Revision as of 11:27, 29 January 2009
Since Selectors use most of the Higgins Components, work on harmonizing the Higgins selectors into a single architecture would be a huge step towards overall Higgins architecture harmonization/convergence.
A good first step in converging the selectors is start by harmonizing the GTK and Cocoa Selector and the AIR Client and Server. Aside from UI differences, the former performs all processing locally, whereas the latter presents a local UI but relies on a hosted server. The latter has the advantage of supporting roaming of cards as well as multiple simultaneous clients. The former has performance advantages. We'd like to get the best of both worlds by having a converged architecture which synchronizes cards between the client and the server. The common code would be in a local "selector service" component that alternative UI layers can use.
Contents
- 1 Top Level Diagram
- 2 Phase 1
- 3 Phase 2
- 3.1 Local I-Card Service
- 3.2 I-Card Cache (Component Set)
- 3.3 Server Modifications
- 3.4 Card Sync Protocol
- 3.4.1 Data Transfer objects
- 3.4.1.1 AccessTokenTO
- 3.4.1.2 BaseTO
- 3.4.1.3 RevisionTO
- 3.4.1.4 CardTO
- 3.4.1.5 MCardTO
- 3.4.1.6 PCardTO
- 3.4.1.7 ClaimTO
- 3.4.1.8 ClaimUiDescriptor
- 3.4.1.9 ClaimTypeTO
- 3.4.1.10 CardExtensionTO
- 3.4.1.11 StsPrivacyPolicyTO
- 3.4.1.12 TokenServiceTO
- 3.4.1.13 CredentialDescriptorTO
- 3.4.1.14 EndpointReferenceTO
- 3.4.1.15 CardHistoryTO
- 3.4.1.16 WebFormTO
- 3.4.1.17 CardCategoryTO
- 3.4.1.18 UserProfileTO
- 3.4.1.19 CardCredentialTO
- 3.4.1.20 UsernamePasswordCredentialTO
- 3.4.1.21 PinCredentialTO
- 3.4.1.22 UseAlwaysTO
- 3.4.1.23 CaptchaTO
- 3.4.1.24 OperationTO
- 3.4.2 Exceptions
- 3.4.3 Authentication
- 3.4.4 JAX-RS API
- 3.4.5 JAX-WS API
- 3.4.6 Sequences
- 4 Phase 3
Top Level Diagram
As the diagram shows, we formalize the separation of presentation from core services:
Notes:
- We introduce the notion of a "Component Set" -- a set of components
- This architecture would run on Windows, Mac OSX, Linux and (with further work) potentially smart phones
- The "Selector UI" component would be either GTK, Cocoa or AIR-based, but the underlying Local I-Card Service would be common.
Phase 1
Phased approach to implementation.
First Steps
The first objective is to perfectly align the existing Components with the above diagram.
- Jeesmon: Split the shared tcpserver project into multiple projects to align with above. Suggestions for new names:
- org.eclipse.higgins.hss for http://wiki.eclipse.org/Components#Higgins_Selector_Selector_.28HSS.29
- org.eclipse.higgins.hss.manager for http://wiki.eclipse.org/Components#HSS_Manager
- org.eclipse.higgins.hss.launcher for http://wiki.eclipse.org/Components#Higgins_Launcher
- org.eclipse.higgins.hbx.ie (NOT hbxie! (taken)) for http://wiki.eclipse.org/Components#Higgins_Browser_Extension_.28HBX.29
- Jeesmon: Merge the currently separate HSS connectors into .higgins.hss per the following ticket 258504
- Jeesmon: Split the AIR Selector code (org.eclipse.higgins.air ) into two project files
- org.eclipse.higgins.selector.ui.air - selector UI in AIR/Flex
- org.eclipse.higgins.selector.client.air (will eventually be replaced with a common .higgins.lics Local I-Card Service in C++) - selector services in AIR/Flex
- Split GTK/Cocoa Selector component into smaller pieces. Here's the first split:
- Leave "org.eclipse.higgins.cbselector" project as-is (for Higgins 1.0 use)
- Copy just the GTK-based user interface portion of .cbselector (shown in a box here) into a new project .higgins.selector.ui.gtk as the first alternative implementation project within the new Selector UI component shown above.
- Copy the rest of the .cbselector project into a new .higgins.lics (Local I-Card Service) component
- Change GTK-based Selector to use standard Higgins HBX
Phase 2
Local I-Card Service
The client side of phase 2 involves creating the .higgins.lics project by copying the "Identity Selector Service" from .cbselector and replacing its i-card store with an i-card cache.
Overview:
I-Card Cache (Component Set)
One possible way to implement the I-Card Cache:
Server Modifications
A new, RESTful binding I-Card Sync Web App component would be layered over an enhanced I-Card Service.
Card Sync Protocol
Our latest thinking is to create a new RESTful binding over the I-Card Service using JAX-RS. We have to decide on an implementation of JAX-RS. Perhaps Jersey?
Data Transfer objects
AccessTokenTO
public class AccessTokenTO
extends java.lang.Object
implements java.io.Serializable
AccessToken transfer object. See Selector_Architecture_Harmonization#Authentication
private java.lang.String id Represents token identifier.
private java.util.Date issuedTime Represents issued date time.
private java.lang.Integer maxIdleTime Represents max idle time in seconds.
BaseTO
public class BaseTO
extends java.lang.Object
implements java.io.Serializable
Base transfer object. All resources should extend it.
private java.lang.String id Represents unique resource server identifier.
private RevisionTO revision Represents revision information.
RevisionTO
public class RevisionTO
extends java.lang.Object
implements java.io.Serializable
Resource revision transfer object.
private java.util.Date modifiedTime Represents last modified date.
private java.lang.Long number Represents revision number.
CardTO
public class CardTO extends BaseTO implements java.io.Serializable
Card transfer object.
private java.lang.String cardId Represents card identifier.
private ClaimTO[] claims Card claims.
private java.util.Date expiredTime Card expired date.
private CardExtensionTO[] extensions Card extensions.
private byte[] hashSalt Card hash salt.
private byte[] image Card image.
private java.lang.String imageType Card image mime type.
private java.util.Date issuedTime Issued(created) time.
private java.lang.String issuer Card issuer name.
private byte[] issuerID Card issuer identifier.
private java.lang.String issuerName Human friendly card issuer name.
private java.util.Date lastUpdatedTime Last card updated date.
private byte[] masterKey Card master key.
private java.lang.String name Human friendly card name.
private java.lang.Boolean selfIssued Is card self issued.
private ClaimTypeTO[] supportedClaimTypes Represents array of all possible types of claim that are supported.
private java.lang.String[] supportedTokenTypes Represents arrays of token types which can be provided for this card.
private java.lang.String version Card version.
MCardTO
public class MCardTO extends CardTO implements java.io.Serializable
Managed card transfer object.
private java.lang.String ic07IssuerInformation Represents /ic07:IssuerInformation extension element
private java.lang.Boolean requireAppliesTo Represents requireAppliesTo card element.
private java.lang.Boolean strongRecipientIdentityRequired Represents the /ic07:RequireStrongRecipientIdentity extension element. If true then the Selector MUST only allow the card to be used at a Relying Party that presents a cryptographically protected identity (an X.509v3 certificate).
private StsPrivacyPolicyTO stsPrivacyPolicyTO STS/IdP privacy policy
private TokenServiceTO[] tokenServices Represents array of security token services.
PCardTO
public class PCardTO
extends CardTO
implements java.io.Serializable
Personal card transfer object.
private byte[] pinDigest Contains the base64 encoded bytes of the SHA1 hash of the pin code
ClaimTO
public class ClaimTO
extends java.lang.Object
implements java.io.Serializable
Card claim transfer object.
private ClaimTO[] claims Contains sub-claims if claim is complex claim.
private ClaimTypeTO claimType Represents claim type
private ClaimUiDescriptor claimUiDescriptor Represents meta information for building user friendly claim editor.
private java.lang.String[] values Represents claim values.
ClaimUiDescriptor
public class ClaimUiDescriptor
extends java.lang.Object
implements java.io.Serializable
Claim user interface descriptor transfer object. Has meta information for building user friendly claim editor.
private java.lang.String inputMask Might contain an input mask for formatting the claim value on the client side.
private java.lang.String[] optionalValues Should contain the possible values if type equals 4 (TYPE_COMBOBOX).
private java.lang.String pattern Might contain a regular expression for validating user input on the client side.
private java.lang.String type Defines claim editor type.
- TextField GUI component type TYPE_TEXTFILED = 0;
- TextArea GUI component type TYPE_TEXTAREA = 1;
- FileChooser GUI component type TYPE_FILE = 2;
- CheckField GUI component type TYPE_CHECKBOX = 3;
- ComboBox GUI component type TYPE_COMBOBOX = 4;
- Date(time) GUI component type TYPE_DATETIME = 5.
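The descriptor above tells the client which editor to draw and how to check what the user types. The following added example (hypothetical, not Higgins code) shows the client-side check a selector UI could run before accepting a claim value: it assumes the descriptor's type is compared as the numeric constant listed above (the page spells the first one TYPE_TEXTFILED; the example uses TYPE_TEXTFIELD), that pattern is a java.util.regex expression that must match the whole value, and that a combo-box value must be one of optionalValues.

```java
import java.time.OffsetDateTime;
import java.time.format.DateTimeParseException;
import java.util.Arrays;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

/** Client-side check of a claim value against ClaimUiDescriptor fields. Hypothetical illustration. */
public class ClaimValueValidator {

    // Editor types as listed for ClaimUiDescriptor.type
    public static final int TYPE_TEXTFIELD = 0, TYPE_TEXTAREA = 1, TYPE_FILE = 2,
                            TYPE_CHECKBOX = 3, TYPE_COMBOBOX = 4, TYPE_DATETIME = 5;

    /** Returns true if value is acceptable for an editor described by (type, pattern, optionalValues). */
    public static boolean isValid(int type, String pattern, String[] optionalValues, String value) {
        if (value == null) {
            return false;
        }
        switch (type) {
            case TYPE_CHECKBOX:
                return "true".equals(value) || "false".equals(value);
            case TYPE_COMBOBOX:
                // Only the server-provided options are acceptable; the regex is not consulted here.
                return optionalValues != null && Arrays.asList(optionalValues).contains(value);
            case TYPE_DATETIME:
                try {
                    OffsetDateTime.parse(value);   // ISO-8601 with offset, e.g. 2009-01-29T11:27:00Z
                    return true;
                } catch (DateTimeParseException e) {
                    return false;
                }
            case TYPE_TEXTFIELD:
            case TYPE_TEXTAREA:
            case TYPE_FILE:
                return matchesPattern(pattern, value);
            default:
                return false;   // unknown editor type: reject rather than guess
        }
    }

    private static boolean matchesPattern(String pattern, String value) {
        if (pattern == null || pattern.isEmpty()) {
            return true;        // descriptor imposes no format
        }
        try {
            // matches() anchors the whole value; find() would accept "12345\nextra" for "[0-9]{5}"
            return Pattern.compile(pattern).matcher(value).matches();
        } catch (PatternSyntaxException e) {
            return false;       // a broken pattern must not let arbitrary input through
        }
    }

    public static void main(String[] args) {
        String[] countries = { "DE", "FR", "US" };   // constructed combo-box options
        System.out.println(isValid(TYPE_TEXTFIELD, "[0-9]{5}", null, "12345"));
        System.out.println(isValid(TYPE_TEXTFIELD, "[0-9]{5}", null, "12345\nextra"));
        System.out.println(isValid(TYPE_COMBOBOX, null, countries, "FR"));
        System.out.println(isValid(TYPE_COMBOBOX, null, countries, "XX"));
        System.out.println(isValid(TYPE_DATETIME, null, null, "2009-01-29T11:27:00Z"));
        System.out.println(isValid(TYPE_TEXTFIELD, "[unclosed", null, "anything"));
    }
}
```

Because pattern and optionalValues are delivered by the server and evaluated in the selector UI, this check is a usability aid for the editor; the Card Sync service still has to validate the claim values it stores.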
ClaimTypeTO
public class ClaimTypeTO
extends java.lang.Object
implements java.io.Serializable
ClaimType transfer object.
private java.lang.String description Represents description.
private java.lang.String displayName Represents the human friendly name.
private java.lang.Boolean isSimple Determines whether corresponding IClaim is simple or complex.
private java.lang.String type Represents type URI.
CardExtensionTO
public class CardExtensionTO
extends java.lang.Object
implements java.io.Serializable
CardExtension transfer object.
private java.lang.Boolean enabled Is extension enabled.
private java.lang.String extensionXmlElement Represents extension element data.
StsPrivacyPolicyTO
public class StsPrivacyPolicyTO
extends java.lang.Object
implements java.io.Serializable
STS/IdP privacy policy transfer object.
private java.lang.String url STS/IdP privacy policy url.
private java.lang.String version STS/IdP privacy policy version.
TokenServiceTO
public class TokenServiceTO
extends java.lang.Object
implements java.io.Serializable
Token service transfer object.
private EndpointReferenceTO endpointReference Represents Token Service endpoint.
private CredentialDescriptorTO userCredential Represents Token Service credential.
CredentialDescriptorTO
public class CredentialDescriptorTO
extends java.lang.Object
implements java.io.Serializable
Token service credential descriptor transfer object.
private java.lang.String credentialXmlElement Represents the credential XML element.
private java.lang.String displayCredentialHint Represents the user friendly credential hint.
private java.lang.String type Represents the credential type:
- SelfIssuedCredential
- X509V3Credential
- KerberosV5Credential
- UsernamePasswordCredential
EndpointReferenceTO
public class EndpointReferenceTO
extends java.lang.Object
implements java.io.Serializable
Token service Endpoint reference transfer object.
private java.net.URI address Represents address.
private java.lang.String identityXml Represents Identity element of TokenService.
private java.net.URI metadataAddress Represents Metadata Address URI if Metadata contains it.
private java.lang.String metadataXml Represents Metadata element of TokenService.
CardHistoryTO
public class CardHistoryTO
extends BaseTO
implements java.io.Serializable
Card history transfer object.
private java.util.Date date Represents date time of card usage.
private WebFormTO form Represents html web form elements.
WebFormTO
public class WebFormTO
extends java.lang.Object
implements java.io.Serializable
Web form transfer object.
private java.lang.String formAction Represents html form action element.
private java.lang.String formId Represents html form id element.
private java.lang.String formName Represents html form name element.
private java.net.URI url Represents web page URL.
CardCategoryTO
public class CardCategoryTO
extends BaseTO
implements java.io.Serializable
Card category transfer object.
private java.lang.String[] cuids Represents associated card id array.
private int idx Represents category index.
private java.lang.String name Represents category name.
private java.lang.String parentId Represents parent category identifier.
private java.lang.String type Represents category type.
UserProfileTO
public class UserProfileTO
extends BaseTO
implements java.io.Serializable
User profile transfer object.
private java.util.Date createdTime Represents user account created date.
private java.lang.String email Represents user email address.
private java.lang.String firstName Represents user first name.
private java.lang.String lastName Represents user last name.
private java.lang.String loginName Represents user login name.
private java.lang.String mobile Represents user mobile number.
private java.util.Date modifiedTime Represents last updated date.
CardCredentialTO
public class CardCredentialTO
extends BaseTO
implements java.io.Serializable
Card credential transfer object.
private java.lang.String credentialType Represents the credential type.
UsernamePasswordCredentialTO
public class UsernamePasswordCredentialTO
extends CardCredentialTO
implements java.io.Serializable
UsernamePasswordCredential credential transfer object. Needed for supporting auto-login.
private java.net.URI tsAddress Represents the STS/IdP address.
private java.net.URI tsMetadataAddress Represents the STS/IdP metadata address.
private java.lang.String username Represents username.
PinCredentialTO
public class PinCredentialTO
extends CardCredentialTO
implements java.io.Serializable
PinCredential transfer object.
private byte[] pinCode Represents pinCode.
UseAlwaysTO
public class UseAlwaysTO
extends BaseTO
implements java.io.Serializable
UseAlways transfer object. Needed for supporting auto-login.
private WebFormTO form Represents html web form elements.
CaptchaTO
public class CaptchaTO
extends BaseTO
implements java.io.Serializable
Captcha transfer object. Needed for the password-reset workflow.
private byte[] image Captcha image.
OperationTO
public class OperationTO
extends java.lang.Object
implements java.io.Serializable
Log operation transfer object.
private java.lang.String name Represents operation/command name. It will be one of the following constants:
- Persist
- Delete
- DeleteAll
private BaseTO resource Represents resource. It might be null for "Delete".
private java.lang.String resourceId Represents server resource identifier. It might be null for "DeleteAll".
private java.lang.String resourceType Represents resource type.
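OperationTO is the unit the sync protocol ships from the server to the Local I-Card Service. The following added example (hypothetical, not Higgins code) replays a constructed log of Persist / Delete / DeleteAll operations against a local cache keyed by BaseTO.id. It assumes a minimal Resource stand-in carrying id, resourceType and the RevisionTO number, and it assumes one conflict rule the page does not state: a Persist whose revision number is not newer than the cached copy is ignored, so an out-of-order or replayed operation cannot roll a card back.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Replays OperationTO-style log entries against a local resource cache. Hypothetical illustration. */
public class OperationReplay {

    /** The three operation names listed for OperationTO.name. */
    public enum Name { Persist, Delete, DeleteAll }

    /** Minimal stand-in for BaseTO: server id, resource type and RevisionTO.number. */
    public static final class Resource {
        public final String id;
        public final String type;
        public final long revision;

        public Resource(String id, String type, long revision) {
            this.id = id;
            this.type = type;
            this.revision = revision;
        }
    }

    /** Mirrors OperationTO: resource may be null for Delete, resourceId may be null for DeleteAll. */
    public static final class Operation {
        public final Name name;
        public final Resource resource;
        public final String resourceId;
        public final String resourceType;

        public Operation(Name name, Resource resource, String resourceId, String resourceType) {
            this.name = name;
            this.resource = resource;
            this.resourceId = resourceId;
            this.resourceType = resourceType;
        }
    }

    private final Map<String, Resource> cache = new HashMap<>();

    /** Applies one operation; returns true if the cache changed. */
    public boolean apply(Operation op) {
        switch (op.name) {
            case Persist:
                if (op.resource == null) {
                    throw new IllegalArgumentException("Persist needs a resource");
                }
                Resource current = cache.get(op.resource.id);
                // Assumed conflict rule: only a strictly newer revision replaces the cached copy.
                if (current != null && current.revision >= op.resource.revision) {
                    return false;
                }
                cache.put(op.resource.id, op.resource);
                return true;
            case Delete:
                if (op.resourceId == null) {
                    throw new IllegalArgumentException("Delete needs a resourceId");
                }
                return cache.remove(op.resourceId) != null;
            case DeleteAll:
                if (op.resourceType == null) {
                    throw new IllegalArgumentException("DeleteAll needs a resourceType");
                }
                return cache.values().removeIf(r -> r.type.equals(op.resourceType));
            default:
                throw new IllegalStateException("unknown operation " + op.name);
        }
    }

    public List<Resource> snapshot() {
        return new ArrayList<>(cache.values());
    }

    public static void main(String[] args) {
        OperationReplay local = new OperationReplay();
        Resource c1v1 = new Resource("c1", "MCard", 1);
        Resource c1v2 = new Resource("c1", "MCard", 2);
        Resource c2v3 = new Resource("c2", "PCard", 3);
        Operation[] log = {                                          // constructed sync log
            new Operation(Name.Persist, c1v2, "c1", "MCard"),
            new Operation(Name.Persist, c1v1, "c1", "MCard"),        // stale revision, must be ignored
            new Operation(Name.Persist, c2v3, "c2", "PCard"),
            new Operation(Name.Delete, null, "c2", "PCard"),
            new Operation(Name.DeleteAll, null, null, "MCard"),
        };
        for (Operation op : log) {
            System.out.println(op.name + " -> changed=" + local.apply(op) + ", cached=" + local.snapshot().size());
        }
    }
}
```

Rejecting the operation outright when a required field is missing, rather than treating a null resourceId as "delete nothing", keeps a malformed or truncated log entry from being silently absorbed into the cache.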
Exceptions
it'll be soon.
Authentication
Almost all Card Sync Web App methods require user authentication (except addUserProfile, getPasswordResetCode, etc.). These diagrams illustrate the sequence of interactions between the Local ICard Selector and the Card Sync Web App.
Authentication Process
1. Get Access Token (Sign on). See Selector_Architecture_Harmonization#AccessTokenTO
1.1 The Local ICard Selector contacts the Card Sync Web App, asking for an AccessTokenTO by using a username/password credential: getAccessToken(userIdentifier, password).
1.2 The Card Sync Web App invokes the authenticate(userIdentifier, password) Card Sync Service method.
1.3 The Card Sync Service delegates authentication to ILoginService (JAAS).
1.4 If ILoginService can authenticate the user, it returns a UserAccount instance (needed for accessing protected data).
1.5 The Card Sync Web App invokes the buildAccessToken(userAccount) Card Sync Service method to generate an AccessToken.
1.6 The Card Sync Service builds and stores the AccessToken.
1.7 The Card Sync Web App returns the AccessTokenTO to the Local ICard Selector.
2. Get user protected data.
2.1 The Local ICard Selector asks the Card Sync Web App for protected data by using the Access Token Identifier (AccessTokenTO.id).
2.2 The Card Sync Web App delegates validation of the Access Token Identifier to the Card Sync Service: checkAccessToken(AccessTokenTO.id).
2.3 If the Access Token Identifier is valid, the Card Sync Service returns the AccessToken.
2.4 The Card Sync Web App retrieves the protected data by using the AccessToken.
2.5 The Card Sync Web App returns the protected data to the Local ICard Selector.
3. Delete Access Token (Sign out).
3.1 The Local ICard Selector has to invoke the deleteAccessToken(AccessTokenTO.id) Card Sync Web App method.
3.2 The Card Sync Web App delegates it to the Card Sync Service by using the deleteAccessToken(id) method.
Pass the Access Token Identifier in the HTTP header "access_token"
We're going to support a REST API for synchronizing user cards. It assumes HTTP GET requests for retrieving protected data, so the Access Token Identifier would have to be included in the request URL. If we pass the Access Token Identifier in an HTTP header instead, it is better protected (of course only over HTTPS).
Both the REST and SOAP web services would read the access token from the HTTP headers.
Encrypt/Decrypt Access Token Identifier
To prevent unauthorized access, we would encrypt the Access Token Identifier by using the user's public key (on the server side) and the server's public key (on the client side).
Access Token idle timeout
If an Access Token has not been used for longer than the idle timeout, it will be deleted automatically.
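The sign-on, validation, sign-out and idle-timeout rules above fit in a small server-side component. The following added example (hypothetical, not the Higgins Card Sync Service) puts them together: getAccessToken delegates to a LoginService stand-in for ILoginService and issues a random identifier, checkAccessToken rejects and removes a token whose last use is older than maxIdleTime, deleteAccessToken is the sign-out, and tokenIdFromHeaders reads the identifier from the "access_token" request header rather than the URL. The 32-byte random identifier, the injected clock and the single-account login service in main are all constructed for the demonstration.

```java
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

/** In-memory Access Token store following the sign-on / use / sign-out sequence above. Hypothetical. */
public class AccessTokenStore {

    /** HTTP header carrying the Access Token Identifier, as proposed on this page. */
    public static final String ACCESS_TOKEN_HEADER = "access_token";

    /** Stand-in for ILoginService (JAAS): the account name on success, empty otherwise. */
    public interface LoginService {
        Optional<String> authenticate(String userIdentifier, char[] password);
    }

    /** Server-side token: the AccessTokenTO fields plus owner and last-use time for the idle check. */
    public static final class AccessToken {
        public final String id;
        public final String userAccount;
        public final Instant issuedTime;
        public final int maxIdleTime;   // seconds, as in AccessTokenTO.maxIdleTime
        volatile Instant lastUsed;

        AccessToken(String id, String userAccount, Instant issuedTime, int maxIdleTime) {
            this.id = id;
            this.userAccount = userAccount;
            this.issuedTime = issuedTime;
            this.maxIdleTime = maxIdleTime;
            this.lastUsed = issuedTime;
        }
    }

    private final Map<String, AccessToken> tokens = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final Supplier<Instant> clock;   // injected so the idle timeout can be demonstrated
    private final int maxIdleSeconds;

    public AccessTokenStore(Supplier<Instant> clock, int maxIdleSeconds) {
        this.clock = clock;
        this.maxIdleSeconds = maxIdleSeconds;
    }

    /** Steps 1.2 to 1.6: authenticate through the login service, then build and store a token. */
    public Optional<AccessToken> getAccessToken(String userIdentifier, char[] password, LoginService login) {
        Optional<String> account = login.authenticate(userIdentifier, password);
        if (!account.isPresent()) {
            return Optional.empty();
        }
        byte[] raw = new byte[32];          // 256 random bits: the identifier is the bearer secret
        random.nextBytes(raw);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        AccessToken token = new AccessToken(id, account.get(), clock.get(), maxIdleSeconds);
        tokens.put(id, token);
        return Optional.of(token);
    }

    /** Steps 2.2 and 2.3: look the identifier up; a token idle longer than maxIdleTime is dropped and rejected. */
    public Optional<AccessToken> checkAccessToken(String id) {
        AccessToken token = id == null ? null : tokens.get(id);
        if (token == null) {
            return Optional.empty();
        }
        Instant now = clock.get();
        if (Duration.between(token.lastUsed, now).getSeconds() > token.maxIdleTime) {
            tokens.remove(id);              // idle timeout has the same effect as an explicit sign-out
            return Optional.empty();
        }
        token.lastUsed = now;               // every valid use restarts the idle window
        return Optional.of(token);
    }

    /** Step 3: sign-out. True if a token was actually removed. */
    public boolean deleteAccessToken(String id) {
        return id != null && tokens.remove(id) != null;
    }

    /** Reads the identifier from the request headers rather than the URL, so it stays out of URL logs. */
    public static String tokenIdFromHeaders(Map<String, String> headers) {
        for (Map.Entry<String, String> e : headers.entrySet()) {
            if (ACCESS_TOKEN_HEADER.equalsIgnoreCase(e.getKey())) {
                return e.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        Instant[] now = { Instant.parse("2009-01-29T11:27:00Z") };   // constructed, adjustable clock
        AccessTokenStore store = new AccessTokenStore(() -> now[0], 600);
        LoginService login = (user, pw) -> {                          // constructed single-account login service
            boolean ok = "alice".equals(user) && "correct horse".equals(new String(pw));
            return ok ? Optional.of("alice") : Optional.<String>empty();
        };
        AccessToken t = store.getAccessToken("alice", "correct horse".toCharArray(), login).get();
        Map<String, String> headers = Collections.singletonMap("Access_Token", t.id);
        System.out.println("valid:          " + store.checkAccessToken(tokenIdFromHeaders(headers)).isPresent());
        now[0] = now[0].plusSeconds(601);                             // idle longer than maxIdleTime
        System.out.println("after idle:     " + store.checkAccessToken(t.id).isPresent());
        System.out.println("wrong password: " + store.getAccessToken("alice", "x".toCharArray(), login).isPresent());
    }
}
```

The identifier alone is what checkAccessToken trusts, which is exactly why this page wants it carried in a header over HTTPS rather than in a GET URL: anything that records request URLs (proxies, access logs, browser history) would otherwise record a usable credential.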
Single sign on
We would support a single sign-on/sign-out workflow. This makes sense for security reasons (and it may be useful for the r-card solution).
Authentication with OpenId, X509Certificate, ...
To support a new authentication type we have to add just one method: getAccessToken(new credential data).
JAX-RS API
it's in progress.
Resources
it's in progress.
MCard
PCard
CardHistory
CardCategory
CardCredential
UseAlways
UserProfile
WADL
Serializable formats
XML(application/xml)
JSON(application/json)
Google protobuf (application/x-protobuf)
http://code.google.com/p/protobuf/
X3 (application/x3)
JAX-WS API
it'll be soon.
WSDL
Serializable formats
SOAP (application/soap+xml)
Sequences
Synchronize card
Synchronize card history
Synchronize card category
Synchronize user profile
Phase 3
This phase is about adapting the AIR Selector to the new architecture.