Posted to users@servicemix.apache.org by vinh <vi...@faa.gov> on 2010/06/29 15:10:16 UTC

How to access username principle in a cxf-se with ws-security?


I finally got WS-Security working with the CXF-BC & CXF-SE combination. I'm
now trying to access the username from the SOAP header in the SE to check
permission and ownership of the user calling an operation, but there seems to
be no way of doing that. I know that once a message gets passed from the BC
to the SE, it just takes the SOAP body and wraps it in a JBI msg. Is there
any way to stuff the SOAP header in the JBI msg, or have the BC truly forward
the SOAP msg as it has received it? I've tried to disable the JBIwrapper on
the BC and SE; while it sends the message as SOAP, it only sends the body of
the original msg sans header.

I'm not sure why this is so hard and complex to do on the BC/SE, since
it was relatively easy to do with JAXWS.

Thanks
Vinh
-- 
View this message in context: http://servicemix.396122.n5.nabble.com/How-to-access-username-principle-in-a-cxf-se-with-ws-security-tp511856p511856.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.

Re: How to access username principle in a cxf-se with ws-security?

Posted by vinh <vi...@faa.gov>.
Thank you, it works.

Vinh 

Re: How to access username principle in a cxf-se with ws-security?

Posted by Freeman Fang <fr...@gmail.com>.
Hi,

You can put the interceptors which you want to share across different
SUs in a jar, then in the SUs you can refer to it with
<classpath>
....
</classpath>

Take a look at [1] to get more details.

[1]http://servicemix.apache.org/classloaders.html
Freeman
On 2010-6-30, at 4:27 PM, Akitoshi Yoshida wrote:

> Hi Freeman,
> I have a related question here, namely how we can package the
> extension classes for this scenario.
> If you have your own CXF interceptors or feature implementation and
> you want to use them for several endpoints, where can you put these
> classes? Do you need to write your own binding component and put them
> in that component or is there any other way (e.g. by making the
> standard cxf-bc component aware of these classes somehow)?
>
> Thanks.
> Aki


-- 
Freeman Fang
------------------------
Open Source SOA: http://fusesource.com


Re: How to access username principle in a cxf-se with ws-security?

Posted by Akitoshi Yoshida <sa...@googlemail.com>.
Hi Freeman,
I have a related question here, namely how we can package the
extension classes for this scenario.
If you have your own CXF interceptors or feature implementation and
you want to use them for several endpoints, where can you put these
classes? Do you need to write your own binding component and put them
in that component or is there any other way (e.g. by making the
standard cxf-bc component aware of these classes somehow)?

Thanks.
Aki

On Tue, Jun 29, 2010 at 4:16 PM, Freeman Fang <fr...@gmail.com> wrote:
> Hi,
>
> My comment inline
> On 2010-6-29, at 9:10 PM, vinh wrote:
>
>>
>>
>> I finally got WS-Security working with the CXF-BC & CXF-SE combination.
>> I'm now trying to access the username from the SOAP header in the SE to
>> check permission and ownership of the user calling an operation, but there
>> seems to be no way of doing that. I know that once a message gets passed
>> from the BC to the SE, it just takes the SOAP body and wraps it in a JBI
>> msg. Is there any way to stuff the SOAP header in the JBI msg, or have the
>> BC truly forward the SOAP msg as it has received it? I've tried to disable
>> the JBIwrapper on the BC and SE; while it sends the message as SOAP, it
>> only sends the body of the original msg sans header.
>
> Actually, we save SOAP headers into JBI NormalizedMessage properties with
> the key "javax.jbi.messaging.protocol.headers", but we exclude the
> WS-Security SOAP headers as they use Sun's SAAJ impl, which uses an
> ElementImpl that has a field without implementing the Serializable
> interface; it will cause java.io.NotSerializableException when we try to
> serialize the JBI message (it will happen when you use the JMS flow). And
> this security header generally isn't necessary inside the JBI container,
> since we have already delegated the AA to the smx JAAS service at this stage.
>
> If you still want to use the username in the cxf se endpoint yourself, you
> can write your own interceptor (you can take a look at JbiJAASInterceptor[1]
> to get an idea of how to extract the username token from the wss4j SOAP
> headers) for the cxfbc consumer endpoint to set the username as a JBI
> NormalizedMessage property, let's say, with the key "USERNAME".
>
> Then in the cxf se endpoint pojo class, you can extract the username with
> code like
>
>     javax.xml.ws.handler.MessageContext ctx = wsContext.getMessageContext();
>     org.apache.cxf.message.Message message =
>         ((org.apache.cxf.jaxws.context.WrappedMessageContext) ctx).getWrappedMessage();
>     String username = (String) message.get("USERNAME");
>
> Your cxf se pojo class needs a resource injection like
>
>     @Resource
>     private WebServiceContext wsContext;
>
> Hope this helps.
> [1]https://svn.apache.org/repos/asf/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/main/java/org/apache/servicemix/cxfbc/interceptors/JbiJAASInterceptor.java
>
> Freeman
>>
>> I'm not sure why this is so hard and complex to do on the BC/SE, since
>> it was relatively easy to do with JAXWS.
>>
>> Thanks
>> Vinh
>> --
>> View this message in context:
>> http://servicemix.396122.n5.nabble.com/How-to-access-username-principle-in-a-cxf-se-with-ws-security-tp511856p511856.html
>> Sent from the ServiceMix - User mailing list archive at Nabble.com.
>
>
> --
> Freeman Fang
> ------------------------
> Open Source SOA: http://fusesource.com
>
>

Re: How to access username principle in a cxf-se with ws-security?

Posted by Freeman Fang <fr...@gmail.com>.
Hi,

My comment inline
On 2010-6-29, at 9:10 PM, vinh wrote:

>
>
> I finally got WS-Security working with the CXF-BC & CXF-SE combination.
> I'm now trying to access the username from the SOAP header in the SE to
> check permission and ownership of the user calling an operation, but there
> seems to be no way of doing that. I know that once a message gets passed
> from the BC to the SE, it just takes the SOAP body and wraps it in a JBI
> msg. Is there any way to stuff the SOAP header in the JBI msg, or have the
> BC truly forward the SOAP msg as it has received it? I've tried to disable
> the JBIwrapper on the BC and SE; while it sends the message as SOAP, it
> only sends the body of the original msg sans header.

Actually, we save SOAP headers into JBI NormalizedMessage properties with
the key "javax.jbi.messaging.protocol.headers", but we exclude the
WS-Security SOAP headers as they use Sun's SAAJ impl, which uses an
ElementImpl that has a field without implementing the Serializable
interface; it will cause java.io.NotSerializableException when we try to
serialize the JBI message (it will happen when you use the JMS flow). And
this security header generally isn't necessary inside the JBI container,
since we have already delegated the AA to the smx JAAS service at this stage.

If you still want to use the username in the cxf se endpoint yourself, you
can write your own interceptor (you can take a look at JbiJAASInterceptor[1]
to get an idea of how to extract the username token from the wss4j SOAP
headers) for the cxfbc consumer endpoint to set the username as a JBI
NormalizedMessage property, let's say, with the key "USERNAME".

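Then in the cxf se endpoint pojo class, you can extract the username with
code like

    // Unwrap the JAX-WS context to reach the underlying CXF message
    javax.xml.ws.handler.MessageContext ctx = wsContext.getMessageContext();
    org.apache.cxf.message.Message message =
        ((org.apache.cxf.jaxws.context.WrappedMessageContext) ctx).getWrappedMessage();
    // Property set by the interceptor on the cxfbc consumer endpoint
    String username = (String) message.get("USERNAME");

Your cxf se pojo class needs a resource injection like

    // import javax.annotation.Resource;
    // import javax.xml.ws.WebServiceContext;
    @Resource
    private WebServiceContext wsContext;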

Hope this helps.
[1]https://svn.apache.org/repos/asf/servicemix/components/bindings/servicemix-cxf-bc/trunk/src/main/java/org/apache/servicemix/cxfbc/interceptors/JbiJAASInterceptor.java

Freeman
>
> I'm not sure why this is so hard and complex to do on the BC/SE, since
> it was relatively easy to do with JAXWS.
>
> Thanks
> Vinh
> -- 
> View this message in context: http://servicemix.396122.n5.nabble.com/How-to-access-username-principle-in-a-cxf-se-with-ws-security-tp511856p511856.html
> Sent from the ServiceMix - User mailing list archive at Nabble.com.


-- 
Freeman Fang
------------------------
Open Source SOA: http://fusesource.com
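
An interceptor of the kind described in the reply above, as an added example (not code from the thread or from ServiceMix): it copies the username that WSS4J has already validated into the NormalizedMessage under the key "USERNAME". The class name is hypothetical, and the example assumes the WSS4J 1.x API (org.apache.ws.security packages) and that cxf-bc's JbiInInterceptor has registered the NormalizedMessage as message content before this interceptor runs; check both against your versions.

```java
import java.util.List;
import javax.jbi.messaging.NormalizedMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.WSUsernameTokenPrincipal;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;

/** Hypothetical in-interceptor for a cxf-bc consumer endpoint. */
public class UsernamePropertyInterceptor extends AbstractPhaseInterceptor<Message> {
    public static final String USERNAME_KEY = "USERNAME"; // key suggested in the thread

    public UsernamePropertyInterceptor() {
        super(Phase.PRE_INVOKE); // after WSS4J has validated the header (PRE_PROTOCOL)
        // Assumption: cxf-bc's JbiInInterceptor creates the NormalizedMessage.
        addAfter("org.apache.servicemix.cxfbc.interceptors.JbiInInterceptor");
    }

    public void handleMessage(Message message) throws Fault {
        // Assumption: the NormalizedMessage is registered as message content.
        NormalizedMessage nm = message.getContent(NormalizedMessage.class);
        String name = validatedUsername(message);
        if (nm != null && name != null) {
            nm.setProperty(USERNAME_KEY, name); // a plain String, so it serializes
        }
    }

    /** Returns the name from WSS4J's processing results, never from raw XML. */
    static String validatedUsername(Message message) {
        List<?> handlerResults = (List<?>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (handlerResults == null) {
            return null; // no WS-Security header was processed
        }
        for (Object h : handlerResults) {
            List<?> engineResults = ((WSHandlerResult) h).getResults();
            if (engineResults == null) continue;
            for (Object r : engineResults) {
                Object p = ((WSSecurityEngineResult) r).get(WSSecurityEngineResult.TAG_PRINCIPAL);
                if (p instanceof WSUsernameTokenPrincipal) {
                    return ((WSUsernameTokenPrincipal) p).getName();
                }
            }
        }
        return null;
    }
}
```

Because the property is only set from WSS4J's own results, the SE's permission check relies on a username that passed token validation at the BC rather than on anything parsed from the request body.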