Posted to users@cxf.apache.org by "ermanno.travaglino" <er...@gmail.com> on 2012/04/13 12:24:32 UTC

Enable/Disable STS Authentication

Hi everybody,
I use
http://owulff.blogspot.it/2011/11/configure-tomcat-for-federation-part.html
Federation plugin in my app, and the STS authentication works great. In my
web.xml I've, in addition to the FederationFilter, other kinds of filters for
different authentication schema, like HTTP basic (with a login.jsp page).
I've a configuration file from which I take the authentication type, then in
every filter I can check this and "disable" the filter if it doesn't match. So,
I observed that the problem is in web.xml, because it contains the
security-constraint "Protected Area". This implies that even if it is of
basic authentication, the browser still redirects the client to the STS, and
after authentication the login.jsp page appears. I hope I have expressed
my problem well.


thanks in advance,

Ermanno

--
View this message in context: http://cxf.547215.n5.nabble.com/Enable-Disable-STS-Authentication-tp5637879p5637879.html
Sent from the cxf-user mailing list archive at Nabble.com.

AW: AW: AW: AW: AW: Enable/Disable STS Authentication

Posted by Oliver Wulff <ow...@talend.com>.
I proposed a roadmap here:
http://cxf.547215.n5.nabble.com/Roadmap-for-fediz-in-sandbox-td5603441.html

If you would like to see support for other containers, let us know.

Thanks


------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: ermanno.travaglino [ermanno.travaglino@gmail.com]
Sent: Monday, 16 April 2012 13:46
To: users@cxf.apache.org
Subject: Re: AW: AW: AW: AW: Enable/Disable STS Authentication

Hi all,
The reason I need this differentiation is that there are several
authentication schemes and so, for some of them, I don't need an IdP / STS.
I also have another problem and that is to be bound by Tomcat because of the
valve.

Ermanno


Re: AW: AW: AW: AW: Enable/Disable STS Authentication

Posted by "ermanno.travaglino" <er...@gmail.com>.
Hi all,
The reason I need this differentiation is that there are several
authentication schemes and so, for some of them, I don't need an IdP / STS.
I also have another problem and that is to be bound by Tomcat because of the
valve.

Ermanno


AW: AW: AW: AW: Enable/Disable STS Authentication

Posted by Oliver Wulff <ow...@talend.com>.
Hi Ermanno

No, you can't, because the servlet filter is called at the time when authentication has successfully passed. The only option might be to write a custom Authenticator and make the decision there which authenticator should be used.

Could you share with us the reason for having this differentiation in the application instead of the IDP?

Thanks



------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: ermanno.travaglino [ermanno.travaglino@gmail.com]
Sent: Saturday, 14 April 2012 16:48
To: users@cxf.apache.org
Subject: Re: AW: AW: AW: Enable/Disable STS Authentication

Is it possible to "implement" FederationAuthenticator app-side as a Filter to
give (me) the possibility to configure authentication type, and so
enable/disable STS authentication?

Thanks,

Ermanno


Re: AW: AW: AW: Enable/Disable STS Authentication

Posted by "ermanno.travaglino" <er...@gmail.com>.
Is it possible to "implement" FederationAuthenticator app-side as a Filter to
give (me) the possibility to configure authentication type, and so
enable/disable STS authentication?

Thanks,

Ermanno


Re: AW: AW: AW: Enable/Disable STS Authentication

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Oli
On 13/04/12 16:15, Oliver Wulff wrote:
> What is the trigger/criteria to decide to do form-based or STS authentication?
>
That will be easier to manage for CXF-based filters once that is 
supported in later Fediz releases

Cheers, Sergey
>
>
> ------
>
> Oliver Wulff
>
> Blog: http://owulff.blogspot.com
> Solution Architect
> http://coders.talend.com
>
> Talend Application Integration Division http://www.talend.com
>
> ________________________________________
> From: ermanno.travaglino [ermanno.travaglino@gmail.com]
> Sent: Friday, 13 April 2012 16:53
> To: users@cxf.apache.org
> Subject: Re: AW: AW: Enable/Disable STS Authentication
>
> Well, we say that the security-constraint remains so. It would be nice to
> have a single login page (login.jsp) and according to the present
> configuration authenticate the client with form (basic) or with STS. Is it
> possible?
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: AW: AW: AW: Enable/Disable STS Authentication

Posted by "ermanno.travaglino" <er...@gmail.com>.
There is a configuration file where my app takes the user settings. 


AW: AW: AW: Enable/Disable STS Authentication

Posted by Oliver Wulff <ow...@talend.com>.
What is the trigger/criteria to decide to do form-based or STS authentication?



------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com

________________________________________
From: ermanno.travaglino [ermanno.travaglino@gmail.com]
Sent: Friday, 13 April 2012 16:53
To: users@cxf.apache.org
Subject: Re: AW: AW: Enable/Disable STS Authentication

Well, we say that the security-constraint remains so. It would be nice to
have a single login page (login.jsp) and according to the present
configuration authenticate the client with form (basic) or with STS. Is it
possible?


Re: AW: AW: Enable/Disable STS Authentication

Posted by "ermanno.travaglino" <er...@gmail.com>.
Well, we say that the security-constraint remains so. It would be nice to
have a single login page (login.jsp) and according to the present
configuration authenticate the client with form (basic) or with STS. Is it
possible? 


AW: AW: Enable/Disable STS Authentication

Posted by Oliver Wulff <ow...@talend.com>.
You need the security constraint to trigger any kind of authentication mechanism (basic auth, form based or STS).

Would you be happy if the IDP/STS could support form based authentication as well thus your application has to care about federation only?

The reason I ask is that a workaround (if possible) might be a little bit hacky...

What are your criteria to use either the IDP/STS or FORM based authentication?


________________________________________
From: ermanno.travaglino [ermanno.travaglino@gmail.com]
Sent: Friday, 13 April 2012 14:41
To: users@cxf.apache.org
Subject: Re: AW: Enable/Disable STS Authentication

You hit the mark! But for now, I'd like to be able to exclude or include the STS
approach. Perhaps the problem is related to security-constraint in the
web.xml. Furthermore, if I take off this configuration the other "filters"
(authentication schema) work, but as you can imagine STS authentication
doesn't work, and the client is redirected to the index.jsp without any kind
of authentication.
Is there a solution for this problem?

Ermanno


Re: AW: Enable/Disable STS Authentication

Posted by "ermanno.travaglino" <er...@gmail.com>.
You hit the mark! But for now, I'd like to be able to exclude or include the STS
approach. Perhaps the problem is related to security-constraint in the
web.xml. Furthermore, if I take off this configuration the other "filters"
(authentication schema) work, but as you can imagine STS authentication
doesn't work, and the client is redirected to the index.jsp without any kind
of authentication.
Is there a solution for this problem?

Ermanno


AW: Enable/Disable STS Authentication

Posted by Oliver Wulff <ow...@talend.com>.
Hi Ermanno

For clarification reasons, you mentioned FederationFilter. Do you mean the FederationServlet which is configured in web.xml or the FederationAuthenticator which is configured in servlet/context.xml?

I think I know what you mean. You would like to control the authentication type (basic auth, form based, certificates, ...) within your application. This is a meaningful requirement to provide different options. One of the rationales of Federation for Web Applications is to externalize the authentication completely, which means that the application doesn't have to deal with different kinds of authentication, as you would have to implement that in all your applications. The authentication is externalized to the IDP and STS. If you would like to support form based authentication, I'd recommend adding it in the IDP.

If you need control in your web application to enforce a certain authentication type, the WS-Federation spec defines the "wauth" parameter which allows an application to tell the IDP. I'm working on some extensions for the federation plugin where you can configure the wauth parameter or configure a CallbackHandler implementation which can figure out the wauth value at runtime based on the incoming request. This should be done by the end of next week.

Support for wauth for the IDP must be done also.

Does this approach make sense to you?

HTH

------

Oliver Wulff

Blog: http://owulff.blogspot.com
Solution Architect
http://coders.talend.com

Talend Application Integration Division http://www.talend.com
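
The "wauth" approach described in the message above, as an added example that is not part of the original thread and not code from the federation plugin: a relying party builds its WS-Federation sign-in redirect and adds a wauth value chosen from its own configuration setting. The class name, the configuration keys ("form", "cert"), the wauth URIs, the IDP URL and the realm are all assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Builds a WS-Federation passive sign-in redirect carrying a wauth hint. */
public class WauthSignInUrl {

    // Constructed placeholder URIs: the wauth values an IDP accepts are
    // deployment-specific and must be agreed with the IDP operator.
    private static final Map<String, String> WAUTH_BY_CONFIG = Map.of(
        "form", "urn:example:authn:form",
        "cert", "urn:example:authn:x509");

    /**
     * @param authType setting read from the application's configuration file
     *                 (hypothetical keys); null means "let the IDP decide"
     */
    public static String build(String idpUrl, String realm, String replyUrl,
                               String authType) {
        Map<String, String> params = new LinkedHashMap<>();
        params.put("wa", "wsignin1.0");   // WS-Federation sign-in action
        params.put("wtrealm", realm);     // identifies this relying party
        params.put("wreply", replyUrl);   // where the IDP sends the response
        if (authType != null) {
            String wauth = WAUTH_BY_CONFIG.get(authType);
            if (wauth == null) {
                // Fail closed: an unknown setting must not silently fall
                // back to whatever the IDP does by default.
                throw new IllegalArgumentException(
                    "Unsupported authentication type: " + authType);
            }
            params.put("wauth", wauth);
        }
        StringBuilder url = new StringBuilder(idpUrl);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            url.append(sep).append(e.getKey()).append('=')
               .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return url.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values for a test deployment.
        System.out.println(build("https://idp.example.org/federation",
            "urn:example:rp:myapp", "https://app.example.org/myapp/", "form"));
    }
}
```

As the message notes, the IDP must also support wauth, so sending the parameter does not by itself guarantee which authentication method was used.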

________________________________________
From: ermanno.travaglino [ermanno.travaglino@gmail.com]
Sent: Friday, 13 April 2012 12:24
To: users@cxf.apache.org
Subject: Enable/Disable STS Authentication

Hi everybody,
I use
http://owulff.blogspot.it/2011/11/configure-tomcat-for-federation-part.html
Federation plugin in my app, and the STS authentication works great. In my
web.xml I've, in addition to the FederationFilter, other kinds of filters for
different authentication schema, like HTTP basic (with a login.jsp page).
I've a configuration file from which I take the authentication type, then in
every filter I can check this and "disable" the filter if it doesn't match. So,
I observed that the problem is in web.xml, because it contains the
security-constraint "Protected Area". This implies that even if it is of
basic authentication, the browser still redirects the client to the STS, and
after authentication the login.jsp page appears. I hope I have expressed
my problem well.


thanks in advance,

Ermanno
