Posted to users@cxf.apache.org by Schneider Christian <Ch...@enbw.com> on 2010/11/25 13:51:14 UTC

Authentication / Authorization with http jetty transport in standalone mode

Hi all,

I already know how to configure security in a servlet environment but the service uses the built in jetty to open the http port. I have not yet found any information on how to set up authentication / authorization in this case.

In my case basic auth against a static set of usernames / passwords would be enough for authentication.
For authorization a static group would be ok. Ideal would be to get the group from LDAP.

Can I simply do these configs in the jetty instance somehow?

Best regards

Christian


Christian Schneider
Informationsverarbeitung
Business Solutions
Handel und Dispatching

Tel : +49-(0)721-63-15482

EnBW Systeme Infrastruktur Support GmbH
Registered office: Karlsruhe
Commercial register: Amtsgericht Mannheim - HRB 108550
Chairman of the Supervisory Board: Dr. Bernhard Beck
Managing Directors: Jochen Adenau, Hans-Günther Meier




Re: AW: Authentication / Authorization with http jetty transport in standalone mode

Posted by Daniel Kulp <dk...@apache.org>.
The current http-jetty transport subclasses the AbstractHandler stuff
directly and doesn't really implement any of the Servlet things. I kind of
keep thinking that it would be good to re-write it to leverage the Servlet
transport and then use the Jetty ServletHandler (and thus the filters can be
configured in), but nothing that's been a high enough priority to really
pursue it.

Dan


On Thursday 25 November 2010 11:25:44 am Schneider Christian wrote:
> Hi Freeman and Sergey,
> 
> thanks for your hints already. I am sure one of the approaches will help me
> for the short run. When doing authentication in tomcat I once used a
> ServletFilter (javax.servlet.Filter). Is that also possible in our
> embedded jetty?
> 
> As far as I know we use a ServletHandler in the jetty transport.
> (http://jetty.codehaus.org/jetty/jetty-6/apidocs/org/mortbay/jetty/servlet/ServletHandler.html)
> In the API documentation I found that filters are not supported. Is that
> true?
> 
> I think the great thing about Filters is that they work with all Servlet
> containers so they would be a generic way of implementing authentication
> completely outside of the cxf codebase. Which would be a good thing in my
> opinion.
> 
> Best regards
> 
> Christian

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog

RE: Authentication / Authorization with http jetty transport in standalone mode

Posted by "Thomson, Duncan" <du...@mitre.org>.
Could this be implemented by providing a custom "TrustDecider"?

I'm going to need to do something similar.

I did find an example of a TrustDecider that uses a CRL or OCSP responder. Perhaps you can use this model.

The example is here: http://www.koders.com/java/fid4F11D3469D5DE5A8B762E302874B626FE2CE2729.aspx?s=SelfSignedCert

Please let me know if this works for you.

Thanks,

Duncan

>-----Original Message-----
>From: Sergey Beryozkin [mailto:sberyozkin@gmail.com]
>Sent: Thursday, November 25, 2010 8:45 AM
>To: users@cxf.apache.org
>Subject: Re: Authentication / Authorization with with http jetty
>transport in standalone mode
>
>Hi Christian
>
>Unfortunately I don't have access to the relevant code any more but
>a while back, while working on the JAX-WS TCK passing with a private
>jetty-based container, we implemented a custom CXF MessageObserver which
>would pass the incoming request via a chain of servlet filters, before
>forwarding the request further to the CXF chain.
>
>I suspect there could be simpler options around, perhaps Spring can be
>applied somehow, for example, Josh H has managed to apply spring security
>filters to DOSGI endpoints (with embedded Jetty being used)
>
>cheers, Sergey

Re: Authentication / Authorization with http jetty transport in standalone mode

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Christian

Unfortunately I don't have access to the relevant code any more but
a while back, while working on the JAX-WS TCK passing with a private
jetty-based container, we implemented a custom CXF MessageObserver which
would pass the incoming request via a chain of servlet filters, before
forwarding the request further to the CXF chain.

I suspect there could be simpler options around, perhaps Spring can be
applied somehow, for example, Josh H has managed to apply spring security
filters to DOSGI endpoints (with embedded Jetty being used)

cheers, Sergey

On Thu, Nov 25, 2010 at 4:25 PM, Schneider Christian <
Christian.Schneider@enbw.com> wrote:

> Hi Freeman and Sergey,
>
> thanks for your hints already. I am sure one of the approaches will help me
> for the short run.
> When doing authentication in tomcat I once used a ServletFilter
> (javax.servlet.Filter). Is that also possible in our embedded jetty?
>
> As far as I know we use a ServletHandler in the jetty transport. (
> http://jetty.codehaus.org/jetty/jetty-6/apidocs/org/mortbay/jetty/servlet/ServletHandler.html)
> In the API documentation I found that filters are not supported. Is that
> true?
>
> I think the great thing about Filters is that they work with all Servlet
> containers so they would be a generic way of implementing authentication
> completely outside of the cxf codebase. Which would be a good thing in my
> opinion.
>
> Best regards
>
> Christian

AW: Authentication / Authorization with http jetty transport in standalone mode

Posted by Schneider Christian <Ch...@enbw.com>.
Hi Freeman and Sergey,

thanks for your hints already. I am sure one of the approaches will help me for the short run.
When doing authentication in tomcat I once used a ServletFilter (javax.servlet.Filter). Is that also possible in our embedded jetty?

As far as I know we use a ServletHandler in the jetty transport. (http://jetty.codehaus.org/jetty/jetty-6/apidocs/org/mortbay/jetty/servlet/ServletHandler.html) In the API documentation I found that filters are not supported. Is that true?

I think the great thing about Filters is that they work with all Servlet containers so they would be a generic way of implementing authentication completely outside of the cxf codebase. Which would be a good thing in my opinion.

Best regards

Christian





-----Original Message-----
From: Sergey Beryozkin [mailto:sberyozkin@gmail.com]
Sent: Thursday, 25 November 2010 14:59
To: users@cxf.apache.org
Subject: Re: Authentication / Authorization with http jetty transport in standalone mode

Hi Christian

You may also want to check this page :

http://docs.codehaus.org/display/JETTY/Realms

I did try what is recommended there when using 'mvn jetty:run' to test the
web app I was working with and it worked well - there should be a way to
express it all using the CXF Jetty config as well (using a handler config as
Freeman recommends)...

cheers, Sergey


Re: Authentication / Authorization with http jetty transport in standalone mode

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Christian

You may also want to check this page :

http://docs.codehaus.org/display/JETTY/Realms

I did try what is recommended there when using 'mvn jetty:run' to test the
web app I was working with and it worked well - there should be a way to
express it all using the CXF Jetty config as well (using a handler config as
Freeman recommends)...

cheers, Sergey

On Thu, Nov 25, 2010 at 12:51 PM, Schneider Christian <
Christian.Schneider@enbw.com> wrote:

> Hi all,
>
> I already know how to configure security in a servlet environment but the
> service uses the built in jetty to open the http port. I have not yet found
> any information on how to set up authentication / authorization in this
> case.
>
> In my case basic auth against a static set of usernames / passwords would
> be enough for authentication.
> For authorization a static group would be ok. Ideal would be to get the
> group from LDAP.
>
> Can I simply do these configs in the jetty instance somehow?
>
> Best regards
>
> Christian

Re: Authentication / Authorization with http jetty transport in standalone mode

Posted by Freeman Fang <fr...@gmail.com>.
Hi,
To enable server-side HTTP Basic Auth, we need an interceptor to do
it. The basic idea is to extract the AuthorizationPolicy from the incoming
message and compare the username/password, but it's not so
complicated; here is a good article [1] that shows how to do it.

Or another way to configure server-side basic auth could be to configure
the Jetty instance to handle the authentication, as Jetty has a
"SecurityHandler" that can be configured into the handlers via CXF
config.

Hope this helps.
[1] http://chrisdail.com/2008/03/31/apache-cxf-with-http-basic-authentication/

Freeman
On 2010-11-25, at 8:51 PM, Schneider Christian wrote:

> Hi all,
>
> I already know how to configure security in a servlet environment  
> but the service uses the built in jetty to open the http port. I  
> have not yet found any information on how to set up authentication /  
> authorization in this case.
>
> In my case basic auth against a static set of usernames / passwords  
> would be enough for authentication.
> For authorization a static group would be ok. Ideal would be to get  
> the group from LDAP.
>
> Can I simply do these configs in the jetty instance somehow?
>
> Best regards
>
> Christian


-- 
Freeman Fang

------------------------

FuseSource: http://fusesource.com
blog: http://freemanfang.blogspot.com
twitter: http://twitter.com/freemanfang
Apache Servicemix:http://servicemix.apache.org
Apache Cxf: http://cxf.apache.org
Apache Karaf: http://karaf.apache.org
Apache Felix: http://felix.apache.org
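
The interceptor approach Freeman describes above (read the AuthorizationPolicy from the incoming message, compare username/password, then check a static group), as an added example that is not code from the thread or from the linked article. The class name, the in-memory user map and the group set are assumptions, as is a CXF version whose Fault has setStatusCode.

```java
import java.net.HttpURLConnection;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.Set;

import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

// Added example (hypothetical class name): Basic Auth against a static user list.
public class StaticBasicAuthInterceptor extends AbstractPhaseInterceptor<Message> {

    private final Map<String, String> passwords; // user -> password; constructed, in-memory store
    private final Set<String> group;             // static group of users allowed to call the service

    public StaticBasicAuthInterceptor(Map<String, String> passwords, Set<String> group) {
        super(Phase.RECEIVE); // run first, before the request body is parsed
        this.passwords = passwords;
        this.group = group;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // The HTTP transport decodes the Authorization header into this policy object.
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
            throw reject(HttpURLConnection.HTTP_UNAUTHORIZED, "credentials required");
        }
        String expected = passwords.get(policy.getUserName());
        // Always run the comparison, so unknown users take the same code path.
        boolean match = sameBytes(expected == null ? "" : expected, policy.getPassword());
        if (expected == null || !match) {
            throw reject(HttpURLConnection.HTTP_UNAUTHORIZED, "bad credentials");
        }
        // Authorization: authenticated, but only members of the static group may proceed.
        if (!group.contains(policy.getUserName())) {
            throw reject(HttpURLConnection.HTTP_FORBIDDEN, "not in group");
        }
    }

    // MessageDigest.isEqual avoids the early exit of String.equals.
    private static boolean sameBytes(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    // Assumes a CXF version whose Fault carries an HTTP status code.
    private static Fault reject(int status, String reason) {
        Fault fault = new Fault(new SecurityException(reason));
        fault.setStatusCode(status);
        return fault;
    }
}
```

Register it with getInInterceptors().add(...) on the endpoint or server factory. It sends no WWW-Authenticate challenge, so clients have to send credentials preemptively.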