[wildfly-dev] How to secure Camel CXF endpoints with Elytron?

Peter Palaga ppalaga at redhat.com
Wed May 2 17:49:03 EDT 2018


Hi all, esp. Darran and Stuart,

We (WildFly Camel Team) have a request [1] to support securing Camel CXF 
endpoints with Elytron and I am trying to figure out the best way to 
achieve that.

= Current state

A Camel context is started by Weld during 
Phase.INSTALL_CDI_VALIDATOR_FACTORY. This triggers the creation of the CXF 
WS endpoint. To expose the endpoint on Undertow, we create an ad hoc 
DeploymentInfo [2] with a context path requested by the Camel route [3].

To handle security, users are advised to use CXF Interceptors, such as 
JAASLoginInterceptor [4]. The JAASLoginInterceptor works well with 
security domains defined in the legacy Security subsystem.

= The problem

A user wants to get rid of the legacy Security subsystem and use Elytron 
instead.

= How to solve it

As Darran pointed out in the chat, there is no JAAS support in Elytron 
and we thus cannot keep relying on JAASLoginInterceptor & Co.

I investigated how Elytron is integrated in the Undertow subsystem (esp. 
UndertowDeploymentInfoService) and I tried to do the same for our custom 
DeploymentInfo in the Camel subsystem. The key point was to obtain a 
reference to securityFunction and apply it to the DeploymentInfo. In 
this way our Camel CXF endpoints indeed got protected by an Elytron 
security domain.

I have a dirty but working PoC [5] where I just copied parts of 
UndertowDeploymentInfoService to a new CamelDynamicDeploymentService.

I'd like to try re-using UndertowDeploymentInfoService as a whole so 
that I do not duplicate the security sensitive code. But before I do, 
could you, Darran, Stuart and others, please approve the general idea or 
eventually suggest something better?

Thanks,

-- Peter

[1] https://issues.jboss.org/browse/ENTESB-7959
[2] https://github.com/wildfly-extras/wildfly-camel/blob/6.0.0/cxfhttp/src/main/java/org/apache/cxf/transport/undertow/wildfly/WildflyHTTPServerEngine.java#L64
[3] https://github.com/wildfly-extras/wildfly-camel/blob/6.0.0/cxfhttp/src/main/java/org/apache/cxf/transport/undertow/wildfly/WildflyHTTPServerEngine.java#L66
[4] https://github.com/wildfly-extras/wildfly-camel-examples/blob/6.0.0/camel-cxf-jaxws-cdi-secure/src/main/java/org/wildfly/camel/examples/cxf/jaxws/Application.java#L112
[5] https://github.com/ppalaga/wildfly-camel/commits/ENTESB-7959.180430

