Posted to users@cxf.apache.org by Andrei Shakirin <as...@talend.com> on 2014/01/10 12:36:02 UTC

RE: CXF - JAAS

Hi,

> -----Original Message-----
> From: bcrafa@gmail.com [mailto:bcrafa@gmail.com]
> Sent: Thursday, 9 January 2014 14:48
> To: Andrei Shakirin
> Subject: CXF - JAAS
> 
> Hi Andrei,
> 
> Thank you very much for your answer to my post on the CXF mail list.
> 
> I've read all related documentation and I think I understand the general
> ideas.
> 
> At this point my problem is lack of knowledge in CXF but also in JAAS so I feel I
> need additional suggestions on how to finish the link between those two.
> 
> I mean ... CXF JAASLoginInterceptor will expect UsernameToken or
> AuthorizationPolicy in the message and

Yes, basically HTTP basic authentication credentials will be available via AuthorizationPolicy.class (stored in the message at the transport level).
UsernameToken is SOAP-specific and, I guess, not interesting for your JAXRS case.

> LoginContext/NamePasswordCallbackHandler would require some resource
> to check the credentials with.

NamePasswordCallbackHandler implements the standard JAAS CallbackHandler interface and initializes the JAAS password and name callbacks with the received user/password.
After that, the code:

    LoginContext ctx = new LoginContext(getContextName(), null, handler, loginConfig);
    ctx.login();

invokes the configured JAAS login modules for the specified context. Login modules can validate username/password using LDAP, Kerberos, SQL DB, etc.
See JAAS links for details on how to configure JAAS and implement login modules: http://www.javaranch.com/journal/2008/04/authentication-using-JAAS.html .
This approach is very useful if your container already supports JAAS and has its own login modules (Karaf, JEE application server, Spring), but you can also implement that in a plain Java application.

> 
> I do not have a clear idea about how to set up those elements.
> 

Using JAAS is the standard approach, but perhaps in your use case it is enough just to validate username/password and roles using SimpleAuthorizingFilter.
See https://svn.apache.org/repos/asf/cxf/trunk/rt/frontend/jaxrs/src/main/java/org/apache/cxf/jaxrs/security/SimpleAuthorizingFilter.java and the system test https://svn.apache.org/repos/asf/cxf/trunk/systests/jaxrs/src/test/java/org/apache/cxf/systest/jaxrs/security/JAXRSSimpleSecurityTest.java for details.

You could also implement your own ContainerRequestFilter (JAXRS 2.0, CXF 3.0.0) or RequestHandler (JAXRS 1.1, CXF 2.7.X) and validate credentials there; the decision depends on your use case.

> Again thank you for your help.

You're welcome.

> 
> Best regards,
> 
> Rafael B.C.
> 

Regards,
Andrei.



RE: CXF - JAAS

Posted by blacar <bc...@gmail.com>.
In the end I was able to set this up thanks to your advice and some Google.

I used JAAS and CXF JAASAuthenticationFilter.
To not overcomplicate things I've used BASIC authentication using a property
file to store credentials in plain text.

The only point here is to be aware to Base64-encode the username:password
and send it in the Authorization header. Then AuthorizationPolicy is
correctly instantiated and NamePasswordCallbackHandler is called.

The other point was to link all this with the Jetty server ... it took me a
while, but in the end it was very easy since the only thing I have to do is set a
system property "java.security.auth.login.config" pointing to my JAAS login
config file where I declared the login modules I need.


