Posted to users@cxf.apache.org by Stephen Langella <st...@inventrio.com> on 2009/08/18 20:37:12 UTC

Determining Caller's Identity

I have written an Apache CXF Web Service (WSDL First), inside the  
service I want to enforce authorization based on the identity of the  
client that called the service.  I wanted to know if there was an API  
call I can make from the service implementation to obtain the client  
identity.   For example if the client authenticates over HTTPS with a  
client certificate.

--Steve

Stephen Langella
Co-Founder
Inventrio, LLC
www.inventrio.com

Stephen.Langella@inventrio.com







Re: Interceptor to modify http soap-message

Posted by Daniel Kulp <dk...@apache.org>.
Under "normal" operation, the messages are streamed out on the wire as they 
are produced.  Thus, you cannot really "rewrite" them that way.   There are 
options, however, depending on how complex of a re-writing you need to do:

Options:
1) Usually highest performing, but usually harder to write and "transforms" 
usually have to be pretty simple:   Write your own XMLStreamWriter that 
wraps the original writers and kind of filters the events.   This is 
generally useful for simple things like element renaming, string munging, 
namespace re-mapping, etc.... that can be done in a streaming manner.

2) Next best option:   configure in the SAAJOutInterceptor and in POST-
MARSHALL, grab the SoapMessage out of the message and manipulate it as a DOM.   
This allows more complex things like XSLT transforms, etc...., but does keep 
the message in memory instead of streaming.   

3) If you need to operate at the stream level, you would need to register an 
interceptor (that runs before StaxOutInterceptor) that replaces the 
OutputStream with something that would buffer the output (like a 
ByteArrayOutputStream, but our CachedOutputStream is probably better) and then 
stick an interceptor at the end that would take the buffer, do whatever 
transform is needed, and write it to the original output stream.

Hope that helps.


Dan


On Wed August 19 2009 7:09:44 am Hartmut Lang wrote:
> Hi,
>
> We have the need to modify some of the soap messages that are generated
> by CXF.
> The idea is to use an OutInterceptor.
> Is there an example how such an interceptor should work, if it has to
> change the soap-message in the POST_MARSHALL phase.
>
> Our approach was to rewrite the outputstream of the message. But the
> problem here is the "HTTPConduit.WrappedOutputStream" that is used.
> We found no way to overwrite the content that is already in that stream.
>
> Is rewriting the stream the right approach?
> Any ideas, examples on that?
>
> Thanks,
> Hartmut

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog

Interceptor to modify http soap-message

Posted by Hartmut Lang <ha...@ericsson.com>.
Hi,

We have the need to modify some of the soap messages that are generated
by CXF.
The idea is to use an OutInterceptor.
Is there an example how such an interceptor should work, if it has to
change the soap-message in the POST_MARSHALL phase.

Our approach was to rewrite the outputstream of the message. But the
problem here is the "HTTPConduit.WrappedOutputStream" that is used.
We found no way to overwrite the content that is already in that stream.

Is rewriting the stream the right approach?
Any ideas, examples on that?

Thanks,
Hartmut

Re: Determining Caller's Identity

Posted by Stephen Langella <St...@osumc.edu>.
Josef,

    Thanks

--Steve

Stephen Langella
Co-Director 
Software Research Institute
Center for IT Innovations in Healthcare
Ohio State University

Senior Researcher  
Department of Biomedical Informatics
Ohio State University

Office: (614) 293-9534
Lab: (614) 292-8420
Stephen.Langella@osumc.edu


> From: Josef Bajada <Jo...@go.com.mt>
> Reply-To: <us...@cxf.apache.org>
> Date: Wed, 19 Aug 2009 17:05:36 +0200
> To: <us...@cxf.apache.org>
> Subject: RE: Determining Caller's Identity
> 
> Just put the annotation @Resource before the field and by
> resource-injection it should be populated automatically by the
> container.
> 
> Josef



RE: Determining Caller's Identity

Posted by Josef Bajada <Jo...@go.com.mt>.
Just put the annotation @Resource before the field and by
resource-injection it should be populated automatically by the
container.

Josef



-----Original Message-----
From: Stephen Langella [mailto:Stephen.Langella@osumc.edu] 
Sent: 19 August 2009 15:48
To: users@cxf.apache.org
Subject: Re: Determining Caller's Identity

Josef,

    Thanks for the information, how do I get a handle to the
WebServiceContext inside my service implementation?

--Steve

Stephen Langella
Co-Director 
Software Research Institute
Center for IT Innovations in Healthcare
Ohio State University

Senior Researcher  
Department of Biomedical Informatics
Ohio State University

Office: (614) 293-9534
Lab: (614) 292-8420
Stephen.Langella@osumc.edu





Re: Determining Caller's Identity

Posted by Stephen Langella <St...@osumc.edu>.
Josef,

    Thanks for the information, how do I get a handle to the
WebServiceContext inside my service implementation?

--Steve

Stephen Langella
Co-Director 
Software Research Institute
Center for IT Innovations in Healthcare
Ohio State University

Senior Researcher  
Department of Biomedical Informatics
Ohio State University

Office: (614) 293-9534
Lab: (614) 292-8420
Stephen.Langella@osumc.edu


> From: Josef Bajada <Jo...@go.com.mt>
> Reply-To: <us...@cxf.apache.org>
> Date: Wed, 19 Aug 2009 15:03:05 +0200
> To: <us...@cxf.apache.org>
> Subject: RE: Determining Caller's Identity
> 
> If you use the servlet container's authentication and transport security
> methods (through WEB-INF/web.xml) to force authentication (such as HTTP
> BASIC Auth over HTTPS), you can simply put the following line in your
> service implementation class.
> 
> 
> /**
>  * The web-service context will be automatically injected by the
>  * JAX-WS Container.
>  */
> @Resource
> private WebServiceContext context;
> 
> 
> // in your methods where you need to check the caller:
> if (context.getUserPrincipal() != null)
> {
>     log.info(context.getUserPrincipal().getName() + ":: just called our methods");
> }
> 
> Regards,
> Josef



RE: Determining Caller's Identity

Posted by Eamonn Dwyer <ea...@hotmail.com>.
Hi Dan and Dan
I think the attribute names may be slightly different to the ones mentioned below - looking at the code in SSLUtils.java propagateSecureSession they seem to be 
"javax.servlet.request.cipher_suite" and "javax.servlet.request.X509Certificate".

or if you feel like going the interceptor route the code would look something like (though you will need to add code to distinguish between the client's own certificate and the client's own certificate's CA chain)
 
....


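import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;

public class TestInterceptor extends AbstractPhaseInterceptor<Message> {

    public TestInterceptor() {
        super(Phase.RECEIVE);
    }

    public void handleMessage(Message message) throws Fault {
        // TLS details for the connection this message arrived on; null when
        // the request did not come in over HTTPS.
        TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
        if (tlsSessionInfo == null || tlsSessionInfo.getPeerCertificates() == null) {
            return;
        }
        // Print the subject DN of every certificate the client presented.
        Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
        for (int i = 0; i < peerCerts.length; i++) {
            X509Certificate x509certificate = (X509Certificate) peerCerts[i];
            System.out.println("x509certificate " + x509certificate.getSubjectDN());
        }
    }

}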

the output would look like
x509certificate CN=bob, OU=eng, O=mycompany.com
x509certificate CN=trent, OU=eng, O=mycompany.com


Regs
Eamonn


> From: dkulp@apache.org
> To: users@cxf.apache.org
> Subject: Re: Determining Caller's Identity
> Date: Wed, 19 Aug 2009 13:53:49 -0400
> CC: Stephen.Langella@osumc.edu
> 
> On Wed August 19 2009 1:20:25 pm Stephen Langella wrote:
> > Josef,
> >
> >     I tried what you suggested but context.getUserPrincipal() returned
> > null. Keep in mind I am using X.509 client certificates to authenticate
> > with the server, I am trying to get the subject DN from the client's
> > certificate as opposed to a basic authentication user id.   Is this
> > supported or am I doing something wrong?   In Googling around I found a
> > JIRA issue related to this and it is not clear whether or not what I am
> > trying to do is supported:
> >
> > https://issues.apache.org/jira/browse/CXF-1680
> 
> That had to do with X509 things within a WS-Security secured message, not 
> really using certs for SSL/https.   For https, what you probably need to do is 
> pull the HttpServletRequest out of the context 
> (context.get(MessageContext.SERVLET_REQUEST)) and then use the 
> HttpServletRequest.getAttribute(...) call to retrieve the various HTTPS 
> attributes.   "javax.net.ssl.peer_certificates" and 
> "javax.net.ssl.cipher_suite" and such.
> 
> Dan
> 
> 
> >
> > I would appreciate if someone would comment, thanks in advance.
> >
> > --Steve
> >
> > Stephen Langella
> > Co-Director
> > Software Research Institute
> > Center for IT Innovations in Healthcare
> > Ohio State University
> >
> > Senior Researcher
> > Department of Biomedical Informatics
> > Ohio State University
> >
> > Office: (614) 293-9534
> > Lab: (614) 292-8420
> > Stephen.Langella@osumc.edu
> >
> 
> -- 
> Daniel Kulp
> dkulp@apache.org
> http://www.dankulp.com/blog
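
An added example (not code from this thread or from the CXF project) of the step Eamonn's reply leaves open: picking the client's own certificate out of the peer chain and authorizing on its subject. It assumes the server already requires and validates client certificates at the TLS layer; the class name, the allow-list and the `example.tls.subject` property key are hypothetical.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.x500.X500Principal;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.transport.TLSSessionInfo;

/** Hypothetical interceptor: rejects callers whose certificate subject is not allow-listed. */
public class ClientCertAuthzInterceptor extends AbstractPhaseInterceptor<Message> {

    /** Hypothetical message property under which the caller's subject is published. */
    public static final String SUBJECT_KEY = "example.tls.subject";

    /** Allowed subjects, stored in canonical form so equivalent DN spellings match. */
    private final Set<String> allowed = new HashSet<String>();

    /** @param allowedSubjectDns constructed allow-list, e.g. "CN=bob, OU=eng, O=mycompany.com" */
    public ClientCertAuthzInterceptor(String... allowedSubjectDns) {
        super(Phase.RECEIVE);
        for (String dn : allowedSubjectDns) {
            allowed.add(canonical(new X500Principal(dn)));
        }
    }

    public void handleMessage(Message message) throws Fault {
        // Absent when the request arrived over plain HTTP: fail closed.
        TLSSessionInfo tls = message.get(TLSSessionInfo.class);
        if (tls == null) {
            throw deny("request did not arrive over TLS");
        }
        X509Certificate client = clientCertificate(tls.getPeerCertificates());
        if (client == null) {
            throw deny("no usable client certificate");
        }
        String subject = canonical(client.getSubjectX500Principal());
        if (!allowed.contains(subject)) {
            throw deny("subject not authorized: " + subject);
        }
        // Make the verified identity available to later interceptors and the service.
        message.put(SUBJECT_KEY, subject);
    }

    /**
     * Returns the client's own certificate, or null if there is none.
     * JSSE and the Servlet specification both order the chain with the peer's
     * own certificate first and its issuing CAs after it, so only element 0 is
     * an identity; the rest (trent in the sample output) are issuers.
     */
    static X509Certificate clientCertificate(Certificate[] chain) {
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return null;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        // getBasicConstraints() is -1 for a non-CA certificate. Refusing a CA
        // certificate used as a client identity is a policy choice of this example.
        return leaf.getBasicConstraints() == -1 ? leaf : null;
    }

    /** Canonical DN form: comparison no longer depends on spacing or letter case. */
    static String canonical(X500Principal principal) {
        return principal.getName(X500Principal.CANONICAL);
    }

    private static Fault deny(String reason) {
        return new Fault(new SecurityException(reason));
    }
}
```

Add it to the endpoint's in-interceptor list so it runs on every request.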


Re: Determining Caller's Identity

Posted by Daniel Kulp <dk...@apache.org>.
On Wed August 19 2009 1:20:25 pm Stephen Langella wrote:
> Josef,
>
>     I tried what you suggested but context.getUserPrincipal() returned
> null. Keep in mind I am using X.509 client certificates to authenticate
> with the server, I am trying to get the subject DN from the client's
> certificate as opposed to a basic authentication user id.   Is this
> supported or am I doing something wrong?   In Googling around I found a
> JIRA issue related to this and it is not clear whether or not what I am
> trying to do is supported:
>
> https://issues.apache.org/jira/browse/CXF-1680

That had to do with X509 things within a WS-Security secured message, not 
really using certs for SSL/https.   For https, what you probably need to do is 
pull the HttpServletRequest out of the context 
(context.get(MessageContext.SERVLET_REQUEST)) and then use the 
HttpServletRequest.getAttribute(...) call to retrieve the various HTTPS 
attributes.   "javax.net.ssl.peer_certificates" and 
"javax.net.ssl.cipher_suite" and such.

Dan


>
> I would appreciate if someone would comment, thanks in advance.
>
> --Steve
>
> Stephen Langella
> Co-Director
> Software Research Institute
> Center for IT Innovations in Healthcare
> Ohio State University
>
> Senior Researcher
> Department of Biomedical Informatics
> Ohio State University
>
> Office: (614) 293-9534
> Lab: (614) 292-8420
> Stephen.Langella@osumc.edu
>

-- 
Daniel Kulp
dkulp@apache.org
http://www.dankulp.com/blog
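
Added example, not from the thread or the CXF code base: reading the client certificate from inside the service implementation through the injected WebServiceContext, as Dan's reply outlines. It uses the Servlet-specification attribute name `javax.servlet.request.X509Certificate` that Eamonn's reply on this page gives; the class, the operation and the allow-listed DN are hypothetical, and the endpoint is assumed to run in a servlet container that requires client-certificate authentication.

```java
import java.security.cert.X509Certificate;

import javax.annotation.Resource;
import javax.jws.WebService;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServletRequest;
import javax.xml.ws.WebServiceContext;
import javax.xml.ws.handler.MessageContext;

/**
 * Hypothetical service implementation. In a WSDL-first project this class would
 * also name the generated interface through @WebService(endpointInterface = ...).
 */
@WebService
public class AccountServiceImpl {

    /** Constructed allow-list entry: the only subject permitted to call getBalance. */
    private static final X500Principal ALLOWED =
            new X500Principal("CN=bob, OU=eng, O=mycompany.com");

    /** Injected by the JAX-WS container. */
    @Resource
    private WebServiceContext context;

    /** Hypothetical operation guarded by the caller's certificate subject. */
    public String getBalance(String accountId) {
        X500Principal caller = callerSubject();
        if (caller == null) {
            throw new SecurityException("client certificate required");
        }
        // X500Principal.equals compares canonical names, so spacing and
        // letter case in the DN do not affect the decision.
        if (!ALLOWED.equals(caller)) {
            throw new SecurityException("caller not authorized: " + caller.getName());
        }
        return "0.00"; // placeholder result for the example
    }

    /** Subject of the certificate the client presented on this connection, or null. */
    private X500Principal callerSubject() {
        HttpServletRequest request = (HttpServletRequest)
                context.getMessageContext().get(MessageContext.SERVLET_REQUEST);
        if (request == null || !request.isSecure()) {
            return null; // not a servlet transport, or plain HTTP
        }
        Object attribute = request.getAttribute("javax.servlet.request.X509Certificate");
        if (!(attribute instanceof X509Certificate[])) {
            return null; // TLS without a client certificate
        }
        X509Certificate[] chain = (X509Certificate[]) attribute;
        // The first element is the client's own certificate; any others are its CA chain.
        return chain.length == 0 ? null : chain[0].getSubjectX500Principal();
    }
}
```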

Re: Determining Caller's Identity

Posted by Stephen Langella <St...@osumc.edu>.
Josef,

    I tried what you suggested but context.getUserPrincipal() returned null.
Keep in mind I am using X.509 client certificates to authenticate with the
server, I am trying to get the subject DN from the client's certificate as
opposed to a basic authentication user id.   Is this supported or am I doing
something wrong?   In Googling around I found a JIRA issue related to this
and it is not clear whether or not what I am trying to do is supported:

https://issues.apache.org/jira/browse/CXF-1680

I would appreciate if someone would comment, thanks in advance.

--Steve
 
Stephen Langella
Co-Director 
Software Research Institute
Center for IT Innovations in Healthcare
Ohio State University

Senior Researcher  
Department of Biomedical Informatics
Ohio State University

Office: (614) 293-9534
Lab: (614) 292-8420
Stephen.Langella@osumc.edu


> From: Josef Bajada <Jo...@go.com.mt>
> Reply-To: <us...@cxf.apache.org>
> Date: Wed, 19 Aug 2009 15:03:05 +0200
> To: <us...@cxf.apache.org>
> Subject: RE: Determining Caller's Identity
> 
> If you use the servlet container's authentication and transport security
> methods (through WEB-INF/web.xml) to force authentication (such as HTTP
> BASIC Auth over HTTPS), you can simply put the following line in your
> service implementation class.
> 
> 
> /**
>  * The web-service context will be automatically injected by the
>  * JAX-WS Container.
>  */
> @Resource
> private WebServiceContext context;
> 
> 
> // in your methods where you need to check the caller:
> if (context.getUserPrincipal() != null)
> {
>     log.info(context.getUserPrincipal().getName() + ":: just called our methods");
> }
> 
> Regards,
> Josef



RE: Determining Caller's Identity

Posted by Josef Bajada <Jo...@go.com.mt>.
If you use the servlet container's authentication and transport security
methods (through WEB-INF/web.xml) to force authentication (such as HTTP
BASIC Auth over HTTPS), you can simply put the following line in your
service implementation class.


/**
 * The web-service context will be automatically injected by the
 * JAX-WS Container.
 */
@Resource
private WebServiceContext context;


// in your methods where you need to check the caller:
if (context.getUserPrincipal() != null)
{
    log.info(context.getUserPrincipal().getName() + ":: just called our methods");
}

Regards,
Josef



-----Original Message-----
From: Eamonn Dwyer [mailto:eamdwyercxf@hotmail.com] 
Sent: 19 August 2009 12:57
To: users@cxf.apache.org
Subject: RE: Determining Caller's Identity


Hi Stephen 
Not quite what you want but maybe you could do something like this
inside an interceptor rather than inside your service.

TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
// ... check the peer certificates and authorize based on this

Regards
Eamonn


RE: Determining Caller's Identity

Posted by Eamonn Dwyer <ea...@hotmail.com>.
Hi Stephen 
Not quite what you want but maybe you could do something like this inside an interceptor rather than inside your service.

TLSSessionInfo tlsSessionInfo = message.get(TLSSessionInfo.class);
Certificate[] peerCerts = tlsSessionInfo.getPeerCertificates();
// ... check the peer certificates and authorize based on this

Regards
Eamonn

> From: stephen.langella@inventrio.com
> To: users@cxf.apache.org
> Subject: Determining Caller's Identity
> Date: Tue, 18 Aug 2009 14:37:12 -0400
> 
> I have written an Apache CXF Web Service (WSDL First), inside the  
> service I want to enforce authorization based on the identity of the  
> client that called the service.  I wanted to know if there was an API  
> call I can make from the service implementation to obtain the client  
> identity.   For example if the client authenticates over HTTPS with a  
> client certificate.
> 
> --Steve
> 
> Stephen Langella
> Co-Founder
> Inventrio, LLC
> www.inventrio.com
> 
> Stephen.Langella@inventrio.com