On 17/10/2011 09:22, Oliver Wulff wrote:
> Hi guys
>
> I've attached an initial version of the patch for the following
> bugzilla task:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=51334
>
> I'd like to initiate a discussion how to bundle and integrate this
> into tomcat. I've added a comment to the attachment which is listed
> at the bottom of this mail.

I see four options.

1. Include this in the standard Tomcat distribution.
2. Ship this as a Tomcat extras module. [1]
3. Distribute this from Apache extras. [2]
4. Ship this from a.n.other code hosting service (Google Code,
   SourceForge etc.)

Given that Tomcat doesn't support web services out of the box, I don't
think it makes sense to ship WS-Federation as part of the standard
Tomcat distribution. That rules out option 1 in my view.

Since I always view option 3 as better than option 4, that rules out
option 4 in my view.

That leaves 2 or 3. I remain to be convinced that there is any demand
for this functionality. I haven't seen any evidence (questions on the
users list, bugs raised in Bugzilla) that folks are using the JSR-109
support in the extras package so I find it hard to see how there would
be much demand for WS-Federation. With this in mind, I'm currently
leaning towards option 3 but with links being added to the
WS-Federation implementation in the standard Tomcat docs (much the same
way we did with Waffle and friends for Windows auth integration).

If we do see clear demand for this being shipped with Tomcat then it
could move to a Tomcat extras module if everyone involved was happy
with such a move.

Mark

[1] http://tomcat.apache.org/download-70.cgi
[2] http://code.google.com/a/apache-extras.org/hosting/

>
> The maven module wsfed-tomcat contains a custom authenticator called
> FederationAuthenticator. There is more information in
> docs/readme.txt how to configure it.
>
> To test this piece of functionality you need a third party component
> which is the IDP. Technically, the IDP is a web application. There
> is some more information on the IDP here:
>
> http://owulff.blogspot.com/2011/10/configure-and-deploy-identity-provider.html
>
> (There is a unit test to test the federation logic in wsfed-core
> which doesn't need a servlet container up and running in
> wsfed-core/src/test/java/..../FederationProcessorTest.java).
>
> The IDP is just a servlet which delegates main of the functionality
> to the STS (SecurityTokenService) which is capable of issuing any kind
> of security tokens like SAML 2.0. The IDP is completely apache
> licensed (CXF 2.5 STS, WSS4J, OpenSAML).
>
> I need your advice what the options are to provide the IDP because it
> should not be part of the tomcat distribution itself. Maybe a
> separate downloadable file or just a blog? I also see an opportunity
> that the IDP could be enhanced further thus it can be used within
> enterprises and support more authentication options than just
> username/password (ex. kerberos).
>
> Looking forward to your feedback.
>
> Regards
>
> Oliver