Salut Jérôme As I understand your scenario, globus is acting as an intermediary where the http(s) connection is terminated. Globus does some processing with the message and must call other services on behalf of the original user which triggered the call. Am I right?
If yes, WS-Trust addresses this use case. The intermediary (Globus) can get issued a security token from the stst on behalf of the original caller. This means that you could use SAML HOK between the original application and the intermediary and SAML Bearer (including the original user id) to the target services. Does this make sense to you? Thanks Oli ________________________________________ Von: Daniel Kulp [[email protected]] Gesendet: Donnerstag, 7. April 2011 19:15 An: [email protected] Cc: Jérôme Revillard; [email protected] Betreff: Re: User credential delegation On Monday 04 April 2011 3:29:21 AM Jérôme Revillard wrote: > Hi Colm, all, > > In our platform, the user needs to follow a specific > authentication.authorization process in order to be able to access all > the other resources. This process is handle by a specific authentication > services. It's a bit complex because it needs to talk to many other > services on behalf of the user identity. So that mean that this service > needs to have access to the user private/public certificate (a proxy > certificate with a limited lifetime). > > To do so, in our previous implementation, we uses the java Globus > toolkit: > http://lists.globus.org/pipermail/gt-user/2011-January/009645.html. I just > realized that this delegation was part of the > WS-SecureConversation protocol inside globus. Do you know if I can do > the same thing with CXF? You "likely can", but it will likely require a bit of work and I really don't know enough about how the Globus stuff did it to make suggestions. Most likely with WS-SecConv, the first request would include the client certs that would be required for the authentication. The conversation token would be generated and returned to the client and used from there. NORMALLY, we just discard the certs and such from the first request as it's not needed anymore. However, you could write an intereceptor that would record that information for use later. Subsequent requests could grab that infromation associated with the conversation token and use that for auth decisions and such. Dan > > Best, > Jerome > > Le 01/04/2011 18:01, Colm O hEigeartaigh a écrit : > > Hi Jerome, > > > > Could you explain in more detail what your use-case entails? > > > > Colm. > > > > On Fri, Apr 1, 2011 at 4:53 PM, Jérôme Revillard <[email protected]> wrote: > >> Dear all, > >> > >> Is there a way with CXF to do credential delegation (get the user > >> private key server side)? Can WS-Trust help for this? > >> > >> Best, > >> Jerome > >> > >> -- > >> ===================================================== > >> Dr Jérôme Revillard > >> CTO MAAT France > >> www.maatg.com > >> ===================================================== -- Daniel Kulp [email protected] http://dankulp.com/blog Talend - http://www.talend.com
