cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey Beryozkin <>
Subject Re: Using WS-Security UsernameToken to authenticate users and populate SecurityContexts
Date Thu, 08 Apr 2010 16:09:24 GMT
Hi David

thanks for the comments...

On Wed, Apr 7, 2010 at 9:41 PM, David Valeri <> wrote:

> Sergey,
> I think this type of functionality would be very useful to a number of
> folks.  I have built two similar capabilities for clients very recently
> using CXF and Spring Security.  Based on the code provided below, I have
> several points that I would like to see addressed in a solution.
> 1) Architecture to support more than just UsernameTokens.  I have worked
> with systems that need to authenticate a user using UsernameTokens,
> BinarySecurityTokens, SAML Assertions, and a combination of more than one
> of
> these at a time.

Supporting UsernameTokens is the initial requirement. At the moment I do not
even know how BinarySecurityTokens or SAML Assertions are
processed/validated in CXF or WSS4J.

> For the most part, WSS4J simply validates the structural
> details of security.  That is, signature validity, trust chaining of
> digital
> certificates, etc.  As Glen pointed out with his reference to
>, WSS4J sometimes performs
> its
> own password checking (authentication).  Unfortunately, WSS4J doesn't
> provide hooks for authenticating other forms of credentials that I have
> listed above (I don't consider trust to be equivalent to authentication).
> It would be best if the authentication interface supported multiple
> credential types and allowed for authentication to be performed in a single
> location in the same manner every time (not sometimes in the WSS4J callback
> and sometimes in another interceptor for non-UT based credentials).

Makes sense. Assuming it is WSS4J which validates (the structure of)
BinarySecurityTokens then  AbstractWSS4JSecurityContextProvidingInterceptor
can also implement a processor for BinarySecurityTokens and delegate to
subclass to authenticate and setup a subject. Some extra methods will need
to be added, to be optionally overridden.

If it is not only WSS4J which is involved then perhaps another option is to
store (from WSS4J callback handler, etc) relevant details such username
token details, etc to be acted upon by other interceptors.

> That
> last bit there means disabling WSS4J's password authentication since it
> gets
> in the way of doing it later in our own interceptor.

AbstractWSS4JSecurityContextProvidingInterceptor does it now by implementing
a simplified UsernameTokenProcessor

> 2) Allow for end-user flexibility in choosing the credentials they want to
> authenticate.  For instance, each user is going to have their own security
> profiles and authentication requirements.  For instance, a message contains
> a UT for a portal user and a digital signature from the portal (I know
> using
> a SAML Assertion would be better here, but people still do it this way).
> Each organization will have different requirements as to which credentials
> get authenticated and what needs to end up in the security context.

I suppose AbstractWSS4JSecurityContextProvidingInterceptor subclasses should
be able to do it, for username tokens and other tokens later on.

> 3) Decouple the authentication interface from WSS4J.  What is passed in
> needs to be abstracted enough that it can work with other WS-Security
> libraries as well.
the only WSS4J class which is leaked at the moment is WSSecurityException.
Perhaps we can come up later on with a different more generic approach which
does not depend on WSS4J at all. As Dan indicated, in some cases
WSS4JInInterceptor is not even used, so that case will need to be addressed.
Experimenting wuth binary tokens might help with identifying another

> 4) It would be nice to be able to perform authorization using something
> like
> Spring Security at the service operation level.  With a POJO or JAX-WS
> based
> service, one can just use Spring Security's method interceptor to provide
> such security; however, in situations where one only has a WSDL based
> service or a provider style service, a method interceptor can't be used.
>  It
> would be nice to provide a hook into Spring Security to allow end-users to
> specify role based authorization policy based on a combination of
> interface,
> instance, and operation names.  It seems like your
> AbstractAuthorizingInterceptor and SimpleAuthorizingInterceptor are looking
> in this direction, but I think it would be best if we can stand on the
> shoulders of the Spring Security giant as much as possible so that we can
> take advantage of their rich authorization manager, voter, XML
> configuration
> capabilities.
Not sure what to say here yet. But I think non-Spring users should be taken
care of too. Or when simpler cases are dealt with then perhaps there's no
need to bring in Spring security. Perhaps the utility authorization
interceptors should just not be used when Spring Security is preferred ?

> 5) Try not to leave the ServiceMix CXF-BC out in the cold.  The CXF-BC
> currently has a limited capability to select the credentials to
> authenticate
> and would benefit from 1 and 2 above.  The CXF-BC ultimately delegates
> authentication to the JBI container through a ServiceMix components
> authentication service abstraction of JAAS.  Whatever solution we have for
> 1
> and 2 would help out the component if the ServiceMix authentication service
> abstraction could be wired up in lieu of whatever we provide out of the
> box.
I'm not planning to contribute to ServiceMix. I agree though that an ideal
solution will meet multiple requirements

thanks, Sergey

> -----Original Message-----
> From: Sergey Beryozkin []
> Sent: Wednesday, April 07, 2010 10:11 AM
> To:
> Subject: Using WS-Security UsernameToken to authenticate users and populate
> SecurityContexts
> Hi
> I've been looking recently at extending the CXF WS-Security component such
> that a current UsernameToken could be used by custom interceptors
> to authenticate a user with the external security systems and, if possible,
> provide enough information for CXF to populate a SecurityContext [1] to be
> used later on for
> authorization decisions.
> Here is the approach I've taken so far.
> A custom interceptor extends
> AbstractWSS4JSecurityContextProvidingInterceptor [2] and the only method it
> overrides is
> abstract Subject createSubject(String name, String password, boolean
> isDigest,
>                                    String nonce,
>                                    String created) throws
> WSSecurityException;
> For example, see [3].
> The idea here is that a custom interceptor interfaces whichever way it
> needs
> to with the external system and populates a Subject following this simple
> rule : first Subject principal is the current user (identified by a 'name'
> argument), followed by one or more Groups this user is a member of.
> AbstractWSS4JSecurityContextProvidingInterceptor will use this Subject to
> provide a functional SecurityContext instance.
> This is the first part, next is how to utilize a SecurityContext and get
> the
> expected roles associated one way or the other with a current method to be
> invoked. There's a number of usual options available here, perhaps even
> SpringSecurity can be used now that SecurityContext is available, or
> application code or other custom CXF interceptor can check the known roles
> against SecurityContext.
> I've also added AbstractAuthorizingInInterceptor interceptor which custom
> interceptors can override and return a list of expected roles given a
> (service) Method to be invoked upon, AbstractAuthorizingInInterceptor will
> then ask available SecurityContext to match the roles; one concrete
> implementation is SimpleAuthorizingInterceptor[5], it can be injected with
> a
> method specific or class (applying to all methods) roles. Another
> implementation which I will likely add later on will be injected with a
> name
> of annotation such as RolesAlloved and it will introspect a method and its
> class.
> Note that I haven't looked into the case when a policy runtimes adds the
> interceptors yet (as opposed to interceptors being configured form
> Spring/programmatically). I think an optional contextual property will need
> to be setup in such cases for users be able to indicate that say an
> interceptor such as [3] has to be used as opposed to WSS4JInInterceptor,
> etc.
> I'm going to validate this approach with JBoss CXF. If you have any
> comments
> then please let me know.
> I think we may have a simpler alternative eventually to the way
> authorization decisions are made. [1]-[3] is specific to ws-security, but
> [4]-[5] is not
> cheers, Sergey
> [1]
> [2]
> pache/cxf/ws/security/wss4j/AbstractWSS4JSecurityContextProvidingInterceptor<>
> .java
> [3]
> pache/cxf/ws/security/wss4j/<>
> [4]
> xf/interceptor/security/<>
> [5]
> xf/interceptor/security/<>

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message