Posted to users@servicemix.apache.org by briandillon <br...@gmail.com> on 2009/05/27 21:29:59 UTC

Re: Security Subject can not be propagated in servicemix-cxf-se when using the cxf-se proxies



Freeman Fang wrote:
> 
> No, we don't pass the securitySubject to cxf se so far, not even sure 
> it's really necessary, since currently AA are delegate to JAAS service 
> in SMX.
> 

Freeman,
I need to accomplish fine-grained, operation-based authorization, and so far
this is the only way I can see to do it within the CXF SE SU, i.e. by
passing the securitySubject, which carries all the roles for the authenticated
user. The current JAAS authorization approach appears to permit only
coarse-grained authorization over the entire service, not individual
operations. Is there a way to accomplish operation-based authorization using
the security.xml config?

Kindly
Brian
-- 
View this message in context: http://www.nabble.com/Security-Subject-can-not-be-propagated-in-servicemix-cxf-se-when-using-the-cxf-se-proxies-tp22573857p23749185.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.


Re: Security Subject can not be propagated in servicemix-cxf-se when using the cxf-se proxies

Posted by briandillon <br...@gmail.com>.


Freeman Fang wrote:
> 
> Hi,
> Which class can't you find, according to your compilation error?
> You may need to take a look at [1]
> 
> 

Found the issue, Freeman - it was the "void" return type in your constructor
listing throwing things off. I removed it, added the imports, and it works fine
now. I actually decided not to pass the Subject on to the SE but rather to
perform fine-grained authorization purely in the BC, so I don't have to add
code to the SE. I used CRUD-based roles in the JAAS properties files, applied
them to the SMX authorizationMap for the service, and then do a simple
String.contains to map roles to operations for fine-grained access, throwing
a fault if the role(s) don't map to the required op:

Role -> Op
*.create -> add*
*.read -> get* || search*
*.update -> update*
*.delete -> delete*

such that I end up with:

import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;
import javax.xml.namespace.QName;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

public class RoleInInterceptor extends AbstractPhaseInterceptor<Message> {

    public RoleInInterceptor() {
        super(Phase.PRE_INVOKE);
    }

    public void handleMessage(Message message) throws Fault {
        Subject sub = message.get(Subject.class);
        if (sub == null) {
            // no authenticated subject on the message: refuse rather than NPE
            throw new Fault(new SecurityException("no Subject on message"));
        }

        // Message.WSDL_OPERATION is a String key; the stored value is the operation QName
        QName opName = (QName) message.get(Message.WSDL_OPERATION);
        String op = opName == null ? "" : opName.getLocalPart();

        // now go through all the JAAS roles/Principals until we match the
        // required role(s) for the requested operation (role suffix -> op prefix)
        Set<Principal> principals = sub.getPrincipals();
        for (Principal p : principals) {
            String role = p.getName();
            if (op.startsWith("add") && role.contains(".create")) return;
            if ((op.startsWith("get") || op.startsWith("search")) && role.contains(".read")) return;
            if (op.startsWith("update") && role.contains(".update")) return;
            if (op.startsWith("delete") && role.contains(".delete")) return;
        }
        // nothing matched: deny
        throw new Fault(new SecurityException("not authorized for operation " + op));
    }
}
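Brian's role-to-operation mapping above, pulled out into a standalone policy class so it can be exercised without a running ServiceMix container. This is an added example, not code from the thread or from ServiceMix/CXF: the class name OperationPolicy, the RolePrincipal helper, the service name "orders" and the role strings are assumptions. It also generalizes the post's String.contains check to an exact match on the full role name, so that a role such as orders.readonly cannot satisfy orders.read, and it denies any operation whose prefix is not in the map.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Operation-level authorization policy, decoupled from CXF so it can be
 * tested on its own. Hypothetical class, not part of ServiceMix or CXF.
 */
public class OperationPolicy {

    /** Operation-name prefix -> role suffix that grants it (the mapping from the post). */
    private static final Map<String, String> PREFIX_TO_ROLE = new LinkedHashMap<String, String>();
    static {
        PREFIX_TO_ROLE.put("add", ".create");
        PREFIX_TO_ROLE.put("get", ".read");
        PREFIX_TO_ROLE.put("search", ".read");
        PREFIX_TO_ROLE.put("update", ".update");
        PREFIX_TO_ROLE.put("delete", ".delete");
    }

    /** Minimal Principal so the sample runs without a JAAS login module (constructed for this example). */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    /**
     * Roles are "<service>.<verb>". Returns true only when the operation prefix is
     * known and the subject holds exactly the role that grants it; anything else is a deny.
     */
    public static boolean isAllowed(Subject subject, String service, String operation) {
        if (subject == null || service == null || operation == null) {
            return false;
        }
        String requiredRole = null;
        for (Map.Entry<String, String> e : PREFIX_TO_ROLE.entrySet()) {
            if (operation.startsWith(e.getKey())) {
                requiredRole = service + e.getValue();
                break;
            }
        }
        if (requiredRole == null) {
            return false; // operation not covered by the policy: deny by default
        }
        for (Principal p : subject.getPrincipals()) {
            // exact match rather than String.contains: "orders.readonly" must not satisfy "orders.read"
            if (requiredRole.equals(p.getName())) {
                return true;
            }
        }
        return false;
    }

    /** Builds a read-only Subject carrying the given role names (sample data, constructed here). */
    static Subject subjectWithRoles(String... roles) {
        Set<Principal> principals = new HashSet<Principal>();
        for (String r : roles) {
            principals.add(new RolePrincipal(r));
        }
        return new Subject(true, principals, new HashSet<Object>(), new HashSet<Object>());
    }

    public static void main(String[] args) {
        Subject reader = subjectWithRoles("orders.read");
        Subject admin = subjectWithRoles("orders.read", "orders.create", "orders.delete");
        Subject lookalike = subjectWithRoles("orders.readonly");

        System.out.println("reader getOrder:      " + isAllowed(reader, "orders", "getOrder"));
        System.out.println("reader searchOrders:  " + isAllowed(reader, "orders", "searchOrders"));
        System.out.println("reader addOrder:      " + isAllowed(reader, "orders", "addOrder"));
        System.out.println("admin deleteOrder:    " + isAllowed(admin, "orders", "deleteOrder"));
        System.out.println("admin reindex:        " + isAllowed(admin, "orders", "reindex"));
        System.out.println("lookalike getOrder:   " + isAllowed(lookalike, "orders", "getOrder"));
    }
}
```

To wire this into the interceptor, call isAllowed with the Subject from message.get(Subject.class) and the local part of the QName stored under Message.WSDL_OPERATION, and throw a Fault when it returns false. Keeping the decision out of the interceptor makes the deny-by-default cases (unknown operation, missing subject, near-miss role name) straightforward to unit test.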


Re: Security Subject can not be propagated in servicemix-cxf-se when using the cxf-se proxies

Posted by Freeman Fang <fr...@gmail.com>.
Hi,
Which class can't you find, according to your compilation error?
You may need to take a look at [1]

[1] https://svn.apache.org/repos/asf/servicemix/smx3/branches/servicemix-3.2/deployables/bindingcomponents/servicemix-cxf-bc/src/main/java/org/apache/servicemix/cxfbc/interceptors/JbiJAASInterceptor.java
Freeman

briandillon wrote:
>
> Freeman Fang wrote:
>   
>> Hi Brian,
>>
>> One solution could be write your own interceptors to save subject on 
>> cxf
>> bc and extract it from cxf se
>> something like
>> public class SaveSubjectInterceptor extends AbstractPhaseInterceptor {
>>
>>     public SaveSubjectInterceptor() {
>>         super(Phase.PRE_INVOKE);
>>     }
>>
>>     public void handleMessage(Message message) throws Fault {
>>          NormalizedMessage nm = 
>> message.getContent(NormalizedMessage.class);
>>          Subject securitySubject = message.get(Subject.class);
>>          nm.setProperty("securitySubject", securitySubject);
>>     }
>>
>> }
>>
>>
>>     
>
> Freeman,
> can you point me to a full example of such a BC InInterceptor under SMX as I
> can't get the imports+POM dependencies correct for all the classes above.
>
> Thanks!
> Brian
>   


-- 
Freeman Fang
------------------------
Open Source SOA: http://fusesource.com


Re: Security Subject can not be propagated in servicemix-cxf-se when using the cxf-se proxies

Posted by briandillon <br...@gmail.com>.


Freeman Fang wrote:
> 
> Hi Brian,
> 
> One solution could be write your own interceptors to save subject on 
> cxf
> bc and extract it from cxf se
> something like
> public class SaveSubjectInterceptor extends AbstractPhaseInterceptor {
> 
>     public SaveSubjectInterceptor() {
>         super(Phase.PRE_INVOKE);
>     }
> 
>     public void handleMessage(Message message) throws Fault {
>          NormalizedMessage nm = 
> message.getContent(NormalizedMessage.class);
>          Subject securitySubject = message.get(Subject.class);
>          nm.setProperty("securitySubject", securitySubject);
>     }
> 
> }
> 
> 

Freeman,
can you point me to a full example of such a BC InInterceptor under SMX as I
can't get the imports+POM dependencies correct for all the classes above.

Thanks!
Brian


Re: Security Subject can not be propagated in servicemix-cxf-se when using the cxf-se proxies

Posted by Freeman Fang <fr...@gmail.com>.
Hi Brian,
Not sure we can support fine-grained authorization based on 
operation, since not all kinds of service have an operation concept, and even 
when a service has operations, operation dispatch is controlled entirely by the 
service itself; the container shouldn't know the operation dispatch 
details inside the service.
But one solution I can come up with is to define your fine-grained 
services/endpoints, which means putting all operations allowed by the "read" 
role in, let's say, ReadService, and all operations allowed by the "write" 
role in WriteService, then mapping your services to your roles.
Freeman

briandillon wrote:
>
> Freeman Fang wrote:
>   
>> Hi Brian,
>>
>> One solution could be write your own interceptors to save subject on 
>> cxf
>> bc and extract it from cxf se
>>
>>
>>     
>
> Thanks Freeman. I may just try this. It would be nice if the security.xml
> config allowed an authorizationMap with entries like:
>
>       <sm:authorizationEntry service="*:ServiceName_v2*:Get*" roles="read"
> />
>  
> to permit fine-grained authorization at an operation level (where ":Get*"
> were all the read-based ops) utilizing the existing JAAS construct.
>
> Brian
>   


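Freeman's alternative above, splitting read and write operations into separate services so the existing authorizationMap can tell them apart, written out as a security.xml fragment. This is an added example, not from the thread or the ServiceMix distribution: the service names ReadService and WriteService and the roles read and write are assumptions, the "*:" wildcard-namespace form follows Brian's entry above, and the sm:authorizationMap / sm:authorizationEntries wrapper elements are assumed from the ServiceMix 3 default security.xml.

```xml
<!-- Assumed layout of the ServiceMix 3 security.xml authorizationMap.
     Service and role names are example values. -->
<sm:authorizationMap id="authorizationMap">
  <sm:authorizationEntries>
    <!-- every read-only operation (get*, search*) is deployed on ReadService -->
    <sm:authorizationEntry service="*:ReadService" roles="read" />
    <!-- every state-changing operation (add*, update*, delete*) is deployed on WriteService -->
    <sm:authorizationEntry service="*:WriteService" roles="write" />
  </sm:authorizationEntries>
</sm:authorizationMap>
```

With this split, the container enforces the per-operation decision at the service boundary it already understands, so no interceptor code is needed in the SE; a principal that needs both kinds of access simply holds both roles. The cost is that the WSDL and the SU deployment must be split along the same read/write line, and the wildcard namespace means the entry applies to any ReadService in any namespace, so use the full namespace in the service attribute when several components share a name.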


Re: Security Subject can not be propagated in servicemix-cxf-se when using the cxf-se proxies

Posted by briandillon <br...@gmail.com>.


Freeman Fang wrote:
> 
> Hi Brian,
> 
> One solution could be write your own interceptors to save subject on 
> cxf
> bc and extract it from cxf se
> 
> 

Thanks Freeman. I may just try this. It would be nice if the security.xml
config allowed an authorizationMap with entries like:

      <sm:authorizationEntry service="*:ServiceName_v2*:Get*" roles="read"
/>
 
to permit fine-grained authorization at an operation level (where ":Get*"
were all the read-based ops) utilizing the existing JAAS construct.

Brian


Re: Security Subject can not be propagated in servicemix-cxf-se when using the cxf-se proxies

Posted by Freeman Fang <fr...@gmail.com>.
Hi Brian,

One solution could be to write your own interceptors to save the subject on 
the cxf bc and extract it from the cxf se, something like:

import javax.jbi.messaging.NormalizedMessage;
import javax.security.auth.Subject;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

public class SaveSubjectInterceptor extends AbstractPhaseInterceptor<Message> {

    public SaveSubjectInterceptor() {
        super(Phase.PRE_INVOKE);
    }

    public void handleMessage(Message message) throws Fault {
         // the JBI NormalizedMessage the cxf bc built for this exchange
         NormalizedMessage nm = message.getContent(NormalizedMessage.class);
         // the Subject the JAAS interceptor put on the CXF message
         Subject securitySubject = message.get(Subject.class);
         if (nm != null && securitySubject != null) {
             // carry the authenticated Subject across to the SE as a message property
             nm.setProperty("securitySubject", securitySubject);
         }
    }

}

and add this interceptor to your cxf bc consumer endpoint 
configuration.
Similarly, write your own interceptor to extract the 
securitySubject for
your cxf se and use it later...
Freeman


briandillon wrote:
>
> Freeman Fang wrote:
>   
>> No, we don't pass the securitySubject to cxf se so far, not even sure 
>> it's really necessary, since currently AA are delegate to JAAS service 
>> in SMX.
>>
>>     
>
> Freeman,
> I need to accomplish fine-grained, operation-based authorization, and so far
> this is the only way I can see to do it within the CXF SE SU, i.e. by
> passing the securitySubject, which carries all the roles for the authenticated
> user. The current JAAS authorization approach appears to permit only
> coarse-grained authorization over the entire service, not individual
> operations. Is there a way to accomplish operation-based authorization using
> the security.xml config?
>
> Kindly
> Brian
>   

