Hi Mark

Thanks for your quick feedback...

There are two pieces - IDP and authenticator - where we have to decide how to 
package this.

>>>
Given that Tomcat doesn't support web services out of the box, I don't
think it makes sense to ship WS-Federation as part of the standard
Tomcat distribution. That rules out option 1 in my view.
>>>
WS-Federation doesn't address federation to web services only. WS-Federation 
describes an active requestor profile (which is for web service 
clients/providers) and a passive requestor profile (which is for SSO for web 
applications). The patch I applied is for the latter.

I've extended the current FormAuthenticator class. The key difference is that 
the FormAuthenticator does a forward to another location to challenge the user 
to enter username/password whereas the FederationAuthenticator redirects the 
browser to another web site which is called the IDP. The IDP sends a hidden 
form back to the browser which will be automatically submitted. This HTTP POST 
contains the security token which is validated by the FederationAuthenticator 
and creates a FederationPrincipal which extends from GenericPrincipal and 
provides the user, roles and claims (as part of FederationPrincipal).

This allows the application developer to use the standard servlet api to get 
the current principal, check for roles and if the application is claims based 
they can downcast to FederationPrincipal.

>>>
That leaves 2 or 3. I remain to be convinced that there is any demand
for this functionality. I haven't seen any evidence (questions on the
users list, bugs raised in Bugzilla) that folks are using the JSR-109
support in the extras package so I find it hard to see how there would
be much demand for WS-Federation.
>>>
As mentioned above, the WS-Federation passive requestor profile doesn't relate to 
web services and JSR-109 at all. Instead it gives the Tomcat community a great 
added value for enterprise web applications where authentication is 
externalized to another site and provides the basis to implement claims-based 
authorization. This kind of functionality further enables users to use 
Tomcat in the cloud but keep the authentication within the company.

Considering this, I'd prefer to go with option 2 (extra tomcat module).

Regards
Oliver
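The flow described above (redirect to the IDP instead of a forward to a login page, auto-submitted POST carrying the token back, validation, and a principal that extends GenericPrincipal with claims) as an added example against the Tomcat 7 Authenticator API. This is not the patch attached to Bug 51334 and not wsfed-core's code: the `TokenValidator` interface stands in for whatever the real FederationProcessor does, the `wa`/`wtrealm`/`wctx`/`wresult` parameter names are the WS-Federation passive profile's, and the `idpUrl`/`realm` valve attributes and the `"WSFED"` auth type are assumptions. Both classes would live in their own files in a real module.

```java
// Added example, not the Bug 51334 patch. Tomcat 7 API (org.apache.catalina.deploy.LoginConfig).
package example.wsfed;

import java.io.IOException;
import java.math.BigInteger;
import java.net.URLEncoder;
import java.security.SecureRandom;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Session;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;

/** User, roles and the claims asserted by the IDP's token; applications downcast to reach the claims. */
public class FederationPrincipal extends GenericPrincipal {
    private final Map<String, String> claims;

    public FederationPrincipal(String name, List<String> roles, Map<String, String> claims) {
        super(name, null, roles);   // no password: the IDP authenticated the user, not Tomcat
        this.claims = Collections.unmodifiableMap(claims);
    }

    public Map<String, String> getClaims() { return claims; }
}

/** Assumed interface: turns the posted token into an identity, or throws if signature, audience or validity fail. */
interface TokenValidator {
    FederationPrincipal validate(String wresult, String expectedRealm) throws SecurityException;
}

/** Assumed shape; public in its own file so Tomcat can instantiate it as a <Valve>. */
class FederationAuthenticator extends FormAuthenticator {
    private static final String STATE_NOTE = "wsfed.wctx";
    private final SecureRandom random = new SecureRandom();
    private String idpUrl;            // <Valve ... idpUrl="https://idp.example/" realm="https://app.example/"/>
    private String realm;             // wtrealm: how this application is known at the IDP
    private TokenValidator validator; // wired by whoever configures the valve

    public void setIdpUrl(String idpUrl) { this.idpUrl = idpUrl; }
    public void setRealm(String realm) { this.realm = realm; }
    public void setValidator(TokenValidator validator) { this.validator = validator; }

    @Override
    public boolean authenticate(Request request, HttpServletResponse response, LoginConfig config)
            throws IOException {
        if (request.getUserPrincipal() != null) {
            return true;                                   // already signed in for this session
        }
        Session session = request.getSessionInternal(true);
        String wresult = request.getParameter("wresult");

        if ("POST".equalsIgnoreCase(request.getMethod()) && wresult != null) {
            // The IDP's hidden form echoes wctx unchanged; accept the token only for the
            // session that started this sign-in, so a token cannot be replayed into another session.
            String expected = (String) session.getNote(STATE_NOTE);
            if (expected == null || !expected.equals(request.getParameter("wctx"))) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "sign-in reply does not match session");
                return false;
            }
            session.removeNote(STATE_NOTE);
            FederationPrincipal principal;
            try {
                principal = validator.validate(wresult, realm);
            } catch (SecurityException e) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid security token");
                return false;
            }
            register(request, response, principal, "WSFED", principal.getName(), null);
            return true;
        }

        // Unlike FormAuthenticator's forward to a login page, send the browser to the IDP.
        String state = new BigInteger(128, random).toString(32);
        session.setNote(STATE_NOTE, state);
        String location = idpUrl + "?wa=wsignin1.0"
                + "&wtrealm=" + URLEncoder.encode(realm, "UTF-8")
                + "&wctx=" + URLEncoder.encode(state, "UTF-8");
        response.sendRedirect(response.encodeRedirectURL(location));
        return false;                                      // request completes after the round trip
    }
}
```

Application code stays on the standard servlet API: `request.getUserPrincipal()` and `request.isUserInRole(...)` work as with form login, and a claims-aware application checks `instanceof FederationPrincipal` before calling `getClaims()`. What the example leaves to the validator is exactly where the security lives: the token's signature must chain to a trusted IDP certificate, its audience must equal the configured realm, and its validity window must be checked, otherwise any party able to reach the POST endpoint could mint identities. Saving and replaying the originally requested URL, as FormAuthenticator does, is omitted here.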




________________________________________
From: Mark Thomas [ma...@apache.org]
Sent: Monday, 17 October 2011 13:10
To: Tomcat Developers List
Subject: Re: Bug 51334 - Federation support for Tomcat

On 17/10/2011 09:22, Oliver Wulff wrote:
> Hi guys
>
> I've attached an initial version of the patch for the following
> bugzilla task:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=51334
>
> I'd like to initiate a discussion how to bundle and integrate this
> into tomcat. I've added a comment to the attachment which is listed
> at the bottom of this mail.

I see four options.

1. Include this in the standard Tomcat distribution.
2. Ship this as a Tomcat extras module. [1]
3. Distribute this from Apache extras. [2]
4. Ship this from a.n.other code hosting service (Google code, source
forge etc.)

Given that Tomcat doesn't support web services out of the box, I don't
think it makes sense to ship WS-Federation as part of the standard
Tomcat distribution. That rules out option 1 in my view.

Since I always view option 3 as better than option 4, that rules out
option 4 in my view.

That leaves 2 or 3. I remain to be convinced that there is any demand
for this functionality. I haven't seen any evidence (questions on the
users list, bugs raised in Bugzilla) that folks are using the JSR-109
support in the extras package so I find it hard to see how there would
be much demand for WS-Federation.

With this in mind, I'm currently leaning towards option 3 but with links
being added to the WS-Federation implementation in the standard Tomcat
docs (much the same way we did with Waffle and friends for Windows auth
integration). If we do see clear demand for this being shipped with
Tomcat then it could move to a Tomcat extras module if everyone involved
was happy with such a move.

Mark


[1] http://tomcat.apache.org/download-70.cgi
[2] http://code.google.com/a/apache-extras.org/hosting/

>
> The maven module wsfed-tomcat contains a custom authenticator called
> FederationAuthenticator. There is more information in
> docs/readme.txt on how to configure it.
>
> To test this piece of functionality you need a third party component
> which is the IDP. Technically, the IDP is a web application. There is
> some more information on the IDP here:
>
> http://owulff.blogspot.com/2011/10/configure-and-deploy-identity-provider.html
>
> (There is a unit test to test the federation logic in wsfed-core
> which doesn't need a servlet container up and running in
> wsfed-core/src/test/java/..../FederationProcessorTest.java).
>
> The IDP is just a servlet which delegates most of the functionality
> to the STS (SecurityTokenService), which is capable of issuing any kind
> of security token, such as SAML 2.0. The IDP is completely Apache
> licensed (CXF 2.5 STS, WSS4J, OpenSAML).
>
> I need your advice on what the options are to provide the IDP because it
> should not be part of the tomcat distribution itself. Maybe a
> separate downloadable file or just a blog? I also see an opportunity
> that the IDP could be enhanced further so that it can be used within
> enterprises and support more authentication options than just
> username/password (e.g. Kerberos).
>
> Looking forward to your feedback.
>
> Regards
>
> Oliver

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org