cxf-dev mailing list archives
From Łukasz Dywicki <>
Subject Re: Ideas for standardizing CXF authentication and authorization
Date Thu, 10 Jul 2014 13:33:12 GMT
The issue I mentioned was fixed; the issue for it is CXF-5864. I also
opt for JAAS as the underlying framework since there is no other standard.
I was looking for Shiro-JAAS integrations, but except for a couple of statements
there is no live example of it. With SS it's easier, as it supports
JAAS out of the box and allows reducing the amount of code needed to call a
JAAS login module. I'm not sure, but in SS 2.x there was a reverse bridge
allowing to call the Spring Security authentication manager via JAAS;
sadly I cannot find it right now.

In some scenarios, as you already pointed out, an additional check is needed.
Kerberos verifies identity but does not offer any way to retrieve user
privileges. I can imagine a situation where someone is using Kerberos
without directory services; for these cases SS requires an
implementation of UserDetailsService.

My plan was also to let the service implementer retrieve the Subject and its
roles from the current security context regardless of whether it's JAX-RS or JAX-WS
code. Now CXF relies on JAX-RS in one place and I'm not aware of any
similar facility for JAX-WS. With plain JAAS it will be possible; CXF just
needs to call Subject.doAs() in the service invoker.

Best regards,
Twitter: ldywicki
Code-House -

2014-07-10 14:06 GMT+02:00 Christian Schneider <>:
> Spring Security integration would be an interesting case that I hope can be
> covered with my approach.
> We could do the JAAS authentication with CXF without Spring Security and
> then use Spring Security just for authorization.
> The only thing we would need to do is provide a small module for Spring
> Security that retrieves the JAAS login context and creates a Spring Security
> context from it. Perhaps
> this is even present somewhere in Spring Security, as this case should not be
> that uncommon. After that step Spring Security would fully work.
> This of course can only work if the authentication phase can be covered by
> JAAS. Which kind of authentication do you have in mind?
> Christian
> On 10.07.2014 13:38, Łukasz Dywicki wrote:
>> Hey Christian,
>> Great that you brought up this discussion. I already started working on
>> the integration between Spring Security (SS) and CXF, mainly because JAAS
>> was not sufficient in all our cases and SS provides a nice cover for it,
>> such as AccessDecisionManager, session control and so on. As Oliver
>> pointed out, currently CXF is bound to HTTP headers or WSS4J
>> callbacks requiring re-sending credentials for each invocation, which
>> really limits users while working on more advanced APIs. I would love
>> to see support for login/logout operations and session handling within
>> CXF.
>> There are a couple of issues which cannot be solved with the current CXF code;
>> for example, AbstractAuthorizingInInterceptor forces the presence of a
>> security context even if a subject is not necessary and the method is not
>> annotated with any security annotation or is annotated with @PermitAll.
>> Best regards,
>> Łukasz
>> --
>> Twitter: ldywicki
>> Blog:
>> Code-House -
> --
> Christian Schneider
> Open Source Architect
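The mechanism Łukasz describes above, where the service invoker authenticates through JAAS and then runs the service method under `Subject.doAs()` so that the implementation can read the Subject and its roles from the current security context, independent of JAX-RS or JAX-WS, looks like the following. This is an added, stand-alone example and not CXF code or code from any of the participants: `InMemoryLoginModule`, `RolePrincipal`, `UserPrincipal`, the `"cxf-example"` login configuration name and the `alice`/`secret` credentials are all constructed for illustration, and the programmatic `Configuration` exists only so that no `jaas.conf` file is needed. It uses the JDK 8-era `Subject.getSubject(AccessController.getContext())` that matches the 2014 discussion; on JDK 18 and later the equivalent is `Subject.current()` with `Subject.callAs()`, and on JDK 23+ the older call is deprecated for removal.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class JaasDoAsExample {

    // Hypothetical principal types; CXF, Karaf etc. ship their own classes for this.
    public static final class UserPrincipal implements Principal {
        private final String name;
        public UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    public static final class RolePrincipal implements Principal {
        private final String name;
        public RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Constructed in-memory login module: one user with one static role.
    // A real module (LDAP, Kerberos, ...) would consult a directory or KDC instead.
    public static final class InMemoryLoginModule implements LoginModule {
        private Subject subject;
        private CallbackHandler handler;
        private String user;
        private boolean authenticated;

        @Override
        public void initialize(Subject subject, CallbackHandler handler,
                               Map<String, ?> sharedState, Map<String, ?> options) {
            this.subject = subject;
            this.handler = handler;
        }

        @Override
        public boolean login() throws LoginException {
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try {
                handler.handle(new Callback[] { nc, pc });
            } catch (Exception e) {
                throw new LoginException("callback failed: " + e.getMessage());
            }
            // Constructed credential check for the example only.
            if ("alice".equals(nc.getName()) && "secret".equals(new String(pc.getPassword()))) {
                user = nc.getName();
                authenticated = true;
                return true;
            }
            throw new LoginException("bad credentials");
        }

        // commit() is where the Subject gets its identity and role principals.
        @Override
        public boolean commit() {
            if (!authenticated) return false;
            subject.getPrincipals().add(new UserPrincipal(user));
            subject.getPrincipals().add(new RolePrincipal("admin"));
            return true;
        }
        @Override public boolean abort() { authenticated = false; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    // Programmatic JAAS configuration so the example runs without a jaas.conf file.
    static Configuration inMemoryConfig() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(InMemoryLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.emptyMap()) };
            }
        };
    }

    // What a service implementation does: read the Subject the invoker established
    // from the current access-control context, with no JAX-RS or JAX-WS API involved.
    static boolean callerHasRole(String role) {
        Subject s = Subject.getSubject(AccessController.getContext());
        if (s == null) return false;                       // no doAs() in effect: deny
        for (RolePrincipal p : s.getPrincipals(RolePrincipal.class)) {
            if (p.getName().equals(role)) return true;
        }
        return false;
    }

    // What the service invoker does: JAAS login, then run the service call under doAs().
    public static void main(String[] args) throws LoginException {
        CallbackHandler creds = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName("alice");
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword("secret".toCharArray());
            }
        };
        LoginContext lc = new LoginContext("cxf-example", null, creds, inMemoryConfig());
        lc.login();
        String outcome = Subject.doAs(lc.getSubject(), (PrivilegedAction<String>) () ->
            callerHasRole("admin") ? "allowed" : "denied");
        System.out.println("service invocation: " + outcome);
        lc.logout();
    }
}
```

The point of the split is that `callerHasRole` never touches a transport-specific context: whatever front end (JAX-RS, JAX-WS) the invoker sits behind, authorization reads only the principals the login module committed, and a call made outside `doAs()` sees no Subject and is denied rather than silently allowed.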
