...

We could simply detect what information is provided and configure the CallbackHandlers for each piece of information we can supply. Depending on when the login should happen, we could collect CallbackHandlers in the Message using Interceptors.

JAAS configuration

The JAAS configuration is supplied differently depending on the runtime CXF runs in.

...

  1. different classes like a UserPrincipal or RolePrincipal. Unfortunately there are no standard interfaces. There seems to be a Group interface which allows differentiating between users and groups and also allows seeing group members.
  2. prefixes. So for example roles start with role-. Again there is no standard for this approach.
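Both ways of marking roles in a Subject can be handled by the same small extractor. The following is an added example, not code from the CXF project; the UserPrincipal, RolePrincipal and NamedPrincipal classes are stand-ins for whatever principal classes a given runtime puts into the Subject, and the "role-" prefix is the one named above.

```java
import java.security.Principal;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.security.auth.Subject;

/** Stand-in for a runtime's dedicated role principal class (assumption). */
class RolePrincipal implements Principal {
    private final String name;
    RolePrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** Stand-in for a runtime's user principal class (assumption). */
class UserPrincipal implements Principal {
    private final String name;
    UserPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

/** Generic principal for runtimes that encode the kind of principal in its name, e.g. "role-admin". */
class NamedPrincipal implements Principal {
    private final String name;
    NamedPrincipal(String name) { this.name = name; }
    public String getName() { return name; }
}

public class RoleExtractor {

    /** Strategy 1: roles are the principals of a dedicated class. */
    static Set<String> rolesByClass(Subject subject, Class<? extends Principal> roleClass) {
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : subject.getPrincipals(roleClass)) {
            roles.add(p.getName());
        }
        return roles;
    }

    /** Strategy 2: roles are the principals whose name starts with a prefix; the prefix is stripped. */
    static Set<String> rolesByPrefix(Subject subject, String prefix) {
        Set<String> roles = new LinkedHashSet<>();
        for (Principal p : subject.getPrincipals()) {
            String n = p.getName();
            if (n != null && n.startsWith(prefix)) {
                roles.add(n.substring(prefix.length()));
            }
        }
        return roles;
    }

    public static void main(String[] args) {
        // Constructed subject in the "dedicated class" style
        Subject byClass = new Subject();
        byClass.getPrincipals().add(new UserPrincipal("alice"));
        byClass.getPrincipals().add(new RolePrincipal("admin"));
        byClass.getPrincipals().add(new RolePrincipal("ops"));
        System.out.println("by class:  " + rolesByClass(byClass, RolePrincipal.class));

        // Constructed subject in the "prefix" style; the plain user name is not mistaken for a role
        Subject byPrefix = new Subject();
        byPrefix.getPrincipals().add(new NamedPrincipal("alice"));
        byPrefix.getPrincipals().add(new NamedPrincipal("role-admin"));
        System.out.println("by prefix: " + rolesByPrefix(byPrefix, "role-"));
    }
}
```

Which strategy applies is a deployment property of the runtime that performed the login, so it should be configuration on the CXF side rather than something guessed per request; a wrong guess silently yields an empty role set and every authorization check fails closed, which is the safer of the two failure modes.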

Authorization

Authorization has very diverse requirements. So we need to make sure we integrate well with different approaches.

...

Karaf 3 already supports authorization on the OSGi service level and uses JAAS for authentication. So if we do a JAAS login in CXF and the service implementation code calls an OSGi service, the Karaf role-based security should already work out of the box.

Exception handling and answer generation

Currently the authentication and authorization modules often also generate the answer to the caller. It might be a good idea to decouple this.

In authentication and authorization we only throw a defined exception:

  • Failure at authentication: javax.security.auth.login.LoginException; this could also be more specific, like AccountLockedException
  • Failure at Authorization: org.apache.cxf.interceptor.security.AccessDeniedException or java.security.AccessControlException

Then in the transport (for example the HTTP transport) we map the exception to the defined status code and HTTP response:

  • LoginException: HTTP code 401
  • AccessDeniedException, AccessControlException: HTTP code 403
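The mapping above, written as a transport-side helper that knows nothing about how the exception was produced. This is an added example, not CXF code: the local AccessDeniedException class is a stand-in for org.apache.cxf.interceptor.security.AccessDeniedException so the file compiles without CXF on the classpath, and the cause-chain walk assumes the security exception may arrive wrapped in another exception (as a CXF Fault would wrap it).

```java
import java.security.AccessControlException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.LoginException;

/** Stand-in for org.apache.cxf.interceptor.security.AccessDeniedException (assumption, so no CXF jar is needed). */
class AccessDeniedException extends SecurityException {
    AccessDeniedException(String msg) { super(msg); }
}

public class SecurityStatusMapper {
    static final int UNAUTHORIZED = 401;
    static final int FORBIDDEN = 403;
    static final int INTERNAL_ERROR = 500;

    /** Walk the cause chain and map the first security exception found; anything else is a server error. */
    static int statusFor(Throwable t) {
        for (Throwable cur = t; cur != null; cur = cur.getCause()) {
            if (cur instanceof LoginException) {                 // also covers AccountLockedException etc.
                return UNAUTHORIZED;
            }
            if (cur instanceof AccessDeniedException || cur instanceof AccessControlException) {
                return FORBIDDEN;
            }
        }
        return INTERNAL_ERROR;
    }

    /** Headers for the response; a 401 must tell the client how to authenticate (WWW-Authenticate). */
    static Map<String, String> headersFor(int status, String realm) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (status == UNAUTHORIZED) {
            headers.put("WWW-Authenticate", "Basic realm=\"" + realm + "\"");
        }
        return headers;
    }

    /** Body for the response: a fixed phrase, never the exception message, so no account state leaks to the caller. */
    static String bodyFor(int status) {
        switch (status) {
            case UNAUTHORIZED: return "Authentication required";
            case FORBIDDEN:    return "Access denied";
            default:           return "Internal server error";
        }
    }

    static void show(Throwable t) {
        int status = statusFor(t);
        System.out.println(t.getClass().getSimpleName() + " -> " + status + " "
                + headersFor(status, "cxf") + " \"" + bodyFor(status) + "\"");
    }

    public static void main(String[] args) {
        // Constructed failures: a wrapped specific login failure, a direct authorization failure, an unrelated error
        show(new RuntimeException("fault", new AccountLockedException("account locked")));
        show(new AccessControlException("missing role"));
        show(new AccessDeniedException("not allowed"));
        show(new IllegalStateException("unrelated"));
    }
}
```

Keeping the body generic matters for the more specific exceptions the text mentions: an AccountLockedException message that reaches the caller reveals that the account exists and is locked, which the 401 alone does not.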

Karaf integration

Ideally we should integrate the new authentication / authorization model in a way that enables the user to switch on authentication for the Karaf server without specific configuration in the user bundles that implement the services.

...

Doing a full JAAS login requires using Subject.doAs to populate the AccessControlContext. This is not possible in a CXF interceptor, as the interceptor only works on a message but cannot call the next interceptor from inside doAs. So the question is where to do the JAAS login and the doAs.
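The two pieces discussed on this page, a CallbackHandler that answers only the callbacks the message information can satisfy, and the login followed by Subject.doAs, fit together as follows. This is an added example and not CXF or Karaf code: MessageCredentials stands in for whatever an interceptor extracted from the message, the LoginModule and its single in-memory user are constructed for the example, and the JAAS configuration is supplied programmatically instead of from the runtime's login configuration.

```java
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

/** Credentials extracted from the message (constructed here; an interceptor would fill this from the request). */
class MessageCredentials {
    final String user; final char[] password;
    MessageCredentials(String user, char[] password) { this.user = user; this.password = password; }
}

/** Answers only the callbacks the message information can satisfy; anything else is reported as unsupported. */
class MessageCallbackHandler implements CallbackHandler {
    private final MessageCredentials creds;
    MessageCallbackHandler(MessageCredentials creds) { this.creds = creds; }
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback && creds.user != null) {
                ((NameCallback) cb).setName(creds.user);
            } else if (cb instanceof PasswordCallback && creds.password != null) {
                ((PasswordCallback) cb).setPassword(creds.password);
            } else {
                throw new UnsupportedCallbackException(cb, "not available from the message");
            }
        }
    }
}

/** Minimal LoginModule with one constructed user; a real deployment uses the runtime's own modules. */
public class JaasDoAsExample implements LoginModule {
    private static final Map<String, char[]> USERS = Collections.singletonMap("alice", "s3cret".toCharArray());
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }
    private Subject subject; private CallbackHandler handler; private String user;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("user: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new FailedLoginException("credentials not supplied: " + e.getMessage());
        }
        char[] expected = USERS.get(nc.getName());
        char[] given = pc.getPassword();
        // Constant-time comparison; a missing user takes the same path as a wrong password
        boolean ok = expected != null && given != null
                && MessageDigest.isEqual(new String(expected).getBytes(), new String(given).getBytes());
        pc.clearPassword();
        if (!ok) throw new FailedLoginException("bad user or password");
        user = nc.getName();
        return true;
    }
    public boolean commit() { if (user == null) return false; subject.getPrincipals().add(new SimplePrincipal(user)); return true; }
    public boolean abort()  { user = null; return true; }
    public boolean logout() { subject.getPrincipals().clear(); return true; }

    /** Programmatic JAAS configuration naming this module as REQUIRED for application name "cxf". */
    static Configuration inlineConfig() {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(JaasDoAsExample.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        };
    }

    public static void main(String[] args) throws Exception {
        MessageCredentials creds = new MessageCredentials("alice", "s3cret".toCharArray()); // constructed
        LoginContext lc = new LoginContext("cxf", null, new MessageCallbackHandler(creds), inlineConfig());
        lc.login();                       // LoginException here is what the transport maps to 401
        Subject subject = lc.getSubject();
        // The service invocation has to run inside doAs so the Subject is on the AccessControlContext
        String result = Subject.doAs(subject, (PrivilegedAction<String>) () -> {
            Subject current = Subject.getSubject(AccessController.getContext());
            return "invoked as " + current.getPrincipals().iterator().next().getName();
        });
        System.out.println(result);
        lc.logout();
    }
}
```

The lambda passed to doAs is the place that would have to call the rest of the interceptor chain, which is exactly the constraint described above: whatever component owns the invocation of the next interceptor is the one that can wrap it in doAs. The Subject.getSubject(AccessControlContext) lookup matches the Java 6 reference linked below; on Java 18 and later Subject.current() is the replacement.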

http://docs.oracle.com/javase/6/docs/technotes/guides/security/jaas/JAASRefGuide.html