THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
where "auth-format" and "authentication" are aliases for "http://claims/authentication-format" and "http://claims/authentication" respectively.
Given the above example, the question is how to extract the information available in a received token (SAML/JWT) for the current request to succeed in passing through the security filter enforcing the CBAC rules.
The first and most important thing which needs to be done is to verify that an assertion Subject can be mapped to a recognized identity instance.
There is a number of ways a Subject can be validated.
If STS is asked to validate the assertion then a successful response from IDP will likely be good enough for CXF to trust the identity of the provider.
If the assertion signature is verified locally using the public key of IDP then it could a good enough confirmation too.
Alternatively, a custom validator, extending either org.apache.ws.security.validate.SamlAssertionValidator or CXF SAML SecurityContextProvider implementation can be registered with the server side SAML handler.
The latter option is preferred because not only one can validate Subject - but also ensure that a resulting SecurityContext will return a user Principal with a proper name - given that the actual Subject name available in the assertion may need to be translated to a name recognized by the local security stores or application. A combination of the assertion's Subject and AttributeStatement elements may need to be checked to establish a real name.
In cases like this you may want to register a custom SecurityContextProvider even if you have STS validating the assertion. Yet another reason is to retrieve the information about roles for a given Subject or map the assertion claims to roles for working with the RBAC to succeed, see the next section for more information.
Have a look please at this server configuration example:
Enforcing Claims authorization
Simply adding Claims annotations are per the examples above is not sufficient to enforce claims based authorization.
First we need to configure the appropriate interceptors/filters to authenticate the type of token we are interested in extracting claims from. See the JAX-RS SAML page for information on how to configure SAML, and the JAX-RS JOSE page for information on how to configure JWT.
For both SAML and JWT, once the incoming token is validated, a ClaimsSecurityContext security context will be created containing the claims contained in the token, as well as the authenticated subject and role (claims).
To enforce claims authorization, a ClaimsAuthorizingInterceptor must be set as an "inInterceptor", passing it a reference to the secured object. There is also a JAX-RS filter wrapper around ClaimsAuthorizingInterceptor available, which is called ClaimsAuthorizingFilter.
An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter (note org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter from CXF 3.3.0) is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor.
Here is an example of enforcing Claims authorization against a JWT token. BookStoreAuthn is the service object which is annotated with Claims annotations. The ClaimsAuthorizingFilter is added as a JAX-RS provider to the endpoint, wrapping the serviceBean. A JwtAuthenticationFilter instance is also added to validate the received JWT token and to set up the ClaimsSecurityContext. The rs.security.signature.in.properties property is used to verify the signature on the received token.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<bean id="serviceBeanClaimsserviceBean" class="org.apache.cxf.systest.jaxrs.security.jose.samljwt.SecureClaimBookStoreBookStoreAuthn"/> <bean id="samlEnvHandlerclaimsHandler" class="org.apache.cxf.rsjaxrs.security.saml.SamlEnvelopedInHandlerClaimsAuthorizingFilter"> <property name="securityContextProvidersecuredObject"> <bean class="org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider ref="serviceBean"/> </property> </bean> <bean id="claimsHandlerjwtAuthzFilter" class="org.apache.cxf.rs.security.samljose.authorizationjaxrs.ClaimsAuthorizingFilterJwtAuthenticationFilter"> <property name="securedObjectroleClaim" refvalue="serviceBeanClaimsrole"/> </bean> <jaxrs:server address="/saml-claims"> https://localhost:${testutil.ports.jaxrs-jwt-authn-authz}/signedjwtauthz"> <jaxrs:serviceBeans> <ref bean="serviceBeanClaimsserviceBean"/> </jaxrs:serviceBeans> <jaxrs:providers> <ref bean="samlEnvHandlerjwtAuthzFilter"/> <ref bean="claimsHandler"/> </jaxrs:providers> </jaxrs:server> |
...
<jaxrs:properties> <entry key="rs.security. |
...
signature. |
...
in.properties"
value="org/apache/cxf/systest/jaxrs/security/bob.jwk.properties"/>
</jaxrs:properties>
</jaxrs:server> |