Posted to users@cxf.apache.org by DTaylor <Da...@Merge.com> on 2012/01/18 17:53:31 UTC

Multiple STS Authentication and Authorization

Good day,

I've run into a situation where we are using CXF, but the client at this
point wants to have a multiple STS setup as follows:

STS A:  Takes a username and login, returns a SAML 1.1 token (TOKEN_A) with
a basic set of claims (username, role, given name)

STS B:  Takes TOKEN_A, and creates a new SAML 1.1 token (TOKEN_B) from it
(perhaps my phrasing here is incorrect, my apologies, I'm going directly from
the req's doc) with additional claims added (custom_claim1, custom_claim2,
custom_claim3).

Service A (SA) takes TOKEN_A as credentials, while Service B (SB) takes TOKEN_B
as credentials. From our client, we want to make a series of calls to
both SA and SB.  My questions are:

1) Is CXF capable of this in general?
2) Is CXF able to handle this case using the WSDL 2 Java generated classes
and code across the two services and two STSs?
3) For custom / manual security code, if I've retrieved a security token,
TOKEN_A, using one STSClient instance, do I retrieve TOKEN_B utilizing a new
STSClient instance and the method:
requestSecurityToken(String appliesTo, String action, String requestType,
SecurityToken target)?

Thanks,

Dan.

--
View this message in context: http://cxf.547215.n5.nabble.com/Multiple-STS-Authentication-and-Authorization-tp5155338p5155338.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: AW: AW: AW: Multiple STS Authentication and Authorization

Posted by DTaylor <Da...@Merge.com>.
Hi Oliver,

My apologies I was pulled into other duties.  I will take a look at your
proposal as soon as I can find it.

Thanks,
Dan


AW: AW: AW: Multiple STS Authentication and Authorization

Posted by Oliver Wulff <ow...@talend.com>.
Hi Dan

I'll make a proposal in the dev list about the extension for claims and/or identity mapping for the STS.

Looking forward to your feedback.

Thanks
Oli

------

Oliver Wulff

http://owulff.blogspot.com
Solution Architect
Talend Application Integration Division http://www.talend.com

________________________________________
From: DTaylor [Dan.Taylor@Merge.com]
Sent: Wednesday, 18 January 2012 21:26
To: users@cxf.apache.org
Subject: Re: AW: AW: Multiple STS Authentication and Authorization

Re: AW: AW: Multiple STS Authentication and Authorization

Posted by DTaylor <Da...@Merge.com>.
Hi Oliver,

Sorry I thought I'd answered.

We are talking initially about the identity mapping, and in a later
application the claims transformation scenario.  In terms of the time frame,
if I can get a workaround in place, then somewhere in the vicinity of 1 - 2
months I believe.  Otherwise closer to 1 month.

Thank you for the link by the way, I will look into it now.

Thanks,

Dan.


AW: AW: Multiple STS Authentication and Authorization

Posted by Oliver Wulff <ow...@talend.com>.
Hi Dan

If you do it manually, you will lose the token caching functionality. Maybe as a starting point have a look at the following class:
http://svn.apache.org/viewvc/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/policy/interceptors/IssuedTokenInterceptorProvider.java?view=markup

The following lines show how to set the security token:

    message.put(SecurityConstants.TOKEN_ID, tok.getId());
    }
    getTokenStore(message).add(tok);

What timelines do you have?

As asked before, do we talk about identity mapping or claims transformation?

Thanks



------

Oliver Wulff

http://owulff.blogspot.com
Solution Architect
Talend Application Integration Division http://www.talend.com

________________________________________
From: DTaylor [Dan.Taylor@Merge.com]
Sent: Wednesday, 18 January 2012 20:14
To: users@cxf.apache.org
Subject: Re: AW: Multiple STS Authentication and Authorization

Re: AW: Multiple STS Authentication and Authorization

Posted by DTaylor <Da...@Merge.com>.
Hi Oli,

Thanks for your response.  The item you specified with your JIRA issue
CXF-3520 is pretty much the exact scenario we will require for future
service implementations.

Is there a way to do the work described in CXF-3520 manually and
(relatively) easily using the STSClient class, or is it more a matter of
constructing our own request to the second STS at the moment?

Also, the ClaimsSecurityContext enhancement would also be of great help to
us as well with future plans.

Thanks again,

Dan.



AW: Multiple STS Authentication and Authorization

Posted by Oliver Wulff <ow...@talend.com>.
Hi Dan

I do have a very similar scenario. Just to double check:
- there are two security domains/realms in this use case
- does a person have an identity in both security domains, which means that when the STS issues TOKEN_B it must first map the identity (see STS IdentityMapper) and then retrieve the claims for this identity,
OR
does the person have an identity in one security domain and you map, for instance, the roles of TOKEN_A to the required claims (claims transformation)?

Unfortunately, this setup is not yet fully implemented. The CXF STS already supports mapping identities and writing a custom claims handler, or using the LdapClaimsHandler as described here:
http://owulff.blogspot.com/2011/10/configure-ldap-directory-for-cxf-sts.html

Maybe the following blog might be of interest to you too:
http://coheigea.blogspot.com/2011/11/apache-cxf-sts-documentation-part-x.html

Claims transformation is not yet supported in the CXF STS but already raised here:
https://issues.apache.org/jira/browse/CXF-3882

A CXF client doesn't yet send a request to more than one STS. I've raised this here:
https://issues.apache.org/jira/browse/CXF-3520

The idea is that the WS-SecurityPolicy definition of the service provider defines in the IssuedToken policy where its trusted STS (security domain B) is deployed. The CXF client has also configured the STSClient bean, which defines the location of its STS (security domain A). If the STS URLs differ (when calling service B), the CXF client should first go to STS A and get TOKEN_A, and then send this token to STS B to get TOKEN_B, which is sent to the service. Does that make sense to you?

I've also raised an enhancement to parse the claims information in the SAML token and add it to a ClaimsSecurityContext here:
https://issues.apache.org/jira/browse/CXF-3522

Of course, you can access the SAML token also directly in your code.

Thanks
Oli


------

Oliver Wulff

http://owulff.blogspot.com
Solution Architect
Talend Application Integration Division http://www.talend.com

________________________________________
From: DTaylor [Dan.Taylor@Merge.com]
Sent: Wednesday, 18 January 2012 17:53
To: users@cxf.apache.org
Subject: Multiple STS Authentication and Authorization
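The two-hop flow Oli describes (client goes to STS A for TOKEN_A, then hands it to STS B for TOKEN_B) and Dan's question 3 about doing it with two STSClient instances, as an added example that is not code from this thread or from the CXF project itself. It assumes STS B accepts TOKEN_A in the WS-Trust OnBehalfOf element (which STSClient.setOnBehalfOf() sets on the request); all addresses, QNames, the username and the callback handler class are placeholders. Because the manual route bypasses the IssuedToken interceptor, which is the caching loss Oli points out, the example adds both tokens to a TokenStore itself.

```java
import javax.xml.ws.BindingProvider;
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.tokenstore.MemoryTokenStore;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.cxf.ws.security.tokenstore.TokenStore;
import org.apache.cxf.ws.security.trust.STSClient;

public class TwoStsTokenClient {
    // WS-Trust TokenType URI for a SAML 1.1 assertion, requested from both STSs
    private static final String SAML11 =
        "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1";

    // One STSClient per STS. WSDL location and QNames are placeholders; the
    // signature/encryption properties needed to trust each STS are omitted.
    private static STSClient stsClient(Bus bus, String wsdl, String ns) {
        STSClient client = new STSClient(bus);
        client.setWsdlLocation(wsdl);
        client.setServiceName("{" + ns + "}SecurityTokenService");
        client.setEndpointName("{" + ns + "}STS_Port");
        client.setTokenType(SAML11);
        return client;
    }

    public static void main(String[] args) throws Exception {
        Bus bus = BusFactory.getDefaultBus();
        TokenStore store = new MemoryTokenStore();
        // Hop 1: STS A authenticates the user and issues TOKEN_A (basic claims).
        STSClient stsA = stsClient(bus, "https://sts-a.example/sts?wsdl", "http://sts-a.example/");
        stsA.getProperties().put(SecurityConstants.USERNAME, "alice");          // placeholder
        stsA.getProperties().put(SecurityConstants.CALLBACK_HANDLER,
                                 "com.example.PasswordCallbackHandler");        // placeholder
        SecurityToken tokenA = stsA.requestSecurityToken("https://service-a.example/");
        // Hop 2: TOKEN_A goes to STS B in the OnBehalfOf element of the RST;
        // STS B issues TOKEN_B carrying the additional claims.
        STSClient stsB = stsClient(bus, "https://sts-b.example/sts?wsdl", "http://sts-b.example/");
        stsB.setOnBehalfOf(tokenA.getToken());   // the SAML assertion Element of TOKEN_A
        SecurityToken tokenB = stsB.requestSecurityToken("https://service-b.example/");
        // Manual retrieval bypasses the IssuedToken interceptor's caching, so
        // cache both tokens yourself (cf. getTokenStore(message).add(tok) above).
        store.add(tokenA);
        store.add(tokenB);
    }

    // Hand a cached token to a JAX-WS proxy (SA gets TOKEN_A, SB gets TOKEN_B);
    // the WS-Security interceptors then use it instead of contacting an STS.
    static void useToken(Object port, SecurityToken tok) {
        ((BindingProvider) port).getRequestContext().put(SecurityConstants.TOKEN, tok);
        ((BindingProvider) port).getRequestContext().put(SecurityConstants.TOKEN_ID, tok.getId());
    }
}
```

Token lifetime is still yours to watch on this path: check SecurityToken.isExpired() before reusing a cached token, since nothing renews it for you.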