From: Claude Libois
Date: Tue, 31 Jan 2017 17:44:37 +0100
To: dev@cxf.apache.org, Colm O hEigeartaigh
Subject: Re: Unimplemented isUserInRole from createSecurityContext in WSS4JInInterceptor ?

Ok I have implemented my own custom interceptor and this works like a charm. Thanks for the input.

Best Regards,
Claude

2017-01-31 13:12 GMT+01:00 Claude Libois :

> Thanks for the quick reply! Indeed I didn't add the JAASLoginInterceptor because the implementation was rather oriented to user/password (which indeed works well with WSS4JInterceptor...). Actually, there is an X509 principal after the WSS4JInterceptor but no Principal for groups, so I need to trigger my own LoginModule with the right callbackhandler to get those groups. I wonder if I shouldn't write my own interceptor based on JAASLoginInterceptor because some parts explicitly check for a username/password.
> Best Regards,
> Claude
>
> 2017-01-31 12:06 GMT+01:00 Colm O hEigeartaigh :
>
>> On Tue, Jan 31, 2017 at 10:05 AM, Claude Libois wrote:
>>
>> > I try to do some authorization after a SOAP call with WSS Security and digital signature. My JAAS principal is created based on the Signing certificate and we do a lookup in the LDAP to get some roles. I wanted to filter my service to give access only to some roles.
>>
>> WSS4J validates the Signature and stores the principal, and CXF creates a security context. As there is no JAAS Subject at this stage in your example, it just creates a security context returning false for "isUserInRole" (so yes, this is intentional).
>>
>> You have two options:
>>
>> a) Override the default SignatureTrustValidator in WSS4J. After successful validation, then write some code to authenticate the principal using JAAS + save the JAAS Subject on the "Credential" the Validator returns. If you do this, CXF will automatically set up the security context using the roles retrieved from the JAAS Subject, and you don't need then to use the JAASLoginInterceptor at all.
>>
>> b) Keep WSS4J as it is, but then you need to tell the JAASLoginInterceptor how to find the principal by writing a CallbackHandler which will examine the existing security context and return the principal name to use for JAAS. You can do this by setting the "callbackHandlerProviders" property of JAASLoginInterceptor...take a look at the source and the default implementations, it should be fairly straightforward to implement.
>>
>> Colm.
>>
>> > For this I did the following configuration:
>> >
>> > [configuration XML: the element names were not preserved by the archive; only the attributes below survive]
>> >
>> >     id="jaas">
>> >     class="org.apache.cxf.interceptor.security.SimpleAuthorizingInterceptor">
>> >     class="org.apache.cxf.ws.addressing.MAPAggregator">
>> >     class="org.apache.cxf.ws.addressing.soap.MAPCodec"/>
>> >     class="be.leforem.service.external.offresemploi.HttpExceptionThrower"/>
>> >     class="be.leforem.service.external.offresemploi.FaultInterceptor"/>
>> >
>> >     address="camel://direct:***"
>> >     serviceName="***"
>> >     endpointName="***"
>> >     wsdlURL="META-INF/wsdl/***.wsdl"
>> >     publishedEndpointUrl="{{wsdlPublicUrl}}"
>> >     xmlns:c="***">
>> >
>> >     value="${wss.timestamp.timeToLive}"/>
>> >     value="${wss.timestamp.futureTimeToLive}"/>
>> >     value-ref="passwordCallback" />
>> >     value="file:${karaf.home}***"/>
>> >     value="file:${karaf.home}***"/>
>> >     value="useReqSigCert"/>
>> >     value="${schemaValidations}"/>
>> >
>> > I have noticed that the WSS4JInterceptor creates a SecurityContext this way:
>> >
>> >     protected SecurityContext createSecurityContext(final Principal p) {
>> >         return new SecurityContext() {
>> >
>> >             public Principal getUserPrincipal() {
>> >                 return p;
>> >             }
>> >
>> >             public boolean isUserInRole(String arg0) {
>> >                 return false;
>> >             }
>> >         };
>> >     }
>> >
>> > So there is no way my authorization will work due to isUserInRole not really implemented.
>> > My question is:
>> > - Is it intentional?
>> > - Is there another way than rewriting this class to force a real role based verification such as the one we can find in the JAASLoginInterceptor?
>> >
>> >     protected SecurityContext createSecurityContext(String name, Subject subject) {
>> >         if (getRoleClassifier() != null) {
>> >             return new RolePrefixSecurityContextImpl(subject,
>> >                                                      getRoleClassifier(),
>> >                                                      getRoleClassifierType());
>> >         } else {
>> >             return new DefaultSecurityContext(name, subject);
>> >         }
>> >     }
>> >
>> > - Is there any documentation to do the things properly? It was quite cumbersome to find how to achieve this.
>> > Best Regards,
>> > Claude
>>
>> --
>> Colm O hEigeartaigh
>>
>> Talend Community Coder
>> http://coders.talend.com
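The following is an added illustration of the "custom interceptor" approach the thread converges on; it is not Claude's code, nor part of CXF or WSS4J. It runs after WSS4JInInterceptor has validated the signature, takes the signer principal from the role-less SecurityContext shown above, performs a JAAS login that supplies only that principal's name (no password, since the identity was already proven by the signature), and replaces the SecurityContext with CXF's DefaultSecurityContext backed by the resulting Subject, so that SimpleAuthorizingInterceptor's isUserInRole check sees the group principals the LoginModule added. Assumptions: CXF 3.x package names, a JAAS configuration entry whose name is passed in (the name "signer-roles" below is a placeholder), and a LoginModule (for example an LDAP one) that only needs a NameCallback to resolve groups.

```java
package example; // hypothetical package, not part of CXF

import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.interceptor.security.AuthenticationException;
import org.apache.cxf.interceptor.security.DefaultSecurityContext;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
import org.apache.cxf.security.SecurityContext;

/**
 * Replaces the role-less SecurityContext that WSS4JInInterceptor installs with one
 * backed by a JAAS Subject, so that role checks (isUserInRole) become meaningful.
 *
 * Phase.UNMARSHAL (the phase JAASLoginInterceptor also uses) runs after PRE_PROTOCOL,
 * where WSS4JInInterceptor validates the signature, and before PRE_INVOKE, where
 * SimpleAuthorizingInterceptor enforces roles.
 */
public class SignerRoleInterceptor extends AbstractPhaseInterceptor<Message> {

    // Name of the JAAS login configuration entry to use (assumed; deployment-specific).
    private final String jaasContextName;

    public SignerRoleInterceptor(String jaasContextName) {
        super(Phase.UNMARSHAL);
        this.jaasContextName = jaasContextName;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        SecurityContext existing = message.get(SecurityContext.class);
        Principal signer = existing == null ? null : existing.getUserPrincipal();
        if (signer == null) {
            // Fail closed: without a validated signer there is no identity to authorize.
            throw new AuthenticationException("no signer principal present; message not signed?");
        }
        try {
            Subject subject = new Subject();
            LoginContext lc = new LoginContext(jaasContextName, subject,
                    new PrincipalNameCallbackHandler(signer.getName()));
            lc.login(); // the configured LoginModule resolves group principals for this name
            // DefaultSecurityContext answers isUserInRole from the Subject's group principals.
            message.put(SecurityContext.class, new DefaultSecurityContext(signer.getName(), subject));
        } catch (LoginException e) {
            throw new AuthenticationException("JAAS login failed for " + signer.getName());
        }
    }

    /** Answers NameCallback with the signer's name and refuses every other callback. */
    static final class PrincipalNameCallbackHandler implements CallbackHandler {
        private final String name;

        PrincipalNameCallbackHandler(String name) {
            this.name = name;
        }

        @Override
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(name);
                } else {
                    // A PasswordCallback here means the LoginModule is user/password oriented
                    // and is not suitable for certificate-authenticated callers.
                    throw new UnsupportedCallbackException(cb, "only NameCallback is supported");
                }
            }
        }
    }
}
```

Register it on the endpoint's inInterceptors alongside SimpleAuthorizingInterceptor, for example `new SignerRoleInterceptor("signer-roles")`. Two points worth keeping from the thread: WSS4J's `return false` is a safe default, because an authorizing interceptor then denies rather than grants, and this interceptor preserves that by failing closed when no signer principal exists; and, as Claude observed, a LoginModule that insists on a password will surface here as an UnsupportedCallbackException rather than silently authenticating.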