Posted to issues@cxf.apache.org by "Juan Manuel CABRERA (JIRA)" <ji...@apache.org> on 2012/08/23 13:38:42 UTC

[jira] [Created] (FEDIZ-20) IDP should maintain authentication state

Juan Manuel CABRERA created FEDIZ-20:
----------------------------------------

             Summary: IDP should maintain authentication state
                 Key: FEDIZ-20
                 URL: https://issues.apache.org/jira/browse/FEDIZ-20
             Project: CXF-Fediz
          Issue Type: New Feature
          Components: IDP
    Affects Versions: 1.0.0
            Reporter: Juan Manuel CABRERA


The IDP relies on the browser to cache the end user's credentials (the classical way to work for HTTP Basic authentication).
So in the IDP there is no way to kill an end user session without killing the browser.
The IDP should maintain these credentials (or better: the proof that these credentials were checked at some point - i.e. a token).
If for instance this token is stored in the HTTP session, the IDP will then be capable of removing it from the session, effectively killing the authentication and forcing the end user to enter his credentials again.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Resolved] (FEDIZ-20) IDP should maintain authentication state

Posted by "Oliver Wulff (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/FEDIZ-20?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oliver Wulff resolved FEDIZ-20.
-------------------------------

       Resolution: Fixed
    Fix Version/s: 1.0.2
    

[jira] [Commented] (FEDIZ-20) IDP should maintain authentication state

Posted by "Oliver Wulff (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/FEDIZ-20?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13466705#comment-13466705 ] 

Oliver Wulff commented on FEDIZ-20:
-----------------------------------

The IDP first requests a token from the STS for the successful authentication. Then this token is stored in the session. For every RP (application) token it requests a new token on-behalf-of the cached token.

You can configure the cache time in the init parameter 'token.internal.lifetime'. Default 2 hours.

I've raised FEDIZ-28 to logout/terminate the session with the IDP.
                
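
The behaviour described in the comment above, as an added example that is not part of the thread and is not Fediz code: a small Python model of an IDP that keeps a token in server-side session state, derives each RP token on behalf of it, and can end the authentication by removing it. `ToyIdp`, its methods and the token dictionaries are hypothetical, and a locally built dictionary stands in for the token the real IDP obtains from the STS.

```python
import secrets
import time

TOKEN_INTERNAL_LIFETIME = 2 * 60 * 60  # seconds; mirrors the 2-hour default named above


class ReauthenticationRequired(Exception):
    """No valid cached token: the user must present credentials again."""


class ToyIdp:
    """Hypothetical model of an IDP holding authentication state server-side."""

    def __init__(self, users, lifetime=TOKEN_INTERNAL_LIFETIME, clock=time.time):
        self._users = users      # constructed credential store (plaintext for brevity)
        self._lifetime = lifetime
        self._clock = clock
        self._sessions = {}      # session id -> (idp_token, expires_at)

    def login(self, username, password):
        expected = self._users.get(username)
        if expected is None or not secrets.compare_digest(expected, password):
            raise ReauthenticationRequired("bad credentials")
        session_id = secrets.token_urlsafe(32)
        # Assumption: this dict stands in for the token requested from the STS.
        idp_token = {"subject": username, "id": secrets.token_hex(8)}
        self._sessions[session_id] = (idp_token, self._clock() + self._lifetime)
        return session_id

    def issue_rp_token(self, session_id, realm):
        entry = self._sessions.get(session_id)
        if entry is None:
            raise ReauthenticationRequired("no authentication state")
        idp_token, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[session_id]  # expired state is dropped, not reused
            raise ReauthenticationRequired("cached token expired")
        # A fresh RP token is derived on behalf of the cached token.
        return {"subject": idp_token["subject"], "audience": realm,
                "on_behalf_of": idp_token["id"], "id": secrets.token_hex(8)}

    def logout(self, session_id):
        # Removing the token ends the authentication without touching the browser.
        return self._sessions.pop(session_id, None) is not None
```
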

[jira] [Updated] (FEDIZ-20) IDP should maintain authentication state

Posted by "Juan Manuel CABRERA (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/FEDIZ-20?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Juan Manuel CABRERA updated FEDIZ-20:
-------------------------------------

    Issue Type: Improvement  (was: New Feature)
    

[jira] [Assigned] (FEDIZ-20) IDP should maintain authentication state

Posted by "Oliver Wulff (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/FEDIZ-20?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Oliver Wulff reassigned FEDIZ-20:
---------------------------------

    Assignee: Oliver Wulff
    