cxf-issues mailing list archives

From "Joe Luo (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CXF-5922) Secure CXF WSDL with standard HTTP Authentication
Date Fri, 01 Aug 2014 10:18:39 GMT
Joe Luo created CXF-5922:
----------------------------

             Summary: Secure CXF WSDL with standard HTTP Authentication
                 Key: CXF-5922
                 URL: https://issues.apache.org/jira/browse/CXF-5922
             Project: CXF
          Issue Type: Improvement
          Components: JAX-WS Runtime
    Affects Versions: 2.7.8
            Reporter: Joe Luo


I am running a camel route in JBoss Fuse, with CXF as a consumer endpoint, using the Provider<T>
route mechanism. The route is secured with SSL and HTTP Basic Authentication using JAASLoginInterceptor
and SimpleAuthorizingInterceptor interceptors. 

Now I want to secure WSDL on the camel-cxf consumer endpoint with HTTP Basic Authentication,
similarly going through JAAS. 

However, since WSDLGetInterceptor is placed in Phase.READ, it is not possible to use JAASLoginInterceptor
and SimpleAuthorizingInterceptor, because the two interceptors are placed
in Phase.UNMARSHAL and Phase.PRE_INVOKE respectively and they are far behind Phase.READ.

There are two possible solutions I can think of:
    # move the WSDLGetInterceptor and RawMessageWSDLGetInterceptor from Phase.READ to
Phase.PRE_INVOKE or later so they can take advantage of JAASLoginInterceptor and SimpleAuthorizingInterceptor
just as other SOAP calls;
    # introduce one (or two) special interceptors to do what the JAASLoginInterceptor and the
SimpleAuthorizingInterceptor normally do, just for WSDL GET invocation.

The first option might introduce too much change, but the second option sounds like a better choice.
We should introduce one or two interceptors for WSDL GET invocation to integrate with standard
HTTP Authentication just like other SOAP calls so users do not have to write custom interceptors
themselves. Instead they can simply enable it through configuration only. 

It should also satisfy the requirement for using the same authentication/authorization method
through JAAS just like other SOAP calls.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
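
The second option from the issue, written as a CXF in-interceptor; this is an added example, not code from the issue or from the CXF project. The class name `WsdlGetJaasInterceptor` and the JAAS context name are hypothetical, it authenticates every GET (fail closed) rather than only `?wsdl`, it performs authentication only (no role check as SimpleAuthorizingInterceptor does), and it assumes the transport turns the fault's status code into an HTTP 401. It uses a Java 8 lambda.

```java
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.cxf.configuration.security.AuthorizationPolicy;
import org.apache.cxf.frontend.WSDLGetInterceptor;
import org.apache.cxf.interceptor.Fault;
import org.apache.cxf.message.Message;
import org.apache.cxf.phase.AbstractPhaseInterceptor;
import org.apache.cxf.phase.Phase;
// Hypothetical class: JAAS-authenticates HTTP GETs before WSDLGetInterceptor serves the WSDL.
public class WsdlGetJaasInterceptor extends AbstractPhaseInterceptor<Message> {
    private final String jaasContext; // assumed: name of an existing JAAS login configuration
    public WsdlGetJaasInterceptor(String jaasContext) {
        super(Phase.READ);                              // same phase as WSDLGetInterceptor
        addBefore(WSDLGetInterceptor.class.getName());  // but ordered ahead of it
        this.jaasContext = jaasContext;
    }

    @Override
    public void handleMessage(Message message) throws Fault {
        // SOAP POSTs continue to the existing UNMARSHAL / PRE_INVOKE interceptors.
        if (!"GET".equals(message.get(Message.HTTP_REQUEST_METHOD))) return;
        // CXF's HTTP transport parses the Basic Authorization header into this policy.
        AuthorizationPolicy policy = message.get(AuthorizationPolicy.class);
        if (policy == null || policy.getUserName() == null || policy.getPassword() == null) {
            throw unauthorized("credentials required");
        }
        try {
            new LoginContext(jaasContext, callbacks -> {
                for (Callback cb : callbacks) {
                    if (cb instanceof NameCallback) {
                        ((NameCallback) cb).setName(policy.getUserName());
                    } else if (cb instanceof PasswordCallback) {
                        ((PasswordCallback) cb).setPassword(policy.getPassword().toCharArray());
                    } else {
                        throw new UnsupportedCallbackException(cb);
                    }
                }
            }).login();
        } catch (LoginException e) {
            throw unauthorized("login failed"); // the failure reason is not sent to the client
        }
    }
    private static Fault unauthorized(String reason) {
        Fault fault = new Fault(new SecurityException(reason));
        fault.setStatusCode(401);
        return fault;
    }
}
```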
