Posted to users@cxf.apache.org by Slava Imeshev <im...@yahoo.com> on 2009/02/19 23:58:12 UTC

Authentication and authorization

Hi all,

I have an interesting use case that I am not sure how to approach.

Consider a service MyService on Tomcat, pseudocode:

MyService {
   Set<Entry> getEntries();
}

For that service, if the requester did not authenticate, the
getEntries would return a limited list of entries, only those allowed
for "public" access. If the requestor did authenticate, the service
returns an extended set. How can this be done with CXF?

Regards,

Slava Imeshev



Re: Authentication and authorization

Posted by Daniel Kulp <dk...@apache.org>.
On Fri February 20 2009 6:46:15 pm Slava Imeshev wrote:
> > Couple of approaches:
> >
> > 1) (simple) In the "anonymous" case, the getUserPrincipal()
> > will just return
> > null.    It will return non-null for everyone else.   Thus,
> > in your impl, just
> > detect it that way.
>
> Hmm. I thought that a request doesn't get to the protected resource if
> it is not authenticated, as in a web.xml:

Right.  So basically what you do is NOT put a security-constraint in the 
web.xml.   Thus, all requests would go into the service.   However, if the 
user DOES provide auth details, the principal would be filled in.  

Dan


>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>Remote builder</web-resource-name>
>       <url-pattern>/service/integration/</url-pattern>
>     </web-resource-collection>
>     <auth-constraint>
>       <role-name>service-user</role-name>
>     </auth-constraint>
>   </security-constraint>
>
> Slava
>
> > 2) (complex) You CAN write an interceptor that replaces the
> > Principal in the
> > context with something else.   If the principal is null,
> > create an anonymous
> > principal and reset the security context information to point
> > to that.   In
> > general (1) is much easier.  :-)
> >
> > Dan
> >
> > On Fri February 20 2009 3:55:56 pm Slava Imeshev wrote:
> > > Daniel,
> > >
> > > Thanks!
> > >
> > > I have another question. I have also a use case when the web service
> > > should provide the result w/o authentication at all. The options I
> > > have right now are
> > >
> > > 1. To say that the authentication is always required.
> > >
> > > 2. To bind the service to a URL that does not require authentication.
> > > 3. Somehow pre-process the request and replace a request w/o
> > > authentication with a request with synthetic user "anonymous".
> > >
> > > I think # 1 and # 2 are easy but don't do exactly what is required. #3
> > > seems to be optimal but I am not sure how to approach it.
> > >
> > > Any suggestions/ideas?
> > >
> > > Regards,
> > >
> > > Slava Imeshev
> > >
> > > > -----Original Message-----
> > > > From: Daniel Kulp [mailto:dkulp@apache.org]
> > > > Sent: Friday, February 20, 2009 12:43 PM
> > > > To: users@cxf.apache.org
> > > > Cc: Slava Imeshev
> > > > Subject: Re: Authentication and authorization
> > > >
> > > > On Fri February 20 2009 1:21:42 pm Slava Imeshev wrote:
> > > > > Daniel,
> > > > >
> > > > > I am pretty new to CXF. I'd be very grateful if you could point me
> > > > > in the right direction. Any examples/tutorials?
> > > >
> > > > It's pretty simple actually.   In your Impl bean, add a field:
> > > >
> > > >
> > > >     @Resource
> > > >     private WebServiceContext context;
> > > >
> > > > That will get the context injected.
> > > >
> > > >
> > > > Then in your method, do:
> > > >
> > > >     context.getUserPrincipal()
> > > > or
> > > >     context.isUserInRole("blah");
> > > >
> > > > As long as the user has authenticated (basic auth), then
> > > > those methods should
> > > > return the information that the app server returns from the
> > > > HttpServletRequest.
> > > >
> > > > Dan
> > > >
> > > > > Regards,
> > > > >
> > > > > Slava Imeshev
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: Daniel Kulp [mailto:dkulp@apache.org]
> > > > > > Sent: Friday, February 20, 2009 7:58 AM
> > > > > > To: users@cxf.apache.org
> > > > > > Cc: Slava Imeshev
> > > > > > Subject: Re: Authentication and authorization
> > > > > >
> > > > > >
> > > > > > The JAX-WS spec kind of covers this.
> > > > > >
> > > > > > If you inject WebServiceContext, from the context, you can
> > > > > > get the user
> > > > > > principal and call the isUserInRole call which would call
> > > > > > back into the tomcat
> > > > > > auth modules.   From that, you can act on it any way you please.
> > > > > >
> > > > > > Dan
> > > > > >
> > > > > > On Thu February 19 2009 5:58:12 pm Slava Imeshev wrote:
> > > > > > > Hi all,
> > > > > > >
> > > > > > > I have an interesting use case that I am not sure how to approach.
> > > > > > >
> > > > > > > Consider a service MyService on Tomcat, pseudocode:
> > > > > > >
> > > > > > > MyService {
> > > > > > >    Set<Entry> getEntries();
> > > > > > > }
> > > > > > >
> > > > > > > For that service, if the requester did not authenticate, the
> > > > > > > getEntries would return a limited list of entries, only those allowed
> > > > > > > for "public" access. If the requestor did authenticate, the service
> > > > > > > returns an extended set. How can this be done with CXF?
> > > > > > >
> > > > > > > Regards,
> > > > > > >
> > > > > > > Slava Imeshev
> > > > > >
> > > > > > --
> > > > > > Daniel Kulp
> > > > > > dkulp@apache.org
> > > > > > http://www.dankulp.com/blog
> > > >
> > > > --
> > > > Daniel Kulp
> > > > dkulp@apache.org
> > > > http://www.dankulp.com/blog
> >
> > --
> > Daniel Kulp
> > dkulp@apache.org
> > http://www.dankulp.com/blog

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
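
MyService implemented along the lines Dan gives above, as an added example that is not code from the thread: no security-constraint on the endpoint, the injected WebServiceContext distinguishes anonymous from authenticated callers, and the extended set is gated on the "service-user" role from Slava's web.xml. The Entry type, the in-memory store and the decision helper are assumptions for illustration; it also assumes the container actually processes credentials sent to an unconstrained URL (on Tomcat, the Context attribute preemptiveAuthentication="true").

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

/**
 * Added example (not code from the thread): MyService built the way Dan
 * describes.  web.xml carries no <security-constraint> for this endpoint, so
 * anonymous and authenticated requests both reach the bean; the injected
 * WebServiceContext tells them apart.  Assumed for illustration: the Entry
 * type, the in-memory store, and that the container processes credentials
 * presented to an unconstrained URL (Tomcat: preemptiveAuthentication="true"
 * on the Context).  "service-user" is the role from Slava's web.xml.
 */
@WebService
public class MyService {

    /** Role that unlocks the extended set; taken from the web.xml in the thread. */
    static final String EXTENDED_ROLE = "service-user";

    /** Assumed entry type from the pseudocode; public fields and no-arg ctor keep JAXB happy. */
    public static class Entry {
        public String name;
        public boolean publicAccess;   // true => visible to anonymous callers

        public Entry() { }

        public Entry(String name, boolean publicAccess) {
            this.name = name;
            this.publicAccess = publicAccess;
        }

        @Override
        public String toString() { return name; }
    }

    /** Injected by the JAX-WS runtime; on Tomcat it is backed by the HttpServletRequest. */
    @Resource
    private WebServiceContext context;

    /** Constructed sample data standing in for a real repository. */
    private final List<Entry> store = Arrays.asList(
            new Entry("release-notes", true),
            new Entry("build-status", true),
            new Entry("internal-build-log", false));

    public Set<Entry> getEntries() {
        Principal caller = context.getUserPrincipal();            // null => anonymous
        boolean extended = caller != null && context.isUserInRole(EXTENDED_ROLE);
        return visibleEntries(caller, extended);
    }

    /**
     * The authorization decision, kept apart from the JAX-WS plumbing so it can be unit
     * tested without a container.  Anonymous callers see only "public" entries.  The
     * extended set is gated on a role rather than on the mere presence of a principal, so
     * an identity authenticated for some other part of the application (or a synthetic
     * "anonymous" principal installed by an interceptor) does not widen access by accident.
     */
    Set<Entry> visibleEntries(Principal caller, boolean hasExtendedRole) {
        Set<Entry> result = new LinkedHashSet<Entry>();
        for (Entry e : store) {
            if (e.publicAccess || (caller != null && hasExtendedRole)) {
                result.add(e);
            }
        }
        return Collections.unmodifiableSet(result);
    }
}
```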

RE: Authentication and authorization

Posted by Slava Imeshev <si...@comcast.net>.
 
> Couple of approaches:
> 
> 1) (simple) In the "anonymous" case, the getUserPrincipal() 
> will just return 
> null.    It will return non-null for everyone else.   Thus, 
> in your impl, just 
> detect it that way.

Hmm. I thought that a request doesn't get to the protected resource if
it is not authenticated, as in a web.xml:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Remote builder</web-resource-name>
      <url-pattern>/service/integration/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>service-user</role-name>
    </auth-constraint>
  </security-constraint>

Slava

> 
> 2) (complex) You CAN write an interceptor that replaces the 
> Principal in the 
> context with something else.   If the principal is null, 
> create an anonymous 
> principal and reset the security context information to point 
> to that.   In 
> general (1) is much easier.  :-)
> 
> Dan
> 
> 
> On Fri February 20 2009 3:55:56 pm Slava Imeshev wrote:
> > Daniel,
> >
> > Thanks!
> >
> > I have another question. I have also a use case when the web service
> > should provide the result w/o authentication at all. The options I
> > have right now are
> >
> > 1. To say that the authentication is always required.
> >
> > 2. To bind the service to a URL that does not require authentication.
> >
> > 3. Somehow pre-process the request and replace a request w/o
> > authentication with a request with synthetic user "anonymous".
> >
> > I think # 1 and # 2 are easy but don't do exactly what is required. #3
> > seems to be optimal but I am not sure how to approach it.
> >
> > Any suggestions/ideas?
> >
> > Regards,
> >
> > Slava Imeshev
> >
> > > -----Original Message-----
> > > From: Daniel Kulp [mailto:dkulp@apache.org]
> > > Sent: Friday, February 20, 2009 12:43 PM
> > > To: users@cxf.apache.org
> > > Cc: Slava Imeshev
> > > Subject: Re: Authentication and authorization
> > >
> > > On Fri February 20 2009 1:21:42 pm Slava Imeshev wrote:
> > > > Daniel,
> > > >
> > > > I am pretty new to CXF. I'd be very grateful if you could point me
> > > > in the right direction. Any examples/tutorials?
> > >
> > > It's pretty simple actually.   In your Impl bean, add a field:
> > >
> > >
> > >     @Resource
> > >     private WebServiceContext context;
> > >
> > > That will get the context injected.
> > >
> > >
> > > Then in your method, do:
> > >
> > >     context.getUserPrincipal()
> > > or
> > >     context.isUserInRole("blah");
> > >
> > > As long as the user has authenticated (basic auth), then
> > > those methods should
> > > return the information that the app server returns from the
> > > HttpServletRequest.
> > >
> > > Dan
> > >
> > > > Regards,
> > > >
> > > > Slava Imeshev
> > > >
> > > > > -----Original Message-----
> > > > > From: Daniel Kulp [mailto:dkulp@apache.org]
> > > > > Sent: Friday, February 20, 2009 7:58 AM
> > > > > To: users@cxf.apache.org
> > > > > Cc: Slava Imeshev
> > > > > Subject: Re: Authentication and authorization
> > > > >
> > > > >
> > > > > The JAX-WS spec kind of covers this.
> > > > >
> > > > > If you inject WebServiceContext, from the context, you can
> > > > > get the user
> > > > > principal and call the isUserInRole call which would call
> > > > > back into the tomcat
> > > > > auth modules.   From that, you can act on it any way you please.
> > > > >
> > > > > Dan
> > > > >
> > > > > On Thu February 19 2009 5:58:12 pm Slava Imeshev wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > I have an interesting use case that I am not sure how to approach.
> > > > > >
> > > > > > Consider a service MyService on Tomcat, pseudocode:
> > > > > >
> > > > > > MyService {
> > > > > >    Set<Entry> getEntries();
> > > > > > }
> > > > > >
> > > > > > For that service, if the requester did not authenticate, the
> > > > > > getEntries would return a limited list of entries, only those allowed
> > > > > > for "public" access. If the requestor did authenticate, the service
> > > > > > returns an extended set. How can this be done with CXF?
> > > > > >
> > > > > > Regards,
> > > > > >
> > > > > > Slava Imeshev
> > > > >
> > > > > --
> > > > > Daniel Kulp
> > > > > dkulp@apache.org
> > > > > http://www.dankulp.com/blog
> > >
> > > --
> > > Daniel Kulp
> > > dkulp@apache.org
> > > http://www.dankulp.com/blog
> 
> -- 
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog


Re: Authentication and authorization

Posted by Daniel Kulp <dk...@apache.org>.

Couple of approaches:

1) (simple) In the "anonymous" case, the getUserPrincipal() will just return 
null.    It will return non-null for everyone else.   Thus, in your impl, just 
detect it that way.

2) (complex) You CAN write an interceptor that replaces the Principal in the 
context with something else.   If the principal is null, create an anonymous 
principal and reset the security context information to point to that.   In 
general (1) is much easier.  :-)

Dan


On Fri February 20 2009 3:55:56 pm Slava Imeshev wrote:
> Daniel,
>
> Thanks!
>
> I have another question. I have also a use case when the web service
> should provide the result w/o authentication at all. The options I
> have right now are
>
> 1. To say that the authentication is always required.
>
> 2. To bind the service to a URL that does not require authentication.
>
> 3. Somehow pre-process the request and replace a request w/o
> authentication with a request with synthetic user "anonymous".
>
> I think # 1 and # 2 are easy but don't do exactly what is required. #3
> seems to be optimal but I am not sure how to approach it.
>
> Any suggestions/ideas?
>
> Regards,
>
> Slava Imeshev
>
> > -----Original Message-----
> > From: Daniel Kulp [mailto:dkulp@apache.org]
> > Sent: Friday, February 20, 2009 12:43 PM
> > To: users@cxf.apache.org
> > Cc: Slava Imeshev
> > Subject: Re: Authentication and authorization
> >
> > On Fri February 20 2009 1:21:42 pm Slava Imeshev wrote:
> > > Daniel,
> > >
> > > I am pretty new to CXF. I'd be very grateful if you could point me
> > > in the right direction. Any examples/tutorials?
> >
> > It's pretty simple actually.   In your Impl bean, add a field:
> >
> >
> >     @Resource
> >     private WebServiceContext context;
> >
> > That will get the context injected.
> >
> >
> > Then in your method, do:
> >
> >     context.getUserPrincipal()
> > or
> >     context.isUserInRole("blah");
> >
> > As long as the user has authenticated (basic auth), then
> > those methods should
> > return the information that the app server returns from the
> > HttpServletRequest.
> >
> > Dan
> >
> > > Regards,
> > >
> > > Slava Imeshev
> > >
> > > > -----Original Message-----
> > > > From: Daniel Kulp [mailto:dkulp@apache.org]
> > > > Sent: Friday, February 20, 2009 7:58 AM
> > > > To: users@cxf.apache.org
> > > > Cc: Slava Imeshev
> > > > Subject: Re: Authentication and authorization
> > > >
> > > >
> > > > The JAX-WS spec kind of covers this.
> > > >
> > > > If you inject WebServiceContext, from the context, you can
> > > > get the user
> > > > principal and call the isUserInRole call which would call
> > > > back into the tomcat
> > > > auth modules.   From that, you can act on it any way you please.
> > > >
> > > > Dan
> > > >
> > > > On Thu February 19 2009 5:58:12 pm Slava Imeshev wrote:
> > > > > Hi all,
> > > > >
> > > > > I have an interesting use case that I am not sure how to approach.
> > > > >
> > > > > Consider a service MyService on Tomcat, pseudocode:
> > > > >
> > > > > MyService {
> > > > >    Set<Entry> getEntries();
> > > > > }
> > > > >
> > > > > For that service, if the requester did not authenticate, the
> > > > > getEntries would return a limited list of entries, only those allowed
> > > > > for "public" access. If the requestor did authenticate, the service
> > > > > returns an extended set. How can this be done with CXF?
> > > > >
> > > > > Regards,
> > > > >
> > > > > Slava Imeshev
> > > >
> > > > --
> > > > Daniel Kulp
> > > > dkulp@apache.org
> > > > http://www.dankulp.com/blog
> >
> > --
> > Daniel Kulp
> > dkulp@apache.org
> > http://www.dankulp.com/blog

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog

Re: Authentication and authorization

Posted by Daniel Kulp <dk...@apache.org>.
On Fri February 20 2009 5:20:27 pm Christian Schneider wrote:
> Hi Dan,
>
> thanks for this great hint. I did not know this was so easy. Is this
> already described somewhere in the wiki?
> If not I could write a page about it.

Probably not as it's part of the JAX-WS spec so is kind of "assumed" to be 
knowledge.   That said, all the "security" related things need MUCH better 
documentation on the wiki.   We need much more information about WS-Security, 
authentication, integration with Spring security, etc....  

> Can I make this work with JMS too? I guess currently it will not work. I
> know that it is possible in Tibco EMS to get the client user that sent
> the message as a JMS header.
> I guess we could use this to populate the context. ActiveMQ will
> probably support something similar. On a quick search  I found
> http://activemq.apache.org/maven/activemq-core/apidocs/org/apache/activemq/broker/UserIDBroker.html
> As far as I read this could do the trick.

If you can get the Principal (and roles if possible), then it's real easy to 
do.  If you look in the Http destination, it basically creates an object that 
implements org.apache.cxf.security.SecurityContext (interface in API project) 
that wraps the calls on the ServletRequest and sets that on the message.   
The WebServiceContext is really looking for that object on the message.   
Thus, if JMS provided an implementation of that interface that could get the 
information, then it should work identically. 


Dan



>
> Greetings
>
> Christian
>
> Daniel Kulp schrieb:
> > On Fri February 20 2009 1:21:42 pm Slava Imeshev wrote:
> >> Daniel,
> >>
> >> I am pretty new to CXF. I'd be very grateful if you could point me
> >> in the right direction. Any examples/tutorials?
> >
> > It's pretty simple actually.   In your Impl bean, add a field:
> >
> >
> >     @Resource
> >     private WebServiceContext context;
> >
> > That will get the context injected.
> >
> >
> > Then in your method, do:
> >
> >     context.getUserPrincipal()
> > or
> >     context.isUserInRole("blah");
> >
> > As long as the user has authenticated (basic auth), then those methods
> > should return the information that the app server returns from the
> > HttpServletRequest.
> >
> > Dan
> >
> >> Regards,
> >>
> >> Slava Imeshev
> >>
> >>> -----Original Message-----
> >>> From: Daniel Kulp [mailto:dkulp@apache.org]
> >>> Sent: Friday, February 20, 2009 7:58 AM
> >>> To: users@cxf.apache.org
> >>> Cc: Slava Imeshev
> >>> Subject: Re: Authentication and authorization
> >>>
> >>>
> >>> The JAX-WS spec kind of covers this.
> >>>
> >>> If you inject WebServiceContext, from the context, you can
> >>> get the user
> >>> principal and call the isUserInRole call which would call
> >>> back into the tomcat
> >>> auth modules.   From that, you can act on it any way you please.
> >>>
> >>> Dan
> >>>
> >>> On Thu February 19 2009 5:58:12 pm Slava Imeshev wrote:
> >>>> Hi all,
> >>>>
> >>>> I have an interesting use case that I am not sure how to approach.
> >>>>
> >>>> Consider a service MyService on Tomcat, pseudocode:
> >>>>
> >>>> MyService {
> >>>>    Set<Entry> getEntries();
> >>>> }
> >>>>
> >>>> For that service, if the requester did not authenticate, the
> >>>> getEntries would return a limited list of entries, only those allowed
> >>>> for "public" access. If the requestor did authenticate, the service
> >>>> returns an extended set. How can this be done with CXF?
> >>>>
> >>>> Regards,
> >>>>
> >>>> Slava Imeshev
> >>>
> >>> --
> >>> Daniel Kulp
> >>> dkulp@apache.org
> >>> http://www.dankulp.com/blog

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
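
Dan's approach (2) and the SecurityContext mechanism he describes here, as an added example that is neither thread code nor CXF's own: an in-interceptor that installs a synthetic "anonymous" org.apache.cxf.security.SecurityContext when the transport set none, plus the factory a JMS destination would need to build one from a verified user id and its roles. The principal name, the phase and the shape of fromUser() are assumptions.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/**
 * Added example, not code from the thread or from CXF itself: Dan's approach (2)
 * as a CXF in-interceptor.  The HTTP destination puts a SecurityContext on the
 * message and WebServiceContext reads it back.  If the transport set none, or set
 * one without a principal (unauthenticated HTTP request, or a JMS destination that
 * carries no identity), this installs a synthetic "anonymous" context instead, so
 * getUserPrincipal() is never null and every role check fails closed.  Principal
 * name, phase and the fromUser() signature are assumptions.
 */
public class AnonymousPrincipalInterceptor extends AbstractPhaseInterceptor<Message> {

    public static final String ANONYMOUS_NAME = "anonymous";

    public AnonymousPrincipalInterceptor() {
        // Late enough that the transport has already set its own context, but
        // before the service method runs, which is when WebServiceContext is read.
        super(Phase.PRE_INVOKE);
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext existing = message.get(SecurityContext.class);
        if (existing != null && existing.getUserPrincipal() != null) {
            return;  // a container-authenticated identity is present; never overwrite it
        }
        message.put(SecurityContext.class, anonymous());
    }

    /** A context whose principal is "anonymous" and that holds no roles at all. */
    public static SecurityContext anonymous() {
        return fromUser(ANONYMOUS_NAME, Collections.<String>emptySet());
    }

    /**
     * The piece Dan says a JMS destination would need: a SecurityContext built from
     * an identity the transport has already verified (for example a broker-populated
     * user id) and the roles granted to it.  isUserInRole fails closed: a null or
     * unknown role name yields false.
     */
    public static SecurityContext fromUser(final String name, final Set<String> roles) {
        final Principal principal = new Principal() {
            @Override public String getName() { return name; }
            @Override public String toString() { return "Principal[" + name + "]"; }
        };
        final Set<String> granted = Collections.unmodifiableSet(roles);
        return new SecurityContext() {
            @Override public Principal getUserPrincipal() { return principal; }
            @Override public boolean isUserInRole(String role) {
                return role != null && granted.contains(role);
            }
        };
    }
}
```

Register it on the endpoint's in-interceptor chain (for example via jaxws:inInterceptors in the Spring configuration); with it in place the service impl checks the principal name or a role rather than testing getUserPrincipal() for null.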

RE: Authentication and authorization

Posted by Slava Imeshev <im...@yahoo.com>.
Daniel,

Thanks!

I have another question. I have also a use case when the web service
should provide the result w/o authentication at all. The options I
have right now are

1. To say that the authentication is always required.

2. To bind the service to a URL that does not require authentication.

3. Somehow pre-process the request and replace a request w/o
authentication with a request with synthetic user "anonymous".

I think # 1 and # 2 are easy but don't do exactly what is required. #3
seems to be optimal but I am not sure how to approach it. 

Any suggestions/ideas?

Regards,

Slava Imeshev


 

> -----Original Message-----
> From: Daniel Kulp [mailto:dkulp@apache.org] 
> Sent: Friday, February 20, 2009 12:43 PM
> To: users@cxf.apache.org
> Cc: Slava Imeshev
> Subject: Re: Authentication and authorization
> 
> On Fri February 20 2009 1:21:42 pm Slava Imeshev wrote:
> > Daniel,
> >
> > I am pretty new to CXF. I'd be very grateful if you could point me
> > in the right direction. Any examples/tutorials?
> 
> It's pretty simple actually.   In your Impl bean, add a field:
> 
> 
>     @Resource
>     private WebServiceContext context;
>     
> That will get the context injected.
> 
> 
> Then in your method, do:
> 
>     context.getUserPrincipal()
> or
>     context.isUserInRole("blah");
> 
> As long as the user has authenticated (basic auth), then 
> those methods should 
> return the information that the app server returns from the 
> HttpServletRequest.
> 
> Dan
> 
> 
> 
> >
> > Regards,
> >
> > Slava Imeshev
> >
> > > -----Original Message-----
> > > From: Daniel Kulp [mailto:dkulp@apache.org]
> > > Sent: Friday, February 20, 2009 7:58 AM
> > > To: users@cxf.apache.org
> > > Cc: Slava Imeshev
> > > Subject: Re: Authentication and authorization
> > >
> > >
> > > The JAX-WS spec kind of covers this.
> > >
> > > If you inject WebServiceContext, from the context, you can
> > > get the user
> > > principal and call the isUserInRole call which would call
> > > back into the tomcat
> > > auth modules.   From that, you can act on it any way you please.
> > >
> > > Dan
> > >
> > > On Thu February 19 2009 5:58:12 pm Slava Imeshev wrote:
> > > > Hi all,
> > > >
> > > > I have an interesting use case that I am not sure how to approach.
> > > >
> > > > Consider a service MyService on Tomcat, pseudocode:
> > > >
> > > > MyService {
> > > >    Set<Entry> getEntries();
> > > > }
> > > >
> > > > For that service, if the requester did not authenticate, the
> > > > getEntries would return a limited list of entries, only those allowed
> > > > for "public" access. If the requestor did authenticate, the service
> > > > returns an extended set. How can this be done with CXF?
> > > >
> > > > Regards,
> > > >
> > > > Slava Imeshev
> > >
> > > --
> > > Daniel Kulp
> > > dkulp@apache.org
> > > http://www.dankulp.com/blog
> 
> -- 
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog



Re: Authentication and authorization

Posted by Christian Schneider <ch...@die-schneider.net>.
Hi Dan,

thanks for this great hint. I did not know this was so easy. Is this 
already described somewhere in the wiki?
If not I could write a page about it.

Can I make this work with JMS too? I guess currently it will not work. I 
know that it is possible in Tibco EMS to get the client user that sent 
the message as a JMS header.
I guess we could use this to populate the context. ActiveMQ will 
probably support something similar. On a quick search I found
http://activemq.apache.org/maven/activemq-core/apidocs/org/apache/activemq/broker/UserIDBroker.html
As far as I read this could do the trick.

Greetings

Christian


Daniel Kulp schrieb:
> On Fri February 20 2009 1:21:42 pm Slava Imeshev wrote:
>   
>> Daniel,
>>
>> I am pretty new to CXF. I'd be very grateful if you could point me
>> in the right direction. Any examples/tutorials?
>>     
>
> It's pretty simple actually.   In your Impl bean, add a field:
>
>
>     @Resource
>     private WebServiceContext context;
>     
> That will get the context injected.
>
>
> Then in your method, do:
>
>     context.getUserPrincipal()
> or
>     context.isUserInRole("blah");
>
> As long as the user has authenticated (basic auth), then those methods should 
> return the information that the app server returns from the 
> HttpServletRequest.
>
> Dan
>
>
>
>   
>> Regards,
>>
>> Slava Imeshev
>>
>>     
>>> -----Original Message-----
>>> From: Daniel Kulp [mailto:dkulp@apache.org]
>>> Sent: Friday, February 20, 2009 7:58 AM
>>> To: users@cxf.apache.org
>>> Cc: Slava Imeshev
>>> Subject: Re: Authentication and authorization
>>>
>>>
>>> The JAX-WS spec kind of covers this.
>>>
>>> If you inject WebServiceContext, from the context, you can
>>> get the user
>>> principal and call the isUserInRole call which would call
>>> back into the tomcat
>>> auth modules.   From that, you can act on it any way you please.
>>>
>>> Dan
>>>
>>> On Thu February 19 2009 5:58:12 pm Slava Imeshev wrote:
>>>       
>>>> Hi all,
>>>>
>>>> I have an interesting use case that I am not sure how to approach.
>>>>
>>>> Consider a service MyService on Tomcat, pseudocode:
>>>>
>>>> MyService {
>>>>    Set<Entry> getEntries();
>>>> }
>>>>
>>>> For that service, if the requester did not authenticate, the
>>>> getEntries would return a limited list of entries, only those allowed
>>>> for "public" access. If the requestor did authenticate, the service
>>>> returns an extended set. How can this be done with CXF?
>>>>
>>>> Regards,
>>>>
>>>> Slava Imeshev
>>>>         
>>> --
>>> Daniel Kulp
>>> dkulp@apache.org
>>> http://www.dankulp.com/blog
>>>       
>
>   


-- 

Christian Schneider
---
http://www.liquid-reality.de


Re: Authentication and authorization

Posted by Daniel Kulp <dk...@apache.org>.
On Fri February 20 2009 1:21:42 pm Slava Imeshev wrote:
> Daniel,
>
> I am pretty new to CXF. I'd be very grateful if you could point me
> in the right direction. Any examples/tutorials?

It's pretty simple actually.   In your Impl bean, add a field:


    @Resource
    private WebServiceContext context;
    
That will get the context injected.


Then in your method, do:

    context.getUserPrincipal()
or
    context.isUserInRole("blah");

As long as the user has authenticated (basic auth), then those methods should 
return the information that the app server returns from the 
HttpServletRequest.

Dan



>
> Regards,
>
> Slava Imeshev
>
> > -----Original Message-----
> > From: Daniel Kulp [mailto:dkulp@apache.org]
> > Sent: Friday, February 20, 2009 7:58 AM
> > To: users@cxf.apache.org
> > Cc: Slava Imeshev
> > Subject: Re: Authentication and authorization
> >
> >
> > The JAX-WS spec kind of covers this.
> >
> > If you inject WebServiceContext, from the context, you can
> > get the user
> > principal and call the isUserInRole call which would call
> > back into the tomcat
> > auth modules.   From that, you can act on it any way you please.
> >
> > Dan
> >
> > On Thu February 19 2009 5:58:12 pm Slava Imeshev wrote:
> > > Hi all,
> > >
> > > I have an interesting use case that I am not sure how to approach.
> > >
> > > Consider a service MyService on Tomcat, pseudocode:
> > >
> > > MyService {
> > >    Set<Entry> getEntries();
> > > }
> > >
> > > For that service, if the requester did not authenticate, the
> > > getEntries would return a limited list of entries, only those allowed
> > > for "public" access. If the requestor did authenticate, the service
> > > returns an extended set. How can this be done with CXF?
> > >
> > > Regards,
> > >
> > > Slava Imeshev
> >
> > --
> > Daniel Kulp
> > dkulp@apache.org
> > http://www.dankulp.com/blog

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog

RE: Authentication and authorization

Posted by Slava Imeshev <im...@yahoo.com>.
Daniel,

I am pretty new to CXF. I'd be very grateful if you could point me
in the right direction. Any examples/tutorials?

Regards,

Slava Imeshev


> -----Original Message-----
> From: Daniel Kulp [mailto:dkulp@apache.org] 
> Sent: Friday, February 20, 2009 7:58 AM
> To: users@cxf.apache.org
> Cc: Slava Imeshev
> Subject: Re: Authentication and authorization
> 
> 
> The JAX-WS spec kind of covers this.   
> 
> If you inject WebServiceContext, from the context, you can 
> get the user 
> principal and call the isUserInRole call which would call 
> back into the tomcat 
> auth modules.   From that, you can act on it any way you please.
> 
> Dan
> 
> 
> On Thu February 19 2009 5:58:12 pm Slava Imeshev wrote:
> > Hi all,
> >
> > I have an interesting use case that I am not sure how to approach.
> >
> > Consider a service MyService on Tomcat, pseudocode:
> >
> > MyService {
> >    Set<Entry> getEntries();
> > }
> >
> > For that service, if the requester did not authenticate, the
> > getEntries would return a limited list of entries, only those allowed
> > for "public" access. If the requestor did authenticate, the service
> > returns an extended set. How can this be done with CXF?
> >
> > Regards,
> >
> > Slava Imeshev
> 
> -- 
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog



Re: Authentication and authorization

Posted by Daniel Kulp <dk...@apache.org>.
The JAX-WS spec kind of covers this.   

If you inject WebServiceContext, from the context, you can get the user 
principal and call the isUserInRole call which would call back into the tomcat 
auth modules.   From that, you can act on it any way you please.

Dan


On Thu February 19 2009 5:58:12 pm Slava Imeshev wrote:
> Hi all,
>
> I have an interesting use case that I am not sure how to approach.
>
> Consider a service MyService on Tomcat, pseudocode:
>
> MyService {
>    Set<Entry> getEntries();
> }
>
> For that service, if the requester did not authenticate, the
> getEntries would return a limited list of entries, only those allowed
> for "public" access. If the requestor did authenticate, the service
> returns an extended set. How can this be done with CXF?
>
> Regards,
>
> Slava Imeshev

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog

RE: Authentication and authorization

Posted by Slava Imeshev <im...@yahoo.com>.
Thanks for the ThreadLocal tip. 

We are planning to use HTTP basic authentication. I am still getting
my head around CXF, so I have more questions:

1. At what point do I get the header? 

2. What about the case when the caller has not authenticated at all? AFAIU
authentication kicks in before the request hits the processing
servlet.

Regards,

Slava Imeshev


> -----Original Message-----
> From: derek.adams [mailto:derek_a_adams@yahoo.com] 
> Sent: Friday, February 20, 2009 10:27 AM
> To: users@cxf.apache.org
> Subject: RE: Authentication and authorization
> 
> 
> Which authentication method are you using? If you are using 
> WS-Security via
> the WSS4JInInterceptor, then you can set the authenticated 
> user in your
> password callback class. Generally, the easiest method is to 
> set a thread
> local variable (the method Spring security uses). If you are 
> using HTTP
> basic authentication, I am pretty sure you would be able to 
> get the username
> from the HTTP headers.
> 
> 
> Slava Imeshev wrote:
> > 
> > Hi Derek,
> > 
> > Thank you. How will webservice implementation know who is calling? And
> > how will it know that in one case user has not been authenticated?
> > 
> > Regards,
> > 
> > Slava Imeshev
> > 
> > P.S. There is no Spring in the picture
> > 
> > 
> 
> -- 
> View this message in context: http://www.nabble.com/Authentication-and-authorization-tp22111513p22125831.html
> Sent from the cxf-user mailing list archive at Nabble.com.
> 



Re: Authentication and authorization

Posted by "derek.adams" <de...@yahoo.com>.
Oops.. text formatting got screwed up. That annotation at the bottom should
be sitting before the method.
-- 
View this message in context: http://www.nabble.com/Authentication-and-authorization-tp22111513p22128360.html
Sent from the cxf-user mailing list archive at Nabble.com.


Re: Authentication and authorization

Posted by Derek Adams <de...@yahoo.com>.
I didn't know about the WebServiceContext object when I did my initial implementation, so I haven't tried it. I had decided to use Spring security for the auth provider, so I just plugged that in at the password callback level. A cool side-effect of this approach is that you can use Spring security annotations to protect web service calls at the method level like this:

@Secured( { AtlasRoles.ROLE_USER_MGMT_ADMIN })
public User updateUser(String username, User info) throws AtlasFault {
    ... Guarded impl code ...
}

and within the body of a method, you can make a call to the standard Spring security threadlocal to get the user roles and filter data accordingly. The way I am doing it is probably not too portable though, so I guess it just depends on what you need.



________________________________
From: Tedman Leung <te...@sfu.ca>
To: users@cxf.apache.org
Sent: Friday, February 20, 2009 2:37:22 PM
Subject: Re: Authentication and authorization

Just out of curiosity, if you're using a WSS4J interceptor, wouldn't it be 
easier to just call WebServiceContext.getUserPrincipal()? Or is that somehow 
unreliable?



On Fri, Feb 20, 2009 at 10:27:15AM -0800, derek.adams wrote:
> 
> Which authentication method are you using? If you are using WS-Security via
> the WSS4JInInterceptor, then you can set the authenticated user in your
> password callback class. Generally, the easiest method is to set a thread
> local variable (the method Spring security uses). If you are using HTTP
> basic authentication, I am pretty sure you would be able to get the username
> from the HTTP headers.
> 

-- 
                                                          Ted Leung
                                                          tedman@sfu.ca

It's time for a new bike when the bulb in your shift light burns out.




Re: Authentication and authorization

Posted by Tedman Leung <te...@sfu.ca>.
Just out of curiosity, if you're using a WSS4J interceptor, wouldn't it be 
easier to just call WebServiceContext.getUserPrincipal()? Or is that somehow 
unreliable?



On Fri, Feb 20, 2009 at 10:27:15AM -0800, derek.adams wrote:
> 
> Which authentication method are you using? If you are using WS-Security via
> the WSS4JInInterceptor, then you can set the authenticated user in your
> password callback class. Generally, the easiest method is to set a thread
> local variable (the method Spring security uses). If you are using HTTP
> basic authentication, I am pretty sure you would be able to get the username
> from the HTTP headers.
> 
> 
> Slava Imeshev wrote:
> > 
> > Hi Derek,
> > 
> > Thank you. How will the web service implementation know who is calling? And
> > how will it know that in one case the user has not been authenticated? 
> > 
> > Regards,
> > 
> > Slava Imeshev
> > 
> > P.S. There is no Spring in the picture
> > 
> > 
> 

-- 
                                                           Ted Leung
                                                           tedman@sfu.ca

It's time for a new bike when the bulb in your shift light burns out.
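The WebServiceContext route Ted asks about, as an added example that is not code from the thread: the MyService interface from the original question implemented so that getEntries() widens its result only when getUserPrincipal() is non-null. Entry, EntryRepository and the "service-user" role are assumptions.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

// Added example, not code from the thread. Entry, EntryRepository and the
// "service-user" role are assumptions; MyService is the interface from the question.
interface MyService {
    Set<Entry> getEntries();
}

class Entry {
    final String name;
    Entry(String name) { this.name = name; }
}

// Hypothetical data access layer that keeps public and restricted entries apart.
interface EntryRepository {
    Set<Entry> findPublic();
    Set<Entry> findRestrictedFor(String username);
}

@WebService
public class MyServiceImpl implements MyService {
    // Injected by the JAX-WS runtime (CXF here); exposes per-request data.
    @Resource
    private WebServiceContext context;
    private final EntryRepository repository;

    public MyServiceImpl(EntryRepository repository) {
        this.repository = repository;
    }

    public Set<Entry> getEntries() {
        // With no security-constraint in web.xml every request reaches this method;
        // only a request whose credentials were accepted has a non-null Principal.
        Principal caller = context.getUserPrincipal();
        Set<Entry> result = new HashSet<Entry>(repository.findPublic());
        if (caller == null) {
            return result;   // anonymous caller: public entries only
        }
        // Authentication is not authorization: gate the extended set on a role too.
        if (context.isUserInRole("service-user")) {
            result.addAll(repository.findRestrictedFor(caller.getName()));
        }
        return result;
    }
}
```

Because the class has no no-arg constructor, the endpoint has to be published with a pre-built instance (javax.xml.ws.Endpoint.publish or a Spring-configured implementor).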

RE: Authentication and authorization

Posted by "derek.adams" <de...@yahoo.com>.
Which authentication method are you using? If you are using WS-Security via
the WSS4JInInterceptor, then you can set the authenticated user in your
password callback class. Generally, the easiest method is to set a thread
local variable (the method Spring security uses). If you are using HTTP
basic authentication, I am pretty sure you would be able to get the username
from the HTTP headers.


Slava Imeshev wrote:
> 
> Hi Derek,
> 
> Thank you. How will the web service implementation know who is calling? And
> how will it know that in one case the user has not been authenticated? 
> 
> Regards,
> 
> Slava Imeshev
> 
> P.S. There is no Spring in the picture
> 
> 



RE: Authentication and authorization

Posted by Slava Imeshev <im...@yahoo.com>.
Hi Derek,

Thank you. How will the web service implementation know who is calling? And
how will it know that in one case the user has not been authenticated? 

Regards,

Slava Imeshev

P.S. There is no Spring in the picture

> -----Original Message-----
> From: derek.adams [mailto:derek_a_adams@yahoo.com] 
> Sent: Friday, February 20, 2009 6:43 AM
> To: users@cxf.apache.org
> Subject: Re: Authentication and authorization
> 
> 
> This would be handled by your backing authorization mechanism. For instance,
> if you are using Spring security as your authentication/authorization
> provider, you could get the role of the current principal and limit the
> results programmatically based on who made the web service call.
> 
> 
> Slava Imeshev wrote:
> > 
> > Hi all,
> > 
> > I have an interesting use case that I am not sure how to approach.
> > 
> > Consider a service MyService on Tomcat, pseudocode:
> > 
> > MyService {
> >    Set<Entry> getEntries();
> > }
> > 
> > For that service, if the requester did not authenticate, the
> > getEntries would return a limited list of entries, only those allowed
> > for "public" access. If the requestor did authenticate, the service
> > returns an extended set. How can this be done with CXF?
> > 
> > Regards,
> > 
> > Slava Imeshev
> > 
> > 
> > 
> > 
> 



Re: Authentication and authorization

Posted by "derek.adams" <de...@yahoo.com>.
This would be handled by your backing authorization mechanism. For instance,
if you are using Spring security as your authentication/authorization
provider, you could get the role of the current principal and limit the
results programmatically based on who made the web service call.


Slava Imeshev wrote:
> 
> Hi all,
> 
> I have an interesting use case that I am not sure how to approach.
> 
> Consider a service MyService on Tomcat, pseudocode:
> 
> MyService {
>    Set<Entry> getEntries();
> }
> 
> For that service, if the requester did not authenticate, the
> getEntries would return a limited list of entries, only those allowed
> for "public" access. If the requestor did authenticate, the service
> returns an extended set. How can this be done with CXF?
> 
> Regards,
> 
> Slava Imeshev
> 
> 
> 
> 
