Posted to users@cxf.apache.org by Kynan Fraser <ky...@customware.net> on 2009/07/02 10:44:28 UTC
Re: Security in Jaxws/Jaxrs
Hi Sergey,
As a follow-up to this, I'm trying to implement a basic HTTP filter using a
request handler. Is there a way to obtain the HTTP auth info? I can't find
it on any of the contexts or the message.
Is there an example of a basic auth client and a request handler or custom
invoker handling the authentication?
Thanks,
Kynan
Sergey Beryozkin wrote:
>
> Hi Vishal
>
> I'm very sorry for the late reply - I was planning to reply much earlier but
> then I got swamped with some work and forgot.
>
> There are a number of options, depending on your preferences.
>
> 1. Do it in the application code, in the resource class. This may or
> may not be the best option. Typically this is something users prefer to do
> outside of the application code. But then you may want to look at the
> resource class which checks the injected SecurityContexts as the facade, or
> really as an interceptor, which delegates to the actual application class;
> that may make this option more viable.
>
> So in this case you have to have
> @Resource WebServiceContext jaxwsContext;
> @Context SecurityContext jaxrsSecurityContext;
>
> declared in your code. Next, you need to figure out whether it's a JAXWS
> or JAXRS invocation in progress, so you can do it like this
> // not sure at the moment how exactly to get security context from jaxws
> one
> if (jaxwsContext.getSecurityContext() == null) {
> checkPrincipal(jaxrsSecurityContext.getPrincipal());
> } else {
> checkPrincipal(jaxwsContext.getSecurityContext().getPrincipal());
> }
>
> 2. Use Spring Security - we have some simple tests showing how
> authentication and authorization can be done.
>
> 3. For JAXRS: use a CXF JAX-RS RequestFilter or a custom invoker (which
> simply extends JAXRSInvoker and is registered as an invoker property),
> where you can get all the info you need (method name, Principal, etc.).
> For JAXWS: do a custom CXF in Interceptor which will throw a Fault if
> needed.
>
> Perhaps there are more options... Please let me know if you need more info
> on any of these options.
>
> Cheers, Sergey
>
>
>
>
>
> Vishal.a wrote:
>>
>> Hello All,
>>
>> I have services written that have both JaxRs and Jaxws. I have to
>> implement security on the services now. There are 2 things I need to do:
>>
>> 1. Authentication - using Basic HTTP Authentication
>> 2. Authorization - secure each and every method.
>>
>> I have seen posts that show me how to do it for either JaxRS or Jaxws; can
>> someone tell me what would be the best way to approach doing it
>> for both REST and SOAP.
>>
>> Any help is appreciated.
>>
>> Thanks,
>> Vishal
>>
>
>
--
View this message in context: http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24303305.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: Security in Jaxws/Jaxrs
Posted by Sergey Beryozkin <sb...@progress.com>.
Hi Kynan
>
> Hi Sergey,
>
> Yes thanks. As I thought, I'd already written the filter to use the
> HttpHeaders directly but was wondering if there was another preferred/better
> way.
I've looked at the AbstractHttpDestination class; an inbound message should have
AuthorizationPolicy.class available when basic authentication is used:
message.get(AuthorizationPolicy.class)
It should make it simpler to get to the user name/password if needed.
>
> For note: there's a bug in HttpHeadersImpl which cannot handle a header
> which is a non-empty collection populated with a single null item - in
> HttpHeadersImpl:
thanks for reporting it, fixed now on the trunk
cheers, Sergey
>
> private List<String> getListValues(String headerName) {
> List<String> values = headers.get(headerName);
> if (values == null || values.isEmpty()) {
> return Collections.emptyList();
> }
> if (HttpUtils.isDateRelatedHeader(headerName)) {
> return values;
> }
> String[] ls = values.get(0).split(",");
> if (ls.length == 1) {
> return Collections.singletonList(ls[0].trim());
> } else {
> List<String> newValues = new ArrayList<String>();
> for (String v : ls) {
> newValues.add(v.trim());
> }
> return newValues;
> }
> }
>
> Should be :
>
> private List<String> getListValues(String headerName) {
> List<String> values = headers.get(headerName);
> // add check here if first value in collection is null
> if (values == null || values.isEmpty() || values.get(0) == null) {
> return Collections.emptyList();
> }
> if (HttpUtils.isDateRelatedHeader(headerName)) {
> return values;
> }
>
> String[] ls = values.get(0).split(",");
> if (ls.length == 1) {
> return Collections.singletonList(ls[0].trim());
> } else {
> List<String> newValues = new ArrayList<String>();
> for (String v : ls) {
> newValues.add(v.trim());
> }
> return newValues;
> }
> }
>
>
> Otherwise the values.get(0).split will throw NPE.
>
> Regards,
> Kynan
>
> --
> View this message in context: http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24315708.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
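Putting Sergey's AuthorizationPolicy pointer together with the HttpHeaders route from his earlier reply, here is an added example (my code, not code from the thread or from CXF itself) of a JAX-RS RequestHandler and a JAX-WS in-interceptor that share one Basic-authentication check. It reads the AuthorizationPolicy the HTTP transport attaches, falls back to parsing the Authorization header null-safely (the situation behind Kynan's NPE report), answers 401 with a WWW-Authenticate challenge on failure, and stores a CXF SecurityContext on the message for later authorization. The user store, the realm name, the single "user" role, Phase.PRE_INVOKE for the interceptor, and the Fault status code being used as the HTTP status are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.jaxrs.ext.RequestHandler;
import org.apache.cxf.jaxrs.impl.HttpHeadersImpl;
import org.apache.cxf.jaxrs.model.ClassResourceInfo;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/** Credential check shared by the JAX-RS handler and the JAX-WS interceptor below. */
final class BasicAuth {
    // Constructed sample store for this example only; a real service looks users up in a directory and keeps hashes.
    private static final Map<String, String> USERS = new HashMap<String, String>();
    static { USERS.put("alice", "s3cret"); }
    static final String REALM = "cxf-example"; // assumed realm name

    /** Returns the user name when the request carries valid Basic credentials, otherwise null. */
    static String authenticate(Message m) {
        String user, password;
        // Primary source: the HTTP transport attaches an AuthorizationPolicy when it sees Basic credentials.
        AuthorizationPolicy policy = m.get(AuthorizationPolicy.class);
        if (policy != null && "Basic".equalsIgnoreCase(policy.getAuthorizationType())) {
            user = policy.getUserName();
            password = policy.getPassword();
        } else {
            // Fallback: parse the raw header; every step is null-safe, so an empty header is rejected, not an NPE.
            List<String> values = new HttpHeadersImpl(m).getRequestHeader(HttpHeaders.AUTHORIZATION);
            String header = (values == null || values.isEmpty()) ? null : values.get(0);
            if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) {
                return null;
            }
            String decoded;
            try {
                decoded = new String(Base64Utility.decode(header.substring(6).trim()), StandardCharsets.UTF_8);
            } catch (Base64Exception e) {
                return null; // malformed base64 is an authentication failure, not a server error
            }
            int colon = decoded.indexOf(':');
            if (colon < 0) {
                return null;
            }
            user = decoded.substring(0, colon);
            password = decoded.substring(colon + 1);
        }
        String expected = user == null ? null : USERS.get(user);
        if (expected == null || password == null) {
            return null;
        }
        // Constant-time comparison: a wrong password must not reveal how many leading bytes matched.
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     password.getBytes(StandardCharsets.UTF_8)) ? user : null;
    }

    /** Records the authenticated user on the message so invokers and resources can read it later. */
    static void setSecurityContext(Message m, final String user) {
        m.put(SecurityContext.class, new SecurityContext() {
            public Principal getUserPrincipal() {
                return new Principal() { public String getName() { return user; } };
            }
            public boolean isUserInRole(String role) { return "user".equals(role); } // assumed single role
        });
    }
}

/** JAX-RS side: a RequestHandler that answers 401 unless the request carries valid Basic credentials. */
public class BasicAuthRequestHandler implements RequestHandler {
    public Response handleRequest(Message m, ClassResourceInfo resourceClass) {
        String user = BasicAuth.authenticate(m);
        if (user == null) {
            return Response.status(401)
                .header("WWW-Authenticate", "Basic realm=\"" + BasicAuth.REALM + "\"").build();
        }
        BasicAuth.setSecurityContext(m, user);
        return null; // null tells CXF to carry on with the invocation
    }
}

/** JAX-WS side: the same check as an in-interceptor; the Fault's status code is used as the HTTP status. */
class BasicAuthInInterceptor extends AbstractPhaseInterceptor<Message> {
    public BasicAuthInInterceptor() { super(Phase.PRE_INVOKE); }
    public void handleMessage(Message m) throws Fault {
        String user = BasicAuth.authenticate(m);
        if (user == null) {
            Fault f = new Fault(new SecurityException("Basic authentication required"));
            f.setStatusCode(401);
            throw f;
        }
        BasicAuth.setSecurityContext(m, user);
    }
}
```

The handler goes into the JAX-RS endpoint's providers list and the interceptor into the JAX-WS endpoint's in-interceptors; both read only what the transport already put on the Message, so the one BasicAuth class serves REST and SOAP. Basic credentials are plaintext once base64 is removed, so either endpoint must sit behind TLS.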
Re: Security in Jaxws/Jaxrs
Posted by Kynan Fraser <ky...@customware.net>.
Hi Sergey,
Yes thanks. As I thought, I'd already written the filter to use the
HttpHeaders directly but was wondering if there was another preferred/better
way.
For note: there's a bug in HttpHeadersImpl which cannot handle a header
which is a non-empty collection populated with a single null item - in
HttpHeadersImpl:
private List<String> getListValues(String headerName) {
List<String> values = headers.get(headerName);
if (values == null || values.isEmpty()) {
return Collections.emptyList();
}
if (HttpUtils.isDateRelatedHeader(headerName)) {
return values;
}
String[] ls = values.get(0).split(",");
if (ls.length == 1) {
return Collections.singletonList(ls[0].trim());
} else {
List<String> newValues = new ArrayList<String>();
for (String v : ls) {
newValues.add(v.trim());
}
return newValues;
}
}
Should be :
private List<String> getListValues(String headerName) {
List<String> values = headers.get(headerName);
// add check here if first value in collection is null
if (values == null || values.isEmpty() || values.get(0) == null) {
return Collections.emptyList();
}
if (HttpUtils.isDateRelatedHeader(headerName)) {
return values;
}
String[] ls = values.get(0).split(",");
if (ls.length == 1) {
return Collections.singletonList(ls[0].trim());
} else {
List<String> newValues = new ArrayList<String>();
for (String v : ls) {
newValues.add(v.trim());
}
return newValues;
}
}
Otherwise values.get(0).split will throw an NPE.
Regards,
Kynan
Sergey Beryozkin-2 wrote:
>
> Hi Kynan
>
> here's a sample CustomInvoker :
>
> http://svn.apache.org/repos/asf/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
>
> At the moment filters/invokers can not get contexts like SecurityContext
> injected so it has to be created manually.
>
> Or you can just get m.get(org.apache.cxf.security.SecurityContext.class)
> from the message and get Principal from there.
>
> Or would you like to work directly with HTTP headers? They're available
> on the message too; you can also do
> HttpHeaders headers = new HttpHeadersImpl(m) and use HttpHeaders...
>
> Let me know please if you need more info
>
> cheers, Sergey
>
--
View this message in context: http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24315708.html
Sent from the cxf-user mailing list archive at Nabble.com.
Re: Security in Jaxws/Jaxrs
Posted by Sergey Beryozkin <sb...@progress.com>.
Hi Kynan
here's a sample CustomInvoker :
http://svn.apache.org/repos/asf/cxf/trunk/systests/src/test/java/org/apache/cxf/systest/jaxrs/CustomJAXRSInvoker.java
At the moment filters/invokers can not get contexts like SecurityContext injected so it has to be created manually.
Or you can just get m.get(org.apache.cxf.security.SecurityContext.class) from the message and get Principal from there.
Or would you like to work directly with HTTP headers? They're available on the message too; you can also do
HttpHeaders headers = new HttpHeadersImpl(m) and use HttpHeaders...
Let me know please if you need more info
cheers, Sergey
----- Original Message -----
From: "Kynan Fraser" <ky...@customware.net>
To: <us...@cxf.apache.org>
Sent: Thursday, July 02, 2009 9:44 AM
Subject: Re: Security in Jaxws/Jaxrs
>
> Hi Sergey,
>
> As a follow-up to this, I'm trying to implement a basic HTTP filter using a
> request handler. Is there a way to obtain the HTTP auth info? I can't find
> it on any of the contexts or the message.
>
> Is there an example of a basic auth client and a request handler or custom
> invoker handling the authentication?
>
> Thanks,
> Kynan
>
> --
> View this message in context: http://www.nabble.com/Security-in-Jaxws-Jaxrs-tp23266441p24303305.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
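As an added example (my code, not the systests CustomJAXRSInvoker Sergey links to), here is a custom JAXRSInvoker covering Vishal's second requirement, securing each method: it takes the matched method from the OperationResourceInfo, the Principal from the CXF SecurityContext on the in message (the m.get(org.apache.cxf.security.SecurityContext.class) route above), and allows or refuses the call based on JSR-250 @RolesAllowed/@PermitAll/@DenyAll annotations, failing closed when a method declares nothing. Using getAnnotatedMethod() with a fallback to getMethodToInvoke(), and short-circuiting by returning the Response wrapped in a MessageContentsList, are assumptions about the invoker contract of this CXF version.

```java
import java.lang.reflect.Method;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ws.rs.core.Response;
import org.apache.cxf.jaxrs.JAXRSInvoker;
import org.apache.cxf.jaxrs.model.OperationResourceInfo;
import org.apache.cxf.message.Exchange;
import org.apache.cxf.message.MessageContentsList;
import org.apache.cxf.security.SecurityContext;

/** Custom invoker: every matched resource method is checked against JSR-250 role annotations before it runs. */
public class RolesAllowedInvoker extends JAXRSInvoker {

    @Override
    public Object invoke(Exchange exchange, Object request) {
        // By the time the invoker runs, JAX-RS method matching has finished, so the target operation is known.
        OperationResourceInfo ori = exchange.get(OperationResourceInfo.class);
        Method method = ori.getAnnotatedMethod() != null ? ori.getAnnotatedMethod() : ori.getMethodToInvoke();
        // The SecurityContext is whatever the authentication step put on the in message.
        SecurityContext sc = exchange.getInMessage().get(SecurityContext.class);
        int status = decide(method, sc);
        if (status != 200) {
            // Short-circuit: the invoker's return value is what CXF writes back, so hand it a bare status.
            return new MessageContentsList(Response.status(status).build());
        }
        return super.invoke(exchange, request);
    }

    /**
     * Decision logic on its own, taking only a Method and a SecurityContext so it can be unit-tested
     * with a stub context and no running endpoint.
     * 200 = proceed, 401 = no authenticated principal, 403 = authenticated but not authorised.
     */
    static int decide(Method method, SecurityContext sc) {
        if (method.isAnnotationPresent(PermitAll.class)) {
            return 200;
        }
        if (sc == null || sc.getUserPrincipal() == null) {
            return 401;
        }
        if (method.isAnnotationPresent(DenyAll.class)) {
            return 403;
        }
        RolesAllowed roles = method.getAnnotation(RolesAllowed.class);
        if (roles == null) {
            roles = method.getDeclaringClass().getAnnotation(RolesAllowed.class);
        }
        if (roles == null) {
            // Fail closed: a method that declares no roles is denied, so a forgotten annotation
            // cannot silently expose an operation.
            return 403;
        }
        for (String role : roles.value()) {
            if (sc.isUserInRole(role)) {
                return 200;
            }
        }
        return 403;
    }
}
```

Registered as the invoker property Sergey mentions, this runs after method matching and therefore sees the matched OperationResourceInfo, which a RequestHandler (called with only a ClassResourceInfo) cannot; that is the reason to keep authentication in the handler and per-method authorization in the invoker.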