<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>
                                <td>
                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <!-- To have a header image/logo replace the name below with your img tag -->
                                                                        <!-- Email clients will render the images when the message is read so any image -->
                                                                        <!-- must be made available on a public server, so that all recipients can load the image. -->
                                                                        <a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">Community</a></h1>
                                                                </td>
                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
JBWS-2210 : CXF Username Token JAAS integration
</h3>
<span style="margin-bottom: 10px;">
created by <a href="http://community.jboss.org/people/sergeyb">Sergey Beryozkin</a> in <i>JBoss Web Services Development</i> - <a href="http://community.jboss.org/message/536321#536321">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>Hi</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I've been looking recently at resolving JBWS-2210 [1].</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The issue is to do with the fact that a WS-Security UsernameToken can not be currently used in JBoss CXF to integrate with the JBoss security subsystem for authentication and authorization decisions be made.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I've done some initial changes in CXF and started a discussion on the cxf dev list [2].</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Here is the summary of the proposed approach.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The idea is to override a CXF WSS4JInInterceptor and provide a CallbachHandler to the WSS4J module which will ensure that an authentication occurs but also that a current SecurityContext is properly populated. The CXF interceptor which overrides CXF WSS4JInInterceptor is an abstract one [3], its job is to ensure that irrespectively of whether a current password is digested or not, the concrete subclass is requested to authenticate and populate a Subject.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>CXF also includes an abstract AuthorizingInInterceptor[4] which requests a subclass for a list of expected roles and asks SecurityContext if a user is in role.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Given the above, here's how I'm thinking of resolving JBWS-2210 :</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>- provide a CXF interceptor (to be included in JBoss CXF) which will extend [3] and delegate to JBoss AuthenticationManager to populate a Subject</p><p>- provide a CXF interceptor (to be included in JBoss CXF) which will extend [4] and retrieve a list of expected roles;</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>JBoss CXF WS-Security UsernameToken-aware endpoints will include the above two interceptors if the authentication & authorization is needed.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>At the moment I'm working on a system test validating the above approach.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>If you have any comments then please let me know</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>cheers, Sergey</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p><span>[1] </span><a class="jive-link-external-small" href="https://jira.jboss.org/jira/browse/JBWS-2210" target="_blank">https://jira.jboss.org/jira/browse/JBWS-2210</a></p><p><span>[2] </span><a class="jive-link-external-small" href="http://old.nabble.com/Using-WS-Security-UsernameToken-to-authenticate-users-and-populate--SecurityContexts-td28165583.html" target="_blank">http://old.nabble.com/Using-WS-Security-UsernameToken-to-authenticate-users-and-populate--SecurityContexts-td28165583.html</a></p><p>[3] <a class="jive-link-external-small" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JSecurityContextProvidingInterceptor.java">http://svn.apache.org/repos/asf/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JSecurityContextProvidingInterceptor.java</a><br/> [4] <a class="jive-link-external-small" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java">http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java</a></p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Reply to this message by <a href="http://community.jboss.org/message/536321#536321">going to Community</a></p>
        <p style="margin: 0;">Start a new discussion in JBoss Web Services Development at <a href="http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2047">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>