Hi Oliver
On Tue, May 3, 2011 at 9:12 PM, Oliver Wulff <[email protected]> wrote:
> Hi there
>
> CXF 2.4 has a lot of security enhancements in supporting additional security
> tokens like Saml2 and BinarySecurityTokens etc.
>
> IMHO, the service developer should not care what kind of security token has
> been sent by a caller to figure out who called him. JAX-WS defines the
> WebServiceContext to provide some basic information like principal of the
> caller and whether the caller is in a specific role or not.
>
> WS-Federation and WS-Trust provide many more options, where the security
> token requestor can ask to put some specific claims into the issued security
> token - represented as an attribute statement in a SAML token.
>
> Microsoft provides a flexible and extensible framework called Windows
> Identity Foundation [1] which allows decoupling the application code, the
> authorization logic and the security tokens sent on the wire.
>
> First, I'm not an expert in spring security but it allows more fine grained
> authorization functionality than isUserInRole. But it needs the claims
> statements made by a third party like an STS.
>
> Wouldn't it make sense to somehow set up the spring security context within a
> CXF interceptor based on the claims made in a saml token?
>
> A claim consists of:
> ClaimType: URI, Namespace which tells you what the value of the claims mean
> Issuer: who issued the claim, usually an STS
> Value: value of the claim
> ValueType: type information
>
> Don't know whether spring security already has a java bean for that.
>
> What is your take on this?
>
Can some of the claims be used for servicing isUserInRole calls? This
is something I have to catch up with, but looking, say, at [2] suggests
that the sample token there can be used for asserting
isUserInRole("staff")?
What other types of claims can be used, and how in principle can they
be used for authorizing the access to a given service method?
thanks, Sergey
[2] http://en.wikipedia.org/wiki/SAML_2.0
> Thanks
> Oli
>
> [1] http://msdn.microsoft.com/en-us/library/ee748484.aspx
>
--
Sergey Beryozkin
Application Integration Division of Talend
http://sberyozkin.blogspot.com
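The claim shape Oli lists (ClaimType, Issuer, Value, ValueType) and Sergey's isUserInRole("staff") question, as an added example that is not code from the thread or from CXF: a plain-DOM extractor that turns a SAML 2.0 attribute statement into claim beans and derives roles from them, accepting role claims only from a configured STS issuer. The sample assertion is constructed here (modelled on the attribute statement in [2]); the issuer URL and the choice of role claim type are assumptions, and the assertion's signature is assumed to have been verified upstream (e.g. by WSS4J) before this code runs.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public final class SamlClaims {
    static final String SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final String XSI = "http://www.w3.org/2001/XMLSchema-instance";

    /** Claim bean in the shape listed in the thread: type URI, issuer, value, value type. */
    public static final class Claim {
        public final String claimType, issuer, value, valueType;
        Claim(String t, String i, String v, String vt) { claimType = t; issuer = i; value = v; valueType = vt; }
    }

    /** Reads the Issuer and every Attribute/AttributeValue pair of an already-verified SAML 2.0 assertion. */
    public static List<Claim> extract(String assertionXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs: no XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(assertionXml)));
        NodeList issuers = doc.getElementsByTagNameNS(SAML2, "Issuer");
        String issuer = issuers.getLength() > 0 ? issuers.item(0).getTextContent().trim() : null;
        List<Claim> claims = new ArrayList<Claim>();
        NodeList attrs = doc.getElementsByTagNameNS(SAML2, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element attr = (Element) attrs.item(i);
            NodeList values = attr.getElementsByTagNameNS(SAML2, "AttributeValue");
            for (int j = 0; j < values.getLength(); j++) {
                Element v = (Element) values.item(j); // xsi:type carries the ValueType, may be absent
                claims.add(new Claim(attr.getAttribute("Name"), issuer, v.getTextContent().trim(), v.getAttributeNS(XSI, "type")));
            }
        }
        return claims;
    }

    /** Roles = values of the configured role claim type, accepted only when issued by the trusted STS. */
    public static Set<String> roles(List<Claim> claims, String trustedIssuer, String roleClaimType) {
        Set<String> roles = new HashSet<String>();
        for (Claim c : claims)
            if (trustedIssuer.equals(c.issuer) && roleClaimType.equals(c.claimType)) roles.add(c.value);
        return roles;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample assertion (assumed issuer URL), modelled on the attribute statement in [2].
        String xml = "<saml:Assertion xmlns:saml=\"" + SAML2 + "\" xmlns:xsi=\"" + XSI + "\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\">"
            + "<saml:Issuer>https://sts.example.org</saml:Issuer><saml:AttributeStatement>"
            + "<saml:Attribute Name=\"urn:oid:1.3.6.1.4.1.5923.1.1.1.1\" FriendlyName=\"eduPersonAffiliation\">"
            + "<saml:AttributeValue xsi:type=\"xs:string\">member</saml:AttributeValue>"
            + "<saml:AttributeValue xsi:type=\"xs:string\">staff</saml:AttributeValue>"
            + "</saml:Attribute></saml:AttributeStatement></saml:Assertion>";
        Set<String> roles = roles(extract(xml), "https://sts.example.org", "urn:oid:1.3.6.1.4.1.5923.1.1.1.1");
        System.out.println("isUserInRole(\"staff\") = " + roles.contains("staff"));
    }
}
```

In the interceptor wiring the thread proposes, the role set returned by roles() is what would be turned into Spring Security granted authorities, and the claim list is what a finer-grained authorization rule would inspect.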