[jboss-user] [JBoss Web Services Development] - JBWS-2210 : CXF Username Token JAAS integration

Sergey Beryozkin do-not-reply at jboss.com
Wed Apr 14 17:39:34 EDT 2010

Sergey Beryozkin [http://community.jboss.org/people/sergeyb] replied to the discussion

"JBWS-2210 : CXF Username Token JAAS integration"

To view the discussion, visit: http://community.jboss.org/message/537517#537517


I've created the initial patch for [1].

The reason it has to be a patch is that JBossCXF currently depends on CXF 2.2.6 while the system test which I've added depends on CXF 2.2.8-SNAPSHOT.

The [UsernameAuthorizingTestCase] test is quite simple but it demonstrates the idea of separating authentication and authorization actions into separate phases.

SubjectCreatingInterceptor extends [2] and authenticates and populates a Subject using a (legacy) JBossSX API which will need to be updated to use the PicketBox API. SubjectCreatingInterceptor could've also overridden createSecurityContext() from its superclass if the default SecurityContext.isUserInRole was not working (but it does in this case). Eventually this interceptor should likely make it into JBossCXF/trunk/src/main. At the moment some of the code required to deal with digests is missing; it is commented out, but classes like NonceStore can be ported from JBossNative.

Finally, a CXF-based interceptor [3] is used to authorize the requests; here is a sample configuration:

<util:map id="methodPermissions">
   <entry key="sayHello" value="friend colleague"/>
   <entry key="greetMe" value="snoopies"/>
</util:map>

<bean id="AuthorizeIn" class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
   <property name="methodRolesMap" ref="methodPermissions"/>
</bean>

Other authorizing interceptors can be added easily. For example, one can extend SimpleAuthorizingInterceptor and set a property identifying a service class on it. The setter would load and introspect a class for @RolesAllowed, @DenyAll, etc. and set a roles map on the superclass. [4] can also be extended if, say, the PicketBox AuthorizationManager were to be used.

One thing which will need to be addressed at the CXF level is a policy-first case, where interceptors are added by the policy runtime, so some work has to be done to ensure interceptors like SubjectCreatingInterceptor can be added when needed too. I'm planning to investigate what needs to be done...

Any comments - let me know please

cheers, Sergey

[1] https://jira.jboss.org/jira/browse/JBWS-2210
[2] http://svn.apache.org/repos/asf/cxf/trunk/rt/ws/security/src/main/java/org/apache/cxf/ws/security/wss4j/AbstractWSS4JSecurityContextProvidingInterceptor.java
[3] http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/SimpleAuthorizingInterceptor.java
[4] http://svn.apache.org/repos/asf/cxf/trunk/rt/core/src/main/java/org/apache/cxf/interceptor/security/AbstractAuthorizingInInterceptor.java
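
The annotation-driven roles map mentioned in the message, as an added example that is not part of the original post or of the CXF/JBossCXF code: it introspects a service class and produces the method-name to space-separated-roles map that the methodRolesMap property in the sample configuration expects. It assumes the JSR-250 annotations jar is on the classpath; AnnotationRolesMap, Greeter and the "__deny_all__" sentinel role are hypothetical names.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.TreeMap;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

public final class AnnotationRolesMap {
    // Hypothetical sentinel role: it must never be granted to any principal.
    static final String DENY_ROLE = "__deny_all__";

    /** Returns method name -> space-separated roles, the format used in the configuration. */
    public static Map<String, String> fromClass(Class<?> serviceClass) {
        Map<String, String> roles = new TreeMap<String, String>();
        for (Method m : serviceClass.getMethods()) {
            if (m.getDeclaringClass() == Object.class) continue;
            String value = rolesFor(m);
            if (value == null) continue; // @PermitAll or unannotated: no entry
            String previous = roles.put(m.getName(), value);
            // Keys are bare method names, so annotated overloads must agree.
            if (previous != null && !previous.equals(value))
                throw new IllegalStateException("Conflicting roles: " + m.getName());
        }
        return roles;
    }

    // A method-level annotation overrides @RolesAllowed on the declaring class.
    private static String rolesFor(Method m) {
        if (m.isAnnotationPresent(DenyAll.class)) return DENY_ROLE;
        RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
        if (ra == null && !m.isAnnotationPresent(PermitAll.class))
            ra = m.getDeclaringClass().getAnnotation(RolesAllowed.class);
        return ra == null ? null : String.join(" ", ra.value());
    }

    // Constructed sample service using the roles from the sample configuration.
    public static class Greeter {
        @RolesAllowed({"friend", "colleague"}) public String sayHello() { return "hi"; }
        @RolesAllowed("snoopies") public String greetMe() { return "hello"; }
        @DenyAll public void shutdown() { }
        public String ping() { return "pong"; }
    }

    public static void main(String[] args) {
        System.out.println(fromClass(Greeter.class));
    }
}
```

Unannotated and @PermitAll methods get no entry, so how the interceptor treats unmapped operations should be confirmed for the CXF version in use.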

