Posted to users@cxf.apache.org by Jose María Zaragoza <de...@gmail.com> on 2013/02/25 10:01:46 UTC
Security for WS & REST clients
Hi:
I'm a newbie at using the CXF framework and I'd like to make the best choice
about security matters (authorization/authentication).
Maybe more expert users can help me.
I need to develop JAX-WS (SOAP/HTTP) and JAX-RS (XML/JSON/HTTP)
services and I need to get the client ID who is calling that web
service for loading custom config files by client profile/role.
Sometimes, it will be the same implementation but a different protocol
binding (I think the CXF framework allows this feature).
1)
I would like to use a standard authentication/authorization model.
I've seen WS-Security but I think that it only works with SOAP
messages, am I wrong? Could it be used with REST clients/services?
2)
Another choice is to use HTTP Authentication. For example, I could use
the Realm mechanism implemented by Tomcat to authenticate users.
That is supported by SOAP/HTTP and REST/JSON/HTTP clients.
Could I retrieve the client ID (Principal) from WebServiceContext with
HTTP Authentication?
Do I need to get the HTTPRequest to get the client ID?
3)
As I told you, I want to load custom config files by client
profile/role calling a service.
Could I implement this with an interceptor, and have this interceptor
update the 'service call' with custom values?
What is the best way to face this issue?
I want to perform something like Filters (Servlet) and update the request
context with custom info by client/user/role.
Thanks
Best regards
Re: Security for WS & REST clients
Posted by Freeman Fang <fr...@gmail.com>.
Hi,
Just take a look at JAASLoginInterceptor[1]; the handleMessage method has all the necessary code you need.
[1]https://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/JAASLoginInterceptor.java
-------------
Freeman(Yue) Fang
Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋
On 2013-2-25, at 下午7:42, Jose María Zaragoza wrote:
> Thanks
> Sounds good
>
> Do you have any example to "retrieve username/password from Http Basic
> auth and create SecurityContext accordingly and delegate to your
> container jaas(tomcat, karaf, etc)" ?
>
> I've seen this link
>
> http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/
> But this example looks to be making authentication by hand, no JAAS module.
>
> You say that JAASLoginInterceptor can retrieve user/password but I
> don't know how to 'create SecurityContext' nor how to 'delegate to
> your container jaas'.
>
> And I don't know how I can implement another interceptor (if it's the
> same one that authenticates it would be easy, but I'd like to make 2 different
> ones) to extract Principal info for loading config files by user.
>
> If you know about some example about these issues, I would appreciate it.
>
> Thanks and best regards
>
>
>
>
> 2013/2/25 Freeman Fang <fr...@gmail.com>:
>> Hi,
>>
>> My comment inline
>> -------------
>> Freeman(Yue) Fang
>>
>> Red Hat, Inc.
>> FuseSource is now part of Red Hat
>> Web: http://fusesource.com | http://www.redhat.com/
>> Twitter: freemanfang
>> Blog: http://freemanfang.blogspot.com
>> http://blog.sina.com.cn/u/1473905042
>> weibo: @Freeman小屋
>>
>> On 2013-2-25, at 下午5:01, Jose María Zaragoza wrote:
>>
>>> Hi:
>>>
>>> I'm a newbie at using the CXF framework and I'd like to make the best choice
>>> about security matters (authorization/authentication).
>>> Maybe more expert users can help me.
>>>
>>>
>>> I need to develop JAX-WS (SOAP/HTTP) and JAX-RS (XML/JSON/HTTP)
>>> services and I need to get the client ID who is calling that web
>>> service for loading custom config files by client profile/role .
>>> Sometimes, it will be the same implementation but a different protocol
>>> binding (I think the CXF framework allows this feature).
>>>
>>>
>>> 1)
>>>
>>> I would like to use a standard authentication/authorization model.
>>> I've seen WS-Security but I think that it only works with SOAP
>>> messages, am I wrong ? could it be used with REST client/services?
>> Yes, the UsernameToken ws-security stuff is based on SOAP message so it won't work with REST typically.
>>>
>>>
>>> 2)
>>>
>>> Another choice is to use HTTP Authentication. For example, I could use
>>> the Realm mechanism implemented by Tomcat to authenticate users.
>>> That is supported by SOAP/HTTP and REST/JSON/HTTP clients.
>>>
>>> Could I retrieve the client ID (Principal) from WebServiceContext with
>>> HTTP Authentication?
>>> Do I need to get the HTTPRequest to get the client ID?
>> Yeah, you can use HTTP basic auth both for SOAP and REST service
>> You can simply use org.apache.cxf.interceptor.security.JAASLoginInterceptor, which can retrieve username/password from Http Basic auth and create SecurityContext accordingly and delegate to your container jaas(tomcat, karaf, etc)
>>>
>>>
>>> 3)
>>>
>>> As I told you, I want to load custom config files by client
>>> profile/role calling a service
>>> Could I implement this with an interceptor, and have this interceptor
>>> update the 'service call' with custom values?
>>> What is the best way to face this issue ?
>>>
>> yeah, an interceptor usually is the way to go
>>> I want to perform something like Filters (Servlet) and update requests
>>> context with custom info by client/user/role
>>>
>>>
>>> Thanks
>>> Best regards
>>
Re: Security for WS & REST clients
Posted by Jose María Zaragoza <de...@gmail.com>.
Thanks
Sounds good
Do you have any example to "retrieve username/password from Http Basic
auth and create SecurityContext accordingly and delegate to your
container jaas(tomcat, karaf, etc)"?
I've seen this link
http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/
But this example looks to be making authentication by hand, no JAAS module.
You say that JAASLoginInterceptor can retrieve user/password but I
don't know how to 'create SecurityContext' nor how to 'delegate to
your container jaas'.
And I don't know how I can implement another interceptor (if it's the
same one that authenticates it would be easy, but I'd like to make 2 different
ones) to extract Principal info for loading config files by user.
If you know about some example about these issues, I would appreciate it.
Thanks and best regards
2013/2/25 Freeman Fang <fr...@gmail.com>:
> Hi,
>
> My comment inline
> -------------
> Freeman(Yue) Fang
>
> Red Hat, Inc.
> FuseSource is now part of Red Hat
> Web: http://fusesource.com | http://www.redhat.com/
> Twitter: freemanfang
> Blog: http://freemanfang.blogspot.com
> http://blog.sina.com.cn/u/1473905042
> weibo: @Freeman小屋
>
> On 2013-2-25, at 下午5:01, Jose María Zaragoza wrote:
>
>> Hi:
>>
>> I'm a newbie at using the CXF framework and I'd like to make the best choice
>> about security matters (authorization/authentication).
>> Maybe more expert users can help me.
>>
>>
>> I need to develop JAX-WS (SOAP/HTTP) and JAX-RS (XML/JSON/HTTP)
>> services and I need to get the client ID who is calling that web
>> service for loading custom config files by client profile/role .
>> Sometimes, it will be the same implementation but a different protocol
>> binding (I think the CXF framework allows this feature).
>>
>>
>> 1)
>>
>> I would like to use a standard authentication/authorization model.
>> I've seen WS-Security but I think that it only works with SOAP
>> messages, am I wrong ? could it be used with REST client/services?
> Yes, the UsernameToken ws-security stuff is based on SOAP message so it won't work with REST typically.
>>
>>
>> 2)
>>
>> Another choice is to use HTTP Authentication. For example, I could use
>> the Realm mechanism implemented by Tomcat to authenticate users.
>> That is supported by SOAP/HTTP and REST/JSON/HTTP clients.
>>
>> Could I retrieve the client ID (Principal) from WebServiceContext with
>> HTTP Authentication?
>> Do I need to get the HTTPRequest to get the client ID?
> Yeah, you can use HTTP basic auth both for SOAP and REST service
> You can simply use org.apache.cxf.interceptor.security.JAASLoginInterceptor, which can retrieve username/password from Http Basic auth and create SecurityContext accordingly and delegate to your container jaas(tomcat, karaf, etc)
>>
>>
>> 3)
>>
>> As I told you, I want to load custom config files by client
>> profile/role calling a service
>> Could I implement this with an interceptor, and have this interceptor
>> update the 'service call' with custom values?
>> What is the best way to face this issue ?
>>
> yeah, an interceptor usually is the way to go
>> I want to perform something like Filters (Servlet) and update requests
>> context with custom info by client/user/role
>>
>>
>> Thanks
>> Best regards
>
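The thread points at JAASLoginInterceptor for the authentication step and then asks what a second, separate interceptor that reads the Principal and loads per-role config would look like. The class below is an added example for this list reply, not code from the thread, from CXF or from the author; it shows the two-interceptor layout for both SOAP and REST endpoints. The class name, the `PROFILE_KEY` property name, the role names, the in-memory profiles and the JAAS context name passed to `install` are all assumptions for illustration.

```java
// Added example (not from the thread or from CXF): a second CXF in-interceptor
// that runs after JAASLoginInterceptor, reads the Principal and roles from the
// SecurityContext that interceptor created, and attaches a per-role profile to
// the message so the service implementation can read it.
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import org.apache.cxf.endpoint.AbstractEndpointFactory;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

public class ClientProfileInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Message property under which the loaded profile is stored (hypothetical key). */
    public static final String PROFILE_KEY = "example.client.profile";

    /** Roles checked in order; the first one the caller holds selects the profile (hypothetical). */
    private static final String[] KNOWN_ROLES = {"admin", "partner", "user"};

    // Hypothetical in-memory profiles; a real service would load a config file per role.
    private final Map<String, Properties> profilesByRole = new HashMap<>();

    public ClientProfileInterceptor() {
        // PRE_INVOKE is later in the in-chain than UNMARSHAL, the phase in which
        // JAASLoginInterceptor authenticates, so the SecurityContext already exists here.
        super(Phase.PRE_INVOKE);
        for (String role : KNOWN_ROLES) {
            Properties p = new Properties();
            p.setProperty("role", role);
            p.setProperty("maxRecords", "admin".equals(role) ? "10000" : "100");
            profilesByRole.put(role, p);
        }
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        Principal principal = sc == null ? null : sc.getUserPrincipal();
        if (principal == null) {
            // Fail closed: never hand a default profile to an unauthenticated caller.
            throw new Fault(new SecurityException("No authenticated principal on message"));
        }
        String role = null;
        for (String candidate : KNOWN_ROLES) {
            if (sc.isUserInRole(candidate)) {
                role = candidate;
                break;
            }
        }
        if (role == null) {
            throw new Fault(new SecurityException(
                "User " + principal.getName() + " holds none of the known roles"));
        }
        // Copy the template so one service call cannot mutate what the next one sees.
        Properties profile = new Properties();
        profile.putAll(profilesByRole.get(role));
        profile.setProperty("user", principal.getName());
        message.put(PROFILE_KEY, profile);
    }

    /** Read the profile back inside a service; the same call serves JAX-WS and JAX-RS. */
    public static Properties currentProfile(Message message) {
        Object p = message.get(PROFILE_KEY);
        if (!(p instanceof Properties)) {
            throw new IllegalStateException("No profile on message: is ClientProfileInterceptor registered?");
        }
        return (Properties) p;
    }

    /**
     * Register both interceptors on a SOAP (JaxWsServerFactoryBean) or REST
     * (JAXRSServerFactoryBean) factory; both extend AbstractEndpointFactory,
     * which is what lets one implementation serve both bindings.
     */
    public static void install(AbstractEndpointFactory factory, String jaasContextName) {
        JAASLoginInterceptor jaas = new JAASLoginInterceptor();
        // Name of the JAAS login configuration entry provided by the container (hypothetical).
        jaas.setContextName(jaasContextName);
        factory.getInInterceptors().add(jaas);
        factory.getInInterceptors().add(new ClientProfileInterceptor());
    }
}
```

Inside a service method the current message is available through `org.apache.cxf.phase.PhaseInterceptorChain.getCurrentMessage()`, so `ClientProfileInterceptor.currentProfile(PhaseInterceptorChain.getCurrentMessage())` returns the profile for whichever binding the call arrived on. Because JAASLoginInterceptor reads credentials from HTTP Basic auth, which only base64-encodes them, the endpoint should be published over HTTPS; the interceptor above also throws rather than falling back to a default profile when no principal or no known role is present, so a misordered chain fails loudly instead of silently serving the wrong configuration.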
Re: Security for WS & REST clients
Posted by Freeman Fang <fr...@gmail.com>.
Hi,
My comment inline
-------------
Freeman(Yue) Fang
Red Hat, Inc.
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋
On 2013-2-25, at 下午5:01, Jose María Zaragoza wrote:
> Hi:
>
> I'm a newbie at using the CXF framework and I'd like to make the best choice
> about security matters (authorization/authentication).
> Maybe more expert users can help me.
>
>
> I need to develop JAX-WS (SOAP/HTTP) and JAX-RS (XML/JSON/HTTP)
> services and I need to get the client ID who is calling that web
> service for loading custom config files by client profile/role .
> Sometimes, it will be the same implementation but a different protocol
> binding (I think the CXF framework allows this feature).
>
>
> 1)
>
> I would like to use a standard authentication/authorization model.
> I've seen WS-Security but I think that it only works with SOAP
> messages, am I wrong ? could it be used with REST client/services?
Yes, the UsernameToken WS-Security stuff is based on the SOAP message, so it typically won't work with REST.
>
>
> 2)
>
> Another choice is to use HTTP Authentication. For example, I could use
> the Realm mechanism implemented by Tomcat to authenticate users.
> That is supported by SOAP/HTTP and REST/JSON/HTTP clients.
>
> Could I retrieve the client ID (Principal) from WebServiceContext with
> HTTP Authentication?
> Do I need to get the HTTPRequest to get the client ID?
Yeah, you can use HTTP basic auth both for SOAP and REST services.
You can simply use org.apache.cxf.interceptor.security.JAASLoginInterceptor, which can retrieve the username/password from HTTP Basic auth, create a SecurityContext accordingly and delegate to your container JAAS (tomcat, karaf, etc).
>
>
> 3)
>
> As I told you, I want to load custom config files by client
> profile/role calling a service
> Could I implement this with an interceptor, and have this interceptor
> update the 'service call' with custom values?
> What is the best way to face this issue ?
>
Yeah, an interceptor usually is the way to go.
> I want to perform something like Filters (Servlet) and update requests
> context with custom info by client/user/role
>
>
> Thanks
> Best regards