[jboss-dev-forums] [JBoss Web Services Development] - Re: JBWS-2210 : CXF Username Token JAAS integration
Riccardo Serafin
do-not-reply at jboss.com
Tue Jan 25 15:41:55 EST 2011
Riccardo Serafin [http://community.jboss.org/people/barakka] created the discussion
"Re: JBWS-2210 : CXF Username Token JAAS integration"
To view the discussion, visit: http://community.jboss.org/message/583153#583153
--------------------------------------------------------------
Thanks a lot!!
It did help, although not 100%. With the class you have suggested, I then get a caller unauthorized exception in the ejb security interceptors.
So, instead of that example, I've tried with the org.jboss.wsf.stack.cxf.security.authentication.SubjectCreatingInterceptor pulled from the jbossws-cxf integration libs, and it worked perfectly. In the other case, I believe, the subject or the security context are not propagated to the ejb security interceptors (the call "secAdaptorFactory.newSecurityAdapter().pushSubjectContext(subject, principal, password)" in the SubjectCreatingInterceptor).
There is still a thing that I'm not getting though: I've been playing both with UsernameToken auth and SAML token auth using the PicketLink trust project. In case of UsernameTokenAuth the login modules get called when the SubjectCreatingInterceptor calls the validate on the AuthenticationManager, which is during the interceptor message handling.
Instead, the SAML handler only creates the correct credentials and the validation (login) is invoked when the call hits the ejb security interceptor. The SAML handler does have some code that propagates the context (which in the end uses the SecurityContextAssociation from JBoss security spi to do it).
This lets me think that, maybe, by just propagating the security context in the SimpleSubjectCreatingInterceptor from the example you gave, and therefore avoiding the call to the AuthenticationManager, the credential validation would be triggered directly in the ejb security interceptors. Is this the correct interpretation? I haven't tried it out, as the SubjectCreatingInterceptor just works, but I'm still curious :) .
Thanks a lot in any case, as this avoided having to override the WSSecurityPolicy loader and create a mix between SubjectCreatingInterceptor and the PolicyBasedWSS4JInInterceptor, which I already tried, was working, but was also very, very ugly.
Riccardo.
--------------------------------------------------------------