Posted to users@cxf.apache.org by Juan Pedro Silva Gallino <ps...@dit.upm.es> on 2010/12/17 15:40:10 UTC

Hints on wiring CXF WSS4J X509 validation with Spring Security (former Acegi).

Hi everybody. As always, let me first congratulate you on what a good 
piece of software CXF is.
Now, on the subject that brings me here, I was able to secure my web 
services in quite a straightforward way with the available documentation.
I'm using a org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor for 
validating timestamps, signatures, and encryption. Now I'm trying to use 
Spring Security (former Acegi) for authorization.

This is not a new topic, I've found quite a few threads of posts on the 
subject, most remarkably 
http://www.mail-archive.com/users@cxf.apache.org/msg09944.html (I guess 
http://code.google.com/p/cxf-spring-security/wiki/Documentation derives 
from it), but most deal with UsernameToken authentication as opposed to 
authentication based on X509 certificates. My first guess was to try to 
re-implement the same behavior for X509 tokens.
So, I started from the code of the password callback handler in 
http://nikofactory.blogspot.com/2009/10/receta-cxf-wss4j-y-spring-security.html 
:

import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;
import org.springframework.beans.factory.annotation.Autowired;
// Spring Security 3.0.x package names assumed; 2.0.x uses
// org.springframework.security.providers.* and org.springframework.security.userdetails.*
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;

/**
 * WSS4J password callback that delegates UsernameToken authentication to
 * Spring Security and publishes the result in the SecurityContextHolder.
 */
public class SecurityInPasswordHandler implements CallbackHandler {
     @Autowired
     private AuthenticationManager authenticationManager;
     @Autowired
     private UserDetailsService userService;

     public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException, AuthenticationException {

         WSPasswordCallback pwdCallback = (WSPasswordCallback) callbacks[0];

         int usage = pwdCallback.getUsage();
         if ((usage == WSPasswordCallback.USERNAME_TOKEN) || (usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN)) {
             // USERNAME_TOKEN_UNKNOWN: plaintext password is in the token, so WSS4J hands it to us.
             String password = pwdCallback.getPassword();
             if (usage == WSPasswordCallback.USERNAME_TOKEN) {
                 // Digest password: WSS4J needs the stored password to recompute the digest.
                 UserDetails userDetails = userService.loadUserByUsername(pwdCallback.getIdentifier());
                 password = userDetails.getPassword();
             }
             Authentication authentication = new UsernamePasswordAuthenticationToken(pwdCallback.getIdentifier(), password);
             authentication = authenticationManager.authenticate(authentication); // throws AuthenticationException
             SecurityContextHolder.getContext().setAuthentication(authentication);
             // Return the password to the caller so WSS4J can finish verifying the token
             pwdCallback.setPassword(password);
         }
     }
}

and figured I would try creating an X509AuthenticationToken instead of a 
UN token.
However, to create one I need an X509Certificate, and I don't know 
where to get one from.

So, my questions would be two:
A) First of all, is this the correct approach, or am I missing the big 
picture here?
B) If this is the correct way to go, where can I get an X509Certificate 
from to create the X509AuthenticationToken?

Any examples/hints/tips on how to create this wiring would be very much 
appreciated!
Regards,
                 Juan Pedro
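The following is an added example, not code from the original post or from the CXF project, showing one way to answer question B: after WSS4JInInterceptor has verified the signature, the certificate it verified with is available on the CXF Message under WSHandlerConstants.RECV_RESULTS, so a second interceptor can read it from there and hand it to Spring Security. It assumes CXF 2.x with the map-based WSSecurityEngineResult (WSS4J 1.5.6+ or 1.6), Spring Security 3.0 package names (so PreAuthenticatedAuthenticationToken rather than the 2.0-era X509AuthenticationToken), and a hypothetical class name; the AuthenticationManager is assumed to contain a PreAuthenticatedAuthenticationProvider backed by your UserDetailsService.

```java
import java.security.cert.X509Certificate;
import java.util.List;

import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;

/**
 * Added example (hypothetical class). Runs in PRE_INVOKE, i.e. after
 * WSS4JInInterceptor (PRE_PROTOCOL) has verified the signature, and turns the
 * certificate WSS4J verified the signature with into a Spring Security
 * Authentication. Assumes Spring Security 3.0 and WSS4J 1.5.6+/1.6.
 */
public class X509SpringSecurityInInterceptor extends AbstractPhaseInterceptor<Message> {

    private final AuthenticationManager authenticationManager;
    // Pulls the CN out of the subject DN by default; the pattern is configurable.
    private final SubjectDnX509PrincipalExtractor principalExtractor =
        new SubjectDnX509PrincipalExtractor();

    public X509SpringSecurityInInterceptor(AuthenticationManager authenticationManager) {
        super(Phase.PRE_INVOKE);
        this.authenticationManager = authenticationManager;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        X509Certificate cert = findSigningCertificate(message);
        if (cert == null) {
            // No verified signature: fail closed instead of invoking the service unauthenticated.
            throw new Fault(new SecurityException("request carries no verified X.509 signature"));
        }
        Object principal = principalExtractor.extractPrincipal(cert);
        Authentication request = new PreAuthenticatedAuthenticationToken(principal, cert);
        try {
            Authentication result = authenticationManager.authenticate(request);
            SecurityContextHolder.getContext().setAuthentication(result);
        } catch (AuthenticationException e) {
            throw new Fault(e);
        }
    }

    /**
     * Returns the certificate of the first SIGN action WSS4J recorded, or null.
     * Only a SIGN result proves the sender holds the private key; a
     * BinarySecurityToken that is merely present in the header (action BST)
     * does not, so it is deliberately ignored here.
     */
    static X509Certificate findSigningCertificate(Message message) {
        List<WSHandlerResult> handlerResults =
            CastUtils.cast((List<?>) message.get(WSHandlerConstants.RECV_RESULTS));
        if (handlerResults == null) {
            return null;
        }
        for (WSHandlerResult hr : handlerResults) {
            for (Object o : hr.getResults()) { // Vector in WSS4J 1.5, List in 1.6
                WSSecurityEngineResult r = (WSSecurityEngineResult) o;
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                if (action != null && action == WSConstants.SIGN) {
                    return (X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                }
            }
        }
        return null;
    }
}
```

Two points worth keeping in mind with this wiring. First, the trust decision still belongs to WSS4J: it only reports a SIGN result after checking the signature against the certificate and validating that certificate against the truststore configured in the signaturePropFile, so the interceptor above does not re-verify the chain, it only maps an already-trusted identity to a Spring Security principal and its roles. Second, SecurityContextHolder is thread-local, so clear it (for instance in an out interceptor or a fault interceptor) once the invocation finishes, or the next request served by that thread could inherit the previous caller's Authentication.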