Hi Sergei, For me is also interesting to have a simple way to configure REST service with authentication schemas it accepts. For example one service will accept only SAML, second service accepts either Basic Auths or SAML, depending what client sent. For SOAP services that is quite easy to do using WS-Policy assertions. Do you think kind of similar mechanism is useful for REST?
Regards, Andrei. > -----Original Message----- > From: Sergey Beryozkin [mailto:sberyoz...@gmail.com] > Sent: Mittwoch, 5. Februar 2014 22:22 > To: dev@cxf.apache.org > Subject: Re: REST security enhancements > > Hi Oli > On 05/02/14 19:56, Oliver Wulff wrote: > > Hi there > > > > For the REST services of the Fediz IDP I'd like to support initially three > > security > use cases. > > > > 1) Basic Authentication, Username/Password validated against the STS > > 2) Basic Authentication, Username/Password validated with JAAS > I guess realistically, in case of Basic, it is either 1 or 2 > > > 3) SAML token in Basic Authorization header > > > > In CXF 3.0, each REST security interceptor enforces the security > > credentials it > supports. Therefore, you can't just configure all interceptors like: > > org.apache.cxf.ws.security.trust.AuthPolicyValidatingInterceptor > > org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler > > org.apache.cxf.jaxrs.security.JAASAuthenticationFilter > > > > The interceptors should not throw an exception but instead assert the token > (similar the policy) and finally an interceptor checks whether one token was > provided and successfully validated. > > > > Other ideas? > > > I'll be OK with the individual interceptors enforcing it. Otherwise we'd need > to > chain them, etc, but having a basic delegating interceptor which would check > the authorization scheme and do something like: > > public void handleMessage(Message message) { if > (isBasic(message.get(Message.REQUEST_HEADERS))) { > basicAuthInterceptor.handleMessage(message); > } else { > samlInterceptor.handleMessage(message); > } > > Some basic policy support can be thought of as well, as you said, for example, > we can have a BasicAuthJaas policy - this will use JAAS interceptor, etc. I > think > the policies are more interesting when we can expect some interoperability but > also when a series of interceptors is needed to validate a single > requirement... > > So I'd start with the direct coding first Cheers, Sergey > > > > > Thanks > > Oli > > > > > > > > > > ------ > > > > Oliver Wulff > > > > Blog: http://owulff.blogspot.com<http://owulff.blogspot.com/> > > Solution Architect > > http://coders.talend.com > > > > <http://coders.talend.com>Talend Application Integration Division > > http://www.talend.com > > > > > -- > Sergey Beryozkin > > Talend Community Coders > http://coders.talend.com/ > > Blog: http://sberyozkin.blogspot.com
