Re: [jetty-dev] WS-Federation support for jetty

Hi Jesse

Did you have some time to look into this?

Thanks
Oli

________________________________________
From: jetty-dev-bounces@xxxxxxxxxxx [jetty-dev-bounces@xxxxxxxxxxx] on behalf of Oliver Wulff [owulff@xxxxxxxxxx]
Sent: 26 November 2012 20:51
To: Jetty @ Eclipse developer discussion list
Subject: Re: [jetty-dev] WS-Federation support for jetty

I've committed a working snapshot for jetty 7 and 8 here:
git clone git://git.apache.org/cxf-fediz.git
or
svn co https://svn.apache.org/repos/asf/cxf/fediz/trunk

(see module "plugins/jetty")

I've put together some documentation here:
http://cxf.apache.org/fediz-jetty.html

There are a few things missing like AudienceRestriction validation support etc (see TODO).

Looking forward to your feedback.

Thanks
Oli


------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: jetty-dev-bounces@xxxxxxxxxxx [jetty-dev-bounces@xxxxxxxxxxx] on behalf of Jesse McConnell [jesse.mcconnell@xxxxxxxxx]
Sent: 26 November 2012 18:31
To: Jetty @ Eclipse developer discussion list
Subject: Re: [jetty-dev] WS-Federation support for jetty

IdentityService is for pulling actual information about a user from
some datasource...in ldap terms it would be used for pulling roles and
the like.

So LoginService handles Authentication and IdentityService handles more of the
Authorization credentials, in a broad nutshell...I think, been a while
since I messed with them :)

As for the rest of it, I'll have to take a closer look, but what you're
saying sounds reasonable at first blush.

cheers,
jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx


On Thu, Nov 22, 2012 at 4:31 PM, Oliver Wulff <owulff@xxxxxxxxxx> wrote:
> Thanks for your input Jesse. I've got something up and running. I've created a UserIdentity, UserPrincipal, LoginService and Authenticator. But I faced a few things I'd appreciate your input on:
>
> As I understood, the role of the LoginService is the validation of the credentials, which could be a password, Kerberos ticket or a SAML token. But I don't really understand what the role of the IdentityService is.
>
> Is the LoginService tied to a context, or does each servlet context get its own LoginService instance? The reason I ask is that my processing logic requires the current context to access the configuration. There is no way to delegate the context to the login() method.
>
> Can I get some context information within the doStart() method?
>
> The SpnegoLoginService.validate() method always returns false which is called in some of the authenticators:
>                 // Has authentication been revoked?
>                 if (authentication instanceof Authentication.User &&
>                     _loginService!=null &&
>                     !_loginService.validate(((Authentication.User)authentication).getUserIdentity()))
>                 {
>
>                     session.removeAttribute(SessionAuthentication.__J_AUTHENTICATED);
>                 }
>
> Why is it not called in the SpnegoAuthenticator and why do you return false?
>
> In my case, the validate method can be used to check whether the SAML token is still valid. If not, I can invalidate it here. Does that make sense?
>
> Thanks
> Oli
>
> ________________________________________
> From: jetty-dev-bounces@xxxxxxxxxxx [jetty-dev-bounces@xxxxxxxxxxx] on behalf of Jesse McConnell [jesse.mcconnell@xxxxxxxxx]
> Sent: 22 November 2012 00:08
> To: Jetty @ Eclipse developer discussion list
> Subject: Re: [jetty-dev] WS-Federation support for jetty
>
> Seems pretty straightforward, though you might end up making a
> LoginService as well.  Actually this is not unlike the Spnego setup I
> added quite a while ago...take a look at those classes in the
> jetty-security module.
>
> good luck and keep me posted :)
>
> jesse
>
> --
> jesse mcconnell
> jesse.mcconnell@xxxxxxxxx
>
>
> On Wed, Nov 21, 2012 at 10:29 AM, Oliver Wulff <owulff@xxxxxxxxxx> wrote:
>> Hi there
>>
>> I've started looking into adding support for WS-Federation Passive Requestor
>> Profile in Jetty by adding a new module for the Apache CXF Fediz project.
>> The approach of this SSO concept is that unauthenticated requests are
>> redirected to a central IDP component (as provided by Fediz) which does the
>> authentication. Finally, a SAML token is issued and posted to Jetty via the
>> browser. The token is validated and a session is created.
>>
>> My idea is to write a custom authenticator (extend LoginAuthenticator) which
>> does the redirect and validates the SAML token (similar to FormAuthenticator
>> with the exception to redirect instead of forward). The Fediz project
>> provides most of the WS-Federation related processing in a container
>> independent module. I only have to adapt that module to Jetty.
>>
>> Finally, the SAML token has a restriction on its validity which might be
>> smaller than the http session duration. As the Authenticator should only be
>> called once during the initial authentication I thought to write a custom
>> handler which checks the validity of the cached token and triggers a
>> redirect to the IDP in case the token is invalid.
>>
>> Does it make sense to integrate it as described above?
>>
>> Thanks
>> Oli
>>
>>
>> _______________________________________________
>> jetty-dev mailing list
>> jetty-dev@xxxxxxxxxxx
>> https://dev.eclipse.org/mailman/listinfo/jetty-dev
>>
_______________________________________________
jetty-dev mailing list
jetty-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-dev
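As an added illustration of the validate() idea raised in this thread (example code, not Fediz or Jetty code): a hypothetical LoginService for Jetty 7/8 whose validate() returns false once the token's NotOnOrAfter has passed, so the authenticator's quoted "has authentication been revoked?" check removes __J_AUTHENTICATED from the session and the user is sent back to the IDP. The SamlTokenInfo credential type and the expected-audience check (the AudienceRestriction item from the TODO) are assumptions; signature verification of the posted token is assumed to have happened earlier in the Authenticator.

```java
import java.security.Principal;
import javax.security.auth.Subject;
import org.eclipse.jetty.security.DefaultIdentityService;
import org.eclipse.jetty.security.IdentityService;
import org.eclipse.jetty.security.LoginService;
import org.eclipse.jetty.server.UserIdentity;

/** Hypothetical LoginService for the token-based SSO flow discussed in the thread (example, not Fediz code). */
public class SamlTokenLoginService implements LoginService {
    /** Constructed stand-in for the assertion the Authenticator has already verified; hypothetical type. */
    public static class SamlTokenInfo {
        public final String subject, audience;  // NameID of the user; AudienceRestriction URI in the token
        public final long notOnOrAfter;         // token expiry, millis since epoch
        public final String[] roles;
        public SamlTokenInfo(String subject, String audience, long notOnOrAfter, String[] roles) {
            this.subject = subject; this.audience = audience; this.notOnOrAfter = notOnOrAfter; this.roles = roles;
        }
    }
    /** Principal that remembers when the token it was built from stops being valid. */
    public static class SamlPrincipal implements Principal {
        private final String name;
        final long notOnOrAfter;
        SamlPrincipal(String name, long notOnOrAfter) { this.name = name; this.notOnOrAfter = notOnOrAfter; }
        public String getName() { return name; }
    }

    private final String expectedAudience;  // this relying party's own audience URI
    private IdentityService identityService = new DefaultIdentityService();
    public SamlTokenLoginService(String expectedAudience) { this.expectedAudience = expectedAudience; }
    public String getName() { return "saml-token"; }

    /** Called once by the Authenticator after the token's signature has been verified. */
    public UserIdentity login(String username, Object credentials) {
        if (!(credentials instanceof SamlTokenInfo)) return null;
        SamlTokenInfo token = (SamlTokenInfo) credentials;
        // Reject a token minted for another relying party, or one that has already expired.
        if (!expectedAudience.equals(token.audience) || System.currentTimeMillis() >= token.notOnOrAfter) return null;
        SamlPrincipal principal = new SamlPrincipal(token.subject, token.notOnOrAfter);
        Subject subject = new Subject();
        subject.getPrincipals().add(principal);
        return identityService.newUserIdentity(subject, principal, token.roles);
    }
    /** Run by the authenticator's revocation check on later requests; false removes __J_AUTHENTICATED, forcing a new round trip to the IDP. */
    public boolean validate(UserIdentity user) {
        Principal p = user.getUserPrincipal();
        return p instanceof SamlPrincipal && System.currentTimeMillis() < ((SamlPrincipal) p).notOnOrAfter;
    }
    public IdentityService getIdentityService() { return identityService; }
    public void setIdentityService(IdentityService service) { identityService = service; }
    public void logout(UserIdentity user) { }  // nothing cached server-side beyond the session itself
}
```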