Full Spring Security Support in Apache CXF Fediz
New features are going to be added in the next version 1.1 of Fediz. I described here how to configure the new Fediz plugin for Spring Security with Container Managed Security (Pre-Authentication in Spring Security terms). The current snapshot version of Fediz 1.1 provides also full/native Spring Security support which means the Servlet Container runs unauthenticated (no security constraints defined in web.xml) and Spring Security enforces authentication.
You can either download the sources here:
git clone git://git.apache.org/cxf-fediz.git
or
svn co https://svn.apache.org/repos/asf/cxf/fediz/trunk
or download it from the snapshot maven repository.
A new example springWebapp has been added to the distribution to show this.
As in the Pre-Authentication case, the application can get access to the Spring Security Context like this:
SecurityContextHolder.getContext().getAuthentication();
The Authentication object is of instance FederationAuthenticationToken provides the following methods.
| Method | Class | Description |
| getCredentials | Element | Issues Security Token (ex. SAML Assertion) |
| getDetails | WebAuthenticationDetails | >Authentication details like IP, Session ID |
| getName | String | Authenticated user name |
| getAuthorities | Collection<? extends GrantedAuthority> | List of roles |
| getUserDetails | FederationUser | Extends the standard Spring User class with method getClaims() |
You can get more information from the Fediz Wiki how to configure Spring Security or have a look at the example here. The example shows how to configure Fediz for Spring Security and how to use the Spring Security API in your application code. Please post feedback and ideas to the CXF mailing list or the JIRA task FEDIZ-39.
Apache CXF Fediz is a subproject of Apache CXF. Fediz helps you to secure your web applications and delegate security enforcement to the underlying application server. With Fediz, authentication is externalized from your web application to an identity provider installed as a dedicated server component. The supported standard is WS-Federation Passive Requestor Profile.
Thank you for all support and feedback!
Hi,
ReplyDeleteWe are interested in using Fediz as an IdP and spring-security-saml as an RP. Is such a setup possible?
Also, we are getting an error when running the simpleWebapp example from this snapshot:
apache-fediz-1.1.0-20130524.180440-44
It returns a 500 error in the browser and a warning in the log:
HTTP Status 500 - Failed to create SignInRequest.
Is it some kind of misconfiguration?
thanx
Sorry I missed your comment. The Fediz IDP doesn't support the SAML profiles yet. It's planned for a future release.
DeleteBut you can use the Fediz IDP and the fediz plugin for spring security. Then you can use the full spring security functionality. It's just a different Spring Authentication Provider.
Hello,
ReplyDeleteI am using the latest snapshot apache-fediz-1.1.0-SNAPSHOT to configure Fediz. Actually i want Form based authentication feature to be implemented. I have added signinform.jsp in of my IDP's web.xml. When i run SpringWebApp sample application, i can see the form login page consisting username/password but my problem is the form is not getting submitted. It's working fine for popup based authentication. Can you please help.
Thanks
Hi
ReplyDeleteYou can configure in the security-config.xml of the fediz idp whether the idp should provide a form-Login or basic-auth. See here:
https://svn.apache.org/viewvc/cxf/fediz/trunk/services/idp/src/main/webapp/WEB-INF/security-config.xml?view=markup
You don't have to do this in the web.xml of the fediz-idp.
Does this address your issue?