Posted to users@cxf.apache.org by Anne Racel <ar...@cormineid.com> on 2007/10/07 14:47:02 UTC

CXF + ACEGI security - full example

Hi folks -

I've done the research into several places on the web and found a way to
get CXF + ACEGI to work on my app.  I'm just using the plain text
password, however, so I'd like a few other folks to bang on this before
I add it to the wiki:

Spring config - this goes in your cxf-servlet.xml file:

      <jaxws:endpoint id="XScoutCXF_xml_bare"
            implementor="[my implementation class - see standard docs for what this should be]"
            wsdlLocation="WEB-INF/wsdl/XScoutCXF.wsdl"
            address="/XScoutCXF">
            <jaxws:inInterceptors>
              <bean class="org.apache.cxf.binding.soap.saaj.SAAJInInterceptor"/>
              <bean class="org.apache.cxf.ws.security.wss4j.WSS4JInInterceptor">
                <property name="properties">
                  <map>
                    <entry key="action" value="UsernameToken Timestamp"/>
                    <entry key="passwordType" value="PasswordText"/>
                    <entry key="passwordCallbackClass" value="[your class that extends CallbackHandler]"/>
                  </map>
                </property>
              </bean>
              <bean class="com[your class that extends AbstractPhaseInterceptor]"/>
            </jaxws:inInterceptors>
            <jaxws:features>
                  <bean class="org.apache.cxf.feature.LoggingFeature" />
            </jaxws:features>
      </jaxws:endpoint>


The class that extends AbstractPhaseInterceptor has several required
constructors, but doesn't include a default constructor.  You have to
add it though, and I found that this works:

public ValidateUserTokenInterceptor()
{
            // UNMARSHAL comes after PRE_PROTOCOL, where WSS4JInInterceptor
            // runs, so RECV_RESULTS is already populated by the time
            // handleMessage() is called.
            super(Phase.UNMARSHAL);
}


This is the essential method I had to add to the class that extends
AbstractPhaseInterceptor.  I haven't figured out exactly how it works
yet, except that it errors out if the password isn't validated in the
class extending CallbackHandler:

      // Imports this method needs (not listed in the original post):
      import java.security.Principal;
      import java.security.cert.X509Certificate;
      import java.util.Vector;
      import org.apache.cxf.interceptor.Fault;
      import org.apache.cxf.message.Message;
      import org.apache.ws.security.WSConstants;
      import org.apache.ws.security.WSSecurityEngineResult;
      import org.apache.ws.security.WSUsernameTokenPrincipal;
      import org.apache.ws.security.handler.WSHandlerConstants;
      import org.apache.ws.security.handler.WSHandlerResult;
      import org.springframework.context.ApplicationContext;

      // Assumes fields 'connector' (SecurityConnector) and 'log', and a
      // getApplicationContext() helper, as in the original post.
      @SuppressWarnings("unchecked")
      public void handleMessage(Message message) throws Fault {
            ApplicationContext ctx = getApplicationContext();
            connector = (SecurityConnector) ctx.getBean("securityConnector");

            // Only set to true once a UsernameToken result is actually seen;
            // starting at true would make the check at the bottom a no-op.
            boolean userTokenValidated = false;
            WSUsernameTokenPrincipal principal = null;

            // Results left behind by WSS4JInInterceptor; null when the
            // request carried no Security header at all.
            Vector<Object> result = (Vector<Object>) message
                        .getContextualProperty(WSHandlerConstants.RECV_RESULTS);
            if (result == null) {
                  throw new RuntimeException("No WS-Security header present");
            }

            for (int i = 0; i < result.size(); i++) {
                  WSHandlerResult res = (WSHandlerResult) result.get(i);
                  String actor = res.getActor();
                  for (int j = 0; j < res.getResults().size(); j++) {
                        WSSecurityEngineResult secRes =
                                    (WSSecurityEngineResult) res.getResults().get(j);
                        int action = secRes.getAction();

                        switch (action) {
                        case WSConstants.UT:
                              principal = (WSUsernameTokenPrincipal) secRes.getPrincipal();
                              log.info(principal.getName());
                              userTokenValidated = true;
                              break;

                        case WSConstants.SIGN:
                              // A signature result carries the signer's X.500
                              // principal, not a WSUsernameTokenPrincipal, so
                              // it must not be cast to one.
                              Principal signer = secRes.getPrincipal();
                              log.info(signer.getName());
                              X509Certificate cert = secRes.getCertificate();
                              Principal subjectPrincipal = cert.getSubjectDN();
                              log.info(subjectPrincipal.getName());
                              Principal issuerPrincipal = cert.getIssuerDN();
                              log.info(issuerPrincipal.getName());
                              break;

                        case WSConstants.ENCR:
                              log.info("encrypted");
                              break;

                        case WSConstants.TS:
                              log.info("timestamp created: " + secRes.getTimestamp().getCreated());
                              log.info("timestamp expires: " + secRes.getTimestamp().getExpires());
                              break;

                        case WSConstants.NO_SECURITY:
                              log.info("No security");
                              break;
                        }
                  }
            }

            if (!userTokenValidated) {
                  throw new RuntimeException("Security processing failed");
            }
      }


Here's the essential method in the class that extends CallbackHandler.
This is where you actually look up your user to confirm the credentials.
The logic is: validate the user is in your system, then set the password
here to the password passed back.  If the passwords don't match, the
system throws an error.  So, in my case, with a plain text password,
pc.setPassword(pc.getPassword()); seems kinda weird, but it works.

      // Imports this method needs (not listed in the original post):
      import java.io.IOException;
      import javax.security.auth.callback.Callback;
      import javax.security.auth.callback.UnsupportedCallbackException;
      import org.apache.ws.security.WSPasswordCallback;
      import org.springframework.context.ApplicationContext;

      // Assumes fields 'connector' (SecurityConnector) and 'PLAIN_TEXT', and a
      // getApplicationContext() helper, as in the original post.
      public void handle(Callback[] callbacks) throws IOException,
                  UnsupportedCallbackException {
            ApplicationContext ctx = getApplicationContext();
            connector = (SecurityConnector) ctx.getBean("securityConnector");

            // WSS4J passes a WSPasswordCallback; reject anything else up front
            // instead of failing on the cast.
            if (callbacks.length == 0 || !(callbacks[0] instanceof WSPasswordCallback)) {
                  throw new UnsupportedCallbackException(
                              callbacks.length == 0 ? null : callbacks[0], "Unrecognized Callback");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callbacks[0];
            System.out.println("we're in the callback handler");

            if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN) {
                  // @TODO: password is sent in digest mode.  We'll have to code this
                  // to pull the clear password from the database to compare it at
                  // this end using the following.  Until then, we'll just need to
                  // set the password to something generic.
                  /* to be implemented later:
                   * String plainText = connector.getPassword(pc.getIdentifier());
                   *** this will throw an error if the incoming password
                   *** doesn't match what we found:
                   * pc.setPassword(plainText);
                   */
                  /** interim code - set generic password */
                  pc.setPassword(PLAIN_TEXT);
            }
            else if (pc.getUsage() == WSPasswordCallback.USERNAME_TOKEN_UNKNOWN) {
                  // Plain text password: WSS4J hands us the password it received
                  // and leaves the comparison to this handler.
                  int userId = connector.getUser(pc.getIdentifier(), pc.getPassword());
                  if (userId < 1) {
                        throw new IOException("password incorrect for user: " + pc.getIdentifier());
                  }
                  else {
                        System.out.println("user id: " + userId + " username: " + pc.getIdentifier());
                        // Echoing the received password back tells WSS4J it matched.
                        pc.setPassword(pc.getPassword());
                  }
            }
            else {
                  throw new UnsupportedCallbackException(callbacks[0], "Unrecognized Callback");
            }
      }
 

Anne Racel
Senior Software Engineer
Cormine Intelligent Data
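An added example, not code from the post above and not CXF or WSS4J code: a Python sketch of the server-side UsernameToken check that WSS4J performs with whatever the callback handler gives it. It shows why pc.setPassword(pc.getPassword()) is enough for PasswordText (the handler has already compared the credentials, and echoing the password back satisfies WSS4J's equality check) and why the digest branch marked @TODO needs the clear-text password (PasswordDigest is Base64(SHA-1(nonce || created || password)), which can only be recomputed on the server). The USERS store standing in for the post's "securityConnector", NOW, CLOCK_SKEW and the nonce cache are all constructed for the example; the timestamp-freshness and nonce-replay checks go a little beyond the post, which validates only the password.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the thread's "securityConnector" user store (hypothetical).
# PasswordDigest can only be verified if the server can obtain the clear-text
# password, which is exactly the constraint the @TODO in the post runs into.
USERS = {"alice": "correct horse battery staple"}

# How far a token's Created time may drift from server time before rejection.
CLOCK_SKEW = timedelta(minutes=5)

# Fixed "now" so the scenarios below are reproducible (constructed value).
NOW = datetime(2007, 10, 7, 14, 47, 2, tzinfo=timezone.utc)
WSU_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce_b64: str, created: str, password: str) -> str:
    """WS-Security UsernameToken PasswordDigest:
    Base64( SHA-1( Base64-decoded nonce || created || password ) )."""
    raw = base64.b64decode(nonce_b64) + created.encode("utf-8") + password.encode("utf-8")
    return base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def make_token(username: str, password: str, when: datetime) -> dict:
    """What a client sends as a PasswordDigest UsernameToken (as a dict, not XML)."""
    nonce = base64.b64encode(os.urandom(16)).decode("ascii")
    created = when.strftime(WSU_FORMAT)
    return {
        "Username": username,
        "Type": "PasswordDigest",
        "Password": password_digest(nonce, created, password),
        "Nonce": nonce,
        "Created": created,
    }


class UsernameTokenValidator:
    """Server-side check mirroring the two branches of the post's callback handler:
    PasswordText -> compare directly (the USERNAME_TOKEN_UNKNOWN branch),
    PasswordDigest -> recompute the digest from the stored clear-text password
    (the USERNAME_TOKEN branch)."""

    def __init__(self, users: dict):
        self.users = users
        self.seen_nonces = set()  # replay cache; a real one would expire entries

    def validate(self, token: dict, now: datetime) -> bool:
        stored = self.users.get(token.get("Username"))
        if stored is None:
            return False
        supplied = token.get("Password", "")

        if token.get("Type") == "PasswordText":
            # Password travels in clear text; only meaningful over TLS.
            return hmac.compare_digest(supplied.encode("utf-8"), stored.encode("utf-8"))

        if token.get("Type") == "PasswordDigest":
            created = datetime.strptime(token["Created"], WSU_FORMAT).replace(tzinfo=timezone.utc)
            if abs(now - created) > CLOCK_SKEW:
                return False  # stale or future-dated token
            if token["Nonce"] in self.seen_nonces:
                return False  # replayed token
            expected = password_digest(token["Nonce"], token["Created"], stored)
            if not hmac.compare_digest(expected.encode("ascii"), supplied.encode("utf-8")):
                return False
            self.seen_nonces.add(token["Nonce"])
            return True

        return False  # unknown password type


def run_scenarios() -> tuple:
    """Returns (fresh digest, replayed digest, wrong password, stale token, plain text)."""
    v = UsernameTokenValidator(USERS)
    good = make_token("alice", USERS["alice"], NOW)
    fresh = v.validate(good, NOW)
    replayed = v.validate(good, NOW)
    wrong = v.validate(make_token("alice", "not her password", NOW), NOW)
    stale = v.validate(make_token("alice", USERS["alice"], NOW - timedelta(hours=1)), NOW)
    text = v.validate({"Username": "alice", "Type": "PasswordText", "Password": USERS["alice"]}, NOW)
    return fresh, replayed, wrong, stale, text


if __name__ == "__main__":
    print(run_scenarios())  # (True, False, False, False, True)
```

The comparison uses hmac.compare_digest rather than == so that the check takes the same time whether the first or the last character differs; the nonce cache and Created window are what make the digest form resistant to replay, which a bare password comparison does not give you.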

 


RE: CXF + ACEGI security - full example

Posted by Davide Gesino <wi...@libero.it>.
Has anyone finished this example?
I have tried applying these snippets to my code, but I was not able to
make anything work. :-(
What are the ACEGI jars to be imported?
What are the ACEGI relevant classes to create and store a login context
somewhere?

Kaleb Walton-2 wrote:
> 
> Thank you for the example!
> 
> From:    "Anne Racel" <ar...@cormineid.com>
> To:      <cx...@incubator.apache.org>
> Date:    10/07/2007 08:54 AM
> Subject: RE: CXF + ACEGI security - full example
> 
> Oops! - this should be: "your class that implements CallbackHandler"
> 
>                     <entry key="passwordCallbackClass" value="[your class that extends CallbackHandler"/>
> 
> Anne Racel
> Senior Software Engineer
> Cormine Intelligent Data
> 

-- 
View this message in context: http://www.nabble.com/CXF-%2B-ACEGI-security---full-example-tf4583091.html#a13899025
Sent from the cxf-user mailing list archive at Nabble.com.


Re: CXF + ACEGI security - full example

Posted by Andreas Veithen <an...@gmail.com>.
Some time ago I wrote a couple of components that implement common
patterns to integrate CXF with Spring Security (formerly known as
Acegi). The code is currently in the sandbox area of CXF:

https://svn.apache.org/repos/asf/cxf/sandbox/veithen/cxf-spring-security/

Documentation is available here:

http://code.google.com/p/cxf-spring-security/wiki/Documentation

Andreas

On Wed, Oct 13, 2010 at 17:31, Hay Mg. Tran <ha...@yahoo.com> wrote:
>
> I am interested in a working example, too.
> In particular, I am looking for an example that integrates
> grails+cxf+ws-security.
>
> Thanks,
>
> --
> View this message in context: http://cxf.547215.n5.nabble.com/CXF-ACEGI-security-full-example-tp551843p3210677.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>

RE: CXF + ACEGI security - full example

Posted by "Hay Mg. Tran" <ha...@yahoo.com>.
I am interested in a working example, too.
In particular, I am looking for an example that integrates
grails+cxf+ws-security.

Thanks,

-- 
View this message in context: http://cxf.547215.n5.nabble.com/CXF-ACEGI-security-full-example-tp551843p3210677.html
Sent from the cxf-user mailing list archive at Nabble.com.

RE: CXF + ACEGI security - full example

Posted by Kaleb Walton <kd...@us.ibm.com>.
Thank you for the example!

From:    "Anne Racel" <ar...@cormineid.com>
To:      <cx...@incubator.apache.org>
Date:    10/07/2007 08:54 AM
Subject: RE: CXF + ACEGI security - full example

Oops! - this should be: "your class that implements CallbackHandler"

                    <entry key="passwordCallbackClass" value="[your class that extends CallbackHandler"/>

Anne Racel
Senior Software Engineer
Cormine Intelligent Data


RE: CXF + ACEGI security - full example

Posted by Anne Racel <ar...@cormineid.com>.
Oops! - this should be: "your class that implements CallbackHandler"

                    <entry key="passwordCallbackClass" value="[your class that extends CallbackHandler"/>

Anne Racel
Senior Software Engineer
Cormine Intelligent Data