Raised a separate JIRA for RBAC support for JAX-WS:
https://issues.apache.org/jira/browse/CXF-4212

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: Colm O hEigeartaigh [cohei...@apache.org]
Sent: Wednesday, 28 March 2012 13:19
To: dev@cxf.apache.org
Subject: Re: Role based access control with SAML in CXF

+1 sounds good.

Colm.

On Wed, Mar 28, 2012 at 11:48 AM, Oliver Wulff <owu...@talend.com> wrote:
> Hi guys
>
> I'd like to look into the following JIRA:
>
> https://issues.apache.org/jira/browse/CXF-3522
>
> The CXF service provider gets a SAML token which contains an
> AttributeStatement with claims information. One claim can be the roles.
>
> An initial fix (maybe I create a separate JIRA) shall only look for the claim
> which provides the role information, thus we can instantiate the
> SecurityContext and provide the role information.
>
> I'd like to discuss one open point with respect to how to represent several
> roles in a SAML token. Right now, the CXF STS separates them by using a
> semicolon.
>
> I've verified what Microsoft is doing in this regard and found the following:
>
> http://blogs.msdn.com/b/sameersurve/archive/2012/01/19/how-sharepoint-2010-handles-multi-valued-claims.aspx
>
> I'd go with the same approach to support the following two:
>
> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
> <saml:AttributeValue>Value1</saml:AttributeValue>
> <saml:AttributeValue>Value2</saml:AttributeValue>
> </saml:Attribute>
>
> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
> <saml:AttributeValue>Value1</saml:AttributeValue>
> </saml:Attribute>
> <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
> AttributeNamespace="http://schemas.xmlsoap.org/claims" AttributeName="groups">
> <saml:AttributeValue>Value2</saml:AttributeValue>
> </saml:Attribute>
>
> but for backwards compatibility also support to separate the values by a
> separator like ";".
>
> I'd add two properties for an endpoint to tell the URI of the attribute which
> provides the role information (with some default) and optionally the
> separator. I'll add this functionality to the STS as well.
>
> The STS will then allow to configure how to encode multi-value claims like
> "MULTI_VALUE", "MULTI_CLAIM" or "SEPARATOR".
>
> Thoughts?
>
> Oli
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division
> http://www.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
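
The quoted proposal describes three ways a SAML 1.x token can carry several roles in the "groups" claim: repeated AttributeValue children ("MULTI_VALUE"), repeated Attribute elements ("MULTI_CLAIM"), and a single value joined with a separator such as ";" ("SEPARATOR"). The following is an added example, not code from the thread or from CXF, of how a service-provider side role extractor can accept all three while treating the separator as an opt-in setting, as the endpoint properties in the proposal suggest. It assumes Python's standard ElementTree parser, the SAML 1.0 assertion namespace and claims namespace quoted in the post, and constructed sample statements (the distractor namespace http://example.invalid/other is made up for the test).

```python
import xml.etree.ElementTree as ET

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"
ATTR_TAG = "{%s}Attribute" % SAML1_NS
VALUE_TAG = "{%s}AttributeValue" % SAML1_NS

# Constructed sample statements, one per encoding discussed in the thread.
# MULTI_VALUE: one Attribute element with several AttributeValue children.
MULTI_VALUE = f"""
<saml:AttributeStatement xmlns:saml="{SAML1_NS}">
  <saml:Attribute AttributeNamespace="{CLAIMS_NS}" AttributeName="groups">
    <saml:AttributeValue>Value1</saml:AttributeValue>
    <saml:AttributeValue>Value2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# MULTI_CLAIM: the Attribute element is repeated, one value each. The third
# Attribute is a constructed distractor: same AttributeName, different namespace.
MULTI_CLAIM = f"""
<saml:AttributeStatement xmlns:saml="{SAML1_NS}">
  <saml:Attribute AttributeNamespace="{CLAIMS_NS}" AttributeName="groups">
    <saml:AttributeValue>Value1</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeNamespace="{CLAIMS_NS}" AttributeName="groups">
    <saml:AttributeValue>Value2</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeNamespace="http://example.invalid/other" AttributeName="groups">
    <saml:AttributeValue>NotARole</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# SEPARATOR: the legacy encoding, all roles in one value joined with ";".
SEPARATOR = f"""
<saml:AttributeStatement xmlns:saml="{SAML1_NS}">
  <saml:Attribute AttributeNamespace="{CLAIMS_NS}" AttributeName="groups">
    <saml:AttributeValue>Value1;Value2</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def extract_roles(statement_xml, attribute_name="groups",
                  attribute_namespace=CLAIMS_NS, separator=None):
    """Return the ordered, de-duplicated role names found in the statement.

    Repeated Attribute elements and repeated AttributeValue children are
    always accepted. Values are split on ``separator`` only when one is
    configured, so a role name that happens to contain ";" is left intact
    for endpoints that do not opt in to the legacy encoding.

    The statement is assumed to come from an assertion whose signature was
    already verified by the WS-Security layer; role extraction never
    substitutes for that check.
    """
    root = ET.fromstring(statement_xml)
    roles = []
    for attr in root.iter(ATTR_TAG):
        # Match on namespace *and* name: a "groups" attribute in another
        # namespace is a different claim and must not contribute roles.
        if attr.get("AttributeName") != attribute_name:
            continue
        if attr.get("AttributeNamespace") != attribute_namespace:
            continue
        for value in attr.findall(VALUE_TAG):
            text = (value.text or "").strip()
            parts = text.split(separator) if separator else [text]
            for part in parts:
                part = part.strip()
                if part and part not in roles:
                    roles.append(part)
    return roles


if __name__ == "__main__":
    print("MULTI_VALUE:", extract_roles(MULTI_VALUE))
    print("MULTI_CLAIM:", extract_roles(MULTI_CLAIM))
    print("SEPARATOR  :", extract_roles(SEPARATOR, separator=";"))
    print("no split   :", extract_roles(SEPARATOR))
```

All three sample statements yield `["Value1", "Value2"]`, the distractor attribute in the other namespace is ignored, and the legacy value is only split when the endpoint supplies the separator, which mirrors the "optional separator" property in the proposal.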
