Posted to users@cxf.apache.org by johnpfeifer4 <jo...@gmail.com> on 2010/02/01 19:51:44 UTC

Spring Security with CXF JMS Endpoint

I was wondering if anyone has an example of implementing Spring Security with a
CXF JMS Endpoint.  We currently secure all of our endpoints with the
<security:http> element, limiting access to certain endpoints to a
particular role(s).

Now we have a requirement to enforce security for JMS endpoints.  It seems
that the listener that picks it off the JMS queue would have to know where
to find the credentials on the message.   Perhaps we need to write our own
interceptors to do this? 

I figured I would post here before I start my own investigation.  Any help
would be greatly appreciated.

Thanks,

John 

-- 
View this message in context: http://old.nabble.com/Spring-Security-with-CXF-JMS-Endpoint-tp27409262p27409262.html
Sent from the cxf-user mailing list archive at Nabble.com.


Re: Spring Security with CXF JMS Endpoint

Posted by johnpfeifer4 <jo...@gmail.com>.
Actually we are using mule to perform an HTTP/JMS protocol bridge using basic
authentication as the authentication scheme.  Our messages are SOAP
messages.  We can pass along the Authorization HTTP Header on the JMS
message.

We then have CXF JMS Endpoints which listen to the JMS queue and process the
messages.  Currently we have no security enabled for these endpoints, but
I'd like to use Spring Security Annotations to annotate our WebMethods.

The problem that I'm having is that we need something similar to the
org.springframework.web.filter.DelegatingFilterProxy (which intercepts http
requests and binds the security tokens to the current thread) which will
validate the user/password and populate the necessary security tokens used by
spring security.  This needs to happen after the message is pulled from the
queue but before unmarshalling occurs and the service is invoked.

Hope this helps!

John

Andreas Veithen-2 wrote:
> 
> What is the protocol that you are going to use? WS-Security with SOAP/JMS?
> 
> Andreas
> 
> On Mon, Feb 1, 2010 at 19:51, johnpfeifer4 <jo...@gmail.com> wrote:
>>
>> I was wondering if anyone has an example of implement spring security
>> with a
>> CXF JMS Endpoint.  We currently secure all of our endpoints with the
>> <security:http> element, limiting access to certain endpoints to a
>> particular role(s).
>>
>> Now we have a requirement to enforce security for JMS endpoints.  It
>> seems
>> that the listener that picks it off the JMS queue would have to know
>> where
>> to find the credentials on the message.   Perhaps we need to write our
>> own
>> interceptors to do this?
>>
>> I figured I would post here before I start my own investigation.  Any
>> help
>> would be greatly appreciated.
>>
>> Thanks,
>>
>> John
>>
>> --
>> View this message in context:
>> http://old.nabble.com/Spring-Security-with-CXF-JMS-Endpoint-tp27409262p27409262.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
>>
> 
> 



Re: Spring Security with CXF JMS Endpoint

Posted by Andreas Veithen <an...@gmail.com>.
What is the protocol that you are going to use? WS-Security with SOAP/JMS?

Andreas

On Mon, Feb 1, 2010 at 19:51, johnpfeifer4 <jo...@gmail.com> wrote:
>
> I was wondering if anyone has an example of implement spring security with a
> CXF JMS Endpoint.  We currently secure all of our endpoints with the
> <security:http> element, limiting access to certain endpoints to a
> particular role(s).
>
> Now we have a requirement to enforce security for JMS endpoints.  It seems
> that the listener that picks it off the JMS queue would have to know where
> to find the credentials on the message.   Perhaps we need to write our own
> interceptors to do this?
>
> I figured I would post here before I start my own investigation.  Any help
> would be greatly appreciated.
>
> Thanks,
>
> John
>
> --
> View this message in context: http://old.nabble.com/Spring-Security-with-CXF-JMS-Endpoint-tp27409262p27409262.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>

Re: Spring Security with CXF JMS Endpoint

Posted by Daniel Kulp <dk...@apache.org>.
On Mon February 1 2010 4:55:27 pm johnpfeifer4 wrote:
> I've done some digging... I'm going to need the username and password to
> validate against our spring security authentication provider.
> 
> I'm thinking that I could configure the interceptor to look for user/pass
>  in JMS Headers or in a single header (in the case of Basic Auth).  I'll
>  have to dig around a bit more and let you know what I find.

Yea.   If you need that, then the JMSXUserID wouldn't be appropriate.   In 
that case, you would call message.get(Message.PROTOCOL_HEADERS) and get the 
header out of there.    

Dan

> 
> Thanks,
> 
> John
> 
> Andreas Veithen-2 wrote:
> > Isn't the JMSXUserID set to the user who connected to the broker?
> > Since John's use case is a HTTP->JMS bridge with HTTP Basic Auth, I
> > would be surprised that the connection to the broker is opened using
> > the credentials of the user who submitted the HTTP request.
> >
> > Andreas
> >
> > On Mon, Feb 1, 2010 at 21:16, Daniel Kulp <dk...@apache.org> wrote:
> >> Christian recently did some updates to the JMS transport to pull the
> >> JMSXUserID from the JMS Message and stick that into our SecurityContext.
> >>   You
> >> would probably need an interceptor that would then take that and feed
> >> that
> >> into the Spring security context.      If you do develop some
> >> interceptors for
> >> this, we'd love to have them.  :-)
> >>
> >> Dan
> >>
> >> On Mon February 1 2010 1:51:44 pm johnpfeifer4 wrote:
> >>> I was wondering if anyone has an example of implement spring security
> >>> with
> >>>  a CXF JMS Endpoint.  We currently secure all of our endpoints with the
> >>>  <security:http> element, limiting access to certain endpoints to a
> >>>  particular role(s).
> >>>
> >>> Now we have a requirement to enforce security for JMS endpoints.  It
> >>> seems
> >>> that the listener that picks it off the JMS queue would have to know
> >>> where
> >>> to find the credentials on the message.   Perhaps we need to write our
> >>> own
> >>> interceptors to do this?
> >>>
> >>> I figured I would post here before I start my own investigation.  Any
> >>> help
> >>> would be greatly appreciated.
> >>>
> >>> Thanks,
> >>>
> >>> John
> >>
> >> --
> >> Daniel Kulp
> >> dkulp@apache.org
> >> http://www.dankulp.com/blog
> 

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
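
The interceptor approach discussed in this thread (read the Basic credential from Message.PROTOCOL_HEADERS, validate it, bind the result to the listener thread before unmarshalling), as an added example that is not code from any poster, from CXF or from the cxf-spring-security project. Assumptions: Java 8+, Spring Security 3+ package names, a bridge that copies the HTTP Authorization value into a JMS property named "Authorization", and a hypothetical class name.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;

// Hypothetical class; added example, not CXF or cxf-spring-security code.
public class BasicAuthHeaderInterceptor extends AbstractPhaseInterceptor<Message> {
    private static final String HEADER = "Authorization"; // assumed name set by the bridge
    private final AuthenticationManager authenticationManager;

    public BasicAuthHeaderInterceptor(AuthenticationManager authenticationManager) {
        super(Phase.RECEIVE); // first inbound phase, before unmarshalling and invocation
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // Listener threads are reused: drop any identity left from a previous message.
        SecurityContextHolder.clearContext();
        try {
            String[] creds = parseBasic(findHeader(message));
            SecurityContextHolder.getContext().setAuthentication(authenticationManager.authenticate(
                    new UsernamePasswordAuthenticationToken(creds[0], creds[1])));
        } catch (AuthenticationException | IllegalArgumentException e) { // fail closed
            throw new Fault(new SecurityException("Authentication failed")); // no credential echo
        }
    }

    @Override
    public void handleFault(Message message) {
        SecurityContextHolder.clearContext();
    }

    @SuppressWarnings("unchecked")
    private static String findHeader(Message message) {
        Map<String, List<String>> headers =
                (Map<String, List<String>>) message.get(Message.PROTOCOL_HEADERS);
        List<String> values = headers == null ? null : headers.get(HEADER);
        if (values == null || values.isEmpty()) {
            throw new IllegalArgumentException("missing credentials header");
        }
        return values.get(0);
    }

    static String[] parseBasic(String value) {
        if (value == null || !value.regionMatches(true, 0, "Basic ", 0, 6)) {
            throw new IllegalArgumentException("not a Basic credential");
        }
        byte[] raw = Base64.getDecoder().decode(value.substring(6).trim());
        String decoded = new String(raw, StandardCharsets.UTF_8);
        int colon = decoded.indexOf(':'); // split on the first ':'; the password may contain more
        if (colon < 1) {
            throw new IllegalArgumentException("malformed credential");
        }
        return new String[] {decoded.substring(0, colon), decoded.substring(colon + 1)};
    }
}
```

Registered as an in-interceptor on the JMS endpoint, this rejects any message whose header is missing, malformed or fails authentication, so an unauthenticated message never reaches the annotated service method.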

Re: Spring Security with CXF JMS Endpoint

Posted by Christian Schneider <ch...@die-schneider.net>.
Hi John,

some time ago I wrote a really small HTTP2JMSBridge 
(http://www.liquid-reality.de:8080/display/liquid/HTTP2JMSBridge).
It has the ability to create a connection to the jms provider with the 
username/password given to it by using http basic auth.
The bridge even pools the connections.

Having said that the code is probably not production ready but it is 
apache licensed. So I am sure you can tweak it to your needs.

Greetings

Christian

Am 01.02.2010 22:55, schrieb johnpfeifer4:
> I've done some digging... I'm going to need the username and password to
> validate against our spring security authentication provider.
>
> I'm thinking that I could configure the interceptor to look for user/pass in
> JMS Headers or in a single header (in the case of Basic Auth).  I'll have to
> dig around a bit more and let you know what I find.
>
> Thanks,
>
> John
>    

-- 

Christian Schneider
---
http://www.liquid-reality.de


Re: Spring Security with CXF JMS Endpoint

Posted by Andreas Veithen <an...@gmail.com>.
John,

Some time ago I started to develop a set of components (interceptors,
callback handlers and features) to simplify integration between CXF
and Spring Security. I've extended this a bit and wrote some
documentation. The code is available as a Google Code project [1]. If
you go for the two-headers approach, then your use case can be
implemented with the existing components. Please refer to [2] for the
documentation.

Andreas

PS: The intention is still to make this code part of the CXF
distribution. Several people were interested in this, but until now I
was unable to recruit anybody to test, review and/or complete the
code.

[1] http://code.google.com/p/cxf-spring-security/
[2] http://code.google.com/p/cxf-spring-security/wiki/Documentation

On Mon, Feb 1, 2010 at 22:55, johnpfeifer4 <jo...@gmail.com> wrote:
>
> I've done some digging... I'm going to need the username and password to
> validate against our spring security authentication provider.
>
> I'm thinking that I could configure the interceptor to look for user/pass in
> JMS Headers or in a single header (in the case of Basic Auth).  I'll have to
> dig around a bit more and let you know what I find.
>
> Thanks,
>
> John
>
> Andreas Veithen-2 wrote:
>>
>> Isn't the JMSXUserID set to the user who connected to the broker?
>> Since John's use case is a HTTP->JMS bridge with HTTP Basic Auth, I
>> would be surprised that the connection to the broker is opened using
>> the credentials of the user who submitted the HTTP request.
>>
>> Andreas
>>
>> On Mon, Feb 1, 2010 at 21:16, Daniel Kulp <dk...@apache.org> wrote:
>>>
>>> Christian recently did some updates to the JMS transport to pull the
>>> JMSXUserID from the JMS Message and stick that into our SecurityContext.
>>>   You
>>> would probably need an interceptor that would then take that and feed
>>> that
>>> into the Spring security context.      If you do develop some
>>> interceptors for
>>> this, we'd love to have them.  :-)
>>>
>>> Dan
>>>
>>>
>>>
>>>
>>> On Mon February 1 2010 1:51:44 pm johnpfeifer4 wrote:
>>>> I was wondering if anyone has an example of implement spring security
>>>> with
>>>>  a CXF JMS Endpoint.  We currently secure all of our endpoints with the
>>>>  <security:http> element, limiting access to certain endpoints to a
>>>>  particular role(s).
>>>>
>>>> Now we have a requirement to enforce security for JMS endpoints.  It
>>>> seems
>>>> that the listener that picks it off the JMS queue would have to know
>>>> where
>>>> to find the credentials on the message.   Perhaps we need to write our
>>>> own
>>>> interceptors to do this?
>>>>
>>>> I figured I would post here before I start my own investigation.  Any
>>>> help
>>>> would be greatly appreciated.
>>>>
>>>> Thanks,
>>>>
>>>> John
>>>>
>>>
>>> --
>>> Daniel Kulp
>>> dkulp@apache.org
>>> http://www.dankulp.com/blog
>>>
>>
>>
>
> --
> View this message in context: http://old.nabble.com/Spring-Security-with-CXF-JMS-Endpoint-tp27409262p27412082.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>

Re: Spring Security with CXF JMS Endpoint

Posted by johnpfeifer4 <jo...@gmail.com>.
I've done some digging... I'm going to need the username and password to
validate against our spring security authentication provider.

I'm thinking that I could configure the interceptor to look for user/pass in
JMS Headers or in a single header (in the case of Basic Auth).  I'll have to
dig around a bit more and let you know what I find.

Thanks,

John

Andreas Veithen-2 wrote:
> 
> Isn't the JMSXUserID set to the user who connected to the broker?
> Since John's use case is a HTTP->JMS bridge with HTTP Basic Auth, I
> would be surprised that the connection to the broker is opened using
> the credentials of the user who submitted the HTTP request.
> 
> Andreas
> 
> On Mon, Feb 1, 2010 at 21:16, Daniel Kulp <dk...@apache.org> wrote:
>>
>> Christian recently did some updates to the JMS transport to pull the
>> JMSXUserID from the JMS Message and stick that into our SecurityContext.
>>   You
>> would probably need an interceptor that would then take that and feed
>> that
>> into the Spring security context.      If you do develop some
>> interceptors for
>> this, we'd love to have them.  :-)
>>
>> Dan
>>
>>
>>
>>
>> On Mon February 1 2010 1:51:44 pm johnpfeifer4 wrote:
>>> I was wondering if anyone has an example of implement spring security
>>> with
>>>  a CXF JMS Endpoint.  We currently secure all of our endpoints with the
>>>  <security:http> element, limiting access to certain endpoints to a
>>>  particular role(s).
>>>
>>> Now we have a requirement to enforce security for JMS endpoints.  It
>>> seems
>>> that the listener that picks it off the JMS queue would have to know
>>> where
>>> to find the credentials on the message.   Perhaps we need to write our
>>> own
>>> interceptors to do this?
>>>
>>> I figured I would post here before I start my own investigation.  Any
>>> help
>>> would be greatly appreciated.
>>>
>>> Thanks,
>>>
>>> John
>>>
>>
>> --
>> Daniel Kulp
>> dkulp@apache.org
>> http://www.dankulp.com/blog
>>
> 
> 



Re: Spring Security with CXF JMS Endpoint

Posted by Andreas Veithen <an...@gmail.com>.
Isn't the JMSXUserID set to the user who connected to the broker?
Since John's use case is a HTTP->JMS bridge with HTTP Basic Auth, I
would be surprised that the connection to the broker is opened using
the credentials of the user who submitted the HTTP request.

Andreas

On Mon, Feb 1, 2010 at 21:16, Daniel Kulp <dk...@apache.org> wrote:
>
> Christian recently did some updates to the JMS transport to pull the
> JMSXUserID from the JMS Message and stick that into our SecurityContext.   You
> would probably need an interceptor that would then take that and feed that
> into the Spring security context.      If you do develop some interceptors for
> this, we'd love to have them.  :-)
>
> Dan
>
>
>
>
> On Mon February 1 2010 1:51:44 pm johnpfeifer4 wrote:
>> I was wondering if anyone has an example of implement spring security with
>>  a CXF JMS Endpoint.  We currently secure all of our endpoints with the
>>  <security:http> element, limiting access to certain endpoints to a
>>  particular role(s).
>>
>> Now we have a requirement to enforce security for JMS endpoints.  It seems
>> that the listener that picks it off the JMS queue would have to know where
>> to find the credentials on the message.   Perhaps we need to write our own
>> interceptors to do this?
>>
>> I figured I would post here before I start my own investigation.  Any help
>> would be greatly appreciated.
>>
>> Thanks,
>>
>> John
>>
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
>

Re: Spring Security with CXF JMS Endpoint

Posted by Daniel Kulp <dk...@apache.org>.
On Mon February 1 2010 3:25:23 pm johnpfeifer4 wrote:
> Dan,
> 
> We have to get this done ASAP so we're willing to do the development (and
> contribute).  Can you tell me if this code is in the latest release
>  version?

Yep.   It's in 2.2.6.    From any interceptor, you can call:

SecurityContext sc = message.get(SecurityContext.class);
sc.getPrincipal();

Which SHOULD have the username set on it providing the JMS provider has been 
set up to provide that information.


Dan


> 
> Thanks,
> 
> John
> 
> dkulp wrote:
> > Christian recently did some updates to the JMS transport to pull the
> > JMSXUserID from the JMS Message and stick that into our SecurityContext.
> > You
> > would probably need an interceptor that would then take that and feed
> > that into the Spring security context.      If you do develop some
> > interceptors for
> > this, we'd love to have them.  :-)
> >
> > Dan
> >
> > On Mon February 1 2010 1:51:44 pm johnpfeifer4 wrote:
> >> I was wondering if anyone has an example of implement spring security
> >> with
> >>  a CXF JMS Endpoint.  We currently secure all of our endpoints with the
> >>  <security:http> element, limiting access to certain endpoints to a
> >>  particular role(s).
> >>
> >> Now we have a requirement to enforce security for JMS endpoints.  It
> >> seems
> >> that the listener that picks it off the JMS queue would have to know
> >> where
> >> to find the credentials on the message.   Perhaps we need to write our
> >> own
> >> interceptors to do this?
> >>
> >> I figured I would post here before I start my own investigation.  Any
> >> help
> >> would be greatly appreciated.
> >>
> >> Thanks,
> >>
> >> John
> 

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog

RE: Spring Security with CXF JMS Endpoint

Posted by Sergey Beryozkin <sb...@progress.com>.
Hi

dkulp wrote:
> 
> 
> Christian recently did some updates to the JMS transport to pull the
> JMSXUserID from the JMS Message and stick that into our SecurityContext.
> You would probably need an interceptor that would then take that and feed
> that into the Spring security context.      If you do develop some
> interceptors for this, we'd love to have them.  :-)

Hope these interceptors will work for CXF JAXRS services getting JMS
messages too :-), given that CXF SecurityContext is neutral enough

Cheers, Sergey

> 
> Dan
> 
> 
> 
> 
> On Mon February 1 2010 1:51:44 pm johnpfeifer4 wrote:
>> I was wondering if anyone has an example of implement spring security
>> with a CXF JMS Endpoint.  We currently secure all of our endpoints with
>> the <security:http> element, limiting access to certain endpoints to a
>> particular role(s).
>> 
>> Now we have a requirement to enforce security for JMS endpoints.  It
>> seems that the listener that picks it off the JMS queue would have to know
>> where to find the credentials on the message.   Perhaps we need to write
>> our own interceptors to do this?
>> 
>> I figured I would post here before I start my own investigation.  Any
>> help
>> would be greatly appreciated.
>> 
>> Thanks,
>> 
>> John
>> 
> 
> -- 
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
> 
> 



Re: Spring Security with CXF JMS Endpoint

Posted by johnpfeifer4 <jo...@gmail.com>.
Dan,

We have to get this done ASAP so we're willing to do the development (and
contribute).  Can you tell me if this code is in the latest release version?  

Thanks,

John

dkulp wrote:
> 
> 
> Christian recently did some updates to the JMS transport to pull the 
> JMSXUserID from the JMS Message and stick that into our SecurityContext.  
> You 
> would probably need an interceptor that would then take that and feed that 
> into the Spring security context.      If you do develop some interceptors
> for 
> this, we'd love to have them.  :-)
> 
> Dan
> 
> 
> 
> 
> On Mon February 1 2010 1:51:44 pm johnpfeifer4 wrote:
>> I was wondering if anyone has an example of implement spring security
>> with
>>  a CXF JMS Endpoint.  We currently secure all of our endpoints with the
>>  <security:http> element, limiting access to certain endpoints to a
>>  particular role(s).
>> 
>> Now we have a requirement to enforce security for JMS endpoints.  It
>> seems
>> that the listener that picks it off the JMS queue would have to know
>> where
>> to find the credentials on the message.   Perhaps we need to write our
>> own
>> interceptors to do this?
>> 
>> I figured I would post here before I start my own investigation.  Any
>> help
>> would be greatly appreciated.
>> 
>> Thanks,
>> 
>> John
>> 
> 
> -- 
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
> 
> 



Re: Spring Security with CXF JMS Endpoint

Posted by Daniel Kulp <dk...@apache.org>.
Christian recently did some updates to the JMS transport to pull the 
JMSXUserID from the JMS Message and stick that into our SecurityContext.   You 
would probably need an interceptor that would then take that and feed that 
into the Spring security context.      If you do develop some interceptors for 
this, we'd love to have them.  :-)

Dan




On Mon February 1 2010 1:51:44 pm johnpfeifer4 wrote:
> I was wondering if anyone has an example of implement spring security with
>  a CXF JMS Endpoint.  We currently secure all of our endpoints with the
>  <security:http> element, limiting access to certain endpoints to a
>  particular role(s).
> 
> Now we have a requirement to enforce security for JMS endpoints.  It seems
> that the listener that picks it off the JMS queue would have to know where
> to find the credentials on the message.   Perhaps we need to write our own
> interceptors to do this?
> 
> I figured I would post here before I start my own investigation.  Any help
> would be greatly appreciated.
> 
> Thanks,
> 
> John
> 

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog