Versions Compared

Old Version 4

changes.mady.by.user Colm O hEigeartaigh

Saved on

compared with

New Version 5

changes.mady.by.user Colm O hEigeartaigh

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

where "auth-format" and "authentication" are aliases for "http://claims/authentication-format" and "http://claims/authentication" respectively.

Enforcing Claims authorization

Simply adding Claims annotations are per the examples above is not sufficient to enforce claims based authorization.

...

To enforce claims authorization, a ClaimsAuthorizingInterceptor must be set as an "inInterceptor", passing it a reference to the secured object. There is also a JAX-RS filter wrapper around ClaimsAuthorizingInterceptor available, which is called ClaimsAuthorizingFilter.

An instance of org.apache.cxf.rs.security.saml.authorization.ClaimsAuthorizingFilter (note org.apache.cxf.rs.security.claims.ClaimsAuthorizingFilter from CXF 3.3.0) is used to enforce CBAC. It's a simple JAX-RS filter wrapper around ClaimsAuthorizingInterceptor.

...

For example, given this code:

import org.springframework.security.annotation.Secured;
 
@Path("/bookstore")
public class SecureBookStore {
     
    @POST
    @Secured("admin")
    public Book addBook(Book book) {
        return book;
    }
}

where @Secured can be replaced with @RoledAllowed if needed, the following configuration will do it:

<bean id="serviceBeanRoles" class="org.apache.cxf.systest.jaxrs.security.saml.SecureBookStore"/>
<bean id="samlEnvHandler" class="org.apache.cxf.rs.security.saml.SamlEnvelopedInHandler">
 <property name="securityContextProvider">
    <bean class="org.apache.cxf.systest.jaxrs.security.saml.CustomSecurityContextProvider"/>
 </property>
</bean>
 
<bean id="authorizationInterceptor" class="org.apache.cxf.interceptor.security.SecureAnnotationsInterceptor">
    <property name="securedObject" ref="serviceBean"/>
    <property name="annotationClassName"
              value="org.springframework.security.annotation.Secured"/>
</bean>
     
<bean id="rolesHandler" class="org.apache.cxf.jaxrs.security.SimpleAuthorizingFilter">
    <property name="interceptor" ref="authorizationInterceptor"/>
</bean>
     
<jaxrs:server address="/saml-roles">
  <jaxrs:serviceBeans>
     <ref bean="serviceBeanRoles"/>
  </jaxrs:serviceBeans>
  <jaxrs:providers>
      <ref bean="samlEnvHandler"/>
      <ref bean="rolesHandler"/>
  </jaxrs:providers>
   
  <!-- If default role qualifier and format are not supported:
        
  <jaxrs:properties>
     <entry key="org.apache.cxf.saml.claims.role.nameformat"
                value="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
     <entry key="org.apache.cxf.saml.claims.role.qualifier"
                value="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"/>
  </jaxrs:properties>
  -->
</jaxrs:server>

That is all what is needed. Note that in order to help the default SAML SecurityContextProvider figure out which claims are roles, one can set the two properties as shown above - this not needed if it's known that claims identifying roles have NameFormat and Name values with the default values, which are "http://schemas.xmlsoap.org/ws/2005/05/identity/claims" and "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/role" respectively at the moment.

...