Posted to users@cxf.apache.org by mattmadhavan <ma...@yahoo.com> on 2007/09/13 18:39:33 UTC

CXF+ACEGI

Hello,
Can someone point me to some docs on the CXF and ACEGI integration or CXF
and security like authentication and authorization. Some sample app will
even be great.

I found some blogs on the CXF+ACEGI, but it is Java centric. On the client
side we need to set which class handles the security on the Server side!
But if I am using some other language for clients like C# it doesn't seem
to be the proper way!

Any ideas will be greatly appreciated.

Thanks
Matt


RE: CXF+ACEGI

Posted by Aurelije Zovko <au...@gmail.com>.
I will be very interested too, especially for some very good example
implementation.

 

Regards,

Aurelije

 

From: Kaleb Walton [mailto:kdwalton@us.ibm.com] 
Sent: Friday, October 05, 2007 12:41 PM
To: cxf-user@incubator.apache.org
Subject: Re: CXF+ACEGI

 

I'm yet another person very interested in securing my services using Acegi
as we will be using it as our primary method of authentication over all of
our service transport mechanisms (RMI, HTTP, etc.).

If someone has a soup-to-nuts example implementation that would be great to
see!

Regards,
Kaleb





From: "Ray Krueger" <ra...@gmail.com>
To: cxf-user@incubator.apache.org
Date: 09/21/2007 04:51 PM
Subject: Re: CXF+ACEGI




Yeah, that looks great. If you want to do authentication at the
ws-security layer I'd do it in the fashion described there and by
dkulp a few posts back...

On 9/21/07, mattmadhavan <ma...@yahoo.com> wrote:
>
> Sorry everybody! I was out for couple of days and I had forgotten to add the
> link!
>
>
> http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html
>
> Thanks
> Matt
>
>
>
> Willem2 wrote:
> >
> > Hi Matt
> >
> > I did not see any url in your mail below :(.
> > Could you send them again ?
> >
> > Willem.
> > mattmadhavan wrote:
> >> Hello All,
> >> Please refer to this blog. Seems to be one of the most popular blog.
> >> Please
> >> look at the client code! (Test case).
> >>
> >> Any ideas? If some one has a complete ACEGI security solution and posts
> >> it
> >> it will be Awesome! Ray do you mind posting a complete sample. It will be
> >> greatly beneficial to everybody.
> >>
> >> Matt
> >>
> >>
> >> dkulp wrote:
> >>
> >>> Ray,
> >>>
> >>> On Monday 17 September 2007, Ray Krueger wrote:
> >>>
> >>>> The authorization and authentication concerns are addressed at the
> >>>> protocol layer first, and can then be extended into lower levels of
> >>>> the application via AOP and such. So, if you're interested in securing
> >>>> your application at that level, then CXF doesn't even really enter
> >>>> into the discussion. Meaning that you're going to put the Acegi filter
> >>>> out there, and configure it to protect whatever URLs your CXF services
> >>>> are published on. Acegi wouldn't know anything about CXF in that case.
> >>>>
> >>> This currently works fine if you use the CXFServlet approach and deploy
> >>> your application as a war into some sort of Servlet container.
> >>>
> >>> However, if you do a J2SE standalone mode application, this is quite
> >>> hard
> >>> to do right now and is something we should make a bit easier.
> >>> Currently, you would need to grab the raw Jetty listeners, use the Jetty
> >>> API's to add the filters, etc....   (Note: this also applies if you want
> >>> to secure your decoupled destination for a ws-rm/ws-a interaction)
> >>>
> >>> We probably should allow filters to be added via the spring
> >>> configuration
> >>> for the destination.   That would simplify things quite a bit.
> >>>
> >>>
> >>>> From there you can decide in your endpoints how you consider the
> >>>> 'Principal'. You could retrieve it from Acegi without it being part of
> >>>> WS-Security and keep it loose that way. Or you could find some means
> >>>> of integrating Acegi into a WS-Security provider for CXF somehow.
> >>>>
> >>> This was the interceptor I mentioned before.   An interceptor after the
> >>> WS-Sec interceptors would have access to the stuff decoded from the
> >>> message.   The interceptor could create the principal object and pass
> >>> that into Acegi.
> >>>
> >>> Dan
> >>>
> >>>
> >>>
> >>>> The application I am building will support both plain xml over http
> >>>> and soap over http. So in that case it makes sense for me to place
> >>>> security at the http layer, and avoid relying on something like
> >>>> WS-Security.
> >>>>
> >>>> On 9/17/07, Daniel Kulp <dk...@apache.org> wrote:
> >>>>
> >>>>> Interesting you should ask this.....    I first heard about ACEGI
> >>>>> last week in a different conversation and have just started to look
> >>>>> into it a bit.   I'd LOVE to have your input into this as to what
> >>>>> you think is needed or what you would consider good integration.
> >>>>>
> >>>>> Here are my thoughts so far:   (keep in mind, I had never heard of
> >>>>> ACEGI till last week so I could be completely off base)
> >>>>>
> >>>>> 1) If you deploy your app as a war using the spring webapp stuff and
> >>>>> setting up to use aop for your service, it should just work.  The
> >>>>> acegi filter should grab the basic-auth stuff, setup the security
> >>>>> context stuff it needs, and when we call invoke on the service, the
> >>>>> acegi stuff should grant/deny it.
> >>>>>
> >>>>> 2) Longer term, we could write an interceptor that grabs the
> >>>>> AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message
> >>>>> and fills in the acegi contexts with the details.    That really
> >>>>> wouldn't be a huge amount of work to do.
> >>>>>
> >>>>>
> >>>>> Dan
> >>>>>
> >>>>> On Thursday 13 September 2007, mattmadhavan wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>> Can some one point me to some docs on the CXF and ACEGI
> >>>>>> integration or CXF and security like authentication and
> >>>>>> authorization. Some sample app will even be great.
> >>>>>>
> >>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On
> >>>>>> the client side we need to set the which class handles the
> >>>>>> security on the Server side! But if I am using some other language
> >>>>>> for clients like C# it does n't seem to be the proper way!
> >>>>>>
> >>>>>> Any ideas will be greatly appreciated.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Matt
> >>>>>>
> >>>>> --
> >>>>> J. Daniel Kulp
> >>>>> Principal Engineer
> >>>>> IONA
> >>>>> P: 781-902-8727    C: 508-380-7194
> >>>>> daniel.kulp@iona.com
> >>>>> http://www.dankulp.com/blog
> >>>>>
> >>>
> >>> --
> >>> J. Daniel Kulp
> >>> Principal Engineer
> >>> IONA
> >>> P: 781-902-8727    C: 508-380-7194
> >>> daniel.kulp@iona.com
> >>> http://www.dankulp.com/blog
> >>>
> >>>
> >>>
> >>
> >>
> >
> >
>
> --
> View this message in context: http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12828547
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>


Re: CXF+ACEGI

Posted by Kaleb Walton <kd...@us.ibm.com>.
I'm yet another person very interested in securing my services using Acegi
as we will be using it as our primary method of authentication over all of
our service transport mechanisms (RMI, HTTP, etc.).

If someone has a soup-to-nuts example implementation that would be great to
see!

Regards,
Kaleb



                                                                                                                                                  
From: "Ray Krueger" <ra...@gmail.com>
To: cxf-user@incubator.apache.org
Date: 09/21/2007 04:51 PM
Subject: Re: CXF+ACEGI





Yeah, that looks great. If you want to do authentication at the
ws-security layer I'd do it in the fashion described there and by
dkulp a few posts back...

On 9/21/07, mattmadhavan <ma...@yahoo.com> wrote:
>
> Sorry everybody! I was out for couple of days and I had forgotten to add the
> link!
>
>
> http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html
>
> Thanks
> Matt
>
>
>
> Willem2 wrote:
> >
> > Hi Matt
> >
> > I did not see any url in your mail below :(.
> > Could you send them again ?
> >
> > Willem.
> > mattmadhavan wrote:
> >> Hello All,
> >> Please refer to this blog. Seems to be one of the most popular blog.
> >> Please
> >> look at the client code! (Test case).
> >>
> >> Any ideas? If some one has a complete ACEGI security solution and posts
> >> it
> >> it will be Awesome! Ray do you mind posting a complete sample. It will be
> >> greatly beneficial to everybody.
> >>
> >> Matt
> >>
> >>
> >> dkulp wrote:
> >>
> >>> Ray,
> >>>
> >>> On Monday 17 September 2007, Ray Krueger wrote:
> >>>
> >>>> The authorization and authentication concerns are addressed at the
> >>>> protocol layer first, and can then be extended into lower levels of
> >>>> the application via AOP and such. So, if you're interested in securing
> >>>> your application at that level, then CXF doesn't even really enter
> >>>> into the discussion. Meaning that you're going to put the Acegi filter
> >>>> out there, and configure it to protect whatever URLs your CXF services
> >>>> are published on. Acegi wouldn't know anything about CXF in that case.
> >>>>
> >>> This currently works fine if you use the CXFServlet approach and deploy
> >>> your application as a war into some sort of Servlet container.
> >>>
> >>> However, if you do a J2SE standalone mode application, this is quite
> >>> hard
> >>> to do right now and is something we should make a bit easier.
> >>> Currently, you would need to grab the raw Jetty listeners, use the Jetty
> >>> API's to add the filters, etc....   (Note: this also applies if you want
> >>> to secure your decoupled destination for a ws-rm/ws-a interaction)
> >>>
> >>> We probably should allow filters to be added via the spring
> >>> configuration
> >>> for the destination.   That would simplify things quite a bit.
> >>>
> >>>
> >>>> From there you can decide in your endpoints how you consider the
> >>>> 'Principal'. You could retrieve it from Acegi without it being part of
> >>>> WS-Security and keep it loose that way. Or you could find some means
> >>>> of integrating Acegi into a WS-Security provider for CXF somehow.
> >>>>
> >>> This was the interceptor I mentioned before.   An interceptor after the
> >>> WS-Sec interceptors would have access to the stuff decoded from the
> >>> message.   The interceptor could create the principal object and pass
> >>> that into Acegi.
> >>>
> >>> Dan
> >>>
> >>>
> >>>
> >>>> The application I am building will support both plain xml over http
> >>>> and soap over http. So in that case it makes sense for me to place
> >>>> security at the http layer, and avoid relying on something like
> >>>> WS-Security.
> >>>>
> >>>> On 9/17/07, Daniel Kulp <dk...@apache.org> wrote:
> >>>>
> >>>>> Interesting you should ask this.....    I first heard about ACEGI
> >>>>> last week in a different conversation and have just started to look
> >>>>> into it a bit.   I'd LOVE to have your input into this as to what
> >>>>> you think is needed or what you would consider good integration.
> >>>>>
> >>>>> Here are my thoughts so far:   (keep in mind, I had never heard of
> >>>>> ACEGI till last week so I could be completely off base)
> >>>>>
> >>>>> 1) If you deploy your app as a war using the spring webapp stuff and
> >>>>> setting up to use aop for your service, it should just work.  The
> >>>>> acegi filter should grab the basic-auth stuff, setup the security
> >>>>> context stuff it needs, and when we call invoke on the service, the
> >>>>> acegi stuff should grant/deny it.
> >>>>>
> >>>>> 2) Longer term, we could write an interceptor that grabs the
> >>>>> AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message
> >>>>> and fills in the acegi contexts with the details.    That really
> >>>>> wouldn't be a huge amount of work to do.
> >>>>>
> >>>>>
> >>>>> Dan
> >>>>>
> >>>>> On Thursday 13 September 2007, mattmadhavan wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>> Can some one point me to some docs on the CXF and ACEGI
> >>>>>> integration or CXF and security like authentication and
> >>>>>> authorization. Some sample app will even be great.
> >>>>>>
> >>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On
> >>>>>> the client side we need to set the which class handles the
> >>>>>> security on the Server side! But if I am using some other language
> >>>>>> for clients like C# it does n't seem to be the proper way!
> >>>>>>
> >>>>>> Any ideas will be greatly appreciated.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Matt
> >>>>>>
> >>>>> --
> >>>>> J. Daniel Kulp
> >>>>> Principal Engineer
> >>>>> IONA
> >>>>> P: 781-902-8727    C: 508-380-7194
> >>>>> daniel.kulp@iona.com
> >>>>> http://www.dankulp.com/blog
> >>>>>
> >>>
> >>> --
> >>> J. Daniel Kulp
> >>> Principal Engineer
> >>> IONA
> >>> P: 781-902-8727    C: 508-380-7194
> >>> daniel.kulp@iona.com
> >>> http://www.dankulp.com/blog
> >>>
> >>>
> >>>
> >>
> >>
> >
> >
>
> --
> View this message in context: http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12828547
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>

Re: CXF+ACEGI

Posted by Ray Krueger <ra...@gmail.com>.
Yeah, that looks great. If you want to do authentication at the
ws-security layer I'd do it in the fashion described there and by
dkulp a few posts back...

On 9/21/07, mattmadhavan <ma...@yahoo.com> wrote:
>
> Sorry everybody! I was out for couple of days and I had forgotten to add the
> link!
>
> http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html
>
> Thanks
> Matt
>
>
>
> Willem2 wrote:
> >
> > Hi Matt
> >
> > I did not see any url in your mail below :(.
> > Could you send them again ?
> >
> > Willem.
> > mattmadhavan wrote:
> >> Hello All,
> >> Please refer to this blog. Seems to be one of the most popular blog.
> >> Please
> >> look at the client code! (Test case).
> >>
> >> Any ideas? If some one has a complete ACEGI security solution and posts
> >> it
> >> it will be Awesome! Ray do you mind posting a complete sample. It will be
> >> greatly beneficial to everybody.
> >>
> >> Matt
> >>
> >>
> >> dkulp wrote:
> >>
> >>> Ray,
> >>>
> >>> On Monday 17 September 2007, Ray Krueger wrote:
> >>>
> >>>> The authorization and authentication concerns are addressed at the
> >>>> protocol layer first, and can then be extended into lower levels of
> >>>> the application via AOP and such. So, if you're interested in securing
> >>>> your application at that level, then CXF doesn't even really enter
> >>>> into the discussion. Meaning that you're going to put the Acegi filter
> >>>> out there, and configure it to protect whatever URLs your CXF services
> >>>> are published on. Acegi wouldn't know anything about CXF in that case.
> >>>>
> >>> This currently works fine if you use the CXFServlet approach and deploy
> >>> your application as a war into some sort of Servlet container.
> >>>
> >>> However, if you do a J2SE standalone mode application, this is quite
> >>> hard
> >>> to do right now and is something we should make a bit easier.
> >>> Currently, you would need to grab the raw Jetty listeners, use the Jetty
> >>> API's to add the filters, etc....   (Note: this also applies if you want
> >>> to secure your decoupled destination for a ws-rm/ws-a interaction)
> >>>
> >>> We probably should allow filters to be added via the spring
> >>> configuration
> >>> for the destination.   That would simplify things quite a bit.
> >>>
> >>>
> >>>> From there you can decide in your endpoints how you consider the
> >>>> 'Principal'. You could retrieve it from Acegi without it being part of
> >>>> WS-Security and keep it loose that way. Or you could find some means
> >>>> of integrating Acegi into a WS-Security provider for CXF somehow.
> >>>>
> >>> This was the interceptor I mentioned before.   An interceptor after the
> >>> WS-Sec interceptors would have access to the stuff decoded from the
> >>> message.   The interceptor could create the principal object and pass
> >>> that into Acegi.
> >>>
> >>> Dan
> >>>
> >>>
> >>>
> >>>> The application I am building will support both plain xml over http
> >>>> and soap over http. So in that case it makes sense for me to place
> >>>> security at the http layer, and avoid relying on something like
> >>>> WS-Security.
> >>>>
> >>>> On 9/17/07, Daniel Kulp <dk...@apache.org> wrote:
> >>>>
> >>>>> Interesting you should ask this.....    I first heard about ACEGI
> >>>>> last week in a different conversation and have just started to look
> >>>>> into it a bit.   I'd LOVE to have your input into this as to what
> >>>>> you think is needed or what you would consider good integration.
> >>>>>
> >>>>> Here are my thoughts so far:   (keep in mind, I had never heard of
> >>>>> ACEGI till last week so I could be completely off base)
> >>>>>
> >>>>> 1) If you deploy your app as a war using the spring webapp stuff and
> >>>>> setting up to use aop for your service, it should just work.  The
> >>>>> acegi filter should grab the basic-auth stuff, setup the security
> >>>>> context stuff it needs, and when we call invoke on the service, the
> >>>>> acegi stuff should grant/deny it.
> >>>>>
> >>>>> 2) Longer term, we could write an interceptor that grabs the
> >>>>> AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message
> >>>>> and fills in the acegi contexts with the details.    That really
> >>>>> wouldn't be a huge amount of work to do.
> >>>>>
> >>>>>
> >>>>> Dan
> >>>>>
> >>>>> On Thursday 13 September 2007, mattmadhavan wrote:
> >>>>>
> >>>>>> Hello,
> >>>>>> Can some one point me to some docs on the CXF and ACEGI
> >>>>>> integration or CXF and security like authentication and
> >>>>>> authorization. Some sample app will even be great.
> >>>>>>
> >>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On
> >>>>>> the client side we need to set the which class handles the
> >>>>>> security on the Server side! But if I am using some other language
> >>>>>> for clients like C# it does n't seem to be the proper way!
> >>>>>>
> >>>>>> Any ideas will be greatly appreciated.
> >>>>>>
> >>>>>> Thanks
> >>>>>> Matt
> >>>>>>
> >>>>> --
> >>>>> J. Daniel Kulp
> >>>>> Principal Engineer
> >>>>> IONA
> >>>>> P: 781-902-8727    C: 508-380-7194
> >>>>> daniel.kulp@iona.com
> >>>>> http://www.dankulp.com/blog
> >>>>>
> >>>
> >>> --
> >>> J. Daniel Kulp
> >>> Principal Engineer
> >>> IONA
> >>> P: 781-902-8727    C: 508-380-7194
> >>> daniel.kulp@iona.com
> >>> http://www.dankulp.com/blog
> >>>
> >>>
> >>>
> >>
> >>
> >
> >
>
> --
> View this message in context: http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12828547
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>
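
The interceptor approach dkulp describes in the quoted text above (an interceptor after the WS-Sec interceptors that hands the caller's identity to Acegi), as an added example that is not code from this thread or from the CXF or Acegi projects. The class name is hypothetical; it assumes HTTP Basic credentials that CXF exposes as an AuthorizationPolicy on the message, a CXF version whose AbstractPhaseInterceptor takes the phase name in its constructor, and an Acegi AuthenticationManager injected from the Spring context.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Hypothetical inbound interceptor (the name is an assumption, not a CXF or
 * Acegi class). It authenticates the HTTP Basic credentials CXF parsed from
 * the request and publishes the result in Acegi's SecurityContextHolder, so
 * that Acegi's method-level (AOP) checks on the service bean can grant or
 * deny the call. Use it in place of the Acegi servlet filter, not together
 * with it, because it resets the context at the start of every request.
 */
public class AcegiAuthenticationInterceptor extends AbstractPhaseInterceptor<Message> {

    private final AuthenticationManager authenticationManager;

    public AcegiAuthenticationInterceptor(AuthenticationManager authenticationManager) {
        // PRE_INVOKE runs after the protocol-level (WS-Security) interceptors
        // and before the service method is invoked.
        super(Phase.PRE_INVOKE);
        this.authenticationManager = authenticationManager;
    }

    public void handleMessage(Message message) throws Fault {
        // Worker threads are pooled: drop any identity left by an earlier request
        // so a call without credentials can never inherit someone else's context.
        SecurityContextHolder.clearContext();

        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null) {
            // Fail closed: no credentials means the service is never reached.
            throw new Fault(new SecurityException("Authentication required"));
        }

        try {
            Authentication request = new UsernamePasswordAuthenticationToken(
                    policy.getUserName(), policy.getPassword());
            // The AuthenticationManager checks the credentials and returns a
            // populated token (with granted authorities) or throws.
            Authentication result = authenticationManager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            // Same message for unknown user and bad password; no credentials in the fault.
            throw new Fault(new SecurityException("Authentication failed"));
        }
    }

    public void handleFault(Message message) {
        // Called when a later interceptor or the service faults: leave no identity behind.
        SecurityContextHolder.clearContext();
    }
}
```

Because the credentials arrive as a standard HTTP Basic header, the client can be written in any language, which is the concern raised in the original question.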

Re: CXF+ACEGI

Posted by mattmadhavan <ma...@yahoo.com>.
Sorry everybody! I was out for a couple of days and I had forgotten to add the
link!

http://www.vorburger.ch/blog1/2006/10/propagating-acegis-security-context-in.html

Thanks
Matt



Willem2 wrote:
> 
> Hi Matt
> 
> I did not see any url in your mail below :(.
> Could you send them again ?
> 
> Willem.
> mattmadhavan wrote:
>> Hello All,
>> Please refer to this blog. Seems to be one of the most popular blog.
>> Please
>> look at the client code! (Test case).
>>
>> Any ideas? If some one has a complete ACEGI security solution and posts
>> it
>> it will be Awesome! Ray do you mind posting a complete sample. It will be
>> greatly beneficial to everybody.
>>
>> Matt
>>
>>
>> dkulp wrote:
>>   
>>> Ray,
>>>
>>> On Monday 17 September 2007, Ray Krueger wrote:
>>>     
>>>> The authorization and authentication concerns are addressed at the
>>>> protocol layer first, and can then be extended into lower levels of
>>>> the application via AOP and such. So, if you're interested in securing
>>>> your application at that level, then CXF doesn't even really enter
>>>> into the discussion. Meaning that you're going to put the Acegi filter
>>>> out there, and configure it to protect whatever URLs your CXF services
>>>> are published on. Acegi wouldn't know anything about CXF in that case.
>>>>       
>>> This currently works fine if you use the CXFServlet approach and deploy 
>>> your application as a war into some sort of Servlet container. 
>>>
>>> However, if you do a J2SE standalone mode application, this is quite
>>> hard 
>>> to do right now and is something we should make a bit easier.   
>>> Currently, you would need to grab the raw Jetty listeners, use the Jetty 
>>> API's to add the filters, etc....   (Note: this also applies if you want 
>>> to secure your decoupled destination for a ws-rm/ws-a interaction)   
>>>
>>> We probably should allow filters to be added via the spring
>>> configuration 
>>> for the destination.   That would simplify things quite a bit.
>>>
>>>     
>>>> From there you can decide in your endpoints how you consider the
>>>> 'Principal'. You could retrieve it from Acegi without it being part of
>>>> WS-Security and keep it loose that way. Or you could find some means
>>>> of integrating Acegi into a WS-Security provider for CXF somehow.
>>>>       
>>> This was the interceptor I mentioned before.   An interceptor after the 
>>> WS-Sec interceptors would have access to the stuff decoded from the 
>>> message.   The interceptor could create the principal object and pass 
>>> that into Acegi.
>>>
>>> Dan
>>>
>>>
>>>     
>>>> The application I am building will support both plain xml over http
>>>> and soap over http. So in that case it makes sense for me to place
>>>> security at the http layer, and avoid relying on something like
>>>> WS-Security.
>>>>
>>>> On 9/17/07, Daniel Kulp <dk...@apache.org> wrote:
>>>>       
>>>>> Interesting you should ask this.....    I first heard about ACEGI
>>>>> last week in a different conversation and have just started to look
>>>>> into it a bit.   I'd LOVE to have your input into this as to what
>>>>> you think is needed or what you would consider good integration.
>>>>>
>>>>> Here are my thoughts so far:   (keep in mind, I had never heard of
>>>>> ACEGI till last week so I could be completely off base)
>>>>>
>>>>> 1) If you deploy your app as a war using the spring webapp stuff and
>>>>> setting up to use aop for your service, it should just work.  The
>>>>> acegi filter should grab the basic-auth stuff, setup the security
>>>>> context stuff it needs, and when we call invoke on the service, the
>>>>> acegi stuff should grant/deny it.
>>>>>
>>>>> 2) Longer term, we could write an interceptor that grabs the
>>>>> AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message
>>>>> and fills in the acegi contexts with the details.    That really
>>>>> wouldn't be a huge amount of work to do.
>>>>>
>>>>>
>>>>> Dan
>>>>>
>>>>> On Thursday 13 September 2007, mattmadhavan wrote:
>>>>>         
>>>>>> Hello,
>>>>>> Can some one point me to some docs on the CXF and ACEGI
>>>>>> integration or CXF and security like authentication and
>>>>>> authorization. Some sample app will even be great.
>>>>>>
>>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On
>>>>>> the client side we need to set the which class handles the
>>>>>> security on the Server side! But if I am using some other language
>>>>>> for clients like C# it does n't seem to be the proper way!
>>>>>>
>>>>>> Any ideas will be greatly appreciated.
>>>>>>
>>>>>> Thanks
>>>>>> Matt
>>>>>>           
>>>>> --
>>>>> J. Daniel Kulp
>>>>> Principal Engineer
>>>>> IONA
>>>>> P: 781-902-8727    C: 508-380-7194
>>>>> daniel.kulp@iona.com
>>>>> http://www.dankulp.com/blog
>>>>>         
>>>
>>> -- 
>>> J. Daniel Kulp
>>> Principal Engineer
>>> IONA
>>> P: 781-902-8727    C: 508-380-7194
>>> daniel.kulp@iona.com
>>> http://www.dankulp.com/blog
>>>
>>>
>>>     
>>
>>   
> 
> 



Re: CXF+ACEGI

Posted by Willem Jiang <ni...@iona.com>.
Hi Matt

I did not see any url in your mail below :(.
Could you send them again?

Willem.
mattmadhavan wrote:
> Hello All,
> Please refer to this blog. Seems to be one of the most popular blog. Please
> look at the client code! (Test case).
>
> Any ideas? If some one has a complete ACEGI security solution and posts it
> it will be Awesome! Ray do you mind posting a complete sample. It will be
> greatly beneficial to everybody.
>
> Matt
>
>
> dkulp wrote:
>   
>> Ray,
>>
>> On Monday 17 September 2007, Ray Krueger wrote:
>>     
>>> The authorization and authentication concerns are addressed at the
>>> protocol layer first, and can then be extended into lower levels of
>>> the application via AOP and such. So, if you're interested in securing
>>> your application at that level, then CXF doesn't even really enter
>>> into the discussion. Meaning that you're going to put the Acegi filter
>>> out there, and configure it to protect whatever URLs your CXF services
>>> are published on. Acegi wouldn't know anything about CXF in that case.
>>>       
>> This currently works fine if you use the CXFServlet approach and deploy 
>> your application as a war into some sort of Servlet container. 
>>
>> However, if you do a J2SE standalone mode application, this is quite hard 
>> to do right now and is something we should make a bit easier.   
>> Currently, you would need to grab the raw Jetty listeners, use the Jetty 
>> API's to add the filters, etc....   (Note: this also applies if you want 
>> to secure your decoupled destination for a ws-rm/ws-a interaction)   
>>
>> We probably should allow filters to be added via the spring configuration 
>> for the destination.   That would simplify things quite a bit.
>>
>>     
>>> From there you can decide in your endpoints how you consider the
>>> 'Principal'. You could retrieve it from Acegi without it being part of
>>> WS-Security and keep it loose that way. Or you could find some means
>>> of integrating Acegi into a WS-Security provider for CXF somehow.
>>>       
>> This was the interceptor I mentioned before.   An interceptor after the 
>> WS-Sec interceptors would have access to the stuff decoded from the 
>> message.   The interceptor could create the principal object and pass 
>> that into Acegi.
>>
>> Dan
>>
>>
>>     
>>> The application I am building will support both plain xml over http
>>> and soap over http. So in that case it makes sense for me to place
>>> security at the http layer, and avoid relying on something like
>>> WS-Security.
>>>
>>> On 9/17/07, Daniel Kulp <dk...@apache.org> wrote:
>>>       
>>>> Interesting you should ask this.....    I first heard about ACEGI
>>>> last week in a different conversation and have just started to look
>>>> into it a bit.   I'd LOVE to have your input into this as to what
>>>> you think is needed or what you would consider good integration.
>>>>
>>>> Here are my thoughts so far:   (keep in mind, I had never heard of
>>>> ACEGI till last week so I could be completely off base)
>>>>
>>>> 1) If you deploy your app as a war using the spring webapp stuff and
>>>> setting up to use aop for your service, it should just work.  The
>>>> acegi filter should grab the basic-auth stuff, setup the security
>>>> context stuff it needs, and when we call invoke on the service, the
>>>> acegi stuff should grant/deny it.
>>>>
>>>> 2) Longer term, we could write an interceptor that grabs the
>>>> AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message
>>>> and fills in the acegi contexts with the details.    That really
>>>> wouldn't be a huge amount of work to do.
>>>>
>>>>
>>>> Dan
>>>>
>>>> On Thursday 13 September 2007, mattmadhavan wrote:
>>>>         
>>>>> Hello,
>>>>> Can some one point me to some docs on the CXF and ACEGI
>>>>> integration or CXF and security like authentication and
>>>>> authorization. Some sample app will even be great.
>>>>>
>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On
>>>>> the client side we need to set the which class handles the
>>>>> security on the Server side! But if I am using some other language
>>>>> for clients like C# it does n't seem to be the proper way!
>>>>>
>>>>> Any ideas will be greatly appreciated.
>>>>>
>>>>> Thanks
>>>>> Matt
>>>>>           
>>>> --
>>>> J. Daniel Kulp
>>>> Principal Engineer
>>>> IONA
>>>> P: 781-902-8727    C: 508-380-7194
>>>> daniel.kulp@iona.com
>>>> http://www.dankulp.com/blog
>>>>         
>>
>> -- 
>> J. Daniel Kulp
>> Principal Engineer
>> IONA
>> P: 781-902-8727    C: 508-380-7194
>> daniel.kulp@iona.com
>> http://www.dankulp.com/blog
>>
>>
>>     
>
>   

Re: CXF+ACEGI

Posted by mattmadhavan <ma...@yahoo.com>.
Hello All,
Please refer to this blog. Seems to be one of the most popular blogs. Please
look at the client code! (Test case).

Any ideas? If someone has a complete ACEGI security solution and posts it
it will be Awesome! Ray do you mind posting a complete sample. It will be
greatly beneficial to everybody.

Matt


dkulp wrote:
> 
> Ray,
> 
> On Monday 17 September 2007, Ray Krueger wrote:
>> The authorization and authentication concerns are addressed at the
>> protocol layer first, and can then be extended into lower levels of
>> the application via AOP and such. So, if you're interested in securing
>> your application at that level, then CXF doesn't even really enter
>> into the discussion. Meaning that you're going to put the Acegi filter
>> out there, and configure it to protect whatever URLs your CXF services
>> are published on. Acegi wouldn't know anything about CXF in that case.
> 
> This currently works fine if you use the CXFServlet approach and deploy 
> your application as a war into some sort of Servlet container. 
> 
> However, if you do a J2SE standalone mode application, this is quite hard 
> to do right now and is something we should make a bit easier.   
> Currently, you would need to grab the raw Jetty listeners, use the Jetty 
> API's to add the filters, etc....   (Note: this also applies if you want 
> to secure your decoupled destination for a ws-rm/ws-a interaction)   
> 
> We probably should allow filters to be added via the spring configuration 
> for the destination.   That would simplify things quite a bit.
> 
>> From there you can decide in your endpoints how you consider the
>> 'Principal'. You could retrieve it from Acegi without it being part of
>> WS-Security and keep it loose that way. Or you could find some means
>> of integrating Acegi into a WS-Security provider for CXF somehow.
> 
> This was the interceptor I mentioned before.   An interceptor after the 
> WS-Sec interceptors would have access to the stuff decoded from the 
> message.   The interceptor could create the principal object and pass 
> that into Acegi.
> 
> Dan
> 
> 
>> The application I am building will support both plain xml over http
>> and soap over http. So in that case it makes sense for me to place
>> security at the http layer, and avoid relying on something like
>> WS-Security.
>>
>> On 9/17/07, Daniel Kulp <dk...@apache.org> wrote:
>> > Interesting you should ask this.....    I first heard about ACEGI
>> > last week in a different conversation and have just started to look
>> > into it a bit.   I'd LOVE to have your input into this as to what
>> > you think is needed or what you would consider good integration.
>> >
>> > Here are my thoughts so far:   (keep in mind, I had never heard of
>> > ACEGI till last week so I could be completely off base)
>> >
>> > 1) If you deploy your app as a war using the spring webapp stuff and
>> > setting up to use aop for your service, it should just work.  The
>> > acegi filter should grab the basic-auth stuff, setup the security
>> > context stuff it needs, and when we call invoke on the service, the
>> > acegi stuff should grant/deny it.
>> >
>> > 2) Longer term, we could write an interceptor that grabs the
>> > AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message
>> > and fills in the acegi contexts with the details.    That really
>> > wouldn't be a huge amount of work to do.
>> >
>> >
>> > Dan
>> >
>> > On Thursday 13 September 2007, mattmadhavan wrote:
>> > > Hello,
>> > > Can some one point me to some docs on the CXF and ACEGI
>> > > integration or CXF and security like authentication and
>> > > authorization. Some sample app will even be great.
>> > >
>> > > I found some blogs on the CXF+ACEGI, but it is Java centric. On
>> > > the client side we need to set the which class handles the
>> > > security on the Server side! But if I am using some other language
>> > > for clients like C# it does n't seem to be the proper way!
>> > >
>> > > Any ideas will be greatly appreciated.
>> > >
>> > > Thanks
>> > > Matt
>> >
>> > --
>> > J. Daniel Kulp
>> > Principal Engineer
>> > IONA
>> > P: 781-902-8727    C: 508-380-7194
>> > daniel.kulp@iona.com
>> > http://www.dankulp.com/blog
> 
> 
> 
> -- 
> J. Daniel Kulp
> Principal Engineer
> IONA
> P: 781-902-8727    C: 508-380-7194
> daniel.kulp@iona.com
> http://www.dankulp.com/blog
> 
> 



Re: CXF+ACEGI

Posted by Daniel Kulp <dk...@apache.org>.
Ray,

On Monday 17 September 2007, Ray Krueger wrote:
> The authorization and authentication concerns are addressed at the
> protocol layer first, and can then be extended into lower levels of
> the application via AOP and such. So, if you're interested in securing
> your application at that level, then CXF doesn't even really enter
> into the discussion. Meaning that you're going to put the Acegi filter
> out there, and configure it to protect whatever URLs your CXF services
> are published on. Acegi wouldn't know anything about CXF in that case.

This currently works fine if you use the CXFServlet approach and deploy 
your application as a war into some sort of Servlet container. 

However, if you do a J2SE standalone mode application, this is quite hard
to do right now and is something we should make a bit easier.
Currently, you would need to grab the raw Jetty listeners, use the Jetty
APIs to add the filters, etc. (Note: this also applies if you want
to secure your decoupled destination for a ws-rm/ws-a interaction.)

We probably should allow filters to be added via the spring configuration 
for the destination.   That would simplify things quite a bit.

> From there you can decide in your endpoints how you consider the
> 'Principal'. You could retrieve it from Acegi without it being part of
> WS-Security and keep it loose that way. Or you could find some means
> of integrating Acegi into a WS-Security provider for CXF somehow.

This was the interceptor I mentioned before.   An interceptor after the 
WS-Sec interceptors would have access to the stuff decoded from the 
message.   The interceptor could create the principal object and pass 
that into Acegi.

Dan


> The application I am building will support both plain xml over http
> and soap over http. So in that case it makes sense for me to place
> security at the http layer, and avoid relying on something like
> WS-Security.
>
> On 9/17/07, Daniel Kulp <dk...@apache.org> wrote:
> > Interesting you should ask this.....    I first heard about ACEGI
> > last week in a different conversation and have just started to look
> > into it a bit.   I'd LOVE to have your input into this as to what
> > you think is needed or what you would consider good integration.
> >
> > Here are my thoughts so far:   (keep in mind, I had never heard of
> > ACEGI till last week so I could be completely off base)
> >
> > 1) If you deploy your app as a war using the spring webapp stuff and
> > setting up to use aop for your service, it should just work.  The
> > acegi filter should grab the basic-auth stuff, setup the security
> > context stuff it needs, and when we call invoke on the service, the
> > acegi stuff should grant/deny it.
> >
> > 2) Longer term, we could write an interceptor that grabs the
> > AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message
> > and fills in the acegi contexts with the details.    That really
> > wouldn't be a huge amount of work to do.
> >
> >
> > Dan
> >
> > On Thursday 13 September 2007, mattmadhavan wrote:
> > > Hello,
> > > Can some one point me to some docs on the CXF and ACEGI
> > > integration or CXF and security like authentication and
> > > authorization. Some sample app will even be great.
> > >
> > > I found some blogs on the CXF+ACEGI, but it is Java centric. On
> > > the client side we need to set the which class handles the
> > > security on the Server side! But if I am using some other language
> > > for clients like C# it does n't seem to be the proper way!
> > >
> > > Any ideas will be greatly appreciated.
> > >
> > > Thanks
> > > Matt
> >
> > --
> > J. Daniel Kulp
> > Principal Engineer
> > IONA
> > P: 781-902-8727    C: 508-380-7194
> > daniel.kulp@iona.com
> > http://www.dankulp.com/blog



-- 
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727    C: 508-380-7194
daniel.kulp@iona.com
http://www.dankulp.com/blog

Re: CXF+ACEGI

Posted by Ray Krueger <ra...@gmail.com>.
Another factor in the discussion has to do with what you want to
secure. Acegi is built to secure web applications. It does this by
providing various ways to secure the HTTP communication.

The authorization and authentication concerns are addressed at the
protocol layer first, and can then be extended into lower levels of
the application via AOP and such. So, if you're interested in securing
your application at that level, then CXF doesn't even really enter
into the discussion. Meaning that you're going to put the Acegi filter
out there, and configure it to protect whatever URLs your CXF services
are published on. Acegi wouldn't know anything about CXF in that case.

From there you can decide in your endpoints how you consider the
'Principal'. You could retrieve it from Acegi without it being part of
WS-Security and keep it loose that way. Or you could find some means
of integrating Acegi into a WS-Security provider for CXF somehow.

The application I am building will support both plain xml over http
and soap over http. So in that case it makes sense for me to place
security at the http layer, and avoid relying on something like
WS-Security.


On 9/17/07, Daniel Kulp <dk...@apache.org> wrote:
>
> Interesting you should ask this.....    I first heard about ACEGI last
> week in a different conversation and have just started to look into it a
> bit.   I'd LOVE to have your input into this as to what you think is
> needed or what you would consider good integration.
>
> Here are my thoughts so far:   (keep in mind, I had never heard of ACEGI
> till last week so I could be completely off base)
>
> 1) If you deploy your app as a war using the spring webapp stuff and
> setting up to use aop for your service, it should just work.  The acegi
> filter should grab the basic-auth stuff, setup the security context
> stuff it needs, and when we call invoke on the service, the acegi stuff
> should grant/deny it.
>
> 2) Longer term, we could write an interceptor that grabs the
> AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message and
> fills in the acegi contexts with the details.    That really wouldn't be
> a huge amount of work to do.
>
>
> Dan
>
>
>
> On Thursday 13 September 2007, mattmadhavan wrote:
> > Hello,
> > Can some one point me to some docs on the CXF and ACEGI integration or
> > CXF and security like authentication and authorization. Some sample
> > app will even be great.
> >
> > I found some blogs on the CXF+ACEGI, but it is Java centric. On the
> > client side we need to set the which class handles the security on the
> > Server side! But if I am using some other language for clients like C#
> > it does n't seem to be the proper way!
> >
> > Any ideas will be greatly appreciated.
> >
> > Thanks
> > Matt
>
>
>
> --
> J. Daniel Kulp
> Principal Engineer
> IONA
> P: 781-902-8727    C: 508-380-7194
> daniel.kulp@iona.com
> http://www.dankulp.com/blog
>

Re: CXF+ACEGI

Posted by Daniel Kulp <dk...@apache.org>.
Interesting you should ask this.....    I first heard about ACEGI last 
week in a different conversation and have just started to look into it a 
bit.   I'd LOVE to have your input into this as to what you think is 
needed or what you would consider good integration.

Here are my thoughts so far:   (keep in mind, I had never heard of ACEGI 
till last week so I could be completely off base)

1) If you deploy your app as a war using the spring webapp stuff and
set it up to use aop for your service, it should just work.  The acegi
filter should grab the basic-auth stuff, set up the security context
stuff it needs, and when we call invoke on the service, the acegi stuff
should grant/deny it.

2) Longer term, we could write an interceptor that grabs the 
AuthorizationPolicy object and HTTPS/WS-Sec stuff from our message and 
fills in the acegi contexts with the details.    That really wouldn't be 
a huge amount of work to do.


Dan



On Thursday 13 September 2007, mattmadhavan wrote:
> Hello,
> Can some one point me to some docs on the CXF and ACEGI integration or
> CXF and security like authentication and authorization. Some sample
> app will even be great.
>
> I found some blogs on the CXF+ACEGI, but it is Java centric. On the
> client side we need to set the which class handles the security on the
> Server side! But if I am using some other language for clients like C#
> it does n't seem to be the proper way!
>
> Any ideas will be greatly appreciated.
>
> Thanks
> Matt



-- 
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727    C: 508-380-7194
daniel.kulp@iona.com
http://www.dankulp.com/blog
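
An added illustration of the interceptor Dan Kulp sketches in his two messages above; it is not code from this thread, from the CXF project, or the attachment Eric Miles mentions. It reads the HTTP basic-auth credentials that CXF exposes as an AuthorizationPolicy, authenticates them through an Acegi AuthenticationManager, and fills the Acegi security context so AOP method security can grant or deny the call. The class names AcegiBasicAuthInterceptor and ClearContext are hypothetical, and the choice of the PRE_INVOKE and POST_INVOKE phases and the Spring-injected authenticationManager are assumptions.

```java
import org.acegisecurity.Authentication;
import org.acegisecurity.AuthenticationException;
import org.acegisecurity.AuthenticationManager;
import org.acegisecurity.context.SecurityContextHolder;
import org.acegisecurity.providers.UsernamePasswordAuthenticationToken;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;

/**
 * Hypothetical in-interceptor: bridges CXF's basic-auth AuthorizationPolicy
 * into the Acegi SecurityContext before the service method is invoked.
 * Register it (and ClearContext below) as in-interceptors on the endpoint.
 */
public class AcegiBasicAuthInterceptor extends AbstractPhaseInterceptor<Message> {

    // Assumed to be injected from the Spring context that configures Acegi.
    private AuthenticationManager authenticationManager;

    public AcegiBasicAuthInterceptor() {
        // Assumption: PRE_INVOKE runs after transport and WS-Security
        // processing and before the service invoker.
        super(Phase.PRE_INVOKE);
    }

    public void setAuthenticationManager(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public void handleMessage(Message message) throws Fault {
        // Worker threads are pooled: never inherit a previous caller's identity.
        SecurityContextHolder.clearContext();

        // CXF's HTTP transport puts decoded basic-auth credentials on the message.
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null
                || policy.getPassword() == null) {
            // Fail closed: no credentials means no invocation.
            throw new Fault(new SecurityException("Authentication required"));
        }

        try {
            // Unauthenticated request token; the manager returns a populated
            // Authentication (with granted authorities) or throws.
            Authentication request = new UsernamePasswordAuthenticationToken(
                    policy.getUserName(), policy.getPassword());
            Authentication result = authenticationManager.authenticate(request);

            // Store the authenticated result, not the raw request token, so
            // MethodSecurityInterceptor sees the authorities the manager granted.
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            SecurityContextHolder.clearContext();
            // Generic message: do not reveal whether user or password was wrong.
            throw new Fault(new SecurityException("Authentication failed"));
        }
    }

    public void handleFault(Message message) {
        // Called when the chain unwinds after a later failure, including an
        // access-denied exception raised by the secured service bean.
        SecurityContextHolder.clearContext();
    }

    /**
     * Hypothetical companion in-interceptor: clears the thread-bound context
     * once the service call has returned, so the identity does not leak to
     * the next request handled by the same thread.
     */
    public static class ClearContext extends AbstractPhaseInterceptor<Message> {

        public ClearContext() {
            // Assumption: POST_INVOKE is the inbound phase after the invoker.
            super(Phase.POST_INVOKE);
        }

        public void handleMessage(Message message) throws Fault {
            SecurityContextHolder.clearContext();
        }

        public void handleFault(Message message) {
            SecurityContextHolder.clearContext();
        }
    }
}
```

Because the credentials are taken from the transport rather than from a handler class named by the client, a non-Java client such as C# only needs to send standard HTTP basic authentication, which should be carried over HTTPS.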

Re: CXF+ACEGI + Anybody out there?

Posted by mattmadhavan <ma...@yahoo.com>.
Hello again,
Sorry to revisit this thread again, but I am still not clear if we reached
any conclusion! Do we just use Acegi or use it with WSS4J?

Can someone please post a complete example, with all the configurations
etc.? It will be awesome!


Thanks
Matt



Juan José Vázquez Delgado wrote:
> 
> Hi all,
> 
> I love CXF, but IMHO the ws-security module is not solved well enough. I
> suspect the one responsible is wss4j, which is not very powerful.
> 
> I'm thinking of using the GlassFish XWSS (https://xwss.dev.java.net/) in a
> similar way to Spring Web Services
> (http://static.springframework.org/spring-ws/site/). With XWSS you can
> set handlers and validators, for instance an Acegi handler.
> 
> BR,
> 
> Juanjo.
> 
> On 9/21/07, Eric Miles <er...@kronos.com> wrote:
>>
>> We started some discussion the other day about CXF+Acegi out there the
>> other day, but hadn't seen anything since.  Any discussion after I sent
>> the source code or my findings with integrating the two?
>>
>> On Tue, 2007-09-18 at 11:18 -0400, Eric Miles wrote:
>> > Actually, here is the code.  Attached is the WSS4J callback class and
>> > the CXF interceptor that uses the Acegi authentication manager for
>> > authentication.
>> >
>> > Pretty simple and straight forward.  If you look at the callback
>> > handler, you can see my comment regarding the WSS4J engine.  I do have
>> > one concern in that this solution might not have worked for a digest
>> UT.
>> > I'll have to revisit as it has been several months since we first
>> looked
>> > at it.
>> >
>> > However, this is a spring board for any discussions. (Spring pun not
>> > intended)
>> >
>> > Eric
>> >
>> >
>> > On Tue, 2007-09-18 at 08:10 -0700, mattmadhavan wrote:
>> > > Eric,
>> > > Do you mind posting a complete example. May be we can have a very
>> > > constructive discussions based on that.
>> > >
>> > > Thanks
>> > > Matt
>> > >
>> > >
>> > >
>> > >
>> > > BigEHokie wrote:
>> > > >
>> > > > Dan,
>> > > >
>> > > > What sort of solution are you looking for?  We are using an
>> > > > Acegi/Spring/CXF implementation at our company where we are using
>> > > > WS-Security and Acegi for authentication and AOP/Acegi for
>> > > > authorization.  We could be interested in contributing.
>> > > >
>> > > > Thanks,
>> > > > Eric
>> > > >
>> > > >
>> > > > On Tue, 2007-09-18 at 00:15 +0200, Dan Diephouse wrote:
>> > > >> And I want somebody to contribute a cleaner solution :-D
>> > > >>
>> > > >> I know there is a lot of stuff we could do with Spring
>> Security/Acegi
>> > > >> that would be super cool. It'd be a real low barrier way to
>> contribute
>> > > >> some stuff if anyone is interested.
>> > > >>
>> > > >> Cheers,
>> > > >> - Dan
>> > > >>
>> > > >> mattmadhavan wrote:
>> > > >> > Hi Ray,
>> > > >> > No I do not want the client side to tell the server! Thats my
>> point.
>> > > >> Some
>> > > >> > good blogs I have seen, do that! Where the client 'tells' which
>> handler
>> > > >> to
>> > > >> > use!
>> > > >> >
>> > > >> > I want a cleaner ACEGI+ XFIRE solution!
>> > > >> >
>> > > >> > Thanks
>> > > >> > Matt
>> > > >> >
>> > > >> >
>> > > >> >
>> > > >> > Ray Krueger wrote:
>> > > >> >
>> > > >> > > You want the client to tell the server how to do security?
>> That
>> > > >> sounds
>> > > >> > > crazy :)
>> > > >> > >
>> > > >> > > Your client side should either be doing http based security or
>> > > >> > > ws-security. That doesn't have anything to do with Acegi at
>> that
>> > > >> > > point.
>> > > >> > >
>> > > >> > > On 9/14/07, Zarar Siddiqi <za...@gmail.com> wrote:
>> > > >> > >
>> > > >> > > > I'm trying to understand what you're saying but am having
>> > > >> difficulty. But
>> > > >> > > > here goes:
>> > > >> > > >
>> > > >> > > >
>> > > >> > > > > Can some one point me to some docs on the CXF and ACEGI
>> > > >> integration
>> > > >> > > > > or CXF and security like authentication and authorization.
>> > > >> > > > >
>> > > >> > > > I use Acegi for authorization purposes only. IMHO it doesn't
>> really
>> > > >> make
>> > > >> > > > sense for authentication (WS-Security can do that).  So I
>> use
>> the
>> > > >> > > > MethodSecurityInterceptor and BeanNameAutoProxyCreator to
>> manage
>> > > >> calls to
>> > > >> > > > my
>> > > >> > > > service level methods.  The Acegi docs can help you there,
>> the only
>> > > >> > > > difference I think is that you have to set the
>> authentication
>> token
>> > > >> > > > yourself, e.g.:
>> > > >> > > >
>> > > >> > > > UsernamePasswordAuthenticationToken token = new
>> > > >> > > > UsernamePasswordAuthenticationToken(
>> > > >> > > >    user.getUsername(), user.getPassword(),
>> user.getAuthorities());
>> > > >> > > > // Populate Acegi Security Context
>> > > >> > > > SecurityContextHolder.getContext().setAuthentication(token);
>> > > >> > > >
>> > > >> > > >
>> > > >> > > > > I found some blogs on the CXF+ACEGI, but it is Java
>> centric. On
>> > > >> the
>> > > >> > > > >
>> > > >> > > > client
>> > > >> > > >
>> > > >> > > > > side
>> > > >> > > > > we need to set the which class handles the security on the
>> Server
>> > > >> side!
>> > > >> > > > > But if
>> > > >> > > > > I am using some other language for clients like C# it
>> doesn't
>> > > >> seem to
>> > > >> > > > >
>> > > >> > > > be
>> > > >> > > >
>> > > >> > > > > the proper way!
>> > > >> > > > >
>> > > >> > > > You can pass the class name which handles security to the
>> server
>> > > >> (crazy
>> > > >> > > > thought I think!) using a header element and then parse it
>> using
>> > > >> CXF
>> > > >> > > > interceptors.
>> > > >> > > >
>> > > >> > > > Zarar
>> > > >> > > >
>> > > >> > > >
>> > > >> > > >
>> > > >> > > >
>> > > >> > > > mattmadhavan wrote:
>> > > >> > > >
>> > > >> > > > > Any Help will be appreciated!
>> > > >> > > > >
>> > > >> > > > >
>> > > >> > > > >
>> > > >> > > > > mattmadhavan wrote:
>> > > >> > > > >
>> > > >> > > > > > Hello,
>> > > >> > > > > > Can some one point me to some docs on the CXF and ACEGI
>> > > >> integration or
>> > > >> > > > > > CXF and security like authentication and authorization.
>> Some
>> > > >> sample
>> > > >> > > > > >
>> > > >> > > > app
>> > > >> > > >
>> > > >> > > > > > will even be great.
>> > > >> > > > > >
>> > > >> > > > > > I found some blogs on the CXF+ACEGI, but it is Java
>> centric. On
>> > > >> the
>> > > >> > > > > > client side we need to set the which class handles the
>> security
>> > > >> on the
>> > > >> > > > > > Server side! But if I am using some other language for
>> clients
>> > > >> like C#
>> > > >> > > > > >
>> > > >> > > > it
>> > > >> > > >
>> > > >> > > > > > does n't seem to be the proper way!
>> > > >> > > > > >
>> > > >> > > > > > Any ideas will be greatly appreciated.
>> > > >> > > > > >
>> > > >> > > > > > Thanks
>> > > >> > > > > > Matt
>> > > >> > > > > >
>> > > >> > > > > >
>> > > >> > > > --
>> > > >> > > > View this message in context:
>> > > >> > > > http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
>> > > >> > > > Sent from the cxf-user mailing list archive at Nabble.com.
>> > > >> > > >
>> > > >> > > >
>> > > >> > > >
>> > > >> >
>> > > >> >
>> > > >>
>> > > >>
>> > > >> --
>> > > >> Dan Diephouse
>> > > >> MuleSource
>> > > >> http://mulesource.com | http://netzooid.com/blog
>> > > >
>> > > >
>> > >
>>
> 
> 



Re: CXF+ACEGI + Anybody out there?

Posted by Juan José Vázquez Delgado <ju...@gmail.com>.
Hi all,

I love CXF, but IMHO the ws-security module is not solved well enough. I
suspect the one responsible is wss4j, which is not very powerful.

I'm thinking of using the GlassFish XWSS (https://xwss.dev.java.net/) in a
similar way to Spring Web Services
(http://static.springframework.org/spring-ws/site/). With XWSS you can
set handlers and validators, for instance an Acegi handler.

BR,

Juanjo.

On 9/21/07, Eric Miles <er...@kronos.com> wrote:
>
> We started some discussion the other day about CXF+Acegi out there the
> other day, but hadn't seen anything since.  Any discussion after I sent
> the source code or my findings with integrating the two?
>
> On Tue, 2007-09-18 at 11:18 -0400, Eric Miles wrote:
> > Actually, here is the code.  Attached is the WSS4J callback class and
> > the CXF interceptor that uses the Acegi authentication manager for
> > authentication.
> >
> > Pretty simple and straight forward.  If you look at the callback
> > handler, you can see my comment regarding the WSS4J engine.  I do have
> > one concern in that this solution might not have worked for a digest UT.
> > I'll have to revisit as it has been several months since we first looked
> > at it.
> >
> > However, this is a spring board for any discussions. (Spring pun not
> > intended)
> >
> > Eric
> >
> >
> > On Tue, 2007-09-18 at 08:10 -0700, mattmadhavan wrote:
> > > Eric,
> > > Do you mind posting a complete example. May be we can have a very
> > > constructive discussions based on that.
> > >
> > > Thanks
> > > Matt
> > >
> > >
> > >
> > >
> > > BigEHokie wrote:
> > > >
> > > > Dan,
> > > >
> > > > What sort of solution are you looking for?  We are using an
> > > > Acegi/Spring/CXF implementation at our company where we are using
> > > > WS-Security and Acegi for authentication and AOP/Acegi for
> > > > authorization.  We could be interested in contributing.
> > > >
> > > > Thanks,
> > > > Eric
> > > >
> > > >
> > > > On Tue, 2007-09-18 at 00:15 +0200, Dan Diephouse wrote:
> > > >> And I want somebody to contribute a cleaner solution :-D
> > > >>
> > > >> I know there is a lot of stuff we could do with Spring
> Security/Acegi
> > > >> that would be super cool. It'd be a real low barrier way to
> contribute
> > > >> some stuff if anyone is interested.
> > > >>
> > > >> Cheers,
> > > >> - Dan
> > > >>
> > > >> mattmadhavan wrote:
> > > >> > Hi Ray,
> > > >> > No I do not want the client side to tell the server! Thats my
> point.
> > > >> Some
> > > >> > good blogs I have seen, do that! Where the client 'tells' which
> handler
> > > >> to
> > > >> > use!
> > > >> >
> > > >> > I want a cleaner ACEGI+ XFIRE solution!
> > > >> >
> > > >> > Thanks
> > > >> > Matt
> > > >> >
> > > >> >
> > > >> >
> > > >> > Ray Krueger wrote:
> > > >> >
> > > >> > > You want the client to tell the server how to do security? That
> > > >> sounds
> > > >> > > crazy :)
> > > >> > >
> > > >> > > Your client side should either be doing http based security or
> > > >> > > ws-security. That doesn't have anything to do with Acegi at
> that
> > > >> > > point.
> > > >> > >
> > > >> > > On 9/14/07, Zarar Siddiqi <za...@gmail.com> wrote:
> > > >> > >
> > > >> > > > I'm trying to understand what you're saying but am having
> > > >> difficulty. But
> > > >> > > > here goes:
> > > >> > > >
> > > >> > > >
> > > >> > > > > Can some one point me to some docs on the CXF and ACEGI
> > > >> integration
> > > >> > > > > or CXF and security like authentication and authorization.
> > > >> > > > >
> > > >> > > > I use Acegi for authorization purposes only. IMHO it doesn't
> really
> > > >> make
> > > >> > > > sense for authentication (WS-Security can do that).  So I use
> the
> > > >> > > > MethodSecurityInterceptor and BeanNameAutoProxyCreator to
> manage
> > > >> calls to
> > > >> > > > my
> > > >> > > > service level methods.  The Acegi docs can help you there,
> the only
> > > >> > > > difference I think is that you have to set the authentication
> token
> > > >> > > > yourself, e.g.:
> > > >> > > >
> > > >> > > > UsernamePasswordAuthenticationToken token = new
> > > >> > > > UsernamePasswordAuthenticationToken(
> > > >> > > >    user.getUsername(), user.getPassword(),
> user.getAuthorities());
> > > >> > > > // Populate Acegi Security Context
> > > >> > > > SecurityContextHolder.getContext().setAuthentication(token);
> > > >> > > >
> > > >> > > >
> > > >> > > > > I found some blogs on the CXF+ACEGI, but it is Java
> centric. On
> > > >> the
> > > >> > > > >
> > > >> > > > client
> > > >> > > >
> > > >> > > > > side
> > > >> > > > > we need to set the which class handles the security on the
> Server
> > > >> side!
> > > >> > > > > But if
> > > >> > > > > I am using some other language for clients like C# it
> doesn't
> > > >> seem to
> > > >> > > > >
> > > >> > > > be
> > > >> > > >
> > > >> > > > > the proper way!
> > > >> > > > >
> > > >> > > > You can pass the class name which handles security to the
> server
> > > >> (crazy
> > > >> > > > thought I think!) using a header element and then parse it
> using
> > > >> CXF
> > > >> > > > interceptors.
> > > >> > > >
> > > >> > > > Zarar
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> > > > mattmadhavan wrote:
> > > >> > > >
> > > >> > > > > Any Help will be appreciated!
> > > >> > > > >
> > > >> > > > >
> > > >> > > > >
> > > >> > > > > mattmadhavan wrote:
> > > >> > > > >
> > > >> > > > > > Hello,
> > > >> > > > > > Can some one point me to some docs on the CXF and ACEGI
> > > >> integration or
> > > >> > > > > > CXF and security like authentication and authorization.
> Some
> > > >> sample
> > > >> > > > > >
> > > >> > > > app
> > > >> > > >
> > > >> > > > > > will even be great.
> > > >> > > > > >
> > > >> > > > > > I found some blogs on the CXF+ACEGI, but it is Java
> centric. On
> > > >> the
> > > >> > > > > > client side we need to set the which class handles the
> security
> > > >> on the
> > > >> > > > > > Server side! But if I am using some other language for
> clients
> > > >> like C#
> > > >> > > > > >
> > > >> > > > it
> > > >> > > >
> > > >> > > > > > does n't seem to be the proper way!
> > > >> > > > > >
> > > >> > > > > > Any ideas will be greatly appreciated.
> > > >> > > > > >
> > > >> > > > > > Thanks
> > > >> > > > > > Matt
> > > >> > > > > >
> > > >> > > > > >
> > > >> > > > --
> > > >> > > > View this message in context:
> > > >> > > > http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
> > > >> > > > Sent from the cxf-user mailing list archive at Nabble.com.
> > > >> > > >
> > > >> > > >
> > > >> > > >
> > > >> >
> > > >> >
> > > >>
> > > >>
> > > >> --
> > > >> Dan Diephouse
> > > >> MuleSource
> > > >> http://mulesource.com | http://netzooid.com/blog
> > > >
> > > >
> > >
>

Re: CXF+ACEGI + Anybody out there?

Posted by Eric Miles <er...@kronos.com>.
We started some discussion about CXF+Acegi the other day, but I haven't
seen anything since.  Any discussion after I sent
the source code or my findings with integrating the two?

On Tue, 2007-09-18 at 11:18 -0400, Eric Miles wrote:
> Actually, here is the code.  Attached is the WSS4J callback class and
> the CXF interceptor that uses the Acegi authentication manager for
> authentication.
> 
> Pretty simple and straight forward.  If you look at the callback
> handler, you can see my comment regarding the WSS4J engine.  I do have
> one concern in that this solution might not have worked for a digest UT.
> I'll have to revisit as it has been several months since we first looked
> at it.
> 
> However, this is a spring board for any discussions. (Spring pun not
> intended)
> 
> Eric
> 
> 
> On Tue, 2007-09-18 at 08:10 -0700, mattmadhavan wrote:
> > Eric,
> > Do you mind posting a complete example. May be we can have a very
> > constructive discussions based on that. 
> > 
> > Thanks
> > Matt
> > 
> > 
> > 
> > 
> > BigEHokie wrote:
> > > 
> > > Dan,
> > > 
> > > What sort of solution are you looking for?  We are using an
> > > Acegi/Spring/CXF implementation at our company where we are using
> > > WS-Security and Acegi for authentication and AOP/Acegi for
> > > authorization.  We could be interested in contributing.
> > > 
> > > Thanks,
> > > Eric
> > > 
> > > 
> > > On Tue, 2007-09-18 at 00:15 +0200, Dan Diephouse wrote:
> > >> And I want somebody to contribute a cleaner solution :-D
> > >> 
> > >> I know there is a lot of stuff we could do with Spring Security/Acegi
> > >> that would be super cool. It'd be a real low barrier way to contribute
> > >> some stuff if anyone is interested.
> > >> 
> > >> Cheers,
> > >> - Dan
> > >> 
> > >> mattmadhavan wrote: 
> > >> > Hi Ray,
> > >> > No I do not want the client side to tell the server! Thats my point.
> > >> Some
> > >> > good blogs I have seen, do that! Where the client 'tells' which handler
> > >> to
> > >> > use!
> > >> > 
> > >> > I want a cleaner ACEGI+ XFIRE solution!
> > >> > 
> > >> > Thanks
> > >> > Matt
> > >> > 
> > >> > 
> > >> > 
> > >> > Ray Krueger wrote:
> > >> >   
> > >> > > You want the client to tell the server how to do security? That
> > >> sounds
> > >> > > crazy :)
> > >> > > 
> > >> > > Your client side should either be doing http based security or
> > >> > > ws-security. That doesn't have anything to do with Acegi at that
> > >> > > point.
> > >> > > 
> > >> > > On 9/14/07, Zarar Siddiqi <za...@gmail.com> wrote:
> > >> > >     
> > >> > > > I'm trying to understand what you're saying but am having
> > >> difficulty. But
> > >> > > > here goes:
> > >> > > > 
> > >> > > >       
> > >> > > > > Can some one point me to some docs on the CXF and ACEGI
> > >> integration
> > >> > > > > or CXF and security like authentication and authorization.
> > >> > > > >         
> > >> > > > I use Acegi for authorization purposes only. IMHO it doesn't really
> > >> make
> > >> > > > sense for authentication (WS-Security can do that).  So I use the
> > >> > > > MethodSecurityInterceptor and BeanNameAutoProxyCreator to manage
> > >> calls to
> > >> > > > my
> > >> > > > service level methods.  The Acegi docs can help you there, the only
> > >> > > > difference I think is that you have to set the authentication token
> > >> > > > yourself, e.g.:
> > >> > > > 
> > >> > > > UsernamePasswordAuthenticationToken token = new
> > >> > > > UsernamePasswordAuthenticationToken(
> > >> > > >    user.getUsername(), user.getPassword(), user.getAuthorities());
> > >> > > > // Populate Acegi Security Context
> > >> > > > SecurityContextHolder.getContext().setAuthentication(token);
> > >> > > > 
> > >> > > >       
> > >> > > > > I found some blogs on the CXF+ACEGI, but it is Java centric. On
> > >> the
> > >> > > > >         
> > >> > > > client
> > >> > > >       
> > >> > > > > side
> > >> > > > > we need to set the which class handles the security on the Server
> > >> side!
> > >> > > > > But if
> > >> > > > > I am using some other language for clients like C# it doesn't
> > >> seem to
> > >> > > > >         
> > >> > > > be
> > >> > > >       
> > >> > > > > the proper way!
> > >> > > > >         
> > >> > > > You can pass the class name which handles security to the server
> > >> (crazy
> > >> > > > thought I think!) using a header element and then parse it using
> > >> CXF
> > >> > > > interceptors.
> > >> > > > 
> > >> > > > Zarar
> > >> > > > 
> > >> > > > 
> > >> > > > 
> > >> > > > 
> > >> > > > mattmadhavan wrote:
> > >> > > >       
> > >> > > > > Any Help will be appreciated!
> > >> > > > > 
> > >> > > > > 
> > >> > > > > 
> > >> > > > > mattmadhavan wrote:
> > >> > > > >         
> > >> > > > > > Hello,
> > >> > > > > > Can some one point me to some docs on the CXF and ACEGI
> > >> integration or
> > >> > > > > > CXF and security like authentication and authorization. Some
> > >> sample
> > >> > > > > >           
> > >> > > > app
> > >> > > >       
> > >> > > > > > will even be great.
> > >> > > > > > 
> > >> > > > > > I found some blogs on the CXF+ACEGI, but it is Java centric. On
> > >> the
> > >> > > > > > client side we need to set the which class handles the security
> > >> on the
> > >> > > > > > Server side! But if I am using some other language for clients
> > >> like C#
> > >> > > > > >           
> > >> > > > it
> > >> > > >       
> > >> > > > > > does n't seem to be the proper way!
> > >> > > > > > 
> > >> > > > > > Any ideas will be greatly appreciated.
> > >> > > > > > 
> > >> > > > > > Thanks
> > >> > > > > > Matt
> > >> > > > > > 
> > >> > > > > >           
> > >> > > > --
> > >> > > > View this message in context:
> > >> > > > http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
> > >> > > > Sent from the cxf-user mailing list archive at Nabble.com.
> > >> > > > 
> > >> > > > 
> > >> > > >       
> > >> > 
> > >> >   
> > >> 
> > >> 
> > >> -- 
> > >> Dan Diephouse
> > >> MuleSource
> > >> http://mulesource.com | http://netzooid.com/blog
> > > 
> > > 
> > 

Re: CXF+ACEGI + Anybody out there?

Posted by Eric Miles <er...@kronos.com>.
Actually, here is the code.  Attached is the WSS4J callback class and
the CXF interceptor that uses the Acegi authentication manager for
authentication.

Pretty simple and straight forward.  If you look at the callback
handler, you can see my comment regarding the WSS4J engine.  I do have
one concern in that this solution might not have worked for a digest UT.
I'll have to revisit as it has been several months since we first looked
at it.

However, this is a springboard for any discussions. (Spring pun not
intended)

Eric


On Tue, 2007-09-18 at 08:10 -0700, mattmadhavan wrote:
> Eric,
> Do you mind posting a complete example. May be we can have a very
> constructive discussions based on that. 
> 
> Thanks
> Matt
> 
> 
> 
> 
> BigEHokie wrote:
> > 
> > Dan,
> > 
> > What sort of solution are you looking for?  We are using an
> > Acegi/Spring/CXF implementation at our company where we are using
> > WS-Security and Acegi for authentication and AOP/Acegi for
> > authorization.  We could be interested in contributing.
> > 
> > Thanks,
> > Eric
> > 
> > 
> > On Tue, 2007-09-18 at 00:15 +0200, Dan Diephouse wrote:
> >> And I want somebody to contribute a cleaner solution :-D
> >> 
> >> I know there is a lot of stuff we could do with Spring Security/Acegi
> >> that would be super cool. It'd be a real low barrier way to contribute
> >> some stuff if anyone is interested.
> >> 
> >> Cheers,
> >> - Dan
> >> 
> >> mattmadhavan wrote: 
> >> > Hi Ray,
> >> > No I do not want the client side to tell the server! Thats my point.
> >> Some
> >> > good blogs I have seen, do that! Where the client 'tells' which handler
> >> to
> >> > use!
> >> > 
> >> > I want a cleaner ACEGI+ XFIRE solution!
> >> > 
> >> > Thanks
> >> > Matt
> >> > 
> >> > 
> >> > 
> >> > Ray Krueger wrote:
> >> >   
> >> > > You want the client to tell the server how to do security? That
> >> sounds
> >> > > crazy :)
> >> > > 
> >> > > Your client side should either be doing http based security or
> >> > > ws-security. That doesn't have anything to do with Acegi at that
> >> > > point.
> >> > > 
> >> > > On 9/14/07, Zarar Siddiqi <za...@gmail.com> wrote:
> >> > >     
> >> > > > I'm trying to understand what you're saying but am having
> >> difficulty. But
> >> > > > here goes:
> >> > > > 
> >> > > >       
> >> > > > > Can some one point me to some docs on the CXF and ACEGI
> >> integration
> >> > > > > or CXF and security like authentication and authorization.
> >> > > > >         
> >> > > > I use Acegi for authorization purposes only. IMHO it doesn't really
> >> make
> >> > > > sense for authentication (WS-Security can do that).  So I use the
> >> > > > MethodSecurityInterceptor and BeanNameAutoProxyCreator to manage
> >> calls to
> >> > > > my
> >> > > > service level methods.  The Acegi docs can help you there, the only
> >> > > > difference I think is that you have to set the authentication token
> >> > > > yourself, e.g.:
> >> > > > 
> >> > > > UsernamePasswordAuthenticationToken token = new
> >> > > > UsernamePasswordAuthenticationToken(
> >> > > >    user.getUsername(), user.getPassword(), user.getAuthorities());
> >> > > > // Populate Acegi Security Context
> >> > > > SecurityContextHolder.getContext().setAuthentication(token);
> >> > > > 
> >> > > >       
> >> > > > > I found some blogs on the CXF+ACEGI, but it is Java centric. On
> >> the
> >> > > > >         
> >> > > > client
> >> > > >       
> >> > > > > side
> >> > > > > we need to set the which class handles the security on the Server
> >> side!
> >> > > > > But if
> >> > > > > I am using some other language for clients like C# it doesn't
> >> seem to
> >> > > > >         
> >> > > > be
> >> > > >       
> >> > > > > the proper way!
> >> > > > >         
> >> > > > You can pass the class name which handles security to the server
> >> (crazy
> >> > > > thought I think!) using a header element and then parse it using
> >> CXF
> >> > > > interceptors.
> >> > > > 
> >> > > > Zarar
> >> > > > 
> >> > > > 
> >> > > > 
> >> > > > 
> >> > > > mattmadhavan wrote:
> >> > > >       
> >> > > > > Any Help will be appreciated!
> >> > > > > 
> >> > > > > 
> >> > > > > 
> >> > > > > mattmadhavan wrote:
> >> > > > >         
> >> > > > > > Hello,
> >> > > > > > Can some one point me to some docs on the CXF and ACEGI
> >> integration or
> >> > > > > > CXF and security like authentication and authorization. Some
> >> sample
> >> > > > > >           
> >> > > > app
> >> > > >       
> >> > > > > > will even be great.
> >> > > > > > 
> >> > > > > > I found some blogs on the CXF+ACEGI, but it is Java centric. On
> >> the
> >> > > > > > client side we need to set the which class handles the security
> >> on the
> >> > > > > > Server side! But if I am using some other language for clients
> >> like C#
> >> > > > > >           
> >> > > > it
> >> > > >       
> >> > > > > > does n't seem to be the proper way!
> >> > > > > > 
> >> > > > > > Any ideas will be greatly appreciated.
> >> > > > > > 
> >> > > > > > Thanks
> >> > > > > > Matt
> >> > > > > > 
> >> > > > > >           
> >> > > > --
> >> > > > View this message in context:
> >> > > > http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
> >> > > > Sent from the cxf-user mailing list archive at Nabble.com.
> >> > > > 
> >> > > > 
> >> > > >       
> >> > 
> >> >   
> >> 
> >> 
> >> -- 
> >> Dan Diephouse
> >> MuleSource
> >> http://mulesource.com | http://netzooid.com/blog
> > 
> > 
> 

Re: CXF+ACEGI + Anybody out there?

Posted by mattmadhavan <ma...@yahoo.com>.
Eric,
Do you mind posting a complete example? Maybe we can have a very
constructive discussion based on that.

Thanks
Matt




BigEHokie wrote:
> 
> Dan,
> 
> What sort of solution are you looking for?  We are using an
> Acegi/Spring/CXF implementation at our company where we are using
> WS-Security and Acegi for authentication and AOP/Acegi for
> authorization.  We could be interested in contributing.
> 
> Thanks,
> Eric
> 
> 
> On Tue, 2007-09-18 at 00:15 +0200, Dan Diephouse wrote:
>> And I want somebody to contribute a cleaner solution :-D
>> 
>> I know there is a lot of stuff we could do with Spring Security/Acegi
>> that would be super cool. It'd be a real low barrier way to contribute
>> some stuff if anyone is interested.
>> 
>> Cheers,
>> - Dan
>> 
>> mattmadhavan wrote: 
>> > Hi Ray,
>> > No I do not want the client side to tell the server! Thats my point.
>> Some
>> > good blogs I have seen, do that! Where the client 'tells' which handler
>> to
>> > use!
>> > 
>> > I want a cleaner ACEGI+ XFIRE solution!
>> > 
>> > Thanks
>> > Matt
>> > 
>> > 
>> > 
>> > Ray Krueger wrote:
>> >   
>> > > You want the client to tell the server how to do security? That
>> sounds
>> > > crazy :)
>> > > 
>> > > Your client side should either be doing http based security or
>> > > ws-security. That doesn't have anything to do with Acegi at that
>> > > point.
>> > > 
>> > > On 9/14/07, Zarar Siddiqi <za...@gmail.com> wrote:
>> > >     
>> > > > I'm trying to understand what you're saying but am having
>> difficulty. But
>> > > > here goes:
>> > > > 
>> > > >       
>> > > > > Can some one point me to some docs on the CXF and ACEGI
>> integration
>> > > > > or CXF and security like authentication and authorization.
>> > > > >         
>> > > > I use Acegi for authorization purposes only. IMHO it doesn't really
>> make
>> > > > sense for authentication (WS-Security can do that).  So I use the
>> > > > MethodSecurityInterceptor and BeanNameAutoProxyCreator to manage
>> calls to
>> > > > my
>> > > > service level methods.  The Acegi docs can help you there, the only
>> > > > difference I think is that you have to set the authentication token
>> > > > yourself, e.g.:
>> > > > 
>> > > > UsernamePasswordAuthenticationToken token = new
>> > > > UsernamePasswordAuthenticationToken(
>> > > >    user.getUsername(), user.getPassword(), user.getAuthorities());
>> > > > // Populate Acegi Security Context
>> > > > SecurityContextHolder.getContext().setAuthentication(token);
>> > > > 
>> > > >       
>> > > > > I found some blogs on the CXF+ACEGI, but it is Java centric. On
>> the
>> > > > >         
>> > > > client
>> > > >       
>> > > > > side
>> > > > > we need to set the which class handles the security on the Server
>> side!
>> > > > > But if
>> > > > > I am using some other language for clients like C# it doesn't
>> seem to
>> > > > >         
>> > > > be
>> > > >       
>> > > > > the proper way!
>> > > > >         
>> > > > You can pass the class name which handles security to the server
>> (crazy
>> > > > thought I think!) using a header element and then parse it using
>> CXF
>> > > > interceptors.
>> > > > 
>> > > > Zarar
>> > > > 
>> > > > 
>> > > > 
>> > > > 
>> > > > mattmadhavan wrote:
>> > > >       
>> > > > > Any Help will be appreciated!
>> > > > > 
>> > > > > 
>> > > > > 
>> > > > > mattmadhavan wrote:
>> > > > >         
>> > > > > > Hello,
>> > > > > > Can some one point me to some docs on the CXF and ACEGI
>> integration or
>> > > > > > CXF and security like authentication and authorization. Some
>> sample
>> > > > > >           
>> > > > app
>> > > >       
>> > > > > > will even be great.
>> > > > > > 
>> > > > > > I found some blogs on the CXF+ACEGI, but it is Java centric. On
>> the
>> > > > > > client side we need to set the which class handles the security
>> on the
>> > > > > > Server side! But if I am using some other language for clients
>> like C#
>> > > > > >           
>> > > > it
>> > > >       
>> > > > > > does n't seem to be the proper way!
>> > > > > > 
>> > > > > > Any ideas will be greatly appreciated.
>> > > > > > 
>> > > > > > Thanks
>> > > > > > Matt
>> > > > > > 
>> > > > > >           
>> > > > --
>> > > > View this message in context:
>> > > > http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
>> > > > Sent from the cxf-user mailing list archive at Nabble.com.
>> > > > 
>> > > > 
>> > > >       
>> > 
>> >   
>> 
>> 
>> -- 
>> Dan Diephouse
>> MuleSource
>> http://mulesource.com | http://netzooid.com/blog
> 
> 



Re: CXF+ACEGI + Anybody out there?

Posted by Eric Miles <er...@kronos.com>.
It was a bit of extra coding, as there is some disjoint between what
WS-Security wants to do and what Acegi wants to do (at least for
UsernameToken authentication).  We also have a business requirement due
to some legacy data setup that proved to be problematic with WSS4J.

WSS4J wants you to return the password and it perform the password
comparison.  Acegi security also wants to perform the password
comparison.  Two separate processes that you're trying to integrate that
both want to run the show...problem there :)  Our business requirement
issue with WSS4J is we keep our passwords hashed in our DB.  Allowing
WSS4J to perform our authentication would never work as we need to hash
the password in the token and compare that against the hashed password
in the DB.  From my understanding, I cannot change this process with
WSS4J.  Acegi is nice in this regard as it allows you to provide a
password encoder that it will use against the provided password.

With all these factors, our strategy was to allow WSS4J to process the
UsernameToken to provide a Principal object with a username/password
that was provided in the header.  Then after the processing for WSS4J we
have our own interceptor in the interceptor chain that will use the
Principal object to delegate authentication to the Acegi authentication
manager.  Here's a snippet of our interceptor (apologize if formatting
turns out crappy):

// get the principal object
WSUsernameTokenPrincipal principal =
    (WSUsernameTokenPrincipal) secRes.getPrincipal();

Authentication auth = new UsernamePasswordAuthenticationToken(
    principal.getName(), principal.getPassword());

auth = authenticationManager.authenticate(auth);

if (!auth.isAuthenticated()) {
    throw new AuthorizationException("This user is not authentic");
}

SecurityContextHolder.getContext().setAuthentication(auth);

Now that the authentication object has been set within the context, you
can use Acegi throughout your code like you would any other webapp.  It
really is nice.  We even use Acegi annotations on our endpoints and use
AOP and a Role voter to authorize our web services.  It makes for a
fairly clean solution.  We use the same service classes for our web
services and our web application without any code change to support
authorization from each entry point.  Code reuse bliss.

I am not all that familiar with WSS4J, so I could be wrong in some of my
understandings of how it works with WS-Security.  Does anyone else have
a different experience or understanding of UsernameToken authentication
with WSS4J?  Does this seem like a reasonable approach?

Eric



On Tue, 2007-09-18 at 10:50 +0200, Dan Diephouse wrote:
> I guess I'm interesting in seeing any code that could be shared between 
> users come into CXF. Specifically, if I remember correctly from the 
> solutions that I've seen, the WS-Security integration in particular 
> takes an extra bit of coding.  Would be very happy to include your 
> contributions.
> Cheers,
> - Dan
> 
> Eric Miles wrote:
> > Dan,
> >
> > What sort of solution are you looking for?  We are using an
> > Acegi/Spring/CXF implementation at our company where we are using
> > WS-Security and Acegi for authentication and AOP/Acegi for
> > authorization.  We could be interested in contributing.
> >
> > Thanks,
> > Eric
> >
> >
> > On Tue, 2007-09-18 at 00:15 +0200, Dan Diephouse wrote:
> >   
> >> And I want somebody to contribute a cleaner solution :-D
> >>
> >> I know there is a lot of stuff we could do with Spring Security/Acegi
> >> that would be super cool. It'd be a real low barrier way to contribute
> >> some stuff if anyone is interested.
> >>
> >> Cheers,
> >> - Dan
> >>
> >> mattmadhavan wrote: 
> >>     
> >>> Hi Ray,
> >>> No I do not want the client side to tell the server! Thats my point. Some
> >>> good blogs I have seen, do that! Where the client 'tells' which handler to
> >>> use!
> >>>
> >>> I want a cleaner ACEGI+ XFIRE solution!
> >>>
> >>> Thanks
> >>> Matt
> >>>
> >>>
> >>>
> >>> Ray Krueger wrote:
> >>>   
> >>>       
> >>>> You want the client to tell the server how to do security? That sounds
> >>>> crazy :)
> >>>>
> >>>> Your client side should either be doing http based security or
> >>>> ws-security. That doesn't have anything to do with Acegi at that
> >>>> point.
> >>>>
> >>>> On 9/14/07, Zarar Siddiqi <za...@gmail.com> wrote:
> >>>>     
> >>>>         
> >>>>> I'm trying to understand what you're saying but am having difficulty. But
> >>>>> here goes:
> >>>>>
> >>>>>       
> >>>>>           
> >>>>>> Can some one point me to some docs on the CXF and ACEGI integration
> >>>>>> or CXF and security like authentication and authorization.
> >>>>>>         
> >>>>>>             
> >>>>> I use Acegi for authorization purposes only. IMHO it doesn't really make
> >>>>> sense for authentication (WS-Security can do that).  So I use the
> >>>>> MethodSecurityInterceptor and BeanNameAutoProxyCreator to manage calls to
> >>>>> my
> >>>>> service level methods.  The Acegi docs can help you there, the only
> >>>>> difference I think is that you have to set the authentication token
> >>>>> yourself, e.g.:
> >>>>>
> >>>>> UsernamePasswordAuthenticationToken token = new
> >>>>> UsernamePasswordAuthenticationToken(
> >>>>>    user.getUsername(), user.getPassword(), user.getAuthorities());
> >>>>> // Populate Acegi Security Context
> >>>>> SecurityContextHolder.getContext().setAuthentication(token);
> >>>>>
> >>>>>       
> >>>>>           
> >>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On the
> >>>>>>         
> >>>>>>             
> >>>>> client
> >>>>>       
> >>>>>           
> >>>>>> side
> >>>>>> we need to set the which class handles the security on the Server side!
> >>>>>> But if
> >>>>>> I am using some other language for clients like C# it doesn't seem to
> >>>>>>         
> >>>>>>             
> >>>>> be
> >>>>>       
> >>>>>           
> >>>>>> the proper way!
> >>>>>>         
> >>>>>>             
> >>>>> You can pass the class name which handles security to the server (crazy
> >>>>> thought I think!) using a header element and then parse it using CXF
> >>>>> interceptors.
> >>>>>
> >>>>> Zarar
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> mattmadhavan wrote:
> >>>>>       
> >>>>>           
> >>>>>> Any Help will be appreciated!
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> mattmadhavan wrote:
> >>>>>>         
> >>>>>>             
> >>>>>>> Hello,
> >>>>>>> Can some one point me to some docs on the CXF and ACEGI integration or
> >>>>>>> CXF and security like authentication and authorization. Some sample
> >>>>>>>           
> >>>>>>>               
> >>>>> app
> >>>>>       
> >>>>>           
> >>>>>>> will even be great.
> >>>>>>>
> >>>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On the
> >>>>>>> client side we need to set the which class handles the security on the
> >>>>>>> Server side! But if I am using some other language for clients like C#
> >>>>>>>           
> >>>>>>>               
> >>>>> it
> >>>>>       
> >>>>>           
> >>>>>>> does n't seem to be the proper way!
> >>>>>>>
> >>>>>>> Any ideas will be greatly appreciated.
> >>>>>>>
> >>>>>>> Thanks
> >>>>>>> Matt
> >>>>>>>
> >>>>>>>           
> >>>>>>>               
> >>>>> --
> >>>>> View this message in context:
> >>>>> http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
> >>>>> Sent from the cxf-user mailing list archive at Nabble.com.
> >>>>>
> >>>>>
> >>>>>       
> >>>>>           
> >>>   
> >>>       
> >> -- 
> >> Dan Diephouse
> >> MuleSource
> >> http://mulesource.com | http://netzooid.com/blog
> >>     
> 
> 
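
Added example, not code from this thread or from CXF, WSS4J or Acegi: a JDK-only Java illustration of the two-stage flow in Eric Miles's message above, where one step only extracts the UsernameToken claim and a second step hashes the supplied password and compares it with the stored hash. Class and method names, the PBKDF2 parameters, the CONTEXT thread-local (standing in for the Acegi security context) and the sample header are assumptions constructed for this example; it also shows why a PasswordDigest token cannot be checked against a hashed store.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class TwoStageUsernameTokenAuth {
    static final String WSSE =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
    static final String PASSWORD_TEXT =
        "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText";

    /** What stage 1 hands to stage 2: an unverified identity claim. */
    record Claim(String username, char[] password) {}

    /** Constructed user record: salt and password hash, as a DB row would hold them. */
    record StoredUser(byte[] salt, byte[] hash, String role) {}

    /** Hypothetical stand-in for the per-thread security context. */
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    /** Stage 1: pull the claim out of the header without comparing any password. */
    static Claim extractClaim(String soapHeaderXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Refuse DOCTYPE declarations so the header cannot carry entity tricks.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new InputSource(new StringReader(soapHeaderXml)));
        NodeList tokens = doc.getElementsByTagNameNS(WSSE, "UsernameToken");
        if (tokens.getLength() != 1) {
            throw new SecurityException("expected exactly one UsernameToken");
        }
        Element ut = (Element) tokens.item(0);
        String user = child(ut, "Username").getTextContent();
        Element pw = child(ut, "Password");
        // An absent Type means PasswordText. A PasswordDigest value is
        // Base64(SHA-1(nonce + created + password)); checking it needs the
        // cleartext password, which a store of hashes does not have.
        String type = pw.getAttribute("Type");
        if (!type.isEmpty() && !PASSWORD_TEXT.equals(type)) {
            throw new SecurityException("only PasswordText can be checked against a hashed store");
        }
        String password = pw.getTextContent();
        if (user.isEmpty() || password.isEmpty()) {
            throw new SecurityException("empty username or password");
        }
        return new Claim(user, password.toCharArray());
    }

    static Element child(Element parent, String localName) {
        NodeList n = parent.getElementsByTagNameNS(WSSE, localName);
        if (n.getLength() != 1) {
            throw new SecurityException("missing or repeated " + localName);
        }
        return (Element) n.item(0);
    }

    /** Assumed password encoder: salted PBKDF2 (the thread does not name the hash used). */
    static byte[] pbkdf2(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
            .generateSecret(spec).getEncoded();
    }

    /** Stage 2: hash the claimed password, compare with the stored hash, set the context. */
    static boolean authenticate(Claim claim, Map<String, StoredUser> users) throws Exception {
        StoredUser u = users.get(claim.username());
        // Hash even for unknown users so timing does not reveal which names exist.
        byte[] salt = (u != null) ? u.salt() : new byte[16];
        byte[] candidate = pbkdf2(claim.password(), salt);
        boolean ok = u != null && MessageDigest.isEqual(candidate, u.hash());
        Arrays.fill(claim.password(), '\0'); // do not keep the cleartext around
        if (ok) {
            CONTEXT.set(claim.username() + ":" + u.role());
        } else {
            CONTEXT.remove();
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8);
        Map<String, StoredUser> users = Map.of("alice",
            new StoredUser(salt, pbkdf2("s3cret".toCharArray(), salt), "ROLE_USER"));
        // Constructed sample header, not captured traffic.
        String header = "<wsse:Security xmlns:wsse=\"" + WSSE + "\"><wsse:UsernameToken>"
            + "<wsse:Username>alice</wsse:Username>"
            + "<wsse:Password Type=\"" + PASSWORD_TEXT + "\">s3cret</wsse:Password>"
            + "</wsse:UsernameToken></wsse:Security>";
        System.out.println("good password: " + authenticate(extractClaim(header), users));
        String wrong = header.replace(">s3cret<", ">guess<");
        System.out.println("wrong password: " + authenticate(extractClaim(wrong), users));
        try {
            extractClaim(header.replace("#PasswordText", "#PasswordDigest"));
        } catch (SecurityException e) {
            System.out.println("digest token rejected: " + e.getMessage());
        }
    }
}
```

Because stage 2 needs the cleartext password from the header, the transport carrying a PasswordText token has to be encrypted (for example TLS).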

Re: CXF+ACEGI + Anybody out there?

Posted by Dan Diephouse <da...@mulesource.com>.
I guess I'm interested in seeing any code that could be shared between 
users come into CXF. Specifically, if I remember correctly from the 
solutions that I've seen, the WS-Security integration in particular 
takes an extra bit of coding.  Would be very happy to include your 
contributions.
Cheers,
- Dan

Eric Miles wrote:
> Dan,
>
> What sort of solution are you looking for?  We are using an
> Acegi/Spring/CXF implementation at our company where we are using
> WS-Security and Acegi for authentication and AOP/Acegi for
> authorization.  We could be interested in contributing.
>
> Thanks,
> Eric
>
>
> On Tue, 2007-09-18 at 00:15 +0200, Dan Diephouse wrote:
>   
>> And I want somebody to contribute a cleaner solution :-D
>>
>> I know there is a lot of stuff we could do with Spring Security/Acegi
>> that would be super cool. It'd be a real low barrier way to contribute
>> some stuff if anyone is interested.
>>
>> Cheers,
>> - Dan
>>
>> mattmadhavan wrote: 
>>     
>>> Hi Ray,
>>> No I do not want the client side to tell the server! Thats my point. Some
>>> good blogs I have seen, do that! Where the client 'tells' which handler to
>>> use!
>>>
>>> I want a cleaner ACEGI+ XFIRE solution!
>>>
>>> Thanks
>>> Matt
>>>
>>>
>>>
>>> Ray Krueger wrote:
>>>   
>>>       
>>>> You want the client to tell the server how to do security? That sounds
>>>> crazy :)
>>>>
>>>> Your client side should either be doing http based security or
>>>> ws-security. That doesn't have anything to do with Acegi at that
>>>> point.
>>>>
>>>> On 9/14/07, Zarar Siddiqi <za...@gmail.com> wrote:
>>>>     
>>>>         
>>>>> I'm trying to understand what you're saying but am having difficulty. But
>>>>> here goes:
>>>>>
>>>>>       
>>>>>           
>>>>>> Can some one point me to some docs on the CXF and ACEGI integration
>>>>>> or CXF and security like authentication and authorization.
>>>>>>         
>>>>>>             
>>>>> I use Acegi for authorization purposes only. IMHO it doesn't really make
>>>>> sense for authentication (WS-Security can do that).  So I use the
>>>>> MethodSecurityInterceptor and BeanNameAutoProxyCreator to manage calls to
>>>>> my
>>>>> service level methods.  The Acegi docs can help you there, the only
>>>>> difference I think is that you have to set the authentication token
>>>>> yourself, e.g.:
>>>>>
>>>>> UsernamePasswordAuthenticationToken token = new
>>>>> UsernamePasswordAuthenticationToken(
>>>>>    user.getUsername(), user.getPassword(), user.getAuthorities());
>>>>> // Populate Acegi Security Context
>>>>> SecurityContextHolder.getContext().setAuthentication(token);
>>>>>
>>>>>       
>>>>>           
>>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On the
>>>>>>         
>>>>>>             
>>>>> client
>>>>>       
>>>>>           
>>>>>> side
>>>>>> we need to set the which class handles the security on the Server side!
>>>>>> But if
>>>>>> I am using some other language for clients like C# it doesn't seem to
>>>>>>         
>>>>>>             
>>>>> be
>>>>>       
>>>>>           
>>>>>> the proper way!
>>>>>>         
>>>>>>             
>>>>> You can pass the class name which handles security to the server (crazy
>>>>> thought I think!) using a header element and then parse it using CXF
>>>>> interceptors.
>>>>>
>>>>> Zarar
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> mattmadhavan wrote:
>>>>>       
>>>>>           
>>>>>> Any Help will be appreciated!
>>>>>>
>>>>>>
>>>>>>
>>>>>> mattmadhavan wrote:
>>>>>>         
>>>>>>             
>>>>>>> Hello,
>>>>>>> Can some one point me to some docs on the CXF and ACEGI integration or
>>>>>>> CXF and security like authentication and authorization. Some sample
>>>>>>>           
>>>>>>>               
>>>>> app
>>>>>       
>>>>>           
>>>>>>> will even be great.
>>>>>>>
>>>>>>> I found some blogs on the CXF+ACEGI, but it is Java centric. On the
>>>>>>> client side we need to set the which class handles the security on the
>>>>>>> Server side! But if I am using some other language for clients like C#
>>>>>>>           
>>>>>>>               
>>>>> it
>>>>>       
>>>>>           
>>>>>>> does n't seem to be the proper way!
>>>>>>>
>>>>>>> Any ideas will be greatly appreciated.
>>>>>>>
>>>>>>> Thanks
>>>>>>> Matt
>>>>>>>
>>>>>>>           
>>>>>>>               
>>>>> --
>>>>> View this message in context:
>>>>> http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
>>>>> Sent from the cxf-user mailing list archive at Nabble.com.
>>>>>
>>>>>
>>>>>       
>>>>>           
>>>   
>>>       
>> -- 
>> Dan Diephouse
>> MuleSource
>> http://mulesource.com | http://netzooid.com/blog
>>     


-- 
Dan Diephouse
MuleSource
http://mulesource.com | http://netzooid.com/blog


Re: CXF+ACEGI + Anybody out there?

Posted by Eric Miles <er...@kronos.com>.
Dan,

What sort of solution are you looking for?  We are using an
Acegi/Spring/CXF implementation at our company where we are using
WS-Security and Acegi for authentication and AOP/Acegi for
authorization.  We could be interested in contributing.

Thanks,
Eric


On Tue, 2007-09-18 at 00:15 +0200, Dan Diephouse wrote:
> And I want somebody to contribute a cleaner solution :-D
> 
> I know there is a lot of stuff we could do with Spring Security/Acegi
> that would be super cool. It'd be a real low barrier way to contribute
> some stuff if anyone is interested.
> 
> Cheers,
> - Dan
> 
> mattmadhavan wrote: 
> > Hi Ray,
> > No I do not want the client side to tell the server! Thats my point. Some
> > good blogs I have seen, do that! Where the client 'tells' which handler to
> > use!
> > 
> > I want a cleaner ACEGI+ XFIRE solution!
> > 
> > Thanks
> > Matt
> > 
> > 
> > 
> > Ray Krueger wrote:
> >   
> > > You want the client to tell the server how to do security? That sounds
> > > crazy :)
> > > 
> > > Your client side should either be doing http based security or
> > > ws-security. That doesn't have anything to do with Acegi at that
> > > point.
> > > 
> > > On 9/14/07, Zarar Siddiqi <za...@gmail.com> wrote:
> > >     
> > > > I'm trying to understand what you're saying but am having difficulty. But
> > > > here goes:
> > > > 
> > > >       
> > > > > Can some one point me to some docs on the CXF and ACEGI integration
> > > > > or CXF and security like authentication and authorization.
> > > > >         
> > > > I use Acegi for authorization purposes only. IMHO it doesn't really make
> > > > sense for authentication (WS-Security can do that).  So I use the
> > > > MethodSecurityInterceptor and BeanNameAutoProxyCreator to manage calls to
> > > > my
> > > > service level methods.  The Acegi docs can help you there, the only
> > > > difference I think is that you have to set the authentication token
> > > > yourself, e.g.:
> > > > 
> > > > UsernamePasswordAuthenticationToken token = new
> > > > UsernamePasswordAuthenticationToken(
> > > >    user.getUsername(), user.getPassword(), user.getAuthorities());
> > > > // Populate Acegi Security Context
> > > > SecurityContextHolder.getContext().setAuthentication(token);
> > > > 
> > > >       
> > > > > I found some blogs on the CXF+ACEGI, but it is Java centric. On the
> > > > >         
> > > > client
> > > >       
> > > > > side
> > > > > we need to set the which class handles the security on the Server side!
> > > > > But if
> > > > > I am using some other language for clients like C# it doesn't seem to
> > > > >         
> > > > be
> > > >       
> > > > > the proper way!
> > > > >         
> > > > You can pass the class name which handles security to the server (crazy
> > > > thought I think!) using a header element and then parse it using CXF
> > > > interceptors.
> > > > 
> > > > Zarar
> > > > 
> > > > 
> > > > 
> > > > 
> > > > mattmadhavan wrote:
> > > >       
> > > > > Any Help will be appreciated!
> > > > > 
> > > > > 
> > > > > 
> > > > > mattmadhavan wrote:
> > > > >         
> > > > > > Hello,
> > > > > > Can some one point me to some docs on the CXF and ACEGI integration or
> > > > > > CXF and security like authentication and authorization. Some sample
> > > > > >           
> > > > app
> > > >       
> > > > > > will even be great.
> > > > > > 
> > > > > > I found some blogs on the CXF+ACEGI, but it is Java centric. On the
> > > > > > client side we need to set the which class handles the security on the
> > > > > > Server side! But if I am using some other language for clients like C#
> > > > > >           
> > > > it
> > > >       
> > > > > > does n't seem to be the proper way!
> > > > > > 
> > > > > > Any ideas will be greatly appreciated.
> > > > > > 
> > > > > > Thanks
> > > > > > Matt
> > > > > > 
> > > > > >           
> > > > --
> > > > View this message in context:
> > > > http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
> > > > Sent from the cxf-user mailing list archive at Nabble.com.
> > > > 
> > > > 
> > > >       
> > 
> >   
> 
> 
> -- 
> Dan Diephouse
> MuleSource
> http://mulesource.com | http://netzooid.com/blog

Re: CXF+ACEGI + Anybody out there?

Posted by mattmadhavan <ma...@yahoo.com>.
Hi Ray,
No, I do not want the client side to tell the server! That's my point. Some
good blogs I have seen, do that! Where the client 'tells' which handler to
use!

I want a cleaner ACEGI+ XFIRE solution!

Thanks
Matt



Ray Krueger wrote:
> 
> You want the client to tell the server how to do security? That sounds
> crazy :)
> 
> Your client side should either be doing http based security or
> ws-security. That doesn't have anything to do with Acegi at that
> point.
> 
> On 9/14/07, Zarar Siddiqi <za...@gmail.com> wrote:
>>
>> I'm trying to understand what you're saying but am having difficulty. But
>> here goes:
>>
>> > Can some one point me to some docs on the CXF and ACEGI integration
>> > or CXF and security like authentication and authorization.
>>
>> I use Acegi for authorization purposes only. IMHO it doesn't really make
>> sense for authentication (WS-Security can do that).  So I use the
>> MethodSecurityInterceptor and BeanNameAutoProxyCreator to manage calls to
>> my
>> service level methods.  The Acegi docs can help you there, the only
>> difference I think is that you have to set the authentication token
>> yourself, e.g.:
>>
>> UsernamePasswordAuthenticationToken token = new
>> UsernamePasswordAuthenticationToken(
>>    user.getUsername(), user.getPassword(), user.getAuthorities());
>> // Populate Acegi Security Context
>> SecurityContextHolder.getContext().setAuthentication(token);
>>
>> > I found some blogs on the CXF+ACEGI, but it is Java centric. On the
>> client
>> > side
>> > we need to set the which class handles the security on the Server side!
>> > But if
>> > I am using some other language for clients like C# it doesn't seem to
>> be
>> > the proper way!
>>
>> You can pass the class name which handles security to the server (crazy
>> thought I think!) using a header element and then parse it using CXF
>> interceptors.
>>
>> Zarar
>>
>>
>>
>>
>> mattmadhavan wrote:
>> >
>> > Any Help will be appreciated!
>> >
>> >
>> >
>> > mattmadhavan wrote:
>> >>
>> >> Hello,
>> >> Can some one point me to some docs on the CXF and ACEGI integration or
>> >> CXF and security like authentication and authorization. Some sample
>> app
>> >> will even be great.
>> >>
>> >> I found some blogs on the CXF+ACEGI, but it is Java centric. On the
>> >> client side we need to set the which class handles the security on the
>> >> Server side! But if I am using some other language for clients like C#
>> it
>> >> does n't seem to be the proper way!
>> >>
>> >> Any ideas will be greatly appreciated.
>> >>
>> >> Thanks
>> >> Matt
>> >>
>> >
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/CXF%2BACEGI-tf4436973.html#a12677582
>> Sent from the cxf-user mailing list archive at Nabble.com.
>>
>>
> 
> 



Re: CXF+ACEGI + Anybody out there?

Posted by Ray Krueger <ra...@gmail.com>.
You want the client to tell the server how to do security? That sounds crazy :)

Your client side should either be doing http based security or
ws-security. That doesn't have anything to do with Acegi at that
point.

On 9/14/07, Zarar Siddiqi <za...@gmail.com> wrote:
>
> I'm trying to understand what you're saying but am having difficulty. But
> here goes:
>
> > Can some one point me to some docs on the CXF and ACEGI integration
> > or CXF and security like authentication and authorization.
>
> I use Acegi for authorization purposes only. IMHO it doesn't really make
> sense for authentication (WS-Security can do that).  So I use the
> MethodSecurityInterceptor and BeanNameAutoProxyCreator to manage calls to my
> service level methods.  The Acegi docs can help you there, the only
> difference I think is that you have to set the authentication token
> yourself, e.g.:
>
> UsernamePasswordAuthenticationToken token = new
> UsernamePasswordAuthenticationToken(
>    user.getUsername(), user.getPassword(), user.getAuthorities());
> // Populate Acegi Security Context
> SecurityContextHolder.getContext().setAuthentication(token);
>
> > I found some blogs on the CXF+ACEGI, but it is Java centric. On the client
> > side
> > we need to set the which class handles the security on the Server side!
> > But if
> > I am using some other language for clients like C# it doesn't seem to be
> > the proper way!
>
> You can pass the class name which handles security to the server (crazy
> thought I think!) using a header element and then parse it using CXF
> interceptors.
>
> Zarar
>
>
>
>
> mattmadhavan wrote:
> >
> > Any Help will be appreciated!
> >
> >
> >
> > mattmadhavan wrote:
> >>
> >> Hello,
> >> Can some one point me to some docs on the CXF and ACEGI integration or
> >> CXF and security like authentication and authorization. Some sample app
> >> will even be great.
> >>
> >> I found some blogs on the CXF+ACEGI, but it is Java centric. On the
> >> client side we need to set the which class handles the security on the
> >> Server side! But if I am using some other language for clients like C# it
> >> does n't seem to be the proper way!
> >>
> >> Any ideas will be greatly appreciated.
> >>
> >> Thanks
> >> Matt
> >>
> >
> >
>
>
>

Re: CXF+ACEGI + Anybody out there?

Posted by Ray Krueger <ra...@gmail.com>.
Acegi can be used to secure the application on the server side.
WS-Security stuff can be used as well.

Your client side application need only present the credentials to the
server to say who it wants to log in as. That's not an Acegi thing,
it's really not even a Java thing at that point.

If you set up Acegi to use BASIC authentication in front of your
webapp, for example, any client application (Java, C#, doesn't matter)
can authenticate to your application via BASIC authentication. That is
a standard protocol, it is application independent.

Would you mind posting some of the URLs to the articles you're seeing
that seem the most interesting?


On 9/14/07, Glen Mazza <gl...@verizon.net> wrote:
> On Friday, 14.09.2007, 08:16 -0700, Zarar Siddiqi wrote:
> > UsernamePasswordAuthenticationToken token =
> >     new UsernamePasswordAuthenticationToken(
> >         user.getUsername(), user.getPassword(), user.getAuthorities());
> > // Populate Acegi Security Context
> > SecurityContextHolder.getContext().setAuthentication(token);
> >
> > > I found some blogs on the CXF+ACEGI, but it is Java centric. On the client
> > > side
> > > we need to set which class handles the security on the Server side!
> > > But if
> > > I am using some other language for clients like C# it doesn't seem to be
> > > the proper way!
> >
> > You can pass the class name which handles security to the server (crazy
> > thought I think!)
>
> Yes...that does seem strange.  I wonder if passing a role instead of a
> specific class would be better, and have the business logic of what to
> do with that role remain at the server.
>
> Glen
>
> > using a header element and then parse it using CXF
> > interceptors.
> >
> > Zarar
> >
>
>
>
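
Added example, not part of the original thread and not CXF or Acegi code: plain Java showing what the server receives from any BASIC-authenticating client (Java, C#, anything) and that roles are resolved from the server's own store. The class name BasicAuthDemo, the USERS store and its credentials are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Set;

public class BasicAuthDemo {
    // Constructed server-side user store (hypothetical). Plaintext passwords are
    // for illustration only; a real store keeps salted hashes.
    record User(String password, Set<String> roles) {}
    static final Map<String, User> USERS = Map.of(
        "alice", new User("s3cret", Set.of("ROLE_USER", "ROLE_ADMIN")),
        "bob", new User("hunter2", Set.of("ROLE_USER")));

    /** Roles for a valid "Authorization" header value; empty set for anything else. */
    static Set<String> authenticate(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
            return Set.of();
        }
        String decoded;
        try {
            byte[] raw = Base64.getDecoder().decode(header.substring(6).trim());
            decoded = new String(raw, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Set.of(); // payload is not valid Base64
        }
        int colon = decoded.indexOf(':'); // split on the first ':'; passwords may contain ':'
        if (colon < 0) return Set.of();
        User user = USERS.get(decoded.substring(0, colon));
        byte[] supplied = decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8);
        byte[] expected = (user == null ? "" : user.password()).getBytes(StandardCharsets.UTF_8);
        // Compare without an early exit on the first differing byte.
        boolean ok = MessageDigest.isEqual(supplied, expected) && user != null;
        // Roles come from the server's own store, never from anything the client sent.
        return ok ? user.roles() : Set.of();
    }

    static String basic(String user, String password) { // what any client sends
        byte[] pair = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    public static void main(String[] args) {
        System.out.println("bob, right password: " + authenticate(basic("bob", "hunter2")));
        System.out.println("bob, wrong password: " + authenticate(basic("bob", "nope")));
        System.out.println("unknown user:        " + authenticate(basic("eve", "")));
        System.out.println("malformed header:    " + authenticate("Basic !!!"));
    }
}
```

BASIC credentials are only Base64-encoded, not encrypted, so the header needs TLS underneath it.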

Re: CXF+ACEGI + Anybody out there?

Posted by Glen Mazza <gl...@verizon.net>.
On Friday, 14.09.2007, 08:16 -0700, Zarar Siddiqi wrote:
> UsernamePasswordAuthenticationToken token =
>     new UsernamePasswordAuthenticationToken(
>         user.getUsername(), user.getPassword(), user.getAuthorities());
> // Populate Acegi Security Context
> SecurityContextHolder.getContext().setAuthentication(token);
> 
> > I found some blogs on the CXF+ACEGI, but it is Java centric. On the client
> > side 
> > we need to set which class handles the security on the Server side!
> > But if 
> > I am using some other language for clients like C# it doesn't seem to be
> > the proper way!
> 
> You can pass the class name which handles security to the server (crazy
> thought I think!) 

Yes...that does seem strange.  I wonder if passing a role instead of a
specific class would be better, and have the business logic of what to
do with that role remain at the server.

Glen

> using a header element and then parse it using CXF
> interceptors.  
> 
> Zarar
> 



Re: CXF+ACEGI + Anybody out there?

Posted by Zarar Siddiqi <za...@gmail.com>.
I'm trying to understand what you're saying but am having difficulty. But
here goes:

> Can someone point me to some docs on the CXF and ACEGI integration
> or CXF and security like authentication and authorization. 

I use Acegi for authorization purposes only. IMHO it doesn't really make
sense for authentication (WS-Security can do that).  So I use the
MethodSecurityInterceptor and BeanNameAutoProxyCreator to manage calls to my
service level methods.  The Acegi docs can help you there, the only
difference I think is that you have to set the authentication token
yourself, e.g.: 

UsernamePasswordAuthenticationToken token =
    new UsernamePasswordAuthenticationToken(
        user.getUsername(), user.getPassword(), user.getAuthorities());
// Populate Acegi Security Context
SecurityContextHolder.getContext().setAuthentication(token);

> I found some blogs on the CXF+ACEGI, but it is Java centric. On the client
> side 
> we need to set which class handles the security on the Server side!
> But if 
> I am using some other language for clients like C# it doesn't seem to be
> the proper way!

You can pass the class name which handles security to the server (crazy
thought I think!) using a header element and then parse it using CXF
interceptors.  

Zarar




mattmadhavan wrote:
> 
> Any Help will be appreciated!
> 
> 
> 
> mattmadhavan wrote:
>> 
>> Hello,
>> Can someone point me to some docs on the CXF and ACEGI integration or
>> CXF and security like authentication and authorization. Some sample app
>> will even be great.
>>
>> I found some blogs on the CXF+ACEGI, but it is Java centric. On the
>> client side we need to set which class handles the security on the
>> Server side! But if I am using some other language for clients like C# it
>> doesn't seem to be the proper way!
>> 
>> Any ideas will be greatly appreciated.
>> 
>> Thanks
>> Matt
>> 
> 
> 



Re: CXF+ACEGI + Anybody out there?

Posted by mattmadhavan <ma...@yahoo.com>.
Any Help will be appreciated!



mattmadhavan wrote:
> 
> Hello,
> Can someone point me to some docs on the CXF and ACEGI integration or CXF
> and security like authentication and authorization. Some sample app will
> even be great.
>
> I found some blogs on the CXF+ACEGI, but it is Java centric. On the client
> side we need to set which class handles the security on the Server
> side! But if I am using some other language for clients like C# it
> doesn't seem to be the proper way!
> 
> Any ideas will be greatly appreciated.
> 
> Thanks
> Matt
> 
