Posted to users@cxf.apache.org by marcelo melo <ma...@gmail.com> on 2008/05/01 02:39:34 UTC

Retrieve the user using WS-Security and Signature

Hi all,

I am developing a service using signatures only, with no user-password
authentication. However, when developing a Client, I am forced to set
a user in order to invoke the service. Is there a way of retrieving
the user on the server side (for auditing purposes)?
I tried to use a password callback handler, which successfully
retrieved me the user, but required me to correctly inform a password,
which I don't (at least won't if the key is not generated by me) know.
Also, if someone could give me an insight of how, if possible, to use
this user on my service class, I would be very grateful.

Thanks

Re: Retrieve the user using WS-Security and Signature

Posted by marcelo melo <ma...@gmail.com>.
Well, once again, thanks a lot!

I'll continue to use the Interceptors, since the code is working, but
the context thing was exactly what I was looking for.



On Fri, May 2, 2008 at 9:46 PM, Daniel Kulp <dk...@apache.org> wrote:
>
>
>  Note: this is probably not thread safe.   Interceptors are "shared" by all
>  invocations on the endpoint.  Thus, the interceptor needs to make sure it
>  doesn't maintain state (like the Principal object) in an instance variable
>  that might be wiped out by an invocation being processed on another thread.
>
>  To answer your other question...
>  Assuming JAX-WS on server side, in your service implementation, add:
>  @Resource
>  WebServiceContext context;
>  as an instance field.   The runtime will inject a WebServiceContext instance
>  in there.   After that, in your interceptor, do something like:
>  message.put("USER_NAME", principal.getName());
>
>  Then, in your impl, do:
>
>  String user = (String)context.getMessageContext().get("USER_NAME");
>
>  You might even be able to do what you need without any interceptor.   The
>  WebServiceContext basically wraps the message.   Thus, you may be able to
>  just do:
>  context.getMessageContext().get(WSHandlerConstants.RECV_RESULTS)
>  in your service impl to get the Vector there.
>
>  Dan

Re: Retrieve the user using WS-Security and Signature

Posted by Daniel Kulp <dk...@apache.org>.

Note: this is probably not thread safe.   Interceptors are "shared" by all
invocations on the endpoint.  Thus, the interceptor needs to make sure it
doesn't maintain state (like the Principal object) in an instance variable
that might be wiped out by an invocation being processed on another thread.

To answer your other question...
Assuming JAX-WS on server side, in your service implementation, add:
@Resource
WebServiceContext context;
as an instance field.   The runtime will inject a WebServiceContext instance
in there.   After that, in your interceptor, do something like:
message.put("USER_NAME", principal.getName());

Then, in your impl, do:

String user = (String)context.getMessageContext().get("USER_NAME");

You might even be able to do what you need without any interceptor.   The
WebServiceContext basically wraps the message.   Thus, you may be able to
just do:
context.getMessageContext().get(WSHandlerConstants.RECV_RESULTS)
in your service impl to get the Vector there.  

Dan





-- 
View this message in context: http://www.nabble.com/Retrieve-the-user-using-WS-Security-and-Signature-tp16994689p17030305.html
Sent from the cxf-user mailing list archive at Nabble.com.
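
Added example (not part of the original thread, and not CXF project code): a stateless version of the interceptor approach discussed above. It stores the signer's subject DN on the message under the thread's "USER_NAME" key instead of in an instance field, and a service class reads it back through WebServiceContext. The class names, the choice of Phase.PRE_INVOKE, rejecting requests that carry no signature result, and the WSS4J 1.x package names are assumptions.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import javax.annotation.Resource;
import javax.jws.WebService;
import javax.xml.ws.WebServiceContext;
import org.apache.cxf.binding.soap.SoapMessage;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.ws.security.WSConstants;
import org.apache.ws.security.WSSecurityEngineResult;
import org.apache.ws.security.handler.WSHandlerConstants;
import org.apache.ws.security.handler.WSHandlerResult;
import org.apache.ws.security.util.WSSecurityUtil;

// Hypothetical class name. No instance fields: one interceptor instance serves all threads.
public class SignerNameInterceptor extends AbstractPhaseInterceptor<SoapMessage> {
    public SignerNameInterceptor() {
        super(Phase.PRE_INVOKE); // assumption: a phase that runs after WSS4JInInterceptor
    }

    public void handleMessage(SoapMessage message) throws Fault {
        List<?> handlerResults = (List<?>) message.getContextualProperty(WSHandlerConstants.RECV_RESULTS);
        String signer = null;
        for (int i = 0; handlerResults != null && signer == null && i < handlerResults.size(); i++) {
            WSHandlerResult hr = (WSHandlerResult) handlerResults.get(i);
            // Only a signature result is accepted as the caller's identity.
            WSSecurityEngineResult sig = WSSecurityUtil.fetchActionResult(hr.getResults(), WSConstants.SIGN);
            if (sig != null) {
                X509Certificate cert = (X509Certificate) sig.get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
                if (cert != null) signer = cert.getSubjectX500Principal().getName();
            }
        }
        if (signer == null) { // fail closed rather than audit an anonymous call
            throw new Fault(new SecurityException("request carries no signature result"));
        }
        message.put("USER_NAME", signer); // per-request state lives on the message
    }
}

@WebService
class AuditedServiceImpl { // hypothetical service class
    @Resource
    WebServiceContext context; // injected by the JAX-WS runtime

    public String whoAmI() {
        return (String) context.getMessageContext().get("USER_NAME");
    }
}
```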


Re: Retrieve the user using WS-Security and Signature

Posted by marcelo melo <ma...@gmail.com>.
Actually I was able to retrieve the certificate via an Interceptor, on
the handleMessage of the Interceptor; here's what I did:

	// RECV_RESULTS is a Vector of WSHandlerResult, each wrapping a list of WSSecurityEngineResult
	Vector result = (Vector) message.getContextualProperty(WSHandlerConstants.RECV_RESULTS);
	for (int i = 0; i < result.size(); i++) {
	    WSHandlerResult res = (WSHandlerResult) result.get(i);
	    for (int j = 0; j < res.getResults().size(); j++) {
		WSSecurityEngineResult secRes = (WSSecurityEngineResult) res.getResults().get(j);

		// the "principal" entry is only present on some results
		X500Name principal = (X500Name) secRes.get("principal");
		if(principal != null) {
		    this.setUser(principal.getName());
		    break;
		}
	    }
	}

This gives me the principal stored on the certificate, which is enough
for me. I did not try your method 'cause I was not sure where I would
put the code, but thanks anyway


On Thu, May 1, 2008 at 5:33 AM, O hEigeartaigh, Colm
<Co...@iona.com> wrote:
>
>  The WSS4JInInterceptor attaches the X509 certificate that was used for
>  signature to the message with:
>
>  WSSecurityEngineResult actionResult =
>     WSSecurityUtil.fetchActionResult(wsResult, WSConstants.SIGN);
>  msg.put(SIGNATURE_RESULT, actionResult);
>
>  You can access this downstream by doing something like:
>
>  WSSecurityEngineResult result =
>     (WSSecurityEngineResult) inmsg.get(WSS4JInInterceptor.SIGNATURE_RESULT);
>
>  X509Certificate certificate =
>     (X509Certificate)result
>             .get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);
>
>  You can manipulate this X509Certificate object to get what you want I
>  think.
>
>  Colm.

RE: Retrieve the user using WS-Security and Signature

Posted by "O hEigeartaigh, Colm" <Co...@iona.com>.
The WSS4JInInterceptor attaches the X509 certificate that was used for
signature to the message with:

WSSecurityEngineResult actionResult = 
    WSSecurityUtil.fetchActionResult(wsResult, WSConstants.SIGN);
msg.put(SIGNATURE_RESULT, actionResult);

You can access this downstream by doing something like:

WSSecurityEngineResult result =
    (WSSecurityEngineResult) inmsg.get(WSS4JInInterceptor.SIGNATURE_RESULT);

X509Certificate certificate = 
    (X509Certificate)result
            .get(WSSecurityEngineResult.TAG_X509_CERTIFICATE);

You can manipulate this X509Certificate object to get what you want I
think.

Colm.

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland