Posted to users@cxf.apache.org by Sergey Beryozkin <se...@iona.com> on 2009/05/01 22:37:00 UTC

Re: Security in Jaxws/Jaxrs

Hi Vishal

I'm very sorry for a late reply - I was planning to reply much earlier but
then I got swamped with some work and forgot.

There're a number of options, depending on your preferences

1. Do it in the application code, in the resource class. This may or may
not be the best option. Typically this is something users prefer to do outside
of the application code. But then you may want to look at the resource class
which checks the injected SecurityContexts as the facade, or really as an
interceptor, which delegates to the actual application class; this may
make this option more viable.

So in this case you have to have

import javax.annotation.Resource;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.SecurityContext;
import javax.xml.ws.WebServiceContext;

@Resource WebServiceContext jaxwsContext;
@Context SecurityContext jaxrsSecurityContext;

declared in your code. Next, you need to figure out whether it's a JAXWS or
JAXRS invocation in progress, so you can do it like this

// not sure at the moment how exactly to get security context from jaxws one
// (WebServiceContext has no getSecurityContext(); it exposes the caller
// through getUserPrincipal(), and in CXF its getMessageContext() returns
// null when no JAX-WS invocation is in progress, which is what tells the
// two stacks apart here)
if (jaxwsContext == null || jaxwsContext.getMessageContext() == null) {
   checkPrincipal(jaxrsSecurityContext.getUserPrincipal());
} else {
   checkPrincipal(jaxwsContext.getUserPrincipal());
}

2. Use Spring Security - we have some simple tests showing how
authentication and authorization can be done.

3. For JAXRS : Use CXF JAX-RS RequestFilter or custom invoker (which simply
extends JAXRSInvoker and is registered as an invoker property) where you can
get all the info you need (method name, Principal, etc)
   For JAXWS : do a custom CXF in Interceptor which will throw Fault if
needed.

Perhaps there're more options... Let me know please if you need more info on
any of these options.

Cheers, Sergey   


   


Vishal.a wrote:
> 
> Hello All,
> 
> I have services written that have both JaxRs and Jaxws. I have to implement
> security on the services now. There are 2 things I need to do
> 
> 1. Authentication - Using Basic Http Authentication
> 2. Authorization - Secure each and every method.
> 
> I have seen posts that show me how to do it for either JaxRS or Jaxws; can
> someone tell me what would be the best way to approach doing it for
> both REST and SOAP.
> 
> Any help is appreciated.
> 
> Thanks,
> Vishal
> 

-- 
View this message in context: http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p23339367.html
Sent from the cxf-user mailing list archive at Nabble.com.
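Sergey's third option for the JAX-WS side, a custom CXF in-interceptor that throws a Fault, worked out as an added example. This is my code written for this page, not part of CXF and not something from the thread. It assumes that something earlier in the chain (the servlet container's HTTP authentication, or a CXF authentication interceptor) has already put an org.apache.cxf.security.SecurityContext on the inbound message; the operation names and roles in the table are constructed for the example. It authorizes per SOAP operation, which is the JAX-WS equivalent of "secure each and every method", and denies any operation that is not in the table.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

import javax.xml.namespace.QName;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.service.model.BindingOperationInfo;

/**
 * Per-operation authorization for a JAX-WS endpoint. Registered as an
 * inInterceptor (for example through jaxws:inInterceptors in Spring), it
 * rejects the call with a Fault before the service implementation runs.
 */
public class OperationAuthorizationInterceptor extends AbstractPhaseInterceptor<Message> {

    // Operation local name -> roles allowed to call it. Constructed for the
    // example; a real table would come from configuration. Operations that are
    // not listed are denied, so a newly added operation is never open by accident.
    private final Map<String, Set<String>> allowedRoles = new HashMap<String, Set<String>>();

    public OperationAuthorizationInterceptor() {
        // PRE_INVOKE runs after the SOAP body has been unmarshalled, so the
        // BindingOperationInfo naming the operation is already resolved, and
        // before INVOKE, where ServiceInvokerInterceptor calls the service.
        super(Phase.PRE_INVOKE);
        allowedRoles.put("getAccount", new HashSet<String>(Arrays.asList("user", "admin")));
        allowedRoles.put("closeAccount", new HashSet<String>(Arrays.asList("admin")));
    }

    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        Principal principal = sc == null ? null : sc.getUserPrincipal();
        if (principal == null) {
            // Nothing authenticated the caller: answer 401, not 403.
            throw fault(401, "caller is not authenticated");
        }
        BindingOperationInfo boi = message.getExchange().get(BindingOperationInfo.class);
        if (boi == null) {
            // Should not happen at PRE_INVOKE; fail closed rather than let the call through.
            throw fault(500, "operation could not be resolved");
        }
        QName operation = boi.getName();
        if (!isAllowed(sc, operation.getLocalPart())) {
            throw fault(403, principal.getName() + " is not allowed to call " + operation.getLocalPart());
        }
    }

    /** True if the caller holds at least one of the roles listed for the operation. */
    boolean isAllowed(SecurityContext sc, String operationName) {
        Set<String> roles = allowedRoles.get(operationName);
        if (roles == null) {
            return false; // deny by default
        }
        for (String role : roles) {
            if (sc.isUserInRole(role)) {
                return true;
            }
        }
        return false;
    }

    private static Fault fault(int httpStatus, String reason) {
        Fault fault = new Fault(new SecurityException(reason));
        // Asks the HTTP transport for this status instead of the default 500
        // used for unexpected faults.
        fault.setStatusCode(httpStatus);
        return fault;
    }
}
```

The interceptor keys on the operation QName rather than on the implementation method, so it also covers operations dispatched through a provider or an interface-only implementation. Whether the 401/403 reaches the wire as the HTTP status depends on the binding honouring Fault.getStatusCode(); the SOAP fault body with the reason is sent either way, so do not put anything in the reason string that an unauthenticated caller should not see.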


Re: Security in Jaxws/Jaxrs

Posted by Sergey Beryozkin <sb...@progress.com>.
Hi Kynan

> 
> Hi Sergey,
> 
> Yes thanks. As I thought, I'd already written the filter to use the
> HttpHeaders directly but was wondering if there was another preferred/better
> way.

I've looked at the AbstractHTTPDestination class: an inbound message should have
an AuthorizationPolicy available when basic authentication is used, 

message.get(AuthorizationPolicy.class)

It should make it simpler to get to the user name/password if needed.


> 
> For note: there's a bug in HttpHeadersImpl which cannot handle a header
> which is a non-empty collection populated with a single null item - in
> HttpHeadersImpl:

Thanks for reporting it, fixed now on the trunk.

cheers, Sergey

> 
> private List<String> getListValues(String headerName) {
>        List<String> values = headers.get(headerName);
>        if (values == null || values.isEmpty()) {
>            return Collections.emptyList();
>        }
>        if (HttpUtils.isDateRelatedHeader(headerName)) {
>            return values;
>        }
>        String[] ls =  values.get(0).split(",");
>        if (ls.length == 1) {
>            return Collections.singletonList(ls[0].trim());
>        } else {
>            List<String> newValues = new ArrayList<String>();
>            for (String v : ls) {
>                newValues.add(v.trim());
>            }
>            return newValues;
>        }
>    }
> 
> Should be:
> 
> private List<String> getListValues(String headerName) {
>        List<String> values = headers.get(headerName);
>        // add check here if first value in collection is null
>        if (values == null || values.isEmpty() || values.get(0) == null) {
>            return Collections.emptyList();
>        }
>        if (HttpUtils.isDateRelatedHeader(headerName)) {
>            return values;
>        }
> 
>        String[] ls = values.get(0).split(",");
>        if (ls.length == 1) {
>            return Collections.singletonList(ls[0].trim());
>        } else {
>            List<String> newValues = new ArrayList<String>();
>            for (String v : ls) {
>                newValues.add(v.trim());
>            }
>            return newValues;
>        }
>    }
> 
> 
> Otherwise values.get(0).split(",") will throw an NPE.
> 
> Regards,
> Kynan
> 
> 
> Sergey Beryozkin-2 wrote:
>> 
>> Hi Kynan
>> 
>> here's a sample CustomInvoker :
>> 
>> http://svn.apache.org/repos/asf/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
>> 
>> At the moment filters/invokers cannot get contexts like SecurityContext
>> injected, so it has to be created manually. 
>> 
>> Or you can just get m.get(org.apache.cxf.security.SecurityContext.class)
>> from the message and get Principal from there.
>> 
>> Or would you like to work directly with HTTP headers? They're available
>> on the message too, you can also do 
>> HttpHeaders headers = new HttpHeadersImpl(m) and use HttpHeaders...
>> 
>> Let me know please if you need more info
>> 
>> cheers, Sergey
>> 
>> ----- Original Message ----- 
>> From: "Kynan Fraser" <ky...@customware.net>
>> To: <us...@cxf.apache.org>
>> Sent: Thursday, July 02, 2009 9:44 AM
>> Subject: Re: Security in Jaxws/Jaxrs
>> 
>> 
>>> 
>>> Hi Sergey,
>>> 
>>> As a follow up to this, I'm trying to implement a basic HTTP filter using a
>>> request handler. Is there a way to obtain the HTTP auth info? I can't find
>>> it on any of the contexts or message.
>>> 
>>> Is there an example of a basic auth client and a request handler or
>>> custom
>>> invoker handling the authentication?
>>> 
>>> Thanks,
>>> Kynan
>>> 
>>> 
>>> Sergey Beryozkin wrote:
>>>> 
>>>> Hi Vishal
>>>> 
>>>> I'm very sorry for a late reply - I was planning to reply much earlier
>>>> but
>>>> then I got swamped with some work and forgot.
>>>> 
>>>> There're a number of options, depending on your preferences
>>>> 
>>>> 1. Do it in the application code, in the resource class. This may or
>>>> may not be the best option. Typically this is something users prefer to do
>>>> outside of the application code. But then you may want to look at the
>>>> resource class which checks the injected SecurityContexts as the facade,
>>>> or really as an interceptor, which delegates to the actual application
>>>> class; this may make this option more viable.
>>>> 
>>>> So in this case you have to have
>>>> @Resource WebServiceContext jaxwsContext;
>>>> @Context SecurityContext jaxrsSecurityContext;
>>>> 
>>>> declared in your code. Next, you need to figure out whether it's a JAXWS
>>>> or JAXRS invocation in progress, so you can do it like this
>>>> // not sure at the moment how exactly to get security context from jaxws
>>>> one
>>>> if (jaxwsContext.getSecurityContext() == null) {
>>>>    checkPrincipal(jaxrsSecurityContext.getPrincipal());
>>>> } else {
>>>>    checkPrincipal(jaxwsContext.getSecurityContext().getPrincipal());
>>>> }
>>>> 
>>>> 2. Use Spring security - we have some simple tests showing how
>>>> authentication and authorization can be done
>>>> 
>>>> 3. For JAXRS : Use CXF JAX-RS RequestFilter or custom invoker (which
>>>> simply extends JAXRSInvoker and is registered as an invoker property)
>>>> where you can get all the info you need (method name, Principal, etc)
>>>>    For JAXWS : do a custom CXF in Interceptor which will throw Fault if
>>>> needed.
>>>> 
>>>> Perhaps there're more options... Let me know please if you need more
>>>> info on any of these options.
>>>> 
>>>> Cheers, Sergey   
>>>> 
>>>> 
>>>>    
>>>> 
>>>> 
>>>> Vishal.a wrote:
>>>>> 
>>>>> Hello All,
>>>>> 
>>>>> I have services written that have both JaxRs and Jaxws. I have to
>>>>> implement security on the services now. There are 2 things I need to do
>>>>> 
>>>>> 1. Authentication - Using Basic Http Authentication
>>>>> 2. Authorization - Secure each and every method.
>>>>> 
>>>>> I have seen posts that show me how to do it for either JaxRS or Jaxws; can
>>>>> someone tell me what would be the best way to approach doing it
>>>>> for both REST and SOAP.
>>>>> 
>>>>> Any help is appreciated.
>>>>> 
>>>>> Thanks,
>>>>> Vishal
>>>>> 
>>>> 
>>>> 
>>> 
>>> -- 
>>> View this message in context:
>>> http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24303305.html
>>> Sent from the cxf-user mailing list archive at Nabble.com.
>>>
>> 
>> 
> 
> -- 
> View this message in context: http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24315708.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
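Sergey's pointer that the HTTP transport leaves an AuthorizationPolicy on the inbound message, as an added example. This is my code written for this page, not part of CXF and not from the thread: an interceptor that authenticates the Basic credentials found in that policy and publishes the caller as an org.apache.cxf.security.SecurityContext on the message. The user table is constructed for the example. Because the interceptor only touches the CXF Message, the same class can be registered as an inInterceptor on a JAX-WS endpoint and on a JAX-RS server, which is one way to get a single authentication path for both REST and SOAP.

```java
import java.nio.charset.Charset;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/**
 * Authenticates HTTP Basic credentials that the CXF HTTP transport has already
 * decoded into an AuthorizationPolicy and publishes the caller as a CXF
 * SecurityContext on the message. Works unchanged on JAX-WS and JAX-RS
 * endpoints because it only uses the CXF Message.
 */
public class BasicAuthInterceptor extends AbstractPhaseInterceptor<Message> {

    private static final Charset UTF8 = Charset.forName("UTF-8");

    // Constructed user store for the example: user -> {password, role}.
    // A real deployment verifies against a directory or a password-hash store.
    private final Map<String, String[]> users = new HashMap<String, String[]>();

    public BasicAuthInterceptor() {
        // RECEIVE is the first inbound phase: bad credentials are rejected
        // before any SOAP or JSON body from an unauthenticated client is parsed.
        super(Phase.RECEIVE);
        users.put("alice", new String[] {"s3cret", "admin"});
        users.put("bob", new String[] {"hunter2", "user"});
    }

    public void handleMessage(Message message) throws Fault {
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
            throw unauthorized("no credentials supplied");
        }
        // The transport fills the policy in from the Authorization header. A
        // non-Basic scheme is rejected; a policy without a type is assumed
        // (assumption for this example) to have come from a Basic header.
        String type = policy.getAuthorizationType();
        if (type != null && !"Basic".equalsIgnoreCase(type)) {
            throw unauthorized("unsupported authorization scheme " + type);
        }
        final String user = policy.getUserName();
        String[] entry = users.get(user);
        if (entry == null || !constantTimeEquals(entry[0], policy.getPassword())) {
            throw unauthorized("bad credentials");
        }
        final String role = entry[1];
        message.put(SecurityContext.class, new SecurityContext() {
            public Principal getUserPrincipal() {
                return new Principal() {
                    public String getName() {
                        return user;
                    }
                };
            }

            public boolean isUserInRole(String r) {
                return role.equals(r);
            }
        });
    }

    // MessageDigest.isEqual rather than String.equals for the password check:
    // on JDKs with the timing fix it does not stop at the first differing byte.
    private static boolean constantTimeEquals(String expected, String supplied) {
        return MessageDigest.isEqual(expected.getBytes(UTF8), supplied.getBytes(UTF8));
    }

    private static Fault unauthorized(String reason) {
        Fault fault = new Fault(new SecurityException("Unauthorized: " + reason));
        // Asks the HTTP transport to answer 401 instead of the default 500.
        fault.setStatusCode(401);
        return fault;
    }
}
```

Later interceptors, CXF's injected javax.ws.rs.core.SecurityContext and WebServiceContext.getUserPrincipal() all consult the SecurityContext put on the message here, so per-method authorization can be done downstream without touching the credentials again. AuthorizationPolicy carries the password in clear, as Basic authentication does, so this only makes sense over TLS. A browser-style challenge would additionally need a WWW-Authenticate header on the out message (Message.PROTOCOL_HEADERS); it is omitted here because the clients in question are service callers, not browsers.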

Re: Security in Jaxws/Jaxrs

Posted by Kynan Fraser <ky...@customware.net>.
Hi Sergey,

Yes thanks. As I thought, I'd already written the filter to use the
HttpHeaders directly but was wondering if there was another preferred/better
way.

For note: there's a bug in HttpHeadersImpl which cannot handle a header
which is a non-empty collection populated with a single null item - in
HttpHeadersImpl:

private List<String> getListValues(String headerName) {
    List<String> values = headers.get(headerName);
    if (values == null || values.isEmpty()) {
        return Collections.emptyList();
    }
    if (HttpUtils.isDateRelatedHeader(headerName)) {
        return values;
    }
    String[] ls = values.get(0).split(",");
    if (ls.length == 1) {
        return Collections.singletonList(ls[0].trim());
    } else {
        List<String> newValues = new ArrayList<String>();
        for (String v : ls) {
            newValues.add(v.trim());
        }
        return newValues;
    }
}

Should be:

private List<String> getListValues(String headerName) {
    List<String> values = headers.get(headerName);
    // add check here if first value in collection is null
    if (values == null || values.isEmpty() || values.get(0) == null) {
        return Collections.emptyList();
    }
    if (HttpUtils.isDateRelatedHeader(headerName)) {
        return values;
    }

    String[] ls = values.get(0).split(",");
    if (ls.length == 1) {
        return Collections.singletonList(ls[0].trim());
    } else {
        List<String> newValues = new ArrayList<String>();
        for (String v : ls) {
            newValues.add(v.trim());
        }
        return newValues;
    }
}


Otherwise values.get(0).split(",") will throw an NPE.

Regards,
Kynan


Sergey Beryozkin-2 wrote:
> 
> Hi Kynan
> 
> here's a sample CustomInvoker :
> 
> http://svn.apache.org/repos/asf/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
> 
> At the moment filters/invokers cannot get contexts like SecurityContext
> injected, so it has to be created manually. 
> 
> Or you can just get m.get(org.apache.cxf.security.SecurityContext.class)
> from the message and get Principal from there.
> 
> Or would you like to work directly with HTTP headers? They're available
> on the message too, you can also do 
> HttpHeaders headers = new HttpHeadersImpl(m) and use HttpHeaders...
> 
> Let me know please if you need more info
> 
> cheers, Sergey
> 
> ----- Original Message ----- 
> From: "Kynan Fraser" <ky...@customware.net>
> To: <us...@cxf.apache.org>
> Sent: Thursday, July 02, 2009 9:44 AM
> Subject: Re: Security in Jaxws/Jaxrs
> 
> 
>> 
>> Hi Sergey,
>> 
>> As a follow up to this, I'm trying to implement a basic HTTP filter using a
>> request handler. Is there a way to obtain the HTTP auth info? I can't find
>> it on any of the contexts or message.
>> 
>> Is there an example of a basic auth client and a request handler or
>> custom
>> invoker handling the authentication?
>> 
>> Thanks,
>> Kynan
>> 
>> 
>> Sergey Beryozkin wrote:
>>> 
>>> Hi Vishal
>>> 
>>> I'm very sorry for a late reply - I was planning to reply much earlier
>>> but
>>> then I got swamped with some work and forgot.
>>> 
>>> There're a number of options, depending on your preferences
>>> 
>>> 1. Do it in the application code, in the resource class. This may or
>>> may not be the best option. Typically this is something users prefer to do
>>> outside of the application code. But then you may want to look at the
>>> resource class which checks the injected SecurityContexts as the facade,
>>> or really as an interceptor, which delegates to the actual application
>>> class; this may make this option more viable.
>>> 
>>> So in this case you have to have
>>> @Resource WebServiceContext jaxwsContext;
>>> @Context SecurityContext jaxrsSecurityContext;
>>> 
>>> declared in your code. Next, you need to figure out whether it's a JAXWS
>>> or JAXRS invocation in progress, so you can do it like this
>>> // not sure at the moment how exactly to get security context from jaxws
>>> one
>>> if (jaxwsContext.getSecurityContext() == null) {
>>>    checkPrincipal(jaxrsSecurityContext.getPrincipal());
>>> } else {
>>>    checkPrincipal(jaxwsContext.getSecurityContext().getPrincipal());
>>> }
>>> 
>>> 2. Use Spring security - we have some simple tests showing how
>>> authentication and authorization can be done
>>> 
>>> 3. For JAXRS : Use CXF JAX-RS RequestFilter or custom invoker (which
>>> simply extends JAXRSInvoker and is registered as an invoker property)
>>> where you can get all the info you need (method name, Principal, etc)
>>>    For JAXWS : do a custom CXF in Interceptor which will throw Fault if
>>> needed.
>>> 
>>> Perhaps there're more options... Let me know please if you need more
>>> info on any of these options.
>>> 
>>> Cheers, Sergey   
>>> 
>>> 
>>>    
>>> 
>>> 
>>> Vishal.a wrote:
>>>> 
>>>> Hello All,
>>>> 
>>>> I have services written that have both JaxRs and Jaxws. I have to
>>>> implement security on the services now. There are 2 things I need to do
>>>> 
>>>> 1. Authentication - Using Basic Http Authentication
>>>> 2. Authorization - Secure each and every method.
>>>> 
>>>> I have seen posts that show me how to do it for either JaxRS or Jaxws; can
>>>> someone tell me what would be the best way to approach doing it
>>>> for both REST and SOAP.
>>>> 
>>>> Any help is appreciated.
>>>> 
>>>> Thanks,
>>>> Vishal
>>>> 
>>> 
>>> 
>> 
>> -- 
>> View this message in context:
>> http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24303305.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
> 
> 

-- 
View this message in context: http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24315708.html
Sent from the cxf-user mailing list archive at Nabble.com.


Re: Security in Jaxws/Jaxrs

Posted by Sergey Beryozkin <sb...@progress.com>.
Hi Kynan

here's a sample CustomInvoker :

http://svn.apache.org/repos/asf/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java

At the moment filters/invokers cannot get contexts like SecurityContext injected, so it has to be created manually. 

Or you can just get m.get(org.apache.cxf.security.SecurityContext.class) from the message and get Principal from there.

Or would you like to work directly with HTTP headers? They're available on the message too, you can also do 
HttpHeaders headers = new HttpHeadersImpl(m) and use HttpHeaders...

Let me know please if you need more info

cheers, Sergey

----- Original Message ----- 
From: "Kynan Fraser" <ky...@customware.net>
To: <us...@cxf.apache.org>
Sent: Thursday, July 02, 2009 9:44 AM
Subject: Re: Security in Jaxws/Jaxrs


> 
> Hi Sergey,
> 
> As a follow up to this, I'm trying to implement a basic HTTP filter using a
> request handler. Is there a way to obtain the HTTP auth info? I can't find
> it on any of the contexts or message.
> 
> Is there an example of a basic auth client and a request handler or custom
> invoker handling the authentication?
> 
> Thanks,
> Kynan
> 
> 
> Sergey Beryozkin wrote:
>> 
>> Hi Vishal
>> 
>> I'm very sorry for a late reply - I was planning to reply much earlier but
>> then I got swamped with some work and forgot.
>> 
>> There're a number of options, depending on your preferences
>> 
>> 1. Do it in the application code, in the resource class. This may or
>> may not be the best option. Typically this is something users prefer to do
>> outside of the application code. But then you may want to look at the
>> resource class which checks the injected SecurityContexts as the facade,
>> or really as an interceptor, which delegates to the actual application
>> class; this may make this option more viable.
>> 
>> So in this case you have to have
>> @Resource WebServiceContext jaxwsContext;
>> @Context SecurityContext jaxrsSecurityContext;
>> 
>> declared in your code. Next, you need to figure out whether it's a JAXWS
>> or JAXRS invocation in progress, so you can do it like this
>> // not sure at the moment how exactly to get security context from jaxws
>> one
>> if (jaxwsContext.getSecurityContext() == null) {
>>    checkPrincipal(jaxrsSecurityContext.getPrincipal());
>> } else {
>>    checkPrincipal(jaxwsContext.getSecurityContext().getPrincipal());
>> }
>> 
>> 2. Use Spring security - we have some simple tests showing how
>> authentication and authorization can be done
>> 
>> 3. For JAXRS : Use CXF JAX-RS RequestFilter or custom invoker (which
>> simply extends JAXRSInvoker and is registered as an invoker property)
>> where you can get all the info you need (method name, Principal, etc)
>>    For JAXWS : do a custom CXF in Interceptor which will throw Fault if
>> needed.
>> 
>> Perhaps there're more options... Let me know please if you need more info
>> on any of these options.
>> 
>> Cheers, Sergey   
>> 
>> 
>>    
>> 
>> 
>> Vishal.a wrote:
>>> 
>>> Hello All,
>>> 
>>> I have services written that have both JaxRs and Jaxws. I have to
>>> implement security on the services now. There are 2 things I need to do
>>> 
>>> 1. Authentication - Using Basic Http Authentication
>>> 2. Authorization - Secure each and every method.
>>> 
>>> I have seen posts that show me how to do it for either JaxRS or Jaxws; can
>>> someone tell me what would be the best way to approach doing it
>>> for both REST and SOAP.
>>> 
>>> Any help is appreciated.
>>> 
>>> Thanks,
>>> Vishal
>>> 
>> 
>> 
> 
> -- 
> View this message in context: http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24303305.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
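Sergey's custom-invoker route, as an added example written for this page. It is my code, not the CustomJAXRSInvoker systest he links and not part of CXF. It assumes an org.apache.cxf.security.SecurityContext is already on the inbound message (put there by the container's HTTP authentication or by an authentication interceptor) and uses the standard javax.annotation.security.RolesAllowed annotation to declare which roles may call each resource method, denying methods that carry no annotation. The AccountResource class at the bottom is constructed to show the annotations in use.

```java
import java.lang.reflect.Method;
import java.security.Principal;

import javax.annotation.security.RolesAllowed;
import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.JAXRSInvoker;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.MessageContentsList;
import org.apache.cxf.security.SecurityContext;

/**
 * JAX-RS invoker that enforces @RolesAllowed on the resource method about to be
 * called. Installed in place of the default JAXRSInvoker (the server's invoker
 * setting), it runs after CXF has matched the request to a method, so the
 * decision is made per method, not per path prefix.
 */
public class RolesAllowedInvoker extends JAXRSInvoker {

    @Override
    public Object invoke(Exchange exchange, Object request, Object resourceObject) {
        OperationResourceInfo ori = exchange.get(OperationResourceInfo.class);
        // The method that carries the JAX-RS annotations (possibly on an
        // interface); @RolesAllowed is expected on that method or its class.
        Method method = ori.getAnnotatedMethod() != null
            ? ori.getAnnotatedMethod() : ori.getMethodToInvoke();
        RolesAllowed allowed = method.getAnnotation(RolesAllowed.class);
        if (allowed == null) {
            allowed = method.getDeclaringClass().getAnnotation(RolesAllowed.class);
        }
        if (allowed == null) {
            // Deny by default: an unannotated method is a configuration
            // mistake, not an open endpoint.
            return deny(Response.Status.FORBIDDEN, "no roles declared for " + method.getName());
        }
        SecurityContext sc = exchange.getInMessage().get(SecurityContext.class);
        Principal principal = sc == null ? null : sc.getUserPrincipal();
        if (principal == null) {
            return deny(Response.Status.UNAUTHORIZED, "not authenticated");
        }
        for (String role : allowed.value()) {
            if (sc.isUserInRole(role)) {
                return super.invoke(exchange, request, resourceObject);
            }
        }
        return deny(Response.Status.FORBIDDEN,
                    principal.getName() + " may not call " + method.getName());
    }

    // JAXRSInvoker hands results back wrapped in a MessageContentsList, so a
    // short-circuit Response is returned the same way.
    private static Object deny(Response.Status status, String reason) {
        Response.ResponseBuilder builder = Response.status(status).type("text/plain").entity(reason);
        if (status == Response.Status.UNAUTHORIZED) {
            builder.header("WWW-Authenticate", "Basic realm=\"api\"");
        }
        return new MessageContentsList(builder.build());
    }
}

/** Constructed resource showing the annotations the invoker enforces. */
@Path("/accounts")
class AccountResource {

    @GET
    @Path("/{id}")
    @RolesAllowed({"user", "admin"})
    public String get(@PathParam("id") String id) {
        return "account " + id;
    }

    @DELETE
    @Path("/{id}")
    @RolesAllowed("admin")
    public void close(@PathParam("id") String id) {
        // close the account
    }
}
```

The invoker is what Sergey calls the "invoker property" of the server: programmatically that is JAXRSServerFactoryBean.setInvoker(new RolesAllowedInvoker()). Keeping the role list on the method, next to @GET or @DELETE, means a reviewer sees the access rule and the HTTP verb together, and the deny-by-default branch turns a forgotten annotation into a 403 rather than an exposure.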

Re: Security in Jaxws/Jaxrs

Posted by Kynan Fraser <ky...@customware.net>.
Hi Sergey,

As a follow up to this, I'm trying to implement a basic HTTP filter using a
request handler. Is there a way to obtain the HTTP auth info? I can't find
it on any of the contexts or message.

Is there an example of a basic auth client and a request handler or custom
invoker handling the authentication?

Thanks,
Kynan


Sergey Beryozkin wrote:
> 
> Hi Vishal
> 
> I'm very sorry for a late reply - I was planning to reply much earlier but
> then I got swamped with some work and forgot.
> 
> There're a number of options, depending on your preferences
> 
> 1. Do it in the application code, in the resource class. This may or
> may not be the best option. Typically this is something users prefer to do
> outside of the application code. But then you may want to look at the
> resource class which checks the injected SecurityContexts as the facade,
> or really as an interceptor, which delegates to the actual application
> class; this may make this option more viable.
> 
> So in this case you have to have
> @Resource WebServiceContext jaxwsContext;
> @Context SecurityContext jaxrsSecurityContext;
> 
> declared in your code. Next, you need to figure out whether it's a JAXWS
> or JAXRS invocation in progress, so you can do it like this
> // not sure at the moment how exactly to get security context from jaxws
> one
> if (jaxwsContext.getSecurityContext() == null) {
>    checkPrincipal(jaxrsSecurityContext.getPrincipal());
> } else {
>    checkPrincipal(jaxwsContext.getSecurityContext().getPrincipal());
> }
> 
> 2. Use Spring security - we have some simple tests showing how
> authentication and authorization can be done
> 
> 3. For JAXRS : Use CXF JAX-RS RequestFilter or custom invoker (which
> simply extends JAXRSInvoker and is registered as an invoker property)
> where you can get all the info you need (method name, Principal, etc)
>    For JAXWS : do a custom CXF in Interceptor which will throw Fault if
> needed.
> 
> Perhaps there're more options... Let me know please if you need more info
> on any of these options.
> 
> Cheers, Sergey   
> 
> 
>    
> 
> 
> Vishal.a wrote:
>> 
>> Hello All,
>> 
>> I have services written that have both JaxRs and Jaxws. I have to
>> implement security on the services now. There are 2 things I need to do
>> 
>> 1. Authentication - Using Basic Http Authentication
>> 2. Authorization - Secure each and every method.
>> 
>> I have seen posts that show me how to do it for either JaxRS or Jaxws; can
>> someone tell me what would be the best way to approach doing it
>> for both REST and SOAP.
>> 
>> Any help is appreciated.
>> 
>> Thanks,
>> Vishal
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24303305.html
Sent from the cxf-user mailing list archive at Nabble.com.