Posted to users@cxf.apache.org by Antoine Roux <an...@net-vitesse.com> on 2010/07/23 10:39:05 UTC

WS-Security and user information

Hi,
I have a web service authenticating with WS-Security. On the server side, I
set up the WSS4j interceptor and I have a password callback that checks the
username/password against my database. The service being called
subsequently if authentication succeeds needs to know the identity of the
user.
What is the right way to pass it to the service? Is it to store it in the
session? Or is there a better way?

--
Antoine Roux,
NetVitesse S.A.R.L
antoine.roux@net-vitesse.com
Phone: +33 (0)1 61 37 04 24
Mobile: +33 (0)6 20 69 07 96
Fax: +33 (0)1 70 24 87 88

Re: WS-Security and user information

Posted by Sergey Beryozkin <sb...@gmail.com>.
Sorry, my advice was a bit misleading then.
The reason I mentioned the approach with extending the interceptor was that
it allows one to create the security context which is role-aware early
and possibly propagate it further to EJB/etc - this is how things are done
in JBossCXF. But this is overkill if all one wants is to get a principal
:-).

cheers, Sergey


On Fri, Jul 23, 2010 at 4:20 PM, Daniel Kulp <dk...@apache.org> wrote:

> On Friday 23 July 2010 4:39:05 am Antoine Roux wrote:
> > Hi,
> > I have a web service authenticating with WS-Security. On the server side, I
> > set up the WSS4j interceptor and I have a password callback that checks
> > the username/password against my database. The service being called
> > subsequently if authentication succeeds needs to know the identity of the
> > user.
> > What is the right way to pass it to the service? Is it to store it in the
> > session? Or is there a better way?
>
> It's actually already stored in the session. If you have the
> WebServiceContext injected, you can call the getPrincipal method on it which
> will likely be the Principal provided by wss4j in your case.
>
> Dan
>
>
>
> >
> > --
> > Antoine Roux,
> > NetVitesse S.A.R.L
> > antoine.roux@net-vitesse.com
> > Phone: +33 (0)1 61 37 04 24
> > Mobile: +33 (0)6 20 69 07 96
> > Fax: +33 (0)1 70 24 87 88
>
> --
> Daniel Kulp
> dkulp@apache.org
> http://dankulp.com/blog
>

Re: WS-Security and user information

Posted by Daniel Kulp <dk...@apache.org>.
On Friday 23 July 2010 4:39:05 am Antoine Roux wrote:
> Hi,
> I have a web service authenticating with WS-Security. On the server side, I
> set up the WSS4j interceptor and I have a password callback that checks
> the username/password against my database. The service being called
> subsequently if authentication succeeds needs to know the identity of the
> user.
> What is the right way to pass it to the service? Is it to store it in the
> session? Or is there a better way?

It's actually already stored in the session. If you have the
WebServiceContext injected, you can call the getPrincipal method on it which
will likely be the Principal provided by wss4j in your case.

Dan



> 
> --
> Antoine Roux,
> NetVitesse S.A.R.L
> antoine.roux@net-vitesse.com
> Phone: +33 (0)1 61 37 04 24
> Mobile: +33 (0)6 20 69 07 96
> Fax: +33 (0)1 70 24 87 88

-- 
Daniel Kulp
dkulp@apache.org
http://dankulp.com/blog
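
An added example of the approach in the reply above; it is not code from the thread or from the CXF project. In the JAX-WS API the method is WebServiceContext.getUserPrincipal(); the class name, operation names and the returned balance are hypothetical.

```java
import java.security.Principal;
import javax.annotation.Resource;
import javax.jws.WebMethod;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;

// Hypothetical service: names are illustrative, not from the thread.
@WebService
public class AccountService {

    // Injected by the JAX-WS runtime; resolves to the current request's context.
    @Resource
    private WebServiceContext context;

    @WebMethod
    public String whoAmI() {
        return requireCaller().getName();
    }

    @WebMethod
    public String getBalance(String accountOwner) {
        Principal caller = requireCaller();
        // Authorize against the authenticated identity, never against a
        // user name supplied in the request body.
        if (!caller.getName().equals(accountOwner)) {
            throw new SecurityException("caller may not read this account");
        }
        return "0.00"; // constructed placeholder value
    }

    // Fail closed: if the security interceptor is missing from the endpoint
    // (for example after a configuration change), there is no principal and
    // the call must be rejected rather than treated as anonymous.
    private Principal requireCaller() {
        Principal p = context.getUserPrincipal();
        if (p == null || p.getName() == null || p.getName().isEmpty()) {
            throw new SecurityException("no authenticated principal");
        }
        return p;
    }
}
```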

Re: WS-Security and user information

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
You might want to consider extending
AbstractUsernameTokenAuthenticatingInterceptor [1] and override its
createSubject(...) method *instead of* registering a callback with
WSS4JInInterceptor. You'd only need a callback if UT is actually encrypted.
Then register this custom interceptor instead of WSS4JInInterceptor. The
subject should have the first Principal representing the actual
authenticated user and other principals optionally representing Groups.

For example, see [2]. [2] actually extends  UsernameTokenInterceptor (it is
to address a WSDL/WS-policy first case) but the signature is the same. Then
you just register it with an endpoint.

Cheers, Sergey


[1]
http://svn.apache.org/repos/asf/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractUsernameTokenAuthenticatingInterceptor.java
[2]
http://svn.apache.org/repos/asf/cxf/trunk/systests/ws-specs/src/test/java/org/apache/cxf/systest/ws/wssec10/server/CustomUsernameTokenInterceptor.java

On Fri, Jul 23, 2010 at 9:39 AM, Antoine Roux <an...@net-vitesse.com> wrote:

> Hi,
> I have a web service authenticating with WS-Security. On the server side, I
> set up the WSS4j interceptor and I have a password callback that checks
> the username/password against my database. The service being called
> subsequently if authentication succeeds needs to know the identity of the
> user.
> What is the right way to pass it to the service? Is it to store it in the
> session? Or is there a better way?
>
> --
> Antoine Roux,
> NetVitesse S.A.R.L
> antoine.roux@net-vitesse.com
> Phone: +33 (0)1 61 37 04 24
> Mobile: +33 (0)6 20 69 07 96
> Fax: +33 (0)1 70 24 87 88
>
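
An added sketch of the createSubject(...) override described in the message above; it is not code from the thread or from the file linked at [2]. It assumes the createSubject signature (name, password, isDigest, nonce, created) of the class linked at [1] and the SimplePrincipal/SimpleGroup helpers from org.apache.cxf.common.security; the UserStore interface and the class name are hypothetical.

```java
import javax.security.auth.Subject;
import org.apache.cxf.common.security.SimpleGroup;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.ws.security.wss4j.AbstractUsernameTokenAuthenticatingInterceptor;

public class DbUsernameTokenInterceptor
        extends AbstractUsernameTokenAuthenticatingInterceptor {

    /** Hypothetical lookup backed by the application's user database. */
    public interface UserStore {
        boolean verify(String name, String password); // checks a salted hash
        Iterable<String> groupsOf(String name);
    }

    private final UserStore users;

    public DbUsernameTokenInterceptor(UserStore users) {
        this.users = users;
    }

    @Override
    protected Subject createSubject(String name, String password, boolean isDigest,
                                    String nonce, String created) throws SecurityException {
        // A digest token can only be checked against a clear-text password,
        // which a hashed store does not have, so refuse it outright.
        if (isDigest) {
            throw new SecurityException("digest passwords are not accepted");
        }
        // Same error for unknown user and wrong password: no user enumeration.
        if (name == null || password == null || !users.verify(name, password)) {
            throw new SecurityException("authentication failed");
        }
        Subject subject = new Subject();
        // First principal is the authenticated user, as the message describes.
        subject.getPrincipals().add(new SimplePrincipal(name));
        // Further principals represent the groups the user belongs to.
        for (String group : users.groupsOf(name)) {
            subject.getPrincipals().add(new SimpleGroup(group, name));
        }
        subject.setReadOnly(); // downstream code cannot add principals
        return subject;
    }
}
```

Register an instance on the endpoint in place of WSS4JInInterceptor, as the message says, and send plain-text UsernameTokens only over TLS.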