The new projects are as follows:
- cxf-x509: This demo shows how to use X.509 tokens for authentication and authorization. The service has a TransportBinding policy with an EndorsingSupportingToken X509Token policy. The roles of the authenticated client are mocked by a WSS4J Validator for this demo, but could be retrieved from (e.g.) an LDAP backend in a real-world deployment.
- cxf-sts: The service in this demo has a TransportBinding policy with an EndorsingSupportingToken IssuedToken policy, requiring a SAML 2.0 token in a client request. The client obtains a SAML token from the CXF SecurityTokenService (STS) and includes it in the service request, also signing the request with the private key corresponding to the certificate in the SAML token (holder-of-key subject confirmation). An authorization test is also available which uses Claims in the policy to tell the STS to add the client's roles to the SAML token; the service then uses those roles for RBAC.
- cxf-sts-xacml: Similar to the cxf-sts demo, this test case requires a SAML 2.0 token from the STS with the client's roles embedded in the token. The service is then configured to create an XACML request and dispatch it to a Policy Decision Point (PDP) for authorization. The service endpoint then enforces the PDP's authorization decision. This demo ships with a mocked PDP implementation. For an enterprise-grade PDP which works with CXF, please see Talend ESB.
- cxf-kerberos: The service in this demo requires a Kerberos token over TLS. A Kerberos KDC is started as part of the demo, and a CXF JAX-WS client obtains a token and sends it to the service for authentication. SPNEGO is also demonstrated as part of this test case.
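To make the cxf-sts-xacml flow concrete, here is an added example (constructed for this post, not code from CXF or the demos) of the exchange between the service-side Policy Enforcement Point (PEP) and a PDP: the PEP serializes a XACML 3.0 Request carrying the subject, the roles it read from the SAML token, the resource and the action; the PDP answers with a XACML Response; the PEP lets the call through only on an explicit Permit. The resource name `urn:example:service:DoubleIt`, the action `execute`, the role `boss` and the in-memory rule table standing in for a PDP policy are all assumptions; CXF's own request builder and the mocked PDP in the demo are not reproduced here.

```python
"""Constructed example, not code from CXF or the demos: the XACML exchange a
service-side PEP has with a PDP for a role-based check. The service name,
operation and roles are made up; a real PDP evaluates XACML Policy documents
rather than the in-memory rule table used here."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "urn:oasis:names:tc:xacml:2.0:subject:role"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

ET.register_namespace("xacml", XACML)

# Hypothetical PDP policy: (resource-id, action-id, roles permitted). Evaluated
# first-applicable; an unmatched request is NotApplicable, and the PEP below
# treats everything except an explicit Permit as a denial (fail closed).
POLICY = [
    ("urn:example:service:DoubleIt", "execute", {"boss"}),
]


def _q(local):
    return f"{{{XACML}}}{local}"


def build_request(subject, roles, resource, action):
    """PEP side: serialize a XACML 3.0 <Request> with the authenticated subject,
    its roles (as the service would read them from a SAML token), the target
    resource and the requested action."""
    req = ET.Element(_q("Request"), {"CombinedDecision": "false",
                                     "ReturnPolicyIdList": "false"})

    def add(category, values):
        block = ET.SubElement(req, _q("Attributes"), {"Category": category})
        for attr_id, value in values:
            attr = ET.SubElement(block, _q("Attribute"),
                                 {"AttributeId": attr_id, "IncludeInResult": "false"})
            ET.SubElement(attr, _q("AttributeValue"), {"DataType": XS_STRING}).text = value

    add(CAT_SUBJECT, [(SUBJECT_ID, subject)] + [(ROLE, r) for r in roles])
    add(CAT_RESOURCE, [(RESOURCE_ID, resource)])
    add(CAT_ACTION, [(ACTION_ID, action)])
    return ET.tostring(req, encoding="utf-8")


def _values(root, category, attr_id):
    """Collect every AttributeValue for attr_id under the given category."""
    out = []
    for block in root.findall(_q("Attributes")):
        if block.get("Category") != category:
            continue
        for attr in block.findall(_q("Attribute")):
            if attr.get("AttributeId") == attr_id:
                out.extend(v.text for v in attr.findall(_q("AttributeValue")))
    return out


def decide(request_xml):
    """PDP side: parse the request and return the XACML decision string."""
    root = ET.fromstring(request_xml)
    roles = set(_values(root, CAT_SUBJECT, ROLE))
    resources = _values(root, CAT_RESOURCE, RESOURCE_ID)
    actions = _values(root, CAT_ACTION, ACTION_ID)
    if len(resources) != 1 or len(actions) != 1:
        return "Indeterminate"          # malformed request: never guess
    for resource, action, permitted in POLICY:
        if resource == resources[0] and action == actions[0]:
            return "Permit" if roles & permitted else "Deny"
    return "NotApplicable"


def build_response(decision):
    """PDP side: wrap the decision in a XACML 3.0 <Response>."""
    resp = ET.Element(_q("Response"))
    result = ET.SubElement(resp, _q("Result"))
    ET.SubElement(result, _q("Decision")).text = decision
    return ET.tostring(resp, encoding="utf-8")


def authorize(subject, roles, resource, action):
    """PEP enforcement: only an explicit Permit lets the call through. Deny,
    NotApplicable and Indeterminate all block it."""
    response = build_response(decide(build_request(subject, roles, resource, action)))
    decision = ET.fromstring(response).find(f"{_q('Result')}/{_q('Decision')}")
    return decision is not None and decision.text == "Permit"


if __name__ == "__main__":
    print(build_request("alice", ["boss"], "urn:example:service:DoubleIt", "execute").decode())
    print(authorize("alice", ["boss"], "urn:example:service:DoubleIt", "execute"))
```

The check a practitioner should take from this is in `authorize`: a PEP that tests `decision != "Deny"` would let NotApplicable and Indeterminate responses (a policy gap, a malformed request, an unreachable PDP) through, so the enforcement point compares against Permit and nothing else.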
Hi Colm,
For me the x509 AuthorizationTest works only if I add these settings to the authorizationInterceptor:
    <!-- map the client certificate's subject DN to a role -->
    <property name="userRolesMap">
        <map>
            <entry key="CN=Client,O=Apache,L=Dublin,ST=Leinster,C=IE" value="boss"/>
        </map>
    </property>
    <property name="checkConfiguredRolesOnly" value="true"/>
Without these the SimpleAuthorizingInterceptor.isUserInRole fails.
Regards,
Ivan
Hi Ivan,
Have you modified the demo at all? I just tried it again and it works ok. How are you running it?
Colm.
Hi Colm. In the meantime I found the reason. I only modified the wss4j version in the pom.xml. I replaced 2.0.1-SNAPSHOT with 2.0.0, as that was the only one available in the central repo. Now I have also tested with 2.0.2-SNAPSHOT. For me 2.0.2-SNAPSHOT works, but 2.0.0 does not.
Hi Ivan,
Ah yes, that test case depends on WSS4J 2.0.1-SNAPSHOT. WSS4J 2.0.1 is currently under vote, so I'll update the test case when it gets released.
Colm.