Re: [jetty-dev] WS-Federation support for jetty

Thanks for your input, Jesse. I've got something up and running. I've created a UserIdentity, UserPrincipal, LoginService and Authenticator. But I faced a few things on which I'd appreciate your input:

As I understood it, the role of the LoginService is the validation of the credentials, which could be a password, a Kerberos ticket or a SAML token. But I don't really understand what the role of the IdentityService is.

Is the LoginService tied to a context, or will each servlet context have its own LoginService instance? The reason I ask is that my processing logic requires the current context to access the configuration. There is no way to pass the context to the login() method.

Can I get some context information within the doStart() method?

The SpnegoLoginService.validate() method, which is called in some of the authenticators, always returns false:

    // Has authentication been revoked?
    // A false from LoginService.validate() drops the cached authentication
    // from the session, so the next request is treated as unauthenticated.
    if (authentication instanceof Authentication.User &&
        _loginService != null &&
        !_loginService.validate(((Authentication.User)authentication).getUserIdentity()))
    {
        session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
    }

Why is it not called in the SpnegoAuthenticator and why do you return false?

In my case, the validate method can be used to check whether the SAML token is still valid. If not, I can invalidate it here. Makes sense?

Thanks
Oli
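The LoginService/validate() arrangement discussed above, as an added example; this is not code from the original message, from Jetty or from Fediz. It assumes the Jetty 8 / early Jetty 9 LoginService signature in which login() takes (String, Object), and it assumes that the Authenticator has already verified the SAML token's signature and issuer and hands the result to login() as a hypothetical ValidatedToken object. The SamlTokenPrincipal class and the clock-skew constructor argument are likewise assumptions for this example. The token lifetime is stored on the principal so that validate(), which the quoted authenticator code calls on every request, can re-check it without access to the original assertion.

```java
import java.security.Principal;
import java.util.concurrent.TimeUnit;

import javax.security.auth.Subject;

import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.server.UserIdentity;
import org.eclipse.jetty.util.component.AbstractLifeCycle;

/**
 * Added example, not Jetty or Fediz code. A LoginService for an already
 * verified SAML token whose validate() re-checks the token lifetime on
 * every request. Assumes the Jetty 8 / early Jetty 9 login(String, Object)
 * signature; signature and issuer checks are assumed to happen in the
 * Authenticator before login() is called.
 */
public class SamlTokenLoginService extends AbstractLifeCycle implements LoginService {

    /** Hypothetical result of token verification, built by the Authenticator. */
    public static final class ValidatedToken {
        final String subjectName;
        final String[] roles;
        final long notBeforeMillis;     // SAML Conditions/@NotBefore
        final long notOnOrAfterMillis;  // SAML Conditions/@NotOnOrAfter

        public ValidatedToken(String subjectName, String[] roles, long notBeforeMillis, long notOnOrAfterMillis) {
            this.subjectName = subjectName;
            this.roles = (roles == null) ? new String[0] : roles.clone();
            this.notBeforeMillis = notBeforeMillis;
            this.notOnOrAfterMillis = notOnOrAfterMillis;
        }
    }

    /** Principal that carries the token lifetime so validate() can re-check it later. */
    public static final class SamlTokenPrincipal implements Principal {
        private final String name;
        final long notBeforeMillis;
        final long notOnOrAfterMillis;

        SamlTokenPrincipal(String name, long notBeforeMillis, long notOnOrAfterMillis) {
            this.name = name;
            this.notBeforeMillis = notBeforeMillis;
            this.notOnOrAfterMillis = notOnOrAfterMillis;
        }

        @Override
        public String getName() { return name; }
    }

    private final String name;
    private final long clockSkewMillis;  // tolerance for drift between the IDP and this server
    private IdentityService identityService = new DefaultIdentityService();

    public SamlTokenLoginService(String name, long clockSkewSeconds) {
        this.name = name;
        this.clockSkewMillis = TimeUnit.SECONDS.toMillis(clockSkewSeconds);
    }

    @Override
    protected void doStart() throws Exception {
        // No servlet context is handed to a LoginService; anything the token
        // processing needs must be injected through the constructor or setters.
        super.doStart();
    }

    @Override
    public String getName() { return name; }

    /** Initial login: credentials must be the token the Authenticator has already verified. */
    @Override
    public UserIdentity login(String username, Object credentials) {
        if (!(credentials instanceof ValidatedToken))
            return null;  // this service never accepts passwords or other credential types
        ValidatedToken token = (ValidatedToken) credentials;
        if (username != null && !username.equals(token.subjectName))
            return null;  // asserted subject must match the name the caller expects
        if (!withinLifetime(token.notBeforeMillis, token.notOnOrAfterMillis, nowMillis()))
            return null;  // expired or not-yet-valid assertion is not a login

        SamlTokenPrincipal principal =
            new SamlTokenPrincipal(token.subjectName, token.notBeforeMillis, token.notOnOrAfterMillis);
        Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        subject.setReadOnly();
        return identityService.newUserIdentity(subject, principal, token.roles);
    }

    /** Per-request check: false makes the Authenticator drop the cached SessionAuthentication. */
    @Override
    public boolean validate(UserIdentity user) {
        Principal p = (user == null) ? null : user.getUserPrincipal();
        if (!(p instanceof SamlTokenPrincipal))
            return false;  // not an identity this service issued, so do not vouch for it
        SamlTokenPrincipal sp = (SamlTokenPrincipal) p;
        return withinLifetime(sp.notBeforeMillis, sp.notOnOrAfterMillis, nowMillis());
    }

    /** NotBefore <= now < NotOnOrAfter, each bound relaxed by the configured skew. */
    boolean withinLifetime(long notBefore, long notOnOrAfter, long now) {
        return now + clockSkewMillis >= notBefore && now - clockSkewMillis < notOnOrAfter;
    }

    protected long nowMillis() { return System.currentTimeMillis(); }  // overridable in tests

    @Override
    public IdentityService getIdentityService() { return identityService; }

    @Override
    public void setIdentityService(IdentityService service) { identityService = service; }

    @Override
    public void logout(UserIdentity user) { }  // nothing is cached per user in this example
}
```

With this in place, the session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED) branch quoted above is what turns an expired token into a fresh redirect: once validate() returns false, the next request is unauthenticated and the Authenticator sends the browser back to the IDP. Note that later Jetty 9.x releases added a ServletRequest parameter to login(), which gives a LoginService a way to reach request-scoped configuration that the two-argument form assumed here does not.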

________________________________________
From: jetty-dev-bounces@xxxxxxxxxxx [jetty-dev-bounces@xxxxxxxxxxx] on behalf of Jesse McConnell [jesse.mcconnell@xxxxxxxxx]
Sent: 22 November 2012 00:08
To: Jetty @ Eclipse developer discussion list
Subject: Re: [jetty-dev] WS-Federation support for jetty

Seems pretty straightforward, though you might end up making a
LoginService as well.  Actually this is not unlike the Spnego setup I
added quite a while ago...take a look at those classes in the
jetty-security module.

good luck and keep me posted :)

jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx


On Wed, Nov 21, 2012 at 10:29 AM, Oliver Wulff <owulff@xxxxxxxxxx> wrote:
> Hi there
>
> I've started looking into adding support for WS-Federation Passive Requestor
> Profile in Jetty by adding a new module for the Apache CXF Fediz project.
> The approach of this SSO concept is that unauthenticated requests are
> redirected to a central IDP component (as provided by Fediz) which does the
> authentication. Finally, a SAML token is issued and posted to Jetty via the
> browser. The token is validated and a session is created.
>
> My idea is to write a custom authenticator (extend LoginAuthenticator) which
> does the redirect and validates the SAML token (similar to FormAuthenticator
> with the exception to redirect instead of forward). The Fediz project
> provides most of the WS-Federation related processing in a container
> independent module. I only have to adapt that module to Jetty.
>
> Finally, the SAML token has a restriction on its validity which might be
> smaller than the http session duration. As the Authenticator should only be
> called once during the initial authentication I thought to write a custom
> handler which checks the validity of the cached token and triggers a
> redirect to the IDP in case the token is invalid.
>
> Does that make sense to integrate it as described above?
>
> Thanks
> Oli
>
>
> _______________________________________________
> jetty-dev mailing list
> jetty-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>