CXF-3462

Provide CXF interceptor making it easy to use STS for validating BasicAuth info

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4
    • Fix Version/s: 2.4.1
    • Component/s: WS-* Components
    • Labels: None

      Activity

      Glen Mazza added a comment -

      What are the benefits of having an STS validate BasicAuth info? Is this for Token issuance (i.e., after validating via Basic Auth the STS will generate a token to the client) or just pure validation ("Yup. That username/password combo is good.") without a token being generated? If the former, I think WS-Trust would require upgrading to UsernameToken (not just basic auth), and there may be legitimate security reasons for that. If the latter, that would seem to be outside the scope of the STS (there are normally service-side callback handlers that can be used for that type of validation.)

      Sergey Beryozkin added a comment -

      It is the latter.
      Using service-side callback handlers and STS for validating the basic auth info is kind of orthogonal to each other, but as it happened, STSTokenValidator, which uses STSClient, is implemented as a callback handler, or WSS4J Validator.

      The goal is to ensure HTTPS-protected endpoints (JAX-RS or JAX-WS ones not relying on WS-Sec) can utilize STS (when dictated by the internal sec policy) for validating the tokens and, even more importantly, getting SAML tokens back which can be used for subsequent authorization decisions.

      Sergey Beryozkin added a comment -

      Actually, we are talking about STS generating a SAML token too, so if it is what you meant by the former then yes to that too.

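      The flow the comments above describe (Basic credentials arrive over HTTPS, the endpoint does not use WS-Security, the interceptor wraps the credentials in a UsernameToken, asks the STS to validate it, and keeps any SAML assertion the STS returns for later authorization), written out as an added illustrative interceptor. This is example code, not CXF's own code and not the interceptor committed for this issue. It assumes the CXF 2.4 / WSS4J 1.6 APIs (AuthorizationPolicy, STSUtils.getClient, STSClient.validateSecurityToken, SecurityToken, AssertionWrapper), assumes an STSClient has been configured on the endpoint under the "ws-security.sts.client" property, and the message key SAML_ASSERTION and the class name are assumed names chosen for the example.

```java
package example.sts;

import java.security.Principal;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.transport.http.AbstractHTTPDestination;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.trust.STSClient;
import org.apache.cxf.ws.security.trust.STSUtils;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.saml.ext.AssertionWrapper;
import org.w3c.dom.Document;

/**
 * Illustrative example (not CXF's own code): validates the HTTP Basic
 * credentials CXF parsed into an AuthorizationPolicy by sending them to the
 * STS as a UsernameToken in a WS-Trust Validate request. If the STS answers
 * with a SAML assertion, the assertion is stored in the message so a later
 * interceptor can base authorization decisions on it.
 */
public class BasicAuthStsValidatingInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Assumed message key under which the returned SAML assertion is stored. */
    public static final String SAML_ASSERTION = "example.sts.saml.assertion";

    public BasicAuthStsValidatingInterceptor() {
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) {
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
            throw new AuthenticationException("Authorization header with Basic credentials required");
        }
        if (policy.getAuthorizationType() != null
            && !"Basic".equalsIgnoreCase(policy.getAuthorizationType())) {
            throw new AuthenticationException("Only Basic authentication is supported here");
        }
        // The password is forwarded as PasswordText, so refuse plain HTTP when we can tell.
        // (Assumes a servlet transport; on other transports the request is absent.)
        HttpServletRequest req = (HttpServletRequest) message.get(AbstractHTTPDestination.HTTP_REQUEST);
        if (req != null && !req.isSecure()) {
            throw new AuthenticationException("Basic credentials are only accepted over HTTPS");
        }

        try {
            // Wrap the Basic credentials in a PasswordText UsernameToken, the form the STS validates.
            Document doc = DOMUtils.createDocument();
            UsernameToken ut = new UsernameToken(false, doc, WSConstants.PASSWORD_TEXT);
            ut.setName(policy.getUserName());
            ut.setPassword(policy.getPassword());
            SecurityToken toValidate = new SecurityToken();
            toValidate.setToken(ut.getElement());

            // STSClient is looked up from the endpoint's "ws-security.sts.client" property.
            STSClient sts = STSUtils.getClient(message, "sts");
            List<SecurityToken> result = sts.validateSecurityToken(toValidate);
            if (result == null || result.isEmpty() || result.get(0) == null) {
                throw new AuthenticationException("STS rejected the credentials");
            }

            // A token different from the one we sent means the STS issued a SAML assertion.
            SecurityToken returned = result.get(0);
            final AssertionWrapper assertion = (returned != toValidate && returned.getToken() != null)
                ? new AssertionWrapper(returned.getToken()) : null;

            final String name = (assertion != null && assertion.getSubjectName() != null)
                ? assertion.getSubjectName() : policy.getUserName();
            final Principal principal = new Principal() {
                public String getName() { return name; }
            };
            message.put(SecurityContext.class, new SecurityContext() {
                public Principal getUserPrincipal() { return principal; }
                // Roles are decided downstream from the assertion's attribute statements.
                public boolean isUserInRole(String role) { return false; }
            });
            if (assertion != null) {
                message.put(SAML_ASSERTION, assertion);
            }
        } catch (AuthenticationException ex) {
            throw ex;
        } catch (Exception ex) {
            // Covers the checked exceptions of validateSecurityToken and AssertionWrapper.
            throw new AuthenticationException("Credential validation against STS failed: " + ex.getMessage());
        }
    }
}
```

      Register the class as an in-interceptor on the JAX-RS or JAX-WS endpoint alongside a configured STSClient; CXF's JAX-RS runtime maps AuthenticationException to a 401 response, so a rejected password never reaches the service. The HTTPS check matters because the interceptor re-sends the user's password as clear text inside the Validate request; the comments above only make sense for endpoints that are already protected by TLS, and the STS connection itself must be TLS-protected for the same reason.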

        People

        • Assignee:
          Sergey Beryozkin
          Reporter:
          Sergey Beryozkin
        • Votes: 0
          Watchers: 1
