Posted to users@cxf.apache.org by Juan Pedro Silva Gallino <ps...@dit.upm.es> on 2010/12/17 15:40:10 UTC
Hints on wiring CXF WSS4J X509 validation with Spring Security (former Acegi).
Hi everybody. As always, let me first congratulate you on what a good
piece of software CXF is.
Now, on the subject that brings me here, I was able to secure my web
services in quite a straightforward way with the available documentation.
I'm using a org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor for
validating timestamps, signatures, and encryption. Now I'm trying to use
Spring Security (former Acegi) for authorization.
This is not a new topic, I've found quite a few threads of posts on the
subject, most remarkably
http://www.mail-archive.com/users@cxf.apache.org/msg09944.html (I guess
http://code.google.com/p/cxf-spring-security/wiki/Documentation derives
from it), but most deal with UsernameToken authentication as opposed to
authentication based on X509 certificates. My first guess was to try to
re-implement the same behavior for X509 tokens.
So, I parted from the code of the password callback handler in
http://nikofactory.blogspot.com/2009/10/receta-cxf-wss4j-y-spring-security.html:
    // Imports shown with Spring Security 3.x package names; 2.x (Acegi-era) packages differ.
    import java.io.IOException;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.CallbackHandler;
    import javax.security.auth.callback.UnsupportedCallbackException;
    import org.apache.ws.security.WSPasswordCallback;
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.security.authentication.AuthenticationManager;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.context.SecurityContextHolder;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.security.core.userdetails.UserDetailsService;

    public class SecurityInPasswordHandler implements CallbackHandler {
        @Autowired
        private AuthenticationManager authenticationManager;
        @Autowired
        private UserDetailsService userService;

        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException, AuthenticationException {
            WSPasswordCallback pwdCallback = (WSPasswordCallback) callbacks[0];
            int usage = pwdCallback.getUsage();
            if (usage == WSPasswordCallback.USERNAME_TOKEN
                    || usage == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                String password = pwdCallback.getPassword();
                if (usage == WSPasswordCallback.USERNAME_TOKEN) {
                    // Digest token: WSS4J needs the stored password to verify the digest
                    UserDetails userDetails = userService.loadUserByUsername(pwdCallback.getIdentifier());
                    password = userDetails.getPassword();
                }
                Authentication authentication =
                        new UsernamePasswordAuthenticationToken(pwdCallback.getIdentifier(), password);
                authentication = authenticationManager.authenticate(authentication); // throws AuthenticationException
                SecurityContextHolder.getContext().setAuthentication(authentication);
                // Return the password to the caller
                pwdCallback.setPassword(password);
            }
        }
    }
and figured I would try creating a X509AuthenticationToken instead of a
UN token.
However, to create one I need an X509Certificate, and I don't know
where to get one from.
So, my questions would be two:
A) First of all, is this the correct approach, or am I missing the big
picture here?
B) If this is the correct way to go, where can I get an X509Certificate
from to create the X509AuthenticationToken?
Any examples/hints/tips on how to create this wiring would be very much
appreciated!!
Regards,
Juan Pedro
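An added example (not from the original post, nor from the CXF or Spring Security projects) of the X509 counterpart to the callback handler above: instead of a password callback, a CXF interceptor placed after WSS4JInInterceptor reads the WSHandlerResult that WSS4J stores in the message under WSHandlerConstants.RECV_RESULTS, takes the certificate from the verified SIGN result, and hands it to Spring Security. It assumes Spring Security 3.x, where PreAuthenticatedAuthenticationToken replaces the older X509AuthenticationToken, and an AuthenticationManager wired with a PreAuthenticatedAuthenticationProvider; the class and method names are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical interceptor: runs after WSS4JInInterceptor has verified the signature against
// the truststore, then gives Spring Security the signer's certificate as a pre-authenticated principal.
public class X509ToSpringSecurityInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    private final AuthenticationManager authenticationManager;

    public X509ToSpringSecurityInterceptor(AuthenticationManager authenticationManager) {
        super(Phase.PRE_INVOKE);
        addAfter(WSS4JInInterceptor.class.getName());
        this.authenticationManager = authenticationManager;
    }

    public void handleMessage(SoapMessage message) throws Fault {
        X509Certificate signer = findSigningCertificate(message);
        if (signer == null) { throw new Fault(new SecurityException("no verified X509 signature in request")); }
        // AuthenticationException is unchecked; CXF turns it into a fault if the provider rejects the cert
        Authentication auth = authenticationManager.authenticate(
                new PreAuthenticatedAuthenticationToken(signer.getSubjectX500Principal().getName(), signer));
        SecurityContextHolder.getContext().setAuthentication(auth);
    }

    // Only trust a certificate that WSS4J bound to a successfully verified SIGN action; a
    // BinarySecurityToken that merely appears in the header proves nothing about the sender.
    static X509Certificate findSigningCertificate(SoapMessage message) {
        List<WSHandlerResult> results = (List<WSHandlerResult>) message.get(WSHandlerConstants.RECV_RESULTS);
        if (results == null) return null;
        for (WSHandlerResult hr : results) {
            for (WSSecurityEngineResult r : (List<WSSecurityEngineResult>) hr.getResults()) {
                Integer action = (Integer) r.get(WSSecurityEngineResult.TAG_ACTION);
                if (action != null && (action & WSConstants.SIGN) != 0) {
                    return (X509Certificate) r.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                }
            }
        }
        return null;
    }
}
```

The interceptor is registered on the endpoint's inInterceptors list next to the WSS4JInInterceptor; the mapping from certificate subject to roles then lives in the UserDetailsService behind the PreAuthenticatedAuthenticationProvider, not in the interceptor.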