<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>
                                <td>
                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">Community</a></h1>
                                                                </td>
                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
JBWS-2210 : CXF Username Token JAAS integration
</h3>
<span style="margin-bottom: 10px;">
reply from <a href="http://community.jboss.org/people/sergeyb">Sergey Beryozkin</a> in <i>JBoss Web Services Development</i> - <a href="http://community.jboss.org/message/537517#537517">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>Hi</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I've created the initial patch for [1].</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The reason it has to be a patch is that JBossCXF currently depends on CXF 2.2.6 while the system test which I've added depends on CXF 2.2.8-SNAPSHOT.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The [UsernameAuthorizingTestCase] test is quite simple but it demonstrates the idea of separating authentication and authorization actions into separate phases.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>SubjectCreatingInterceptor extends [2] and authenticates and populates a Subject using a (legacy) JBossSX API which will need to be updated to use PicketBox API. SubjectCreatingInterceptor could've also overridden a createSecurityContext() from its superclass if the default SecurityContext.isUserInRole was not working (but it does in this case). Eventually this interceptor should likely make it into JBossCXF/trunk/src/main. At the moment some of the code required to deal with digests is missing, it is commented out but classes like NonceStore can be ported from JBossNative.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Finally, CXF-based interceptor [3] is used to authorize the requests, here is a sample configuration:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>&lt;util:map id="methodPermissions"&gt;<br/>&nbsp;&nbsp;&lt;entry key="sayHello" value="friend colleague"/&gt;<br/>&nbsp;&nbsp;&lt;entry key="greetMe" value="snoopies"/&gt;<br/>&lt;/util:map&gt;<br/><br/>&lt;bean id="AuthorizeIn" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor"&gt;<br/>&nbsp;&nbsp;&lt;property name="methodRolesMap" ref="methodPermissions"/&gt;<br/>&lt;/bean&gt;</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Other authorizing interceptors can be added easily. 
For example, one can extend SimpleAuthorizingInterceptor and set a property identifying a service class on it. The setter would load and introspect a class for @RolesAllowed, @DenyAll, etc. and set a roles map on the superclass. [4] can also be extended if say PicketBox AuthorizationManager were to be used.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>One thing which will need to be addressed at CXF level is a policy-first case, where interceptors are added by the policy runtime, so some work has to be done to ensure interceptors like SubjectCreatingInterceptor can be added when needed too. I'm planning to investigate what needs to be done...</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Any comments - let me know please</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>cheers, Sergey</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>[1] <a class="jive-link-external-small" href="https://jira.jboss.org/jira/browse/JBWS-2210">https://jira.jboss.org/jira/browse/JBWS-2210</a></p><p>[2] <a class="jive-link-external-small" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JSecurityContextProvidingInterceptor.java">http://svn.apache.org/repos/asf/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JSecurityContextProvidingInterceptor.java</a></p><p><span>[3] </span><a class="jive-link-external-small" href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java" target="_blank">http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java</a></p><p>[4] <a class="jive-link-external-small" 
href="http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java">http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java</a></p></div>
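<p>Added example, not part of the post above and not JBossCXF or CXF code: one way to build the roles map that the message suggests deriving from @RolesAllowed, @DenyAll, etc., in the same "method name to space-separated roles" format as the sample methodPermissions map. The class name AnnotationRolesMapBuilder and the DENY_ALL_ROLE sentinel are hypothetical, and the JSR-250 annotations (javax.annotation.security) are assumed to be on the classpath.</p>

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/** Hypothetical helper: derives a methodRolesMap-style map from JSR-250 annotations. */
public final class AnnotationRolesMapBuilder {
    /** Assumed sentinel: a role name granted to nobody, so @DenyAll never ends up as an empty role list. */
    static final String DENY_ALL_ROLE = "__deny_all__";

    /** Returns method name -> space-separated roles. Pass the class that actually carries the annotations. */
    public static Map<String, String> build(Class<?> serviceClass) {
        Map<String, String> roles = new LinkedHashMap<String, String>();
        for (Method m : serviceClass.getMethods()) {
            if (m.getDeclaringClass() == Object.class || Modifier.isStatic(m.getModifiers())) continue;
            String value = rolesFor(m, serviceClass);
            if (value == null) continue; // unannotated or @PermitAll: no entry is written
            String previous = roles.put(m.getName(), value);
            if (previous != null && !previous.equals(value)) {
                // The map is keyed by method name only, so overloads cannot carry different roles.
                throw new IllegalStateException("Conflicting roles for overloads of " + m.getName());
            }
        }
        return roles;
    }

    // Method-level annotations take precedence over class-level ones (JSR-250 rule).
    private static String rolesFor(Method m, Class<?> c) {
        if (m.isAnnotationPresent(DenyAll.class)) return DENY_ALL_ROLE;
        if (m.isAnnotationPresent(RolesAllowed.class)) return join(m.getAnnotation(RolesAllowed.class).value());
        if (m.isAnnotationPresent(PermitAll.class)) return null;
        if (c.isAnnotationPresent(DenyAll.class)) return DENY_ALL_ROLE;
        if (c.isAnnotationPresent(RolesAllowed.class)) return join(c.getAnnotation(RolesAllowed.class).value());
        return null;
    }

    private static String join(String[] values) {
        StringBuilder sb = new StringBuilder();
        for (String v : values) {
            if (sb.length() > 0) sb.append(' ');
            sb.append(v);
        }
        return sb.toString();
    }
}
```

<p>The returned map is what a setter on a SimpleAuthorizingInterceptor subclass would hand to the methodRolesMap property shown in the sample configuration.</p>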
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>