Posted to users@cxf.apache.org by Christian Müller <ch...@gmail.com> on 2013/09/13 01:03:00 UTC

Apache CXF + WSS4J + Authentication failed counter

We are using the Apache Camel CXF component (Camel 2.10.x and CXF 2.6.x) to
expose web services to our customers. We are securing these services by
using HTTPS and WS-Security (user name and password token). Everything
works well so far.

After an external audit, we got the new requirement to monitor the
authentication failed attempts per user and block the user, if the
authentication failed counter reached a (configurable) limit.

1) Do we have such a functionality in a "special" WSS4JInInterceptor?
2) If not, which solution would you recommend?
    a) Extending the WSS4JInInterceptor - isn't as easy as it should be to
fulfill my needs.
    b) Writing our own interceptors. An in-interceptor to check whether
user is already blocked and to store the user name in a thread local. An
out-interceptor to increase the failed counter (if the authentication
failed) or to reset the failed counter (if the authentication was
successful).
    c) Somehow different?

[1] http://cxf.apache.org/docs/ws-security.html

Thanks in advance,
Christian
-----------------

Software Integration Specialist

Apache Camel committer: https://camel.apache.org/team
V.P. Apache Camel: https://www.apache.org/foundation/
Apache Member: https://www.apache.org/foundation/members.html

https://www.linkedin.com/pub/christian-mueller/11/551/642

Re: Apache CXF + WSS4J + Authentication failed counter

Posted by Christian Müller <ch...@gmail.com>.
Hi Colm!

Thanks for taking time to answer my question. This was exactly what I was
looking for (and I didn't know).

Best,
Christian
-----------------

Software Integration Specialist

Apache Camel committer: https://camel.apache.org/team
V.P. Apache Camel: https://www.apache.org/foundation/
Apache Member: https://www.apache.org/foundation/members.html

https://www.linkedin.com/pub/christian-mueller/11/551/642


On Fri, Sep 13, 2013 at 11:19 AM, Colm O hEigeartaigh
<co...@apache.org> wrote:

> Hi Christian,
>
> I would recommend writing your own Validator (or extending the existing one
> in WSS4J) for UsernameTokens. WSS4J sends tokens to a Validator instance
> for validation:
>
>
> http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/Validator.java?view=markup
>
> Here is the default UsernameTokenValidator:
>
>
> http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java?view=markup
>
> So I would recommend adding in some functionality to a subclass of the
> UsernameTokenValidator to perform your requirements. You can configure your
> Validator in CXF via the "ws-security.ut.validator" tag:
>
> http://cxf.apache.org/docs/ws-securitypolicy.html
>
> Colm.

Re: Apache CXF + WSS4J + Authentication failed counter

Posted by Colm O hEigeartaigh <co...@apache.org>.
Hi Christian,

I would recommend writing your own Validator (or extending the existing one
in WSS4J) for UsernameTokens. WSS4J sends tokens to a Validator instance
for validation:

http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/Validator.java?view=markup

Here is the default UsernameTokenValidator:

http://svn.apache.org/viewvc/webservices/wss4j/branches/1_6_x-fixes/src/main/java/org/apache/ws/security/validate/UsernameTokenValidator.java?view=markup

So I would recommend adding in some functionality to a subclass of the
UsernameTokenValidator to perform your requirements. You can configure your
Validator in CXF via the "ws-security.ut.validator" tag:

http://cxf.apache.org/docs/ws-securitypolicy.html

Colm.


On Fri, Sep 13, 2013 at 12:03 AM, Christian Müller <
christian.mueller@gmail.com> wrote:


-- 
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
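A sketch of the subclass Colm suggests, added here as an example (it is not code from the thread or from WSS4J itself). It assumes the WSS4J 1.6.x API from the linked branch (`UsernameTokenValidator.validate(Credential, RequestData)`, `Credential.getUsernametoken()`, `WSSecurityException.FAILED_AUTHENTICATION`); the class name, the in-memory counter and the limit are hypothetical choices.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.atomic.AtomicInteger;

import org.apache.ws.security.WSSecurityException;
import org.apache.ws.security.handler.RequestData;
import org.apache.ws.security.validate.Credential;
import org.apache.ws.security.validate.UsernameTokenValidator;

/**
 * Hypothetical UsernameToken validator: refuses a user whose failed-attempt
 * counter has reached the configured limit, otherwise delegates the actual
 * password check to the WSS4J default and updates the counter on the result.
 */
public class LockoutUsernameTokenValidator extends UsernameTokenValidator {

    private final int maxFailures;   // the configurable limit from the audit requirement
    // Per-user failure counter; this example keeps it in memory, a real
    // deployment would persist it and expire old entries.
    private final ConcurrentMap<String, AtomicInteger> failures =
            new ConcurrentHashMap<String, AtomicInteger>();

    public LockoutUsernameTokenValidator(int maxFailures) {
        this.maxFailures = maxFailures;
    }

    @Override
    public Credential validate(Credential credential, RequestData data)
            throws WSSecurityException {
        if (credential == null || credential.getUsernametoken() == null) {
            return super.validate(credential, data);   // let WSS4J report the error
        }
        String user = credential.getUsernametoken().getName();
        // Blocked users fail closed before any password is checked.
        if (isBlocked(user)) {
            throw new WSSecurityException(WSSecurityException.FAILED_AUTHENTICATION);
        }
        try {
            Credential result = super.validate(credential, data);
            failures.remove(user);                     // success resets the counter
            return result;
        } catch (WSSecurityException e) {
            failures.putIfAbsent(user, new AtomicInteger());
            failures.get(user).incrementAndGet();      // failure bumps the counter
            throw e;
        }
    }

    public boolean isBlocked(String user) {
        AtomicInteger count = failures.get(user);
        return count != null && count.get() >= maxFailures;
    }
}
```

Register an instance of it under the "ws-security.ut.validator" property on the CXF endpoint as described on the linked WS-SecurityPolicy page; note that a lockout that only resets on success lets a flood of bad passwords keep a legitimate user locked out, so a time-based reset is the usual refinement.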