cxf-dev mailing list archives

From Sergey Beryozkin <sberyoz...@gmail.com>
Subject Re: Using WS-Security UsernameToken to authenticate users and populate SecurityContexts
Date Wed, 07 Apr 2010 17:46:59 GMT
Hi Glen

On Wed, Apr 7, 2010 at 6:25 PM, Glen Mazza <glen.mazza@gmail.com> wrote:

>
>
> Glen,
>
>
> On Wed, Apr 7, 2010 at 5:12 PM, Glen Mazza <glen.mazza@gmail.com> wrote:
>
> >
> > Sergey, be careful with your first reason--that of using the
> > CallbackHandlers
> > to *return* passwords, that's an old erroneous design apparently since
> > fixed
> > in WSS4J (https://issues.apache.org/jira/browse/WSS-183) that should not
> > necessarily be used as a reason for doing what you're doing--that process
> > should be taken out of CXF instead when it upgrades to the new WSS4J.
> >
>
> >I'm sorry but this does [not] sound convincing. You're kind of indicating
> that
> >what is proposed is not good enough ? But you have not said anything about
> the authorization.
> >WSS4J is restricting with respect to digests at the moment but as I
> said,
> >we're after the authorization here.
>
> All I'm saying is that if you're using the argument of "CXF requires
> passwords to be supplied in the CallbackHandlers!" as a reason for doing
> what you're doing, that's not valid anymore because that problem is fixed
> with the new WSS4J.


I guess I was not specific enough, hope my follow-up response made things
clearer.


>  I'm sure however there are plenty of other good reasons
> for doing what you're doing, it's just that that particular one should soon
> no longer be relevant.  I was also mentioning this to you in case you were
> unaware of the problem and were thinking of a solution which involved the
> Callbackhandler continuing to serve its erroneous dual role
> (https://issues.apache.org/jira/browse/WSS-183,
> https://issues.apache.org/jira/browse/CXF-2150) of validating credentials
> for password text and providing credentials for password digest for some
> higher entity to validate.
>

I'm aware of this problem but it is an orthogonal one. Likewise not sure
what you mean by a dual role. In this case a callback handler only requires
a subclass to do the authentication.


>
>
> >
> > Actually, I think Metro does what you want--allows the option for
> > container-managed authentication *without* the callbackhandler
> > (
> http://www.jroller.com/gmazza/entry/metro_usernametoken_profile#MetroUT3
> > ).
> > If you can repeat the same with CXF, great!
> >
>
> > I really don't follow why you refer to Metro, what has it to do with the use
> > of
> > CXF ?
>
> It was meant as a sanity check that whatever you are proposing is also
> being
> done by another web service stack.  But I misunderstood what you were
> proposing, hence what I was saying above is not relevant.  You're talking
> about authorization, not authentication.  Never mind.


I'm talking about both authentication and authorization. I believe the
proposed solution makes it easier to authorize, as I tried to clarify
in the other email.

cheers, Sergey



>
> Glen
>
> --
> View this message in context:
> http://old.nabble.com/Using-WS-Security-UsernameToken-to-authenticate-users-and-populate--SecurityContexts-tp28165583p28168187.html
> Sent from the cxf-dev mailing list archive at Nabble.com.
>
>

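The "dual role" Glen describes (WSS-183, CXF-2150) is easiest to see in code. The following handler is an added illustration written for this archive page, not code from CXF, WSS4J or either participant, and it assumes the WSS4J 1.5-era WSPasswordCallback contract: for PasswordText the handler receives the wire password (usage USERNAME_TOKEN_UNKNOWN) and must validate it itself, while for PasswordDigest it receives only the username (usage USERNAME_TOKEN) and must hand the clear-text password back so WSS4J can recompute and compare the digest. The user store is constructed in-memory data for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;

import org.apache.ws.security.WSPasswordCallback;

/**
 * Example only (not CXF/WSS4J code): the WSS4J 1.5-era CallbackHandler that
 * both validates PasswordText tokens and supplies passwords for
 * PasswordDigest tokens, i.e. the "dual role" discussed in the thread.
 */
public class DualRoleUsernameTokenHandler implements CallbackHandler {

    // Constructed user store for the example. A real deployment would use a
    // directory or database, but note that the digest branch below forces
    // the store to hold clear-text passwords: WSS4J needs the raw password
    // to recompute Base64(SHA-1(nonce + created + password)).
    private final Map<String, String> users = new HashMap<String, String>();

    public DualRoleUsernameTokenHandler() {
        users.put("alice", "s3cr3t-alice");
        users.put("bob", "s3cr3t-bob");
    }

    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback callback : callbacks) {
            if (!(callback instanceof WSPasswordCallback)) {
                throw new UnsupportedCallbackException(callback, "Only WSPasswordCallback is handled");
            }
            WSPasswordCallback pc = (WSPasswordCallback) callback;
            String stored = users.get(pc.getIdentifier());

            switch (pc.getUsage()) {
                case WSPasswordCallback.USERNAME_TOKEN_UNKNOWN:
                    // PasswordText: the handler is the authenticator. Unknown
                    // user and wrong password fail with the same message so
                    // the fault does not reveal which one it was.
                    if (stored == null || !constantTimeEquals(stored, pc.getPassword())) {
                        throw new IOException("Authentication failed");
                    }
                    break;
                case WSPasswordCallback.USERNAME_TOKEN:
                    // PasswordDigest: the handler only supplies the password;
                    // WSS4J performs the digest comparison. Leaving it unset
                    // for an unknown user makes that comparison fail.
                    if (stored != null) {
                        pc.setPassword(stored);
                    }
                    break;
                default:
                    throw new UnsupportedCallbackException(callback,
                            "Unexpected usage " + pc.getUsage());
            }
        }
    }

    // MessageDigest.isEqual is timing-safe in current JDKs, so the PasswordText
    // comparison does not leak how many leading bytes matched.
    private static boolean constantTimeEquals(String expected, String actual) {
        if (actual == null) {
            return false;
        }
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                actual.getBytes(StandardCharsets.UTF_8));
    }
}
```

In CXF of that period the class is wired in through the WSS4JInInterceptor's passwordCallbackClass property with action UsernameToken. The two branches are what WSS-183 separates: after that change the handler is only asked for the password and validation of PasswordText moves out of the CallbackHandler, which is the point Glen is making and the part Sergey treats as orthogonal to populating the SecurityContext for authorization.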