[wildfly-dev] How to secure Camel CXF endpoints with Elytron?
Peter Palaga
ppalaga at redhat.com
Wed May 2 17:49:03 EDT 2018
Hi all, esp. Darran and Stuart,
We (WildFly Camel Team) have a request [1] to support securing Camel CXF
endpoints with Elytron and I am trying to figure out the best way to
achieve that.
= Current state
A Camel context is started by Weld during
Phase.INSTALL_CDI_VALIDATOR_FACTORY. This triggers a creation of the CXF
WS endpoint. To expose the endpoint on Undertow, we create an ad hoc
DeploymentInfo [2] with a context path requested by the Camel route [3].
To handle security, users are suggested to use CXF Interceptors, such as
JAASLoginInterceptor [4]. The JAASLoginInterceptor works well with
security domains defined in the legacy Security subsystem.
= The problem
A user wants to get rid of the legacy Security subsystem and use Elytron
instead.
= How to solve it
As Darran pointed out in the chat, there is no JAAS support in Elytron
and we thus cannot keep relying on JAASLoginInterceptor & Co.
I investigated how Elytron is integrated in Undertow subsystem (esp.
UndertowDeploymentInfoService) and I tried to do the same for our custom
DeploymentInfo in Camel subsystem. The key point was to obtain a
reference to securityFunction and apply it to the DeploymentInfo. In
this way our Camel CXF endpoints indeed got protected by an Elytron
security domain.
I have a dirty but working PoC [5] where I just copied parts of
UndertowDeploymentInfoService to a new CamelDynamicDeploymentService.
I'd like to try re-using UndertowDeploymentInfoService as a whole so
that I do not duplicate the security sensitive code. But before I do,
could you Darran, Stuart and others please approve the general idea or
eventually suggest something better?
Thanks,
-- Peter
[1] https://issues.jboss.org/browse/ENTESB-7959
[2]
https://github.com/wildfly-extras/wildfly-camel/blob/6.0.0/cxfhttp/src/main/java/org/apache/cxf/transport/undertow/wildfly/WildflyHTTPServerEngine.java#L64
[3]
https://github.com/wildfly-extras/wildfly-camel/blob/6.0.0/cxfhttp/src/main/java/org/apache/cxf/transport/undertow/wildfly/WildflyHTTPServerEngine.java#L66
[4]
https://github.com/wildfly-extras/wildfly-camel-examples/blob/6.0.0/camel-cxf-jaxws-cdi-secure/src/main/java/org/wildfly/camel/examples/cxf/jaxws/Application.java#L112
[5] https://github.com/ppalaga/wildfly-camel/commits/ENTESB-7959.180430
More information about the wildfly-dev
mailing list