Posted to users@cxf.apache.org by Burkard Stephan <St...@visana.ch> on 2018/07/11 15:11:19 UTC

How to implement a CXF interceptor for a proprietary token

Hi 

We have a SOAP-based backend system that has its own proprietary security token. The token is quite simple; it is based on a shared secret. 

To integrate this backend, I have to add such tokens to messages sent to it and validate such tokens to receive calls from it. The creation and validation is not a problem. I already have code to create and validate the tokens. 

I also found "AbstractTokenInterceptor" as base class and "UsernameTokenInterceptor" as a "reference implementation" to handle tokens in an interceptor. But the Javadocs say almost nothing about the methods to implement. 

Therefore I studied their source code a bit. I assume I have to implement the method "addToken" to add such a token to a message sent to the backend. And "processToken" sounds like it validates the token of an incoming message. But what is "assertTokens" for? 

And this is just the most basic question. In "UsernameTokenInterceptor" there is a lot of stuff I don't understand or at least don't know why it is done.

Where can I get an understanding of *what needs to be done* (ws-security theory) and how to extend "AbstractTokenInterceptor" to do these things (CXF and interceptor know-how)? Are there any recommended books, tutorials or articles?

Thanks a lot
Stephan



Re: How to implement a CXF interceptor for a proprietary token

Posted by Colm O hEigeartaigh <co...@apache.org>.
You'll have to write a custom interceptor in that case - you could use the
BinarySecurityTokenInterceptor as a guide.

Colm.

On Thu, Jul 12, 2018 at 3:55 PM, Burkard Stephan <St...@visana.ch>
wrote:

-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com

Re: How to implement a CXF interceptor for a proprietary token

Posted by Burkard Stephan <St...@visana.ch>.
Hi Colm

Sorry for the missing parts. The token is unfortunately not Base64-encoded but a URL-encoded string, embedded in the SOAP header as follows: 

<urn:SoapLoginInformation xmlns:urn="[namespace]">
	<Token>[Token]</Token>
</urn:SoapLoginInformation>

Does "BinarySecurityToken" nevertheless work as a base for this type of token or is there something else in CXF I could use?

Thanks
Stephan
 



-----Original Message-----
From: Colm O hEigeartaigh <co...@apache.org> 
Sent: Thursday, 12 July 2018 13:54
To: users@cxf.apache.org
Subject: Re: How to implement a CXF interceptor for a proprietary token

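Putting Colm's advice (write a custom interceptor) together with the header Stephan describes, here is an added example of the two interceptors: one that adds the <urn:SoapLoginInformation> header on the way out ("addToken") and one that reads and validates it on the way in ("processToken"). This is the editor's code, not code from the thread or from CXF. The thread does not describe the token itself, so the format used here (subject, expiry and an HMAC-SHA256 over both, URL-encoded) is an assumption standing in for Stephan's existing create/validate code; the namespace urn:example:login, the class names and the login.subject message property are assumptions too. It assumes CXF 3.x and Java 17.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Instant;
import java.util.HexFormat;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.namespace.QName;
import org.apache.cxf.binding.soap.SoapFault;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.headers.Header;
import org.apache.cxf.helpers.DOMUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.Phase;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Assumed token format: "subject|expiryEpochSeconds|hexHmacSha256", URL-encoded into <Token>. */
final class SharedSecretToken {
    // The thread shows the header namespace only as "[namespace]"; "urn:example:login" is a placeholder.
    static final QName HEADER = new QName("urn:example:login", "SoapLoginInformation", "urn");
    private final byte[] secret;

    SharedSecretToken(byte[] secret) { this.secret = secret.clone(); }

    String issue(String subject, long ttlSeconds) throws Exception {
        String payload = subject + "|" + (Instant.now().getEpochSecond() + ttlSeconds);
        return URLEncoder.encode(payload + "|" + mac(payload), StandardCharsets.UTF_8);
    }

    /** Returns the authenticated subject, or null if the token is malformed, forged or expired. */
    String validate(String encoded) throws Exception {
        String[] parts = URLDecoder.decode(encoded, StandardCharsets.UTF_8).split("\\|", -1);
        if (parts.length != 3) return null;
        // Verify the MAC before trusting any field, and compare in constant time (no String.equals).
        byte[] expected = mac(parts[0] + "|" + parts[1]).getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, parts[2].getBytes(StandardCharsets.US_ASCII))) return null;
        long expiry;
        try { expiry = Long.parseLong(parts[1]); } catch (NumberFormatException e) { return null; }
        return Instant.now().getEpochSecond() < expiry ? parts[0] : null;
    }

    private String mac(String data) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        return HexFormat.of().formatHex(mac.doFinal(data.getBytes(StandardCharsets.UTF_8)));
    }
}

/** Server side ("processToken"): PRE_PROTOCOL runs after ReadHeadersInterceptor has parsed the headers. */
final class SoapLoginInformationInInterceptor extends AbstractSoapInterceptor {
    private final SharedSecretToken token;

    SoapLoginInformationInInterceptor(SharedSecretToken token) { super(Phase.PRE_PROTOCOL); this.token = token; }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        String subject = null;
        Header header = message.getHeader(SharedSecretToken.HEADER);
        if (header != null && header.getObject() instanceof Element) {
            // Require exactly one <Token>: a second one could carry a different value to another parser.
            NodeList tokens = ((Element) header.getObject()).getElementsByTagNameNS("*", "Token");
            try {
                subject = tokens.getLength() == 1 ? token.validate(tokens.item(0).getTextContent().trim()) : null;
            } catch (Exception e) {
                subject = null; // bad percent-encoding and similar: treat exactly like a forged token
            }
        }
        if (subject == null) {
            // Fail closed with one generic Sender fault; do not echo the token or say which check failed.
            throw new SoapFault("Authentication failed", message.getVersion().getSender());
        }
        message.put("login.subject", subject); // assumed property name for authorization downstream
    }
}

/** Client side ("addToken"): the header is added here and serialised by SoapOutInterceptor in WRITE. */
final class SoapLoginInformationOutInterceptor extends AbstractSoapInterceptor {
    private final SharedSecretToken token;
    private final String subject;

    SoapLoginInformationOutInterceptor(SharedSecretToken token, String subject) {
        super(Phase.PRE_PROTOCOL); this.token = token; this.subject = subject;
    }

    @Override
    public void handleMessage(SoapMessage message) throws Fault {
        QName q = SharedSecretToken.HEADER;
        Document doc = DOMUtils.createDocument();
        Element root = doc.createElementNS(q.getNamespaceURI(), q.getPrefix() + ":" + q.getLocalPart());
        Element tokenEl = doc.createElementNS(null, "Token"); // unqualified <Token>, as in Stephan's sample
        // A short TTL bounds how long a captured token can be replayed.
        try { tokenEl.setTextContent(token.issue(subject, 300)); } catch (Exception e) { throw new Fault(e); }
        root.appendChild(tokenEl);
        message.getHeaders().add(new Header(q, root));
    }
}
```

Register them like any other CXF interceptor: endpoint.getInInterceptors().add(new SoapLoginInformationInInterceptor(token)) on the server, client.getOutInterceptors().add(new SoapLoginInformationOutInterceptor(token, "svc-user")) on the client (or <jaxws:inInterceptors> / <jaxws:outInterceptors> in Spring). Two things are worth keeping whatever the real token looks like: the MAC is compared with MessageDigest.isEqual rather than String.equals, and the header is mandatory, so a message with no header, an empty <Token> or two <Token> elements is rejected instead of passed through. The token is a bearer credential that is not bound to the message body, so the transport must be TLS; the expiry only limits replay, it does not prevent it.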

Re: How to implement a CXF interceptor for a proprietary token

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi,

What's missing from your email is *how* the security token is supposed to
be sent to the SOAP backend. Typically for WS-Security, security tokens are
Base64-encoded and inserted into the security header of the request as a
"BinarySecurityToken".

If this is the case then you can leverage the following interceptor in CXF:

https://github.com/apache/cxf/blob/master/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/BinarySecurityTokenInterceptor.java

To see how to use it take a look at the following test:

https://github.com/apache/cxf/blob/master/systests/ws-security/src/test/java/org/apache/cxf/systest/ws/tokens/BinarySecurityTokenTest.java

The interceptor is added for the test in Spring config here:

https://github.com/apache/cxf/blob/ebfb3a364c496f76c8b27aacc9bdd7b8aa804602/systests/ws-security/src/test/resources/org/apache/cxf/systest/ws/tokens/client.xml#L174

On the receiving side, the BinarySecurityTokenInterceptor just processes
the token but doesn't validate it. You can implement your custom validation
logic in a WSS4J "Validator" implementation, and reference it in the JAX-WS
properties of the service endpoint via the "ws-security.bst.validator"
configuration key.

Colm.

On Wed, Jul 11, 2018 at 4:11 PM, Burkard Stephan <St...@visana.ch>
wrote:

> Hi
>
> We have a SOAP based backend system that has its own proprietary security
> token. The token is quite simple, it is based on a shared secret.
>
> To integrate this backend, I have to add such tokens to messages sent to
> it and validate such tokens to receive calls from it. The creation and
> validation is not a problem. I already have code to create and validate the
> tokens.
>
> I also found "AbstractTokenInterceptor" as base class and
> "UsernameTokenInterceptor" as a "reference implementation" to handle tokens
> in an interceptor. But the Javadocs say almost nothing about the methods to
> implement.
>
> Therefore I studied the source code of them a bit. I assume I have to
> implement the method "addToken" to add such a token to a message sent to
> the backend. And "processToken" sounds like validate the token of an
> incoming message. But what is "assertTokens" for?
>
> And this is just the most basic question. In "UsernameTokenInterceptor"
> there is a lot of stuff I don't understand or at least don't know why it is
> done.
>
> Where can I get an understanding of *what needs to be done* (ws-security
> theory) and how to extend "AbstractTokenInterceptor" to do these things
> (CXF and interceptor know-how)? Are there any recommended books, tutorials
> or articles?
>
> Thanks a lot
> Stephan
>
>
>


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
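For the case this reply covers, a real BinarySecurityToken handled by BinarySecurityTokenInterceptor, the validation hook is a WSS4J Validator. The following is an added example of such a validator (the editor's code, not code from the thread, CXF or WSS4J). It treats the decoded token bytes as a pre-shared secret; the ValueType URI, the class name and the principal name are assumptions, and the package names are those of WSS4J 2.x.

```java
import java.security.MessageDigest;
import org.apache.wss4j.common.ext.WSSecurityException;
import org.apache.wss4j.common.principal.CustomTokenPrincipal;
import org.apache.wss4j.common.token.BinarySecurity;
import org.apache.wss4j.dom.handler.RequestData;
import org.apache.wss4j.dom.validate.Credential;
import org.apache.wss4j.dom.validate.Validator;

/**
 * Accepts a BinarySecurityToken whose decoded bytes equal a pre-shared secret.
 * The ValueType URI and the principal name are assumptions made for this example.
 */
public final class SharedSecretBstValidator implements Validator {
    static final String VALUE_TYPE = "urn:example:SharedSecretToken";
    private final byte[] expected;

    public SharedSecretBstValidator(byte[] expected) { this.expected = expected.clone(); }

    @Override
    public Credential validate(Credential credential, RequestData data) throws WSSecurityException {
        BinarySecurity bst = credential == null ? null : credential.getBinarySecurityToken();
        // The interceptor hands every BST to this validator, so reject any other ValueType outright,
        // then compare the secret in constant time.
        if (bst == null || !VALUE_TYPE.equals(bst.getValueType())
                || !MessageDigest.isEqual(expected, bst.getToken())) {
            // One generic error for every failure; WSS4J turns it into a FailedAuthentication fault.
            throw new WSSecurityException(WSSecurityException.ErrorCode.FAILED_AUTHENTICATION);
        }
        credential.setPrincipal(new CustomTokenPrincipal("backend"));
        return credential;
    }
}
```

Wire it in with the key Colm names, "ws-security.bst.validator", in the endpoint's JAX-WS properties (in Spring: <entry key="ws-security.bst.validator"><bean class="SharedSecretBstValidator">...</bean></entry>), alongside the BinarySecurityTokenInterceptor from the links above. The comparison uses MessageDigest.isEqual rather than Arrays.equals, and every failure raises the same FAILED_AUTHENTICATION error so the caller learns nothing about which check failed. Note what this does not give you: the same secret bytes travel in every request, so the token is a replayable bearer credential and the transport must be TLS; if the backend's own token carries a timestamp or a MAC, verify those here instead of doing a raw comparison.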