Bonjour Olivier, Le 07/04/2011 20:53, Oliver Wulff a écrit : > Salut Jérôme > > As I understand your scenario, globus is acting as an intermediary where the > http(s) connection is terminated. Globus does some processing with the > message and must call other services on behalf of the original user which > triggered the call. Am I right?
Yes. In fact this is not Globus that needs to call other services on behalf of the original user but one service that was developed with the Globus toolkit framework and that I'm migrating to Apache CXF. But that's basically the same. > If yes, WS-Trust addresses this use case. The intermediary (Globus) can get > issued a security token from the stst on behalf of the original caller. This > means that you could use SAML HOK between the original application and the > intermediary and SAML Bearer (including the original user id) to the target > services. > > Does this make sense to you? I have to say that I don't understand exactly what you mean. I know SAML but not very well and I honestly did not had time to look carefully to WS-Trust yet. Do you have any documentation that I could use to understand properly your explanation? (if the documentation uses CXF it's even better ;-)). Concerning the STS, should I create one? Thanks for your help, Best, Jerome > Thanks > Oli > > ________________________________________ > Von: Daniel Kulp [[email protected]] > Gesendet: Donnerstag, 7. April 2011 19:15 > An: [email protected] > Cc: Jérôme Revillard; [email protected] > Betreff: Re: User credential delegation > > On Monday 04 April 2011 3:29:21 AM Jérôme Revillard wrote: >> Hi Colm, all, >> >> In our platform, the user needs to follow a specific >> authentication.authorization process in order to be able to access all >> the other resources. This process is handle by a specific authentication >> services. It's a bit complex because it needs to talk to many other >> services on behalf of the user identity. So that mean that this service >> needs to have access to the user private/public certificate (a proxy >> certificate with a limited lifetime). >> >> To do so, in our previous implementation, we uses the java Globus >> toolkit: >> http://lists.globus.org/pipermail/gt-user/2011-January/009645.html. I just >> realized that this delegation was part of the >> WS-SecureConversation protocol inside globus. Do you know if I can do >> the same thing with CXF? > You "likely can", but it will likely require a bit of work and I really don't > know enough about how the Globus stuff did it to make suggestions. > > Most likely with WS-SecConv, the first request would include the client certs > that would be required for the authentication. The conversation token would > be generated and returned to the client and used from there. NORMALLY, we > just discard the certs and such from the first request as it's not needed > anymore. However, you could write an intereceptor that would record that > information for use later. Subsequent requests could grab that infromation > associated with the conversation token and use that for auth decisions and > such. > > Dan > > >> Best, >> Jerome >> >> Le 01/04/2011 18:01, Colm O hEigeartaigh a écrit : >>> Hi Jerome, >>> >>> Could you explain in more detail what your use-case entails? >>> >>> Colm. >>> >>> On Fri, Apr 1, 2011 at 4:53 PM, Jérôme Revillard <[email protected]> > wrote: >>>> Dear all, >>>> >>>> Is there a way with CXF to do credential delegation (get the user >>>> private key server side)? Can WS-Trust help for this? >>>> >>>> Best, >>>> Jerome >>>> >>>> -- >>>> ===================================================== >>>> Dr Jérôme Revillard >>>> CTO MAAT France >>>> www.maatg.com >>>> ===================================================== > -- > Daniel Kulp > [email protected] > http://dankulp.com/blog > Talend - http://www.talend.com -- ===================================================== Dr Jérôme Revillard CTO MAAT France www.maatg.com Immeuble Alliance Entree A, 74160 Archamps (France) Mob. 0034 607 700 106 Tel. 0033 450 439 602 Fax. 0033 450 439 601 =====================================================
smime.p7s
Description: S/MIME Cryptographic Signature
