Riccardo Serafin [http://community.jboss.org/people/barakka] created the discussion
"Re: JBWS-2210 : CXF Username Token JAAS integration"
To view the discussion, visit:
http://community.jboss.org/message/583153#583153
--------------------------------------------------------------
Thanks a lot!!
It did help, although not 100%. With the class you have suggested, I then get a caller
unauthorized exception in the ejb security interceptors.
So, instead of that example, I've tried with the
org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor pulled from the
jbossws-cxf integration libs, and it worked perfectly. In the other case, I believe, the
subject or the security context are not propagated to the ejb security interceptors (the
call "secAdaptorFactory.newSecurityAdapter().pushSubjectContext(subject, principal,
password)" in the SubjectCreatingInterceptor).
There is still a thing that I'm not getting though: I've been playing both with
UsernameToken auth and SAML token auth using the PicketLink trust project. In case of
UsernameTokenAuth the login modules get called when the SubjectCreatingInterceptor calls
the validate on the AuthenticationManager, which is during the interceptor message
handling.
Instead, the SAML handler only creates the correct credentials and the validation (login)
is invoked when the call hits the ejb security interceptor. The SAML handler does have
some code that propagates the context (which in the end uses the
SecurityContextAssociation from JBoss security spi to do it).
This lets me think that, maybe, by just propagating the security context in the
SimpleSubjectCreatingInterceptor from the example you gave, and therefore avoiding the call
to the AuthenticationManager, the credential validation would be triggered directly in the
ejb security interceptors. Is this the correct interpretation? I haven't tried it out,
as the SubjectCreatingInterceptor just works, but I'm still curious :) .
Thanks a lot in any case, as this avoided having to override the WSSecurityPolicy loader
and create a mix between SubjectCreatingInterceptor and the PolicyBasedWSS4JInInterceptor,
which I already tried, was working, but was also very, very ugly.
Riccardo.