CXF-3462

Provide CXF interceptor making it easy to use STS for validating BasicAuth info

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.4
    • Fix Version/s: 2.4.1
    • Component/s: WS-* Components
    • Labels:
      None

      Activity

      Sergey Beryozkin created issue -
      Glen Mazza added a comment -

      What are the benefits of having an STS validate BasicAuth info? Is this for Token issuance (i.e., after validating via Basic Auth the STS will generate a token to the client) or just pure validation ("Yup. That username/password combo is good.") without a token being generated? If the former, I think WS-Trust would require upgrading to UsernameToken (not just basic auth), and there may be legitimate security reasons for that. If the latter, that would seem to be outside the scope of the STS (there are normally service-side callback handlers that can be used for that type of validation).

      Sergey Beryozkin added a comment -

      It is the latter.
      Using service-side callback handlers and STS for validating the basic auth info is kind of orthogonal to each other, but as it happened, STSTokenValidator which uses STSClient is implemented as a callback handler, or WSS4J Validator.

      The goal is to ensure HTTPS protected endpoints (JAX-RS or JAX-WS ones not relying on WS-Sec) can utilize STS (when dictated by the internal sec policy) for validating the tokens and, even more importantly, getting SAML tokens back which can be used for subsequent authorization decisions.

      Sergey Beryozkin added a comment -

      Actually, we are talking about STS generating a SAML token too, so if it is what you meant by the former then yes to that too.

      Sergey Beryozkin made changes -
      Field | Original Value | New Value
      Status | Open [ 1 ] | Resolved [ 5 ]
      Assignee | | Sergey Beryozkin [ sergey_beryozkin ]
      Resolution | | Fixed [ 1 ]

      Daniel Kulp made changes -
      Field | Original Value | New Value
      Status | Resolved [ 5 ] | Closed [ 6 ]

      Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
      Open to Resolved | 7d 19h 54m | 1 | Sergey Beryozkin | 27/Apr/11 16:51
      Resolved to Closed | 102d 22h 52m | 1 | Daniel Kulp | 08/Aug/11 15:43

        People

        • Assignee:
          Sergey Beryozkin
          Reporter:
          Sergey Beryozkin
        • Votes:
          0
          Watchers:
          1