Posted to users@cxf.apache.org by John-M Baker <jo...@db.com> on 2008/06/27 17:24:47 UTC

CXF and Acegisecurity

Are there any docs specifically on implementing CXF REST with
Acegisecurity? Google didn't return anything obvious. A simple example
showing how to secure a couple of methods would be handy.

Thanks,


John Baker
-- 
Web SSO 
IT Infrastructure 
Deutsche Bank London

URL:  http://websso.cto.gt.intranet.db.com


---

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Please refer to http://www.db.com/en/content/eu_disclosures.htm for additional EU corporate and regulatory disclosures.

Re: CXF and Acegisecurity

Posted by Sergey Beryozkin <se...@iona.com>.
Hi

I'm actually not very familiar with how the CXF WS-Security implementation works, let's see if someone from the security experts can
comment on this particular issue.

Cheers, Sergey

> Sergey,
>
> So far I've concluded that the CallbackHandler has to populate the Spring
> Security SecurityContext, such as (exclude the hacked up code):
>
> // Imports assume the Spring Security 2.0.x and WSS4J 1.5.x package names
> import java.io.IOException;
>
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.UnsupportedCallbackException;
>
> import org.apache.ws.security.WSPasswordCallback;
> import org.springframework.security.GrantedAuthority;
> import org.springframework.security.GrantedAuthorityImpl;
> import org.springframework.security.context.SecurityContextHolder;
> import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
>
> public class PasswordCallbackHandler
>   implements CallbackHandler
> {
>   public void handle(Callback[] arg0)
>      throws IOException, UnsupportedCallbackException
>   {
>      for (Callback callback : arg0)
>      {
>         if (callback instanceof WSPasswordCallback)
>         {
>            WSPasswordCallback passwordCallback = (WSPasswordCallback) callback;
>
>            // validUser(...) is the poster's own check and is not shown here
>            if (validUser(passwordCallback))
>            {
>              // Register with Spring Security so annotated methods (@RolesAllowed)
>              // will allow appropriate users.  There must be a nice way of doing
>              // this through the Spring context files!
>              SecurityContextHolder.getContext().setAuthentication(
>                    new UsernamePasswordAuthenticationToken(
>                          passwordCallback.getIdentifer(),
>                          passwordCallback.getPassword(),
>                          new GrantedAuthority[] {
>                             new GrantedAuthorityImpl("ADMIN") } ));
>
>              return;
>            }
>         }
>      }
>
>      throw new RuntimeException("Invalid user");
>   }
> }
>
> The WS method can then be annotated with @RolesAllowed({"ADMIN"}).
>
> But this isn't very clean; however, given WS Security doesn't provide any
> roles, what else can be done?   It would be nice to put the above into
> Spring though so the user & role ("GrantedAuthority") mappings can be
> defined in XML.  Is there something for this already?

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland

Re: CXF and Acegisecurity

Posted by Daniel Kulp <dk...@apache.org>.
How are you validating the username/password?   (your validUser  
method)   Shouldn't the configuration for that information also  
include the roles that the users are in?

Dan



On Jul 1, 2008, at 7:57 AM, John-M Baker wrote:

> Sergey,
>
> So far I've concluded that the CallbackHandler has to populate the Spring
> Security SecurityContext, such as (exclude the hacked up code):
>
> // Imports assume the Spring Security 2.0.x and WSS4J 1.5.x package names
> import java.io.IOException;
>
> import javax.security.auth.callback.Callback;
> import javax.security.auth.callback.CallbackHandler;
> import javax.security.auth.callback.UnsupportedCallbackException;
>
> import org.apache.ws.security.WSPasswordCallback;
> import org.springframework.security.GrantedAuthority;
> import org.springframework.security.GrantedAuthorityImpl;
> import org.springframework.security.context.SecurityContextHolder;
> import org.springframework.security.providers.UsernamePasswordAuthenticationToken;
>
> public class PasswordCallbackHandler
>   implements CallbackHandler
> {
>   public void handle(Callback[] arg0)
>      throws IOException, UnsupportedCallbackException
>   {
>      for (Callback callback : arg0)
>      {
>         if (callback instanceof WSPasswordCallback)
>         {
>            WSPasswordCallback passwordCallback = (WSPasswordCallback) callback;
>
>            // validUser(...) is the poster's own check and is not shown here
>            if (validUser(passwordCallback))
>            {
>              // Register with Spring Security so annotated methods (@RolesAllowed)
>              // will allow appropriate users.  There must be a nice way of doing
>              // this through the Spring context files!
>              SecurityContextHolder.getContext().setAuthentication(
>                    new UsernamePasswordAuthenticationToken(
>                          passwordCallback.getIdentifer(),
>                          passwordCallback.getPassword(),
>                          new GrantedAuthority[] {
>                             new GrantedAuthorityImpl("ADMIN") } ));
>
>              return;
>            }
>         }
>      }
>
>      throw new RuntimeException("Invalid user");
>   }
> }
>
> The WS method can then be annotated with @RolesAllowed({"ADMIN"}).
>
> But this isn't very clean; however, given WS Security doesn't provide any
> roles, what else can be done?   It would be nice to put the above into
> Spring though so the user & role ("GrantedAuthority") mappings can be
> defined in XML.  Is there something for this already?

---
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
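
Added example, not part of the thread and not CXF or Spring code: one way to act on the point raised in this reply, letting a Spring Security AuthenticationManager (whose users and roles are declared in the Spring context) validate the UsernameToken and supply the authorities, instead of hard-coding ADMIN in the handler. The class name is hypothetical; it assumes the Spring Security 2.0.x package names seen in the stack trace in this thread, and WSS4J 1.5.x, where a plaintext UsernameToken is assumed to reach the handler with usage USERNAME_TOKEN_UNKNOWN.

```java
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;
import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationException;
import org.springframework.security.AuthenticationManager;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

/**
 * Hypothetical handler (added example). The AuthenticationManager is injected
 * from the Spring context, so user names, passwords and roles are configured
 * there and the handler itself grants nothing.
 */
public class SpringSecurityPasswordCallbackHandler implements CallbackHandler {

    private final AuthenticationManager authenticationManager;

    public SpringSecurityPasswordCallbackHandler(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void handle(Callback[] callbacks)
            throws IOException, UnsupportedCallbackException {
        // SecurityContextHolder is thread-local by default and container
        // threads are pooled: drop anything a previous request left behind
        // before making a decision for this one.
        SecurityContextHolder.clearContext();

        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback);
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;

            // Assumption (WSS4J 1.5.x): only a plaintext UsernameToken hands
            // the received password to the handler for checking. A digest
            // token would need the stored cleartext password, which an
            // AuthenticationManager does not expose, so it is rejected.
            if (pc.getUsage() != WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                throw new UnsupportedCallbackException(
                        callback, "Only plaintext UsernameToken is supported");
            }

            try {
                // The returned Authentication carries the authorities that
                // the configured provider holds for this user.
                Authentication result = authenticationManager.authenticate(
                        new UsernamePasswordAuthenticationToken(
                                pc.getIdentifer(), pc.getPassword()));
                SecurityContextHolder.getContext().setAuthentication(result);
            } catch (AuthenticationException e) {
                // Fail closed, leave no partial state on the thread, and do
                // not say whether the user name or the password was wrong.
                SecurityContextHolder.clearContext();
                throw new IOException("WS-Security authentication failed");
            }
        }
    }
}
```

The context set here still has to be cleared once the request has finished, since the same thread will later serve other callers.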





Re: CXF and Acegisecurity

Posted by John-M Baker <jo...@db.com>.
Sergey,

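So far I've concluded that the CallbackHandler has to populate the Spring
Security SecurityContext, such as (exclude the hacked up code):

// Imports assume the Spring Security 2.0.x and WSS4J 1.5.x package names
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;
import org.springframework.security.GrantedAuthority;
import org.springframework.security.GrantedAuthorityImpl;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.providers.UsernamePasswordAuthenticationToken;

public class PasswordCallbackHandler
   implements CallbackHandler
{
   public void handle(Callback[] arg0)
      throws IOException, UnsupportedCallbackException
   {
      for (Callback callback : arg0)
      {
         if (callback instanceof WSPasswordCallback)
         {
            WSPasswordCallback passwordCallback = (WSPasswordCallback) callback;

            // validUser(...) is the poster's own check and is not shown here
            if (validUser(passwordCallback))
            {
              // Register with Spring Security so annotated methods (@RolesAllowed)
              // will allow appropriate users.  There must be a nice way of doing
              // this through the Spring context files!
              SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(
                          passwordCallback.getIdentifer(),
                          passwordCallback.getPassword(),
                          new GrantedAuthority[] {
                             new GrantedAuthorityImpl("ADMIN") } ));

              return;
            }
         }
      }

      throw new RuntimeException("Invalid user");
   }
}

The WS method can then be annotated with @RolesAllowed({"ADMIN"}).

But this isn't very clean; however, given WS Security doesn't provide any
roles, what else can be done?   It would be nice to put the above into
Spring though so the user & role ("GrantedAuthority") mappings can be
defined in XML.  Is there something for this already?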


John Baker

Re: CXF and Acegisecurity

Posted by John-M Baker <jo...@db.com>.
Sergey,

The problem seems to lie between enabling WS-Security on CXF (which isn't
a problem) and wiring this into Spring Security.  Look at the following:

Caused by: org.springframework.security.AuthenticationCredentialsNotFoundException: An Authentication object was not found in the SecurityContext
  at org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
  at org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
  at org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
  at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)

That appears after successful authentication with WS-Security, and CXF
trying to invoke a method that's annotated with @RolesAllowed.



John Baker

Re: CXF and Acegisecurity

Posted by John-M Baker <jo...@db.com>.
Sergey,

If using WS-Security with CXF, is it possible to annotate methods that we
want secured?  I.e.

  <!-- Define the application configuration webservice that uses WS-Security -->
  <jaxws:endpoint id="cxf.server.soap.ApplicationConfigurationService"
    implementor="#service.beans.applicationConfiguration"
    address="/soap/applicationConfiguration">
    <jaxws:inInterceptors>
       <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
       <ref bean="cxf.server.wss4jInConfiguration"/>
    </jaxws:inInterceptors>
  </jaxws:endpoint>

This secures all the methods exposed through the
service.beans.applicationConfiguration bean, but if I just want to secure
method X, is it possible?

Creating two separate services seems a little verbose.


John Baker
-- 
Web SSO 
IT Infrastructure 
Deutsche Bank London

URL:  http://websso.cto.gt.intranet.db.com




"Sergey Beryozkin" <se...@iona.com> 
01/07/2008 10:14
Please respond to
users@cxf.apache.org


To
<us...@cxf.apache.org>
cc
<us...@cxf.apache.org>
Subject
Re: CXF and Acegisecurity






Cool, thanks for a link. These links can get added to the wiki.
I hope that in your project, where you combine JAX-RS and JAX-WS in one 
resource class, the single piece of
Spring Security config should suffice, not sure though. let us know please 
how it goes

Cheers, Sergey

----- Original Message ----- 
From: "John-M Baker" <jo...@db.com>
To: <us...@cxf.apache.org>
Cc: <us...@cxf.apache.org>
Sent: Tuesday, July 01, 2008 10:09 AM
Subject: Re: CXF and Acegisecurity


> There's also a good example here:
>
> http://www.jroller.com/habuma/entry/method_level_security_in_spring
>
> I'm currently looking at what is required to wire Spring security into 
the
> WS-Security module!
>
>
> John Baker
> -- 
> Web SSO
> IT Infrastructure
> Deutsche Bank London
>
> URL:  http://websso.cto.gt.intranet.db.com
>
>
>
>
> "Sergey Beryozkin" <se...@iona.com>
> 01/07/2008 10:06
> Please respond to
> users@cxf.apache.org
>
>
> To
> <us...@cxf.apache.org>
> cc
>
> Subject
> Re: CXF and Acegisecurity
>
>
>
>
>
>
> Hi
>
>
>> Are there any docs specifically on implementing CXF REST With
>> Acegisecurity? Google didnt return anything obvious..  A simple example
>> showing how to secure a couple methods would be handy.
>
> have a look here please :
>
> 
http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-method-security

>
>
> It's a Spring Security module which you're after. It should be possible 
to
> use AOP-like expressions to specify what kind of security
> credentials need to be applied to various methods in your resource
> class...
>
> Cheers, Sergey
>
>
>>
>> Thanks,
>>
>>
>> John Baker
>> -- 
>> Web SSO
>> IT Infrastructure
>> Deutsche Bank London
>>
>> URL:  http://websso.cto.gt.intranet.db.com
>>
>>

Re: CXF and Acegisecurity

Posted by Sergey Beryozkin <se...@iona.com>.
Cool, thanks for a link. These links can get added to the wiki.
I hope that in your project, where you combine JAX-RS and JAX-WS in one resource class, the single piece of
Spring Security config should suffice, not sure though. Let us know please how it goes.

Cheers, Sergey

----- Original Message ----- 
From: "John-M Baker" <jo...@db.com>
To: <us...@cxf.apache.org>
Cc: <us...@cxf.apache.org>
Sent: Tuesday, July 01, 2008 10:09 AM
Subject: Re: CXF and Acegisecurity


> There's also a good example here:
>
> http://www.jroller.com/habuma/entry/method_level_security_in_spring
>
> I'm currently looking at what is required to wire Spring security into the
> WS-Security module!
>
>
> John Baker
> -- 
> Web SSO
> IT Infrastructure
> Deutsche Bank London
>
> URL:  http://websso.cto.gt.intranet.db.com
>
>
>
>
> "Sergey Beryozkin" <se...@iona.com>
> 01/07/2008 10:06
> Please respond to users@cxf.apache.org
>
> To: <us...@cxf.apache.org>
> cc:
> Subject: Re: CXF and Acegisecurity
>
> Hi
>
>
>> Are there any docs specifically on implementing CXF REST With
>> Acegisecurity? Google didn't return anything obvious..  A simple example
>> showing how to secure a couple methods would be handy.
>
> have a look here please :
>
> http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-method-security
>
>
> It's a Spring Security module which you're after. It should be possible to
> use AOP-like expressions to specify what kind of security
> credentials need to be applied to various methods in your resource
> class...
>
> Cheers, Sergey
>
>
>>
>> Thanks,
>>
>>
>> John Baker
>> -- 
>> Web SSO
>> IT Infrastructure
>> Deutsche Bank London
>>
>> URL:  http://websso.cto.gt.intranet.db.com
>>
>>

Re: CXF and Acegisecurity

Posted by John-M Baker <jo...@db.com>.
There's also a good example here:

http://www.jroller.com/habuma/entry/method_level_security_in_spring

I'm currently looking at what is required to wire Spring security into the 
WS-Security module!


John Baker
-- 
Web SSO 
IT Infrastructure 
Deutsche Bank London

URL:  http://websso.cto.gt.intranet.db.com




"Sergey Beryozkin" <se...@iona.com> 
01/07/2008 10:06
Please respond to users@cxf.apache.org

To: <us...@cxf.apache.org>
cc:
Subject: Re: CXF and Acegisecurity

Hi


> Are there any docs specifically on implementing CXF REST With
> Acegisecurity? Google didn't return anything obvious..  A simple example
> showing how to secure a couple methods would be handy.

have a look here please :

http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-method-security


It's a Spring Security module which you're after. It should be possible to 
use AOP-like expressions to specify what kind of security 
credentials need to be applied to various methods in your resource 
class...

Cheers, Sergey


>
> Thanks,
>
>
> John Baker
> -- 
> Web SSO
> IT Infrastructure
> Deutsche Bank London
>
> URL:  http://websso.cto.gt.intranet.db.com
>
>

Re: CXF and Acegisecurity

Posted by Sergey Beryozkin <se...@iona.com>.
Hi


> Are there any docs specifically on implementing CXF REST With
> Acegisecurity? Google didn't return anything obvious..  A simple example
> showing how to secure a couple methods would be handy.

have a look here please :

http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-method-security

It's a Spring Security module which you're after. It should be possible to use AOP-like expressions to specify what kind of security 
credentials need to be applied to various methods in your resource class...

Cheers, Sergey


>
> Thanks,
>
>
> John Baker
> -- 
> Web SSO
> IT Infrastructure
> Deutsche Bank London
>
> URL:  http://websso.cto.gt.intranet.db.com
>
>

RE: CXF and Acegisecurity

Posted by John-M Baker <jo...@db.com>.
Annotations do seem to be the answer, given a URL based approach works
well for REST but not Webservices, and I'd like to expose the same bean
through both.


John Baker
-- 
Web SSO 
IT Infrastructure 
Deutsche Bank London

URL:  http://websso.cto.gt.intranet.db.com




"Arundel, Donal" <do...@iona.com> 
30/06/2008 16:57
Please respond to users@cxf.apache.org

To: <us...@cxf.apache.org>
cc:
Subject: RE: CXF and Acegisecurity

Maybe have a look at the ACEGI docs on ACL annotations if you want
method level access control, to allow distinguishing between REST CRUD
operations.
(Ideally from a pure engineering viewpoint one would extend ACEGI's ACL
syntax to support REST directly, but this is obviously more effort :-)
).

If you don't care about CRUD specific ACL (write Vs read ops)
then standard ACEGI ACL will allow you to protect HTTP URL patterns as
per any typical ACEGI demo.
You wouldn't need any annotations in this case.
Additionally you optionally could also have an interceptor to query the
acegi Authenticated credentials, for any fancy ACL, but most likely the
annotation support is what you are looking for.

Cheers,
    Donal


-----Original Message-----
From: John-M Baker [mailto:john-m.baker@db.com] 
Sent: 27 June 2008 16:25
To: users@cxf.apache.org
Subject: CXF and Acegisecurity

Are there any docs specifically on implementing CXF REST With 
Acegisecurity? Google didn't return anything obvious..  A simple example
showing how to secure a couple methods would be handy.

Thanks,


John Baker
-- 
Web SSO 
IT Infrastructure 
Deutsche Bank London

URL:  http://websso.cto.gt.intranet.db.com



RE: CXF and Acegisecurity

Posted by "Arundel, Donal" <do...@iona.com>.
Maybe have a look at the ACEGI docs on ACL annotations if you want
method level access control, to allow distinguishing between REST CRUD
operations.
(Ideally from a pure engineering viewpoint one would extend ACEGI's ACL
syntax to support REST directly, but this is obviously more effort :-)
).

If you don't care about CRUD specific ACL (write Vs read ops)
then standard ACEGI ACL will allow you to protect HTTP URL patterns as
per any typical ACEGI demo.
You wouldn't need any annotations in this case.
Additionally you optionally could also have an interceptor to query the
acegi Authenticated credentials, for any fancy ACL, but most likely the
annotation support is what you are looking for.

Cheers,
    Donal


-----Original Message-----
From: John-M Baker [mailto:john-m.baker@db.com] 
Sent: 27 June 2008 16:25
To: users@cxf.apache.org
Subject: CXF and Acegisecurity

Are there any docs specifically on implementing CXF REST With 
Acegisecurity? Google didn't return anything obvious..  A simple example
showing how to secure a couple methods would be handy.

Thanks,


John Baker
-- 
Web SSO 
IT Infrastructure 
Deutsche Bank London

URL:  http://websso.cto.gt.intranet.db.com


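
The approach the thread settles on, sketched as an added example (not code from any poster, nor from the CXF or Spring projects): one bean carrying JAX-RS, JAX-WS and JSR-250 `@RolesAllowed` annotations, so read and write operations require different roles on both transports. The class name, path and role names are hypothetical; enforcement assumes Spring Security 2.0's `<global-method-security jsr250-annotations="enabled"/>` and an already populated SecurityContext.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.security.RolesAllowed;
import javax.jws.WebService;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.PUT;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;

/**
 * Hypothetical bean exposed through both JAX-RS and JAX-WS.
 * Assumption: it is a Spring bean in a context that declares
 * <global-method-security jsr250-annotations="enabled"/>.
 * The checks fire only on calls that pass through the Spring proxy, so both
 * endpoints must reference the Spring-managed bean, not a fresh instance.
 */
@WebService
@Path("/accounts")
public class AccountResource {
    private final Map<String, String> owners = new ConcurrentHashMap<String, String>();

    // Read operation: either role may call it, over REST or SOAP.
    @GET
    @Path("/{id}")
    @RolesAllowed({"ROLE_READER", "ROLE_ADMIN"})
    public String getOwner(@PathParam("id") String id) {
        return owners.get(id);
    }

    // Write operations: admin only. All three REST verbs share one URL, and
    // every SOAP operation shares the endpoint URL, so a URL-pattern rule
    // alone does not separate them.
    @PUT
    @Path("/{id}")
    @RolesAllowed("ROLE_ADMIN")
    public void setOwner(@PathParam("id") String id, String owner) {
        owners.put(id, owner);
    }

    @DELETE
    @Path("/{id}")
    @RolesAllowed("ROLE_ADMIN")
    public void remove(@PathParam("id") String id) {
        owners.remove(id);
    }
}
```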