Hi List!

Regarding the last post I wrote in this mailing list (two approaches for the IDP resolution depending on which application is asking for the token), I think it would be a great and "reusable" idea if the Tomcat plugin for the token processing and IDP redirection could be configured in a separate file, where you could write which IDP would be the correct one to challenge the user with depending on, for example, the pattern of the request URL. For example, if an application tries to access a secured resource like "http://www.mydomain.com/internal", as "internal" is a substring of the requested URL, it would be resolved to IDP1, while a request like "http://www.otherdomain.com/external" would resolve against a second IDP.

As a proposal, the valve could be configured referring to an IDP resolver bean with all the mappings needed for the resolution. Given the default configuration in the valve:

--------------------------------------------------------------------------------
<Context>
  <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
         issuerURL="https://localhost:9443/fedizidp/"
         truststoreFile="conf/stsstore.jks"
         truststorePassword="thepass"
         trustedIssuer=".*CN=www.mydomain.com.*" />
</Context>
--------------------------------------------------------------------------------

An approach could be to have an extension point like being able to specify "idpResolverConfig" instead of the issuerURL, and this idpResolverConfig would keep the information needed to do the appropriate redirect in another Spring configuration XML file (for example):

--------------------------------------------------------------------------------
<Context>
  <Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"
         idpResolverConfig="conf/idpResolverMapping.xml"
         truststoreFile="conf/stsstore.jks"
         truststorePassword="thepass"
         trustedIssuer=".*CN=www.mydomain.com.*" />
</Context>
--------------------------------------------------------------------------------

Then, this idpResolverMapping.xml could look like this:

--------------------------------------------------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:util="http://www.springframework.org/schema/util"
       xsi:schemaLocation="
         http://www.springframework.org/schema/beans
         http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
         http://www.springframework.org/schema/util
         http://www.springframework.org/schema/util/spring-util-2.0.xsd">

  <!-- request path pattern -> IDP to redirect the user to -->
  <util:map id="idpMappings">
    <entry key="/internal/*" value="http://idp1.mydomain.com" />
    <entry key="/external/*" value="http://idp2.mydomain.com" />
  </util:map>

</beans>
--------------------------------------------------------------------------------

What do you think? Thanks in advance for any feedback on this subject.

Kind regards,
Fran.
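An added, illustrative resolver for the mapping file proposed above (example code written for this page, not Fediz code or anything from the poster). One point a reviewer of such a valve would insist on: the decision must be made on the normalized request path with servlet-style prefix semantics, never on "internal" being a substring of the whole URL, otherwise "/public/x?next=/internal/y" or "/external/../internal/y" would be routed to the wrong IDP. The `<util:map>` format, the `/prefix/*` pattern semantics, the longest-match rule and the fallback to a default issuer URL are all assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Hypothetical IDP resolver (not part of Fediz): maps a request path to an IDP URL
 * using exact paths or servlet-style prefix patterns such as "/internal/*".
 */
public class IdpResolver {

    private static final String BEANS_NS = "http://www.springframework.org/schema/beans";

    private static final class Mapping {
        final String pattern;
        final String idpUrl;
        Mapping(String pattern, String idpUrl) { this.pattern = pattern; this.idpUrl = idpUrl; }
    }

    private final List<Mapping> mappings = new ArrayList<>();
    private final String defaultIdpUrl; // assumption: fall back to the valve's single issuerURL

    public IdpResolver(String defaultIdpUrl) { this.defaultIdpUrl = defaultIdpUrl; }

    public void addMapping(String pattern, String idpUrl) {
        if (!pattern.startsWith("/")) {
            throw new IllegalArgumentException("pattern must be path-absolute: " + pattern);
        }
        mappings.add(new Mapping(pattern, idpUrl));
    }

    /** Reads the <entry key="..." value="..."/> elements of the proposed util:map. */
    public static IdpResolver fromXml(String xml, String defaultIdpUrl) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // A config file is still input: refuse DTDs so external entities (XXE) cannot be used.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        IdpResolver r = new IdpResolver(defaultIdpUrl);
        NodeList entries = doc.getElementsByTagNameNS(BEANS_NS, "entry");
        for (int i = 0; i < entries.getLength(); i++) {
            Element e = (Element) entries.item(i);
            r.addMapping(e.getAttribute("key"), e.getAttribute("value"));
        }
        return r;
    }

    /** Decides on the normalized path only; the query string and dot-segments are ignored. */
    public String resolve(String requestUri) {
        String path = URI.create(requestUri).normalize().getPath();
        if (path == null || path.isEmpty()) {
            path = "/";
        }
        Mapping best = null;
        for (Mapping m : mappings) {
            boolean hit;
            if (m.pattern.endsWith("/*")) {
                String prefix = m.pattern.substring(0, m.pattern.length() - 2);
                // "/internal/*" matches "/internal" and "/internal/..." but not "/internalfoo"
                hit = path.equals(prefix) || path.startsWith(prefix + "/");
            } else {
                hit = path.equals(m.pattern);
            }
            if (hit && (best == null || m.pattern.length() > best.pattern.length())) {
                best = m; // longest (most specific) pattern wins
            }
        }
        return best != null ? best.idpUrl : defaultIdpUrl;
    }

    public static void main(String[] args) throws Exception {
        // Constructed copy of the mapping file from the proposal above.
        String xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
                + "<beans xmlns=\"http://www.springframework.org/schema/beans\"\n"
                + "       xmlns:util=\"http://www.springframework.org/schema/util\">\n"
                + "  <util:map id=\"idpMappings\">\n"
                + "    <entry key=\"/internal/*\" value=\"http://idp1.mydomain.com\"/>\n"
                + "    <entry key=\"/external/*\" value=\"http://idp2.mydomain.com\"/>\n"
                + "  </util:map>\n"
                + "</beans>\n";
        IdpResolver r = IdpResolver.fromXml(xml, "https://localhost:9443/fedizidp/");
        System.out.println(r.resolve("/internal/report"));               // idp1
        System.out.println(r.resolve("/external/../internal/report"));  // idp1 after normalization
        System.out.println(r.resolve("/public/x?next=/internal/y"));     // default: query is ignored
        System.out.println(r.resolve("/internalfoo"));                   // default: not a prefix hit
    }
}
```

Inside a real Tomcat valve the path should come from the container's already decoded and normalized view of the request (servlet path plus path info) rather than from the raw request URI, so that percent-encoded dot-segments are handled by Tomcat before the lookup; the matching logic above stays the same.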
