Posted to users@cxf.apache.org by Ja kub <jj...@gmail.com> on 2013/07/11 00:00:35 UTC

spring security and cxf - how to do soap fault instead of html 403

Hallo

Do you know if there is any out-of-the-box solution to send a soap fault when
authentication to a web service fails (auth is with client cert over ssl)?

Now I get a regular html page, but I would prefer to get a soap fault.

Is there any integration of cxf with spring security?
Does cxf standalone provide client cert authentication?

I can give up spring security and validate manually, and throw an exception,
but probably this is not an elegant solution.

Regards
Jakub

Re: spring security and cxf - how to do soap fault instead of html 403

Posted by Ja kub <jj...@gmail.com>.
Sergey,
I will do so, thx for help.
BR,
Jakub


On Thu, Jul 11, 2013 at 12:26 PM, Sergey Beryozkin <sb...@gmail.com> wrote:

> Hi
>
> On 11/07/13 10:59, Ja kub wrote:
>
>> Hi Sergey,
>>
>> Thx for response.
>>
>> Sorry I haven't written before, but I run cxf on tomcat, as servlet, this
>> changes situation:
>>     <servlet>
>>         <servlet-name>cxf</servlet-name>
>>         <display-name>cxf</display-name>
>>         <description>Apache CXF Endpoint</description>
>>         <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
>>         <load-on-startup>1</load-on-startup>
>>         <async-supported>true</async-supported>
>>     </servlet>
>>
>> so above config will probably not work (it's for jetty).
>>
>> First I thought I can somehow do this authorization with spring-security,
>> and display soap fault on auth error.
>> To be able to do it in interceptor I can not use spring-security for
>> authorization. Possibly in such case, when I do authorization manually, it
>> will be enough to throw RuntimeException from authorization method, and cxf
>> will generate usual soap fault (I guess it will).
>> This will go with http 200 status, I guess. Maybe it will be sufficient.
>> Your solution would be nicer, because it could go with 403 http status.
>>
>
> I wonder if we should work on creating a CXF level interceptor, similar to
> JAASLoginInterceptor (works with Basic Auth, etc), to get client certs
> utilized for creating security context and using it with CXF
> SimpleAuthorizingInterceptor
>
> In the meantime - please experiment with somehow intercepting Spring Sec
> reporting 403.
>
> Sergey

Re: spring security and cxf - how to do soap fault instead of html 403

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 11/07/13 10:59, Ja kub wrote:
> Hi Sergey,
>
> Thx for response.
>
> Sorry I haven't written before, but I run cxf on tomcat, as servlet, this
> changes situation:
>     <servlet>
>         <servlet-name>cxf</servlet-name>
>         <display-name>cxf</display-name>
>         <description>Apache CXF Endpoint</description>
>         <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
>         <load-on-startup>1</load-on-startup>
>         <async-supported>true</async-supported>
>     </servlet>
>
> so above config will probably not work (it's for jetty).
>
> First I thought I can somehow do this authorization with spring-security,
> and display soap fault on auth error.
> To be able to do it in interceptor I can not use spring-security for
> authorization. Possibly in such case, when I do authorization manually, it
> will be enough to throw RuntimeException from authorization method, and cxf
> will generate usual soap fault (I guess it will).
> This will go with http 200 status, I guess. Maybe it will be sufficient.
> Your solution would be nicer, because it could go with 403 http status.

I wonder if we should work on creating a CXF level interceptor, similar 
to JAASLoginInterceptor (works with Basic Auth, etc), to get client 
certs utilized for creating security context and using it with CXF 
SimpleAuthorizingInterceptor

In the meantime - please experiment with somehow intercepting Spring Sec
reporting 403.

Sergey


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: spring security and cxf - how to do soap fault instead of html 403

Posted by Ja kub <jj...@gmail.com>.
Hi Sergey,

Thx for response.

Sorry I haven't written before, but I run cxf on tomcat, as servlet, this
changes situation:
    <servlet>
        <servlet-name>cxf</servlet-name>
        <display-name>cxf</display-name>
        <description>Apache CXF Endpoint</description>
        <servlet-class>org.apache.cxf.transport.servlet.CXFServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
        <async-supported>true</async-supported>
    </servlet>

so above config will probably not work (it's for jetty).

First I thought I can somehow do this authorization with spring-security,
and display soap fault on auth error.
To be able to do it in interceptor I can not use spring-security for
authorization. Possibly in such case, when I do authorization manually, it
will be enough to throw RuntimeException from authorization method, and cxf
will generate usual soap fault (I guess it will).
This will go with http 200 status, I guess. Maybe it will be sufficient.
Your solution would be nicer, because it could go with 403 http status.

Thx again for response.

BR,
Jakub




On Thu, Jul 11, 2013 at 11:37 AM, Sergey Beryozkin <sb...@gmail.com> wrote:

> Hi
>
> On 10/07/13 23:00, Ja kub wrote:
>
>> Hallo
>>
>> Do you know if there is any out of the box solution to send soap fault
>> when
>> authentication to web service fails (auth is with client cert over ssl)?
>>
>> Now I get regular html page, but I would prefer to get soap fault.
>>
>
> I think you can register a Fault out interceptor in
> jaxws:outFaultInterceptors, this interceptor will write a soap fault
> directly:
>
> public class CustomOutFaultInterceptor extends AbstractPhaseInterceptor<Message> {
>     public CustomOutFaultInterceptor() {
>         super(Phase.PRE_STREAM);
>     }
>
>     public void handleMessage(Message message) throws Fault {
>         Exception ex = message.getContent(Exception.class);
>         // check the exception
>
>         HttpServletResponse response = (HttpServletResponse) message.getExchange()
>             .getInMessage().get(AbstractHTTPDestination.HTTP_RESPONSE);
>
>         // write to response directly
>     }
> }
>
> CXF may have utilities for generating SoapFaults, I guess it is a simple
> DOM in case of 403
>
>> Is there any integration of cxf with spring security ?
>> Does cxf standalone provide client cert authentication ?
>>
>
> Have look at this configuration example (I copied it from one of
> ws-security tests):
> http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml
>
> Note, the client certs then will also be available as Message properties,
> here is how you can get to them:
>
> private Certificate[] getTLSCertificates(Message message) {
>     TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
>     return tlsInfo != null ? tlsInfo.getPeerCertificates() : null;
> }
>
>> I can give up spring security and validate manually, and throw exception,
>> but probably this is not an elegant solution.
>>
>
> HTH, Sergey
>
>> Regards
>> Jakub
>>
>
> --
> Sergey Beryozkin
>
> Talend Community Coders
> http://coders.talend.com/
>
> Blog: http://sberyozkin.blogspot.com
>

Re: spring security and cxf - how to do soap fault instead of html 403

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 10/07/13 23:00, Ja kub wrote:
> Hallo
>
> Do you know if there is any out of the box solution to send soap fault when
> authentication to web service fails (auth is with client cert over ssl)?
>
> Now I get regular html page, but I would prefer to get soap fault.

I think you can register a Fault out interceptor in 
jaxws:outFaultInterceptors, this interceptor will write a soap fault 
directly:

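import javax.servlet.http.HttpServletResponse;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.transport.http.AbstractHTTPDestination;

public class CustomOutFaultInterceptor extends AbstractPhaseInterceptor<Message> {
    public CustomOutFaultInterceptor() {
        // the phase is registered through the superclass constructor
        super(Phase.PRE_STREAM);
    }

    public void handleMessage(Message message) throws Fault {
        // the exception that put the exchange on the fault chain
        Exception ex = message.getContent(Exception.class);
        // check the exception

        // the servlet response is stored on the inbound message of the exchange
        HttpServletResponse response = (HttpServletResponse) message.getExchange()
            .getInMessage().get(AbstractHTTPDestination.HTTP_RESPONSE);

        // write to response directly
    }
}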

CXF may have utilities for generating SoapFaults, I guess it is a simple 
DOM in case of 403

>
> Is there any integration of cxf with spring security ?
> Does cxf standalone provide client cert authentication ?
>

Have a look at this configuration example (I copied it from one of
ws-security tests):
http://svn.apache.org/repos/asf/cxf/trunk/systests/rs-security/src/test/java/org/apache/cxf/systest/jaxrs/security/xml/server.xml

Note, the client certs then will also be available as Message 
properties, here is how you can get to them:

private Certificate[] getTLSCertificates(Message message) {
    TLSSessionInfo tlsInfo = message.get(TLSSessionInfo.class);
    return tlsInfo != null ? tlsInfo.getPeerCertificates() : null;
}

> I can give up spring security and validate manually, and throw exception,
> but probably this is not an elegant solution.
>

HTH, Sergey

> Regards
> Jakub
>


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
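
Added example, not part of the thread and not CXF project code: one way to take the manual-validation route discussed above and still answer with a SOAP fault carrying HTTP 403, by reading the client certificate from TLSSessionInfo in an in-interceptor. The class name and the allow-list of subject DNs are hypothetical; it assumes the TLS layer (here the Tomcat connector) has already validated the certificate chain, that Spring Security is not rejecting the request before CXF sees it, and a CXF version whose Fault class offers setStatusCode.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;

import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;

/** Hypothetical interceptor: authorizes the caller by client certificate subject. */
public class ClientCertAuthorizingInterceptor extends AbstractSoapInterceptor {

    // Assumption: allow-list of subject DNs in RFC 2253 form, supplied by configuration.
    private final Set<String> allowedSubjects;

    public ClientCertAuthorizingInterceptor(Set<String> allowedSubjects) {
        super(Phase.PRE_INVOKE); // run before the service method is invoked
        this.allowedSubjects = allowedSubjects;
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        // Same lookup as getTLSCertificates() in the thread.
        TLSSessionInfo tls = message.get(TLSSessionInfo.class);
        Certificate[] chain = tls != null ? tls.getPeerCertificates() : null;

        // No TLS session or no client certificate: fail closed.
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw deny(message, "Client certificate required");
        }

        // chain[0] is the peer's own certificate; compare its subject to the allow-list.
        String subject = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        if (!allowedSubjects.contains(subject)) {
            throw deny(message, "Client certificate not authorized");
        }
    }

    // Builds a Sender/Client fault for the SOAP version in use and asks for HTTP 403.
    // The reason text is deliberately generic so the fault does not echo certificate details.
    private SoapFault deny(SoapMessage message, String reason) {
        SoapFault fault = new SoapFault(reason, message.getVersion().getSender());
        fault.setStatusCode(403);
        return fault;
    }
}
```

Registered under jaxws:inInterceptors on the endpoint, this only decides who may call the service; trust in the certificate itself still comes from the connector's truststore validation.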