Posted to users@cxf.apache.org by Alp Timurhan Çevik <at...@promed.com.tr> on 2011/03/21 17:08:48 UTC

Authorization & Custom fields

Hello,

 

As I tried to state in my previous message, I have a scenario that involves having some custom fields for auth information and I am trying to use Spring Security with the auth info. I am not using WS-Security, but would like to support it for the new clients, whereas the old clients should not be required to send data with WS-Security.

 

Further getting into the concept, I tried to implement the handlers such that;

 

1.       Intercept the oncoming message, which has fields like <user>sdsd</user><password>asas</password>

2.       Use WSS4JOutInterceptor to add WS-Security related headers, if headers are not present

3.       Intercept the same message again with WSS4JInInterceptor,

a.       and use spring security for checking auth info (this part is unclear yet)

b.      could use JAAS here instead of WSS4JInInterceptor

4.       Use a simple authorizing interceptor to check methods and roles. The method-to-role mapping is needed, as different services run different methods.

 

So, the idea is to use the custom fields for keeping auth info and to construct the WS-Security related information from these fields.

 

-          Do you think that makes sense, or am I just messing around?

-          I have played around with phases, but have not been able to complete step 2. Does anyone have an idea how to do that?

 

Cheers,

Alp


Re: Authorization & Custom fields

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

Here is a brief overview of how CXF can help.

JAASLoginInterceptor can get a CXF-specific UsernameToken (a simple bean
containing the name, password, etc.) or an AuthorizationInfo bean (populated by
transport-specific Destinations, for example from the HTTP Authorization header)
and delegate to the container-managed authentication
sub-system... JAASLoginInterceptor does not bypass it, it simply lets users
avoid relying on updating web.xml for this to happen, and it will work
with Karaf/etc...

So, when we are talking about the legacy clients, you can have the custom fields
extracted and a UsernameToken created and saved on the current message, and
JAASLoginInterceptor will populate the SecurityContext (with Principal, roles,
etc.).

When you have WS-Security aware clients, you have two options. One is to
register custom interceptors which will work with WSS4J Principals. If you
have not only UsernameTokens to deal with then it's the only option.
Another option is to set a "ws-security.validate.token" property, and this
will let you reuse JAASLoginInterceptor for populating the
SecurityContext.

The SecurityContext populated by JAASLoginInterceptor can be cast to
LoginSecurityContext, which will give you access to the actual roles and
Subject. This can be used for example to bridge between CXF SecurityContexts
and Spring Security contexts...

Hope it helps a bit
Sergey

2011/3/21 Alp Timurhan Çevik <at...@promed.com.tr>

> Hello,
>
>
>
> As I tried to state in my previous message, I have a scenario that involves
> having some custom fields for auth information and I am trying to use Spring
> Security with the auth info. I am not using WS-Security, but would like to
> support it for the new clients, whereas the old clients should not be
> required to send data with WS-Security.
>
>
>
> Further getting into the concept, I tried to implement the handlers such
> that;
>
>
>
> 1.       Intercept the oncoming message, which has fields like
> <user>sdsd</user><password>asas</password>
>
> 2.       Use WSS4JOutInterceptor to add WS-Security related headers, if
> headers are not present
>
> 3.       Intercept the same message again with WSS4JInInterceptor,
>
> a.       and use spring security for checking auth info (this part is
> unclear yet)
>
> b.      could use JAAS here instead of WSS4JInInterceptor
>
> 4.       Use a simple authorizing interceptor to check methods and roles. The
> method-to-role mapping is needed, as different services run different
> methods.
>
>
>
> So, the idea is to use the custom fields for keeping auth info and to
> construct the WS-Security related information from these fields.
>
>
>
> -          Do you think that makes sense, or am I just messing around?
>
> -          I have played around with phases, but have not been able to
> complete step 2. Does anyone have an idea how to do that?
>
>
>
> Cheers,
>
> Alp


-- 
Sergey Beryozkin

Application Integration Division of Talend <http://www.talend.com>
http://sberyozkin.blogspot.com
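The approach Sergey sketches above (and the four-step plan in Alp's question it replaces), put into code as an added example. This is not code from the thread or from CXF itself; it is written against the CXF 2.3/2.4-era interceptor API, WSS4J 1.5/1.6 and Spring Security 3.1, and it assumes that the legacy clients send the credentials as <user> and <password> elements somewhere in the SOAP body (namespace not checked), that a JAAS login configuration named "MyAppRealm" exists, and that the service exposes methods called getReport and deleteReport guarded by the roles reader and manager. All of those names are placeholders chosen for the example.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import javax.xml.soap.SOAPMessage;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.binding.soap.interceptor.AbstractSoapInterceptor;
import org.apache.cxf.binding.soap.saaj.SAAJInInterceptor;
import org.apache.cxf.common.security.SecurityToken;
import org.apache.cxf.common.security.UsernameToken;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor;
import org.apache.cxf.jaxws.JaxWsServerFactoryBean;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.LoginSecurityContext;
import org.apache.cxf.security.SecurityContext;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.w3c.dom.NodeList;

/** Legacy clients: lift <user>/<password> out of the SOAP body into a CXF UsernameToken. */
public class LegacyCredentialsInInterceptor extends AbstractSoapInterceptor {
    public LegacyCredentialsInInterceptor() {
        super(Phase.PRE_PROTOCOL);            // the phase WSS4JInInterceptor also runs in
        getAfter().add(SAAJInInterceptor.class.getName()); // needs the SAAJ tree
    }

    public void handleMessage(SoapMessage message) throws Fault {
        SOAPMessage doc = message.getContent(SOAPMessage.class);
        if (doc == null) {
            throw new Fault(new IllegalStateException("SAAJInInterceptor must run first"));
        }
        try {
            // Assumed element names (user/password); any namespace is accepted.
            NodeList users = doc.getSOAPBody().getElementsByTagNameNS("*", "user");
            NodeList passwords = doc.getSOAPBody().getElementsByTagNameNS("*", "password");
            if (users.getLength() == 0 || passwords.getLength() == 0) {
                return;   // no token on the message; JAASLoginInterceptor then rejects the call
            }
            // Plain-text password type: this endpoint must only be reachable over TLS.
            UsernameToken token = new UsernameToken(users.item(0).getTextContent(),
                    passwords.item(0).getTextContent(), WSConstants.PASSWORD_TEXT, false, null, null);
            message.put(SecurityToken.class, token);
        } catch (Exception e) {
            throw new Fault(e);
        }
    }
}

/** Copy the SecurityContext that JAASLoginInterceptor built into Spring Security's holder. */
class SpringSecurityBridgeInterceptor extends AbstractPhaseInterceptor<Message> {
    public SpringSecurityBridgeInterceptor() {
        super(Phase.PRE_INVOKE);              // after UNMARSHAL, where JAASLoginInterceptor runs
    }

    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        if (!(sc instanceof LoginSecurityContext) || sc.getUserPrincipal() == null) {
            throw new Fault(new SecurityException("Request was not authenticated")); // fail closed
        }
        LoginSecurityContext lsc = (LoginSecurityContext) sc;
        ArrayList<GrantedAuthority> authorities = new ArrayList<GrantedAuthority>();
        for (Principal role : lsc.getUserRoles()) {
            authorities.add(new SimpleGrantedAuthority("ROLE_" + role.getName()));
        }
        // Credentials were already verified by JAAS, so none are carried into Spring.
        SecurityContextHolder.getContext().setAuthentication(
                new UsernamePasswordAuthenticationToken(lsc.getUserPrincipal(), null, authorities));
    }
}

/** Endpoint wiring; realm name, method names and roles are assumed for the example. */
final class SecuredEndpoints {
    public static void configure(JaxWsServerFactoryBean sf, boolean wsSecurityClients) {
        if (wsSecurityClients) {
            Map<String, Object> wss = new HashMap<String, Object>();
            wss.put(WSHandlerConstants.ACTION, WSHandlerConstants.USERNAME_TOKEN);
            sf.getInInterceptors().add(new WSS4JInInterceptor(wss));
            Map<String, Object> props = new HashMap<String, Object>();
            props.put("ws-security.validate.token", "false"); // defer validation to JAAS
            sf.setProperties(props);
        } else {
            sf.getInInterceptors().add(new SAAJInInterceptor());
            sf.getInInterceptors().add(new LegacyCredentialsInInterceptor());
        }
        JAASLoginInterceptor jaas = new JAASLoginInterceptor();
        jaas.setContextName("MyAppRealm");
        SimpleAuthorizingInterceptor authz = new SimpleAuthorizingInterceptor();
        Map<String, String> methodRoles = new HashMap<String, String>();
        methodRoles.put("getReport", "reader manager");   // space-separated role list
        methodRoles.put("deleteReport", "manager");
        authz.setMethodRolesMap(methodRoles);
        sf.getInInterceptors().add(jaas);
        sf.getInInterceptors().add(new SpringSecurityBridgeInterceptor());
        sf.getInInterceptors().add(authz);
    }
}
```

Two practical checks go with this. SecurityContextHolder is thread-local and CXF serves requests from a thread pool, so an out (and out-fault) interceptor should call SecurityContextHolder.clearContext() after the invocation, or the next request on that thread inherits the previous caller's Authentication. And SimpleAuthorizingInterceptor only constrains the methods present in its map, so every operation the service exposes should be listed there; confirm for the CXF version in use how it treats methods absent from the map before relying on it as a deny-by-default control.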