(Migrated) Combining TLS auth and other

(This message has been automatically imported from the retired mailing list)

Is it possible to combine TLS (client certificate) authentication with
another one, like HTTP Basic or WSS? If so, I can’t see how to do this
in the UI.

In general: I wonder if these layers could be stacked in the same way as
WSGI middleware. Things like:

  • authentication and authorization
  • SOAP decoding/response encoding/fault reporting
  • logging

Then for example you could apply SOAP decoding and WSS authentication to
messages received over AMQP.

A similar stack could be applied for outgoing channels too. (At the
moment I have a requirement to make an outgoing channel with both TLS
client cert and WSS authentication)

Regards,

Brian.

On 10/04/15 12:00, Brian Candler wrote:

> Is it possible to combine TLS (client certificate) authentication with
> another one, like HTTP Basic or WSS? If so, I can’t see how to do this
> in the UI.

Currently this isn’t possible - there is a 1:N rather than N:N relation
between security definitions and their users (HTTP/SOAP).

> In general: I wonder if these layers could be stacked in the same way
> as WSGI middleware. Things like:
>
>   • authentication and authorization
>   • SOAP decoding/response encoding/fault reporting
>   • logging
>
> Then for example you could apply SOAP decoding and WSS authentication
> to messages received over AMQP.

This is a couple of separate tasks (SOAP processing vs. auth) but yes,
it sounds like a good idea. It would need a major overhaul though so I
will open a couple of tickets on GH but again, the work won’t begin
without contributions or sponsorship.

I’m also not sure what you mean about logging - how do you mean stacking
it like in WSGI?

> A similar stack could be applied for outgoing channels too. (At the
> moment I have a requirement to make an outgoing channel with both TLS
> client cert and WSS authentication)

I see - without the changes above this won’t be possible to achieve from
the GUI alone.

It will be most convenient to produce the SOAP message in an adapter
service and have the GUI configure TLS but the GUI won’t stack both auth
mechanisms.
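
The WSGI-style stacking raised in this thread, sketched as an added example (not code from the thread or from the project): two independent middleware layers, so a request must pass both the client-certificate check and HTTP Basic. The class names, sample credentials, and the `SSL_CLIENT_VERIFY` / `SSL_CLIENT_S_DN` environ keys (mod_ssl-style names, assumed to be set by the TLS-terminating front end) are assumptions.

```python
import base64
import hmac

# Constructed sample data: allowed certificate subject and Basic credentials.
ALLOWED_DN = "CN=client1,O=Example"
USERS = {"brian": "s3cret"}

def deny(start_response, status, headers=()):
    start_response(status, [("Content-Type", "text/plain"), *headers])
    return [status.encode()]

class RequireClientCert:
    """Layer 1: rely on the front end's TLS client-certificate verification."""
    def __init__(self, app, allowed_dn):
        self.app, self.allowed_dn = app, allowed_dn

    def __call__(self, environ, start_response):
        # Assumption: the TLS terminator sets these keys itself. They are not
        # HTTP_* keys, so a request header cannot populate them.
        ok = environ.get("SSL_CLIENT_VERIFY") == "SUCCESS"
        if not ok or environ.get("SSL_CLIENT_S_DN") != self.allowed_dn:
            return deny(start_response, "403 Forbidden")
        return self.app(environ, start_response)

class RequireBasicAuth:
    """Layer 2: HTTP Basic, reached only if the outer layer passed."""
    def __init__(self, app, users):
        self.app, self.users = app, users

    def __call__(self, environ, start_response):
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        try:
            user, _, pw = base64.b64decode(token, validate=True).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 bytes
            user, pw = "", ""
        expected = self.users.get(user)
        if (scheme.lower() != "basic" or expected is None
                or not hmac.compare_digest(pw.encode(), expected.encode())):
            return deny(start_response, "401 Unauthorized",
                        [("WWW-Authenticate", 'Basic realm="api"')])
        environ["REMOTE_USER"] = user
        return self.app(environ, start_response)

def service(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + environ["REMOTE_USER"].encode()]

# Both checks must pass: the certificate layer wraps the Basic layer.
app = RequireClientCert(RequireBasicAuth(service, USERS), ALLOWED_DN)
```

The order of wrapping decides which failure a caller sees first: here a request without a verified certificate gets 403 before its Basic credentials are ever parsed.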