Posted to users@cxf.apache.org by Jerome Revillard <jr...@maatg.com> on 2011/03/09 14:33:21 UTC

Get the container Principal/Subject/Credential from a web service

Dear all,

Is there an equivalent to WebServiceContext in order to get the container
Principal/Subject/Credential from a web service?

Best,
Jerome

--
View this message in context: http://cxf.547215.n5.nabble.com/Get-the-container-Principal-Subject-Credential-from-a-web-service-tp3415505p3415505.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Get the container Principal/Subject/Credential from a web service

Posted by Jérôme Revillard <jr...@maatg.com>.
Ok thanks, I will look at it.

Best,
Jerome

On 09/03/2011 16:02, Christian Schneider wrote:
> I guess you could perhaps fetch this from the https connection in an
> interceptor. The connection is stored in the message.
>
> A much simpler way would be to simply use a config file or a -D
> parameter at server start that tells your app which DN to check for.
>
> Christian
>
>
>
> On 09.03.2011 15:26, Jérôme Revillard wrote:
>> Exactly, I want one of our specific services to be accessible only by the
>> container certificate. So I will compare the user principal with the
>> container one.
>>
>> Do I have to do a specific interceptor for that? If yes, where can I
>> retrieve this info from the message?
>>
>> Jerome
>>
>> On 09/03/2011 15:22, Christian Schneider wrote:
>>> Hmm .. you mean the DN the server certificate contains?
>>> Why would you need that at runtime? Do you want to detect the
>>> environment you run in?
>>>
>>> Christian
>>>
>>>
>>> On 09.03.2011 15:15, Jérôme Revillard wrote:
>>>> Oops.. I misread your email too :-) ... As I said previously, I
>>>> need the
>>>> container identity not the user one.
>>>>
>>>> Best,
>>>> Jerome
>

-- 
=====================================================
Dr Jérôme Revillard
CTO MAAT France
www.maatg.com

Immeuble Alliance Entree A,
74160 Archamps (France) 

Mob.	0034 607 700 106
Tel.	0033 450 439 602
Fax.	0033 450 439 601
=====================================================



Re: Get the container Principal/Subject/Credential from a web service

Posted by Christian Schneider <ch...@die-schneider.net>.
I guess you could perhaps fetch this from the https connection in an 
interceptor. The connection is stored in the message.

A much simpler way would be to simply use a config file or a -D 
parameter at server start that tells your app which DN to check for.

Christian



On 09.03.2011 15:26, Jérôme Revillard wrote:
> Exactly, I want one of our specific services to be accessible only by the
> container certificate. So I will compare the user principal with the
> container one.
>
> Do I have to do a specific interceptor for that? If yes, where can I
> retrieve this info from the message?
>
> Jerome
>
> On 09/03/2011 15:22, Christian Schneider wrote:
>> Hmm .. you mean the DN the server certificate contains?
>> Why would you need that at runtime? Do you want to detect the
>> environment you run in?
>>
>> Christian
>>
>>
>> On 09.03.2011 15:15, Jérôme Revillard wrote:
>>> Oops.. I misread your email too :-) ... As I said previously, I need the
>>> container identity not the user one.
>>>
>>> Best,
>>> Jerome

-- 
----
http://www.liquid-reality.de


Re: Get the container Principal/Subject/Credential from a web service

Posted by Jérôme Revillard <jr...@maatg.com>.
Exactly, I want one of our specific services to be accessible only by the
container certificate. So I will compare the user principal with the
container one.

Do I have to do a specific interceptor for that? If yes, where can I
retrieve this info from the message?

Jerome

On 09/03/2011 15:22, Christian Schneider wrote:
> Hmm .. you mean the DN the server certificate contains?
> Why would you need that at runtime? Do you want to detect the
> environment you run in?
>
> Christian
>
>
> On 09.03.2011 15:15, Jérôme Revillard wrote:
>> Oops.. I misread your email too :-) ... As I said previously, I need the
>> container identity not the user one.
>>
>> Best,
>> Jerome
>




Re: Get the container Principal/Subject/Credential from a web service

Posted by Christian Schneider <ch...@die-schneider.net>.
Hmm .. you mean the DN the server certificate contains?
Why would you need that at runtime? Do you want to detect the 
environment you run in?

Christian


On 09.03.2011 15:15, Jérôme Revillard wrote:
> Oops.. I misread your email too :-) ... As I said previously, I need the
> container identity not the user one.
>
> Best,
> Jerome

-- 
----
http://www.liquid-reality.de


Re: Get the container Principal/Subject/Credential from a web service

Posted by Jérôme Revillard <jr...@maatg.com>.
Oops.. I misread your email too :-) ... As I said previously, I need the
container identity not the user one.

Best,
Jerome

On 09/03/2011 15:09, Christian Schneider wrote:
> Hi Jerome,
>
> we actually support WebServiceContext.
> You can add it as a property to your implementation class like this:
>
> @Resource
> WebServiceContext wsContext;
>
> The wsdl_first example shows this.
>
> Christian
>
> On 09.03.2011 14:33, Jerome Revillard wrote:
>> Dear all,
>>
>> Is there an equivalent to WebServiceContext in order to get the
>> container
>> Principal/Subject/Credential from a web service?
>>
>> Best,
>> Jerome
>>
>> -- 
>> View this message in context:
>> http://cxf.547215.n5.nabble.com/Get-the-container-Principal-Subject-Credential-from-a-web-service-tp3415505p3415505.html
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
>




Re: Get the container Principal/Subject/Credential from a web service

Posted by Jerome Revillard <jr...@maatg.com>.
Thanks a lot Christian. I will check it right now.

Best,
Jerome

--
View this message in context: http://cxf.547215.n5.nabble.com/Get-the-container-Principal-Subject-Credential-from-a-web-service-tp3415505p3415607.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Get the container Principal/Subject/Credential from a web service

Posted by Christian Schneider <ch...@die-schneider.net>.
Hi Jerome,

we actually support WebServiceContext.
You can add it as a property to your implementation class like this:

@Resource
WebServiceContext wsContext;

The wsdl_first example shows this.

Christian

On 09.03.2011 14:33, Jerome Revillard wrote:
> Dear all,
>
> Is there an equivalent to WebServiceContext in order to get the container
> Principal/Subject/Credential from a web service?
>
> Best,
> Jerome
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/Get-the-container-Principal-Subject-Credential-from-a-web-service-tp3415505p3415505.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>

-- 
----
http://www.liquid-reality.de


Re: Get the container Principal/Subject/Credential from a web service

Posted by Jerome Revillard <jr...@maatg.com>.
Thanks a lot for your prompt reply but I think that there is a
misunderstanding. I can get the user principal without problem but I need to
compare it with the principal (certificate DN) of the container into which
the service is running.

Best,
Jerome

--
View this message in context: http://cxf.547215.n5.nabble.com/Get-the-container-Principal-Subject-Credential-from-a-web-service-tp3415505p3415604.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Get the container Principal/Subject/Credential from a web service

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

On Wed, Mar 9, 2011 at 1:33 PM, Jerome Revillard <jr...@maatg.com> wrote:

> Dear all,
>
> Is there an equivalent to WebServiceContext in order to get the container
> Principal/Subject/Credential from a web service?
>

WebServiceContext implementation uses
org.apache.cxf.security.SecurityContext internally. So if you prefer you may
want to register a custom CXF in interceptor and get the internal
SecurityContext from the current message:

SecurityContext sc = message.get(SecurityContext.class);
sc.getUserPrincipal();
sc.isUserInRole(role); // role: name of the role to check


In CXF 2.3.3 we have introduced LoginSecurityContext which extends
SecurityContext.
One can use it to get the actual Subject and the list of roles but only if
it was CXF that initiated the external authentication process, possibly via
JAAS. Please see:

http://cxf.apache.org/docs/security.html#Security-Authentication

Cheers, Sergey


> Best,
> Jerome
>
>
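
Added example, not part of the thread and not CXF project code: a sketch of the approach discussed above, combining the in interceptor that reads SecurityContext from the message with the -D parameter naming the DN to check for. The class name, the property name container.dn and the sample DN are hypothetical, and it assumes the user principal's name is the client certificate subject DN.

```java
import java.security.Principal;
import javax.security.auth.x500.X500Principal;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/** Hypothetical interceptor: only a caller whose DN equals the configured container DN may proceed. */
public class ContainerDnInterceptor extends AbstractPhaseInterceptor<Message> {

    // Hypothetical property, set at server start, e.g.
    //   -Dcontainer.dn="CN=host.example.org,O=Example,C=FR"   (constructed sample DN)
    static final String DN_PROPERTY = "container.dn";

    private final X500Principal expected;

    public ContainerDnInterceptor() {
        super(Phase.PRE_INVOKE);
        String dn = System.getProperty(DN_PROPERTY);
        if (dn == null || dn.trim().isEmpty()) {
            // Fail closed: refuse to start rather than run with nothing to compare against.
            throw new IllegalStateException("System property " + DN_PROPERTY + " is not set");
        }
        expected = new X500Principal(dn); // throws IllegalArgumentException on a malformed DN
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext sc = message.get(SecurityContext.class);
        Principal user = (sc == null) ? null : sc.getUserPrincipal();
        // Unauthenticated callers and non-matching DNs are rejected the same way.
        if (user == null || !matches(user.getName())) {
            throw new Fault(new SecurityException("Caller is not the container identity"));
        }
    }

    /** Compares DNs in canonical form, so case and spacing differences do not cause a mismatch. */
    boolean matches(String callerDn) {
        if (callerDn == null) {
            return false;
        }
        try {
            return expected.equals(new X500Principal(callerDn));
        } catch (IllegalArgumentException e) {
            return false; // principal name is not a DN: deny
        }
    }
}
```

Register it as an in interceptor only on the endpoint that must be restricted, so other services keep their normal access rules.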