Posted to users@cxf.apache.org by Christian Müller <ch...@gmail.com> on 2013/09/13 01:03:00 UTC
Apache CXF + WSS4J + Authentication failed counter
We are using the Apache Camel CXF component (Camel 2.10.x and CXF 2.6.x) to
expose web services to our customers. We are securing these services by
using HTTPS and WS-Security (user name and password token). Everything
works well so far.
After an external audit, we got the new requirement to monitor the
failed authentication attempts per user and block the user if the
failed-authentication counter reaches a (configurable) limit.
1) Do we have such a functionality in a "special" WSS4JInInterceptor?
2) If not, which solution would you recommend?
a) Extending the WSS4JInInterceptor - isn't as easy as it should be to
fulfill my needs.
b) Writing our own interceptors. An in-interceptor to check whether the
user is already blocked and to store the user name in a thread local. An
out-interceptor to increase the failed counter (if the authentication
failed) or to reset the failed counter (if the authentication was
successful).
c) Somehow different?
[1] http://cxf.apache.org/docs/ws-security.html
Thanks in advance,
Christian
-----------------
Software Integration Specialist
Apache Camel committer: https://camel.apache.org/team
V.P. Apache Camel: https://www.apache.org/foundation/
Apache Member: https://www.apache.org/foundation/members.html
https://www.linkedin.com/pub/christian-mueller/11/551/642
Re: Apache CXF + WSS4J + Authentication failed counter
Posted by Christian Müller <ch...@gmail.com>.
Hi Colm!
Thanks for taking the time to answer my question. This was exactly what I was
looking for (and I didn't know about it).
Best,
Christian
On Fri, Sep 13, 2013 at 11:19 AM, Colm O hEigeartaigh
<co...@apache.org>wrote:
> Hi Christian,
>
> I would recommend writing your own Validator (or extending the existing one
> in WSS4J) for UsernameTokens. WSS4J sends tokens to a Validator instance
> for validation:
>
>
> http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/Validator.java?view=markup
>
> Here is the default UsernameTokenValidator:
>
>
> http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java?view=markup
>
> So I would recommend adding in some functionality to a subclass of the
> UsernameTokenValidator to perform your requirements. You can configure your
> Validator in CXF via the "ws-security.ut.validator" tag:
>
> http://cxf.apache.org/docs/ws-securitypolicy.html
>
> Colm.
Re: Apache CXF + WSS4J + Authentication failed counter
Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Christian,
I would recommend writing your own Validator (or extending the existing one
in WSS4J) for UsernameTokens. WSS4J sends tokens to a Validator instance
for validation:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/Validator.java?view=markup
Here is the default UsernameTokenValidator:
http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java?view=markup
So I would recommend adding in some functionality to a subclass of the
UsernameTokenValidator to perform your requirements. You can configure your
Validator in CXF via the "ws-security.ut.validator" tag:
http://cxf.apache.org/docs/ws-securitypolicy.html
Colm.
--
Colm O hEigeartaigh
Talend Community Coder
http://coders.talend.com
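The validator Colm suggests, written out as an added example that is not code from CXF, WSS4J or the original poster: a subclass of the WSS4J 1.6.x UsernameTokenValidator that keeps a per-user count of consecutive failed authentications and refuses the token once a configurable limit is reached, which is the requirement from Christian's original post (and replaces his option b, the in/out interceptor pair, with a single hook). Only UsernameTokenValidator, Credential, RequestData, UsernameToken and WSSecurityException are real WSS4J types; the class name, the constructor arguments, the lockout window and the in-memory counter are assumptions.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.message.token.UsernameToken;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.UsernameTokenValidator;

/**
 * Added example, not part of CXF or WSS4J: a UsernameToken validator that
 * counts consecutive failed authentications per user and refuses further
 * attempts once a configurable limit is reached, until a lockout window has
 * passed. Only the WSS4J 1.6.x types imported above are real; the class, its
 * constructor arguments and the in-memory counter are assumptions.
 */
public class LockoutUsernameTokenValidator extends UsernameTokenValidator {

    /** Per-user failure state (assumed helper, guarded by its own monitor). */
    private static final class Failures {
        int count;
        long lastFailureMillis;
    }

    private final int maxFailures;
    private final long lockoutMillis;
    private final ConcurrentMap<String, Failures> failures =
        new ConcurrentHashMap<String, Failures>();

    /**
     * @param maxFailures   consecutive failures after which the user is blocked
     * @param lockoutMillis how long the block lasts; 0 means until unblock() is called
     */
    public LockoutUsernameTokenValidator(int maxFailures, long lockoutMillis) {
        if (maxFailures < 1) {
            throw new IllegalArgumentException("maxFailures must be >= 1");
        }
        this.maxFailures = maxFailures;
        this.lockoutMillis = lockoutMillis;
    }

    @Override
    public Credential validate(Credential credential, RequestData data)
        throws WSSecurityException {
        UsernameToken token = credential.getUsernametoken();
        String user = (token == null) ? null : token.getName();
        if (user == null || user.length() == 0) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        if (isBlocked(user)) {
            // Same fault as a wrong password: a client must not be able to tell
            // "account locked" from "bad credentials". No password check runs
            // for a blocked user, so guessing cannot continue during the block.
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        try {
            // The stock validator checks the password (plaintext or digest)
            // against the configured CallbackHandler and throws on failure.
            Credential result = super.validate(credential, data);
            failures.remove(user); // a successful login resets the counter
            return result;
        } catch (WSSecurityException e) {
            recordFailure(user);
            throw e;
        }
    }

    /** True if the user has reached the limit and the lockout has not expired. */
    public boolean isBlocked(String user) {
        Failures f = failures.get(user);
        if (f == null) {
            return false;
        }
        synchronized (f) {
            if (f.count < maxFailures) {
                return false;
            }
            if (lockoutMillis > 0
                && System.currentTimeMillis() - f.lastFailureMillis > lockoutMillis) {
                failures.remove(user); // lockout window elapsed; start over
                return false;
            }
            return true;
        }
    }

    private void recordFailure(String user) {
        Failures fresh = new Failures();
        Failures f = failures.putIfAbsent(user, fresh);
        if (f == null) {
            f = fresh;
        }
        synchronized (f) {
            f.count++;
            f.lastFailureMillis = System.currentTimeMillis();
        }
    }

    /** Administrative reset, e.g. after the customer has been contacted. */
    public void unblock(String user) {
        failures.remove(user);
    }
}
```

The validator is registered through the "ws-security.ut.validator" endpoint property Colm names; in a Spring-configured endpoint that is an entry such as `<entry key="ws-security.ut.validator"><bean class="LockoutUsernameTokenValidator">...</bean></entry>` inside the endpoint's properties (assumed wiring, check the ws-securitypolicy page for your CXF version). Two points a reviewer will raise: the counter lives in one JVM, so a clustered deployment needs a shared store (a database or cache) or the limit is effectively multiplied by the node count; and because the key is the bare username, anyone who knows a customer's username can lock that customer out, which is why the example uses a time-bounded lockout rather than a permanent block and keeps the fault identical to a wrong-password fault.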