Posted to users@cxf.apache.org by rpd <Ro...@yahoo.co.uk> on 2013/08/18 12:25:41 UTC

Simple Problem - Restful HTTP Basic Auth over HTTPS

Hi

We're trying to evaluate CXF for our project at the moment - so are not
really into it yet.  So it may be that we're missing a blindingly obvious
answer to the following.

We want to create a series of restful web-services and will be using Tomcat
7.  Probably most if not all services will be using HTTPS and will require
basic HTTP auth.  If doing this with servlets it would be simple.  Configuring
the HTTPS connector in server.xml mostly takes care of the HTTPS part.
Create a database table of users then use a Tomcat JDBCRealm so that the
users/credentials are accessible by Tomcat. Annotate every servlet that
needs to be authenticated. Tomcat then associates the user with the session
once authenticated or sends back a 401 message if not.

With CXF it's really not clear how this well-trodden process should work at
all and it's a real sticking point for us. The posts and documentation I
have read seem to suggest all manner of very complex solutions to this
simple problem (including request-handlers, interceptors, JAAS, Spring
security). This makes us think that we're missing something obvious.

Any advice as to how to address this simple problem
would be most gratefully received.

Thanks.

Rob



--
View this message in context: http://cxf.547215.n5.nabble.com/Simple-Problem-Restful-HTTP-Basic-Auth-over-HTTPS-tp5732594.html
Sent from the cxf-user mailing list archive at Nabble.com.

Re: Simple Problem - Restful HTTP Basic Auth over HTTPS

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 22/08/13 19:39, rpd wrote:
> Hi Sergey
>
> Glad to say that it's all working fine - thanks a lot for your help. So I've now got web-container managed basic-authentication with https transport and I can build restful web-services using JAX-RS with CXF.  Great!
>
Good news, thanks for confirming
>
> As a matter of interest you said that I could "delay working with Application" as a next step.  What is "Application" and why is it more desirable than working with service classes?  This is just a beginning for me on this stuff and it is hard to work out some of the docs.
>
Application is a JAX-RS 'container' which packages service classes and
providers. Using Application offers a portable approach toward deploying
JAX-RS services, but it requires a bit more work, which is why I suggested
doing it next.

http://jax-rs-spec.java.net/nonav/2.0/apidocs/javax/ws/rs/core/Application.html

HTH, Sergey
>
> Rob
>
>
> ________________________________
>   From: Sergey Beryozkin [via CXF] <ml...@n5.nabble.com>
> To: rpd <Ro...@yahoo.co.uk>
> Sent: Wednesday, 21 August 2013, 17:24
> Subject: Re: Simple Problem - Restful HTTP Basic Auth over HTTPS
>
>
>
> Hi
> On 21/08/13 16:41, rpd wrote:
>
>> Hi Sergey - I'm ready to try things now with a fresh Tomcat deployment
>> configured to use Basic Auth container-based security and HTTPS for any
>> servlet I choose.  Now it's time to try out CXF.  Have to say I'm finding
>> the apparent lack of an idiot's guide/hello world quite hard to deal with.
>>
>> Since I don't want to add Spring to the mix, I assume that I should be
>> consulting
>> http://cxf.apache.org/docs/jaxrs-services-configuration.html#JAXRSServicesConfiguration-ConfiguringJAXRSservicesincontainerwithoutSpring
>> - right?
>>
>> To try a simple service which web.xml fragment should I use?  In the
>> documentation there are several xml fragments.  I am guessing that I should
>> use the following right (I want to write only JAX-RS services)?
>>
>> <servlet>
>>    <servlet-name>CXFServlet</servlet-name>
>>    <display-name>CXF Servlet</display-name>
>>    <servlet-class>
>>      org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet
>>    </servlet-class>
>>    <init-param>
>>     <param-name>javax.ws.rs.Application</param-name>
>>     <param-value>
>>       org.apache.cxf.systest.jaxrs.BookApplication
>>       (name=1 id=2)
>>     </param-value>
>>    </init-param>
>>    <load-on-startup>1</load-on-startup>
>> </servlet>
>>
> Yes, you can delay starting to work with Application and do it at the next
> step; first try registering a basic JAX-RS service class:
>
> <init-param>
>     <param-name>jaxrs.serviceClasses</param-name>
>     <param-value>
>       org.bar.SimpleJaxrsService
>     </param-value>
>    </init-param>
>
>> Is there some guide to how to set things up first?  For example, I'm
>> assuming that I need to set up the CXF_HOME env variable? Which jars should
>> be in my project's lib folder - there are many?  Etc?
>>
> The simplest option is to download a CXF distro and copy all the libs from
> there; using Maven can be more effective, especially with
> 3.0.0-SNAPSHOT, where Dan refactored the JAX-RS frontend to have a bare
> minimum of dependencies
>
> Cheers, Sergey
>


Re: Simple Problem - Restful HTTP Basic Auth over HTTPS

Posted by rpd <Ro...@yahoo.co.uk>.
Hi Sergey

Glad to say that it's all working fine - thanks a lot for your help. So I've now got web-container managed basic-authentication with https transport and I can build restful web-services using JAX-RS with CXF.  Great!


As a matter of interest you said that I could "delay working with Application" as a next step.  What is "Application" and why is it more desirable than working with service classes?  This is just a beginning for me on this stuff and it is hard to work out some of the docs.


Rob


________________________________
 From: Sergey Beryozkin [via CXF] <ml...@n5.nabble.com>
To: rpd <Ro...@yahoo.co.uk> 
Sent: Wednesday, 21 August 2013, 17:24
Subject: Re: Simple Problem - Restful HTTP Basic Auth over HTTPS
 


Hi 
On 21/08/13 16:41, rpd wrote: 

> Hi Sergey - I'm ready to try things now with a fresh Tomcat deployment 
> configured to use Basic Auth container-based security and HTTPS for any 
> servlet I choose.  Now it's time to try out CXF.  Have to say I'm finding 
> the apparent lack of an idiot's guide/hello world quite hard to deal with. 
> 
> Since I don't want to add Spring to the mix, I assume that I should be 
> consulting 
> http://cxf.apache.org/docs/jaxrs-services-configuration.html#JAXRSServicesConfiguration-ConfiguringJAXRSservicesincontainerwithoutSpring
> - right? 
> 
> To try a simple service which web.xml fragment should I use?  In the 
> documentation there are several xml fragments.  I am guessing that I should 
> use the following right (I want to write only JAX-RS services)? 
> 
> <servlet> 
>   <servlet-name>CXFServlet</servlet-name> 
>   <display-name>CXF Servlet</display-name> 
>   <servlet-class> 
>     org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet 
>   </servlet-class> 
>   <init-param> 
>    <param-name>javax.ws.rs.Application</param-name> 
>    <param-value> 
>      org.apache.cxf.systest.jaxrs.BookApplication 
>      (name=1 id=2) 
>    </param-value> 
>   </init-param> 
>   <load-on-startup>1</load-on-startup> 
> </servlet> 
> 
Yes, you can delay starting to work with Application and do it at the next
step; first try registering a basic JAX-RS service class:

<init-param> 
   <param-name>jaxrs.serviceClasses</param-name> 
   <param-value> 
     org.bar.SimpleJaxrsService 
   </param-value> 
  </init-param> 

> Is there some guide to how to set things up first?  For example, I'm 
> assuming that I need to set up the CXF_HOME env variable? Which jars should 
> be in my project's lib folder - there are many?  Etc? 
> 
The simplest option is to download a CXF distro and copy all the libs from
there; using Maven can be more effective, especially with 
3.0.0-SNAPSHOT, where Dan refactored the JAX-RS frontend to have a bare 
minimum of dependencies 

Cheers, Sergey 



-- 
Sergey Beryozkin 

Talend Community Coders 
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com



Re: Simple Problem - Restful HTTP Basic Auth over HTTPS

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi
On 21/08/13 16:41, rpd wrote:
> Hi Sergey - I'm ready to try things now with a fresh Tomcat deployment
> configured to use Basic Auth container-based security and HTTPS for any
> servlet I choose.  Now it's time to try out CXF.  Have to say I'm finding
> the apparent lack of an idiot's guide/hello world quite hard to deal with.
>
> Since I don't want to add Spring to the mix, I assume that I should be
> consulting
> http://cxf.apache.org/docs/jaxrs-services-configuration.html#JAXRSServicesConfiguration-ConfiguringJAXRSservicesincontainerwithoutSpring
> - right?
>
> To try a simple service which web.xml fragment should I use?  In the
> documentation there are several xml fragments.  I am guessing that I should
> use the following right (I want to write only JAX-RS services)?
>
> <servlet>
>   <servlet-name>CXFServlet</servlet-name>
>   <display-name>CXF Servlet</display-name>
>   <servlet-class>
>     org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet
>   </servlet-class>
>   <init-param>
>    <param-name>javax.ws.rs.Application</param-name>
>    <param-value>
>      org.apache.cxf.systest.jaxrs.BookApplication
>      (name=1 id=2)
>    </param-value>
>   </init-param>
>   <load-on-startup>1</load-on-startup>
> </servlet>
>

Yes, you can delay starting to work with Application and do it at the next
step; first try registering a basic JAX-RS service class:

<init-param>
  <param-name>jaxrs.serviceClasses</param-name>
  <param-value>
    org.bar.SimpleJaxrsService
  </param-value>
</init-param>

> Is there some guide to how to set things up first?  For example, I'm
> assuming that I need to set up the CXF_HOME env variable? Which jars should
> be in my project's lib folder - there are many?  Etc?
>
The simplest option is to download a CXF distro and copy all the libs from
there; using Maven can be more effective, especially with 
3.0.0-SNAPSHOT, where Dan refactored the JAX-RS frontend to have a bare 
minimum of dependencies

Cheers, Sergey



-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com

Re: Simple Problem - Restful HTTP Basic Auth over HTTPS

Posted by rpd <Ro...@yahoo.co.uk>.
Hi Sergey - I'm ready to try things now with a fresh Tomcat deployment
configured to use Basic Auth container-based security and HTTPS for any
servlet I choose.  Now it's time to try out CXF.  Have to say I'm finding
the apparent lack of an idiot's guide/hello world quite hard to deal with.

Since I don't want to add Spring to the mix, I assume that I should be
consulting
http://cxf.apache.org/docs/jaxrs-services-configuration.html#JAXRSServicesConfiguration-ConfiguringJAXRSservicesincontainerwithoutSpring
- right?  

To try a simple service which web.xml fragment should I use?  In the
documentation there are several xml fragments.  I am guessing that I should
use the following right (I want to write only JAX-RS services)? 

<servlet>
 <servlet-name>CXFServlet</servlet-name>
 <display-name>CXF Servlet</display-name>
 <servlet-class>
   org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet
 </servlet-class>
 <init-param>
  <param-name>javax.ws.rs.Application</param-name>
  <param-value>
    org.apache.cxf.systest.jaxrs.BookApplication
    (name=1 id=2)        
  </param-value>
 </init-param>
 <load-on-startup>1</load-on-startup>
</servlet>

Is there some guide to how to set things up first?  For example, I'm
assuming that I need to set up the CXF_HOME env variable? Which jars should
be in my project's lib folder - there are many?  Etc?




Re: Simple Problem - Restful HTTP Basic Auth over HTTPS

Posted by rpd <Ro...@yahoo.co.uk>.
Thanks Sergey - I'll now try this stuff out with some codes.

rgds

Rob


________________________________
 From: Sergey Beryozkin [via CXF] <ml...@n5.nabble.com>
To: rpd <Ro...@yahoo.co.uk> 
Sent: Monday, 19 August 2013, 8:58
Subject: Re: Simple Problem - Restful HTTP Basic Auth over HTTPS
 


Hi 

On 18/08/13 23:30, rpd wrote: 

> Dear Sergey 
> 
> Thanks very much for responding so quickly.  I looked up what I could find 
> on CXFServlet and understand that I must deploy it in my web.xml. So that 
> solves the https issue so long as I configure Tomcat SSL etc. 
> 
> However, I don't think that you're advising me to extend CXFServlet in my 
> code instead of HttpServlet and therefore write normal servlet code. So, 
> given that I am not writing the all-familiar servlet, that leaves me 
> wondering how a service that I implement is going to... 
CXFServlet is a regular Servlet whose primary goal is to route a current
HTTP request to a WS or RS endpoint. My understanding was, you were
preferring to keep using Servlet-level declarative security, right? So
I believe you can apply all the security-constraints to CXFServlet,
for example, tell Tomcat it should do Basic authentication.

> 
> (a) perform the HTTP basic auth 

See above; using JAAS would be another option 

> (b) allow me to access the user-name (I think you called the principal) 
> against the session. 
> 
You can inject JAX-RS SecurityContext into your service code and access 
Principal (and its name) 


> Take, for example, the code fragment on pages 175-176 of the Apache CXF Web 
> Development book - the "CategoryService" class.  Suppose that all methods 
> require as a pre-condition that the requestor be authenticated. Suppose also 
> that I needed to obtain the user-name in one or all of the methods (e.g. the 
> getCategory method). 
> 
> How would I modify this code to get what I need and what would I need to 
> setup beforehand apart from the deployment of the CXFServlet?  (NB we're not 
> Spring guys either I'm afraid) 
>
I don't own the copy, but I'm hoping what I said above should clarify
things more

Cheers, Sergey 

> best regards, Rob. 


-- 
Sergey Beryozkin 

Talend Community Coders 
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com



Re: Simple Problem - Restful HTTP Basic Auth over HTTPS

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

On 18/08/13 23:30, rpd wrote:
> Dear Sergey
>
> Thanks very much for responding so quickly.  I looked up what I could find
> on CXFServlet and understand that I must deploy it in my web.xml. So that
> solves the https issue so long as I configure Tomcat SSL etc.
>
> However, I don't think that you're advising me to extend CXFServlet in my
> code instead of HttpServlet and therefore write normal servlet code. So,
> given that I am not writing the all-familiar servlet, that leaves me
> wondering how a service that I implement is going to...

CXFServlet is a regular Servlet whose primary goal is to route a current
HTTP request to a WS or RS endpoint. My understanding was, you were
preferring to keep using Servlet-level declarative security, right? So
I believe you can apply all the security-constraints to CXFServlet,
for example, tell Tomcat it should do Basic authentication.

>
> (a) perform the HTTP basic auth

See above; using JAAS would be another option

> (b) allow me to access the user-name (I think you called the principal)
> against the session.
>
You can inject JAX-RS SecurityContext into your service code and access 
Principal (and its name)

> Take, for example, the code fragment on pages 175-176 of the Apache CXF Web
> Development book - the "CategoryService" class.  Suppose that all methods
> require as a pre-condition that the requestor be authenticated. Suppose also
> that I needed to obtain the user-name in one or all of the methods (e.g. the
> getCategory method).
>
> How would I modify this code to get what I need and what would I need to
> setup beforehand apart from the deployment of the CXFServlet?  (NB we're not
> Spring guys either I'm afraid)
>
I don't own the copy, but I'm hoping what I said above should clarify 
things more

Cheers, Sergey

> best regards, Rob.


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com
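
Added example (not part of the original post, and not CXF's own code): the container-managed setup described in the reply above, with the web.xml fragment carried in the header comment and a service class that reads the authenticated Principal through an injected SecurityContext. The servlet class, the jaxrs.serviceClasses parameter and org.bar.SimpleJaxrsService come from the thread; the role name api-user, the realm name, the /services/* pattern and the /whoami path are assumptions.

```java
/*
 * WEB-INF/web.xml fragment assumed by this class. Role "api-user", realm name and
 * URL pattern are constructed; the user store (e.g. a JDBCRealm) lives in Tomcat.
 *
 * <servlet>
 *   <servlet-name>CXFServlet</servlet-name>
 *   <servlet-class>org.apache.cxf.jaxrs.servlet.CXFNonSpringJaxrsServlet</servlet-class>
 *   <init-param>
 *     <param-name>jaxrs.serviceClasses</param-name>
 *     <param-value>org.bar.SimpleJaxrsService</param-value>
 *   </init-param>
 *   <load-on-startup>1</load-on-startup>
 * </servlet>
 * <servlet-mapping>
 *   <servlet-name>CXFServlet</servlet-name>
 *   <url-pattern>/services/*</url-pattern>
 * </servlet-mapping>
 * <security-constraint>
 *   <web-resource-collection>
 *     <web-resource-name>JAX-RS services</web-resource-name>
 *     <url-pattern>/services/*</url-pattern>
 *   </web-resource-collection>
 *   <auth-constraint><role-name>api-user</role-name></auth-constraint>
 *   <user-data-constraint>
 *     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *   </user-data-constraint>
 * </security-constraint>
 * <login-config>
 *   <auth-method>BASIC</auth-method>
 *   <realm-name>services</realm-name>
 * </login-config>
 * <security-role><role-name>api-user</role-name></security-role>
 */
package org.bar;

import java.security.Principal;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;

@Path("/whoami")
public class SimpleJaxrsService {
    // Injected by the JAX-RS runtime; it exposes the Principal that the
    // servlet container established while enforcing the security-constraint.
    @Context
    private SecurityContext securityContext;

    @GET
    @Produces("text/plain")
    public String whoAmI() {
        Principal caller = securityContext.getUserPrincipal();
        // Fail closed: a null Principal means the request was not covered by the
        // constraint (e.g. a URL pattern mismatch); isSecure() is false off TLS.
        if (caller == null || !securityContext.isSecure()) {
            throw new WebApplicationException(Response.Status.FORBIDDEN);
        }
        return caller.getName();
    }
}
```

The security-constraint URL pattern has to cover the same paths as the CXFServlet mapping; any service path left outside it is served without authentication.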

Re: Simple Problem - Restful HTTP Basic Auth over HTTPS

Posted by rpd <Ro...@yahoo.co.uk>.
Dear Sergey

Thanks very much for responding so quickly.  I looked up what I could find
on CXFServlet and understand that I must deploy it in my web.xml. So that
solves the https issue so long as I configure Tomcat SSL etc.

However, I don't think that you're advising me to extend CXFServlet in my
code instead of HttpServlet and therefore write normal servlet code. So,
given that I am not writing the all-familiar servlet, that leaves me
wondering how a service that I implement is going to...

(a) perform the HTTP basic auth 
(b) allow me to access the user-name (I think you called the principal)
against the session.

Take, for example, the code fragment on pages 175-176 of the Apache CXF Web
Development book - the "CategoryService" class.  Suppose that all methods
require as a pre-condition that the requestor be authenticated. Suppose also
that I needed to obtain the user-name in one or all of the methods (e.g. the
getCategory method).

How would I modify this code to get what I need and what would I need to
setup beforehand apart from the deployment of the CXFServlet?  (NB we're not
Spring guys either I'm afraid)

best regards, Rob.




Re: Simple Problem - Restful HTTP Basic Auth over HTTPS

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

Thanks for your query,
On 18/08/13 13:25, rpd wrote:
> Hi
>
> We're trying to evaluate CXF for our project at the moment - so are not
> really into it yet.  So it may be that we're missing a blindingly obvious
> answer to the following.
>
> We want to create a series of restful web-services and will be using Tomcat
> 7.  Probably most if not all services will be using HTTPS and will require
> basic HTTP auth.  If doing this with servlets it would be simple.  Configure
> the HTTPS connector in server.xml mostly takes care of the HTTPS part.
> Create a database table of users then use a Tomcat JDBCRealm so that the
> users/credentials are accessible by Tomcat. Annotate every servlet that
> needs to be authenticated. Tomcat then associates the user with the session
> once authenticated or sends back a 401 message if not.
>
> With CXF it's really not clear how this well-trodden process should work at
> all and it's a real sticking point for us. The posts and documentation I
> have read seem to suggest all manner of very complex solutions to this
> simple problem (including request-handlers, interceptors, JAAS, Spring
> security). This makes us think that we're missing something obvious.

First of all, if you prefer, you can continue using the existing Tomcat 
configuration with CXF, and specifically with CXFServlet.

CXF will make the authenticated Principal available to the web service 
application (via Security context).

CXF can make it easy to use JAAS LoginModules but you do not have to use 
JAAS if you do not need to.

Then you can use simple Authorization support if needed:

http://cxf.apache.org/docs/security.html#Security-Authorization,

etc

Does it help a bit ?

Cheers, Sergey

>
> Any advice as to how to address this simple problem
> would be most gratefully received.
>
> Thanks.
>
> Rob


-- 
Sergey Beryozkin

Talend Community Coders
http://coders.talend.com/

Blog: http://sberyozkin.blogspot.com