Posted to users@servicemix.apache.org by Radomir Kadlec <ra...@aura.cz> on 2012/02/27 13:20:22 UTC

cxfbc:provider with WS-Security and previous JAAS authentication

Hello,

I built a ServiceMix gateway for our business services.
The whole project uses OSGi bundles as the deployment model.
Used ServiceMix version: apache-servicemix-4.4.1-fuse-01-06

The *cxfbc:consumer* accepts SOAP requests, does logging and authentication
(username token with password in plain text). It uses WSS4JInInterceptor
together with JAAS-configured authentication and authorization to access the
LDAP login module. All of this works fine.
I have no password callback handler of my own for the incoming/outgoing messages;
WSS4JInInterceptor is configured with the *ws-security.validate.token*=false
property, so JAAS does all the work.

The *cxfbc:producer* shall only forward the incoming message together with
all SOAP headers (especially the WS-Security header) to our business services.

*How can I configure the cxfbc:producer to include the username and password
caught from JAAS?*

Is it possible, or can I not use cxfbc:producer and must use some simple HTTP
forwarder?
The incoming message shall be forwarded only after successful
authentication in JAAS.

I included my test configuration.
http://servicemix.396122.n5.nabble.com/file/n5518767/beans_cxf.xml
beans_cxf.xml 
http://servicemix.396122.n5.nabble.com/file/n5518767/isl_a.wsdl isl_a.wsdl 

Thanks,
Radomir

--
View this message in context: http://servicemix.396122.n5.nabble.com/cxfbc-provider-with-WS-Security-and-previous-JAAS-authentication-tp5518767p5518767.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.

Re: cxfbc:provider with WS-Security and previous JAAS authentication

Posted by pdicandia <pd...@dccsoft.com.ar>.
Hi,
I'm doing something similar... a web services proxy (the ESB forwards requests
and responses). Everything worked fine.

I was migrating from Fuse 4.4.0 to 4.4.1 when I started to face an error in
web services that use security interceptors.

This configuration works fine in Fuse 4.4.0, but in 4.4.1 I get an error in
the destination web service's response.

		<cxf:cxfEndpoint id="datagenCatalog"
			address="http://0.0.0.0:9091/esb/datagenCatalog"
			wsdlURL="classpath:wsdl/catalog.wsdl">
			<cxf:inInterceptors>
				<bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
					<constructor-arg>
						<map>
							<entry key="action" value="UsernameToken" />
							<entry key="passwordType" value="PasswordText" />
							<entry key="passwordCallbackRef">
								<ref bean="passwordCallback"/>
							</entry>
						</map>
					</constructor-arg>
				</bean>
			</cxf:inInterceptors>
		</cxf:cxfEndpoint>

Do you know if something changed in version 4.4.1 related to interceptors? 
Thanks

--
View this message in context: http://servicemix.396122.n5.nabble.com/cxfbc-provider-with-WS-Security-and-previous-JAAS-authentication-tp5518767p5546380.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.

Re: cxfbc:provider with WS-Security and previous JAAS authentication

Posted by Freeman Fang <fr...@gmail.com>.
Hi,

I thought you already cached it on the cxfbc consumer side, :-)
Anyway, yeah, you need a custom interceptor on the cxf consumer to cache
it; the key code should be like

             // SecurityToken, UsernameToken and TokenType are from
             // org.apache.cxf.common.security; WSS4JInInterceptor puts the
             // parsed token on the message
             SecurityToken token = message.get(SecurityToken.class);
             if (token != null && token.getTokenType() == TokenType.UsernameToken) {
                 UsernameToken ut = (UsernameToken) token;
                 name = ut.getName();
                 password = ut.getPassword();
             }
You need to ensure your custom interceptor is after WSS4JInInterceptor
and before JAASLoginInterceptor.

Freeman

On 2012-2-27, at 9:57 PM, Radomir Kadlec wrote:

> Hi Freeman,
>
> thanks for all the tips.
>
> But from where shall I take the username and password in the custom
> interceptor for *cxfbc:provider*?
> I use no custom interceptors in the *cxfbc:consumer*, so I don't
> save the incoming username and password anywhere. The JAAS auth module
> takes care of the authentication in the consumer.
>
> Does *JAAS* do it?
> Or must I also create a new custom interceptor for the
> cxfbc:consumer to save them temporarily?
>
> Thanks,
> Radomir
>
> --
> View this message in context: http://servicemix.396122.n5.nabble.com/cxfbc-provider-with-WS-Security-and-previous-JAAS-authentication-tp5518767p5518967.html
> Sent from the ServiceMix - User mailing list archive at Nabble.com.

---------------------------------------------
Freeman Fang

FuseSource
Email:ffang@fusesource.com
Web: fusesource.com
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com

Re: cxfbc:provider with WS-Security and previous JAAS authentication

Posted by Radomir Kadlec <ra...@aura.cz>.
Hi Freeman,

thanks for all the tips.

But from where shall I take the username and password in the custom
interceptor for *cxfbc:provider*?
I use no custom interceptors in the *cxfbc:consumer*, so I don't save the
incoming username and password anywhere. The JAAS auth module takes care of
the authentication in the consumer.

Does *JAAS* do it?
Or must I also create a new custom interceptor for the cxfbc:consumer to
save them temporarily?

Thanks,
Radomir

--
View this message in context: http://servicemix.396122.n5.nabble.com/cxfbc-provider-with-WS-Security-and-previous-JAAS-authentication-tp5518767p5518967.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.

Re: cxfbc:provider with WS-Security and previous JAAS authentication

Posted by Freeman Fang <fr...@gmail.com>.
Hi,

So basically you just want a pass-through which can forward the
UsernameToken ws-security action, right?

If you only want to forward the UsernameToken action, with no encryption/
signature (as message transformation in the JBI bus will make encryption/
signature invalid anyway), then I think it should be doable. You
can configure the cxf bc provider to use SAAJOutInterceptor and
WSS4JOutInterceptor to support ws-security; we actually have a
testcase CxfBcProviderSecurityTest[1] which should be a good start for
you, though it doesn't use the UsernameToken action. In your scenario, you
need the WSS4JOutInterceptor configuration to use the UsernameToken action,
and you need to set username/password dynamically per message, so
you need to write a custom out interceptor, ensure it gets invoked
before WSS4JOutInterceptor, and in your custom interceptor just do
something like

// SecurityConstants is org.apache.cxf.ws.security.SecurityConstants
message.setContextualProperty(SecurityConstants.USERNAME, username);
message.setContextualProperty(SecurityConstants.PASSWORD, password);
here username/password are those caught from JAAS.

[1]https://svn.apache.org/repos/asf/servicemix/components/trunk/bindings/servicemix-cxf-bc/src/test/java/org/apache/servicemix/cxfbc/ws/security/CxfBcProviderSecurityTest.java

Freeman
On 2012-2-27, at 8:20 PM, Radomir Kadlec wrote:

> Hello,
>
> I built a ServiceMix gateway for our business services.
> The whole project uses OSGi bundles as the deployment model.
> Used ServiceMix version: apache-servicemix-4.4.1-fuse-01-06
>
> The *cxfbc:consumer* accepts SOAP requests, does logging and
> authentication (username token with password in plain text). It uses
> WSS4JInInterceptor together with JAAS-configured authentication and
> authorization to access the LDAP login module. All of this works fine.
> I have no password callback handler of my own for the incoming/outgoing
> messages; WSS4JInInterceptor is configured with the
> *ws-security.validate.token*=false property, so JAAS does all the work.
>
> The *cxfbc:producer* shall only forward the incoming message
> together with all SOAP headers (especially the WS-Security header) to
> our business services.
>
> *How can I configure the cxfbc:producer to include the username and
> password caught from JAAS?*
>
> Is it possible, or can I not use cxfbc:producer and must use some
> simple HTTP forwarder?
> The incoming message shall be forwarded only after successful
> authentication in JAAS.
>
> I included my test configuration.
> http://servicemix.396122.n5.nabble.com/file/n5518767/beans_cxf.xml
> beans_cxf.xml
> http://servicemix.396122.n5.nabble.com/file/n5518767/isl_a.wsdl
> isl_a.wsdl
>
> Thanks,
> Radomir
>
> --
> View this message in context: http://servicemix.396122.n5.nabble.com/cxfbc-provider-with-WS-Security-and-previous-JAAS-authentication-tp5518767p5518767.html
> Sent from the ServiceMix - User mailing list archive at Nabble.com.

---------------------------------------------
Freeman Fang

FuseSource
Email:ffang@fusesource.com
Web: fusesource.com
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
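The two pieces Freeman describes in this thread (a consumer-side in-interceptor that caches the parsed UsernameToken after WSS4JInInterceptor and before the JAAS login interceptor, and a provider-side out-interceptor that sets SecurityConstants.USERNAME/PASSWORD before WSS4JOutInterceptor) put together as one added example. This is illustration code written for this page, not code from the thread, from ServiceMix or from CXF. The class names CredentialStore, UsernameTokenCaptureInterceptor and UsernameTokenForwardInterceptor, the package name, and the ThreadLocal hand-off between the two hops are assumptions of the example; the CXF types used (org.apache.cxf.common.security.SecurityToken/UsernameToken/TokenType, SecurityConstants, AbstractPhaseInterceptor, Message.setContextualProperty) are the ones the thread itself names or that exist in CXF 2.x.

```java
package example.gateway; // hypothetical package name

import org.apache.cxf.common.security.SecurityToken;
import org.apache.cxf.common.security.TokenType;
import org.apache.cxf.common.security.UsernameToken;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.JAASLoginInterceptor;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.SecurityConstants;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.cxf.ws.security.wss4j.WSS4JOutInterceptor;

/**
 * Carries the credentials from the cxfbc:consumer hop to the cxfbc:provider hop.
 * ASSUMPTION of this example: consumer -> NMR -> provider runs on the calling
 * thread. If your NMR dispatches the exchange asynchronously, key this store on
 * the JBI exchange id instead of a ThreadLocal; the interceptors below do not change.
 */
final class CredentialStore {
    private static final ThreadLocal<String[]> CURRENT = new ThreadLocal<String[]>();

    static void put(String name, String password) {
        CURRENT.set(new String[] {name, password});
    }

    /** Returns the credentials once and clears them, so they never outlive one exchange. */
    static String[] take() {
        String[] c = CURRENT.get();
        CURRENT.remove();
        return c;
    }
}

/** Consumer side: runs after WSS4JInInterceptor has parsed the UsernameToken. */
public class UsernameTokenCaptureInterceptor extends AbstractPhaseInterceptor<Message> {
    public UsernameTokenCaptureInterceptor() {
        super(Phase.PRE_PROTOCOL);                        // same phase as WSS4JInInterceptor
        addAfter(WSS4JInInterceptor.class.getName());     // token must already be on the message
        addBefore(JAASLoginInterceptor.class.getName());  // only matters if JAAS shares the phase
    }

    public void handleMessage(Message message) throws Fault {
        SecurityToken token = message.get(SecurityToken.class);
        if (token != null && token.getTokenType() == TokenType.UsernameToken) {
            UsernameToken ut = (UsernameToken) token;
            // Never log ut.getPassword(); it is the caller's plaintext password.
            CredentialStore.put(ut.getName(), ut.getPassword());
        } else {
            // No token on this request: make sure nothing stale is left for this thread.
            CredentialStore.take();
        }
        // JAAS still runs after this interceptor; if it rejects the caller the
        // exchange never reaches the provider, so nothing is forwarded.
    }
}

/** Provider side: hands the cached credentials to WSS4JOutInterceptor (action=UsernameToken). */
class UsernameTokenForwardInterceptor extends AbstractPhaseInterceptor<Message> {
    public UsernameTokenForwardInterceptor() {
        super(Phase.PRE_PROTOCOL);                        // same phase as WSS4JOutInterceptor
        addBefore(WSS4JOutInterceptor.class.getName());   // properties must be set before it runs
    }

    public void handleMessage(Message message) throws Fault {
        String[] cred = CredentialStore.take();
        if (cred == null) {
            // Fail closed: do not send an outbound request without the authenticated identity.
            throw new Fault(new IllegalStateException("no authenticated credentials to forward"));
        }
        // Per Freeman's reply, WSS4JOutInterceptor picks these up for the UsernameToken action.
        message.setContextualProperty(SecurityConstants.USERNAME, cred[0]);
        message.setContextualProperty(SecurityConstants.PASSWORD, cred[1]);
    }
}
```

Register UsernameTokenCaptureInterceptor in the cxfbc:consumer's inInterceptors and UsernameTokenForwardInterceptor together with SAAJOutInterceptor and a WSS4JOutInterceptor configured with action=UsernameToken and passwordType=PasswordText in the cxfbc:provider's outInterceptors. The store returns the credentials exactly once and the forward interceptor throws when none are present, so a provider call can neither reuse a previous caller's password nor go out unauthenticated; since the token is forwarded in plain text, the provider's address should be an https endpoint.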