Posted to users@cxf.apache.org by Stephen Langella <st...@inventrio.com> on 2010/09/17 03:08:08 UTC

Rest Security

	I have developed a REST service that uses https/SSL with client authentication. I have deployed the service and tested it using client proxies created with JAXRSClientFactory. I have confirmed that the authentication is working and that the client can connect to the service etc. What I am trying to do now is get the client's authentication identity such that I can make an authorization decision within the service. I have annotated my REST service implementation using @Context such that both the javax.ws.rs.core.SecurityContext and org.apache.cxf.jaxrs.ext.MessageContext get injected. I have validated that both do get injected at runtime. The problem I am running into is that when I call getUserPrincipal(), it returns null, when I am expecting the client's DN. In addition, when I call getAuthenticationScheme(), it returns "Unknown scheme", when I am expecting "CLIENT_CERT_AUTH". Any ideas on what I might be doing wrong? Thanks in advance.

--Steve


Stephen Langella

Inventrio
545 Metro Place South, Suite 475
Dublin, OH 43017
Phone: (614) 389-2795 x102
Fax: (614) 522-6249
Email: Stephen.Langella@inventrio.com
http://www.inventrio.com


Re: Rest Security

Posted by Sergey Beryozkin <sb...@gmail.com>.
Hi

On Fri, Sep 17, 2010 at 2:08 AM, Stephen Langella <
stephen.langella@inventrio.com> wrote:

>
>        I have developed a rest service that uses https/SSL with client
> authentication.   I have deployed the service and tested it using client
> proxies created with JAXRSClientFactory.  I have confirmed that the
> authentication is working and that the client can connect to the service
> etc.   What I am trying to do now is get the client's authentication
> identity such that I can make an authorization decision within the service.
>   I have annotated my rest service implementation using @Context such that
> both the javax.ws.rs.core.SecurityContext and
> org.apache.cxf.jaxrs.ext.MessageContext get injected.   I have validated
> that both do get injected at runtime.   The problem I am running into is
> when I call getUserPrincipal(), it returns null, when I am expecting the
> client's DN.  In addition when I call getAuthenticationScheme(), it returns
> "Unknown scheme", when I am expecting "CLIENT_CERT_AUTH".  Any ideas on what
> I might be doing wrong?  Thanks in advance.
>
>
I suspect that HttpServletRequest is not returning a Principal in the
case of "CLIENT_CERT_AUTH". Can you please try injecting @Context
HttpServletRequest and try to get a Principal? But the way to really confirm
whether it is there or not is to register a simple test filter and check from
the filter whether the Principal is populated or not.

thanks, Sergey



> --Steve
>
>
> Stephen Langella
>
> Inventrio
> 545 Metro Place South, Suite 475
> Dublin, OH 43017
> Phone: (614) 389-2795 x102
> Fax: (614) 522-6249
> Email: Stephen.Langella@inventrio.com
> http://www.inventrio.com
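A test filter of the kind suggested in the reply above, as an added example that is not code from either poster or from CXF. The class name `ClientCertProbeFilter` and the logger are hypothetical; the code assumes the `javax.servlet` API and that the filter is mapped in `web.xml` ahead of the CXF servlet. Besides the Principal, it reads the standard `javax.servlet.request.X509Certificate` request attribute so the certificate presented in the TLS handshake can be compared with what the container reports.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Hypothetical diagnostic filter (name and logger are illustrative).
public class ClientCertProbeFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(ClientCertProbeFilter.class.getName());
    // Standard Servlet API attribute holding the TLS client certificate chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig cfg) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            LOG.info(describe((HttpServletRequest) req));
        }
        chain.doFilter(req, res); // diagnostic only: never blocks the request
    }

    // Summarises what the container exposes about the caller's identity.
    static String describe(HttpServletRequest http) {
        Principal p = http.getUserPrincipal();
        Object attr = http.getAttribute(CERT_ATTR);
        String subject = "none";
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            // Element 0 is the client's own certificate; the rest is its chain.
            subject = ((X509Certificate[]) attr)[0].getSubjectX500Principal().getName();
        }
        return "secure=" + http.isSecure()
                + " authType=" + http.getAuthType()
                + " principal=" + (p == null ? "null" : p.getName())
                + " certSubject=" + subject;
    }
}
```

A log line with a populated `certSubject` but `principal=null` means the handshake delivered the certificate while the container did not establish an authenticated user for the request.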