToken: Username and password from SOAP 
header</p><p>Spnego: Kerberos token from HTTP header</p><p>HTTPS client cert: 
Certificate information</p><p>We could simply detect what information is 
provided and configure the Callbackhandlers for each variant.</p><h2 
id="StandardizedAuthentication/Authorization-JAASconfiguration">JAAS 
configuration</h2><p>The JAAS configuration is supplied differently depending 
on the runtime CXF runs in.</p><p>Standalone: For standalone usage the JAAS 
config can simply come from 
 a file.</p><p>Servlet Container: Not sure. Is there a standard approach for 
this?</p><p>Apache Karaf: Karaf already provides a JAAS integration so we just 
have to configure the JAAS config name and supply a suitable config in 
karaf</p><h2 
id="StandardizedAuthentication/Authorization-SupplyingRoleandUserinformation">Supplying
 Role and User information</h2><p>JAAS stores identity information in the JAAS 
subject. The method getPrincipals returns Principal objects which can be users, 
roles or even other identity information. To differentiate between roles and 
users there are two common approaches.</p><ol><li>different Classes like a 
UserPrincipal or RolePrincipal. Unfortunately there are no standard 
interfaces</li><li>prefixes. So for example roles start with role- . Again 
there is no standard</li></ol><h2 
id="StandardizedAuthentication/Authorization-Authorization">Authorization</h2><p>Authorization
 has very diverse requirements. So we need to make sure we integrate well with 
different 
 approaches.</p><p>Generally the idea is to base the Authorization on the JAAS 
login data. After a JAAS login the JAAS subject can be retrieved in a standard 
way:</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeContent panelContent pdl">
+<script class="theme: Default; brush: java; gutter: false" 
type="syntaxhighlighter"><![CDATA[AccessControlContext acc = 
AccesController.getContext();
+Subject subject = Subject.getSubject(acc);]]></script>
+</div></div><p>So the idea is that we provide certain default authorization 
variants that rely on the above to retrieve authentication information in a 
standardized way. So authorization is nicely decoupled from authentication and 
fully standards based.</p><p>This then also provides a nice interface for users 
or other frameworks to access authentication information and provide custom 
authorization variants.</p><h2 
id="StandardizedAuthentication/Authorization-DefaultAuthorizationVariants">Default
 Authorization Variants</h2><h3 
id="StandardizedAuthentication/Authorization-JEEannotations">JEE 
annotations</h3><p>Java EE provides some standard annotations like 
@RolesAllowed. We can provide an interceptor that reads the annotations of 
serivce impls and provides authorization like in a JEE container.</p><h3 
id="StandardizedAuthentication/Authorization-XACMLPEP">XACML PEP</h3><p>An 
XACML policy enforcement point can retrieve the JAAS login data and do 
authorization against an XACML Policy D
 ecision Point (PDP).</p><h3 
id="StandardizedAuthentication/Authorization-KarafrolebasedOSGiserviceAuthorization">Karaf
 role based OSGi service Authorization</h3><p>Karaf 3 already supports 
authorization on the OSGi service level and uses JAAS for authentication. So if 
we do a JAAS login in CXF and the service impl code calls an OSGi service then 
the Karaf role based securtiy should already work out of the box.</p><h2 
id="StandardizedAuthentication/Authorization-Karafintegration">Karaf 
integration</h2><p>Ideally we should integrate the new authentication / 
authorization model in a way that enable the user to switch on authentication 
for the karaf server without specific configurations in the user bundles that 
implement the services.</p><p>So we could have a config setting for the CXF 
OSGi servlet to enable JAAS authentication and set a JAAS config. This would 
then enable authentication for all services using the named JAAS config from 
karaf. We could then also switch on the annotaion
  based authorization. So users could leverage this for their service by just 
supplying the annotations and doing no other configs on the service 
level.</p><p>A further approach would be to let the user configure named 
features on the CXF servlet level (which are then retrieved as OSGi services). 
So the user can even attach his own extensions on the server level like for 
ecxample integrating a custom XACML PEP.</p><h2 
id="StandardizedAuthentication/Authorization-Problems">Problems</h2><p>Doing a 
full JAAS login requires to use subject.doAs to populate the 
AcessControlContext. This is not possible in a CXF interceptor as the 
interceptor only works on a message but can not call the next interceptor for 
doAs. So the question is where to do the JAAS login and the 
doAs?</p><p>&#160;</p></div>
+           </div>
+           <!-- Content -->
+         </td>
+        </tr>
+      </table>
+   </td>
+   <td id="cell-2-2" colspan="2">&nbsp;</td>
+  </tr>
+  <tr>
+   <td id="cell-3-0">&nbsp;</td>
+   <td id="cell-3-1">&nbsp;</td>
+   <td id="cell-3-2">
+     <div id="footer">
+       <!-- Footer -->
+       <div id="site-footer">
+         <a href="http://cxf.apache.org/privacy-policy.html";>Privacy 
Policy</a> - 
+         (<a 
href="https://cwiki.apache.org/confluence/pages/editpage.action?pageId=42568988";>edit
 page</a>) 
+        (<a 
href="https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=42568988&amp;showComments=true&amp;showCommentArea=true#addcomment";>add
 comment</a>)<br>
+       Apache CXF, CXF, Apache, the Apache feather logo are trademarks of The 
Apache Software Foundation.<br>
+        All other marks mentioned may be trademarks or registered trademarks 
of their respective owners.
+       </div>
+       <!-- Footer -->
+     </div>
+   </td>
+   <td id="cell-3-3">&nbsp;</td>
+   <td id="cell-3-4">&nbsp;</td>
+  </tr>
+  <tr>
+    <td id="cell-4-0" colspan="2">&nbsp;</td>
+    <td id="cell-4-1">&nbsp;</td>
+    <td id="cell-4-2" colspan="2">&nbsp;</td>
+  </tr>
+</table>
+
+<script type="text/javascript">
+var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl."; : 
"http://www.";);
+document.write(unescape("%3Cscript src='" + gaJsHost + 
"google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
+</script>
+<script type="text/javascript">
+try {
+var pageTracker = _gat._getTracker("UA-4458903-1");
+pageTracker._trackPageview();
+} catch(err) {}</script>
+
+</body>
+</html>
+
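Review bot: the Java sample under "Authorization" misspells the class name: `AccesController.getContext()` should be `AccessController.getContext()`, so the snippet would not compile as shown, and the "Problems" section repeats the slip as `AcessControlContext`. It is also worth stating next to that sample that `Subject.getSubject(acc)` returns null when no `Subject.doAs` frame is on the call stack, which is exactly the gap the "Problems" section raises, so a default authorization variant built on this call has to treat a null subject as "deny" rather than assume a login has happened. Minor spelling in the prose: "serivce", "securtiy", "annotaion", "ecxample", and "Sofware" in the ASF banner title attribute.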