Posted to dev@cxf.apache.org by Honey Goyal <er...@gmail.com> on 2014/04/10 10:05:34 UTC

Secure CXF rsServer with Jaas authentication

Hi,

I am a newbie to CXF. I have configured the CXF JAASAuthenticationFilter to
authenticate each REST call against a JAAS realm. But each time I had to pass
the Basic Authenticate header to authenticate it. Can I configure any
token-based login along with JAAS, so that only the first time it
authenticates with JAAS and returns an auth token? Next time I only need that
auth token to make a call from the client side.

This is my working blueprint

<?xml version="1.0" encoding="UTF-8"?>
<blueprint  
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xmlns="http://www.osgi.org/xmlns/blueprint/v1.0.0" 
    xmlns:camel="http://camel.apache.org/schema/blueprint"
    xmlns:cxf="http://camel.apache.org/schema/blueprint/cxf"
    xmlns:cm="http://aries.apache.org/blueprint/xmlns/blueprint-cm/v1.0.0"
    xmlns:jaxrs="http://cxf.apache.org/blueprint/jaxrs"
    xsi:schemaLocation="
		http://www.osgi.org/xmlns/blueprint/v1.0.0
http://www.osgi.org/xmlns/blueprint/v1.0.0/blueprint.xsd
		http://camel.apache.org/schema/blueprint/cxf
http://camel.apache.org/schema/blueprint/cxf/camel-cxf.xsd
		http://cxf.apache.org/blueprint/jaxrs
http://cxf.apache.org/schemas/blueprint/jaxrs.xsd
		http://camel.apache.org/schema/blueprint
http://camel.apache.org/schema/blueprint/camel-blueprint.xsd" >
	
	<cm:property-placeholder persistent-id="com.xxxx.cp.securitytoken">
           <cm:default-properties>
              <cm:property name="myapp.api.url"
value="http://localhost:80/v1" />
           </cm:default-properties>
        </cm:property-placeholder>
   
      	<cxf:rsServer id="rsServer" address="/security"
serviceClass="com.xxxx.cp.securitytoken.SecurityTokenServiceImpl">
	    <cxf:providers>
	       <ref component-id="authorizationFilter"/>
	    </cxf:providers>
   	  </cxf:rsServer>
   
        <bean id="authorizationFilter"
class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
 	             <!-- Name of the JAAS Context -->
 	             <property name="contextName" value="myRealm"/>
 	       </bean>
   
 	<camelContext xmlns="http://camel.apache.org/schema/blueprint"
id="security"> 
 	     <route> 
		<from uri="cxfrs://bean://rsServer"/> 
		<to uri="{{myapp.api.url}}?bridgeEndpoint=true" /> 
 	     </route> 
 	</camelContext> 

</blueprint>



--
View this message in context: http://cxf.547215.n5.nabble.com/Secure-CXF-rsServer-with-Jaas-authentication-tp5742659.html
Sent from the cxf-dev mailing list archive at Nabble.com.

RE: Secure CXF rsServer with Jaas authentication

Posted by Honey Goyal <er...@gmail.com>.
Thanks for the response. Yeah, I read the jaxrs OAuth2 documentation. It is
really what I need :)
On Apr 10, 2014 11:44 PM, "Andrei Shakirin [via CXF]" <
ml-node+s547215n5742669h83@n5.nabble.com> wrote:

> Hi,
>
> I am redirecting the question into user list, if you don't mind.
>
> I think OAuth 2.0 client credentials could be elegant solution for this
> case (https://cxf.apache.org/docs/jax-rs-oauth2.html).
> You will be able to authenticate client first time with HTTP basic
> credentials against OAuth Authentication Service (authentication can be
> JAAS based) and issue AccessToken (and RefreshToken).
> For further call Resource Service will validate AccessToken and you don't
> need to send HTTP basic credentials anymore.
>
> Second option is using SAML authentication token and STS with JAAS
> extension, but this is more involved (
> https://cxf.apache.org/docs/jax-rs-saml.html ).
>
> Does it make sense for you?
>
> Regards,
> Andrei.
>




--
View this message in context: http://cxf.547215.n5.nabble.com/Secure-CXF-rsServer-with-Jaas-authentication-tp5742659p5742697.html
Sent from the cxf-dev mailing list archive at Nabble.com.

Re: Secure CXF rsServer with Jaas authentication

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi Andrei
On 10/04/14 19:13, Andrei Shakirin wrote:
> Hi,
>
> I am redirecting the question into user list, if you don't mind.
>
> I think OAuth 2.0 client credentials could be elegant solution for this case (https://cxf.apache.org/docs/jax-rs-oauth2.html).
> You will be able to authenticate client first time with HTTP basic credentials against OAuth Authentication Service (authentication can be JAAS based) and issue AccessToken (and RefreshToken).
> For further call Resource Service will validate AccessToken and you don't need to send HTTP basic credentials anymore.
>
> Second option is using SAML authentication token and STS with JAAS extension, but this is more involved (https://cxf.apache.org/docs/jax-rs-saml.html ).
>
I think it is a perfect summary of the options on the RS path

Cheers, Sergey
> Does it make sense for you?
>
> Regards,
> Andrei.
>


RE: Secure CXF rsServer with Jaas authentication

Posted by Andrei Shakirin <as...@talend.com>.
Hi,

I am redirecting the question to the user list, if you don't mind.

I think OAuth 2.0 client credentials could be an elegant solution for this case (https://cxf.apache.org/docs/jax-rs-oauth2.html).
You will be able to authenticate the client the first time with HTTP basic credentials against the OAuth Authentication Service (authentication can be JAAS based) and issue an AccessToken (and RefreshToken).
For further calls the Resource Service will validate the AccessToken and you don't need to send HTTP basic credentials anymore.

The second option is using a SAML authentication token and STS with JAAS extension, but this is more involved (https://cxf.apache.org/docs/jax-rs-saml.html).

Does it make sense for you?

Regards,
Andrei.
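
The client-credentials setup described in this reply, sketched as Blueprint beans for the blueprint from the original question (an added example, not configuration posted by anyone in the thread). com.example.oauth.MyOAuthDataProvider is a hypothetical application class, the /oauth address is an assumption, and it is assumed that AccessTokenService resolves the OAuth client from the principal name the JAAS filter places in the security context.

```xml
<!-- Added example: beans to place inside the <blueprint> element from the question. -->

<!-- Hypothetical application class implementing
     org.apache.cxf.rs.security.oauth2.provider.OAuthDataProvider;
     it stores the registered clients and the access tokens issued to them. -->
<bean id="oauthProvider" class="com.example.oauth.MyOAuthDataProvider"/>

<!-- JAAS check of the HTTP Basic credentials, now applied only to the token endpoint. -->
<bean id="jaasFilter" class="org.apache.cxf.jaxrs.security.JAASAuthenticationFilter">
  <property name="contextName" value="myRealm"/>
</bean>

<bean id="clientCredentialsHandler"
      class="org.apache.cxf.rs.security.oauth2.grants.clientcred.ClientCredentialsGrantHandler">
  <property name="dataProvider" ref="oauthProvider"/>
</bean>

<bean id="accessTokenService"
      class="org.apache.cxf.rs.security.oauth2.services.AccessTokenService">
  <property name="dataProvider" ref="oauthProvider"/>
  <property name="grantHandlers">
    <list>
      <ref component-id="clientCredentialsHandler"/>
    </list>
  </property>
</bean>

<!-- Token endpoint: the client POSTs grant_type=client_credentials with a Basic
     header to /oauth/token once and receives an access token in the response. -->
<jaxrs:server id="oauthServer" address="/oauth">
  <jaxrs:serviceBeans>
    <ref component-id="accessTokenService"/>
  </jaxrs:serviceBeans>
  <jaxrs:providers>
    <ref component-id="jaasFilter"/>
  </jaxrs:providers>
</jaxrs:server>

<!-- Validates the "Authorization: Bearer ..." token on every resource call. -->
<bean id="oauthFilter" class="org.apache.cxf.rs.security.oauth2.filters.OAuthRequestFilter">
  <property name="dataProvider" ref="oauthProvider"/>
</bean>

<!-- The resource endpoint from the question, with the JAAS filter replaced by the token filter. -->
<cxf:rsServer id="rsServer" address="/security"
              serviceClass="com.xxxx.cp.securitytoken.SecurityTokenServiceImpl">
  <cxf:providers>
    <ref component-id="oauthFilter"/>
  </cxf:providers>
</cxf:rsServer>
```

Both the Basic header sent to the token endpoint and the bearer token sent afterwards are replayable if intercepted, so both endpoints belong behind TLS, and the data provider should issue tokens with a bounded lifetime.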

