Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2015/04/16 10:54:00 UTC

[jira] [Resolved] (FEDIZ-23) Support different authentication mechanism

     [ https://issues.apache.org/jira/browse/FEDIZ-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved FEDIZ-23.
--------------------------------------
    Resolution: Fixed

> Support different authentication mechanism
> ------------------------------------------
>
>                 Key: FEDIZ-23
>                 URL: https://issues.apache.org/jira/browse/FEDIZ-23
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP
>    Affects Versions: 1.0.0
>            Reporter: Oliver Wulff
>            Assignee: Colm O hEigeartaigh
>             Fix For: 1.2.0
>
>
> The IDP only supports basic authentication in the current setup.
> The IDP should introduce an interface to plug in a custom authentication mechanism.
> By default, implementations for the following mechanisms should be provided out of the box:
> - form based
> - certificate
> The authentication mechanism is chosen based on the wauth parameter passed in the signin request. If this parameter is missing, the configured default is used.
> The following configuration snippet illustrates the idea. The FederationEntryPoint (already implemented but not yet used) reads the wauth parameter and figures out the URL which is protected by the appropriate authentication protocol. IDPs use different wauth values for the same authentication protocol, and the IDP configuration allows configuring more than one wauth value for the same authentication protocol.
> {code}
> String loginUri = idpConfig.getAuthenticationURIs().get(wauth);
> {code}
> After the redirect, the entrypoint of a specific http element configuration does the further processing.
> {code}
>     <security:http pattern="/federation/" auto-config="false" use-expressions="true"
>         entry-point-ref="federationEntryPoint">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
>     </security:http>
>     <!-- Implemented but not yet used. Redirects to a dedicated http config. -->
>     <!-- Then the entrypoint of username/password (/federation/up), kerberos (/federation/krb), certificate (/federation/cert), ... does the further processing. -->
>     <bean id="federationEntryPoint" class="org.apache.cxf.fediz.service.idp.FederationEntryPoint" />
>     <security:http pattern="/federation/krb" auto-config="false" use-expressions="true"
>         entry-point-ref="kerberosEntryPoint">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
>         <security:custom-filter ref="kerberosAuthenticationProcessingFilter" position="BASIC_AUTH_FILTER" />
>     </security:http>
>     <bean id="kerberosEntryPoint"
>           class="org.apache.cxf.fediz.service.idp.kerberos.KerberosEntryPoint" />
>     <security:http pattern="/federation/up" auto-config="false" use-expressions="true" entry-point-ref="">
>         <security:custom-filter after="CHANNEL_FILTER" ref="stsPortFilter" />
>         <security:custom-filter after="SERVLET_API_SUPPORT_FILTER" ref="entitlementsEnricher" />
>         <security:intercept-url pattern="/FederationMetadata/2007-06/FederationMetadata.xml" access="isAnonymous() or isAuthenticated()" />
>         <!-- MUST be http-basic thus systests run fine -->
>         <security:http-basic />
>         <!--<security:form-login />-->
>     </security:http>
> {code}
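The dispatch described in the issue (wauth value in the sign-in request selects a login URI, missing wauth falls back to the configured default, several wauth values may map to one protocol) as an added, self-contained Java example. This is not Fediz's FederationEntryPoint or any other project code; the class name WauthDispatcher, the Map-based configuration and the sample wauth values (taken from the WS-Federation authentication-type URI list) are assumptions made for illustration. Unlike a plain map lookup, it treats an unknown wauth value as a rejection rather than silently falling back to the default, and only ever returns a path configured on the IDP, so a crafted wauth value cannot steer the redirect anywhere but a known local login endpoint.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Hypothetical resolver that maps the wauth parameter of a WS-Federation
 * sign-in request to one of the IDP's configured login URIs.
 * Added example only; not the Fediz FederationEntryPoint.
 */
public final class WauthDispatcher {

    /** Immutable copy of the configured wauth -> login URI map. */
    private final Map<String, String> authenticationUris;

    /** Login URI used when the sign-in request carries no wauth parameter. */
    private final String defaultUri;

    public WauthDispatcher(Map<String, String> authenticationUris, String defaultUri) {
        for (String uri : authenticationUris.values()) {
            requireLocalPath(uri);
        }
        requireLocalPath(defaultUri);
        this.authenticationUris = Map.copyOf(authenticationUris);
        this.defaultUri = defaultUri;
    }

    /**
     * Resolves the login URI for a sign-in request.
     *  - null or blank wauth: the configured default is used
     *  - known wauth: the configured URI for that authentication type
     *  - unknown wauth: empty, so the caller can answer with an error instead
     *    of guessing a mechanism the requester did not ask for
     */
    public Optional<String> resolve(String wauth) {
        if (wauth == null || wauth.isBlank()) {
            return Optional.of(defaultUri);
        }
        return Optional.ofNullable(authenticationUris.get(wauth));
    }

    /** Configured targets must be site-local paths, never absolute or protocol-relative URLs. */
    private static void requireLocalPath(String uri) {
        if (uri == null || !uri.startsWith("/") || uri.startsWith("//")) {
            throw new IllegalArgumentException("login URI must be a local path: " + uri);
        }
    }

    public static void main(String[] args) {
        // Constructed sample configuration: more than one wauth value per protocol,
        // mirroring the /federation/up, /federation/krb and /federation/cert
        // endpoints from the issue's Spring Security snippet.
        Map<String, String> uris = new HashMap<>();
        uris.put("urn:oasis:names:tc:SAML:1.0:am:password", "/federation/up");
        uris.put("urn:oasis:names:tc:SAML:1.0:am:unspecified", "/federation/up");
        uris.put("urn:ietf:rfc:1510", "/federation/krb");   // Kerberos
        uris.put("urn:ietf:rfc:2246", "/federation/cert");  // TLS client certificate

        WauthDispatcher dispatcher = new WauthDispatcher(uris, "/federation/up");

        System.out.println("no wauth      -> " + dispatcher.resolve(null).orElse("REJECT"));
        System.out.println("kerberos      -> " + dispatcher.resolve("urn:ietf:rfc:1510").orElse("REJECT"));
        System.out.println("unknown value -> " + dispatcher.resolve("urn:example:bogus").orElse("REJECT"));
    }
}
```

The constructor validates every configured target once at startup, so a misconfigured map cannot turn the entry point into a redirector to another host; the per-request path only ever does a lookup and never builds a URI from request data.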



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)