cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John-M Baker <john-m.ba...@db.com>
Subject Re: CXF and Acegisecurity
Date Tue, 01 Jul 2008 11:57:21 GMT
Sergey,

So far I've concluded that the CallbackHandler has to populate the Spring 
Security SecurityContext, such as (exclude the hacked up code):

public class PasswordCallbackHandler
   implements CallbackHandler 
{
   public void handle(Callback[] arg0) 
      throws IOException, UnsupportedCallbackException 
   {
      for (Callback callback : arg0) 
      {
         if (callback instanceof WSPasswordCallback) 
         {
            WSPasswordCallback passwordCallback = (WSPasswordCallback) 
callback;

            if (validUser(passwordCallback) 
            { 
              // Register with Spring Security so annotated methods 
(@RolesAllowed)
              // will allow appropriate users.  There must be a nice way 
of doing this
              // through the Spring context files!
              SecurityContextHolder.getContext().setAuthentication(
                    new UsernamePasswordAuthenticationToken(
                          passwordCallback.getIdentifer(),
                          passwordCallback.getPassword(),
                          new GrantedAuthority[] { 
                             new GrantedAuthorityImpl("ADMIN") } ));
 
              return;
            }
          }
        }
      }
 
      throw new RuntimeException("Invallid user");
   }
}

The WS method can then be annotated with @RoledAllowed({"ADMIN"}).

But this isn't very clean however given WS Security doesn't provide any 
roles, what else can be done?   It would be nice to put the above into 
Sprnig though so the user & role ("GrantedAuthority") mappings can be 
defined in XML.  Is there something for this already?


John Baker
-- 
Web SSO 
IT Infrastructure 
Deutsche Bank London

URL:  http://websso.cto.gt.intranet.db.com




John-M Baker <john-m.baker+external@db.com> 
01/07/2008 12:35
Please respond to
users@cxf.apache.org


To
users@cxf.apache.org
cc
users@cxf.apache.org
Subject
Re: CXF and Acegisecurity






Sergey,

The problem seems to lie between enabling WS-Security on CXF (which isn't 
a problem) and wiring this into Spring Secuirty.  Look at the following:

Caused by: 
org.springframework.security.AuthenticationCredentialsNotFoundException: 
An Authentication object was not found in the SecurityContext
  at 
org.springframework.security.intercept.AbstractSecurityInterceptor.credentialsNotFound(AbstractSecurityInterceptor.java:342)
  at 
org.springframework.security.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:254)
  at 
org.springframework.security.intercept.method.aopalliance.MethodSecurityInterceptor.invoke(MethodSecurityInterceptor.java:63)
  at 
org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:171)
  at 
org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:204)

That appears after successful authentication with WS-Security, and CXF 
trying to invoke a method that's annotated with @RolesAllowed. 



John Baker
-- 
Web SSO 
IT Infrastructure 
Deutsche Bank London

URL:  http://websso.cto.gt.intranet.db.com




"Sergey Beryozkin" <sergey.beryozkin@iona.com> 
01/07/2008 10:14
Please respond to
users@cxf.apache.org


To
<users@cxf.apache.org>
cc
<users@cxf.apache.org>
Subject
Re: CXF and Acegisecurity






Cool, thanks for a link. These links can get added to the wiki.
I hope that in your project, where you combine JAX-RS and JAX-WS in one 
resource class, the single piece of
Spring Security config should suffice, not sure though. let us know please 

how it goes

Cheers, Sergey

----- Original Message ----- 
From: "John-M Baker" <john-m.baker@db.com>
To: <users@cxf.apache.org>
Cc: <users@cxf.apache.org>
Sent: Tuesday, July 01, 2008 10:09 AM
Subject: Re: CXF and Acegisecurity


> There's also a good example here:
>
> http://www.jroller.com/habuma/entry/method_level_security_in_spring
>
> I'm currently looking at what is required to wire Spring security into 
the
> WS-Security module!
>
>
> John Baker
> -- 
> Web SSO
> IT Infrastructure
> Deutsche Bank London
>
> URL:  http://websso.cto.gt.intranet.db.com
>
>
>
>
> "Sergey Beryozkin" <sergey.beryozkin@iona.com>
> 01/07/2008 10:06
> Please respond to
> users@cxf.apache.org
>
>
> To
> <users@cxf.apache.org>
> cc
>
> Subject
> Re: CXF and Acegisecurity
>
>
>
>
>
>
> Hi
>
>
>> Are there any docs specifically on implementing CXF REST With
>> Acegisecurity? Google didnt return anything obvious..  A simple example
>> showing how to secure a couple methods would be handy.
>
> have a look here please :
>
> 
http://static.springframework.org/spring-security/site/reference/html/ns-config.html#ns-method-security


>
>
> It's a Spring Security module which you're after. It should be possible 
to
> use AOP-like expressions to specify what kind of security
> credentials need to be applied to various methods in your resource
> class...
>
> Cheers, Sergey
>
>
>>
>> Thanks,
>>
>>
>> John Baker
>> -- 
>> Web SSO
>> IT Infrastructure
>> Deutsche Bank London
>>
>> URL:  http://websso.cto.gt.intranet.db.com
>>
>>
>> ---
>>
>> This e-mail may contain confidential and/or privileged information. If
> you are not the intended recipient (or have received this
>> e-mail in error) please notify the sender immediately and delete this
> e-mail. Any unauthorized copying, disclosure or distribution
>> of the material in this e-mail is strictly forbidden.
>>
>> Please refer to http://www.db.com/en/content/eu_disclosures.htm for
> additional EU corporate and regulatory disclosures.
>
> ----------------------------
> IONA Technologies PLC (registered in Ireland)
> Registered Number: 171387
> Registered Address: The IONA Building, Shelbourne Road, Dublin 4, 
Ireland
>
>
>
> ---
>
> This e-mail may contain confidential and/or privileged information. If 
you are not the intended recipient (or have received this 
> e-mail in error) please notify the sender immediately and delete this 
e-mail. Any unauthorized copying, disclosure or distribution 
> of the material in this e-mail is strictly forbidden.
>
> Please refer to http://www.db.com/en/content/eu_disclosures.htm for 
additional EU corporate and regulatory disclosures. 

----------------------------
IONA Technologies PLC (registered in Ireland)
Registered Number: 171387
Registered Address: The IONA Building, Shelbourne Road, Dublin 4, Ireland



---

This e-mail may contain confidential and/or privileged information. If you 
are not the intended recipient (or have received this e-mail in error) 
please notify the sender immediately and delete this e-mail. Any 
unauthorized copying, disclosure or distribution of the material in this 
e-mail is strictly forbidden.

Please refer to http://www.db.com/en/content/eu_disclosures.htm for 
additional EU corporate and regulatory disclosures.


---

This e-mail may contain confidential and/or privileged information. If you are not the intended
recipient (or have received this e-mail in error) please notify the sender immediately and
delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in
this e-mail is strictly forbidden.

Please refer to http://www.db.com/en/content/eu_disclosures.htm for additional EU corporate
and regulatory disclosures.
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message