Posted to users@cxf.apache.org by Ben Berner <bn...@googlemail.com> on 2008/05/13 19:01:05 UTC

targetNamespace in callbackHandler

Hello cxf-users,
I need to check whether the client invoking a web service is authorized to
do so.  The database has targetNamespace of the service paired with the
username/key.  So, need to find the targetNamespace of the WebService at
runtime in ServerPasswordCallback Class that implements CallbackHandler
(using ws-security).  Is this possible via some api or I need to inject
something into this callback class?
Regards,
Ben

Re: targetNamespace in callbackHandler

Posted by Daniel Kulp <dk...@apache.org>.
On May 14, 2008, at 3:58 PM, sudip shrestha wrote:

> This approach with ThreadLocal var storing thread specific service QName
> worked.  Made sure my interceptor got invoked during the READ phase which is
> before the PRE_PROTOCOL phase.  Now I can make sure the client is invoking
> only the service it is authorized to invoke... but this is something, making
> extra calls adding overheads, IMO, I should not have to do, something the
> WS-* spec should provide.


Well, IDEALLY to me, the WSS4J stuff would fill in the appropriate  
principal object on the context (which could then fill in the  
appropriate stuff in Acegi/Spring Security if using Acegi) and then you
could use the annotations on the service itself to be able to control  
some of that.  IMO.   :-)

Dan



---
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog





Re: targetNamespace in callbackHandler

Posted by Ben Berner <bn...@googlemail.com>.
I am not too familiar with ThreadLocal object. Could you post your sample
code on how to use it in the context of the interceptor and the
CallbackHandler?
Regards,
Ben

On Wed, May 14, 2008 at 2:58 PM, sudip shrestha <su...@gmail.com> wrote:

> This approach with ThreadLocal var storing thread specific service QName
> worked.  Made sure my interceptor got invoked during the READ phase which is
> before the PRE_PROTOCOL phase.  Now I can make sure the client is invoking
> only the service it is authorized to invoke... but this is something, making
> extra calls adding overheads, IMO, I should not have to do, something the
> WS-* spec should provide.

Re: targetNamespace in callbackHandler

Posted by sudip shrestha <su...@gmail.com>.
This approach with ThreadLocal var storing thread specific service QName
worked.  Made sure my interceptor got invoked during the READ phase which is
before the PRE_PROTOCOL phase.  Now I can make sure the client is invoking
only the service it is authorized to invoke... but this is something, making
extra calls adding overheads, IMO, I should not have to do, something the
WS-* spec should provide.


On Tue, May 13, 2008 at 3:12 PM, Daniel Kulp <dk...@apache.org> wrote:

> On May 13, 2008, at 4:01 PM, Ben Berner wrote:
>
>> Dan, I looked at the javadocs, but can't seem to find any association of
>> Service Endpoint with the Exchange Object.
>
> Just call:
>
> Service service = exchange.get(Service.class);
>
> There's a bunch of things stored on the exchange like that.   The Bus is
> there, the Endpoint, the Binding, depending on the phase, the OperationInfo
> would be there, etc...
>
>> Also is there a particular
>> interceptor I need to implement for this?
>
> Easiest to just subclass the AbstractPhaseInterceptor.  Not sure on the
> phase.   The WSS4JInInterceptor runs in the PRE_PROTOCOL phase, so after
> that most likely.
>
> Dan

Re: targetNamespace in callbackHandler

Posted by Daniel Kulp <dk...@apache.org>.
On May 13, 2008, at 4:01 PM, Ben Berner wrote:

> Dan, I looked at the javadocs, but can't seem to find any association of
> Service Endpoint with the Exchange Object.

Just call:

Service service = exchange.get(Service.class);

There's a bunch of things stored on the exchange like that.   The Bus  
is there, the Endpoint, the Binding, depending on the phase, the  
OperationInfo would be there, etc...

>  Also is there a particular
> interceptor I need to implement for this?

Easiest to just subclass the AbstractPhaseInterceptor.  Not sure on  
the phase.   The WSS4JInInterceptor runs in the PRE_PROTOCOL phase, so  
after that most likely.

Dan




---
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog





Re: targetNamespace in callbackHandler

Posted by Ben Berner <bn...@googlemail.com>.
Dan, I looked at the javadocs, but can't seem to find any association of
Service Endpoint with the Exchange Object.  Also is there a particular
interceptor I need to implement for this?
Regards,
Ben

On Tue, May 13, 2008 at 2:28 PM, Ben Berner <bn...@googlemail.com>
wrote:

> I thought about injecting the namespace into the handlers.. but that's
> a lot of work for me as I am in the process of migrating my services from
> XFire to CXF.  Now, the second scenario makes me think instead of using
> another interceptor on top of Handler, why not just use the simple
> interceptor that does the validation...

Re: targetNamespace in callbackHandler

Posted by Ben Berner <bn...@googlemail.com>.
I thought about injecting the namespace into the handlers.. but that's a
lot of work for me as I am in the process of migrating my services from
XFire to CXF.  Now, the second scenario makes me think instead of using
another interceptor on top of Handler, why not just use the simple
interceptor that does the validation...


On Tue, May 13, 2008 at 2:04 PM, Daniel Kulp <dk...@apache.org> wrote:

> On May 13, 2008, at 1:01 PM, Ben Berner wrote:
>
> > Hello cxf-users,
> > I need to check whether the client invoking a web service is authorized
> > to do so.  The database has targetNamespace of the service paired with the
> > username/key.  So, need to find the targetNamespace of the WebService at
> > runtime in ServerPasswordCallback Class that implements CallbackHandler
> > (using ws-security).  Is this possible via some api or I need to inject
> > something into this callback class?
> > Regards,
> > Ben
>
> Hmmmmm........  interesting problem.   I'm not sure what the best way to
> do it is.    It could also depend on how you are configuring the ws-sec
> stuff.  If you are configuring the ws-sec/handler stuff on the bus, you
> really cannot store any state in it as that instance will be shared by all
> services.   You COULD configure it on a per-service basis and just inject
> the target namespace of that service into the handler as a constructor arg
> or property or something.    That's quite a bit more configuration though.
>
> If you want to keep it configured on a per-bus basis, I would add an
> interceptor in front of the ws-sec in interceptor that grabs the Service
> object from the Exchange, grabs the namespace in there and stores it in a
> public ThreadLocal or something that the Handler would have access to.
>
>
> ---
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog

Re: targetNamespace in callbackHandler

Posted by Daniel Kulp <dk...@apache.org>.
On May 13, 2008, at 1:01 PM, Ben Berner wrote:

> Hello cxf-users,
> I need to check whether the client invoking a web service is authorized to
> do so.  The database has targetNamespace of the service paired with the
> username/key.  So, need to find the targetNamespace of the WebService at
> runtime in ServerPasswordCallback Class that implements CallbackHandler
> (using ws-security).  Is this possible via some api or I need to inject
> something into this callback class?
> Regards,
> Ben

Hmmmmm........  interesting problem.   I'm not sure what the best way
to do it is.    It could also depend on how you are configuring the
ws-sec stuff.  If you are configuring the ws-sec/handler stuff on the
bus, you really cannot store any state in it as that instance will be
shared by all services.   You COULD configure it on a per-service
basis and just inject the target namespace of that service into the
handler as a constructor arg or property or something.    That's quite
a bit more configuration though.

If you want to keep it configured on a per-bus basis, I would add an  
interceptor in front of the ws-sec in interceptor that grabs the  
Service object from the Exchange, grabs the namespace in there and  
stores it in a public ThreadLocal or something that the Handler would  
have access to.


---
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
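
The per-bus approach discussed in this thread (an interceptor ahead of WSS4JInInterceptor that stores the service namespace in a ThreadLocal read by the password callback), as an added example; it is not code posted by anyone in the thread and not CXF's own. The class names, the CredentialStore interface and the WSS4J 2.x package for WSPasswordCallback are assumptions.

```java
import java.io.IOException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.service.Service;
// Assumption: WSS4J 2.x package; WSS4J 1.x has the class in org.apache.ws.security.
import org.apache.wss4j.common.ext.WSPasswordCallback;

/** Added example; every class and interface name declared here is hypothetical. */
public final class ServiceNamespaceAuth {

    // Per-thread holder shared by the interceptor and the bus-wide handler.
    private static final ThreadLocal<String> TARGET_NS = new ThreadLocal<>();

    /** Hypothetical stand-in for the database pairing username/key with a namespace. */
    public interface CredentialStore {
        /** @return the user's key, or null when the user is not paired with the namespace */
        String keyFor(String username, String targetNamespace);
    }

    /** Runs in READ, which precedes PRE_PROTOCOL where WSS4JInInterceptor runs. */
    public static final class CaptureNamespaceInterceptor extends AbstractPhaseInterceptor<Message> {
        public CaptureNamespaceInterceptor() { super(Phase.READ); }

        @Override
        public void handleMessage(Message message) throws Fault {
            // Pooled threads are reused: clear first so a stale namespace can never authorize.
            TARGET_NS.remove();
            Service service = message.getExchange().get(Service.class);
            if (service != null) {
                TARGET_NS.set(service.getName().getNamespaceURI());
            }
        }

        @Override
        public void handleFault(Message message) {
            TARGET_NS.remove(); // the chain is unwinding after a later interceptor failed
        }
    }

    /** Configured once on the bus; keeps no per-service state of its own. */
    public static final class ServerPasswordCallback implements CallbackHandler {
        private final CredentialStore store;

        public ServerPasswordCallback(CredentialStore store) { this.store = store; }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            String ns = TARGET_NS.get();
            for (Callback cb : callbacks) {
                if (!(cb instanceof WSPasswordCallback)) throw new UnsupportedCallbackException(cb);
                WSPasswordCallback pc = (WSPasswordCallback) cb;
                String key = (ns == null) ? null : store.keyFor(pc.getIdentifier(), ns);
                if (key == null) { // fail closed: no namespace captured, or user not paired with it
                    throw new IOException("client not authorized for this service");
                }
                pc.setPassword(key);
            }
        }
    }
}
```

Register CaptureNamespaceInterceptor on the same in-interceptor list as WSS4JInInterceptor; an endpoint that lacks it leaves the holder empty, and the handler then rejects the request instead of falling back to a value left by another service.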