Claims Based Access Control

CXF JAX-RS supports fine-grained Claims Based Access Control (CBAC), based on the Claim and Claims annotations and the ClaimMode enum class, using claims extracted from SAML Assertions. Please see the JAX-RS Claims page for more information.

Role Based Access Control

If you have an existing RBAC system in place (based on javax.annotation.security.RolesAllowed or even org.springframework.security.annotation.Secured annotations) and have SAML assertions with claims that are known to represent roles, then making those claims work with the RBAC system is straightforward.

For example, given this code:

...

import javax.ws.rs.POST;
import javax.ws.rs.Path;
import org.springframework.security.annotation.Secured;

@Path("/bookstore")
public class SecureBookStore {

    // Only callers holding the "admin" role may add books
    @POST
    @Secured("admin")
    public Book addBook(Book book) {
        return book;
    }
}

where @Secured can be replaced with @RolesAllowed if needed, the following configuration will do it:

...

<bean id="serviceBeanRoles" class="org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore"/>

<!-- Validates the enveloped SAML assertion and builds the SecurityContext (roles) from it -->
<bean id="samlEnvHandler" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler">
    <property name="securityContextProvider">
        <bean class="org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider"/>
    </property>
</bean>

<!-- Reads the role annotations on the secured object; securedObject must point at the service bean above -->
<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
    <property name="securedObject" ref="serviceBeanRoles"/>
    <property name="annotationClassName"
              value="org.springframework.security.annotation.Secured"/>
</bean>

<!-- JAX-RS filter that delegates the authorization decision to the interceptor -->
<bean id="rolesHandler" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
    <property name="interceptor" ref="authorizationInterceptor"/>
</bean>

<jaxrs:server address="/saml-roles">
  <jaxrs:serviceBeans>
     <ref bean="serviceBeanRoles"/>
  </jaxrs:serviceBeans>
  <jaxrs:providers>
      <ref bean="samlEnvHandler"/>
      <ref bean="rolesHandler"/>
  </jaxrs:providers>

  <!-- If default role qualifier and format are not supported:

  <jaxrs:properties>
     <entry key="org.apache.cxf.saml.claims.role.nameformat"
                value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
     <entry key="org.apache.cxf.saml.claims.role.qualifier"
                value="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"/>
  </jaxrs:properties>
  -->
</jaxrs:server>

That is all that is needed. Note that, to help the default SAML SecurityContextProvider figure out which claims are roles, the two properties can be set as shown above; this is not needed if the claims identifying roles are known to have the default NameFormat and Name values, which at the moment are "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" respectively.
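An added illustration (not code from the CXF project) of what the configuration above relies on: role claims are picked out of the assertion by their Name and NameFormat, and the resulting roles are matched against the ones a method declares. It uses plain JAXP and javax.annotation.security.RolesAllowed, assumes the assertion's signature has already been verified upstream, and the class and method names are invented for the example.

```java
import java.io.StringReader;
import java.lang.reflect.Method;
import java.util.*;
import javax.annotation.security.RolesAllowed;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class SamlRoleCheck {
    // Defaults the page names for role claims; the two jaxrs:properties entries override them
    static final String ROLE_FORMAT = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims";
    static final String ROLE_NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role";
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";

    // Values of every saml:Attribute whose Name and NameFormat equal the configured qualifier and format
    static Set<String> rolesFrom(String assertionXml, String nameFormat, String roleName) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs, so no XXE
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(assertionXml)));
        Set<String> roles = new HashSet<>();
        NodeList attrs = doc.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; i < attrs.getLength(); i++) {
            Element a = (Element) attrs.item(i);
            // Any other claim, or a role claim in an unexpected NameFormat, is not treated as a role
            if (!roleName.equals(a.getAttribute("Name")) || !nameFormat.equals(a.getAttribute("NameFormat"))) continue;
            NodeList vals = a.getElementsByTagNameNS(SAML_NS, "AttributeValue");
            for (int j = 0; j < vals.getLength(); j++) roles.add(vals.item(j).getTextContent().trim());
        }
        return roles;
    }

    // Method-level @RolesAllowed first, then class-level; the caller needs at least one listed role
    // (this example denies when no annotation is declared; that is the example's own policy)
    static boolean isAllowed(Method m, Set<String> roles) {
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null) ra = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        return ra != null && !Collections.disjoint(Arrays.asList(ra.value()), roles);
    }

    public static class SecureBookStore { @RolesAllowed("admin") public String addBook(String b) { return b; } }

    public static void main(String[] args) throws Exception {
        // Constructed, unsigned test assertion: two role-named attributes, only one in the default NameFormat
        String assertion = "<saml:Assertion xmlns:saml='" + SAML_NS + "'><saml:AttributeStatement>"
            + "<saml:Attribute Name='" + ROLE_NAME + "' NameFormat='" + ROLE_FORMAT + "'>"
            + "<saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>"
            + "<saml:Attribute Name='" + ROLE_NAME + "' NameFormat='urn:oasis:names:tc:SAML:2.0:attrname-format:uri'>"
            + "<saml:AttributeValue>superuser</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>";
        Set<String> roles = rolesFrom(assertion, ROLE_FORMAT, ROLE_NAME);
        Method addBook = SecureBookStore.class.getMethod("addBook", String.class);
        System.out.println("roles " + roles + ", addBook allowed: " + isAllowed(addBook, roles));
    }
}
```

Only the attribute carrying the configured NameFormat contributes a role, which is exactly why the two properties matter when an identity provider issues roles under a different format or name.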

Note that RBAC and CBAC can be combined so that more sophisticated access control rules are enforced while the existing code relying on @RolesAllowed or @Secured stays intact: override ClaimsAuthorizingFilter, configure it with the Claims rules directly, and register it alongside SimpleAuthorizingFilter.

Also note how SecureAnnotationsInterceptor can handle different types of role annotations, with @RolesAllowed being supported by default.

CXF JAX-RS also supports Role Based Access Control (RBAC) based on role claims extracted from SAML Assertions. Please see the JAX-RS Claims page for more information.

SAML Web SSO Profile

Please see this page for more information.