cxf-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Freeman Fang <freeman.f...@gmail.com>
Subject Re: AbstractUsernameTokenAuthenticatingInterceptor.createSubject principal ordering
Date Mon, 20 May 2013 10:45:24 GMT
Hi Alessio,

I thought your original problem comes from that you can't tell the difference between UserPrincipal
and RolePrincipal in some containers(as I encounter similar issue in Karaf), no? If so, the
configuration way used in org.apache.cxf.interceptor.security.JAASLoginInterceptor could be
borrowed here.

And about your question, yes, we probably should do it as the RolePrincipal may not always
implements Group interface in some cases.

Thanks
-------------
Freeman(Yue) Fang

Red Hat, Inc. 
FuseSource is now part of Red Hat
Web: http://fusesource.com | http://www.redhat.com/
Twitter: freemanfang
Blog: http://freemanfang.blogspot.com
http://blog.sina.com.cn/u/1473905042
weibo: @Freeman小屋

www.camelone.org : The open source integration conference: 

On 2013-5-20, at 下午5:24, Alessio Soldano wrote:

> Hi Freeman,
> thanks for the feedback;
> 
> On 05/20/2013 10:43 AM, Freeman Fang wrote:
>> FYI, we have  org.apache.cxf.interceptor.security.DefaultSecurityContext which also
rely on this logic, please see the comment below
>> /**
>> * SecurityContext which implements isUserInRole using the
>> * following approach : skip the first Subject principal, and then checks
>> * Groups the principal is a member of
>> * 
> 
> yep, while if you look at the findPrincipal method in there it does
> exactly the same I proposed with skipping Group instance to get the user
> principal.
> 
> 
>> And when deploy cxf endpoint in some container, though by default CXF will assume
that role Principals are represented by javax.security.acl.Group instances, in some containers
objects representing a user principal and role principal are implementing the same marker
interface such as Principal, Karaf is in this case.
>> 
>> To works with this scenario, in CXF we can configure 
>> <property name="roleClassifier" value="RolePrincipal"/>
>>   <property name="roleClassifierType" value="classname"/>
>> for org.apache.cxf.interceptor.security.JAASLoginInterceptor, please take a look
at [1] to get more details.
>> 
>> [1]http://cxf.apache.org/docs/security.html
> 
> I previously missed this, thanks.
> So basically what would you propose for the
> AbstractUsernameTokenAuthenticationInterceptor? Perhaps to extract the
> user principal check to a separated protected method that could be
> overridden differently according the containers need?
> 
> 
> Thanks
> Alessio
> 
> -- 
> Alessio Soldano
> Web Service Lead, JBoss


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message