cxf-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Andreas Veithen <andreas.veit...@gmail.com>
Subject Re: Spring Security with CXF JMS Endpoint
Date Wed, 03 Feb 2010 20:29:31 GMT
John,

Some time ago I started to develop a set of components (interceptors,
callback handlers and features) to simplify integration between CXF
and Spring Security. I've extended this a bit and wrote some
documentation. The code is available as a Google Code project [1]. If
you go for the two-headers approach, then your use case can be
implemented with the existing components. Please refer to [2] for the
documentation.

Andreas

PS: The intention is still to make this code part of the CXF
distribution. Several people were interested in this, but until now I
was unable to recruit anybody to test, review and/or complete the
code.

[1] http://code.google.com/p/cxf-spring-security/
[2] http://code.google.com/p/cxf-spring-security/wiki/Documentation

On Mon, Feb 1, 2010 at 22:55, johnpfeifer4 <johnpfeifer4@gmail.com> wrote:
>
> I've done some digging... I'm going to need the username and password to
> validate against our spring security authentication provider.
>
> I'm thinking that I could configure the interceptor to look for user/pass in
> JMS Headers or in a single header (in the case of Basic Auth).  I'll have to
> dig around a bit more and let you know what I find.
>
> Thanks,
>
> John
>
> Andreas Veithen-2 wrote:
>>
>> Isn't the JMSXUserID set to the user who connected to the broker?
>> Since John's use case is a HTTP->JMS bridge with HTTP Basic Auth, I
>> would be surprised that the connection to the broker is opened using
>> the credentials of the user who submitted the HTTP request.
>>
>> Andreas
>>
>> On Mon, Feb 1, 2010 at 21:16, Daniel Kulp <dkulp@apache.org> wrote:
>>>
>>> Christian recently did some updates to the JMS transport to pull the
>>> JMSXUserID from the JMS Message and stick that into our SecurityContext.
>>>   You
>>> would probably need an interceptor that would then take that and feed
>>> that
>>> into the Spring security context.      If you do develop some
>>> interceptors for
>>> this, we'd love to have them.  :-)
>>>
>>> Dan
>>>
>>>
>>>
>>>
>>> On Mon February 1 2010 1:51:44 pm johnpfeifer4 wrote:
>>>> I was wondering if anyone has an example of implement spring security
>>>> with
>>>>  a CXF JMS Endpoint.  We currently secure all of our endpoints with the
>>>>  <security:http> element, limiting access to certain endpoints to
a
>>>>  particular role(s).
>>>>
>>>> Now we have a requirement to enforce security for JMS endpoints.  It
>>>> seems
>>>> that the listener that picks it off the JMS queue would have to know
>>>> where
>>>> to find the credentials on the message.   Perhaps we need to write our
>>>> own
>>>> interceptors to do this?
>>>>
>>>> I figured I would post here before I start my own investigation.  Any
>>>> help
>>>> would be greatly appreciated.
>>>>
>>>> Thanks,
>>>>
>>>> John
>>>>
>>>
>>> --
>>> Daniel Kulp
>>> dkulp@apache.org
>>> http://www.dankulp.com/blog
>>>
>>
>>
>
> --
> View this message in context: http://old.nabble.com/Spring-Security-with-CXF-JMS-Endpoint-tp27409262p27412082.html
> Sent from the cxf-user mailing list archive at Nabble.com.
>
>

Mime
View raw message